It’s that time of year again: Mystery Box Jackpot season! Here's how it works: Our job is to make you feel like you absolutely won the jackpot when you open your Mystery Box. Each and every Mystery Box Jackpot always has more value in it than what you paid for it. 100% of the time. And if you’re not happy? 100% satisfaction guarantee! Wanna snag one before they’re all gone? www.scamstuff.com/products/mystery-box-99 We’re giving away a Mystery Box Jackpot ($99 value) to TWO winners of our weekly free giveaway at gimme.scamstuff.com (no purchase necessary, giveaway ends 2/14/2019) Congrats to the winners of last week’s Cutaway Handcuffs giveaway: Laurent Holin, David Guy, and Kristina Zavala (we will contact you via email within the next two weeks)
Man. I used to use cain and abel back in the day to man in the middle. I wonder if it still works. Also, I built my own bash bunny with a raspberry pi zero after watching the last video you guys did on this.
I'd like to present an Epic Rogue Quest Concept to you. A Next Level Reality Show Concept to make the outdated model obsolete. I'll buy the beer for a virtual presentation.
A vpn can be more secure, but you're also shifting all your traffic to a server that you should trust. They can do the same thing as the pineapple. Luckily all important login portals are https so that doesn't matter. Just use a known good VPN for torrents or streaming content that's Geo restricted.
@@BuddyJesus Yep... most sites are HTTPS so you have to do a little more work lol. Really using MTM and having either your own SSL certs or using phssing websites/login portal to get username/passwords is what you have to do. Can do this HTTP stuff using wireshark... lol.
How did this not become a super long ad for Nord VPN?! That would've been a perfect segway. "What can we do to protect ourselves?" "Apparently use a VPN" "Speaking of which *commences pitch for Nord VPN*"
@@denism8494 its probably better this way, id rather have a product like that priced through the roof, instead of everyone being able to buy one, keeping them out of most ppls hands, limiting the chance bad ppl get their hands on them, and you average joe citizen doesnt really need one anyway
@@menofwar-os1wi if a bad person cannot afford this they probably also dont have the knowledge to use one. They aren't as simple to use as this video makes out, the limiting factor is not the price, it's the knowledge required. I am poor af, and I am an average person, however I also aspire to have a career in cyber security, therefore I would benefit by having one of these. I'm not saying hurr Durr gimme expensive shit for cheap, I'm just saying the actual value is inflated by videos like this that make it seem like a one stop piece of equipment that does everything and turns you into a 1337 H4X0R
@@denism8494 i can see your point of vieuw and understand what you are trying to tell me, and i mostly agree, but wouldnt said knowledge be obtainable through some googling? (and good luck with your carreer in cyber security)
CUZ IM A MODERN ROUUUUGE!! A little Mason Jurphey in my life A little Ryan Bushwood by my side A little bit of Grant is all I need A little bit of B-Rice is what I see A little bit of Scamming in the sun A little Modern Rouging all night long A little bit of Dresspants here I am A little grilled cheese makes me your fan *NAILED IT!!*
@@pluto8404 It left me whelmed. Like, it did it's job of being a search term. But why not go bigger or go for a complete curveball? Like, grilled cheese smoothie, reverse grilled cheese, grilled cheese without bread or something else absurd... Something that would make any sane person re-read that to make sure it says what they think it says. Basically, what these guys do best, leave their experts concerned or confused.
Brian and Jason THANK YOU for having Shannon on the show. I am learning more watching your show than I did attending high school during the summer. Thanks dudes. . . .A special shout-out to Nord VPN; to which I am a proud customer.
Jason screaming about net neutrality will always be the greatest moment on the show. I've caught myself at work trying to find that gif to just leave it on the computer as I'm leaving, so when the next person unlocks it, they are terrified lol
You guys should make a ultimate modern rogue course, where you put all your modern rogue knowledge to the test. Like you have to find dead drops, take down people with martial arts and nunchucks, get ride of the meat of the thing they stacked in rye, parkour, set and find bugs, find and place hidden cameras, try to solve a crime, all the things that you have ever covered in modern rogue just in a course
@Danny when I say overpriced I mean the hardware itself. The majority of the software on the pineapple is community made. I also have a rubber ducky and that's also overpriced
@@Honosklouker Not to mention most modern network cards can't do this either. This is why if you want to make your own (Or one of the related "products" to the full pineapple) you need to buy an old card. And most of the networking companies have sneakily replaced the chips in their products with newer models that do not support promiscuous mode either. So basically, either you'll pay some guy on the internet whatever price he's managed to gouge up for his old network card, or you buy one of these.
She looks so happy, I think she loves her job :D I like her! And it is a good think to refresh the fact that these risks are out there and pretty easy to set up once you know the basics.
The following phrase is for Jason. All stress is self-induced, it's in your mind, you don't need it, lay it down. Panic is contagious, but so is calm, stay calm, do your work. Slow is smooth, smooth is smart, smart is straight, straight is deadly.
It should be known that the vast majority of websites nowadays utilize HTTPS which added a layer of RSA encryption onto the standard HTTP protocol. RSA is an encryption scheme explicitly designed to prevent man-in-the-middle attacks from seeing the data you send and receive. It can still see the basic HTTP request to the website, but it won't be able to see any of the content, neither web pages or login credentials.
True, It's disappointing to see a Hak5 employee grinning when asked if this device can intercept anything, instead of taking the opportunity to clarify this essential point. It's a disservice, really.
"for your fire starter vids idea" *plant food packets(like the ones you get when you buy flowers from a store) and antifreeze* its a thing and iv seen it done and holy crap i was amazed
My dad is a Computer technician contractor and he harps on me all the time about being careful on public Wi-Fi and never leaving my laptop unlocked unattended
I mean leaving your laptop unlocked and unattended should be common sense not to do, you shouldn't need to be a technician contractor to know that. Then again, I see so many people not bother using passcodes on their phones, so maybe you do.
