Tuesday, May 28, 2013

HOWTO : TP-Link TL-MR3020 as WiFi Pineapple Made Easy


PLEASE NOTE THAT THIS ARTICLE IS OUTDATED: THE PINEAPPLE FIRMWARE IT USES IS NO LONGER SUPPORTED BY THE ORIGINAL AUTHOR, AND THAT FIRMWARE IS ALSO KNOWN TO BE VULNERABLE. PLEASE DO NOT FOLLOW IT. I DO NOT SUPPORT IT ANYMORE EITHER. THANKS.

Please be informed that this tutorial is written for the Pineapple Mark IV only.

Hardware

(1) TP-Link TL-MR3020
(2) SanDisk Cruzer Fit USB Flash Drive (8GB)

Software

(1) OpenWrt
(2) Wifi Pineapple firmware

The WiFi Pineapple is created by Hak5. It is quite an expensive device. It is also known as Jasager (German for "Yes Man").

The WiFi Pineapple is a rogue WiFi Access Point (AP) that answers "Yes" to every WiFi probe request sent by mobile devices.

If a WiFi client is looking for the SSID of McDonald's, the Pineapple (or Jasager) replies "That's me!". If another WiFi client is looking for the SSID of Starbucks, the Pineapple again replies "That's me!".

Once a victim's mobile device has connected to the WiFi Pineapple, you can carry out a Man-in-the-Middle attack against it.

Now we are going to build a custom WiFi Pineapple at a much lower price (about USD 30 or less) and in a much simpler way. (Please note that the previous tutorial is outdated and incomplete; do NOT follow it.)

Step 1 :

Download OpenWrt (Attitude Adjustment 12.09, r36088 at the time of writing). Make sure you pick the image for your exact hardware revision (v1 here); flashing an image built for another revision can brick the device.

If you are installing fresh over the stock TP-Link TL-MR3020 firmware -
wget http://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/openwrt-ar71xx-generic-tl-mr3020-v1-squashfs-factory.bin

If you are upgrading from a previously installed OpenWrt -
wget http://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/openwrt-ar71xx-generic-tl-mr3020-v1-squashfs-sysupgrade.bin

Configure your computer with a static IP address :

IP address : 192.168.0.10
Gateway : 192.168.0.1


Connect the TL-MR3020 to your computer with an Ethernet cable. The default IP address of the stock TP-Link TL-MR3020 is 192.168.0.254; browse to that address.

The username and password of the stock TP-Link TL-MR3020 are both "admin".

Go to "System Tools" -- "Firmware Upgrade" and upgrade with the .bin file you just downloaded (the factory image for a stock device, the sysupgrade image for an existing OpenWrt).

Step 2 :

Once upgraded to OpenWrt, the device's IP address changes to 192.168.1.1.

Configure your computer with a static IP address :

IP address : 192.168.1.10
Gateway : 192.168.1.1


Then set a very STRONG root password at "System" -- "Administration". Do this first: until a root password is set, OpenWrt offers an unauthenticated telnet login instead of ssh.

Go to "System" -- "System" to set the timezone.

Enable wireless at "Network" -- "Wifi".

To make the LAN interface a DHCP client, go to "Network" - "Interfaces" - "Edit", select "DHCP Client" (for the "OpenWrt" interface) and click "Switch Protocol". If the page takes a long time to reload, that is fine: the device cannot obtain an IP address yet because it is not connected to your router. Just go ahead.

Now connect the Ethernet cable between the TL-MR3020 and your existing router. Connect your computer to the TL-MR3020 via WiFi; the SSID is "OpenWrt".

Once the TL-MR3020 has obtained an IP address from your router, such as 192.168.1.100, you can connect to it via ssh:

ssh root@192.168.1.100

Enter the very STRONG root password you just created.

Install the following packages :

opkg update
opkg install kmod-usb-storage
opkg install kmod-fs-ext4
opkg install block-mount


Step 3 :

Partition and format your 8GB USB pendrive as swap and ext4, e.g. 2GB of swap on the first partition and 6GB of ext4 on the second. Seen from the TL-MR3020 these will be /dev/sda1 (swap) and /dev/sda2 (ext4).

Then insert the USB pendrive into the TL-MR3020 and execute the following commands line by line (they copy the running root filesystem onto the pendrive):

mkdir -p /mnt/sda2
mount /dev/sda2 /mnt/sda2
mkdir -p /tmp/cproot
mount --bind / /tmp/cproot
tar -C /tmp/cproot -cvf - . | tar -C /mnt/sda2 -xf -
umount /tmp/cproot
umount /mnt/sda2


Step 4 :

/etc/init.d/fstab enable
/etc/init.d/fstab start


vi /etc/config/fstab

Change the content to the following. (The sync option forces every write straight through to the pendrive, which is slower and wears the flash faster; it is kept here for robustness against pulling the power.)

config mount
        option target /
        option device /dev/sda2
        option fstype ext4
        option options rw,sync
        option enabled 1
        option enabled_fsck 0

config swap
        option device /dev/sda1
        option enabled 1


The following are the vi commands you need if you are not familiar with vi :

i - enter insert mode, ready to edit
Esc - leave insert mode
:w - write the changes to the file
:q - quit vi

Then type the following command to reboot the device :

reboot

Once it has booted again, log in via ssh.

To check whether the USB pendrive is now mounted as "/" :

mount
df
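This check matters more than it looks: if the pivot to the pendrive did not happen, you are still running from the internal flash, and everything written to the pendrive in the later steps would never be seen by the running system. The following is an added example, not code from the original post, that reads the output of mount and the swap table and decides for you. The device names /dev/sda2 and /dev/sda1 are the ones the tutorial uses; that the pendrive's entry for / is listed after the built-in rootfs entry is an assumption about mount ordering.

```shell
# Added example, not from the original tutorial.

# root_device: read mount(1) output on stdin and print the device mounted on /.
# Busybox and GNU mount both print "DEV on MOUNTPOINT type FSTYPE (OPTIONS)".
# Assumption: after a successful pivot the pendrive's line for / comes after
# the built-in rootfs line, so the last match wins.
root_device() {
    awk '$2 == "on" && $3 == "/" { dev = $1 } END { print dev }'
}

# swap_active <device> <swaps table>: returns 0 if <device> appears in the
# table (normally /proc/swaps, whose first line is a header).
swap_active() {
    awk -v dev="$1" 'NR > 1 && $1 == dev { found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# check_extroot <root device> <swap device> [swaps table]
# Reads mount output on stdin. Returns 0 when / is on <root device> and the
# swap is active, 1 when still on internal flash, 2 when only swap is missing.
check_extroot() {
    want_root=$1; want_swap=$2; swaps=${3:-/proc/swaps}
    have_root=$(root_device)
    if [ "$have_root" != "$want_root" ]; then
        echo "NOT on extroot: / is on '${have_root:-unknown}', expected $want_root"
        return 1
    fi
    if ! swap_active "$want_swap" "$swaps"; then
        echo "extroot ok but swap $want_swap is not active (check /etc/config/fstab)"
        return 2
    fi
    echo "extroot ok: / on $have_root, swap on $want_swap"
}

# On the TL-MR3020 itself:
#   mount | check_extroot /dev/sda2 /dev/sda1
```

If it reports that / is still on the built-in rootfs or overlay, re-check the fstab block above and that block-mount and kmod-fs-ext4 are installed before going on to Step 5.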


Step 5 :

Turn off the TL-MR3020, take the USB pendrive out of it and insert it into your computer.

Back up the whole pendrive to your computer (cp -a keeps symlinks, modes and ownership, which matter for a root filesystem):

mkdir ~/mr3020
sudo cp -a /media/1234....1123/. ~/mr3020/
sudo cp -a ~/mr3020/lib ~/mr3020/lib-original


*** /media/1234....1123/ is where your computer mounted the pendrive; yours will differ.

The /lib directory is backed up separately (lib-original) so that it can be copied back later.

Do not remove the USB pendrive from your computer yet.

Step 6 :

Download the Pineapple upgrade package to your computer (e.g. Ubuntu). The URL contains "&", so it must be quoted, and it carries no file name, so save it explicitly:

wget -O upgrade-2.8.1.bin "http://wifipineapple.com/index.php?downloads&downloadUpgrade=2.8.1"

Install unsquashfs on your Ubuntu if you do not have it :

sudo apt-get install squashfs-tools

Extract the files from upgrade-2.8.1.bin (it is a squashfs image) :

unsquashfs upgrade-2.8.1.bin

cd squashfs-root


Copy the required directories to the USB pendrive.

sudo cp -R bin/* /media/1234....1123/bin/
sudo cp -R sbin/* /media/1234....1123/sbin/
sudo cp -R usr/* /media/1234....1123/usr/
sudo cp -R etc/* /media/1234....1123/etc/
sudo cp -R www/* /media/1234....1123/www/
sudo cp -R pineapple /media/1234....1123/
sudo cp -R lib/firmware/* /media/1234....1123/lib/firmware/
# no -R on purpose: this copies only the shared libraries at the top of lib/ and
# skips the subdirectories (cp prints "omitting directory" for them), so
# lib/modules, the kernel modules of your OpenWrt build, stays untouched
sudo cp lib/* /media/1234....1123/lib/
sudo cp lib/wifi/* /media/1234....1123/lib/wifi/

# restore the extroot fstab and the root account (your STRONG password) from the Step 5 backup
sudo cp ~/mr3020/etc/config/fstab /media/1234....1123/etc/config/
sudo cp ~/mr3020/etc/passwd /media/1234....1123/etc/
sudo cp ~/mr3020/etc/shadow /media/1234....1123/etc/
sudo cp -R ~/mr3020/lib-original /media/1234....1123/


Step 6a :

To let victims reach the internet through the Pineapple, change the DNS and gateway addresses in /etc/config/dhcp and /etc/config/network on the pendrive from 172.16.42.1 to 172.16.42.42 (the address your laptop will have on the cable in Step 8). Replace the address as a whole token only; a blind search-and-replace would also mangle any 172.16.42.1xx address in those files.
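Steps 6 and 6a are a sequence of copies that are easy to get slightly wrong (a plain cp that follows symlinks, a recursive copy that clobbers /lib/modules, a sed that also hits the DHCP pool). The following is an added example, not code from the original post and not Hak5's own upgrade procedure, that performs the whole overlay as two re-runnable functions. It uses cp -a so that symlinks, modes and timestamps survive (the busybox applets in /bin and /sbin are symlinks), copies only the top-level files of lib/ plus lib/firmware and lib/wifi so that lib/modules is never touched, restores fstab, passwd and shadow from the Step 5 backup, and rewrites the 172.16.42.1 address as a whole token using GNU sed's word boundary. Paths are parameters; the directory layout of the extracted image is taken from the copy list above.

```shell
# Added example, not from the original tutorial or from Hak5.

# overlay_pineapple <squashfs-root> <pendrive mount point> <Step 5 backup dir>
overlay_pineapple() {
    src=$1; dst=$2; bak=$3
    for d in bin sbin usr etc www; do
        [ -d "$src/$d" ] || continue
        mkdir -p "$dst/$d"
        cp -a "$src/$d/." "$dst/$d/"          # -a: keep symlinks, modes, times
    done
    [ -d "$src/pineapple" ] && cp -a "$src/pineapple" "$dst/"
    # lib/: only the shared libraries at the top level, plus firmware and wifi.
    # lib/modules belongs to the OpenWrt kernel you flashed and is left alone.
    mkdir -p "$dst/lib/firmware" "$dst/lib/wifi"
    for f in "$src"/lib/*; do
        [ -e "$f" ] || continue
        [ -d "$f" ] || cp -a "$f" "$dst/lib/"
    done
    [ -d "$src/lib/firmware" ] && cp -a "$src/lib/firmware/." "$dst/lib/firmware/"
    [ -d "$src/lib/wifi" ]     && cp -a "$src/lib/wifi/."     "$dst/lib/wifi/"
    # the Pineapple image ships its own fstab and root account; keep ours
    mkdir -p "$dst/etc/config"
    cp -a "$bak/etc/config/fstab" "$dst/etc/config/fstab"
    cp -a "$bak/etc/passwd"       "$dst/etc/passwd"
    cp -a "$bak/etc/shadow"       "$dst/etc/shadow"
    [ -d "$bak/lib-original" ] && cp -a "$bak/lib-original" "$dst/"
    return 0
}

# set_client_gateway <pendrive mount point> <old address> <new address>
# Rewrites the address in etc/config/dhcp and etc/config/network as a whole
# token. \b is a GNU sed word boundary; a digit does not end a word, so
# 172.16.42.100 is not touched when replacing 172.16.42.1.
set_client_gateway() {
    root=$1; old=$2; new=$3
    old_re=$(printf '%s' "$old" | sed 's/\./\\./g')      # escape the dots
    for f in etc/config/dhcp etc/config/network; do
        [ -f "$root/$f" ] || continue
        tmp="$root/$f.tmp"
        sed "s/\b$old_re\b/$new/g" "$root/$f" > "$tmp" && cat "$tmp" > "$root/$f" && rm -f "$tmp"
    done
}

# Usage on the laptop, with the pendrive mounted (run as root so ownership survives):
#   sudo sh -c '. ./overlay.sh; overlay_pineapple squashfs-root /media/1234....1123 ~/mr3020
#               set_client_gateway /media/1234....1123 172.16.42.1 172.16.42.42'
```

After running it, look at etc/config/dhcp and etc/config/network on the pendrive once more before unmounting; the DHCP pool and the lease file settings should be exactly as the image shipped them, with only the gateway and DNS entries changed.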

Step 7 :

Insert the USB pendrive back into the TL-MR3020 and power it on.

The Pineapple SSID will be "pineapple 0:37". The username is "root" and the password is your very STRONG password.

Step 8 (Connectivity) :

The following is one way to use the Pineapple (TL-MR3020): tethering it to your laptop's internet connection.

Connect your laptop to the internet via wireless or 3G.

In Ubuntu's Network Manager, edit the wired connection and uncheck "Connect Automatically", so that Network Manager does not take over the wired interface that wp4.sh configures.

Then connect the CAT5/5e/6 cable between the Pineapple and your laptop.

On the laptop, download and run the script. It must run as root because it assigns addresses and sets up forwarding and NAT:

wget http://wifipineapple.com/wp4.sh
chmod +x wp4.sh
sudo ./wp4.sh




The source code of wp4.sh :



Now your laptop can reach the internet and the TL-MR3020, and victims connected to your Pineapple reach the internet through the laptop.

If you want to undo what wp4.sh set up, run the following script, which I wrote myself.

sudo ./killwp4.sh



After the TL-MR3020 reboots, you need to run wp4.sh again to regain access.
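Whatever wp4.sh does internally, the tethering in this step is ordinary internet connection sharing: give the laptop's wired interface the address the Pineapple clients were told to use as gateway in Step 6a, turn on IP forwarding, and masquerade the Pineapple subnet out of the uplink. The following is an added example of exactly that, written for this page; it is neither Hak5's wp4.sh nor the killwp4.sh mentioned above, whose sources are not reproduced here. It assumes the uplink is wlan0, the cable to the Pineapple is eth0, the laptop takes 172.16.42.42/24 and the Pineapple clients live in 172.16.42.0/24; with DRY_RUN=1 it prints the commands instead of running them, so the rule set can be reviewed before it is applied as root.

```shell
# Added example, not Hak5's wp4.sh and not the author's killwp4.sh.

# run: execute the command, or just print it when DRY_RUN=1
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# ics_up <uplink iface> <pineapple iface> [laptop addr/prefix] [pineapple subnet]
ics_up() {
    up=$1; lan=$2; addr=${3:-172.16.42.42/24}; net=${4:-172.16.42.0/24}
    run ip addr add "$addr" dev "$lan"          # the gateway address from Step 6a
    run ip link set "$lan" up
    run sysctl -w net.ipv4.ip_forward=1
    # NAT only the Pineapple subnet, and only towards the uplink
    run iptables -t nat -A POSTROUTING -s "$net" -o "$up" -j MASQUERADE
    run iptables -A FORWARD -i "$lan" -o "$up" -s "$net" -j ACCEPT
    run iptables -A FORWARD -i "$up" -o "$lan" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# ics_down: remove exactly what ics_up added, in reverse order
ics_down() {
    up=$1; lan=$2; addr=${3:-172.16.42.42/24}; net=${4:-172.16.42.0/24}
    run iptables -D FORWARD -i "$up" -o "$lan" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -D FORWARD -i "$lan" -o "$up" -s "$net" -j ACCEPT
    run iptables -t nat -D POSTROUTING -s "$net" -o "$up" -j MASQUERADE
    run sysctl -w net.ipv4.ip_forward=0
    run ip addr del "$addr" dev "$lan"
}

# Usage on the laptop:
#   DRY_RUN=1 sh ics.sh up wlan0 eth0     # review the commands first
#   sudo sh ics.sh up wlan0 eth0          # apply
#   sudo sh ics.sh down wlan0 eth0        # tear down again
case "${1:-}" in
    up)   shift; ics_up "$@" ;;
    down) shift; ics_down "$@" ;;
esac
```

Restricting the MASQUERADE and FORWARD rules to the Pineapple subnet and the uplink is the point of writing the rules by hand: a bare "-j MASQUERADE" on the uplink would also NAT anything else the laptop happens to route.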

Important

There are several important things you should NOT do; otherwise you will brick the TL-MR3020 or lose the USB root. They are :

First - Do NOT upgrade OpenWrt from the web interface: the fresh system will not have the USB storage packages, so the pendrive will not be mounted, unless you install the related packages again as described above.

Second - Do NOT upgrade the Pineapple firmware in the normal way, and keep away from the /lib directory, which holds the kernel modules belonging to the OpenWrt kernel you flashed. If you have a backup (lib-original), you can copy the /lib directory back.

Third - Do NOT long-press the "WPS/Reset" button on the TL-MR3020; otherwise OpenWrt will be reset and the USB pendrive cannot be mounted, unless you install the related packages again as described above.

Fourth - Some infusions (modules) cannot be installed because they insist on installing to separate USB storage, which this build does not have (the pendrive is the root filesystem itself). (The Hak5 forum user newbi3 advised a solution, and I think it is the best one.)

Remarks

Karma is not as powerful as it sounds: Android 4.0.4 and later no longer sends the probe requests it relies on. Also, victims' devices will only join the Pineapple for networks they remember as OPEN; a remembered encrypted network will not associate with the Pineapple's open AP of the same name, so Karma does not work against it.

The final word is that I think we can build one with the same steps and procedure for the TP-Link TL-WR1043ND and TP-Link WR703N too. However, it is risky. Make sure the version/revision of the router and the OpenWrt firmware match; otherwise you may brick the router. I just bricked a TP-Link TL-MR3220v2 :P.


That's all! See you.