Stealing Data Over Open WiFi
Vložit
- čas přidán 7. 02. 2019
- The data goes... through, the pineapple? zooms in super-tight on face then zooms in super-tight on an actual pineapple [whispers through squinted eyes] ...through the pineapple.
-----------------------------------------------------------------
Interview with Shannon ($10+ patrons):
/ 24521169
Unedited footage for this video ($5+ patrons):
/ 24821506
-----------------------------------------------------------------
Additional Information
The WiFi Pineapple is sold on Hak5's store
shop.hak5.org/products/wifi-p...
www.wifipineapple.com/
How a Wi-Fi Pineapple Can Steal Your Data (And How to Protect Yourself From It)
motherboard.vice.com/en_us/ar...
Websites Visited
kingofmouths.com
spacejam.com
bitchen.com
dustbrothers.com
-----------------------------------------------------------------
Thanks as always to Shannon for making the trip out to record these episodes, you can find more from her at
/ hak5
/ shannonmorse
/ tekthing
/ snubs
/ snubs
-----------------------------------------------------------------
Scam Nation: / scamschool
Patreon: / modernrogue
Discord (patron reward): / discord
MR Articles: themodernrogue.com
Outtakes & BTS: / scamstuff
Subreddit: modernrogue.reddit.com
Merch: shop.themodernrogue.com
Twitter: / modernrogueshow
Instagram: / modernrogueshow
Facebook: / modernrogues
-----------------------------------------------------------------
Music used in this episode:
"Spacesuits" by Kupla
chillhop.bandcamp.com/album/c...
"Grandiose Soul" by Masked Man
chillhop.bandcamp.com/album/c...
"Vino" by Cap Kendricks
chillhop.bandcamp.com/track/vino
"All Us" by Nokiaa x nofeels
chillhop.bandcamp.com/track/a...
Most of the music from the show: bit.ly/mrspotify
-----------------------------------------------------------------
This episode was made with the help of:
Brian Brushwood - host -- / shwood
Jason Murphy - host -- / captainmurphy
Brandt Hughes - camera operator / editor -- / gatowag - / gatowag
Bryce Castillo - camera operator / live audio engineer -- / brycas
Shannon Morse - guest -- / snubs - Zábava
It’s that time of year again: Mystery Box Jackpot season! Here's how it works: Our job is to make you feel like you absolutely won the jackpot when you open your Mystery Box. Each and every Mystery Box Jackpot always has more value in it than what you paid for it. 100% of the time. And if you’re not happy? 100% satisfaction guarantee!
Wanna snag one before they’re all gone? www.scamstuff.com/products/mystery-box-99
We’re giving away a Mystery Box Jackpot ($99 value) to TWO winners of our weekly free giveaway at gimme.scamstuff.com (no purchase necessary, giveaway ends 2/14/2019)
Congrats to the winners of last week’s Cutaway Handcuffs giveaway: Laurent Holin, David Guy, and Kristina Zavala (we will contact you via email within the next two weeks)
Man. I used to use cain and abel back in the day to man in the middle. I wonder if it still works. Also, I built my own bash bunny with a raspberry pi zero after watching the last video you guys did on this.
Stop honeydicking us lol! When she said “honeypot” I about died
I'd like to present an Epic Rogue Quest Concept to you. A Next Level Reality Show Concept to make the outdated model obsolete. I'll buy the beer for a virtual presentation.
Ask yourself. WWWDD, if he was a Rogue? Your concept is inspiring.
Hi if you read this I think you should do a video on 3d printed guns it would be so cool
Welcome to the barely legal show.
Dude she's like 32
bubbathedm man i was NOT talking about that i was talking about hacking.
XD but still. You do realise she's like 32..
@@user-cf3so7mi2o she got dp;),and welcome to NSA watchlist Hiya Interpol too ;)
Legal Adjacent.
1:48 "If I run that through 'the' Google"
Dad just give me the keyboard.
No son i wanna do it, now how do you spell the first letter in man?
fancy seeing you here
Wait you watch the modern rogue?!
I didn’t know you watched this
"For the uninitiated, what is a pineapple?" - Mr Brian Allen Brushwood, 2019
"Is a pineapple an instrument?"
Doesn't it need a pen, or something?
It's what you call a guy with incredibly overdone spiky hair?