1:28 The pineapple (Ananas comosus) is a tropical plant with an edible multiple fruit consisting of coalesced berries, also called pineapples, and the most economically significant plant in the family Bromeliaceae.
the wifi pineapple was my favorite system on hacking the system too! It's what got me into watching Brian and Jason, it's also what got me into magic tricks, and of course the modern rogue! love this episode!
I'm considering buying a wi-fi pineapple, and I have been waiting for this episode for SO LONG! Could you guys also do an episode on cracking WEP security?
@@colton9496 That's fair. I know nobody uses WEP, and you can do this with a wifi adapter in monitor mode, but I think WEP's insecurity is a good lesson towards updating your security, and they can go into detail without being too harmful because nobody uses it.
The reality is: HTTP telnet or other easily crackable non-hash sites/services are NOT common. 99% of your services are HTTPS. Real hackers do Phishing, not sniffing.
14:04 when did this change I know for sure that just not to long ago that you could leave a known pw protect wifi with and "evil AP" with no pw but same SSID and it would connect/could get the pw threw an uncompleted 3 way hand shake and script it to auto update it's pw
The nano costs 100 bucks. A pi3b+ costs 35. Wifi dongle 20 bucks. The wifi pineapple is cool but for us seasoned vets, its pretty old school. I just use my internal card in monitor mode and can do the same things. I can drop a pi zero down and have my own rogue AP. With a 10000 mha battery that means a week of sniffing.
@@ruakij6452 Sure, but most people don't have the patience, the brain or the money to learn these sorts of things. I know many programmers learnt their stuff in small blocks over a year but most can't do that. I haven't done coding in a couple of years, when I was going through it I saw a lot of people bail out really early on. So, sure if they're passionate about learning it they might get to the end but most won't, and honestly if they wanted top not gear they'd look around and not end up paying overprice for old tech. $100 is also kind of a warning point, they either pay it and regret meaning they stay away from that or they get smart and look elsewhere. Also, let it be stated my opinion: If you can't build then you're not true.
@@ruakij6452 Yes, but when people buy things, they mostly tend to want to understand them, too. Especially in this field, either they buy it and use it effectively which is impossible without learning about it or they suck, get bored and quit.
Get some cover plates for those outlets lol. It's great they put your PEX above your electric! ,,,😮 Sorry I'm an electrician, it bugs me. At least they used GFCI outlets.
I am pretty sure of all the people who watched this, half got spooked and changed a lot of their info on their devices and the other half went and got the pineapple.
But when you're traveling to a foreign country you really don't have a choice unless you're willing to pay crazy amounts for a prepaid sim with unlimited data. That's why a VPN is a good thing to have.
@@jojo60rules But we're in 2019, not in the first days of https or 'encryption'. Hackers are evolving and they *can* steal your data now even without notifying you. It is much more dangerous to do it now than like in 2010.
It's a good idea to avoid it at all costs, moreso If you have sensetive data on your device or plan on using it for banking or to order online. The real problem isn't just having some script kids with a Pineapple or other system sniff out your data, more advanced MITM attacks exist where the actual portal is spoofed. Then popular websites you may use are also replicated. Imagine logging into Starbucks but Infact you are logging into someone else's machine. If you look around some places you might see a person with a notebook computer in a dark corner looking over his shoulder 👀 while they are sniffing out traffic or running a fake AP.
Last year at the end of February I basically did a man in the middle ‘attack’ although I wouldn’t really call it attack. So it was during the beast from the east (I’m British) and my WiFi wasn’t working that week, but the WiFi of my neighbour was, and on the Apple IOS select WiFi page you can view and even edit different nearby WiFi routers which can connect to. So I came up with the genius idea of maybe I could connect to my neighbors WiFi without the passcode by edit different parts to be identical to my router, and changed my router to be one digit off of what it was before. It worked I got connected and had internet, but then I wasn’t really expecting it to work and put it back immediately because I didn’t know what had happened, but for about 5 minutes I got internet again by bypassing the WiFi next door. I had managed to gain full access to their router.
I remember how shocked I was when I first saw a movie advertised and the ad included a website that was just about that one movie. I wish I could remember what movie it was, but I was blown away and part of me could not believe in something SO cool and big being done for just one movie.
Not really... There's a version of this for 3/4g called a ISMI catcher. More or less a fake cell phone tower that does the exact same thing. You may have heard them referred to as stingrays. They can also be used to intercept sms.
@@faint525 You can't intercept traffic with them on 3/4G networks. you can only track devices and know when calls are made and sms are sent but not to who or where since that's still encrypted.
@@faint525 There is NO 3g/4g IMSI cather. Only IMSI catcher there exist is 2g ONLY. 4g (and 5g) will make attacking carrier wireless network even more difficult with MU-MIMO and beamforming so whatever data you are getting could only be catched very close to a straight line beetween cell tower and your device
For all the people concerned about the lack of information in this video - You are not vulnerable to this on sites that use https. They are massively blowing it out of proportion because very few big sites still use http. The worst it can do is uncover what IP you're connecting to and reverse dns to find out what site that is - and if you're using a VPN it can't even do that.
Which still doesn't break https. Unless you've compromised a root CA or managed to get the end user to accept a certificate that is not signed by a trusted CA you won't be decrypting any https traffic. This is all just a bunch of fearmongering for something that has been taken into consideration when designing the protocols the internet uses and is a very small issue. About end user accepting untrusted certificate - In chrome or firefox, if the certificate of a website is incorrect it will refuse to load the site and you get to add an exception if you actually want to load it. I haven't used all browsers but I suspect that is how all major browsers handle incorrect certificates. Honestly the worst you could do is supply your own DNS through DHCP and reroute requests to other websites to your own server. On the same note arp poisoning. But you won't be getting anyones password or credit card information.
