HOWTO : TP-Link TL-MR3020 (Pocket Router) as Wifi Pineapple



PLEASE CONSIDER THIS ARTICLE OUTDATED, AS THE PINEAPPLE FIRMWARE IS NO LONGER SUPPORTED BY THE ORIGINAL AUTHOR. THE FIRMWARE IS ALSO VULNERABLE. PLEASE DO NOT TRY TO DO IT. I DO NOT SUPPORT IT ANYMORE EITHER. THANKS.







PLEASE DO NOT FOLLOW THIS TUTORIAL TO SET UP YOUR DIY WIFI PINEAPPLE AS IT IS OUTDATED AND INCOMPLETE. A 100% WORKABLE AND SIMPLE TUTORIAL IS HERE.





Hardware



(1) TP-Link TL-MR3020

(2) SanDisk Cruzer Fit USB Flash Drive (8GB)



Software



(1) OpenWrt

(2) Wifi Pineapple Web Interface

(3) Wifi Pineapple (some of the configuration, library and program files only)



The Wifi Pineapple is made by Hak5. It is quite an expensive device. It is also known as Jasager, which is German for "Yes Man".



The Wifi Pineapple is a Wifi access point (AP) that answers "Yes" to every Wifi connection request.



If a Wifi client is looking for the SSID McDonald's, the Pineapple (or Jasager) will reply "That's Me!". If another Wifi client is looking for the SSID Starbucks, the Pineapple will again reply "That's Me!".



From this position you can attack WiFi clients and perform Man-in-the-Middle (MitM) attacks on the victims' internet traffic.
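
Seen from the monitoring side, the behaviour described above has a recognisable signature: a single BSSID sending probe responses for several unrelated SSIDs. The following shell script is an added example, not part of the original article; the tab-separated input format, the sample records and the function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed sample: probe responses seen by a wireless sensor,
# one per line as "<bssid><TAB><ssid>". All values are made up.
sample_probe_responses() {
    printf '%s\t%s\n' \
        '00:11:22:33:44:55' 'HomeNet' \
        '00:11:22:33:44:55' 'HomeNet' \
        '02:de:ad:be:ef:01' 'Starbucks' \
        '02:de:ad:be:ef:01' 'CoffeeShop-Guest' \
        '02:de:ad:be:ef:01' 'HomeNet' \
        '00:11:22:33:44:66' 'Office'
}

# Print "<bssid> <count>" for every BSSID that answered for at least
# $1 distinct SSIDs. Reads tab-separated records on stdin.
# An ordinary AP usually answers for one SSID per BSSID, so a BSSID
# that claims many different names is worth a closer look.
flag_multi_ssid_bssids() {
    awk -F '\t' -v min="$1" '
        NF == 2 && !seen[$1 SUBSEP $2]++ { count[$1]++ }
        END { for (b in count) if (count[b] >= min) print b, count[b] }
    ' | sort
}

sample_probe_responses | flag_multi_ssid_bssids 3
```

The threshold is a tuning choice: set it above the number of SSIDs your own access points legitimately serve from one BSSID.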



Now, we are going to make a custom Wifi Pineapple at a much lower price, about US$30 or less.



Step 1 :



Download OpenWrt (Attitude Adjustment 12.09, r36088 at the time of writing) :



If you are installing fresh from the stock firmware of the TP-Link TL-MR3020 -

wget http://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/openwrt-ar71xx-generic-tl-mr3020-v1-squashfs-factory.bin



If you are upgrading from a previously installed OpenWrt -

wget http://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/openwrt-ar71xx-generic-tl-mr3020-v1-squashfs-sysupgrade.bin
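
Both images are fetched over plain HTTP, and flashing the wrong kind of image can leave the router unusable, so it is worth checking the file before uploading it. The following shell function is an added example, not part of the original article; the function name is an assumption, and it assumes you have a checksum list in md5sum output format for the release, obtained from a source you trust.

```shell
#!/bin/sh
# check_image <current-firmware: stock|openwrt> <image-file> <sums-file>
# Returns 0 only if the image is the right kind for the firmware the
# router runs now and its MD5 matches the entry in the checksum list.
# A list fetched over the same plain-HTTP channel as the image only
# catches corruption, not tampering.
check_image() {
    current=$1 image=$2 sums=$3
    name=$(basename "$image")
    case "$current:$name" in
        stock:*-squashfs-factory.bin) ;;       # first flash from TP-Link firmware
        openwrt:*-squashfs-sysupgrade.bin) ;;  # upgrade of an existing OpenWrt
        *) echo "wrong image kind for $current firmware: $name" >&2; return 2 ;;
    esac
    # md5sum lists look like "<hash>  <name>" or "<hash> *<name>".
    want=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
                             f == n { print $1; exit }' "$sums")
    [ -n "$want" ] || { echo "no checksum entry for $name" >&2; return 3; }
    have=$(md5sum "$image" | awk '{ print $1 }')
    [ "$have" = "$want" ] || { echo "checksum mismatch for $name" >&2; return 1; }
}

# Demo on a constructed stand-in file (not a real firmware image).
demo() {
    d=$(mktemp -d)
    f="$d/openwrt-ar71xx-generic-tl-mr3020-v1-squashfs-factory.bin"
    printf 'constructed bytes' > "$f"
    (cd "$d" && md5sum "$(basename "$f")" > md5sums)
    check_image stock "$f" "$d/md5sums" && echo "factory image verified"
    check_image openwrt "$f" "$d/md5sums" || echo "refused: rc=$?"
    rm -rf "$d"
}
demo
```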



Configure your computer with a static IP address :



IP address : 192.168.0.10

Gateway : 192.168.0.1




The default IP address of stock TP-Link TL-MR3020 is 192.168.0.254.



The username and password of the stock TP-Link TL-MR3020 are both "admin".



Go to "System Tools" -- "Firmware Upgrade" and upgrade using the .bin file you just downloaded.



Step 2 :



Once upgraded to OpenWrt, your device's IP address will change to 192.168.1.1.



Then set a very STRONG root password at "System" -- "Administration".



Enable wireless at "Network" -- "Wifi".



Enable DHCP at "Network" - "Interfaces" - "Edit" - select "DHCP Client" and "OpenWrt".



Now, connect your ethernet cable to the TL-MR3020. Connect your computer to the TL-MR3020 via wifi and the SSID is "OpenWrt".



Once you get the IP address, such as 192.168.1.100, you can connect to the TL-MR3020 via ssh.



ssh 192.168.1.100 -lroot



Enter the very STRONG root password you just created.



Install the following packages :



opkg update

opkg install kmod-usb-storage

opkg install kmod-fs-ext4

opkg install block-mount




Step 3 :



Format your USB pendrive (8GB) as ext4 and swap, e.g. 2GB for swap (sda1) and 6GB for ext4 (sda2).



Then insert the USB pendrive into the TL-MR3020. Execute the following commands line by line.



mkdir -p /mnt/sda2

mount /dev/sda2 /mnt/sda2

mkdir -p /tmp/cproot

mount --bind / /tmp/cproot

tar -C /tmp/cproot -cvf - . | tar -C /mnt/sda2 -xf -

umount /tmp/cproot

umount /mnt/sda2




Step 4 :



/etc/init.d/fstab enable

/etc/init.d/fstab start




vi /etc/config/fstab



Change the content to the following :



config mount

        option target /

        option device /dev/sda2

        option fstype ext4

        option options rw,sync

        option enabled 1

        option enabled_fsck 0



config swap

        option device /dev/sda1

        option enabled 1




The following are the basic vi commands if you are not familiar with vi :



i - go to the insert mode and ready for edit

Esc - exit from insert mode

:w - write the changes to the file

:q - quit the vi



Then type the following command to reboot the device :



reboot



Once it boots up again, log in to it via ssh.



To check if the USB pendrive is mounted as "/" or not :



mount

df
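
More than one line of the mount output can name "/" as its mount point, so it is easy to misread. The following shell script is an added example, not part of the original article; the two mount listings are constructed samples of what the output may look like before and after the change, and the function names are assumptions.

```shell
#!/bin/sh
# Constructed `mount` output: still running from internal flash.
mount_before() { cat <<'EOF'
rootfs on / type rootfs (rw)
/dev/root on /rom type squashfs (ro,relatime)
/dev/mtdblock3 on /overlay type jffs2 (rw,noatime)
overlayfs:/overlay on / type overlayfs (rw,noatime,lowerdir=/,upperdir=/overlay)
EOF
}
# Constructed `mount` output: root moved to the USB pendrive.
mount_after() { cat <<'EOF'
rootfs on / type rootfs (rw)
/dev/root on /rom type squashfs (ro,relatime)
/dev/sda2 on / type ext4 (rw,sync,relatime)
EOF
}

# Print "<device> <fstype>" of the filesystem actually serving "/".
# Several entries can list "/" as mount point; the last one is on top.
effective_root() {
    awk '$2 == "on" && $3 == "/" && $4 == "type" { dev = $1; fs = $5 }
         END { if (dev != "") print dev, fs }'
}

# Succeeds only when "/" is the ext4 partition set in /etc/config/fstab
# (default /dev/sda2). Reads `mount` output on stdin.
root_is_usb() {
    [ "$(effective_root)" = "${1:-/dev/sda2} ext4" ]
}

mount_after | root_is_usb && echo "root is on the USB pendrive"
mount_before | root_is_usb || echo "root is still on internal flash"
# On the router itself: mount | root_is_usb /dev/sda2
```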




Then install any package that you like, such as :



opkg update

opkg install nano

opkg install htop

opkg install bash

opkg install netcat

opkg install tar

opkg install openssh-sftp-client

opkg install nmap

opkg install tcpdump

opkg install aircrack-ng

opkg install kismet-client

opkg install kismet-server

opkg install nbtscan

opkg install snort

# karma should be installed

opkg install karma

opkg install samba36-client

opkg install elinks

opkg install yafc

opkg install python

opkg install uhttpd

# at should be installed

opkg install at

opkg install ethtool

opkg install ettercap

opkg install macchanger

opkg install netstat-nat

opkg install reaver

opkg install sslsniff

opkg install sslstrip

opkg install wget

opkg install wput

opkg install curl

# libnids should be installed

opkg install libnids

# php5 and php5-cgi should be installed

opkg install php5

opkg install php5-cgi




/etc/init.d/atd enable

/etc/init.d/atd start

touch /var/spool/cron/atjobs/.SEQ




Step 5 :



Download the Pineapple upgrade package to your computer (Ubuntu in this example) :



wget -O upgrade-2.8.1.bin 'http://wifipineapple.com/index.php?downloads&downloadUpgrade=2.8.1'



Install unsquashfs on your Ubuntu if you do not have it :



sudo apt-get install squashfs-tools



Extract the files from the upgrade-2.8.1.bin :



unsquashfs upgrade-2.8.1.bin



cd squashfs-root




Copy the following files to the TL-MR3020 via ssh :



Disable "Wireless" on the Pineapple webpage before running the following command :



scp /home/samiux/test/squashfs-root/usr/sbin/wpad root@192.168.1.100:/usr/sbin



Make sure you restart "Wireless" when done.



scp /home/samiux/test/squashfs-root/usr/sbin/hostapd_cli root@192.168.1.100:/usr/sbin

scp /home/samiux/test/squashfs-root/lib/wifi/hostapd.sh root@192.168.1.100:/lib/wifi




Step 6 :



Download the Pineapple Web Interface source code to /home/samiux/test/pineapple :



sudo apt-get install git

git clone https://github.com/WiFiPineapple/web-interface.git /home/samiux/test/pineapple




Replace the incompatible commands :



grep -lr -e 'ps auxww' /home/samiux/test/pineapple/* | xargs sed -i 's/ps auxww/ps/g'

grep -lr -e 'ps aux' /home/samiux/test/pineapple/* | xargs sed -i 's/ps aux/ps/g'

grep -lr -e 'ps -all' /home/samiux/test/pineapple/* | xargs sed -i 's/ps -all/ps/g'




Then copy the directories to the TL-MR3020 via ssh :



scp -r /home/samiux/test/pineapple/ root@192.168.1.100:/



Download or copy the following files to "/home/samiux/test" :



/etc/config/dhcp :





/etc/config/firewall :





/etc/config/network :





/etc/config/uhttpd :





/etc/php.ini :





Then copy the following files to the TL-MR3020 via ssh :



scp /home/samiux/test/dhcp root@192.168.1.100:/etc/config

scp /home/samiux/test/firewall root@192.168.1.100:/etc/config

scp /home/samiux/test/network root@192.168.1.100:/etc/config

scp /home/samiux/test/uhttpd root@192.168.1.100:/etc/config

scp /home/samiux/test/php.ini root@192.168.1.100:/etc




Step 6a :



scp /home/samiux/test/squashfs-root/usr/sbin/autossh root@192.168.1.100:/usr/sbin/

scp /home/samiux/test/squashfs-root/usr/sbin/chat root@192.168.1.100:/usr/sbin/

scp /home/samiux/test/squashfs-root/usr/sbin/dnsspoof root@192.168.1.100:/usr/sbin/

scp /home/samiux/test/squashfs-root/usr/sbin/dsniff root@192.168.1.100:/usr/sbin/

scp /home/samiux/test/squashfs-root/usr/sbin/empty root@192.168.1.100:/usr/sbin/

scp /home/samiux/test/squashfs-root/usr/sbin/filesnarf root@192.168.1.100:/usr/sbin/

scp /home/samiux/test/squashfs-root/usr/sbin/macof root@192.168.1.100:/usr/sbin/

scp /home/samiux/test/squashfs-root/usr/sbin/mailsnarf root@192.168.1.100:/usr/sbin/

scp /home/samiux/test/squashfs-root/usr/sbin/msgsnarf root@192.168.1.100:/usr/sbin/

scp /home/samiux/test/squashfs-root/usr/sbin/sshmitm root@192.168.1.100:/usr/sbin/

scp /home/samiux/test/squashfs-root/usr/sbin/sshow root@192.168.1.100:/usr/sbin/

scp /home/samiux/test/squashfs-root/usr/sbin/tcpkill root@192.168.1.100:/usr/sbin/

scp /home/samiux/test/squashfs-root/usr/sbin/tcpnice root@192.168.1.100:/usr/sbin/

scp /home/samiux/test/squashfs-root/usr/sbin/urlsnarf root@192.168.1.100:/usr/sbin/

scp /home/samiux/test/squashfs-root/usr/sbin/update-usbids.sh root@192.168.1.100:/usr/sbin/

scp /home/samiux/test/squashfs-root/usr/sbin/webmitm root@192.168.1.100:/usr/sbin/



scp /home/samiux/test/squashfs-root/lib/librpc.so root@192.168.1.100:/lib/

scp /home/samiux/test/squashfs-root/lib/libuClibc-0.9.33.2.so root@192.168.1.100:/lib/




scp -r /home/samiux/test/squashfs-root/etc/chatscripts root@192.168.1.100:/etc/

scp -r /home/samiux/test/squashfs-root/etc/gcom root@192.168.1.100:/etc/

scp -r /home/samiux/test/squashfs-root/etc/usb_modeswitch.d root@192.168.1.100:/etc/




scp /home/samiux/test/squashfs-root/www/* root@192.168.1.100:/www/



Remarks :



A simpler way is to insert the USB pendrive into your computer and copy the said files to the USB pendrive from /home/samiux/squashfs-root or /home/samiux/test using sudo. However, you should make sure that you have completed everything up to Step 4.



Step 7 :



ssh 192.168.1.100 -lroot



Any upgrade/update from the Pineapple will brick your TL-MR3020, so you need to disable it.



touch /www/index.php

mv /pineapple/pages/upgrade.php /pineapple/pages/not-upgrade.php

touch /pineapple/pages/upgrade.php




Step 8 :



nano /etc/rc.local



hostapd_cli -p /var/run/hostapd-phy0 karma_enable




vi /etc/config/httpd.conf



Append the following :



/:root:$p$root



Reboot the TL-MR3020 :



reboot



After boot up, point your browser to the following url :



http://172.16.42.1:1471



Enter username as "root" and password as your very STRONG root password.



The SSID is "OpenWrt".



Step 9 (Connectivity) :



The following is one of the ways to use the Pineapple (TL-MR3020), by way of tethering :



Connect your laptop to internet via wireless or 3G.



Set Wired Connection at the Network Manager of the Ubuntu to :



Uncheck Connect Automatically at the wired connection of Network Manager of Ubuntu.



Then connect the CAT5/5e/6 cable to the Pineapple and your laptop.



At the laptop, download the script.



wget http://wifipineapple.com/wp4.sh

chmod +x wp4.sh

sudo ./wp4.sh








The source code of wp4.sh :







Now your computer (laptop) can access the internet and can also access the TL-MR3020. Victims can also access the internet when they are connected to your Pineapple.



When you want to reset what wp4.sh set, run the following script, which I created.



sudo ./killwp4.sh







Step 10 (Optional) :



The following is one of the ways to use the Pineapple (TL-MR3020) with a router or the like :



Change the content of the file "/etc/config/network" to the following :



If the IP address range of your router (such as a mobile phone with a tethering function) is 192.168.1.x, you can change the IP address of the TL-MR3020 to 192.168.1.10 and set the gateway to the gateway of your router (such as the mobile phone) :



option ipaddr '192.168.1.10'

option netmask '255.255.255.0'

option gateway '192.168.1.1'

option dns '8.8.8.8'




Important



There are TWO important things you should NOT do, otherwise, you will brick the TL-MR3020. They are :



First - Do NOT upgrade the OpenWrt;

Second - Do NOT upgrade the Pineapple in the normal way.





Known Issue



After several days of struggle setting up the TP-Link TL-MR3020 Pineapple, I tried to test the Karma function. However, I have some problems with it.



With Karma, I expected that the rogue access point created by Karma would accept all connections from nearby victim devices when they turn on their wifi and look for their desired networks. However, my TP-Link MR3020 does not work as I expected.



How does it not work?



I have a WPA2 CCMP encrypted access point and its SSID is HelloWorld. My DIY Pineapple's Karma SSID is OpenWrt without any encryption (open).



When I create a new network "OpenWrt" on my Android phone, my phone does not connect to OpenWrt but connects to HelloWorld instead, as I have connected to it before.



Secondly, I need to connect to OpenWrt manually. I disabled the wifi function on my phone and then enabled it again. My phone will then connect to OpenWrt automatically even though I have connected to HelloWorld before.



Thirdly, even when HelloWorld is turned off, my phone cannot connect to OpenWrt automatically if it has not connected to it before.



My questions are :



(1) How can the Karma on my DIY Pineapple pick up all the connections from nearby victim devices even if they do not connect to my Pineapple SSID manually?



(2) Do I misunderstand the function or feature of Karma? Or is my DIY Pineapple simply not working properly?






That's all! See you.