Recon mode (or reconnaissance mode) is how the Pineapple suite surveys the surrounding wireless landscape.

Recon mode is a fully passive feature. By simply listening to the packets sent by devices in the area, the Pineapple builds a view of access points and clients around it.

Recon mode features

Channel coverage

A Wi-Fi NIC can only tune to a single channel at a time, but Wi-Fi has dozens (or in some cases, hundreds) of channels. How do we monitor them all without dozens or hundreds of Wi-Fi cards?

The Recon engine automatically hops between channels in the enabled Wi-Fi bands. Each band defines a standard set of channels. Wi-Fi can operate on 2.4GHz (the original Wi-Fi radio frequencies, typically the slowest and most crowded), 5GHz (expanded channels with less range but typically much faster, used by most modern devices), and 6GHz (a very new channel allocation larger than 2.4GHz and 5GHz combined, but with less range and very few devices able to use it yet).

By default, the Wi-Fi Pineapple Pager monitors the 2.4GHz and 5GHz ranges. The 6GHz range can be turned on in the Recon settings or the global System settings under Settings > Network > 6GHz.

Recon mode optimizes how it uses radios automatically. Packets are captured from any available radio, and if a handshake packet is detected, the channel hopping automatically attempts to capture the rest of a handshake before continuing to the next channel.

Access point detection

Every access point advertises its presence with beacon packets - a type of Wi-Fi packet which declares that an access point is present, the network name (or SSID), the encryption options, and often other information about the network.

Beacon packets are how a traditional Wi-Fi device builds a list of networks to join. The Wi-Fi Pineapple Recon engine takes this further: by using raw capture mode instead of relying on the firmware of the Wi-Fi NIC, it is able to detect a network from a single packet.

Hidden access point detection

Hidden access points were never intended as part of the IEEE 802.11 / Wi-Fi standard; they were created by manufacturers in an attempt to hide the network identity. Since hiding was never part of the standard, removing the network name from beacons does not prevent it from appearing in other packets.

Recon mode will automatically decloak hidden networks when a client joins.

Client and device detection

Devices generate packets when joining and leaving networks and exchanging data. Even with fully modern encryption (such as WPA3), while the data may be protected, the unique MAC addresses of the client, the access point, and the destination device, are not. Using this information, the Pineapple can build a list of what devices are communicating with access points in the area - and what networks they’re looking to connect to, if they are not connected!

Channel hopping spends a short amount of time on each channel, sampling the packets. Because the Pineapple can only detect packets from devices which are actively transmitting while it is monitoring that channel, not all clients will be detected immediately. Over time, as the Pineapple returns to a channel with clients, more data is collected and the client list grows.

Client network detection

When a Wi-Fi client is looking for a network to join, it operates in one of three basic patterns:

  1. Passive network observation. By simply receiving the beacons from access points in the area, a client can compare against the list of configured networks it might join. In this mode, a client is invisible until joining a network.
  2. Broadcast probe. A client may send a special packet - a probe request - indicating it wants to join a network, but with no network name specified. This allows networks to respond to the client with the configured network name, and the client uses this information to build the network list. Recon mode can detect these clients, and they often join a network immediately after.
  3. Named probe. If a client cannot discover any networks from the configured list passively, or if there are any hidden networks configured on the device, it will start sending probe requests for networks it has previously been configured for. This allows the Pineapple to build a list of networks the device is looking for (which we’ll use later!), and can be used for identifying unique clients or where else a client may have been.
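A parser for the beacon, probe request and association frames the three sections above describe, as an added example (not Pineapple code): it builds the access point list from beacons, flags hidden networks, records broadcast and named probes per client, and decloaks a hidden access point when a joining client's association request names it. All frames, MAC addresses and SSIDs are constructed for the example, and the frames carry no radiotap header.

```python
import struct
from collections import defaultdict
SUBTYPE_ASSOC_REQ, SUBTYPE_PROBE_REQ, SUBTYPE_BEACON = 0x0, 0x4, 0x8  # 802.11 management subtypes

def mgmt_frame(subtype, addr1, addr2, addr3, body):
    # Minimal management frame: frame control (type 0, subtype), duration, 3 addresses, sequence control, body
    return struct.pack("<H", subtype << 4) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00" + body

def ssid_ie(ssid):
    return bytes([0, len(ssid)]) + ssid  # tagged parameter: element ID 0 (SSID), length, value

def parse_ies(body):
    # Walk the tagged parameters (ID, length, value) and return {element_id: value}
    ies, i = {}, 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        ies[eid] = body[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies

def survey(frames):
    # Build the access point and client views described in the text from raw management frames
    aps, client_probes = {}, defaultdict(set)
    for f in frames:
        subtype, tx, bssid = (f[0] >> 4) & 0xF, f[10:16].hex(":"), f[16:22].hex(":")
        if subtype == SUBTYPE_BEACON:
            ssid = parse_ies(f[24 + 12:]).get(0, b"")  # skip timestamp(8), interval(2), capability(2)
            hidden = len(ssid) == 0 or set(ssid) == {0}  # empty or null-filled SSID: hidden network
            aps.setdefault(bssid, {"ssid": None if hidden else ssid.decode(errors="replace"), "hidden": hidden})
        elif subtype == SUBTYPE_PROBE_REQ:
            ssid = parse_ies(f[24:]).get(0, b"")
            client_probes[tx].add(ssid.decode(errors="replace") if ssid else "<broadcast>")
        elif subtype == SUBTYPE_ASSOC_REQ:
            ssid = parse_ies(f[24 + 4:]).get(0, b"").decode(errors="replace")  # skip capability(2), listen interval(2)
            ap = aps.get(bssid)
            if ap and ap["hidden"] and ssid:  # the joining client names the network: decloak the hidden AP
                ap["ssid"], ap["hidden"] = ssid, False
    return aps, dict(client_probes)

# Constructed sample capture: two APs (one hidden) and one client; all MACs are made up for this example
AP1, AP2, CLI = bytes.fromhex("02aabbcc0001"), bytes.fromhex("02aabbcc0002"), bytes.fromhex("02ddeeff0001")
BCAST = b"\xff" * 6
FRAMES = [
    mgmt_frame(SUBTYPE_BEACON, BCAST, AP1, AP1, b"\x00" * 12 + ssid_ie(b"CoffeeShop")),
    mgmt_frame(SUBTYPE_BEACON, BCAST, AP2, AP2, b"\x00" * 12 + ssid_ie(b"")),  # hidden network beacon
    mgmt_frame(SUBTYPE_PROBE_REQ, BCAST, CLI, BCAST, ssid_ie(b"")),  # broadcast probe
    mgmt_frame(SUBTYPE_PROBE_REQ, BCAST, CLI, BCAST, ssid_ie(b"HomeNet")),  # named probe
    mgmt_frame(SUBTYPE_ASSOC_REQ, AP2, CLI, AP2, b"\x00" * 4 + ssid_ie(b"Hidden1")),  # client joins hidden AP
]
```

Running survey(FRAMES) returns the AP table (with the hidden network renamed once the association request is seen) and the per-client set of probed networks.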

Handshake collection

WPA-PSK and WPA2-PSK networks can be vulnerable to an offline dictionary attack. In an offline attack, an attacker does not need to be connected to the network; instead, specific packets (the WPA handshake) are collected, and a list of suspected passwords is compared against the data to try to find a match.

A dictionary attack can be extremely CPU intensive and involve hundreds of millions of possible passwords and combinations. An offline attack is performed on a laptop (or preferably desktop or server) computer, not on the Pineapple device itself, and typically a fast GPU is required for practical attacks.

One of the most powerful and popular tools for performing attacks against password hashes is Hashcat.

The Pineapple automatically collects WPA handshakes in PCAP format and in Hashcat .22000 hcappx format (both files contain the same information, laid out differently).

Handshakes are captured and stored in /root/loot/handshakes/ and can be downloaded via scp or sftp, or through the Virtual Pager interface.