@sisbrawny Yes and no. For a properly updated operating system - in most cases no. All it really takes is one program with an open port and a security flaw though. For example, the Wannacry ransomware distributed itself through a bug in SMB, the native windows file sharing protocol. Any program on your computer could have a port open and not do security flawlessly in which case you could be vulnerable. An attacker would both need to know you have this program installed, know which port it's on, and know that your version has the security flaw. Most often this is just up to guessing. This whole thing is the reason that Windows separates public networks and home networks, and asks you to accept network access for programs and on which types of networks you want to let the program access the internet. If a program doesn't get to access the internet it can't be vulnerable to outside attacks. If you're accessing a http site or ftp someone could distribute malware to you quite trivially though. Just replace a program you're downloading with their own and then have you execute it because you think it's from the site. Again needs http or ftp (if you don't know what that is, you aren't using it). TL;DR: If you're accepting network access on every program in windows and giving it public network permission - you might be at some risk. If you're not doing that then the risk to you is very small. Mobile devices are also very unlikely to be vulnerable. Biggest risk is probably downloading and executing stuff through unencrypted protocols.
Gross. Everyone who's actually interested in doing something like this without paying for an overpriced device If you have an android. Root it and install cSploit. It's an app you can steal data, and a lot more with. It's a penetration testing tool. I'm saying this because you *totally* shouldn't be using it for illicit purposes. If you have a laptop. Even better! Dual boot linux on it and get a wifi adapter that supports monitor mode. This is very powerful.
It sucks that VPNs are so expensive. I would use NordVPN if it were indeed $2 a month. But you have to get the 3 year plan that's almost $400 up front. I dont have that much money to spend at once. Nord is biting themselves in the ass by doing that. NOBODY would use the other overpriced VPNs if they would just charge $2 to $5 a month, contract free.
You could just make your own for that price. Get a cheap server and run the Road Warrior VPN script ( first link in Google). It's faster as it's just you on it and it's encrypted. However you do lose some annoymousity from hiding in the crowd.
You can also quite easily setup your own home VPN using a linux machine and forwarding the correct port on your gateway. A plus of this is if you have a home media server you can access it from anywhere with decent speed and security.
Hi loves the pineapple .iam thinking of going on holiday in my camper .what is the distance that I can pick up a Wi-Fi .also could I watch tv through somebody’s Wi-Fi ? because I have a stick for streaming
Well, I can carry out the same attack with my regular rooted android phone or a kali linux laptop. It might be a bit messy to get all those scripts and extended range but that's for sure you shouldn't be that excited over these attacks. You can set up a captive portal easily with fluxion and a kali linux machine. The pineapple is just great for those who wants a shitton of range with easily accessible scripts and can carry it around. In short, you can achieve the same results with a regular laptop running kali and a good network card that supports packet injection and mon mode with a good range.
this is pretty informative for noobs like me who couldn't understand what was going in that Silicon Valley episode (The one where they go to Hooli Con)
The thing with VPN's is that you are merely shifting your traffic into another location. The VPN owner could still be tapping into all of your unencrypted HTTP- and DNS-requests. *Here's a few useful tricks to keep you reasonably safe on the internet* - Don't connect to open or public wifi unless you really have to. If an attacker gains physical access to the (legit) wifi access point that is hosting your signal, then they can read all of your unencrypted internet traffic. - Use Two-factor authentication and a password manager with a strong master password. It does not have to be cryptic, something like "MyFavouriteMovieIsSomethingAndMyCatIsOld" works just as good. Just make sure it's something that can't be "social engineered", i.e., extracted from your social media / internet presence through guesswork and investigation. - Use a DNS-provider that supports DoH (DNS over HTTPS), e.g. Quad9 (9.9.9.9) or Cloudflare (1.1.1.1). This is important because whoever hosts your internet can still see your request metadata (what & when) if you are not careful about this. - Ask or force your web browser to always request everything via HTTPS. The websites that don't support HTTPS should be avoided like the plague. - Use a privacy-focused web browser if you are genuinely concerned about your privacy. Websites can still identify you using a technique called "browser fingerprinting". This means that any website that really wants to identify you can do that if you are using a "generous" web browser like Google Chrome, even if you are using "incognito mode", a VPN and HTTPS. Use amiunique.org/ to see if your browser fingerprint is identifiable. - Use a VPN that respects your privacy and does not sell your traffic logs. Try to look for a VPN that has had its codebase vetted by a reputable cybersecurity company. Remember, they can also access your unencrypted internet traffic.
I haven't had a VPN subscription in about 3 years, and have never really considered paying for one again. And of course I know the dangers of unsecured hotspots, but this has made me realise even 'known' and 'safe' open hotspots, there's just as much risk. so I've gone and bought a NordVPN subscription
You can also quite easily setup your own home VPN using a linux machine and forwarding the correct port on your gateway. A plus of this is if you have a home media server you can access this from anywhere with decent speed and security.
They talk about space jam ACTUALLY working but that is also an encrypted site. This is just as useful as when the hack came out for the wep networks when 90% of people had already converted to wpa lol
Using command prompt, you could do the reverse thing. Your computer sends pings, and legit wifi-stations send signals back. Using a few commands in command prompt, you could get about 8/10 wifi-passwords and use their wifi internet (most of the time private, because (again, in most cases) they aren't encrypted, but sometimes business wifi works too).
