16 juli 2025 · 8 min read
The Wi-Fi Pineapple, developed by Hak5, is a powerful tool designed for wireless network auditing. Its versatility makes it ideal for red teamers and physical pentesters who need to assess wireless environments quickly and efficiently. In this blog post, we’ll go through the basic usage of the Wi-Fi Pineapple, explain how it works, and demonstrate its potential in a controlled test scenario.
The wifi pineapple
The Wi-Fi Pineapple is a Linux-based router running custom firmware, designed to attack, sniff, or redirect clients that connect to its network. Its primary use is to exploit the “Connect Automatically” feature enabled by default on most smart devices we use in daily life.
Connect Automatically button
Phones, laptops, smartwatches, and other wireless devices will often reconnect to any network they’ve previously trusted—without user interaction. The Wi-Fi Pineapple exploits this behavior using its PineAP functionality. This “Pineapple Access Point” feature allows the device to scan for nearby networks and impersonate them.
Once PineAP is active, the Wi-Fi Pineapple can:
This makes it incredibly effective during red team operations, where stealth and client-side access are crucial.
The first step in setting up the Wi-Fi Pineapple is unboxing the device and attaching the three external antennas
boxed Pineapple
To power the device, simply connect it via USB-C to a laptop, desktop, or power bank. For the initial configuration, it’s recommended to connect the Pineapple to a laptop or desktop to share the computer’s internet connection over USB.
unboxed and assembled
Once powered on, the Pineapple’s web interface can be accessed via:
After connecting with the web interface, the setup can be followed to install the firmware.
setup options
We recommend continuing the setup by Wi-Fi for easier access and mobility. However, ensure that you’re operating in a secure, controlled environment before enabling Wi-Fi-based management.
During the setup, the Pineapple will prompt to download and install the latest firmware. If using Wi-Fi setup, connect the device to a nearby access point (such as your router) to provide internet access.
Once the firmware installation is complete, the device is ready to use.
The Wi-Fi Pineapple offers a wide range of features and extensions. In this section, we’ll go over its most important functions.
The Wi-Fi Pineapple features a built-in web interface that serves as the central hub for managing and operating the device. One of the core elements of this interface is the Dashboard.
From the dashboard, users can open a local web shell directly on the Pineapple. This shell gives you access to the system’s file structure and allows advanced users to run Linux commands or inspect logs without needing SSH.
local web shell in Wi-Fi pineapple interface
Navigation is handled through the left-hand sidebar, which lists the main sections of the interface. This layout allows for quick access to different modules and settings, making it easy to switch between functionality like Recon, PineAP, and Module Management.
left-hand sidebar navigation
The dashboard displays several status cards that offer real-time information about the device and its current operations. These cards typically show:
dashboard status cards
In the Wi-Fi Pineapple ecosystem, a campaign represents a project or engagement targeting a specific environment or device. When a red teamer initiates an attack on a wireless target, a campaign is created to structure and log the activity surrounding that operation.
Each campaign is highly customizable and can include different operating modes depending on the objective:
Campaign mode selects
Reconnaissance – Monitor Only
This mode performs passive observation of the wireless environment. It monitors nearby access points and client device activity without broadcasting any signals or interfering with the network. Ideal for stealthy mapping of the Wi-Fi landscape before launching further attacks.
Client Device Assessment – Passive
This mode identifies client devices that are vulnerable to basic rogue access points or Evil Twin attacks. It uses Passive PineAP mode, which only spoofs access points on-demand, based on client device requests. By adjusting the filtering rules, you can control which SSIDs the Pineapple responds to.
Client Device Assessment – Active
In this mode, the Pineapple becomes more aggressive. It uses Active PineAP to broadcast a pool of SSIDs and continuously spoof all nearby access points. This approach is effective for identifying devices that automatically connect to known networks, making them vulnerable to more advanced Evil Twin attacks.
Campaign Reporting and Automation
Campaigns can be configured to automatically generate periodic reports, offering detailed insights into captured data and activity over time. These reports can be generated at custom intervals (e.g., every 30 minutes, 3 hours, or 6 hours), depending on operational needs.
The campaign’s monitoring options can also be configured to target 2.4 Ghz networks, 5Ghz networks or both types of networks. This is especially useful if the pentester is targeting a specific laptop or phone, as phones usually only have 2.4 Ghz connections and laptops 2.4 Ghz and 5 Ghz
configure monitor campaign
Reports:
Using a campaign a Wi-Fi pineapple can be configured to automatically do tasks such as passive scanning or active scanning. The pineapple has the added functionality of being able to generate reports based on its scans. These reports can be generated in the HTML of JSON format.
report format
Afterwords the report can be automatically exfiltrated to an email server, or uploaded using C2.
email reporting
cloud C2 exfiltration
The PineAP module is at the core of the Wi-Fi Pineapple’s rogue access point capabilities. It enables impersonation of nearby Wi-Fi networks by broadcasting cloned SSIDs, tricking devices into connecting to fake networks. With support for both Open APs and WPA2-secured networks, it can lure users into joining unencrypted hotspots or capture partial handshakes from secured ones—useful for offline cracking attempts.
activity log of PineAP
For more advanced operations, Evil Enterprise mode allows the Pineapple to mimic WPA2-Enterprise networks, enabling the capture of authentication attempts and MSCHAPv2 hashes during login. Filters can be used to narrow the attack scope and focus only on specific clients or networks, minimizing noise and exposure.
PineAP dashboard
PineAP supports three distinct operational modes, giving you fine-grained control over how aggressively the device interacts with its environment:
This is ideal for stealthy surveillance or building a list of SSIDs to impersonate later.
Pine AP passive mode
This mode is useful for targeted impersonation attacks during controlled engagements.
Pine AP active mode
PineAP advanced mode
The Recon module is a core component of the Wi-Fi Pineapple, designed to scan and analyze the surrounding wireless landscape. It provides a real-time overview of all nearby access points and client devices, making it ideal for both initial reconnaissance and targeted attacks.
Recon scan with the Wi-Fi Pineapple
During a scan, the Recon module reveals:
Security information of local Hackify Wi-Fi collected by the Wi-Fi Pineapple
You can configure scan duration and intensity in the settings, depending on how detailed the scan needs to be.
Within the Recon module, the Wi-Fi Pineapple offers several active attack options that go beyond passive observation. One of the most effective is client deauthentication, which is a technique used to forcibly disconnect a device from its current access point. This exploit works on networks secured with WPA2 or lower and is commonly used to trigger a reconnection attempt.
Action panel in Recon module
Deauthing a client can serve multiple purposes:
Once a client begins reconnecting, the Pineapple can intercept and save the handshake data. These WPA handshakes are stored locally and can be exported later for offline cracking using tools like hashcat or aircrack-ng. Successfully cracking a handshake may reveal the pre-shared key used by the target network.
The modules selection of the wifi pineapple is a community provided plugin marketplace. Here it is possible to download additional plugins for the Wi-Fi Pineapple which can be used in assessments:
available module on the Wi-Fi Pineapple
modules like PineAP, Recon, and Campaigns, it enables security professionals to simulate real-world attacks such as Evil Twin, rogue access points, and WPA handshake capture—all through a streamlined and user-friendly web interface.
Thanks to its compact and discreet design, the Pineapple can be deployed in hidden or public-facing locations for extended periods. Combined with its Campaign functionality, tasks such as scanning, spoofing, and data collection can be fully automated. Results can then be exfiltrated remotely to a Cloud C2 instance or attacker-controlled server.
These features make the Wi-Fi Pineapple particularly handy in infiltrating a targets environment.
Author: Dennis Drossaert