PineAP is an effective, modular rogue access point suite for the WiFi Pineapple. In some ways it can be seen as the next-generation Karma, but as you’ll see it’s a whole lot more.
Since the original WiFi Pineapple Mark 1, Karma has played a key role in attracting clients. MK5 Karma now takes on this important role and then some, supporting a host of additional PineAP modules intended to effectively host spoofed Access Points, or honeypots. At the core of this feature is the trick of quite simply replying to probe requests with appropriately crafted probe responses.
For example, if a Client device (like a phone or laptop) sends out a probe request for an Access Point (AP) with the SSID “ACME Corporate LAN”, the MK5 Karma module will reply with an appropriately crafted probe response mimicking the SSID “ACME Corporate LAN”.
While this simple call and response trick is effective on many devices, it becomes even more potent when coupled with the formidable host of PineAP modules like Dogma, Beacon Response, Auto Harvester, Recon Mode and Deauth.
If Karma is the passive listening type, Dogma is its direct and aggressive sibling.
The Dogma PineAP module is intended to reinforce the MK5 Karma attack by advertising the spoofed Access Points, or honeypots. This is achieved by transmitting appropriately crafted beacon frames (packets) at uncommonly high rates for WiFi equipment. These frames mimic the networks defined by SSID values in the PineAP SSID Pool. This pool of network names is either defined by the penetration tester, or automatically collected by the Auto Harvester module. More on that in a bit.
For example, if the WiFi auditor is on an engagement for the ACME Corporation, they might specifically define SSID names derived from ACME corporate and branch offices.
A powerful Dogma feature is its ability to be configured with specific Source and Target MAC addresses. The Target MAC is that of a nearby client or device. If a target MAC address is specified, typically only that client (station) will observe the beacon frame advertising the honeypot.
The default target of FF:FF:FF:FF:FF:FF (otherwise known as Broadcast) makes these beacons visible to all nearby devices. Specifying a single Target MAC instead is very useful if the penetration tester is contracted to perform a WiFi audit on only a specific individual within the company.
The default Dogma configuration is to use the MAC address of the WiFi Pineapple as the beacon’s Source address. You may be wondering, why spoof the source address? The answer becomes apparent when using multiple WiFi Pineapples on an engagement. By spoofing the source address of Dogma’s beacons, the tester can use additional WiFi Pineapples to direct clients to a central WiFi Pineapple, either increasing the WiFi coverage area, or increasing the Dogma beacon throughput.
Throughput-wise, the Dogma module will transmit beacons at an incredibly high rate of around 400 per second. This is about 200-400 times more than most typical access points, which allows the WiFi Pineapple to mimic hundreds of SSIDs at once. The rate can be further increased by choosing Aggressive mode from the Dogma settings; however, in our tests we’ve found the Normal mode to be effective even with very large SSID pools.
The Beacon Response module of PineAP brings the siblings Karma and Dogma together for a killer combination.
Similar to how MK5 Karma responds to a potential client’s Probe Request with an appropriately crafted Probe Response, the Beacon Response module responds to the potential client with appropriately crafted beacons targeted solely at them. This reinforces the legitimacy of the spoofed network without causing broadcast beacons which may otherwise be picked up by other devices. As opposed to Dogma in its default “broadcast” state, Beacon Response only responds to the potential client, and only when that client makes a probe request.
For example, if a potential client transmits probe requests looking for an Access Point with the SSID “ACME Corporate LAN” – MK5 Karma will reply with a probe response using the SSID “ACME Corporate LAN”. Additionally, if the Beacon Response module is enabled, several targeted beacon frames advertising the Access Point “ACME Corporate LAN” will be transmitted for a period.
Much like Dogma, these beacon frames use the configured Source address, so the feature can be used in conjunction with multiple WiFi Pineapples during an audit. Since the Target address will always be that of the potential client transmitting the probe requests, the WiFi Pineapple’s beacon “responses” will typically only be observed by that potential client.
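The three behaviours described so far (MK5 Karma answering whatever SSID a client probes for, Dogma beaconing an entire SSID pool at around 400 frames per second, and Beacon Response addressing beacons to a single station) each leave a signature that a wireless intrusion detection system can look for. The following is an added example, not Hak5 or WiFi Pineapple code, of those checks run over frame records already decoded from a monitor-mode capture. The record layout (`ts`, `type`, `ta`, `da`, `ssid`), the thresholds and the sample capture are assumptions constructed for this example.

```python
"""Heuristic checks for rogue-AP behaviour in decoded 802.11 management frames.

Added example, not Hak5 / WiFi Pineapple code. It works on frame records that
have already been decoded from a monitor-mode capture; the record layout
(ts, type, ta, da, ssid) and the sample capture below are constructed for
this example.
"""
from collections import Counter, defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Thresholds are assumptions for this example, chosen from the ratios in the
# article: a typical AP beacons on the order of 10/s, Dogma around 400/s.
MAX_NORMAL_BEACON_RATE = 50.0   # beacons per second from one transmitter
MAX_SSIDS_PER_TA = 3            # a real AP rarely advertises more than a few
MIN_KARMA_SSIDS = 5             # probe responses for this many SSIDs from one TA


def karma_responders(frames, min_ssids=MIN_KARMA_SSIDS):
    """Transmitters that answer probe requests for many unrelated SSIDs.

    A Karma-style AP replies with whatever SSID the client asked for, so a
    single transmitter address ends up sourcing probe responses for many
    networks. Returns {ta: sorted SSID list} for transmitters over the threshold.
    """
    ssids_by_ta = defaultdict(set)
    for f in frames:
        if f["type"] == "probe_resp" and f.get("ssid"):
            ssids_by_ta[f["ta"]].add(f["ssid"])
    return {ta: sorted(s) for ta, s in ssids_by_ta.items() if len(s) >= min_ssids}


def beacon_anomalies(frames, max_rate=MAX_NORMAL_BEACON_RATE,
                     max_ssids=MAX_SSIDS_PER_TA):
    """Per-transmitter beacon statistics carrying the Dogma / Beacon Response tells.

    rate     beacons per second over the capture window (a Dogma flood)
    ssids    distinct SSIDs carried under one transmitter address (an SSID pool)
    unicast  beacons addressed to one station instead of broadcast
             (Beacon Response); a legitimate AP broadcasts its beacons
    """
    beacons = [f for f in frames if f["type"] == "beacon"]
    if not beacons:
        return {}
    window = max(f["ts"] for f in beacons) - min(f["ts"] for f in beacons)
    window = max(window, 1.0)   # guard against a sub-second capture
    count = Counter(f["ta"] for f in beacons)
    ssids = defaultdict(set)
    unicast = Counter()
    for f in beacons:
        ssids[f["ta"]].add(f.get("ssid", ""))
        if f["da"].lower() != BROADCAST:
            unicast[f["ta"]] += 1
    report = {}
    for ta, n in count.items():
        rate = n / window
        flags = []
        if rate > max_rate:
            flags.append("beacon_flood")
        if len(ssids[ta]) > max_ssids:
            flags.append("many_ssids")
        if unicast[ta]:
            flags.append("unicast_beacons")
        report[ta] = {"rate": round(rate, 1), "ssids": len(ssids[ta]),
                      "unicast": unicast[ta], "flags": flags}
    return report


def sample_capture():
    """Constructed 2-second capture: one ordinary AP and one rogue transmitter."""
    good_ap, rogue, client = "00:11:22:33:44:55", "de:ad:be:ef:00:01", "aa:bb:cc:dd:ee:01"
    frames = []
    # Ordinary AP: 10 beacons/s for a single SSID.
    for i in range(20):
        frames.append({"ts": i * 0.1, "type": "beacon", "ta": good_ap,
                       "da": BROADCAST, "ssid": "CoffeeShop"})
    # Rogue: an 8-name SSID pool beaconed at 400/s.
    pool = [f"Net{i}" for i in range(8)]
    for i in range(800):
        frames.append({"ts": i * 0.0025, "type": "beacon", "ta": rogue,
                       "da": BROADCAST, "ssid": pool[i % len(pool)]})
    # The client probes for its remembered networks. The ordinary AP answers
    # only for its own SSID; the rogue answers every one and follows up with
    # beacons addressed to that client alone.
    frames.append({"ts": 1.0, "type": "probe_req", "ta": client, "da": BROADCAST, "ssid": "CoffeeShop"})
    frames.append({"ts": 1.01, "type": "probe_resp", "ta": good_ap, "da": client, "ssid": "CoffeeShop"})
    for name in ["HomeWiFi", "ACME Corporate LAN", "Airport_Free", "Hotel_Guest", "CafeNet"]:
        frames.append({"ts": 1.0, "type": "probe_req", "ta": client, "da": BROADCAST, "ssid": name})
        frames.append({"ts": 1.01, "type": "probe_resp", "ta": rogue, "da": client, "ssid": name})
        frames.append({"ts": 1.02, "type": "beacon", "ta": rogue, "da": client, "ssid": name})
    return frames


if __name__ == "__main__":
    capture = sample_capture()
    print("karma-style responders:", karma_responders(capture))
    for ta, stats in beacon_anomalies(capture).items():
        print(ta, stats)
```

On the constructed capture the ordinary AP comes out with no flags, while the rogue transmitter trips all three: a beacon rate around 400/s, thirteen distinct SSIDs under one address, and five beacons addressed to a single station. The thresholds are deliberately loose; in a real deployment they would be tuned against a baseline of the site's own access points, and the many-SSID check needs an exception for legitimate multi-SSID controllers.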
Auto Harvester is like War Driving with the pedal to the metal in reverse.
Instead of gathering SSID names from the Beacon frames advertised by Access Points, Auto Harvester collects them from the Probe Requests leaking from the potential clients. These SSID names are often telling of our clients – who they work for, what vendors they meet with, even where they like to get coffee. The network names collected by Auto Harvester get added to the PineAP SSID Pool for use by Dogma. This silent module transmits nothing and can be used alone to perform passive reconnaissance on an area. Running Auto Harvester in a crowded area provides a shocking look at how much data is freely flowing from modern devices – ready to be exploited by the PineAP suite.
For example, if a potential client device transmits a probe request for an Access Point with the SSID “ACME Corporate LAN”, the Auto Harvester module will save “ACME Corporate LAN” to the SSID Pool for later use. If Dogma is currently running, it will transmit beacons for that SSID either to the specified target or, by default, to the broadcast address, meaning all devices in the vicinity. Suddenly a single frame leaked from one individual causes the WiFi Pineapple to assume that network’s identity for all others in the area.
Unlike traditional War Driving, whereby the auditor passively listens for beacons being advertised by Access Points to paint a picture of the surrounding WiFi landscape, the WiFi Pineapple’s Recon Mode goes one giant step further.
By monitoring channels for both beacons and data activity, Recon Mode paints a more complete picture by combining Access Points with their respective clients. This is huge. With the WiFi landscape displayed in this manner, a tester can quickly identify potential targets from Recon Mode and immediately take action with PineAP. Recon Mode directly interfaces with the rest of the PineAP suite, enabling targeted attacks at both the client and access point level through contextual actions, with just a click.
If PineAP is the ammunition, Recon Mode is the battlefield.
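The Auto Harvester scenario above, where one leaked probe request ends with a corporate SSID being advertised by hardware the company does not own, and the AP-to-client view Recon Mode builds by watching data frames, can both be turned around for the defender. The following is an added example, not WiFi Pineapple code: it checks every advertised SSID against an assumed inventory of authorised BSSIDs and, for any impersonator, lists the stations already exchanging data with it so the scope of the incident is known. The inventory, the record layout (`bssid`, `ta`, `ra`, `ssid`, `to_ds`, `from_ds`) and the sample capture are constructed for this example.

```python
"""Inventory-based check for a corporate SSID being impersonated, plus a view
of which stations are already exchanging data with the impersonating AP.

Added example, not WiFi Pineapple code. It works on decoded frame records with
the 802.11 fields this check needs: 'bssid', 'ta' (transmitter), 'ra'
(receiver), 'ssid', and the 'to_ds'/'from_ds' flags of data frames. The
inventory, record layout and sample capture below are constructed.
"""
from collections import defaultdict

# Assumed inventory: the BSSIDs allowed to advertise each protected SSID.
AUTHORIZED = {
    "ACME Corporate LAN": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
}


def impersonating_bssids(frames, authorized=AUTHORIZED):
    """BSSIDs advertising a protected SSID without being in the inventory.

    Beacons (Dogma) and probe responses (MK5 Karma) both carry the SSID, so
    both are checked. Returns {ssid: {bssid: advertisement_count}}.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for f in frames:
        if f["type"] not in ("beacon", "probe_resp"):
            continue
        ssid = f.get("ssid")
        if ssid in authorized and f["bssid"] not in authorized[ssid]:
            hits[ssid][f["bssid"]] += 1
    return {s: dict(b) for s, b in hits.items()}


def stations_per_bssid(frames):
    """Map each BSSID to the stations exchanging data frames with it.

    In infrastructure mode a data frame's BSSID field names the AP; the
    station is the transmitter on to-DS frames and the receiver on from-DS
    frames. This is the AP-to-client view the article credits Recon Mode with.
    """
    clients = defaultdict(set)
    for f in frames:
        if f["type"] != "data":
            continue
        if f.get("to_ds"):
            clients[f["bssid"]].add(f["ta"])
        elif f.get("from_ds"):
            clients[f["bssid"]].add(f["ra"])
    return {b: sorted(s) for b, s in clients.items()}


def rogue_report(frames, authorized=AUTHORIZED):
    """For each impersonating BSSID: the SSID it claims, how often it has
    advertised it, and which stations have already started talking to it."""
    assoc = stations_per_bssid(frames)
    report = {}
    for ssid, bssids in impersonating_bssids(frames, authorized).items():
        for bssid, n in bssids.items():
            report[bssid] = {"ssid": ssid, "advertisements": n,
                             "stations": assoc.get(bssid, [])}
    return report


def sample_capture():
    """Constructed capture: the real corporate AP, an impersonator, two stations."""
    real_ap, rogue = "00:11:22:aa:bb:01", "de:ad:be:ef:00:02"
    sta1, sta2 = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"
    bc = "ff:ff:ff:ff:ff:ff"
    return [
        # The real AP beacons the corporate SSID and serves sta1.
        {"type": "beacon", "bssid": real_ap, "ta": real_ap, "ra": bc, "ssid": "ACME Corporate LAN"},
        {"type": "data", "bssid": real_ap, "ta": sta1, "ra": real_ap, "to_ds": True, "from_ds": False},
        {"type": "data", "bssid": real_ap, "ta": real_ap, "ra": sta1, "to_ds": False, "from_ds": True},
        # The rogue beacons the corporate name (twice), answers sta2's probe for
        # it, and also beacons a name the inventory does not cover.
        {"type": "beacon", "bssid": rogue, "ta": rogue, "ra": bc, "ssid": "ACME Corporate LAN"},
        {"type": "beacon", "bssid": rogue, "ta": rogue, "ra": bc, "ssid": "ACME Corporate LAN"},
        {"type": "beacon", "bssid": rogue, "ta": rogue, "ra": bc, "ssid": "Hotel_Guest"},
        {"type": "probe_req", "bssid": bc, "ta": sta2, "ra": bc, "ssid": "ACME Corporate LAN"},
        {"type": "probe_resp", "bssid": rogue, "ta": rogue, "ra": sta2, "ssid": "ACME Corporate LAN"},
        # sta2 has associated with the rogue and is passing data through it.
        {"type": "data", "bssid": rogue, "ta": sta2, "ra": rogue, "to_ds": True, "from_ds": False},
        {"type": "data", "bssid": rogue, "ta": rogue, "ra": sta2, "to_ds": False, "from_ds": True},
    ]


if __name__ == "__main__":
    for bssid, info in rogue_report(sample_capture()).items():
        print(bssid, info)
```

The inventory check is deliberately the only rule here: it catches the SSID-pool case regardless of beacon rate or source-address spoofing, because the one thing a Dogma-style honeypot cannot avoid is advertising a name it does not own. The unprotected “Hotel_Guest” beacon is ignored on purpose, since the inventory says nothing about it; extending coverage is a matter of adding SSIDs to `AUTHORIZED`.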
From the “Pinejector” back-end to the Recon Mode front-end, the modular nature of the PineAP suite is at the core of the WiFi Pineapple’s success. MK5 Karma, Dogma, Beacon Response, Auto Harvester, and Recon Mode are only the beginning. It’s been a big year for WiFi Pineapple development, and we’re proud of the powerful Man-In-The-Middle platform we’ve pioneered. PineAP makes the most of the unique WiFi Pineapple Mark V hardware, and we’re eager to show you how far it can go.