PINEAPPLE_FIELD_REF v3.2 EDUCATIONAL USE
Hak5 // Penetration Testing Platform

WiFi Pineapple

The WiFi Pineapple is a purpose-built wireless auditing platform by Hak5, designed for authorized penetration testers and security professionals. It enables advanced reconnaissance, man-in-the-middle testing, client enumeration, and rogue access point simulation in controlled assessments. This reference covers its architecture, modules, use cases, and operational methodology.

Tags: Pentest Tool, 802.11 Auditing, MITM Platform, Recon Framework

Platform Overview

Architecture, capabilities, and positioning within the wireless audit toolkit

This material is for authorized security testing and education only. Unauthorized interception of wireless communications is illegal under laws such as the CFAA (US), Computer Misuse Act (UK), and equivalent statutes worldwide. Always obtain written authorization before conducting any wireless assessment.

What is the WiFi Pineapple?

The WiFi Pineapple is a dedicated wireless penetration testing device built on a Linux-based platform. Unlike general-purpose laptops running aircrack-ng, the Pineapple is a turnkey auditing appliance with a web-based interface (the PineAP Dashboard), a modular payload system, and dual-radio architecture designed specifically for wireless security assessments. It has been an industry-standard tool for red teams, penetration testers, and security researchers since its introduction by Hak5.

Core Architecture

The Pineapple operates with dual wireless radios: one radio serves as the rogue/evil twin access point (AP) that clients connect to, while the second radio maintains an upstream connection to a legitimate network for internet pass-through. This dual-radio design is fundamental to its man-in-the-middle capabilities. The device runs a custom Linux firmware (based on OpenWrt) with the PineAP suite layered on top, providing automated client attraction, logging, and payload delivery. The web-based management dashboard is accessible over the Pineapple's own management network or via USB/Ethernet tethering.

Key Differentiators

  • Purpose-built hardware — not a general-purpose router reflashed with custom firmware
  • PineAP Suite automates complex wireless attacks that would otherwise require manual scripting
  • Module ecosystem enables community-contributed payloads and extensions
  • Campaign system for long-running, unattended assessments with scheduled tasks
  • Cloud C2 integration for remote management of deployed Pineapples in the field
  • Intuitive web UI lowers the barrier for standardized testing across teams
  • Designed for portability — battery-powered field deployment without a laptop

# Typical assessment workflow overview
$ phase_1: passive_recon → scan environment, enumerate SSIDs, catalog clients
$ phase_2: target_selection → identify in-scope networks and client devices
$ phase_3: active_testing → deploy PineAP, evil twin, captive portals
$ phase_4: data_capture → log credentials, analyze traffic patterns
$ phase_5: reporting → export logs, generate findings, deliver to client
// All phases require written authorization from network owner

Use Cases

Professional scenarios where the WiFi Pineapple is deployed in authorized engagements

// 01

Corporate Wireless Audits

Assess the security posture of enterprise Wi-Fi infrastructure by testing for common misconfigurations, weak authentication, and client-side vulnerabilities.

In a corporate wireless audit, the Pineapple is used to evaluate how company devices respond to rogue access points. Testers deploy an evil twin of the corporate SSID and observe whether employee devices auto-connect. This exposes weaknesses in 802.1X configurations, certificate pinning failures, and whether devices have proper network profiles. The tester documents which devices connected, what credentials were transmitted, and whether network segmentation held. Findings typically feed into recommendations for WPA3-Enterprise deployment, certificate-based authentication, and WIDS/WIPS tuning. Scope: typically covers all office floors, conference rooms, and common areas within the authorized facility.
// 02

Red Team Wireless Engagements

Simulate an adversary who targets the wireless perimeter to gain initial access to internal networks as part of a full-scope red team operation.

Red teams use the Pineapple as an initial access vector. The device can be concealed in a target building (a "drop box") to maintain persistent wireless access. The tester deploys an evil twin to capture domain credentials, then uses those credentials to pivot into the internal network. Techniques include: WPA2-Enterprise credential harvesting via RADIUS impersonation, captive portal phishing to harvest Active Directory passwords, and using the Pineapple as a wireless bridge to tunnel red team C2 traffic into the corporate LAN. The Cloud C2 platform allows the red team operator to remotely manage the Pineapple once physically planted.
// 03

Security Awareness Training

Demonstrate real-world wireless threats to executives and employees to justify security investments and improve user behavior.

One of the most impactful uses of the Pineapple is in live demonstrations. Security teams set up the device in a conference room and show leadership how easily their devices connect to a rogue AP, how credentials can be captured through fake captive portals, and how browsing traffic can be intercepted. This is highly effective because it transforms abstract threats into tangible, visible risks. Employees see their own device names appear in the Pineapple dashboard, which creates a lasting impression. These demonstrations are often the catalyst for policy changes such as disabling auto-connect on managed devices, enforcing VPN usage on untrusted networks, and deploying 802.1X with certificate pinning.
// 04

Rogue AP Detection Testing

Validate that an organization's Wireless Intrusion Detection/Prevention System (WIDS/WIPS) can detect and alert on unauthorized access points.

Organizations that deploy enterprise WIDS/WIPS solutions (Cisco, Aruba, Fortinet, etc.) need to validate that these systems actually work. The Pineapple is used as a controlled rogue AP to test detection thresholds. Testers deploy the Pineapple with varying configurations — matching the corporate SSID, using similar BSSIDs, operating on different channels — and observe whether the WIDS/WIPS generates alerts, contains the rogue AP, or fails silently. Failure to detect a Pineapple operating on the same SSID as the corporate network represents a critical finding. This testing also evaluates the mean time to detection (MTTD) and whether the containment response (deauth frames) is effective.
// 05

Compliance & Policy Validation

Verify that organizational wireless policies are actually enforced on endpoints — not just documented on paper.

Many compliance frameworks (PCI-DSS, HIPAA, SOC 2) require wireless security testing. The Pineapple enables testers to validate that managed devices reject untrusted certificates, that auto-connect to open networks is disabled via MDM policy, and that sensitive devices don't probe for previously joined home or hotel networks. PCI-DSS Requirement 11.1 specifically mandates quarterly testing for unauthorized wireless access points. The Pineapple's logging capabilities provide the evidence trail needed for compliance reports, documenting exactly which devices connected, when, and what data was exposed.
// 06

IoT & Embedded Device Auditing

Test the wireless security of IoT devices, embedded systems, and smart building infrastructure.

IoT devices (cameras, sensors, industrial controllers, medical devices) often have hardcoded Wi-Fi credentials, use weak or no encryption, and lack certificate validation. The Pineapple is used to create a replica of the IoT network's SSID and observe whether devices blindly connect. Testers can then analyze the traffic these devices send — many transmit telemetry, credentials, or firmware update requests in cleartext. Critical findings include devices that auto-connect to any open network with a familiar SSID, devices that send credentials without TLS, and devices that accept firmware updates over unencrypted channels. This is particularly important in healthcare (connected medical devices), manufacturing (ICS/SCADA), and smart building environments.
// 07

Physical Security Assessments

Evaluate the risk of a physically planted rogue device persisting undetected in a facility.

The Pineapple's compact form factor makes it ideal for testing physical security controls. During authorized assessments, testers conceal the device in a ceiling tile, behind a monitor, or in a network closet, then monitor how long it operates before detection. This tests the organization's ability to detect unauthorized hardware through network monitoring, physical inspections, and port security (802.1X wired). The Pineapple's campaign system allows it to run automated tasks on a schedule while unattended. Metrics captured: time to detection, whether MAC-based or NAC-based controls flagged the device, and whether physical security sweeps identified it.
// 08

VPN & Endpoint Protection Validation

Test whether endpoint security controls (always-on VPN, HIPS, DNS filtering) hold up when a device is on an untrusted network.

Once a client device connects to the Pineapple's rogue AP, the tester can observe whether endpoint protections activate correctly. Does the always-on VPN engage before any cleartext traffic leaks? Does the DNS filtering policy apply on untrusted networks? Do HIPS/EDR agents detect the MITM condition? Common failures include: VPN split-tunnel configurations that leak local traffic, DNS queries that bypass the corporate resolver before the VPN tunnel establishes, and browser-based applications that proceed despite TLS certificate warnings. This testing validates the real-world effectiveness of endpoint security policies that are often only tested in lab environments.

Module Ecosystem

Loadable modules extend core functionality — community and official payloads

mod://

Evil Portal

Serves customizable captive portal pages to connected clients. Clone login pages for authorized phishing assessments and credential capture.

Evil Portal is one of the most-used modules. It intercepts HTTP requests from connected clients and redirects them to a custom captive portal page hosted on the Pineapple. Testers can create replicas of corporate login pages, hotel Wi-Fi portals, or cloud service logins. When the target submits credentials, they are logged locally. Advanced usage: combine with DNS spoofing to redirect HTTPS sites to the portal (only effective if the client ignores certificate warnings), use JavaScript keyloggers in the portal page, or chain with a downstream transparent proxy for continued traffic analysis after portal bypass. All captured credentials are timestamped and logged for inclusion in the pentest report.
mod://

PineAP (Core Suite)

The heart of the Pineapple — automated beacon response, SSID spoofing, client attraction, and logging engine.

PineAP is the Pineapple's core engine for attracting wireless clients. It works by listening for probe requests from nearby devices (devices looking for networks they've previously connected to) and responding to those probes, pretending to be the requested network. Key features: Beacon Response (automatically answers all probe requests), SSID Pool (broadcasts a list of target SSIDs), Dogma (prevents associated clients from connecting to other APs), and logging of all probes and associations. PineAP can be configured to target specific devices by MAC address or to broadly attract all nearby clients. The harvested probe data reveals every network name a device has previously connected to — a significant privacy and security concern.
mod://

Recon Module

Passive and active wireless scanning to enumerate all access points, clients, probe requests, and signal strengths in the target environment.

The Recon module performs comprehensive wireless environment scanning. In passive mode, it listens for beacon frames and probe requests without transmitting. In active mode, it sends probe requests to discover hidden SSIDs. Data collected: SSID names, BSSID (MAC addresses of APs), channel, encryption type (Open/WEP/WPA2/WPA3), signal strength (RSSI), associated client devices, unassociated (probing) clients, and probe request history. This data feeds into the target selection phase and helps testers understand the wireless landscape before deploying active attacks. Results can be filtered by encryption type, signal strength, or client count.
mod://

Deauth Module

Targeted deauthentication to disconnect clients from legitimate APs, forcing them to reconnect — potentially to the Pineapple's evil twin.

Deauthentication sends IEEE 802.11 management frames to disconnect a client from its current AP. This is used to force clients to re-probe and potentially associate with the Pineapple's evil twin. Operational detail: deauth can target a specific client (unicast) or all clients on a BSS (broadcast). The module allows setting the number of deauth packets, the interval, and the target channel. Note that 802.11w (Management Frame Protection) mitigates this attack — testing whether target networks have MFP enabled is itself a valuable finding. Deauth is also used in WPA handshake capture workflows, where forcing a reconnection generates the 4-way handshake needed for offline cracking.
mod://

DNS Spoof

Redirect DNS queries from connected clients to attacker-controlled IP addresses for phishing, payload delivery, or traffic interception.

Once a client is connected to the Pineapple, the DNS Spoof module allows the tester to control name resolution. Any domain can be redirected to an IP of the tester's choosing. Common use: redirect a corporate intranet domain to a cloned login page, redirect software update domains to serve trojanized payloads (in authorized red team ops), or redirect all DNS to a transparent proxy for traffic analysis. This module pairs with Evil Portal for targeted credential harvesting. The spoof rules are configurable per-domain, allowing selective targeting while passing legitimate traffic through normally to avoid detection.
mod://

Cabinet (Reporting)

Centralized logging, evidence collection, and report generation for professional pentest deliverables.

Cabinet aggregates all data collected during an engagement — client associations, captured credentials, DNS queries, probe logs, and session data — into a structured format suitable for pentest reporting. Features: timestamped event logs, exportable CSV/JSON data, client device inventory, session timeline, and evidence packaging. This is critical for professional engagements where findings must be documented with evidence, timelines, and reproducibility details. The logs include MAC addresses (for device identification), timestamps (for timeline correlation), and the specific technique that yielded each finding.

Reconnaissance & Enumeration

Intelligence gathering techniques using the Pineapple's scanning capabilities

Passive Wireless Reconnaissance

The Pineapple's passive recon mode monitors all 802.11 traffic without transmitting, which makes it undetectable over the air. In this mode, the device captures beacon frames from access points and probe request frames from client devices. Probe requests are particularly valuable: they reveal every SSID a device has previously connected to. A corporate laptop probing for "CorpNet-5G" and "Marriott_WiFi" tells the tester the device's network history. By cataloging probe requests across all in-scope devices, the tester builds a comprehensive map of network names that can be spoofed by PineAP.

Client Fingerprinting

Beyond basic MAC address enumeration, the Pineapple enables client fingerprinting through probe request analysis. The order, frequency, and content of probe requests can identify the operating system and device type. MAC address OUI (Organizationally Unique Identifier) lookup reveals the device manufacturer. Combined with signal strength triangulation (using multiple Pineapples or repositioning), testers can physically locate target devices within a facility. Modern devices with MAC randomization can still be fingerprinted through probe request timing patterns and information element analysis.

Network Topology Mapping

By correlating AP beacon data with client association patterns, the Pineapple helps map the target's wireless topology. This includes identifying SSIDs that share a common infrastructure (same OUI across BSSIDs), detecting VLANs exposed over wireless (multiple SSIDs on the same physical AP), finding hidden SSIDs through client probe/response analysis, and identifying rogue or unauthorized APs already present in the environment. This intelligence informs the active testing phase — the tester now knows which SSIDs to spoof, which clients to target, and where coverage gaps exist.

# Example recon data output

[SCAN] APs detected: 47 | Clients: 183 | Probes captured: 1,204
[AP] SSID: CorpNet-5G | BSSID: AA:BB:CC:11:22:33 | CH: 36 | WPA2-ENT | RSSI: -42
[AP] SSID: CorpNet-Guest | BSSID: AA:BB:CC:11:22:34 | CH: 6 | WPA2-PSK | RSSI: -45
[AP] SSID: <hidden> | BSSID: DD:EE:FF:44:55:66 | CH: 11 | OPEN | RSSI: -61
[CLIENT] MAC: 11:22:33:AA:BB:CC | Probes: CorpNet-5G, eduroam, ATT-WiFi-Home
[CLIENT] MAC: 44:55:66:DD:EE:FF | Probes: CorpNet-5G, Hilton-WiFi, iPhone-Hotspot
[ALERT] Rogue AP detected: SSID matches CorpNet-5G but unknown BSSID
// 183 client devices cataloged with full probe history
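
A defender-side check over scan lines in the layout shown above, added here as an example (it is not code from the original page or from Hak5). It compares observed beacons against an authorized AP inventory to flag evil twin and downgrade candidates, and lists managed clients that probe for non-corporate SSIDs. The `[AP]`/`[CLIENT]` layout is the page's illustrative format, and the inventory, managed-client list and sample lines are constructed assumptions.

```python
import re

# Assumed authorized AP inventory (constructed): BSSID -> (SSID, channel, security)
AUTHORIZED = {
    "AA:BB:CC:11:22:33": ("CorpNet-5G", 36, "WPA2-ENT"),
    "AA:BB:CC:11:22:34": ("CorpNet-Guest", 6, "WPA2-PSK"),
}
CORP_SSIDS = {ssid for ssid, _, _ in AUTHORIZED.values()}
MANAGED_CLIENTS = {"11:22:33:AA:BB:CC"}  # constructed stand-in for an MDM device list

AP_RE = re.compile(
    r"^\[AP\] SSID: (?P<ssid>.*?) \| BSSID: (?P<bssid>[0-9A-Fa-f:]{17}) \| "
    r"CH: (?P<ch>\d+) \| (?P<sec>[\w-]+) \| RSSI: (?P<rssi>-?\d+)$"
)
CLIENT_RE = re.compile(
    r"^\[CLIENT\] MAC: (?P<mac>[0-9A-Fa-f:]{17}) \| Probes: (?P<probes>.*)$"
)

# Constructed scan lines in the page's illustrative layout (not real tool output)
SAMPLE_SCAN = """\
[AP] SSID: CorpNet-5G | BSSID: AA:BB:CC:11:22:33 | CH: 36 | WPA2-ENT | RSSI: -42
[AP] SSID: CorpNet-5G | BSSID: 02:13:37:00:00:01 | CH: 36 | WPA2-ENT | RSSI: -30
[AP] SSID: CorpNet-Guest | BSSID: AA:BB:CC:11:22:34 | CH: 6 | WPA2-PSK | RSSI: -45
[AP] SSID: CorpNet-Guest | BSSID: AA:BB:CC:11:22:34 | CH: 11 | OPEN | RSSI: -44
[AP] SSID: <hidden> | BSSID: DD:EE:FF:44:55:66 | CH: 11 | OPEN | RSSI: -61
[CLIENT] MAC: 11:22:33:AA:BB:CC | Probes: CorpNet-5G, eduroam, ATT-WiFi-Home
[CLIENT] MAC: 44:55:66:DD:EE:FF | Probes: CorpNet-5G, Hilton-WiFi, iPhone-Hotspot
"""


def check_ap(ssid, bssid, channel, security):
    """Return (finding, detail) tuples for one observed beacon."""
    known = AUTHORIZED.get(bssid.upper())
    if known is None:
        # A corporate SSID from a radio we do not own: evil twin candidate.
        if ssid in CORP_SSIDS:
            return [("unknown-bssid", f"{ssid} advertised by {bssid}")]
        return []  # unrelated neighbour AP; out of scope for this check
    exp_ssid, exp_channel, exp_security = known
    findings = []
    # A known BSSID with different parameters suggests a cloned (spoofed) BSSID.
    if ssid != exp_ssid:
        findings.append(("ssid-mismatch", f"{bssid} expected {exp_ssid}, saw {ssid}"))
    if security != exp_security:
        findings.append(
            ("security-mismatch", f"{bssid} expected {exp_security}, saw {security}")
        )
    if channel != exp_channel:
        # Weak signal on its own: controllers with dynamic channel
        # assignment move APs legitimately.
        findings.append(
            ("channel-mismatch", f"{bssid} expected CH {exp_channel}, saw CH {channel}")
        )
    return findings


def audit(scan_text):
    """Parse scan lines and return all findings in input order."""
    findings = []
    for line in scan_text.splitlines():
        line = line.strip()
        ap = AP_RE.match(line)
        if ap:
            findings += check_ap(ap["ssid"], ap["bssid"], int(ap["ch"]), ap["sec"])
            continue
        client = CLIENT_RE.match(line)
        if client and client["mac"].upper() in MANAGED_CLIENTS:
            probes = [p.strip() for p in client["probes"].split(",")]
            extra = [p for p in probes if p and p not in CORP_SSIDS]
            if extra:
                # Managed device still advertises non-corporate networks in its PNL.
                findings.append(
                    ("pnl-exposure", f"{client['mac']} probes for {', '.join(extra)}")
                )
    return findings


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_SCAN):
        print(f"{kind:18} {detail}")
```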

Attack Vectors & Techniques

Authorized testing methodologies executable via the Pineapple platform

Every technique described here requires explicit written authorization from the network owner. Unauthorized use constitutes a criminal offense in most jurisdictions.
vector://

Evil Twin Attack

Create an identical replica of a target access point to intercept client connections and traffic.

The evil twin is the foundational attack. The Pineapple broadcasts the same SSID as the target network, optionally with a stronger signal. Client devices that have previously connected to the legitimate AP will auto-associate with the Pineapple if their connection manager prioritizes signal strength or fails to validate the AP's identity. Against WPA2-Enterprise: the Pineapple can run a rogue RADIUS server (via hostapd-wpe or similar) to capture MSCHAP challenge/response hashes, which can be cracked offline. Against WPA2-PSK: the tester can create an open twin to capture a WPA handshake via deauth + reconnect. Against Open networks: clients connect automatically with zero user interaction.
vector://

Captive Portal Phishing

Present a convincing login page to connected clients to harvest credentials through social engineering.

After a client connects to the evil twin (typically an open network), all HTTP traffic is intercepted and redirected to a captive portal page served by the Pineapple. The portal is customized to match the target organization's branding — a corporate SSO page, an Office 365 login, a VPN portal, etc. Users who enter credentials believe they are authenticating to use the Wi-Fi. Effectiveness: this technique has a high success rate because users are accustomed to captive portals on public Wi-Fi. Even security-conscious users may comply because the portal appears before they can establish a VPN connection. Captured credentials are logged with timestamps and source IP/MAC for the pentest report.
vector://

Man-in-the-Middle (MITM)

Intercept, inspect, and optionally modify traffic flowing between client devices and the internet.

Once clients are connected through the Pineapple, all their traffic flows through the device. The Pineapple's second radio forwards this traffic to the internet via a legitimate upstream connection. This transparent MITM position enables traffic inspection (HTTP URLs, DNS queries, cleartext protocols), SSL stripping (downgrading HTTPS to HTTP where HSTS is not enforced), credential sniffing (FTP, Telnet, HTTP Basic Auth, SMTP), session hijacking (capturing session cookies transmitted over HTTP), and injection of content into HTTP responses. Modern mitigations: HSTS, certificate pinning, and TLS 1.3 significantly limit MITM effectiveness — documenting which applications are and aren't protected is a key pentest finding.
vector://

Probe Request Harvesting

Collect and exploit the network names (SSIDs) that client devices are actively searching for.

Every Wi-Fi enabled device periodically sends probe requests for networks in its preferred network list (PNL). These requests are unencrypted and broadcast. The Pineapple captures all probe requests in the vicinity and builds a database of devices and their network histories. Exploitation: PineAP uses this data to automatically spoof the requested SSIDs, causing devices to connect to the Pineapple thinking it's a known network. This is particularly effective against devices probing for open networks (hotels, airports, coffee shops). Intelligence value: probe data reveals where employees travel, what hotels they use, their home network names, and which devices are managed vs. personal — all valuable for targeted social engineering.
vector://

WPA Handshake Capture

Force and capture the WPA 4-way handshake for offline password cracking.

For WPA2-PSK networks, the Pineapple can facilitate handshake capture by deauthenticating a connected client, then capturing the 4-way handshake when the client reconnects to the legitimate AP. The captured handshake (stored as a .pcap file) can be transferred to a cracking rig running hashcat or aircrack-ng for offline brute-force or dictionary attacks. Key detail: the Pineapple itself doesn't crack the handshake — it captures it. Cracking is performed on separate hardware (GPUs). The Pineapple's role is efficient, targeted deauth and packet capture. Success rates depend entirely on the PSK complexity — 8-character passwords fall in minutes, while complex passphrases may be infeasible to crack.
vector://

Downgrade Attacks

Force clients or networks to use weaker security protocols for easier exploitation.

When a target network supports multiple security modes (e.g., WPA2 and WPA3 in transition mode), the Pineapple can advertise only the weaker option. Clients that support both will connect using the weaker protocol. Examples: advertising a WPA2-only evil twin of a WPA3-transition network, serving an open twin of a WPA2-PSK network, or downgrading WPA2-Enterprise from EAP-TLS (certificate) to EAP-PEAP (password) by controlling the RADIUS negotiation. This testing validates whether the target network has properly disabled legacy protocol support and whether clients enforce minimum security requirements.

Operational Deployment

Field deployment strategies, campaign management, and remote operation

Cloud C2 (Command & Control)

Hak5's Cloud C2 platform enables remote management of deployed Pineapples over the internet. Once a Pineapple is physically planted and connected to an upstream network, the operator can access its full dashboard from anywhere. This supports long-duration engagements where the device runs unattended for days or weeks. The operator can trigger scans, start/stop PineAP, deploy modules, retrieve captured data, and update configurations — all remotely. The C2 communication is encrypted and uses HTTPS to blend with normal web traffic. Multiple Pineapples can be managed from a single C2 dashboard for large-scale assessments.

Campaign System

The Pineapple's campaign system allows testers to schedule automated task sequences. A campaign might be configured to: run passive recon from 09:00–10:00, activate PineAP from 10:00–12:00, deploy an evil portal from 12:00–14:00 (targeting lunch-hour traffic), then collect and package all logs at 14:00. This automation is essential for drop-box scenarios where the tester cannot be physically present. Campaigns can be set to repeat daily, run once, or trigger based on conditions (e.g., activate when a target MAC address is detected).

Physical Deployment Considerations

The Pineapple is designed for covert field deployment. It can be powered via USB battery pack (4+ hours with a 10,000mAh pack), PoE (if the Mark VII Enterprise is used), or wall power. Common concealment locations include ceiling tiles, behind monitors, in cable trays, inside equipment enclosures, or in a backpack for mobile assessments. Antenna selection matters — the stock omnidirectional antennas provide 360° coverage, while directional panel antennas focus the signal toward a specific area (e.g., a target floor or conference room). Signal strength and antenna placement directly impact how many clients the Pineapple can attract.

OPSEC for Authorized Testers

Even in authorized engagements, operational security matters. Testers should change the Pineapple's default management SSID and credentials, use MAC address randomization for the management radio, encrypt stored logs, use Cloud C2 over VPN for remote management, and maintain detailed activity logs that correlate with the scope document. If detected by the blue team during a red team exercise, the Pineapple's logged evidence proves the authorized tester's identity and scope. Clean-up procedures include removing all captured data from the device post-engagement and securely delivering reports to the client.

# Campaign schedule example

[CAMPAIGN] name: "Q1-Corp-Wireless-Audit"
[09:00] START passive_recon duration=60m
[10:00] START pineap mode=targeted ssid_pool=corporate_list.txt
[10:00] START evil_portal template=corp_sso_clone
[14:00] STOP all_modules
[14:01] EXPORT logs → /sd/campaign_q1/day_01/
[14:02] SYNC cloud_c2 → encrypted_upload
[REPEAT] daily for 5 business days

Hardware & Specifications

Technical specifications for the WiFi Pineapple Mark VII platform

WiFi Pineapple Mark VII

Processor: MediaTek MT7628 (580 MHz MIPS)
RAM: 256 MB DDR2
Storage: 2 GB NAND + MicroSD slot (up to 128 GB)
Radio 1: 802.11 b/g/n 2.4 GHz (PineAP / Evil Twin)
Radio 2: 802.11 b/g/n 2.4 GHz (Recon / Client)
USB: USB 2.0 Host (for additional radios, storage, or LTE modems)
Ethernet: 1x 10/100 Ethernet (upstream or management)
Power: USB-C (5V/2A) — battery pack compatible
Antennas: 2x RP-SMA (replaceable, supports directional)
OS: Custom Linux (OpenWrt-based) with PineAP Suite
Management: Web Dashboard, SSH, Cloud C2
Dimensions: Compact form factor — concealable for field ops

Expanding Capabilities

The USB port accepts additional 5 GHz radios (e.g., Alfa AWUS036ACH) to extend coverage to 802.11ac networks, LTE modems for cellular upstream (eliminating the need for a wired or Wi-Fi upstream connection), GPS modules for wardriving and geolocation of findings, and additional storage for extended campaign logging. The MicroSD slot provides bulk storage for packet captures, which can consume significant space during multi-day engagements. The Ethernet port can serve as the upstream connection in scenarios where the Pineapple is connected to a wired drop in the target facility.

Comparison with Software-Only Approaches

Testers can achieve similar results using a laptop with aircrack-ng, hostapd, dnsmasq, and a collection of scripts. The Pineapple's value proposition is integration, portability, and repeatability. The web UI standardizes workflows across a team. The purpose-built hardware eliminates driver compatibility issues that plague USB Wi-Fi adapters on various Linux distributions. The campaign and C2 systems enable deployment scenarios that a laptop cannot match. For teams that perform regular wireless assessments, the Pineapple reduces setup time from hours to minutes and ensures consistent methodology across engagements.