![Stromae, Pomme - “Ma Meilleure Ennemie” (from Arcane Season 2) [Official Visualizer]](http://i.ytimg.com/vi/1F3OGIFnW1k/mqdefault.jpg)
It’s that time of year again: Mystery Box Jackpot season! Here's how it works: Our job is to make you feel like you absolutely won the jackpot when you open your Mystery Box. Each and every Mystery Box Jackpot always has more value in it than what you paid for it. 100% of the time. And if you’re not happy? 100% satisfaction guarantee!
Wanna snag one before they’re all gone? www.scamstuff.com/products/mystery-box-99
We’re giving away a Mystery Box Jackpot ($99 value) to TWO winners of our weekly free giveaway at gimme.scamstuff.com (no purchase necessary, giveaway ends 2/14/2019)
Congrats to the winners of last week’s Cutaway Handcuffs giveaway: Laurent Holin, David Guy, and Kristina Zavala (we will contact you via email within the next two weeks)
Man. I used to use cain and abel back in the day to man in the middle. I wonder if it still works. Also, I built my own bash bunny with a raspberry pi zero after watching the last video you guys did on this.
Stop honeydicking us lol! When she said “honeypot” I about died
I'd like to present an Epic Rogue Quest Concept to you. A Next Level Reality Show Concept to make the outdated model obsolete. I'll buy the beer for a virtual presentation.
Ask yourself. WWWDD, if he was a Rogue? Your concept is inspiring.
Hi if you read this I think you should do a video on 3d printed guns it would be so cool
Welcome to the barely legal show.
Dude she's like 32
bubbathedm man i was NOT talking about that i was talking about hacking.
XD but still. You do realise she's like 32..
@@user-cf3so7mi2o she got dp;),and welcome to NSA watchlist Hiya Interpol too ;)
Legal Adjacent.
1:48 "If I run that through 'the' Google"
Dad just give me the keyboard.
No son i wanna do it, now how do you spell the first letter in man?
fancy seeing you here
Wait you watch the modern rogue?!
I didn’t know you watched this
"For the uninitiated, what is a pineapple?" - Mr Brian Allen Brushwood, 2019
"Is a pineapple an instrument?"
Doesn't it need a pen, or something?
It's what you call a guy with incredibly overdone spiky hair?
Guybrush Threepwood
@@rlee1185 omg yes
12:53 350,000 unread emails, why won't you answer me Bry???
Damn
I thought my 200 unread was bad
Holy shit thats alot of unread emails, you'd think hes trying to set a record or something
Lol and the Taco Bell app next to the Health app
search history: blairwitch, khaaaaaan, jason murphy screaming, jason screaming gif modern rogue, grilled cheese | lmao
7:37 - Brian: I'm not comfortable with sharing the names of my devices, that used to be me.
7:41 - Shows the MAC address of the phone.
This video was sponsored by Nord VPN
ORLY?
8 minutes ago... man I came so close to god
so happy to see you supporting these guys. They have been pioneers on youtube since the start with Scam School.
you make vids demonized WHY WWHHHYYYYYYY
And pornhub
“Does a vpn make you safer?”
**Proceeds to only use secure sites to test theory
“Wooooooow it’s not being detected”
Zac Chapman you’re right https is encrypted
Would have been nice if she showed SSLsplit, or something to handle proxying HTTPS connections. The majority of sites today have moved to HTTPS.
A vpn can be more secure, but you're also shifting all your traffic to a server that you should trust. They can do the same thing as the pineapple. Luckily all important login portals are https so that doesn't matter.
Just use a known good VPN for torrents or streaming content that's Geo restricted.
Wasn't Nord VPN hacked?
@@BuddyJesus Yep... most sites are HTTPS so you have to do a little more work lol. Really using MTM and having either your own SSL certs or using phssing websites/login portal to get username/passwords is what you have to do. Can do this HTTP stuff using wireshark... lol.
If I'm ever in the Austin area, I'm totally knocking on the door of the MR compound and asking "Excuse me, is this the Starbucks?"
And they open the door and throw a Manhattan at you.
TWO ONE TWO
@@zaxtonhong3958 Hey, free drink! They can keep the vermouth and the bitters and just throw the bourbon at me, I won't complain.
How did this not become a super long ad for Nord VPN?! That would've been a perfect segway.
"What can we do to protect ourselves?"
"Apparently use a VPN"
"Speaking of which *commences pitch for Nord VPN*"
cause it is actually a super long ad for wifi pineapple. notice the sales links in the desc? hak5 are cool but overpriced.
@@denism8494 its probably better this way, id rather have a product like that priced through the roof, instead of everyone being able to buy one, keeping them out of most ppls hands, limiting the chance bad ppl get their hands on them, and you average joe citizen doesnt really need one anyway
@@menofwar-os1wi if a bad person cannot afford this they probably also dont have the knowledge to use one. They aren't as simple to use as this video makes out, the limiting factor is not the price, it's the knowledge required. I am poor af, and I am an average person, however I also aspire to have a career in cyber security, therefore I would benefit by having one of these. I'm not saying hurr Durr gimme expensive shit for cheap, I'm just saying the actual value is inflated by videos like this that make it seem like a one stop piece of equipment that does everything and turns you into a 1337 H4X0R
@@denism8494 i can see your point of vieuw and understand what you are trying to tell me, and i mostly agree, but wouldnt said knowledge be obtainable through some googling? (and good luck with your carreer in cyber security)
Denis Mcdougall exactly this
“This is a lab environment”
*Bare insulation in the background*
Zac Chapman that is because its a bare insulation testing lab. You should watch their video comparing rock wool with fiberglass. 20 minutes of gold.
loving those google searches. "khaaaaaan", "jason murphy screaming", "jason screaming gif modern rogue", "grilled cheese"
I'm taking a security class right now, and this channel has given me so many good ideas for projects.
