Wi-Fi Pineapple · Volume 21
Hak5 WiFi Pineapple Volume 21 — Cheatsheet
Laminate-ready synthesis — the models, the PineAP suite, the radio roles, the legal line, the playbooks, the checklists
1. About this volume
Vol 21 is the cheatsheet — the whole 21-volume series compressed into laminate-ready reference material. Nothing new here; it is pure synthesis. Every entry points back to the volume that carries the full treatment. This is the page you keep open while you work.
2. The four models — quick reference
(Vols 9-15, comparison Vol 16)
| | Mark VII | + AC Tactical | Pager | Enterprise |
|---|---|---|---|---|
| One-line | the baseline puck | baseline + 5 GHz + field kit | the pocket walk-around unit | the rack-mount scale platform |
| SoC | 1-core MIPS | 1-core MIPS | pocket SoC | 4× ARM Cortex-A7 717 MHz |
| RAM/storage | 256 MB / 2 GB | 256 MB / 2 GB | 256 MB / 4 GB | 1 GB / 4 GB |
| Radios | 3 role-based, 2.4 GHz | 3 + MK7AC (5 GHz) | dual array, 2.4/5/6 GHz + BT | 5 dual-band MIMO |
| Power | USB-C | USB-C | 2000 mAh, ~4 h | AC mains |
| Display | none (web UI) | none (web UI) | ~2.4” color + buttons | none (web UI) |
| Form | small puck | puck + kit, in a case | pocket handheld | rack-mount metal |
| Scale | small | small | small | ~100 DHCP clients |
| Best for | learning / standard pentest | the recommended FIRST buy | walk-around / BT / 6 GHz | agency / large / permanent |
| Deep dive | Vols 9-10 | Vol 11 | Vols 12-13 | Vols 14-15 |
First buy: Mark VII + AC Tactical (Vol 16 §6). Acquisition order: Mark VII+AC → Pager → Enterprise (Vol 16 §7). The line is a matrix, not a ladder — pick by deployment shape, not “best.”
3. The PineAP suite — quick reference
(Vol 3)
PASSIVE (generally lawful as recon — Vol 4)
────────────────────────────────────────────
Recon ................. the interactive airspace view
Log Probes ............ record the probe requests clients broadcast
Log Associations ...... record who associates to what
ACTIVE (** authorization required ** — Vol 4, Vol 8)
────────────────────────────────────────────
Allow Associations .... KARMA — answer "yes" to probed SSIDs
PineAP Daemon ......... the engine: Beacon Response + the Broadcast SSID Pool
Beacon Response ....... actively beacon the pooled SSIDs
Capture SSIDs to Pool . harvest probed SSIDs into the pool
Deauthentication ...... force a client off its AP
Evil Twin ............. impersonate a specific real AP
TARGETING (scope discipline — Vol 3 §8, Vol 8 §3)
────────────────────────────────────────────
Source / Target MAC ... scope PineAP to the authorized target(s) — NOT the whole airspace
The gate: every ACTIVE item crosses the Vol 4 legal line — authorization artifact first, MAC targeting scopes it. When in doubt, don’t TX.
4. Radio roles — quick reference
(Vol 7 §3)
The role-based radio model — each radio gets a JOB:
MANAGEMENT ... your connection to the device / web UI
PineAP ....... being the rogue AP
MONITOR ...... recon, capture, deauth/injection
Role separation is WHY a Pineapple attacks AND observes at the same time — what a single-radio device cannot do.
Per-model radio counts:
Mark VII ......... 3 radios (2.4 GHz) — 1 of each role
Mark VII + MK7AC . 4 radios — adds a 5 GHz monitor/inject
Pager ............ dual array, 2.4/5/6 GHz + BT/BTLE
Enterprise ....... 5 radios — MULTIPLE PineAP + MULTIPLE monitor instances, concurrently
5. The legal line — quick reference
| LAWFUL (generally) | AUTHORIZATION REQUIRED |
|---|---|
| passive recon — listening, Log Probes, Log Associations | active TX — KARMA, beacon response, deauth, evil twin, the PineAP daemon. ANYTHING that TRANSMITS. |
| observing YOUR OWN airspace (blue team — Vol 17 §5) | unauthorized active TX = a crime (computer-access law) AND can be unlawful RF interference (Vol 4 §9, Vol 20 §5). Both, from one act. |
| owned hardware | |
THE LINE: owned hardware OR explicit written authorization.
No third lawful category. "When in doubt, don't TX."
The authorization artifact (Vol 8 §2) — carry it on you.