Guybrush Threepwood
@@rlee1185 omg yes
This video was sponsored by Nord VPN
ORLY?
8 minutes ago... man I came so close to god
so happy to see you supporting these guys. They have been pioneers on youtube since the start with Scam School.
you make vids demonized WHY WWHHHYYYYYYY
And pornhub
7:37 - Brian: I'm not comfortable with sharing the names of my devices, that used to be me.
7:41 - Shows the MAC address of the phone.
12:53 350,000 unread emails, why won't you answer me Bry???
Damn
I thought my 200 unread was bad
Holy shit thats alot of unread emails, you'd think hes trying to set a record or something
Lol and the Taco Bell app next to the Health app
search history: blairwitch, khaaaaaan, jason murphy screaming, jason screaming gif modern rogue, grilled cheese | lmao
If I'm ever in the Austin area, I'm totally knocking on the door of the MR compound and asking "Excuse me, is this the Starbucks?"
And they open the door and throw a Manhattan at you.
TWO ONE TWO
@@zaxtonhong3958 Hey, free drink! They can keep the vermouth and the bitters and just throw the bourbon at me, I won't complain.
“Does a vpn make you safer?”
**Proceeds to only use secure sites to test theory
“Wooooooow it’s not being detected”
Zac Chapman you’re right https is encrypted
Would have been nice if she showed SSLsplit, or something to handle proxying HTTPS connections. The majority of sites today have moved to HTTPS.
A vpn can be more secure, but you're also shifting all your traffic to a server that you should trust. They can do the same thing as the pineapple. Luckily all important login portals are https so that doesn't matter.
Just use a known good VPN for torrents or streaming content that's Geo restricted.
Wasn't Nord VPN hacked?
@@BuddyJesus Yep... most sites are HTTPS so you have to do a little more work lol. Really using MTM and having either your own SSL certs or using phssing websites/login portal to get username/passwords is what you have to do. Can do this HTTP stuff using wireshark... lol.
“This is a lab environment”
*Bare insulation in the background*
Zac Chapman that is because its a bare insulation testing lab. You should watch their video comparing rock wool with fiberglass. 20 minutes of gold.
loving those google searches. "khaaaaaan", "jason murphy screaming", "jason screaming gif modern rogue", "grilled cheese"
How did this not become a super long ad for Nord VPN?! That would've been a perfect segway.
"What can we do to protect ourselves?"
"Apparently use a VPN"
"Speaking of which *commences pitch for Nord VPN*"
cause it is actually a super long ad for wifi pineapple. notice the sales links in the desc? hak5 are cool but overpriced.
@@denism8494 its probably better this way, id rather have a product like that priced through the roof, instead of everyone being able to buy one, keeping them out of most ppls hands, limiting the chance bad ppl get their hands on them, and you average joe citizen doesnt really need one anyway
@@menofwar-os1wi if a bad person cannot afford this they probably also dont have the knowledge to use one. They aren't as simple to use as this video makes out, the limiting factor is not the price, it's the knowledge required. I am poor af, and I am an average person, however I also aspire to have a career in cyber security, therefore I would benefit by having one of these. I'm not saying hurr Durr gimme expensive shit for cheap, I'm just saying the actual value is inflated by videos like this that make it seem like a one stop piece of equipment that does everything and turns you into a 1337 H4X0R
@@denism8494 i can see your point of vieuw and understand what you are trying to tell me, and i mostly agree, but wouldnt said knowledge be obtainable through some googling? (and good luck with your carreer in cyber security)
Denis Mcdougall exactly this
I'm taking a security class right now, and this channel has given me so many good ideas for projects.
How did the classes go?
@@AngelusNielson Pretty well thanks, I did a presentation on the dark web. Thanks for reminding me of that class
@@NathanScott Not a problem! Glad you had fun.
Jason screaming about net neutrality will always be the greatest moment on the show. I've caught myself at work trying to find that gif to just leave it on the computer as I'm leaving, so when the next person unlocks it, they are terrified lol
13:48 Are we just gonna ignore Brian's search history?
Oh. My. God.
He searched for grilled cheese. What a sicko
@@pluto8404 It left me whelmed. Like, it did it's job of being a search term. But why not go bigger or go for a complete curveball?