How did the classes go?
@@AngelusNielson Pretty well thanks, I did a presentation on the dark web. Thanks for reminding me of that class
@@NathanScott Not a problem! Glad you had fun.
CUZ IM A MODERN ROUUUUGE!!
A little Mason Jurphey in my life
A little Ryan Bushwood by my side
A little bit of Grant is all I need
A little bit of B-Rice is what I see
A little bit of Scamming in the sun
A little Modern Rouging all night long
A little bit of Dresspants here I am
A little grilled cheese makes me your fan
*NAILED IT!!*
Rian Rushwood was the fake name Brian used in an earlier ep
A play on his actual name, Brian Brushwood
@@StrokeMahEgo fact fail.
StrokeMahEgo woosh
Rogue.
AHHHHHHHHHHHHUH!
13:48 Are we just gonna ignore Brian's search history?
Oh. My. God.
He searched for grilled cheese. What a sicko
@@pluto8404 It left me whelmed. Like, it did it's job of being a search term. But why not go bigger or go for a complete curveball?
Like, grilled cheese smoothie, reverse grilled cheese, grilled cheese without bread or something else absurd... Something that would make any sane person re-read that to make sure it says what they think it says. Basically, what these guys do best, leave their experts concerned or confused.
jason murphy screaming gif
whoops this isn't google
Some Jason Murphy issues
Brian and Jason THANK YOU for having Shannon on the show. I am learning more watching your show than I did attending high school during the summer. Thanks dudes. . . .A special shout-out to Nord VPN; to which I am a proud customer.
Shannon is great! We hope to do more with her soon.
Jason screaming about net neutrality will always be the greatest moment on the show. I've caught myself at work trying to find that gif to just leave it on the computer as I'm leaving, so when the next person unlocks it, they are terrified lol
The description perfectly fits what I thought when I saw the thumbnail thing while the video opened
You guys should make a ultimate modern rogue course, where you put all your modern rogue knowledge to the test. Like you have to find dead drops, take down people with martial arts and nunchucks, get ride of the meat of the thing they stacked in rye, parkour, set and find bugs, find and place hidden cameras, try to solve a crime, all the things that you have ever covered in modern rogue just in a course
Mad props to Brandt for somehow making Jason singing Mambo No. 5 the most unsettling thing I've seen all year.
Haha, I aim to please
I love when two of my favorite RUclips channels do a cross over episode. It's like when the Harlem Globe Trotters guest star on Scooby Doo
WHEN JASON STARTED SINGING LOU BEGA!!!
Jason just became the favorite. Brian will have to try harder now, lol
Why does no one else seem at all concerned that one of Brian's most recent searches was, "Jason Murphy screaming"?
NathanielCF My safe place song is Mambo Number 5. Brian’s safe place song is me screaming.
The Wi-Fi Pineapple is overpriced tho. I have a nano and I love it but still its still overpriced. Love Hak5 too
Root your android device and download cSploit.
@Danny when I say overpriced I mean the hardware itself. The majority of the software on the pineapple is community made. I also have a rubber ducky and that's also overpriced
@@ScibbieGames can't use monitoring mode with modern android phones sadly.
@@Honosklouker Not to mention most modern network cards can't do this either. This is why if you want to make your own (Or one of the related "products" to the full pineapple) you need to buy an old card. And most of the networking companies have sneakily replaced the chips in their products with newer models that do not support promiscuous mode either.
So basically, either you'll pay some guy on the internet whatever price he's managed to gouge up for his old network card, or you buy one of these.
I have the mark 5, old, but still a goodie, with a 16dbi yagi. But then again, the same thing can be done on a linux machine with an usb alfi antenna.
She looks so happy, I think she loves her job :D
I like her! And it is a good think to refresh the fact that these risks are out there and pretty easy to set up once you know the basics.
That hotspot honey pot with man in the middle is yearning for some penetration testing... Perhaps there's even a backdoor involved!?
The following phrase is for Jason. All stress is self-induced, it's in your mind, you don't need it, lay it down. Panic is contagious, but so is calm, stay calm, do your work. Slow is smooth, smooth is smart, smart is straight, straight is deadly.
“How many things did you infiltrate?”
*”Everything.”*
It should be known that the vast majority of websites nowadays utilize HTTPS which added a layer of RSA encryption onto the standard HTTP protocol. RSA is an encryption scheme explicitly designed to prevent man-in-the-middle attacks from seeing the data you send and receive. It can still see the basic HTTP request to the website, but it won't be able to see any of the content, neither web pages or login credentials.
True, It's disappointing to see a Hak5 employee grinning when asked if this device can intercept anything, instead of taking the opportunity to clarify this essential point. It's a disservice, really.
"for your fire starter vids idea"
*plant food packets(like the ones you get when you buy flowers from a store) and antifreeze*
its a thing and iv seen it done and holy crap i was amazed
My dad is a Computer technician contractor and he harps on me all the time about being careful on public Wi-Fi and never leaving my laptop unlocked unattended
Listen to him.
Bet you don't cover up your webcam with tape
I mean leaving your laptop unlocked and unattended should be common sense not to do, you shouldn't need to be a technician contractor to know that. Then again, I see so many people not bother using passcodes on their phones, so maybe you do.
Stop being a dumbass and he'll stop calling you one.
@@spencershaw7818 he does, he just uses transparent tape.
Everytime she smiles while talking about this makes me feel less safe and more scared
You guys are so much fun to watch and learn.Thanks
12:01
Shannon: What is king of mouths?
Brian: I don't know what you're talking about
So glad yall did a collab with Hak5's Shannon
When's the arm wrestling episode?
