
Beginner's Guide to Wi-fi Interception - nopassrecover
http://www.troyhunt.com/2013/04/the-beginners-guide-to-breaking-website.html?report
======
xerophtye
I don't understand why people are putting this article down by saying "Nothing
Novel In it"; "I have been doing this for X years. I know all this stuff";
"This is too simple. Too Basic".

GUYS!!! It's titled "BEGINNER'S Guide to WiFi Interception", so OF COURSE it's
basic. It isn't meant for security veterans like you guys. The author is
apparently a security guy too, but he just WANTED to explain it in as simple
a way as possible.

------
graue
> _... each unsecured network is the Pineapple responding to a probe request
> from the iPhone with the name of the SSID it was previously associated with.
> The names include that of an old wireless router I replaced some years back,
> my parents’ network I was connected to interstate just the other day and an
> airline lounge in a far flung corner of the world._

Whoa, what? This is really how it works? This implies that anywhere you go
with your laptop, someone can sit there and get a list of every wifi you've
ever connected to. :(

I don't understand why this disclosure is necessary, since you can list all
nearby wifis, even ones you've never connected to. Shouldn't it be possible
for a wifi client to get a list of all nearby wifis, then only attempt to
connect to the one it knows, without telling the others anything about what
it's looking for?

Didn't finish reading the article, because it's going step by step and I don't
plan to actually set up a Pineapple, but this surprising bit was the main
takeaway for me.

~~~
thejosh
Yes.

Want to know something scarier? Snoopy -
[http://www.youtube.com/watch?v=Vsn7_4qUdwk&feature=youtu.be](http://www.youtube.com/watch?v=Vsn7_4qUdwk&feature=youtu.be).

Well worth the watch.

~~~
sehugg
Blog post about it:
[http://www.sensepost.com/blog/7557.html](http://www.sensepost.com/blog/7557.html)

------
stedaniels
Troy's great strengths come from demonstrating to the average Joe just how
easy this is. He's not going overboard on the technical side because his aim
isn't to get everyone doing this. By and large he's pushing companies with
woefully insecure systems into securing them by using the media to spread the
message. Though he usually targets companies with web-based forms and
authentication systems, he appears here to be doing the same thing. If he
generates enough chatter about it, more pressure will be put on those
responsible to fix the problem.

P.S. The vague "that article rife with errors" and "it's pretty obvious those
screen caps have been photoshopped to try and prove an incorrect point"
comments are pitiful and pointless without some explanations. But ooh, I'm
sure you are all important and busy without the time to explain yourself.

------
dguido
If you want to know more about KARMA, we came up with it in 2004 and the
original docs and code are on our website:
[http://www.trailofbits.com/software/#karma](http://www.trailofbits.com/software/#karma)

~~~
tptacek
You were involved in KARMA? I thought that was just Dino and Shane. Shane is
working with you guys now too?

~~~
dguido
:-), my bad. Shane doesn't work for us. His name is listed on the research
page, but I should add his name to the software page to credit him there too.

------
diminoten
You can do everything that Pineapple does without Pineapple, I believe. The
advantage here is that it's all in one place, the hardware's figured out, and
it's accessible through a web interface.

And you don't have to know ten years' worth of knowledge to get useful (but
probably illegal) stuff out of it.

At least that's what I'm getting out of this article.

I can very easily see a house being raided and this being used against the
owner as evidence, though. There are _very_ few legitimate uses for something
like this, aren't there?

~~~
ZoF
You can see a house being raided for owning a Pineapple...?

~~~
diminoten
Nope.

I can see a house being raided because of other computer crime evidence, and
the fact that the suspect owned a Pineapple would be used against him in
court.

------
Everlag
Ah the pineapple, a lovely single device mitm for all of your wifi based
needs.

I've been looking into acquiring one for months but I can't think of any use
case that wouldn't be immoral.

I wonder if I could sit in a coffee shop and provide a faster connection than
standard? I'd be like a smaller, slightly more malicious Google in that I
provide a service in exchange for sweet sweet packets!

Also, what's with all the posts from Troy? I've been following him for a while
and it's curious to see these just popping up now.

~~~
wglb
Here is one moral use.

Don't do any mitm or forwarding, but just sit with the CEO or CIO with one in
his office for a few minutes, and show him how his iPhone is suddenly
connected to his home network.

Then you can explain all the implications of this. Including that this is a
readily available device for low cost. And that this particular attack has
been known and documented since 2004.

It would seem unlikely that manufacturers of devices relying on WiFi are
unaware of this. Run a bar across their cages to get this fixed.

------
nodata
Article is hidden in Firefox+Ghostery unless Disqus is enabled.

~~~
ddunkin
Every Disqus article is with it, just unblock it.

------
infoseckid
Here is the advanced guide to Screwing with Wi-Fi:
[http://www.securitytube.net/groups?operation=view&groupId=9](http://www.securitytube.net/groups?operation=view&groupId=9)

------
SometimesAlex
Dear god is that article rife with errors. Almost every declarative statement
made is incorrect.

This is someone looking for a sensational response without taking the time to
wonder if the people reading the article, at least here on HN, are ready to
call him out on his bullshit.

~~~
SometimesAlex
Looking again, it's pretty obvious those screen caps have been photoshopped to
try and prove an incorrect point. Definition of circular arguing.

~~~
diminoten
Can you be specific? I think it'd be interesting to a lot of HN readers if you
could point out the exact errors.

I'm not super well-versed on Pineapple, so I don't know what's true/not true
about what it does/how it does it.

------
vezzy-fnord
Honestly, the hype behind the Wi-Fi Pineapple is a little excessive. It's a
nice little novelty, but it really doesn't offer anything you couldn't do with
the aircrack-ng utilities (airbase-ng for conducting MITM in particular).

------
jj808
As someone that knows next to nothing about internet security, this article
was definitely eye-opening. Can anyone suggest further reading on the topic?

------
ryanthejuggler
Could you do this with a Raspberry Pi, a Netgear antenna, and a crossover
cord? Very tempted to try this out, Linux style.

~~~
chm
If the software and its dependencies can be compiled on the RPi architecture,
it should.

------
channi
I stopped reading the moment I felt this dude thinks "good old windows" and
"microsoft windows world" are better than "the linux things", and from the
comments here I think the article is indeed as lame as I suspected.

~~~
rurounijones
So you stopped reading an article because the guy does not use your preferred
operating system then justify your bias from comments that (at the time of
your posting at least) have no evidence that the article is "lame".

Well done.