Like, grilled cheese smoothie, reverse grilled cheese, grilled cheese without bread or something else absurd... Something that would make any sane person re-read that to make sure it says what they think it says. Basically, what these guys do best, leave their experts concerned or confused.
jason murphy screaming gif
whoops this isn't google
Some Jason Murphy issues
CUZ IM A MODERN ROUUUUGE!!
A little Mason Jurphey in my life
A little Ryan Bushwood by my side
A little bit of Grant is all I need
A little bit of B-Rice is what I see
A little bit of Scamming in the sun
A little Modern Rouging all night long
A little bit of Dresspants here I am
A little grilled cheese makes me your fan
*NAILED IT!!*
Rian Rushwood was the fake name Brian used in an earlier ep
A play on his actual name, Brian Brushwood
@@StrokeMahEgo fact fail.
StrokeMahEgo woosh
Rogue.
AHHHHHHHHHHHHUH!
The description perfectly fits what I thought when I saw the thumbnail thing while the video opened
Mad props to Brandt for somehow making Jason singing Mambo No. 5 the most unsettling thing I've seen all year.
Haha, I aim to please
You guys are so much fun to watch and learn.Thanks
Glad to see Shannon back, and a very informative video! Very scary!
You guys should make a ultimate modern rogue course, where you put all your modern rogue knowledge to the test. Like you have to find dead drops, take down people with martial arts and nunchucks, get ride of the meat of the thing they stacked in rye, parkour, set and find bugs, find and place hidden cameras, try to solve a crime, all the things that you have ever covered in modern rogue just in a course
Brian and Jason THANK YOU for having Shannon on the show. I am learning more watching your show than I did attending high school during the summer. Thanks dudes. . . .A special shout-out to Nord VPN; to which I am a proud customer.
Shannon is great! We hope to do more with her soon.
Excellent video. Love this sort of content. Keep em coming.
I just wanted to say the editing of the video is so impressive!!
Why does no one else seem at all concerned that one of Brian's most recent searches was, "Jason Murphy screaming"?
NathanielCF My safe place song is Mambo Number 5. Brian’s safe place song is me screaming.
WHEN JASON STARTED SINGING LOU BEGA!!!
Jason just became the favorite. Brian will have to try harder now, lol
This was super informtive and very well explained. Good show.
I love when two of my favorite CZcams channels do a cross over episode. It's like when the Harlem Globe Trotters guest star on Scooby Doo
“How many things did you infiltrate?”
*”Everything.”*
My dad is a Computer technician contractor and he harps on me all the time about being careful on public Wi-Fi and never leaving my laptop unlocked unattended
Listen to him.
Bet you don't cover up your webcam with tape
I mean leaving your laptop unlocked and unattended should be common sense not to do, you shouldn't need to be a technician contractor to know that. Then again, I see so many people not bother using passcodes on their phones, so maybe you do.
Stop being a dumbass and he'll stop calling you one.
@@spencershaw7818 he does, he just uses transparent tape.
The "For the uninitiated , what is a pineapple ? " part made my day . SUBSCRIBED !
So glad yall did a collab with Hak5's Shannon
That hotspot honey pot with man in the middle is yearning for some penetration testing... Perhaps there's even a backdoor involved!?
12:01
Shannon: What is king of mouths?
Brian: I don't know what you're talking about
Great Host and topic. Fun to watch ~Cheers~ B.Champagne
These have slowly creeped their way into my favorite MR episodes.
Just watched the other hacking eps, glad to see another!!!
I'm considering buying a wi-fi pineapple, and I have been waiting for this episode for SO LONG! Could you guys also do an episode on cracking WEP security?
Nobody uses wep, and just buy a WiFi adapter that supports running in monitoring mode. No need for this junk.
@@colton9496 That's fair. I know nobody uses WEP, and you can do this with a wifi adapter in monitor mode, but I think WEP's insecurity is a good lesson towards updating your security, and they can go into detail without being too harmful because nobody uses it.
Great on camera chemistry. Nothing but good vibes
thanks!
She looks so happy, I think she loves her job :D
I like her! And it is a good think to refresh the fact that these risks are out there and pretty easy to set up once you know the basics.