1:28 The pineapple (Ananas comosus) is a tropical plant with an edible multiple fruit consisting of coalesced berries, also called pineapples, and the most economically significant plant in the family Bromeliaceae.
Just watched the other hacking eps, glad to see another!!!
the wifi pineapple was my favorite system on hacking the system too! It's what got me into watching Brian and Jason, it's also what got me into magic tricks, and of course the modern rogue!
love this episode!
what episode is that? i wanna watch it too!
@@Givisba it wasn't an episode! it was their netflix special a few years ago
I'm considering buying a wi-fi pineapple, and I have been waiting for this episode for SO LONG! Could you guys also do an episode on cracking WEP security?
Nobody uses wep, and just buy a WiFi adapter that supports running in monitoring mode. No need for this junk.
@@colton9496 That's fair. I know nobody uses WEP, and you can do this with a wifi adapter in monitor mode, but I think WEP's insecurity is a good lesson towards updating your security, and they can go into detail without being too harmful because nobody uses it.
The "For the uninitiated , what is a pineapple ? " part made my day . SUBSCRIBED !
Are y'all going on tour ever?
This was super informtive and very well explained. Good show.
The reality is: HTTP telnet or other easily crackable non-hash sites/services are NOT common. 99% of your services are HTTPS. Real hackers do Phishing, not sniffing.
Real hackers pop RCEs and 0days
Real hackers have the patience to wait for the 1% to occur.
These have slowly creeped their way into my favorite MR episodes.
Damn is it just me or is she super touchy feely with Brian
You say that like most women who watch this wouldn't be
What woman wouldn't be with Brian
@@moombadoomtrooper8590 why you gotta discriminate
Jason's wife will cut a bitch. It's just safer.
I like to imagine them reading these comments
Glad to see Shannon back, and a very informative video! Very scary!
Commenting b4 i watch, bet its nord vpn. As first comment, i stand corrected
I like how they were happy with how the VPN stopped the Pineapple, when they were already only looking at websites with HTTPS
14:04 when did this change I know for sure that just not to long ago that you could leave a known pw protect wifi with and "evil AP" with no pw but same SSID and it would connect/could get the pw threw an uncompleted 3 way hand shake and script it to auto update it's pw
The nano costs 100 bucks. A pi3b+ costs 35. Wifi dongle 20 bucks. The wifi pineapple is cool but for us seasoned vets, its pretty old school. I just use my internal card in monitor mode and can do the same things. I can drop a pi zero down and have my own rogue AP. With a 10000 mha battery that means a week of sniffing.
Everyone needs a starting point.
@@ruakij6452 Sure, but most people don't have the patience, the brain or the money to learn these sorts of things.
I know many programmers learnt their stuff in small blocks over a year but most can't do that.
I haven't done coding in a couple of years, when I was going through it I saw a lot of people bail out really early on. So, sure if they're passionate about learning it they might get to the end but most won't, and honestly if they wanted top not gear they'd look around and not end up paying overprice for old tech. $100 is also kind of a warning point, they either pay it and regret meaning they stay away from that or they get smart and look elsewhere.
Also, let it be stated my opinion: If you can't build then you're not true.
@@ruakij6452 Yes, but when people buy things, they mostly tend to want to understand them, too. Especially in this field, either they buy it and use it effectively which is impossible without learning about it or they suck, get bored and quit.
you dont need a pineapple to do mitm... i mean, not that i would know...
I mean the pineapple does make it nice and pretty, heaven for script kiddies
I just wanted to say the editing of the video is so impressive!!
6:14 - I have a pen... I have pineapple... UH... *PineapplePen!*
This is some costly production featuring multiple cameras and studio lights! You are raising the bar.
Just thought id say it, but the modern rogue is the of the few things that brings REAL joy into my life
I'm guessing Tor vs a Pineapple is also effective protection
A friend of mine did this on the school. He didn't get expelled... I miss that principal
You guys brought the weaboo back! Nice 😄
i love herrr she seems so nice (and of course scary powerful with hacker knowledge)
@@lisdmon6538 I really hope you are joking about her hacker knowledge LOL
Brian’s never left though?
it's spelled "webelo"
@@MexieMex How would you classify 'hacker knowledge' ?
Shannon and Brian .... hak5 and scam school from the revision 3 days on the same set. My two favorite shows of all times!!
Get some cover plates for those outlets lol. It's great they put your PEX above your electric! ,,,😮 Sorry I'm an electrician, it bugs me. At least they used GFCI outlets.
I am pretty sure of all the people who watched this, half got spooked and changed a lot of their info on their devices and the other half went and got the pineapple.
I never connect to public wifi. It seems pretty ridiculous to do that in 2019.
Agreed. Thank you unlimited data.
But when you're traveling to a foreign country you really don't have a choice unless you're willing to pay crazy amounts for a prepaid sim with unlimited data. That's why a VPN is a good thing to have.
Why? If anything it's much safer to do it in 2019. Every modern website has https. All modern browsers warn you if that's not the case.
@@jojo60rules But we're in 2019, not in the first days of https or 'encryption'. Hackers are evolving and they *can* steal your data now even without notifying you. It is much more dangerous to do it now than like in 2010.
It's a good idea to avoid it at all costs, moreso If you have sensetive data on your device or plan on using it for banking or to order online.
The real problem isn't just having some script kids with a Pineapple or other system sniff out your data, more advanced MITM attacks exist where the actual portal is spoofed. Then popular websites you may use are also replicated. Imagine logging into Starbucks but Infact you are logging into someone else's machine.
If you look around some places you might see a person with a notebook computer in a dark corner looking over his shoulder 👀 while they are sniffing out traffic or running a fake AP.
