Monthly Archives: September 2014
MannaPi V.01

After seeing the Sensepost’s Dominic White and Ian de Villiers presenting their new Manna attack video I thought it would be great if this attack could be ported to a smaller form factor.

I have an old laptop that has Kali installed on it with a Alfa awus036nha wifi-adaptor. So first I tried to replicate the demo shown in the video on the laptop. With some  sleepless nights and lots of caffeine and bad food choices I finally got it up and running.

Next I needed to find a smaller form factor, I knew about the wifi-pineapple from Hak5 but didn’t pick one up at this year’s DEFCON. (No particular reason,figured I could order it later online, only to find out they don’t ship to Japan. Dumb me should have been obvious) So I ordered a alfa ap121u from a vendor in HK on . A week later I got the hardware , flushed the firmware installed the Pineapple Mark IV firmware on it. I figure maybe I could port the Manna-hostapd to the Pineapple but my coding skills are no where near to do this. Nor do I think the Mark IV platform could handle the current Manna implementation.

So I knew Kali could run on a Raspberry Pi and that a newer version just came out so I picked one up installed the latest Kali 1.0.9 Pi Image file on a SD card and the Pi came up and running.


From there it was just replicating the steps I took on the original laptop Kali to get Manna up and running on the Pi. And MannaPi was born.

Here is shot of Manna running:



The Setup:


  1. Raspberry Pi B+ model.
  2. Offensive Security Kali 1.0.9 IMG
  3. Class (4) SD 16GB card.
  4. Self powered USB HUB
  5. Antenna extending pigtail
  6. Aterm W500P mobile router. <- upstream on eth0
  7. Alfa Awus036nha <- Connection point on wlan1


I chose the Aterm W500P mobile router because it can be powered with a micro-usb cable and it has an ethernet-converter mode which can convert the on-board ethernet of the Pi and turn it into a wireless point. I could have added another wifi-adaptor on the usb but this particular mobile router has an interesting mode pre-installed. Its called the public-hotspot wifi mode and it allows you to preconfigure the router to connect to public wifi-spots when they are available. Now this might not be something spectacular however, the configuration allows you to disable automatic web-login. i.e.) when the router detects a http request it pops up the public wifi spot’s weblogin page….(hint: no need to evil portal cause the traffic is already coming from wlan1 to eth0->public wifi spot)

So when the Manna attack happens:

User device’s NPL list sends out probing beacon -> Manna Replies -> User Device Associates with Manna-hostapd -> traffic bridged to eth0 -> Aterm W500P mobile router -> either tethered internet or Public Wifi weblogin -> to the internet.

wlan1< -> Manna -> eth0 <-> W500p <-> Internet

Ideally if I can find a way to power this whole setup from a mobile battery that would make this one evil rogue AP. However , after some fiddling around drawing power from the Pi board to power both the Alfa and upstream router seemed a bit too much for the Pi. Once manna starts to run the Pi would just drop the usb hence killing the whole process.

-70mA for the keyboard
-500mA for the Alfa
-100mA for the ethernet converter


Theoretically this whole setup could be powered with a laptop mobile battery like HyperJuice or GoalZero’s Sherpa line. Since I don’t have either there is no way for me to test this.

I got some other ideas regarding this implementation and will continue to explore some more stuff. Like I said this is MannaPi V.01.


Manna from Heaven; Improving the state of wireless rogue AP attacks – Dominic White & Ian de Villiers:

-SensePost Manna Github

Security Tube’s Wifi Security Mega Primer
This is a great primer even if you think you know wifi.

Do not use against equipment you don’t own. Doing so is usually illegal and can get you in serious legal trouble. I can’t be responsible for any legal trouble you get in.


ここ数週間の間、国内でwifiの盗聴が話題になっていたので、悪のAPを作ってみようと思った。そこで、思い出したのが今年のDEFCONのワイヤレスビレッジでSensepostのDominic White to Ian de Villiersがkarma攻撃の新しい形を発表してたのでこの攻撃方法を使う事にした。この攻撃は端末のwifiの接続先リストを元に、端末からの問い合わせに対して必ず答えるKarma攻撃をアップデートしたもので、現在の多くの端末では従来のKarma攻撃が通じない問題(?)を解決している。Manna攻撃では積極的に問い合わせビーコンに対して応答することで以前に繋がった事のあるAPが近くにあるように騙す事で端末が自動的に接続する問題点をついている。

ハードウェアには最近発売になったRaspberry Pi B+を使い、Offensive Security から出てるKali 1.0.9 イメージをOSとして使ってる。






 UPDATE/ 追記:

Sept.7.2014:04:00 JST.

After some thinking I figured out that I could probably power the whole setup if I could find a decent high capacity mobile battery. So I got hold of an Anker Astro Pro 2 (15000mah). Then I grabbed an old usb cable gutted it to create a usb-to-power frankenstein cable. So now MannaPi is fully mobile running of the Astro Pro.

[ ASTRO PRO] -> charges powered usb hub (via FrankenCable) -> Powers MannaPi and provide power for the wireless mobile router/converter (eth0)


歯を磨きながら、考えてたら、ある程度の容量のモバイルバッテリーで駆動が可能かもと思い、古いUSBケーブルからハブへ電源供給できるケーブルを作った。これでMannaPiはコンセントが不必要になり完全にモバイルな形に出来た。電源に使ったのはAnker Astro Pro2 という15000mahのモバイルバッテリ。



Closed/ケースを閉じた状態 (MBA:13 inch for reference)


ps. The cigarette pack is for reference and not intended as a advertisement or endorsement of particular brand of cigarette or the habit of smoking.

 UPDATE Sept.9th

Current startup script.



#service network-manager stop
#rfkill unblock wlan

ifconfig $phy up

sed -i "s/^interface=.*$/interface=$phy/" $conf
$hostapd $conf | tee /var/log/Mana-simplerun.log&
sleep 5
ifconfig $phy netmask
route add -net netmask gw

dhcpd -cf conf/dhcpd.conf $phy

echo '1' > /proc/sys/net/ipv4/ip_forward
iptables --policy INPUT ACCEPT
iptables --policy FORWARD ACCEPT
iptables --policy OUTPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -t nat -A POSTROUTING -o $upstream -j MASQUERADE
iptables -A FORWARD -i $phy -o $upstream -j ACCEPT

echo "Hit enter to kill me"
pkill dhcpd
pkill sslstrip
pkill sslsplit
pkill hostapd
pkill python
iptables -t nat -F

If you need/want to download all images from a webpage.

Yea yea I know, curl+some reg expressions would do the same damn thing,
but for the non-coding people here is a super simple(i.e.:dump) way to get
all images from a webpage  using Automator. It has no filters, no input etc etc.

Just keep the page you want to download from open in the front in Safari
and hit this workflow either as an app or service or workflow script.
And it should download all images to a folder on your desktop with the url as a folder


Screen Shot 2014-09-01 at 2.39.41 PM


In case you still not sure here is a app from this workflow.