Wi-Fi Pineapple · Volume 17
Hak5 WiFi Pineapple Volume 17 — Setup Playbooks by Use Case
Wardriving, penetration testing, red-team, blue-team attack-watching — how to set up each model for each job
1. About this volume
Vol 17 is the operational synthesis — for each major use case (the ones tjscientist named: wardriving, pentesting, attack-watching, plus red-team and lab), a setup playbook: which model, which radio-role assignment, which PineAP config, which modules, which posture controls. Each playbook is bound to Vols 4 + 8 — the authorization gate is step zero of every active playbook, and that is not boilerplate; it is the difference between a professional engagement and a crime (Vol 4 §9).
Templates land in 04-templates/ (wardrive, pentest, attack-watch) — this volume is the narrative; the templates are the fill-in-the-blanks artifacts. Each playbook below uses a common shape: objective → model → radios → PineAP → modules → posture → closeout.
2. Playbook: wardriving / recon mapping
Objective: map the wireless environment — APs, clients, signal, channels, geography. Build a picture, not an intrusion.
Posture: this is the playbook with the lightest authorization friction — wardriving as passive recon sits on the lawful side of the Vol 4 legal-line diagram. The discipline is staying passive: logging only, no TX.
Wardriving setup
════════════════════════════════════════════════════════
MODEL       Pager (walk-around, on-device, battery — Vols 12-13)
            OR Mark VII + AC (vehicle, tethered to a laptop +
            power bank — Vol 11)
RADIOS      ALL MONITOR. No PineAP radio active. The whole
            point is to LISTEN, not transmit.
PineAP      logging only — Log Probes, Log Associations,
            Recon (Vol 3 §4-5). PineAP DAEMON OFF. No beacon
            response, no SSID pool broadcast, no deauth.
MODULES     recon visualisation; GPS integration for the
            mapping (a GPS source tags the recon data with
            location).
POSTURE     this is PASSIVE — generally lawful as recon
            (Vol 4). The discipline: do not let it drift
            active. The moment a PineAP TX feature is on, you
            are off the wardriving playbook and onto §3-4's.
CLOSEOUT    export the recon/mapping data; §7.
Why the Pager shines here: the walk-around form factor (Vol 13 §5) is wardriving-on-foot, and the feedback subsystem (Vol 12 §7) alerts you without a screen-watch. Why the Mark VII + AC for vehicle wardriving: tethered to a laptop in a vehicle, on a power bank, with the MK7AC giving 5 GHz coverage — the classic drive-and-map setup.
3. Playbook: penetration testing (scoped engagement)
Objective: the canonical authorized engagement — test a defined target’s wireless security and produce a reportable result.
Penetration testing setup
════════════════════════════════════════════════════════
STEP ZERO   THE AUTHORIZATION ARTIFACT (Vol 8 §2). In hand.
            Scope confirmed. This is not optional and it is
            not boilerplate — it is what makes everything
            below lawful (Vol 4 §9).
MODEL       Mark VII + AC Tactical (Vol 11) — the baseline,
            field-ready, full 2.4/5 GHz. The default pentest
            Pineapple.
RADIOS      management + PineAP + monitor (Vol 9 §4); the
            MK7AC adds the 5 GHz monitor/inject radio
            (Vol 11 §4).
PineAP      the full engine — Allow Associations, the
            daemon, Beacon Response, the SSID pool — BUT
            SCOPED. Source/Target MAC targeting (Vol 3 §8)
            so PineAP engages ONLY the authorized target
            client(s), not the whole airspace. Scope
            discipline (Vol 8 §3) is built into the config.
WORKFLOW    the Vol 10 §5 operating instructions: recon
            sweep → scoped PineAP test → handshake capture
            → crack OFF-DEVICE (Vol 19 §3) → Campaign run
            for the reportable audit (Vol 5 §4).
MODULES     attack-workflow modules, evil-portal page sets
            (if in scope), reporting/export tooling — all
            vetted (Vol 6 §8, Vol 18 §8).
POSTURE     every active step is inside the authorization
            artifact. Targeting scopes it. The Management
            UI Firewall is on (Vol 6 §8).
CLOSEOUT    the full Vol 8 §9 / Vol 20 §8 closeout: stop
            TX, secure captures, restore state, write the
            report (incl. which controls would have stopped
            each technique — Vol 20 §8). §7 below.
This playbook is where most of the deep dive comes together — Vol 3’s techniques, Vol 8’s posture, Vol 10’s operating instructions, Vol 19’s analysis pipeline. The Campaign run (Vol 5 §4) is what turns it into a deliverable.
4. Playbook: red-team operation
Objective: a covert, objective-driven operation — get to a defined goal, quietly, as an adversary would.
Red-team setup
════════════════════════════════════════════════════════
STEP ZERO   AUTHORIZATION ARTIFACT (Vol 8 §2) — covering
            the COVERT methods and any planted devices.
            Covert ≠ unauthorized. The artifact is the
            difference (Vol 4 §9, Vol 20 §7).
MODEL       Pager (covert carry — Vols 12-13) for an
            operator-carried device; OR a planted Mark VII
            for a left-behind device.
RADIOS      scoped to the objective — minimal footprint.
            A red-team op runs the LEAST it needs to, not
            the most it can.
PineAP      tightly scoped — Source/Target MAC targeting
            (Vol 3 §8) at its strictest. Engage the
            objective's target(s), nothing else.
C2          Cloud C2 (Vol 5 §5, Vol 19 §5) for remote
            operation of a planted device — with the
            attack-surface caveat (a planted, C2-reachable
            Pineapple is a standing remote-access surface;
            Vol 20 §6).
POSTURE     DETECTION MANAGEMENT is the red-team-specific
            discipline. The Pineapple is LOUD (Vol 8 §6,
            Vol 20 §3) — a red team has to ACCOUNT for
            being detectable: minimal TX, minimal time,
            tight RF discipline, and a plan for when
            (not if) the activity is noticed.
CLOSEOUT    retrieve every planted device; restore state;
            the discovery-and-response plan was ready
            before you started (Vol 20 §7).
The red-team-specific point: covertness is a posture, not a permission. A red-team op is still authorized work (the artifact covers the covert methods); it is just quiet authorized work. And the Pineapple’s loudness (Vol 20 §3) means red-team Pineapple work is always a race against detection — plan for it.
5. Playbook: blue-team attack-watching
Objective: the defensive use case — watch the airspace for other people’s attacks. Detect rogue APs, deauth floods, KARMA responders, other Pineapples (Vol 4 §6).
Blue-team attack-watching setup
════════════════════════════════════════════════════════
MODEL       Enterprise (Vols 14-15) for a permanent,
            wide-coverage monitoring install; OR a
            Mark VII for a desk-based / smaller-area watch.
RADIOS      ALL MONITOR. Every radio listening. On the
            Enterprise, that is up to five radios covering
            both bands, multiple channels, concurrently
            (Vol 15 §4) — wide airspace coverage.
PineAP      OFF — or logging only. This is a PASSIVE
            posture. You are WATCHING, not transmitting.
WHAT YOU    detecting OTHER attackers' signatures:
WATCH FOR   • rogue APs / evil twins in your airspace
            • deauth floods (someone running Vol 3 §9
              against your network)
            • KARMA responders (another Pineapple
              answering your clients' probes — Vol 4 §6)
            • the Pineapple's own detection signatures
              (Vol 8 §6, Vol 20 §3) — turned around to
              RECOGNISE them in your airspace
POSTURE     here is the key posture fact: a PASSIVE,
            ALL-MONITOR, no-TX blue-team watch sits on the
            LAWFUL side of the Vol 4 line — it is
            observation of YOUR OWN airspace. It does NOT
            need per-target authorization the way an active
            engagement does. That makes the blue-team
            playbook the one you can run with the least
            legal friction (alongside §2's wardriving).
CLOSEOUT    the "captures" here are detection logs /
            alerts; §7 for handling.
Why the Enterprise for the permanent install: mains power + sustained operation + five radios = the device that sits in a rack and watches the airspace continuously and widely (Vol 15 §5, §8). Why the Mark VII for a desk watch: a Mark VII in monitor mode at a desk is a perfectly good smaller-area passive detector. The blue-team playbook is the defensive mirror of everything else in this volume — and the deep dive covers it because understanding the attack is how you detect it (Vol 8 §6).
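The watch-for signatures in the setup block above (rogue AP / evil twin, deauth flood, KARMA responder) can be expressed as detection logic over already-parsed management-frame records. This is an added example, not part of the original volume or of any Hak5 tooling; the record layout, thresholds, allowlist and sample frames are constructed assumptions.

```python
from collections import defaultdict

# Assumed tuning values and allowlist (not from the playbook); adjust per site.
WINDOW = 5.0            # seconds of history kept per deauth source
DEAUTH_LIMIT = 10       # deauth frames from one source inside WINDOW
KARMA_SSID_LIMIT = 3    # distinct SSIDs answered by a single BSSID
KNOWN_APS = {"CorpWiFi": {"aa:bb:cc:00:00:01"}}  # SSID -> authorized BSSIDs

def detect(frames):
    """frames: dicts with ts, type (beacon/probe_resp/deauth), src, ssid."""
    alerts = set()
    deauth_times = defaultdict(list)   # src -> timestamps inside WINDOW
    answered = defaultdict(set)        # src -> SSIDs it sent probe responses for
    for f in sorted(frames, key=lambda fr: fr["ts"]):
        kind, src, ssid = f["type"], f["src"], f["ssid"]
        if kind == "deauth":
            times = deauth_times[src]
            times.append(f["ts"])
            while times[0] < f["ts"] - WINDOW:   # slide the window forward
                times.pop(0)
            if len(times) >= DEAUTH_LIMIT:
                # src is often spoofed as the real AP, so treat it as "claimed"
                alerts.add(("deauth_flood", src))
        elif kind in ("beacon", "probe_resp"):
            # A known SSID advertised from a BSSID outside the allowlist
            if ssid in KNOWN_APS and src not in KNOWN_APS[ssid]:
                alerts.add(("evil_twin", src))
            if kind == "probe_resp":
                # One BSSID answering probes for many unrelated SSIDs
                answered[src].add(ssid)
                if len(answered[src]) >= KARMA_SSID_LIMIT:
                    alerts.add(("karma_responder", src))
    return alerts

def frame(ts, kind, src, ssid=None):
    return {"ts": ts, "type": kind, "src": src, "ssid": ssid}

# Constructed sample traffic (not a real capture).
SAMPLE = (
    [frame(0.0, "beacon", "aa:bb:cc:00:00:01", "CorpWiFi"),
     frame(1.0, "beacon", "02:00:00:00:00:99", "CorpWiFi")]
    + [frame(2.0 + i * 0.1, "deauth", "aa:bb:cc:00:00:01") for i in range(12)]
    + [frame(4.0 + i, "probe_resp", "02:00:00:00:00:13", s)
       for i, s in enumerate(["HomeNet", "CafeGuest", "Airport-Free"])]
)

if __name__ == "__main__":
    for alert in sorted(detect(SAMPLE)):
        print(alert)
```

The resulting alerts are the detection logs the CLOSEOUT line refers to, so they fall under the same §7 handling as any other capture.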
6. Playbook: lab / learning
Objective: build PineAP fluency — safely, on owned hardware, before any real engagement.
Lab / learning setup
════════════════════════════════════════════════════════
MODEL        any — but the Mark VII + AC Tactical (the
             baseline — Vol 16 §6) is the one to learn ON,
             because skills transfer from the baseline.
ENVIRONMENT  a FULLY-OWNED lab: your own APs, your own
             client devices. Everything you point the
             Pineapple at, you own.
RADIOS       experiment freely — assign and reassign roles
             (Vol 9 §4), see what each does.
PineAP       run the FULL engine — KARMA, the daemon, beacon
             response, the SSID pool, deauth, capture. In a
             fully-owned lab you can run ALL of Vol 3's
             catalog and watch it work.
POSTURE      THE LAB IS THE SAFE-HARBOUR. Because every AP
             and every client is YOURS, every technique in
             Vol 3 is lawful here (Vol 4 — owned hardware).
             The lab is where you make every mistake, learn
             every feature, and break every assumption —
             BEFORE an engagement where the legal line is
             real.
GOAL         fluency. By the time you run §3's pentest
             playbook for real, every PineAP control should
             be familiar from the lab.
This is the playbook every operator should run first — before §§2-5. The lab is where the platform is learned without consequence, because owned-hardware-pointed-at-owned-hardware is the one configuration where the entire technique catalog is unambiguously lawful (Vol 4). Build the lab; break things in it; then take the platform out.
7. Cross-playbook: capture handling and reporting
Common to every playbook above — the discipline for what you collect:
Capture handling — every playbook
════════════════════════════════════════════════════════
□ CAPTURE-DATA DISCIPLINE (Vol 8 §4) — captured data is
  sensitive. Handshakes, probe logs, association logs,
  PCAPs all contain real information about real people
  and networks. Know where it is; protect it.
□ THE OFF-DEVICE PIPELINE (Vol 19) — captures move OFF
  the Pineapple for analysis. The Pineapple captures;
  your laptop and a GPU host analyse and crack. The
  Pineapple is not the analysis platform (Vol 7 §7).
□ CAMPAIGNS REPORTS (Vol 5 §4) — the on-device summary;
  the host-side analysis is the depth.
□ CHAIN OF CUSTODY — for a professional engagement, the
  captures are evidence in a report. Treat them with the
  handling a deliverable deserves.
□ DESTRUCTION — captured data is destroyed per the
  authorization artifact's data-handling terms (Vol 8 §2,
  Vol 20 §8). Engagement over = data handled and gone on
  the agreed schedule.
The reporting half: for the active playbooks (§3-4), the deliverable is a report — and the most valuable thing in it, per Vol 20 §8, is which control would have stopped each technique. A pentest’s value to the client is the defensive insight, not the list of things that worked. Build the report from contemporaneous notes; the Campaign-generated summary is the skeleton, the analysis is the substance.
8. Resources
- 04-templates/ — the wardrive / pentest / attack-watch templates (the fill-in-the-blanks artifacts)
- Vols 9-15 — the per-model operating detail each playbook draws on
- Vol 3 — the technique catalog · Vols 4 + 8 — the legal line and posture every active playbook is bound by
- Vol 16 — model comparison (the “which model” each playbook calls)
- Vol 19 — the tooling and capture-analysis pipeline §7 references
- Vol 20 — operational posture in the field (the deep version of every playbook’s posture section)
- ../_shared/legal_ethics.md — the hub-wide lab-discipline rules
This is Volume 17 of a 21-volume series. Next: Vol 18 — the Mods catalog: Hak5 official add-ons and accessories, the community module landscape, antenna and battery and case mods, the OpenWrt layer, and the vetting discipline.