Last year at the end of February I basically did a man in the middle ‘attack’ although I wouldn’t really call it attack. So it was during the beast from the east (I’m British) and my WiFi wasn’t working that week, but the WiFi of my neighbour was, and on the Apple IOS select WiFi page you can view and even edit different nearby WiFi routers which can connect to. So I came up with the genius idea of maybe I could connect to my neighbors WiFi without the passcode by edit different parts to be identical to my router, and changed my router to be one digit off of what it was before. It worked I got connected and had internet, but then I wasn’t really expecting it to work and put it back immediately because I didn’t know what had happened, but for about 5 minutes I got internet again by bypassing the WiFi next door. I had managed to gain full access to their router.
WHAT IS A PINAPPLE!?!?!!?
Here for Shannon, my all time fav host
Wireless: 0
Wired: 1
Flawless Victory
(Except not mobile)
And no radiation and wired is faster!
Keyword here DO NOT use wifi you do not pay for and have secured. If I am away from home I run EVERYTHING on my unlimited cell data.
Her laptop is the Kawaii hotspot
Kawai-fi?
HM01 you deserve my like. just take it
HM01 Ohhhhh I got your name lol
Cut/Fly/RockSmash/firethrower
That’s how my charizard was.
I remember how shocked I was when I first saw a movie advertised and the ad included a website that was just about that one movie. I wish I could remember what movie it was, but I was blown away and part of me could not believe in something SO cool and big being done for just one movie.
😂😂😂the ending!!👌🏼👌🏼👌🏼 thought I was the only one who sings Mambo #5 to myself to calm down & go to my happy place 😂😂😂😂😂
That dude needs to chill out on the caffeine. Let the lady speak for f*cks sake! I can't imagine how uncomfortable she probably feels.
Did Brian leave his bartending job or is he a hacker on the side?
I’m a legitimate hacking bartender.
Excellent video. Love this sort of content. Keep em coming.
So using standard 3 or 4g is safer than wifis?
Not really...
There's a version of this for 3/4g called a ISMI catcher. More or less a fake cell phone tower that does the exact same thing. You may have heard them referred to as stingrays. They can also be used to intercept sms.
@@faint525 You can't intercept traffic with them on 3/4G networks. you can only track devices and know when calls are made and sms are sent but not to who or where since that's still encrypted.
@@faint525 There is NO 3g/4g IMSI cather. Only IMSI catcher there exist is 2g ONLY.
4g (and 5g) will make attacking carrier wireless network even more difficult with MU-MIMO and beamforming so whatever data you are getting could only be catched very close to a straight line beetween cell tower and your device
OMG. You got Shannon Morse on your show??
Ok. You're a REAL show now!😂😂
I just might subscribe. 😎
Just buy a raspberry pi and a mon mode wifi adapter, it’s way cheaper.
Help me out bro, I have no idea about any of this but I need help :(
azainho makahue if you want to learn then learn linux and python 3 first, after that learn a bit of networking and make a lab.
For all the people concerned about the lack of information in this video - You are not vulnerable to this on sites that use https. They are massively blowing it out of proportion because very few big sites still use http. The worst it can do is uncover what IP you're connecting to and reverse dns to find out what site that is - and if you're using a VPN it can't even do that.
Dwall is http, as discussed. There's a whole slew of other modules we could do videos on though. www.wifipineapple.com/modules
Which still doesn't break https. Unless you've compromised a root CA or managed to get the end user to accept a certificate that is not signed by a trusted CA you won't be decrypting any https traffic.
This is all just a bunch of fearmongering for something that has been taken into consideration when designing the protocols the internet uses and is a very small issue. About end user accepting untrusted certificate - In chrome or firefox, if the certificate of a website is incorrect it will refuse to load the site and you get to add an exception if you actually want to load it. I haven't used all browsers but I suspect that is how all major browsers handle incorrect certificates.
Honestly the worst you could do is supply your own DNS through DHCP and reroute requests to other websites to your own server. On the same note arp poisoning. But you won't be getting anyones password or credit card information.
@@krappa Can malware be distributed to devices locally connected to the same network?
@sisbrawny Yes and no. For a properly updated operating system - in most cases no. All it really takes is one program with an open port and a security flaw though. For example, the Wannacry ransomware distributed itself through a bug in SMB, the native windows file sharing protocol. Any program on your computer could have a port open and not do security flawlessly in which case you could be vulnerable. An attacker would both need to know you have this program installed, know which port it's on, and know that your version has the security flaw. Most often this is just up to guessing.
This whole thing is the reason that Windows separates public networks and home networks, and asks you to accept network access for programs and on which types of networks you want to let the program access the internet. If a program doesn't get to access the internet it can't be vulnerable to outside attacks.
If you're accessing a http site or ftp someone could distribute malware to you quite trivially though. Just replace a program you're downloading with their own and then have you execute it because you think it's from the site. Again needs http or ftp (if you don't know what that is, you aren't using it).
TL;DR: If you're accepting network access on every program in windows and giving it public network permission - you might be at some risk. If you're not doing that then the risk to you is very small. Mobile devices are also very unlikely to be vulnerable. Biggest risk is probably downloading and executing stuff through unencrypted protocols.
Gross.
Everyone who's actually interested in doing something like this without paying for an overpriced device
If you have an android. Root it and install cSploit. It's an app you can steal data, and a lot more with.
It's a penetration testing tool. I'm saying this because you *totally* shouldn't be using it for illicit purposes.
If you have a laptop. Even better! Dual boot linux on it and get a wifi adapter that supports monitor mode. This is very powerful.
Or just use tshark. Although this has more uses for MITM than just capturing packets over an open network.
