2/19/2015

WIFI PineApple Mark V & Mobile Device Traffic

Over the years, as more people have migrated from computers to smart devices such as iPhones, iPads, tablets, Android devices and other mobile devices, I receive several calls per week where the client contends that their device has been hacked and data is being monitored and/or captured by a third party. Finally, after all of the time spent imaging devices, both jailbroken and not jailbroken, and sifting through the data (that was recoverable and readable), I had problems determining if in fact data was being sent from the device outbound to a third party. In a recent case, I found myself digging into the application code on a jailbroken device and the plist files to see how the device was configured. Were GSM transmitters turned on and off? Was data being forced to be backed up and sent to a strange location using GSM LTE? While performing research on different types of malware that could capture data and stream it out, and after actually looking into the application code of a well-known application that was thought to be the bad guy's streaming application, my days of application coding and web site coding came back to me. How many times (in the old days) had I set a configuration file for start-up, then manipulated the code using software switches? It came back to me from my network management days that it really didn't matter so much whether specific parameters were set to on or off at boot-up, because it comes down to what the application controls on the interfaces. The application can programmatically turn the parameters on (x1x) and off (x0x) on command, so unless you get to the device quickly to perform the exam, you may or may not be able to determine what the device configuration was set to on a specific day and time. Duh! Then why do I spend so much time looking at plist files and trying to decipher the application code up front when I should be looking at the in-line application code?
That is where I will find the switches being manipulated, code insertions, and timers set. Or, would it be easier to connect the client's device to some kind of device and watch the data stream, to find out if it is sending something out, how often, and to where? It occurred to me that if I can see what is going on, then I can identify some meaningful keywords, IP addresses, application names, and other items that I can then do keyword searches for on the device! It would be great to be able to record the sequences and perhaps use them as evidence.
Necessity once again became the mother of invention! Though I did NOT in any way invent the following process, I found that it did cut down on the time spent in some mobile examinations, and resulted in having captured data as evidence. How many times have we been told by the client, "I know there is someone in my phone"? Here is a way I found to perhaps answer this question for the client. After searching the internet for keywords associated with my issue, I ran across a device called the WiFi Pineapple Mark V (WPM5). After researching the device, it was evident that it could be used for hacking, but it is also used for penetration testing and data audits (monitoring). Perhaps this is just what I need. With this device and the latest copy of Wireshark, can I perform a type of man-in-the-middle monitor? I ordered the device from the vendor and after receiving it, it took me a day or two to get the configuration down correctly and to remove the clutter from the Wireshark trace, but at the end of the day, I am now able to monitor and, more specifically, capture data packets between the mobile device(s) and destination domains/IP addresses, and zero in on specific applications on mobile devices. Hopefully, after the data capture, I can bring the recorded illicit conversation(s) into a court of law to actually replay the event(s) for the jury, just as a video recording of a shooting would be used as evidence. A video recording of an event is nothing more than a data stream (zeros and ones) being replayed using a video application; in this case, the WiFi Pineapple Mark V is the camera, and Wireshark is the data application. Will this work? So much for this preface. Now how does it work? How did I set up and monitor the data between the mobile device, the WPM5 and the monitoring/auditing device?
I am not going to get into all of the features, configurations and applications that the WPM5 can provide, but only specifically how it can be used as a digital forensics tool to determine traffic flow inbound and outbound from a mobile device. The WiFi Pineapple Mark V runs a web server for its configuration interface. Following the instructions provided with the install manual, I configured the device with the following settings. Accessing the WPM5 locally can be performed over WiFi or via an Ethernet cable. During my testing, I found that connecting via Ethernet locally revealed less clutter when using Wireshark to view the packets.
After connecting the WPM5 to the local computer's Ethernet port (wired), open your chosen browser and enter: http://172.16.42.1:1471. When logging into the WPM5, you are presented with the login screen. Enter the user ID and password you configured during the initial setup.
The interface provides several options for configuration. This is the main menu for the WiFi Pineapple Mark V.
Select the NETWORK pane. This display reveals specific information associated with all of the interfaces on the WPM5. When selecting the Wired tab, you will see that the WiFi Pineapple has a preset (default) IP address of 172.16.42.1, a (default) netmask of 255.255.255.0, a (default) gateway IP address of 172.16.42.42, and I chose a DNS server of 8.8.8.8 (which is recommended by the makers of the device). The next tab under the Network pane is the Wired tab.
This tab reveals the static IP addresses associated with the WPM5 wired connection: the Ethernet connection between the WPM5 and the host computer.
The next tab under the Network pane is the Access Point tab. This is where the WPM5 access point function is configured. During an actual mobile exam, I would recommend the examiner set this SSID to match the SSID and password that was used natively by the client's mobile device. If the examiner is able to use the same SSID and password used by the client to connect to their original access point, then once the device is powered up and on the network, it should automatically connect to this SSID and the WPM5. For testing purposes, I used an SSID of Guest with no password set. On the mobile device, I selected the Guest network. The mobile device connected to the WPM5 via WiFi and the data was routed through the host computer (man-in-the-middle) connection, where Wireshark was used to capture/review the data packets. I did not make any other changes in the Network pane. Exit the WPM5 menu.
Connection Summary: To make it clear, in my testing there are three components.

1. The client's device (connected to the WPM5 via WiFi to the SSID)
   a. SSID used was Guest
   b. NO password was set
2. The WiFi Pineapple Mark V (configured as an access point) with the client's access point SSID if possible, but for testing the WPM5 SSID is set to Guest.
3. The monitoring PC workstation was connected to the WPM5 using an Ethernet cable (wired).
4. NOTE: there are MS Windows network configuration changes that need to be made (see below).
5. On the mobile device (iPhone) settings, I turned OFF Cellular Data and turned ON Airplane Mode, then set WiFi back to ON (leaving Airplane Mode ON) and selected the Guest SSID. This forces all data traffic to the WiFi Pineapple Mark V.

The WiFi Pineapple Mark V has a STATIC IP address of 172.16.42.1 and, like a regular WiFi router, will assign (DHCP) clients IP addresses in the range 172.16.42.1-250. When connecting the local computer via Ethernet or wireless, the WiFi Pineapple will use a default gateway IP address of 172.16.42.42. On the Windows (host) computer, open the Network and Sharing Center. The Windows host computer will be in the middle of the network configuration. The Windows host computer needs to be connected to an existing WiFi connection with a connection to the internet (this is your normal everyday WiFi connection to the internet). Data traffic from the client device (WiFi) will connect to the WiFi Pineapple SSID. The WiFi Pineapple will connect to the Windows host computer via the Ethernet (wired) connection. The Windows host computer will be connected to the internet via WiFi to the examiner's WiFi access point (not through the Pineapple).
On the Windows host computer, using the latest Wireshark application, the examiner will be able to monitor inbound and outbound traffic to the mobile device. On the Windows host computer, in the network adapter settings, the Pineapple-facing adapter (Ethernet adapter) needs to be configured with a static IP address of 172.16.42.42 (IPv4 only); do not make any changes to IPv6. This is because the WPM5 communicates with the host computer via this IP address.
The Internet-facing adapter (examiner's WiFi access point) is configured normally, which is to obtain an IP address automatically (DHCP) and obtain the DNS server address automatically. NOTE: Access the Wireless Network Connection Properties for the examiner's Internet-facing adapter. Click on the Sharing tab and check "Allow other network users to connect through this computer's Internet connection". This enables the pass-through connection via the examiner's computer and allows Wireshark to capture the network traffic as it passes through the examiner's workstation. Once the WPM5 has been configured, the host computer's WiFi adapter is set to shared, and the DNS is configured on the host computer's Ethernet port, the examiner is ready to start the Wireshark application on the host computer.
WiFi Pineapple Network Settings (as configured for this test):

About / Kernel IP route: default route 172.16.42.0; default route via 172.16.42.42
Wired: IP 172.16.42.1, Netmask 255.255.255.0, Gateway 172.16.42.42, DNS 8.8.8.8
Access Point: OPEN, SSID Guest, Channel 11, Hidden (UNCHECKED)
Secure Management Access Point: SSID Mgmt, WPA2, Password Disabled (checked)
Client Mode: not selected, not connected
Mobile Broadband: not selected
Wireshark on Host Computer

When starting up Wireshark, you will see the two adapters:
1. Internet-facing WiFi adapter (your normal adapter facing the Internet)
2. Pineapple-facing Ethernet adapter (LAN adapter connected to the WiFi Pineapple)

In Wireshark select Capture > Interfaces and check the Pineapple-facing Ethernet adapter. NOTE: If you select the Internet-facing adapter, Wireshark will capture the host computer's packets as well as the Pineapple packets. This will capture unnecessary packets (CLUTTER). When selecting the Pineapple-facing Ethernet adapter, you will capture only the packets associated with the Pineapple and the remote devices connected to the Pineapple.

If you have any questions, please contact me: Gary Thomas Gary@ThomasForensics.com
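As an added example (not part of the original write-up, and not the Pineapple's or Wireshark's code), the Python below sketches the analysis step the write-up is after once frames have been captured on the Pineapple-facing adapter: keep only the mobile device's outbound traffic leaving the 172.16.42.0/24 segment, drop the Pineapple management and host traffic described above as clutter, and tally where it goes and how often. The frames are constructed inline; 203.0.113.7 is a placeholder destination and 172.16.42.101 an assumed DHCP lease for the phone.

```python
import struct
from collections import Counter
from ipaddress import ip_address, ip_network

# From the write-up: the Pineapple, the host's Pineapple-facing adapter, and the DHCP segment.
PINEAPPLE_IP = ip_address("172.16.42.1")
HOST_IP = ip_address("172.16.42.42")
PINEAPPLE_NET = ip_network("172.16.42.0/24")

def parse_frame(frame: bytes):
    """Return (src, dst, proto, dst_port) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # not IPv4
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
    proto = frame[23]  # 6 = TCP, 17 = UDP
    src, dst = ip_address(frame[26:30]), ip_address(frame[30:34])
    l4 = frame[14 + ihl:]
    port = struct.unpack("!H", l4[2:4])[0] if proto in (6, 17) and len(l4) >= 4 else None
    return src, dst, proto, port

def outbound_summary(frames):
    """Tally the mobile device's outbound flows by (destination, proto, dst_port).
    Pineapple/host-sourced frames, inbound replies and traffic that stays on the
    172.16.42.0/24 segment are the 'clutter' dropped here."""
    flows = Counter()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, proto, port = parsed
        if src not in PINEAPPLE_NET or src in (PINEAPPLE_IP, HOST_IP) or dst in PINEAPPLE_NET:
            continue
        flows[(str(dst), proto, port)] += 1
    return flows

def build_frame(src: str, dst: str, proto: int, dst_port: int) -> bytes:
    """Constructed sample frame (no payload, zeroed checksums), for the demo only."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    return eth + ip_hdr + struct.pack("!HH", 40000, dst_port) + b"\x00" * 4

SAMPLE_FRAMES = [  # constructed, not captured; 203.0.113.7 is a placeholder address
    build_frame("172.16.42.101", "203.0.113.7", 6, 443),  # phone -> remote server
    build_frame("172.16.42.101", "203.0.113.7", 6, 443),
    build_frame("172.16.42.101", "8.8.8.8", 17, 53),      # phone -> DNS
    build_frame("203.0.113.7", "172.16.42.101", 6, 443),  # inbound reply
    build_frame("172.16.42.42", "172.16.42.1", 6, 1471),  # host -> Pineapple web UI
    build_frame("172.16.42.101", "172.16.42.1", 17, 67),  # phone -> Pineapple (local)
]
```

Calling outbound_summary(SAMPLE_FRAMES) yields two flows, the phone's two packets to 203.0.113.7:443 and one DNS query to 8.8.8.8:53; the same filter applied to a real capture gives the examiner the destination list to pivot keyword searches on.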