weyne/wifipineapple-wiki
1
0
Fork 0
mirror of https://github.com/hak5darren/wifipineapple-wiki.git synced 2025-10-29 16:59:29 +00:00
Code Issues Packages Projects Releases Wiki Activity
wifipineapple-wiki/legacy/add_ssl.md
Darren Kitchen 94fa56f4bc Move old wiki into legacy sub folder
2016-03-22 14:45:52 -07:00

4.9 KiB
Raw Blame History

Change Pineapple Web UI to SSL

Why

As the WiFi Pineappple has become more popular, it has also become more of a target. By default, the WebUI is served using HTTP which is unencrypted. This means that anyone also connected to the Pineapple over WiFi could sniff the network traffic and possibly be able to determine the authentication details to be able to access the WebUI themselves. A solution to this is to use SSL encryption over the HTTP connection (otherwise known as HTTPS).

Install Packages

There are a few packages that we will need to install first.

Note: You will need an active internet connection on your Pineapple to perform this step.

opkg update
opkg --dest usb install libopenssl
opkg --dest usb install openssl-util

Create config files

Next we need to configure SSL.

mkdir -p /etc/ssl/certs
nano /etc/ssl/openssl.cnf

Here is an openssl.cnf if you don't want to customize anything:

dir					= .

[ ca ]
default_ca				= CA_default

[ CA_default ]
serial					= $dir/serial
database				= $dir/certindex.txt
new_certs_dir				= $dir/certs
certificate				= $dir/cacert.pem
private_key				= $dir/private/cakey.pem
default_days				= 365
default_md				= md5
preserve				= no
email_in_dn				= no
nameopt					= default_ca
certopt					= default_ca
policy					= policy_match

[ policy_match ]
countryName				= match
stateOrProvinceName			= match
organizationName			= match
organizationalUnitName			= optional
commonName				= supplied
emailAddress				= optional

[ req ]
default_bits				= 2048			# Size of keys
default_keyfile				= key.pem		# name of generated keys
default_md				= md5				# message digest algorithm
string_mask				= nombstr		# permitted characters
distinguished_name			= req_distinguished_name
req_extensions				= v3_req

[ req_distinguished_name ]
# Variable name				Prompt string
#-------------------------	  ----------------------------------
0.organizationName			= Organization Name (company)
organizationalUnitName			= Organizational Unit Name (department, division)
emailAddress				= Email Address
emailAddress_max			= 40
localityName				= Locality Name (city, district)
stateOrProvinceName			= State or Province Name (full name)
countryName				= Country Name (2 letter code)
countryName_min				= 2
countryName_max				= 2
commonName				= Common Name (hostname, IP, or your name)
commonName_max				= 64

# Default values for the above, for consistency and less typing.
# Variable name				Value
#------------------------	  ------------------------------
0.organizationName_default		= Hak5
localityName_default			=
stateOrProvinceName_default		=
countryName_default			= UK
commonName				= pineapple

[ v3_ca ]
basicConstraints			= CA:TRUE
subjectKeyIdentifier			= hash
authorityKeyIdentifier			= keyid:always,issuer:always

[ v3_req ]
basicConstraints			= CA:FALSE
subjectKeyIdentifier			= hash

Prepare Certificates

Now we begin creating our certificates which will be used in the encryption process.

cd /etc/ssl/certs

Make Private Keys

To generate the private SSL keys, issue the following commands:

openssl genrsa -aes128 -out server.key 2048
openssl genrsa -aes128 -out ca.key 2048

Remove Password From Private Key

We need to remove the password from our private key for obvious security reasons.

openssl rsa -in server.key -out server.key

Generate CA Certificate

The CA certificate will be used to confirm the Pineapple's identity to our browser.

openssl req -new -x509 -days 3650 -key ca.key -out ca.pem

Generate Certificate Signing Request

Using our CA certificate we "sign" our private key to confirm that the Pineapple is what we think it is.

openssl req -new -key server.key -out server.csr

Self-Signed Certificate

Now we can self-sign our certificate.

openssl x509 -req -days 3650 -in server.csr -CA ca.pem -CAkey ca.key -set_serial 01 -out server.pem

Note: Don't forget to install the self-made CA certificate (ca.pem) into your browsers certificate store.

Nginx Configuration

Finally we need to edit our Nginx (the web server that runs on the WiFi Pineapple) configuration file.

Enter nano /etc/nginx/nginx.conf into the terminal and make the following changes:

	server {
	        listen       1471 ssl;		# Port, make sure it is not in conflict with another http daemon.
	        server_name  pineapple;	# Change this, reference -> http://nginx.org/en/docs/http/server_names.html
                ssl_certificate     /etc/ssl/certs/server.pem;
                ssl_certificate_key /etc/ssl/certs/server.key;
                ssl_protocols       SSLv3 TLSv1 TLSv1.1 TLSv1.2;
                ssl_ciphers         HIGH:!aNULL:!MD5;

Note: Don't forget to change the certificate and certificate key to whatever you named them in the earlier steps.

Now you can restart Nginx with:

/etc/init.d/nginx restart

You should now be able to access your WiFi Pineapple at https://172.16.42.1:1471 and log in securely over HTTPS!