Specifically get Kali linux for stuff like this. It comes with a ton of tools for this kind of thing preloaded.
Install magisk, then the nethunter module. Will be completely useless because script kiddie.
Zanti is another option for android.
I just use wifikill so the wifi is faster for me
The other day I found a USB on the side of the streat. If I didn't see the last episode, I would've plugged it in, thanks Modern Rouge!
It sucks that VPNs are so expensive. I would use NordVPN if it were indeed $2 a month. But you have to get the 3 year plan that's almost $400 up front. I dont have that much money to spend at once. Nord is biting themselves in the ass by doing that.
NOBODY would use the other overpriced VPNs if they would just charge $2 to $5 a month, contract free.
You could just make your own for that price. Get a cheap server and run the Road Warrior VPN script ( first link in Google).
It's faster as it's just you on it and it's encrypted. However you do lose some annoymousity from hiding in the crowd.
Mullvad is $5 a month.
I use NordVPN, but you could get the free BearVPN for situations like these when you are on public wifi.
You can also quite easily setup your own home VPN using a linux machine and forwarding the correct port on your gateway. A plus of this is if you have a home media server you can access it from anywhere with decent speed and security.
Hi loves the pineapple .iam thinking of going on holiday in my camper .what is the distance that I can pick up a Wi-Fi .also could I watch tv through somebody’s Wi-Fi ? because I have a stick for streaming
Well, I can carry out the same attack with my regular rooted android phone or a kali linux laptop. It might be a bit messy to get all those scripts and extended range but that's for sure you shouldn't be that excited over these attacks. You can set up a captive portal easily with fluxion and a kali linux machine. The pineapple is just great for those who wants a shitton of range with easily accessible scripts and can carry it around. In short, you can achieve the same results with a regular laptop running kali and a good network card that supports packet injection and mon mode with a good range.
Kali script kid? 🤦♂️
Screw the snobs. Modern Rogue is golden. Keep up the good work guys!
“This thing looks dangerous”, dude it just looks like a router
Yeah but why would you bring a router to a public place xD
this is pretty informative for noobs like me who couldn't understand what was going in that Silicon Valley episode (The one where they go to Hooli Con)
Wouldn’t this be more of a rouge AP attack since it isn’t really exploiting anything besides the SSID name
As they always say -- it's R-O-G-U-E, there's an OG in Rogue
SPELL IT RIGHT
Based on Brian's comment on Jason's website they filmed this in early November and it's just now being released
Yeah, we film lots of stuff way in advance.
@@TheStrangerous That's called efficiency!
I just need my wifi adapter and my linux machine 🤐
How do you do that?
True
I just need my android phone.
u can basically make your own pineapple thing
if you're interested
just reply and i'll contact you
u can install it on a drone and let it go
I ordered my upgrade!!! Cannot wait for it to get here. Big upgrade from my mark 5
YOOOOOOOOO
GURT
The thing with VPN's is that you are merely shifting your traffic into another location. The VPN owner could still be tapping into all of your unencrypted HTTP- and DNS-requests.
*Here's a few useful tricks to keep you reasonably safe
on the internet*
- Don't connect to open or public wifi unless you really have to. If an attacker gains physical access to the (legit) wifi access point that is hosting your signal, then they can read all of your unencrypted internet traffic.
- Use Two-factor authentication and a password manager with a strong master password. It does not have to be cryptic, something like "MyFavouriteMovieIsSomethingAndMyCatIsOld" works just as good. Just make sure it's something that can't be "social engineered", i.e., extracted from your social media / internet presence through guesswork and investigation.
- Use a DNS-provider that supports DoH (DNS over HTTPS), e.g. Quad9 (9.9.9.9) or Cloudflare (1.1.1.1). This is important because whoever hosts your internet can still see your request metadata (what & when) if you are not careful about this.
- Ask or force your web browser to always request everything via HTTPS. The websites that don't support HTTPS should be avoided like the plague.
- Use a privacy-focused web browser if you are genuinely concerned about your privacy. Websites can still identify you using a technique called "browser fingerprinting". This means that any website that really wants to identify you can do that if you are using a "generous" web browser like Google Chrome, even if you are using "incognito mode", a VPN and HTTPS. Use amiunique.org/ to see if your browser fingerprint is identifiable.
- Use a VPN that respects your privacy and does not sell your traffic logs. Try to look for a VPN that has had its codebase vetted by a reputable cybersecurity company. Remember, they can also access your unencrypted internet traffic.
I haven't had a VPN subscription in about 3 years, and have never really considered paying for one again. And of course I know the dangers of unsecured hotspots, but this has made me realise even 'known' and 'safe' open hotspots, there's just as much risk. so I've gone and bought a NordVPN subscription
You can also quite easily setup your own home VPN using a linux machine and forwarding the correct port on your gateway. A plus of this is if you have a home media server you can access this from anywhere with decent speed and security.
They talk about space jam ACTUALLY working but that is also an encrypted site. This is just as useful as when the hack came out for the wep networks when 90% of people had already converted to wpa lol
Using command prompt, you could do the reverse thing.
Your computer sends pings, and legit wifi-stations send signals back. Using a few commands in command prompt, you could get about 8/10 wifi-passwords and use their wifi internet (most of the time private, because (again, in most cases) they aren't encrypted, but sometimes business wifi works too).
Great on camera chemistry. Nothing but good vibes
thanks!
I love that Jason's calm place is mambo no.5 XD
The funny thing is that a lot of modern hacking, to my knowledge, is actually social engineering at the bar and on the street
Ayeee old school Scam School
This video had more tips in simple hosts commentary then my IT lessons in highschool.
I can see employers do this to employees who think they can hack into their works WiFi and fuck around