"for your fire starter vids idea"
*plant food packets(like the ones you get when you buy flowers from a store) and antifreeze*
its a thing and iv seen it done and holy crap i was amazed
Everytime she smiles while talking about this makes me feel less safe and more scared
the wifi pineapple was my favorite system on hacking the system too! It's what got me into watching Brian and Jason, it's also what got me into magic tricks, and of course the modern rogue!
love this episode!
what episode is that? i wanna watch it too!
@@Givisba it wasn't an episode! it was their netflix special a few years ago
This is some costly production featuring multiple cameras and studio lights! You are raising the bar.
You guys brought the weaboo back! Nice 😄
i love herrr she seems so nice (and of course scary powerful with hacker knowledge)
@@lisdmon6538 I really hope you are joking about her hacker knowledge LOL
Brian’s never left though?
it's spelled "webelo"
@@MexieMex How would you classify 'hacker knowledge' ?
Are y'all going on tour ever?
This video had more tips in simple hosts commentary then my IT lessons in highschool.
Love your open stud and PEX decor.
The Wi-Fi Pineapple is overpriced tho. I have a nano and I love it but still its still overpriced. Love Hak5 too
Root your android device and download cSploit.
@Danny when I say overpriced I mean the hardware itself. The majority of the software on the pineapple is community made. I also have a rubber ducky and that's also overpriced
@@ScibbieGames can't use monitoring mode with modern android phones sadly.
@@Honosklouker Not to mention most modern network cards can't do this either. This is why if you want to make your own (Or one of the related "products" to the full pineapple) you need to buy an old card. And most of the networking companies have sneakily replaced the chips in their products with newer models that do not support promiscuous mode either.
So basically, either you'll pay some guy on the internet whatever price he's managed to gouge up for his old network card, or you buy one of these.
I have the mark 5, old, but still a goodie, with a 16dbi yagi. But then again, the same thing can be done on a linux machine with an usb alfi antenna.
😂😂😂the ending!!👌🏼👌🏼👌🏼 thought I was the only one who sings Mambo #5 to myself to calm down & go to my happy place 😂😂😂😂😂
Honestly thanks for making this shit easier will make my job a lot better, have to get my hands on some of this equipment
I remember how shocked I was when I first saw a movie advertised and the ad included a website that was just about that one movie. I wish I could remember what movie it was, but I was blown away and part of me could not believe in something SO cool and big being done for just one movie.
When's the arm wrestling episode?
I'm guessing Tor vs a Pineapple is also effective protection
Shannon and Brian .... hak5 and scam school from the revision 3 days on the same set. My two favorite shows of all times!!
Keep it up make more of this kind of episodes
you dont need a pineapple to do mitm... i mean, not that i would know...
I mean the pineapple does make it nice and pretty, heaven for script kiddies
14:04 when did this change I know for sure that just not to long ago that you could leave a known pw protect wifi with and "evil AP" with no pw but same SSID and it would connect/could get the pw threw an uncompleted 3 way hand shake and script it to auto update it's pw
More of that knowledge I never knew I needed
I ordered my upgrade!!! Cannot wait for it to get here. Big upgrade from my mark 5
6:14 - I have a pen... I have pineapple... UH... *PineapplePen!*
The reality is: HTTP telnet or other easily crackable non-hash sites/services are NOT common. 99% of your services are HTTPS. Real hackers do Phishing, not sniffing.
Real hackers pop RCEs and 0days
Real hackers have the patience to wait for the 1% to occur.
OMG. You got Shannon Morse on your show??
Ok. You're a REAL show now!😂😂
I just might subscribe. 😎
13:49 the past searches killed me. I’d like to think that when he looked up Jason Murphy screaming, he couldn’t find it so he then looked up Jason screaming gif modern rogue. 😂😂
I never connect to public wifi. It seems pretty ridiculous to do that in 2019.
Agreed. Thank you unlimited data.
But when you're traveling to a foreign country you really don't have a choice unless you're willing to pay crazy amounts for a prepaid sim with unlimited data. That's why a VPN is a good thing to have.
Why? If anything it's much safer to do it in 2019. Every modern website has https. All modern browsers warn you if that's not the case.
@@jojo60rules But we're in 2019, not in the first days of https or 'encryption'. Hackers are evolving and they *can* steal your data now even without notifying you. It is much more dangerous to do it now than like in 2010.
