These instructions are only for the WiFi Pineapple Mark II.

Do not attempt on unsupported hardware

John Bebo’s Auto-Rickroll payload for the WiFi Pineapple is an excellent example of using Dnsmasq to forward targets to a hosted site. While this site could be malicious, perhaps hosing the Browser Exploitation Framework, Bebo’s payload is a safe and simple prank. Any web site a victim attempts to browse to brings them to a WiFi Pineapple hosted page containing Rick Astley ASCII Art and looping audio. It uses a similar technique employed by Captive Portals – something we’ll explore in more detail soon – except a lot more annoying.

Thanks to great documentation from Bebo and Hak5 forum member Psychosis setting up your own Auto-rickrolling WiFi Pineapple is super simple. In fact, this will work on just about any OpenWRT based wireless access point – but we’ll be focusing on the WiFi Pineapple specifically for its Jasager abilities.

This article will focus on setting up the Auto-Rickroll payload in Windows so the every handy PuTTY and WinSCP tools will be used. If you’re on Mac or Linux you already have SSH and SCP. We’ll also be taking a beginners approach, so if you’re a guru you can simply download the payload and take a look at the commands at the end of the article.

Demonstration

First begin by download this package containing all of the configuration and www files. Extract the contents to a temporary directory. You should notice index.html as well as NGGUP.mp3 and NGGUP.wav – these are the www files. You’ll also notice extension-less files dhcp, network and wireless. These are the configuration files.

WiFi-Pineapple-auto-rickroll-1

Next connect your WiFi Pineapple to a computer via an Ethernet cable. In its default configuration the WiFi Pineapple has the IP address of 192.168.1.1 and will assign your computer an IP address in that range using DHCP.

wifi-pineapple-auto-rickroll-2

To test your connection to the WiFi Pineapple open a shell and issue the ipconfig command. You should have a 192.168.1.x IP address with your default gateway set as 192.168.1.1. Depending on your configuration you may need to disconnect from any wireless or other networks you are currently connected to. Issuing ping 192.168.1.1 should result in four replies.

wifi-pineapple-auto-rickroll-3

Now that you’re directly connected to the WiFi Pineapple open WinSCP. Enter 192.168.1.1 as the host name. Leave 22 as the port number. Enter root for the user name and your password. By default the WiFi Pineapple has a password of “pineapples are yummy”. Select SCP from File protocol and click Login. You may receive two errors regarding group lookup, which are safe to disregard.

wifi-pineapple-auto-rickroll-4

Now that you’re logged into the WiFi Pineapple with WinSCP you can begin transferring files. In the left-pane navigate to the temporary directory to which you extracted the files in the first step. The right pane will be /root on the WiFi Pineapple by default. Select the 6 extracted files on the left and drag them to the right.

wifi-pineapple-auto-rickroll-5

Click Copy to confirm the command and wait for the procedure to complete.

wifi-pineapple-auto-rickroll-6

Now that the files have been copied we’re ready to put them in the appropriate places on the device.

wifi-pineapple-auto-rickroll-7

Open PuTTY and enter 192.168.1.1 in the host name field. Port 22 should be entered by default. Click Open to connect. The first time doing this you will be asked to save the key. Click yes if prompted.

wifi-pineapple-auto-rickroll-8

When prompted login as root. Again, the default password is “pineapplesareyummy” (sans quotes). Issuing the “ls” command will display the files we copied over in the previous step.

wifi-pineapple-auto-rickroll-9

Move the index.html and NGGUP files to /www with the command “mv index.html NGGUP.* /www/” Issuing the “ls” command again will show that only the configuration files remain.

wifi-pineapple-auto-rickroll-10

Before moving the configuration files to their appropriate location we’ll want to backup the existing files – just in case we ever want to go back to the default. Navigate to the config directory with the “cd /etc/config” command. Again “ls” will display all of the files in this directory.

Rename network, dhcp and wireless to network.bak, dhcp.bak and wireless.bak respectively using the mv command. For example, “mv dhcp dhcp.bak”

wifi-pineapple-auto-rickroll-12

Now you’re ready to move the auto-rickrolling configuration files to /etc/config. Since you’re already in that directory use the command “mv ~/* .” (notice the space between * and .). This command says to move (mv) everything (*) from the home directory (~/ – in our case /root since we’re logged in as root) to the current working directory (.).

wifi-pineapple-auto-rickroll-13

Again issuing “ls” will show that the configuration files have moved.

Next we’ll need to modify the dnsmasq config file. By default it does not exist in /etc/ so to create a new one we’ll need to issue the command “touch /etc/dnsmasq.conf”

Once the file has been created we’ll need to add one line to it. We could use a text editor such as vi but I find it easier to simply echo the line into the file. Issue “echo “address=/#/192.168.1.1” > /etc/dnsmasq.conf” (mind the quotes around address=/#/192.168.1.1). The echo command prints whatever is written within the quotes. By default it is written to the screen, but since we used a greater-than sign we specified that the output of the echo command go into the file – in our case /etc/dnsmasq.conf. Alternatively if we were echoing multiple lines into the file we would use two consecurive greater-than signs, which append to the end of a file.

To verify that the configuration has been written issue “cat /etc/dnsmasq.conf”, which will return what we wrote in the previous step, sans quotes. The /#/ part of the command is a wildcard, meaning any address your target attempts to browse to will forward to, in this case, 192.168.1.1.

wifi-pineapple-auto-rickroll-14

Now we’ll also need to modify the /etc/init.d/jasager configuration file so that is begins karma immediately upon powering on. This is the only step specific to the WiFi Pineapple and can be considered optional. I like the idea of karma coming up on its own with this configuration – it really automates the whole attack. Since the WiFi Pineapple doesn’t need Internet access (it’s forwarding everything to an internally hosted page) it’s just a matter of plugging in the battery pack and turning it on.

We’ll need to add a block of commands to a function, so a proper text editor is in order. For this issue “vi /etc/init.d/jasager”

Cursor down to the iptables command and press “i” to insert. Now prepend a # to the command to comment it out. Next, after the tail command and before the function closes enter the following string of commands exactly as outlined here. Save and close the file by pressing the escape key followed by : (colon), x (x) and enter.

wifi-pineapple-auto-rickroll-15

Finally our configuration changes are complete and it is time to reboot, so either pull the plug on the pineapple or issue the “reboot” command. When everything comes back up either stay connected via ethernet or connect via WiFi to the newly renamed SSID of “ricknet” (or any other Jasager-ized SSID). Browse to any website and enjoy the rickroll action.

wifi-pineapple-auto-rickroll-16

Quick steps

#scp * to your pineapple
mv *. /etc/config
mv * /www/
touch /etc/dnsmasq.conf
echo “address=/#/192.168.1.1” > /etc/dnsmasq.conf
vi /etc/init.d/jasager
#add to start()
wlanconfig ath0 create wlandev wifi0 wlanmode master 2>&1 > /dev/null
iwpriv ath0 karma 1
brctl addif br-lan ath0
ifconfig eth0 up
#comment out iptables command
reboot

Auto-Rickrolling WiFi Pineapple

167 Comments

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>