PineAP
PineAP is the center of the WiFi Pineapple's rogue access points, client management and filtering.

PineAP Settings

The main PineAP page is used to manage the PineAP Daemon settings and status. You can manage individual daemon settings by selecting the Advanced tab, or you may select preset settings with the Passive or Active tabs.
On the right hand side, you can find the current SSID pool. These SSIDs can be automatically collected in the Passive and Active modes, or by selecting the "Capture SSIDs to Pool" option in Advanced. You can use the field below and the Add, Remove and Clear buttons to manually add or remove SSIDs.
PineAP Settings

SSID Pool Capture

When "Capture SSIDs to Pool" is enabled, SSIDs seen passively (observed probe requests) and through recon mode are automatically added to the pool of target SSIDs.

Broadcast SSID Pool

When enabled, the WiFi Pineapple will actively advertise previously seen SSIDs. This may be useful for capturing clients looking for specific access points in their list of previous connections.

SSID Pool

When Broadcast SSID Pool is enabled, the WiFi Pineapple will advertise any SSIDs seen in the pool. This can cause clients looking for those networks to connect to the WiFi Pineapple Open network.
The SSID pool can be automatically populated by Recon Mode when the SSID Pool Capture option is selected, or SSIDs can be manually added to it.

Clients

The clients page provides two views for clients, split into connected clients and previous clients. From the Connected Clients you can view information about each connected client, including MAC, IP Address and the SSID they associated to, as well as the ability to kick them from the network.
Switching to the Previous Clients tab shows you a record of all previous associations to the rogue access points hosted by the WiFi Pineapple. Clients that have not yet disconnected from the network have a disconnect time of "Unavailable".

Filtering

The filtering page allows you to have fine control over what devices can connect to your WiFi Pineapple. You can do this by combining two filters: the Client Filter and the SSID Filter, with two modes each: Allow or Deny.
With the client filter you may limit the scope of engagement by choosing what devices may connect. Allow only specific devices, or any device that isn't specifically on the deny list.
With the SSID filter you may specify the spoofed networks for which the WiFi Pineapple will allow associations. Allow associations for only specifically listed SSIDs, or any SSID that isn't specifically listed.

Enterprise

The Enterprise tab allows you to configure a WPA-EAP Enterprise rogue access point. To begin, fill in the form to generate the EAP configuration and certificates.
Enterprise, or EAP, WiFi authentication is typically used on corporate networks with per-user logins on the network. It is protected by a SSL certificate, which must be created first.
Enterprise certificate generation
Once the certificate has been generated, you'll see easy to use options to configure the rogue enterprise access point, and view the challenge data any connected clients provide. Generating the certificate will take a moderate amount of time while the WiFi Pineapple gathers random data.
The information in the enterprise certificate is arbitrary. Some WiFi clients show the user the data entered in the certificate, while others may only show a certificate hash.
Properly configured WiFi Enterprise clients will reject unknown certificates, however many devices do not offer proper configuration and may either blindly accept new certificates, or prompt the user to accept the certificate.

Authentication Methods

When advertising an enterprise network, the WiFi Pineapple supports three authentication types:
  1. 1.
    Any The WiFi Pineapple will allow a client with any authentication method to connect. If possible, the WiFi Pineapple will inform the client it is allowed to connect. Clients connecting with EAP-GTC will connect as normal and the user login saved, while clients connecting with EAP-MSCHAPv2 will receive an error, but the MSCHAPv2 hash challenge will be captured and logged.
  2. 2.
    MSCHAPv2 MSCHAPv2 is the most common authentication method for enterprise clients. A MSCHAPv2 client uses a hashed authentication method which does not disclose the password. The WiFi Pineapple cannot answer the hash challenge without knowing the users password: A MSCHAPv2 client will not be able to fully connect to the WiFi Pineapple access point, but the challenge hash will be captured and logged, and can be processed offline to derive the user password.
  3. 3.
    GTC GTC is a simpler authentication protocol. Clients using GTC will disclose the full username and password, and will connect to the WiFi Pineapple as normal. The username and password will be logged.
For maximum compatibility, leave the authentication method as Any. To try to force clients to use a more vulnerable authentication method, switch to GTC. To capture hashes from clients which are configured to only support MSCHAPv2, use MSCHAPv2 mode.

Access Points

The Access Points tab allows you to configure the other access points hosted on the WiFi Pineapple: The Management AP, Open AP, and Evil WPA/2 AP.