3

I've been doing research on the internet relating to cybersecurity and I came across an article talking about a "Wi-Fi Pineapple".

The article made it seem like anyone can buy this and basically steal peoples information in a Plug-and-play type fashion.

http://blog.privatewifi.com/wifi-pineapple-redux-hacking-toy-offers-no-legitimate-use-tricks-hotspot-users/

I was wondering how accurate this is, is it really that easy?

Most importantly, If one wanted to learn how to use a Wi-Fi pineapple, what concepts would I need to learn and what should I start learning first (networking, programming, Linux, etc,)?

schroeder
  • 123,438
  • 55
  • 284
  • 319
Alex Valdez
  • 33
  • 1
  • 4
  • 4
    The latter part of your question is too broad and is off-topic here. Please read the [help section](https://security.stackexchange.com/help/asking) of this site for more information on what types of questions are accepted here. – Polynomial Mar 04 '19 at 19:43

2 Answers2

1

Yes, it is that easy.

To use a WiFi pineapple it's almost the case that you just buy one and turn it on...

Be aware, though, that while you can use it in limited config to highlight security issues, almost every use case could be illegal where you are.

Be aware that if someone detects you using one, bad things could happen. https://www.csoonline.com/article/2462478/hacker-hunts-and-pwns-wifi-pineapples-with-0-day-at-def-con.html

Talking of DefCon, this guy has the extreme version:

enter image description here https://theoutline.com/post/2017/this-guy-hunted-wi-fi-hackers-using-a-giant-backpack-made-out-of-radios?zd=1&zi=hl5dxkob

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
  • This covers all the main points I think. One important thing to add on - @Alex Valdez, if there’s anything to start learning first, it’d be Man-In-The-Middle attacks. That is the essence of what a traffic interception device like a Pineapple is (and, also, as Rory pointed out - very likely illegal to execute in a real-world / no-permission-given scenario). Knowing what a MitM is and how it works will require building all the other concepts you may be lacking, so I would recommend going into this attack type in ask me depth. – securityOrange Mar 04 '19 at 21:19
0

This article is incredibly vague and conveniently doesn't talk about things like basic encryption and public key infrastructure that would completely thwart man in the middle style attacks. This means that any company that offers web services protected by a password that even half knows what they are doing would not be affected by this kind of an attack.

The part about getting wifi passwords by pretending to be them is completely true unfortunately. If you set the same SSID as wifi hotspot saved in the device, it will tell the wifi hot spot what it thinks the password is in an attempt to authenticate with it thus giving the wifi password to the device. In my opinion, the WiFi pinapple (I own two versions), is cool, but kind of a toy to learn security topics rather than a platform to preform any real attacks. It is a super cool piece of hardware for the basics though.

MikeSchem
  • 2,266
  • 1
  • 13
  • 33
  • My understanding of the WPA Personal 4-way handshake is that the actual password is never revealed to the server side, but only that each side proves to the other they both know it. IIUC, this means you could use a MiTM attack to establish a connection to the other server and sniff contents of packets, but you wouldn't know the WiFi password. – Steve Sether Mar 04 '19 at 21:49
  • Absolutely - you can use it to learn, rather than have to learn things in order to use it. – Rory Alsop Mar 04 '19 at 21:50