Introduction
A collection of features
The WiFi Pineapple experience is a suite of related tools and functionality working together to create the Wi-Fi recon and mimicry system.
Recon mode
Recon (reconnaissance) mode surveys the wireless environment and builds a view of access points and devices.
The recon system is the core of the WiFi Pineapple experience when collecting data, finding misconfigured devices, and tracking wireless device and access point behavior.
Recon mode relies on channel hopping to cover the different Wi-Fi channels. By spending a small amount of time on each channel, it can build a view of the networks on all channels.
Because channel hopping can only spend a short time on each channel, client detection may take longer - a client must be active at the same time as the Pineapple is looking at that channel, so not all clients will be detected immediately.
Channel hopping is optimized to pause if a handshake packet is seen, increasing the chances of successfully capturing a full handshake.
Access point detection
Access points - even “hidden” access points - continually advertise their presence. By rapidly changing channels, the WiFi Pineapple collects these advertisements, which include the network name, channel, encryption settings, and more.
Hidden access point decloaking
Hidden access points were never designed as part of the 802.11/Wi-Fi standards - they have always been a hack, and discoverable. By monitoring client behavior, the Pineapple is able to discover the name of a hidden network whenever a client joins.
Client detection
The WiFi Pineapple detects active clients, even on encrypted networks. While encryption protects the content of the client's traffic, it does not obscure the MAC addresses of the client or of the destination. Using the MAC addresses of the clients and access points, the Recon system is able to map out which APs a client connects to.
When a client is looking for networks to connect to, it transmits probe packets, often including the list of networks the client has previously joined (the “preferred network list”). The Recon system collects these, making it easier to determine where a client has previously been active and what networks it may be willing to connect to.
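As an added illustration (not code from the WiFi Pineapple itself), the following Python rebuilds the view a passive observer or wireless IDS gets from management frames alone: a beacon with a blank SSID marks an access point as hidden, a client's directed probe requests leak entries of its preferred network list, and the association request a client sends when it joins carries the hidden name. Frames are constructed inline and simplified (no radiotap header or FCS, four subtypes only); all addresses and names are made up.

```python
import struct

# Bytes of fixed fields that precede the tagged elements, per management subtype
FIXED = {0: 4, 4: 0, 5: 12, 8: 12}   # assoc req, probe req, probe resp, beacon
SSID = 0                              # element id of the SSID information element

def build_mgmt(subtype, dst, src, bssid, ies, fixed=b""):
    """Constructed 802.11 management frame (no radiotap header, no FCS)."""
    hdr = struct.pack("<BBH", subtype << 4, 0, 0) + dst + src + bssid + b"\x00\x00"
    return hdr + fixed + b"".join(struct.pack("BB", eid, len(v)) + v for eid, v in ies)

def parse_mgmt(frame):
    """Return (subtype, src, bssid, {element id: value}), or None for unhandled frames."""
    subtype = frame[0] >> 4
    if frame[0] & 0x0c or subtype not in FIXED:          # type bits must be 00 = management
        return None
    src, bssid = frame[10:16].hex(":"), frame[16:22].hex(":")
    pos, ies = 24 + FIXED[subtype], {}
    while pos + 2 <= len(frame):                        # walk the tagged parameters
        eid, n = frame[pos], frame[pos + 1]
        ies[eid] = frame[pos + 2:pos + 2 + n]
        pos += 2 + n
    return subtype, src, bssid, ies

class WirelessView:
    """What a passive observer (or a wireless IDS) can rebuild from management frames."""
    def __init__(self):
        self.aps = {}       # bssid -> ssid (None while the network is still "hidden")
        self.probed = {}    # client -> set of names it asked for (preferred network list)
        self.joined = {}    # client -> set of bssids it associated to

    def observe(self, frame):
        parsed = parse_mgmt(frame)
        if not parsed:
            return
        subtype, src, bssid, ies = parsed
        # Hidden beacons carry a zero-length SSID or one padded with NULs
        name = ies.get(SSID, b"").rstrip(b"\x00").decode("utf-8", "replace") or None
        if subtype == 8:                                # beacon: learn the AP, name may be hidden
            if name or src not in self.aps:
                self.aps[src] = name
        elif subtype == 5:                              # probe response always carries the name
            self.aps[src] = name
        elif subtype == 4 and name:                     # directed probe: a preferred-network entry
            self.probed.setdefault(src, set()).add(name)
        elif subtype == 0:                              # association: the client reveals the name
            self.aps[bssid] = name
            self.joined.setdefault(src, set()).add(bssid)
```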
Handshake collection
WPA-PSK and WPA2-PSK networks can be vulnerable to an offline attack against connection handshakes. In an offline attack, the attacker does not need to be connected to the network; instead, captured handshake data can be used to brute force credentials. WPA3 was designed to fix this weakness, so handshakes from WPA3 networks are not vulnerable in the same way.
Whenever a client connects to a Wi-Fi WPA-PSK or WPA2-PSK network, it performs a multi-stage handshake where a unique per-client encryption value is exchanged. Handshakes are also generated every time a client refreshes the encryption key - typically every 5 minutes.
The WiFi Pineapple looks for handshake packets and, in collection mode, automatically attempts to capture the related packets, saving them in the /root/loot/handshakes/ directory.
Handshake collection works with the channel hopping system: when a handshake packet is seen, the channel hopping system automatically delays the next channel change, maximizing the chances of capturing a complete handshake exchange.
A collected handshake can be used with tools such as hashcat. These tools run on a desktop or laptop and often require GPU acceleration. Typically they would not be run on the WiFi Pineapple directly, as they require significant processing power and resources.
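An added example (not the Pineapple's own code) of the "handshake packet seen" signal that drives the channel-hopping pause, and of how a defender can use the same signal: it classifies EAPOL-Key frames into the four handshake messages from their Key Information flags, then flags an AP/client pair that completes far more handshakes inside a window than the normal rekey cadence would produce, which is what forced reconnections look like from the network side. Frames are constructed inline with zeroed nonces and MICs; the M2/M4 distinction is a heuristic and the two-per-five-minutes threshold is an assumption.

```python
import struct
from collections import defaultdict

# Key Information flag bits of an EAPOL-Key frame (16-bit big-endian field)
KEY_TYPE_PAIRWISE, INSTALL, KEY_ACK, KEY_MIC, SECURE = 1 << 3, 1 << 6, 1 << 7, 1 << 8, 1 << 9

def build_eapol_key(key_info, key_data=b""):
    """Constructed EAPOL-Key frame (EAPOL header + RSN descriptor); nonce, IV, RSC, MIC zeroed."""
    body = struct.pack("!BHH", 2, key_info, 16) + bytes(88)     # descriptor type 2 = RSN
    body += struct.pack("!H", len(key_data)) + key_data
    return struct.pack("!BBH", 2, 3, len(body)) + body           # EAPOL v2, type 3 = Key

def classify(frame):
    """Return 1..4 for a pairwise 4-way handshake message, or None if the frame is not one."""
    if len(frame) < 99 or frame[1] != 3:                         # not an EAPOL-Key packet
        return None
    desc, key_info = struct.unpack("!BH", frame[4:7])
    if desc not in (2, 254) or not key_info & KEY_TYPE_PAIRWISE: # 254 = legacy WPA descriptor
        return None                                              # group-key handshake etc.
    key_data_len = struct.unpack("!H", frame[97:99])[0]
    ack, mic, install, secure = (bool(key_info & b) for b in (KEY_ACK, KEY_MIC, INSTALL, SECURE))
    if ack and not mic:
        return 1
    if ack and mic and install:
        return 3
    if not ack and mic:                  # heuristic: M4 is Secure (RSN) or carries no key data (WPA)
        return 4 if secure or key_data_len == 0 else 2

class HandshakeTracker:
    """Per (AP, client) pair: which messages were seen, and when full handshakes completed."""
    def __init__(self, window=300, max_per_window=2):
        self.window, self.limit = window, max_per_window
        self.seen = defaultdict(set)        # (ap, sta) -> message numbers of the current exchange
        self.completed = defaultdict(list)  # (ap, sta) -> timestamps of completed handshakes
    def observe(self, ap, sta, frame, ts):
        msg = classify(frame)                # non-None is also the "pause channel hopping" signal
        if msg is None:
            return None
        key = (ap, sta)
        if msg == 1:                         # a fresh M1 starts a new exchange
            self.seen[key].clear()
        self.seen[key].add(msg)
        if self.seen[key] == {1, 2, 3, 4}:
            self.completed[key].append(ts)
            self.seen[key].clear()
        return msg
    def suspicious(self, ap, sta, now):
        """More completed handshakes in the window than a normal rekey cadence would produce."""
        return sum(now - t <= self.window for t in self.completed[(ap, sta)]) > self.limit
```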
Open AP mimicry mode
The Pineapple Open access point is one of the strongest tools during a pentest engagement. It allows a single WiFi Pineapple to act as many access points with different names, capturing clients when they probe for target networks in the clients' preferred network list.
Pineapple Open access points use a filter mechanic to ensure your engagement is scoped properly; filters can be configured to allow or block any combination of network names and client addresses.
Scoping your engagement is always important! It ensures that you are only targeting devices you expect to target!
WPA Evil Twin mode
Clone an existing access point, create a generic WPA access point, or attempt to capture partial handshakes for PMKID attacks with WPA Evil Twin mode.
Learn more about Evil Twin mode here!
SSID pool advertising
To help entice clients into connecting to the Pineapple Open AP, in addition to allowing connections to multiple SSIDs, the Pineapple can advertise specific SSIDs from the SSID Advertisement Pool.
Coupled with recon mode, the Pineapple can automatically add probed SSIDs to the pool!
Client disconnection and deauthentication
To aid in capturing clients and handshakes during a pentest, the WiFi Pineapple Pager can attempt to disconnect clients connected to an existing access point, subject to regulatory limitations (DFS and 6GHz) and modern client protection (WPA3 and 802.11w PMF).
Due to strong regulatory restrictions on DFS and 6GHz Wi-Fi channels, injection is not possible against networks on these channels.
Additionally, all networks on 6GHz require WPA3 protections (even ‘open’ networks on 6GHz require WPA3-OWE); WPA3 includes Protected Management Frames (PMF), which prevent injected disconnection packets from being accepted.