The PineAP Suite
At the heart of the WiFi Pineapple is the PineAP suite. It’s the intelligent sniffing and injection engine built alongside the custom WiFi Pineapple hardware to fully exploit the 802.11 protocol. PineAP is the software that performs recon, analyzes traffic, captures probes and broadcasts beacons, and enables client device tracking and associations as well as deauthentication – just to name a few. It’s built with profiling and filtering capabilities to help identify targets and keep audits limited to the scope of engagement.
While it can operate in both passive and active modes, it’s most well known for its ability to snare client devices in its role as a rogue access point. With clients captured, the WiFi Pineapple puts the auditor in the position of the man-in-the-middle. From this vantage point, additional WiFi Pineapple modules and integration with typical pentest tools can be leveraged for a variety of attacks.
Allow Associations – When enabled, Client devices will be allowed to associate with the WiFi Pineapple through any requested SSID. E.g. If a Client device sends a Probe Request for SSID “example” the WiFi Pineapple will acknowledge the request, respond and allow the Client device to associate and connect to the WiFi Pineapple network. This feature works in conjunction with Client and SSID filtering. When disabled; clients will not be allowed to associate. Before the evolution of the PineAP suite with the 5th generation WiFi Pineapple, this feature was known as Karma.
Log Probes – When enabled, the PineAP suite will continuously sniff for Probe Request frames from nearby client devices. This feature provides information for analysis from the Logging view.
Log Associations – When enabled, Client Associations to the WiFi Pineapple will be logged. This feature provides information for analysis from the Logging view. If disabled, Associations will not be logged and may not appear in the SSID column from the Clients view.
PineAP Daemon – This daemon must be enabled in order to use the Beacon Response, Capture SSIDs to Pool and Broadcast SSID pool features. The PineAP Daemon will coordinate the appropriate actions based on Source and Target MAC settings as well as the Beacon Response and SSID Broadcast intervals.
This feature requires dedicated access to the wlan1 radio and cannot be used in conjunction with the WiFi Client Mode feature using wlan1 to provide Internet access to the WiFi Pineapple. However, if using a tertiary USB WiFi adapter configured as as wlan2, PineAP and WiFi Client Mode work well together.
The PineAP Daemon must be enabled and PineAP Settings must be saved before the associated features will be available.
Beacon Response – When enabled, targeted beacons will be transmitted to Client devices in response to a Probe Request with the appropriate SSID. These beacons will not be transmitted to broadcast, but rather specifically to the device making the probe request. This prevents the beacon from being visible to other devices. If Allow Associations is enabled and the Client device associates with the WiFi Pineapple, then targeted Beacon Responses will continue to transmit to the Client device for a period of time. Beacon Responses will use the Source MAC setting, which is also shared with the Broadcast SSID Pool feature. The Beacon Response Interval will dictate how frequently to transmit.
Capture SSIDs to Pool – When enabled, the sniffer will save the SSID data of captured Probe Requests to the SSID Pool. This passive feature benefits the Broadcast SSID Pool feature. The SSID Pool may also be managed manually.
Broadcast SSID Pool – When enabled, the SSID Pool will be broadcast as beacons using the Source MAC and Target MAC settings at the interval specified. During the evolution of the PineAP suite this feature was known to the WiFi Pineapple Mark V as “Dogma” as a compliment to “Karma”.
Source MAC – By default, this is the MAC address of wlan0 on the WiFi Pineapple. This is the interface for which associations may be allowed and also hosts the Management Access Point. The MAC address of wlan0 may be changed from the Networking view. This MAC address may be set to that of a secondary WiFi Pineapple if desired. In this configuration multiple WiFi Pineapples may be deployed concurrently, with one configured to allow associations.
Target MAC – By default, this is the broadcast MAC address FF:FF:FF:FF:FF:FF. Frames transmitted to the broadcast address will be seen by all nearby Client devices. Setting the Client MAC address will target PineAP features at the single device. Similar to Beacon Response, only SSIDs Broadcast from the Pool will be visible to the targeted Client device. When used in conjunction with Filtering, this feature enables precision device targeting.
Broadcast SSID Pool Interval – Specifies the Interval in which to Broadcast SSIDs from the Pool. Aggressive will transmit beacons from the SSID pool more frequently, albeit with a higher CPU utilization.
Beacon Response Interval – Specifies the Interval in which to transmit Beacon Responses. Similar to Broadcast SSID Pool Interval, the aggressive mode will transmit more frequently while requiring a higher CPU utilization.
Save Active Config as Default – From the Configuration menu, Saving the active config as the default on Boot will remember the saved PineAP features and settings for use on the next boot cycle.
SSID Pool – Populated automatically when the Capture SSID Pool feature is enabled. May also be added manually using the text field and Add button. Similarly, clicking a listed SSID will populate the text field allowing for the removal of the entry using the Remove button. From the SSID Pool Menu, Clear SSID Pool will remove all entries.