> For the complete documentation index, see [llms.txt](https://documentation.hak5.org/wifi-pineapple-pager/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://documentation.hak5.org/wifi-pineapple-pager/introduction.md).

# Introduction

### A collection of features  <a href="#a-collection-of-features" id="a-collection-of-features"></a>

The WiFi Pineapple experience is a suite of related tools and functionality working together to create the Wi-Fi recon and mimicry system.

### Recon mode  <a href="#recon-mode" id="recon-mode"></a>

Recon (reconnaissance) mode surveys the wireless environment and builds a view of access points and devices.

The recon system is the core of the WiFi Pineapple experience when collecting data, finding misconfigured devices, and tracking wireless device and access point behavior.

{% hint style="info" %}
Recon mode relies on *channel hopping* to cover the different Wi-Fi channels. By spending a small amount of time on each channel, it can build a view of the networks on all channels.\
\
Because channel hopping can only spend a short time on each channel, client detection may take longer - a client must be active at the same time as the Pineapple is looking at that channel, so not all clients will be detected immediately.\
\
Channel hopping is optimized to pause if a handshake packet is seen, increasing the chances of successfully capturing a full handshake.
{% endhint %}

**Access point detection**&#x20;

Access points - even “hidden” access points - continually advertise their presence. By rapidly changing channels, the WiFi Pineapple collects these advertisements, which include the network name, channel, encryption settings, and more.

**Hidden access point decloaking**&#x20;

Hidden access points were never designed as part of the 802.11/Wi-Fi standards - they have always been a hack, and discoverable. By monitoring client behavior, the Pineapple is able to discover the name of a hidden network whenever a client joins.

**Client detection**&#x20;

The WiFi Pineapple detects active clients, even on encrypted networks. While encryption protects the content of the client connection, it does not obscure the client MAC address of the client or the destination. Using the MAC addresses of the clients and access points, the Recon system is able to map out what APs a client connects to.

When a client is looking for networks to connect to, it transmits *probe* packets, often including the list of networks the client has previously joined (the “preferred network list”). The Recon system collects these, making it easier to determine where a client has previously been active and what networks it may be willing to connect to.

**Handshake collection**&#x20;

WPA-PSK and WPA2-PSK networks can be vulnerable to an *offline attack* against connection handshakes. In an offline attack, the attacker does not need to be connected to the network; instead, captured handshake data can be used to brute force credentials. WPA3 was designed to fix this weakness, so handshakes from WPA3 networks are not vulnerable in the same way.

Whenever a client connects to a Wi-Fi WPA-PSK or WPA2-PSK network, it performs a multi-stage handshake where a unique per-client encryption value is exchanged. Handshakes are also generated every time a client refreshes the encryption key - typically every 5 minutes.

The WiFi Pineapple looks for handshake packets and, in collection mode, automatically attempts to capture the related packets, saving them in the `/root/loot/handshakes/` directory.

Handshake collection works with the channel hopping system: when a handshake packet is seen, the channel hopping system automatically delays the next channel change, maximizing the chances of capturing a complete handshake exchange.

A collected handshake can be used for with tools such as [hashcat](https://hashcat.net/). These tools run on a desktop or laptop, and often require GPU acceleration. Typically these tools would not be run on the WiFi Pineapple directly, as they require significant processing power and resources.

### Open AP mimicry mode  <a href="#open-ap-mimicry-mode" id="open-ap-mimicry-mode"></a>

The Pineapple Open access point is one of the strongest tools during a pentest engagement. The Pineapple Open access point allows a single WiFi Pineapple to act as many access points with different names, capturing clients when they probe for target networks in the clients preferred network list.

Pineapple Open access points use a [filter mechanic](/wifi-pineapple-pager/pineapple-open-ap.md#pineapple-filters) to ensure your engagement is scoped properly; filters can be configured to allow or block any combination of network names and client addresses.

{% hint style="info" %}
Scoping your engagement is always important! It ensures that you are only targeting devices you expect to target!
{% endhint %}

### WPA Evil Twin mode  <a href="#wpa-evil-twin-mode" id="wpa-evil-twin-mode"></a>

Clone an existing access point, create a generic WPA access point, or attempt to capture partial handshakes for PMKID attacks with WPA Evil Twin mode.

Learn more [about Evil Twin mode here](/wifi-pineapple-pager/pineapple-evil-wpa.md)!

### SSID pool advertising  <a href="#ssid-pool-a-dvertising" id="ssid-pool-a-dvertising"></a>

To help entice clients into connecting to the Pineapple Open AP, in addition to allowing connections to multiple SSIDs, the Pineapple can advertise specific SSIDs from the SSID Advertisement Pool.

Coupled with recon mode, the Pineapple can automatically add probed SSIDs to the pool!

### Client disconnection and deauthentication  <a href="#client-disconnection-and-deauthentication" id="client-disconnection-and-deauthentication"></a>

To aid in capturing clients and handshakes during a pentest, the WiFi Pineapple Pager can attempt to disconnect clients connected to an existing access point, subject to regulatory limitations (DFS and 6GHz) and modern client protection (WPA3 and 802.11w PMF).

{% hint style="warning" %}
Due to strong regulatory restrictions on DFS and 6GHz Wi-Fi channels, injection is not possible against networks on these channels.\
\
Additionally, all networks on 6GHz require WPA3 protections (even ‘open’ networks on 6GHz require WPA3-OWE); WPA3 includes Protected Management Frames or PMF, which prevents injected disconnection packets.
{% endhint %}

<br>


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://documentation.hak5.org/wifi-pineapple-pager/introduction.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.