6. Setup playbooks — quick reference
(Vol 17)
| Playbook | Model | Radios | PineAP | Posture |
|---|---|---|---|---|
| Wardriving (Vol 17 §2) | Pager / Mark VII+AC | all monitor | logging only, daemon OFF | passive — lawful as recon |
| Pentest (Vol 17 §3) | Mark VII + AC | mgmt + PineAP + monitor | full engine, MAC-scoped | auth artifact = step zero |
| Red-team (Vol 17 §4) | Pager / planted Mark VII | minimal footprint | tightly scoped | covert ≠ unauthorized; detection-aware |
| Blue-team (Vol 17 §5) | Enterprise / Mark VII | all monitor | OFF / logging only | passive — lawful w/o per-target auth |
| Lab / learning (Vol 17 §6) | any (Mark VII+AC) | experiment freely | full engine | fully-owned lab = safe-harbour |
7. Checklists
PRE-ENGAGEMENT (Vol 8 §7, Vol 20 §2)
────────────────────────────────────────────
□ authorization artifact — written, specific, ON your person
□ scope memorised — systems, networks, actions
□ Management UI Firewall ON (Vol 6 §8)
□ firmware current (Vol 10 §3); radios role-assigned
□ modules vetted (Vol 18 §8) — current, maintained, source-visible, or not installed
□ Cloud C2: enrolled ONLY if remote op is needed (Vol 19 §5)
□ discovery-and-response plan prepared (§ below)
□ tested in the owned lab first (Vol 17 §6)
DISCOVERY-AND-RESPONSE (Vol 20 §7)
────────────────────────────────────────────
1. STOP active operations
2. PRODUCE the authorization artifact
3. CONTACT the named points of contact
4. DE-ESCALATE — don't destroy / flee / lie; rely on the artifact
5. DOCUMENT contemporaneously
ENGAGEMENT CLOSEOUT (Vol 8 §9, Vol 20 §8)
────────────────────────────────────────────
□ stop PineAP — active window closed
□ retrieve every device (planted + carried)
□ restore any changed host/network state — leave clean
□ secure-wipe captures per the data agreement
□ tear down added attack surface (C2, mgmt access, modules)
□ write the report — incl. WHICH CONTROL stops each technique
□ lessons learned captured
MODULE VETTING (Vol 18 §8)
────────────────────────────────────────────
□ current? maintained? source-visible? known author?
□ what does it touch? do I actually NEED it?
□ a community module = an untrusted ROOT process — treat it so
8. Command and UI quick reference
WEB UI AREAS (Vol 6 §3) — names vary by firmware version
────────────────────────────────────────────
Dashboard ........ device state at a glance
Recon ............ the interactive airspace view (Vol 3 §4)
PineAP ........... the attack engine control panel (Vol 3 §6-8)
Clients .......... seen/connected clients + targeting hooks
Campaigns ........ scripted audits → reports (Vol 5 §4)
Modules .......... browse/install/manage modules (Vol 6 §4)
Settings/System .. networking, Mgmt UI Firewall, firmware, Cloud C2 enrollment, radio role assignment
Logging .......... probe/association logs, capture artifacts
THE OPENWRT LAYER (Vol 5 §8) — power-user, via SSH
────────────────────────────────────────────
SSH in ........... reach the modified-OpenWrt underneath
opkg ............. install OpenWrt packages the UI doesn't expose (unsanctioned but real — yours to keep clean across updates)
THE OFF-DEVICE PIPELINE (Vol 19)
────────────────────────────────────────────
capture on Pineapple → EXPORT off-device →
Wireshark / tshark .. PCAP analysis
hashcat mode 22000 .. handshake cracking, on a GPU host
aircrack-ng suite ... shared 802.11 mechanics
Kismet .............. recon cross-check
The Pineapple CAPTURES. The host ANALYSES + CRACKS. (Vol 7 §7)
FIRMWARE (Vol 10 §3)
────────────────────────────────────────────
"best firmware" = current stable Hak5 release. No alt firmware ecosystem.
Mark VII images: downloads.hak5.org/pineapple/mk7
9. Volume index
| Vol | Title | Vol | Title |
|---|---|---|---|
| 1 | Overview, the four models, decision tree | 12 | Pager — hardware & electronics |
| 2 | History & lineage (Fonera → Mark VII → Pager/Enterprise) | 13 | Pager — firmware, operation, mods, use cases |
| 3 | The PineAP technique catalog | 14 | Enterprise — hardware & electronics |
| 4 | Where it fits — hat-colors & the legal line | 15 | Enterprise — firmware, multi-radio, scale, mods |
| 5 | The firmware foundation (OpenWrt, Campaigns, C2) | 16 | Model comparison & which to get first |
| 6 | The web UI & module ecosystem | 17 | Setup playbooks by use case |
| 7 | Generic hardware architecture | 18 | Mods — Hak5 & community |
| 8 | Legal, ethics & OPSEC foundation | 19 | Tooling, integrations & Cloud C2 fleet ops |
| 9 | Mark VII — hardware & electronics | 20 | Operational posture in the field |
| 10 | Mark VII — firmware, operation, mods, use cases | 21 | Cheatsheet (this volume) |
| 11 | Mark VII + AC — the tactical kit and 5 GHz | | |
Sibling reference: the Ducky Script deep dive — (the physical-access counterpart; combined workflows in its Vol 14, this series’ Vol 19 §7). Hub: ../_shared/comparison.md · ../_shared/legal_ethics.md · ../_shared/capability_matrix.html.
This is Volume 21 of a 21-volume series — the final volume. The deep dive is complete: Phase 1 / Foundation (Vols 1-8) is what a Pineapple is and does; Phase 2 / Per-model (Vols 9-15) is the four current models in hardware and operation; Phase 3 / Synthesis (Vols 16-21) is the comparison, the playbooks, the mods, the tooling, the posture, and this cheatsheet. Start anywhere the volume index points you; everyone reads Vols 4, 8, and 20.