It's a good idea to avoid it at all costs, moreso If you have sensetive data on your device or plan on using it for banking or to order online.
The real problem isn't just having some script kids with a Pineapple or other system sniff out your data, more advanced MITM attacks exist where the actual portal is spoofed. Then popular websites you may use are also replicated. Imagine logging into Starbucks but Infact you are logging into someone else's machine.
If you look around some places you might see a person with a notebook computer in a dark corner looking over his shoulder 👀 while they are sniffing out traffic or running a fake AP.
Get some cover plates for those outlets lol. It's great they put your PEX above your electric! ,,,😮 Sorry I'm an electrician, it bugs me. At least they used GFCI outlets.
I love that Jason's calm place is mambo no.5 XD
Shannon:"Even the websites you visit" *SMILES LIKE A MANIAC*
Her laptop is the Kawaii hotspot
Kawai-fi?
HM01 you deserve my like. just take it
HM01 Ohhhhh I got your name lol
Cut/Fly/RockSmash/firethrower
That’s how my charizard was.
Commenting b4 i watch, bet its nord vpn. As first comment, i stand corrected
Just thought id say it, but the modern rogue is the of the few things that brings REAL joy into my life
Here for Shannon, my all time fav host
“This thing looks dangerous”, dude it just looks like a router
Yeah but why would you bring a router to a public place xD
So using standard 3 or 4g is safer than wifis?
Not really...
There's a version of this for 3/4g called a ISMI catcher. More or less a fake cell phone tower that does the exact same thing. You may have heard them referred to as stingrays. They can also be used to intercept sms.
@@faint525 You can't intercept traffic with them on 3/4G networks. you can only track devices and know when calls are made and sms are sent but not to who or where since that's still encrypted.
@@faint525 There is NO 3g/4g IMSI cather. Only IMSI catcher there exist is 2g ONLY.
4g (and 5g) will make attacking carrier wireless network even more difficult with MU-MIMO and beamforming so whatever data you are getting could only be catched very close to a straight line beetween cell tower and your device
It should be known that the vast majority of websites nowadays utilize HTTPS which added a layer of RSA encryption onto the standard HTTP protocol. RSA is an encryption scheme explicitly designed to prevent man-in-the-middle attacks from seeing the data you send and receive. It can still see the basic HTTP request to the website, but it won't be able to see any of the content, neither web pages or login credentials.
True, It's disappointing to see a Hak5 employee grinning when asked if this device can intercept anything, instead of taking the opportunity to clarify this essential point. It's a disservice, really.
Love the Legend of Zelda shirt and all the hacking skills.
Also great stickers on the laptop.
Littering mobile devices with stickers isn't just a style thing. It's also an anti theft measure.
It lowers the value in mutliple ways:
1. easier to recognize (very bad for stolen goods)
2. cheap stuff is more often full of stickers (so the perceived value goes down) (new expensive business laptops will rarely have stickers because the user often doesn't own them)
3. it will look more used (which lowers the price of anything)
And i probably still forgot one or two.
If potential thief has the choice this laptop will be more likely left behind.
Damn is it just me or is she super touchy feely with Brian
You say that like most women who watch this wouldn't be
What woman wouldn't be with Brian
@@moombadoomtrooper8590 why you gotta discriminate
Jason's wife will cut a bitch. It's just safer.
I like to imagine them reading these comments
Did Brian leave his bartending job or is he a hacker on the side?
I’m a legitimate hacking bartender.
Hak5, FTW. Great job, Shannon!
I want to see the outtakes for this episode lol
Well, I can carry out the same attack with my regular rooted android phone or a kali linux laptop. It might be a bit messy to get all those scripts and extended range but that's for sure you shouldn't be that excited over these attacks. You can set up a captive portal easily with fluxion and a kali linux machine. The pineapple is just great for those who wants a shitton of range with easily accessible scripts and can carry it around. In short, you can achieve the same results with a regular laptop running kali and a good network card that supports packet injection and mon mode with a good range.
Kali script kid? 🤦♂️
I just need my wifi adapter and my linux machine 🤐
How do you do that?
