WiFi Pineapple Mark VII
Set up:
Access via web:
Automatically perform the following type of campaigns:
Passively monitor client device and access point activity within a defined region of the WiFi environment.
Identify client devices susceptible to basic rogue access points or evil twin attacks. Uses a passive PineAP mode to mimic access points only upon direct request. Depending on filter configuration, client devices may be allowed to associate with the WiFi Pineapple.
Identify client devices susceptible to advanced rogue access points or evil twin attacks. Uses an active PineAP mode to broadcast an SSID pool, mimicking all access points listed. New access points may be dynamically added to the pool. Depending on filter configuration, client devices may be allowed to associate with the WiFi Pineapple.
When you design a campaign, you are telling PineAP how to behave.
Advanced options:
Impersonate APs: Explicitly advertise lists of access points to instigate clients into connecting to previously saved networks.
Serve a basic, unencrypted Open access point, or automatically impersonate any Open access point requested by a client.
The basic Open access point can be configured as visible or hidden; a hidden access point does not advertise its SSID, but clients which have saved the SSID will still be able to identify it, and some tools may still reveal the SSID.
When "Impersonate All Networks" is enabled, the WiFi Pineapple will answer for all SSIDs which are permitted by the filter configuration!
Filters can be used to tune the responses for your engagement, by either allowing all SSIDs in the filter list, or denying all SSIDs not in the filter list.
Set up an open AP with a login portal to perform phishing attacks, choose the desired template or upload a custom one.
The Evil WPA access point is used to impersonate a WPA (or WPA2) PSK network. It can also be used to collect partial handshakes for use with external cracking tools when the PSK is not known.
Be sure to allow your Evil WPA SSID in your filter configuration, or clients will not be able to connect!
These half-handshakes can be leveraged by hashcat to attack the original passphrase.
Serve a WPA-Enterprise network with optional key exchange degradation. Coupled with automatic authorization of all accounts, identify misconfigured enterprise clients and capture credentials.
It is protected by an SSL certificate, which must be created first.
Properly configured WiFi Enterprise clients will reject unknown certificates; however, many devices do not offer proper configuration and may either blindly accept new certificates or prompt the user to accept the certificate.
There are three authentication types:
Clients connecting with EAP-GTC will connect as normal and have their user login saved, while clients connecting with EAP-MSCHAPv2 will receive an error, but the MSCHAPv2 challenge hash will be captured and logged.
Most common authentication method for enterprise clients. An MSCHAPv2 client uses a hashed challenge-response method which does not disclose the password.
An MSCHAPv2 client will not be able to fully connect to the WiFi Pineapple access point, but the challenge hash will be captured and logged.
Clients using GTC will disclose the full username and password, and will connect to the WiFi Pineapple as normal. The username and password will be logged.
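The client-side weaknesses described above (no CA validation, no server name pinning, GTC inner authentication) can be audited in a wpa_supplicant configuration. The checker below is an added example, not part of these notes or of Hak5's tooling; the SSIDs, file paths and RADIUS hostname in the sample config are constructed.

```python
"""Audit wpa_supplicant network blocks for Enterprise client weaknesses:
missing ca_cert, missing server-name match, and GTC inner authentication."""
import re
from typing import Dict, List

# Constructed sample config (not a real deployment): one hardened block, one weak one.
SAMPLE_CONF = """
network={
    ssid="Corp-Secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="Corp-Staff-Legacy"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="bob"
    phase2="auth=GTC"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*(\w+)=("?)(.*?)\2\s*$', re.M)


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Return one {key: value} dict per network={...} block, quotes stripped."""
    return [{k: v for k, _q, v in KV_RE.findall(body)} for body in BLOCK_RE.findall(conf)]


def audit_network(net: Dict[str, str]) -> List[str]:
    """Findings for one EAP network: what a rogue RADIUS server could take advantage of."""
    findings: List[str] = []
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return findings  # PSK and open networks are out of scope here
    if "ca_cert" not in net:
        findings.append("no ca_cert: server certificate is not validated")
    if not any(k in net for k in ("domain_suffix_match", "domain_match", "altsubject_match")):
        findings.append("no server name match: any certificate from the trusted CA is accepted")
    if "=GTC" in net.get("phase2", "").upper():
        findings.append("inner GTC: the password is disclosed to whichever server terminates TLS")
    return findings


def audit_conf(conf: str) -> Dict[str, List[str]]:
    """Map each SSID to its findings; an empty list means the block is hardened."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(conf)}
```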
opkg install ca-bundle ca-certificates
opkg update
opkg install hcxdumptool
hcxdumptool -i wlan1mon -o pmkids-capture.pcapng --enable_status=1
hcxpcapngtool -o pmkids-capture.txt pmkids-capture.pcapng
Limit your engagement by configuring access by filters. Limit to specific clients or SSIDs, or exclude specific clients or SSIDs.
On the main Recon page, click on scan to start scanning.
You can search for Access Points or Clients by SSID, BSSID, or MAC address.
You can expand all clients automatically by going to the Recon Settings via the gear icon and choosing "Expand all client lists".
Active Access Points and Clients can be automatically highlighted to make finding them easier by clicking on Recon Settings > Highlight Active Devices.
By clicking on an AP or Client in the list, a side menu will slide out, from where you can select options specific to the type of device you selected, such as capturing handshakes or cloning, or adding MAC addresses to the Filters.
Tagged parameters are included in the beacon packets which advertise a WiFi network, and contain information about the encryption, channel selection, surrounding traffic, and more.
Simplified explanation of the security options employed by the network.
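The same beacon fields (BSSID, SSID, channel, security) let a defender spot the behaviour described above from the other side: a known SSID beaconed by an unknown BSSID, a WPA network suddenly appearing as Open, or one source address advertising many SSIDs at once. The triage below is an added example, not part of these notes or of the WiFi Pineapple; the inventory and the observed beacons are constructed, and the pool threshold is a heuristic.

```python
"""Passive rogue-AP / evil-twin triage over a list of observed beacons."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Beacon(NamedTuple):
    bssid: str
    ssid: str
    channel: int
    security: str  # simplified tag derived from the beacon's RSN/WPA tagged parameters


SECURITY_RANK = {"OPEN": 0, "WPA-PSK": 1, "WPA2-PSK": 2, "WPA2-EAP": 3, "WPA3-SAE": 4}

# Constructed inventory: the SSIDs we operate, their real BSSIDs and expected security.
AUTHORIZED: Dict[str, Dict] = {
    "Corp-Secure": {"bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}, "security": "WPA2-EAP"},
    "Corp-Guest": {"bssids": {"aa:bb:cc:00:00:03"}, "security": "WPA2-PSK"},
}

# Constructed observations: two legitimate APs plus one radio answering for many SSIDs.
OBSERVED = [
    Beacon("aa:bb:cc:00:00:01", "Corp-Secure", 36, "WPA2-EAP"),
    Beacon("aa:bb:cc:00:00:03", "Corp-Guest", 6, "WPA2-PSK"),
    Beacon("de:ad:be:ef:00:01", "Corp-Secure", 1, "WPA2-EAP"),  # our SSID, unknown BSSID
    Beacon("de:ad:be:ef:00:01", "Corp-Guest", 1, "OPEN"),       # our SSID, security downgraded
    Beacon("de:ad:be:ef:00:01", "CoffeeShop-Free", 1, "OPEN"),
    Beacon("de:ad:be:ef:00:01", "Airport_WiFi", 1, "OPEN"),
]


def triage(beacons: List[Beacon], inventory: Dict[str, Dict], pool_threshold: int = 3) -> Dict[str, List[str]]:
    """Return alerts keyed by BSSID; an empty dict means nothing looked suspicious."""
    alerts: Dict[str, List[str]] = defaultdict(list)
    ssids_per_bssid: Dict[str, Set[str]] = defaultdict(set)
    for b in beacons:
        ssids_per_bssid[b.bssid].add(b.ssid)
        known = inventory.get(b.ssid)
        if known is None:
            continue  # a foreign SSID on its own is not an alert
        if b.bssid not in known["bssids"]:
            alerts[b.bssid].append(f"unknown BSSID advertising our SSID {b.ssid!r}")
        if SECURITY_RANK.get(b.security, -1) < SECURITY_RANK[known["security"]]:
            alerts[b.bssid].append(f"{b.ssid!r} seen as {b.security}, expected {known['security']}")
    # One source address beaconing many SSIDs matches the broadcast-pool pattern (heuristic).
    for bssid, ssids in ssids_per_bssid.items():
        if len(ssids) >= pool_threshold:
            alerts[bssid].append(f"{len(ssids)} distinct SSIDs from one BSSID (SSID-pool pattern)")
    return dict(alerts)
```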
Once we have clients connected to our malicious AP, we can sniff their network activity.
Once we have clients connected to our malicious AP, click on the Clients tab, identify which interface the target client is on, then click on the tcpdump tab and start listening on that interface (br-lan most of the time).
HTTPeek displays all images, URLs, cookies, and POST data sent in plaintext by clients connected to the WiFi Pineapple.
We can click on the Automatic Handshake Capture button or target a specific network for handshake capture by selecting the network, then selecting "Capture Handshakes" from the menu.
The Handshakes tab shows any captured handshakes. Handshakes are captured in PCAP and Hashcat's 22000 format.
Handshakes that list Recon Capture as the source show that they were captured during a Recon scan or a Recon handshake capture.
Handshakes captured from the Evil WPA AP show as Evil WPA/2 Twin.
To set up a custom captive portal, load the Google template () and use a "save web page" extension to save the target page you want to simulate. Then adapt it to the PHP Google template so it grabs the credentials, and load it by changing the index within the Pineapple GUI rather than uploading a whole new folder.
Once we have clients connected to our malicious AP, we can spoof DNS to redirect victims to our malicious site with the DNSspoof () module.