True
I just need my android phone.
u can basically make your own pineapple thing
if you're interested
just reply and i'll contact you
u can install it on a drone and let it go
4:55 - Another thing possibly looking for wifi (and very likely broadcasting wifi) is your car. Those probe requests for the SSID's "OTA" and "AHMOTA" as seen in the list,seem to be related to Honda(and Acura) vehicles/dealerships,AFAICT. I'm assuming they can do some kind of Over-The-Air (OTA) updates to the 'infotainment' systems in those vehicles.
A friend of mine did this on the school. He didn't get expelled... I miss that principal
Just buy a raspberry pi and a mon mode wifi adapter, it’s way cheaper.
Help me out bro, I have no idea about any of this but I need help :(
azainho makahue if you want to learn then learn linux and python 3 first, after that learn a bit of networking and make a lab.
YOOOOOOOOO
GURT
She looks like a stereotypical video game hacker. Rainbow hair, a million laptop stickers, and a flannel over top of a somewhat nerdy tshirt
Using command prompt, you could do the reverse thing.
Your computer sends pings, and legit wifi-stations send signals back. Using a few commands in command prompt, you could get about 8/10 wifi-passwords and use their wifi internet (most of the time private, because (again, in most cases) they aren't encrypted, but sometimes business wifi works too).
Wireless: 0
Wired: 1
Flawless Victory
(Except not mobile)
And no radiation and wired is faster!
Wouldn’t this be more of a rouge AP attack since it isn’t really exploiting anything besides the SSID name
As they always say -- it's R-O-G-U-E, there's an OG in Rogue
SPELL IT RIGHT
I love that Mr. Robot sticker you have Brian
When the device spoofs the the AP GUID , ie. Cisco, Linksys, etc. (I'm only assuming that it's changeble, since hostapd, etc allows setting all of that esoteric info).. does your openwrt mod console somehow maintain a table of GUIDs that, for instance, Starbucks uses as public facing hotspots? So like a giant table of vendors manufacturers, because otherwise it seems to me like a good idea for consumer endpoint software to verify that to protect users from bad APs, no? I hope my question was clear.. :-)
Gross.
Everyone who's actually interested in doing something like this without paying for an overpriced device
If you have an android. Root it and install cSploit. It's an app you can steal data, and a lot more with.
It's a penetration testing tool. I'm saying this because you *totally* shouldn't be using it for illicit purposes.
If you have a laptop. Even better! Dual boot linux on it and get a wifi adapter that supports monitor mode. This is very powerful.
Or just use tshark. Although this has more uses for MITM than just capturing packets over an open network.
Specifically get Kali linux for stuff like this. It comes with a ton of tools for this kind of thing preloaded.
Install magisk, then the nethunter module. Will be completely useless because script kiddie.
Zanti is another option for android.
I just use wifikill so the wifi is faster for me
It sucks that VPNs are so expensive. I would use NordVPN if it were indeed $2 a month. But you have to get the 3 year plan that's almost $400 up front. I dont have that much money to spend at once. Nord is biting themselves in the ass by doing that.
NOBODY would use the other overpriced VPNs if they would just charge $2 to $5 a month, contract free.
You could just make your own for that price. Get a cheap server and run the Road Warrior VPN script ( first link in Google).
It's faster as it's just you on it and it's encrypted. However you do lose some annoymousity from hiding in the crowd.
Mullvad is $5 a month.
I use NordVPN, but you could get the free BearVPN for situations like these when you are on public wifi.
You can also quite easily setup your own home VPN using a linux machine and forwarding the correct port on your gateway. A plus of this is if you have a home media server you can access it from anywhere with decent speed and security.
I am excited for the next episode, why don't you see if you can capture sessions over SSL and try things like cracking wifi passwords with the pineapple. That would be interesting.
The other day I found a USB on the side of the streat. If I didn't see the last episode, I would've plugged it in, thanks Modern Rouge!
"Lab environment" - Uses room with exposed fiberglass insulation. XD
Mambo #5 as Jason's "safe place".... hahahhahahhahahhaaa too good, too good. =)
I like how the hacker shed would look like mine showing the insulation in the walls haha.
You guys should make a video about images meta data. Using images meta data you can determine exactly where someone took there last selfy via the GPS saved into the image file when it was taken and also the direction it was taken in, as well as the time and date of course. Theres methods to remove them and I think all this information about this security hole is useful for everyone to know. Also there's a great story about the US military and uploading images of there new war planes going wrong because of image meta data.