Hak5 WiFi Pineapple Volume 20 — Operational Posture in the Field
Field OPSEC, detection signatures, per-model posture, regional RF reality, and the discovery-and-response protocol
1. About this volume
Vol 8 laid the foundation of operational posture — the authorization artifact, scope discipline, the device’s attack surface, capture discipline, RF reality, detection, the pre-engagement checklist, discovery+response, closeout. Vol 20 is the field-applied synthesis: posture made concrete per model and per the realities of operating in the field, the detection-signature detail, the regional-RF specifics, and the discovery-and-response protocol as a runnable procedure.
This volume and Vol 8 are the two most posture-critical in the series. Where Vol 8 says what the rules are, Vol 20 says how to run them in the field. Vol 4 (the legal line) and ../_shared/legal_ethics.md (the hub-wide baseline) are the law this volume operationalises — and none of it is optional. The WiFi Pineapple is the most posture-sensitive tool in the Hack Tools lineup; this volume earns that designation.
2. Field OPSEC — the operating discipline
The operator-side discipline, in the field:
Field OPSEC — the operating checklist that runs for the whole engagement
════════════════════════════════════════════════════════════
□ THE AUTHORIZATION ARTIFACT is on your person (Vol 8 §2).
  Not in an email, not "back at the office." On you. It is
  the single item that distinguishes you from a criminal
  doing the identical act (Vol 4 §9).
□ SCOPE is memorised. Which systems, which networks, which
  actions. You do not look it up mid-engagement; you know it.
□ RF DISCIPLINE — the lowest power that works. Every extra
  dB of TX is extra spill outside scope (§5) and extra
  detection signature (§3).
□ THE MANAGEMENT INTERFACE is locked down (Vol 6 §8) — the
  Management UI Firewall on, the management surface not
  exposed. You are in hostile airspace; your own control
  plane is a target (§6).
□ CAPTURE HANDLING is disciplined (Vol 8 §4, Vol 17 §7) —
  you know where the captured data is, it is protected,
  and it will be destroyed per the artifact's terms (§8).
□ THE ACTIVE WINDOW is time-boxed. Active TX (PineAP) runs
  for as long as the objective needs and not one minute
  more. Every minute of TX is exposure (§3).
Field OPSEC is not a separate activity from “operating the Pineapple” — it is operating the Pineapple, professionally. An engagement that achieves its technical objective but violates the discipline above is a failed engagement, because the discipline is what keeps the work lawful and the operator defensible.
3. Detection signatures — the Pineapple is loud
Vol 8 §6 stated it; this section is the detail. A Pineapple running PineAP is detectable — and a professional operator plans around that fact, because it cuts both ways: it is what a competent blue team sees (so a red-team operator must account for it — Vol 17 §4), and it is what you look for when you are the blue team (Vol 4 §6, Vol 17 §5).
The Pineapple's detection signatures, by axis
════════════════════════════════════════════════════════
RF / 802.11 axis:
  • beacon-response patterns — the PineAP daemon answering
    probes (Vol 3 §6) produces a recognisable pattern
  • KARMA responses — answering probe requests for ANY SSID
    a client asks for is itself anomalous (Vol 3 §6)
  • deauth frames — running deauth (Vol 3 §9) is loud and
    directly detectable
  • the rogue-AP fingerprint — an AP that "is" many SSIDs,
    or one that appeared where no AP should be
  • MAC patterns — the device's MAC behaviour
GEOGRAPHIC axis:
  • an AP/signal where none should be — a new strong
    source in a known environment
NETWORK axis:
  • a client's traffic suddenly routing through an
    unexpected hop
  • DHCP/DNS coming from the wrong place
PHYSICAL axis:
  • the device itself — a puck, a planted unit, an
    operator with a Pager — found by a physical sweep
Why this matters for both roles:
- Red team (Vol 17 §4): you will be detectable. The discipline is to be detectable for the minimum time and the minimum signature — time-box the TX, scope it tight, run the least you need. “Undetectable” is not on the menu; “detected late and briefly” is the realistic goal.
- Blue team (Vol 17 §5): this table is your detection guide. Every signature above is something a passive monitoring Pineapple (or any monitor) can be tuned to recognise. Understanding the attack’s signature is how you build the detection (Vol 8 §6).
The honest framing: the Pineapple is a loud tool. It is excellent at what it does and it does not do it quietly. An operator who expects stealth from a Pineapple has misunderstood the device.
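For the blue-team side of this section, here is an added example (not part of the original volume or of any Hak5 tooling) that flags two of the RF-axis signatures from records a passive monitor has already parsed: one BSSID answering probes for many SSIDs, and deauth bursts. The record layout, MAC addresses, SSIDs, and thresholds are constructed assumptions; tune the thresholds against your own baseline.

```python
from collections import defaultdict

# Constructed sample: (timestamp_s, frame_type, source_bssid, ssid) records,
# as a passive monitor might log them after parsing 802.11 management frames.
LEGIT = "02:00:00:00:00:01"    # constructed: ordinary AP, one SSID
SUSPECT = "02:00:00:00:00:02"  # constructed: answers for every SSID probed
FRAMES = (
    [(t, "probe_resp", LEGIT, "CorpWiFi") for t in (1.0, 5.0, 9.0, 30.0)]
    + [(2.0 + i, "probe_resp", SUSPECT, s) for i, s in enumerate(
        ["CorpWiFi", "HomeNet", "CafeGuest", "AirportFree", "Hotel_5G"])]
    + [(40.0 + 0.5 * i, "deauth", SUSPECT, None) for i in range(12)]
    + [(100.0, "deauth", LEGIT, None)]
)

def multi_ssid_responders(frames, window_s=60.0, max_ssids=3):
    """BSSIDs answering probes for more than max_ssids SSIDs inside window_s.
    Assumption: a legitimate AP uses one BSSID per SSID it serves."""
    seen = defaultdict(list)
    for ts, ftype, bssid, ssid in frames:
        if ftype == "probe_resp" and ssid:
            seen[bssid].append((ts, ssid))
    flagged = {}
    for bssid, events in seen.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ssids = {s for t, s in events[i:] if t - start <= window_s}
            if len(ssids) > max_ssids:
                flagged[bssid] = sorted(ssids)
                break
    return flagged

def deauth_bursts(frames, window_s=10.0, max_frames=5):
    """Sources sending more than max_frames deauth frames inside window_s;
    returns the peak count seen in any window."""
    times = defaultdict(list)
    for ts, ftype, src, _ in frames:
        if ftype == "deauth":
            times[src].append(ts)
    flagged = {}
    for src, stamps in times.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window_s:
                lo += 1
            if hi - lo + 1 > max_frames:
                flagged[src] = max(flagged.get(src, 0), hi - lo + 1)
    return flagged

if __name__ == "__main__":
    print(multi_ssid_responders(FRAMES))
    print(deauth_bursts(FRAMES))
```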
4. Per-model posture differences
The form factor changes the physical posture; the RF signature is broadly similar across the line (they all run PineAP). The per-model differences:
| Model | Posture profile |
|---|---|
| Mark VII | tethered — the operator is co-located with the device (it runs from a nearby laptop). Physical posture: the operator’s presence is the exposure. Brief, attended engagements. |
| Mark VII + AC Tactical | the field-kit version of the above — mobile, deployable from a case, but still operator-attended. The kit makes it deployable; it does not make it unattended. |
| Pager | covert carry — pocket form factor, on-body. But it is still RF-loud — covert in the physical sense (you cannot see it) does not mean covert in the RF sense (a monitor still hears its PineAP). The Pager’s posture trap: the form factor tempts you to think it is “stealthy,” and it is not, on the RF axis. |
| Enterprise | a permanent, fixed, findable signature. It is installed and it stays (Vol 14 §6, Vol 15 §2). Its posture is continuous — a standing RF signature and a standing physical presence and a standing attack surface (§6), indefinitely. The permanent-install posture is the most demanding in the line. |
The per-model posture insight
════════════════════════════════════════════════════════
FORM FACTOR changes:          how you are PHYSICALLY exposed
                              (co-located? carried? installed?)
FORM FACTOR does NOT change:  the RF signature (§3) — they
                              all run PineAP, they are all
                              RF-loud
The trap: the Pager FEELS stealthy (you can't see it) so
an operator under-rates its RF signature. The Enterprise
FEELS like infrastructure (it's just in a rack) so an
operator under-rates that it is a STANDING, CONTINUOUS
exposure on every axis (§6). Match the posture to the
REAL exposure, not the FELT one.
5. Regional RF reality
Per ../_shared/legal_ethics.md and Vol 8 §5, made concrete:
- Channel and power regulations vary by region. Which channels are legal, at what power, differs by jurisdiction. A Pineapple operated on a channel or at a power level that is legal in one region may not be in another. Know the rules of where you are operating.
- Active TX can constitute unlawful interference. Beacon transmission, deauthentication (Vol 3 §9), and rogue-AP operation are transmissions — and unauthorized or non-compliant RF transmission can be unlawful interference under the FCC (US) and its equivalents worldwide (Vol 4 §9). This is a separate legal exposure from the unauthorized-access exposure — the same act can violate both computer-access law and radio law.
- 6 GHz has its own regional rules. The Pager’s 6 GHz capability (Vol 12 §4) operates in a band whose regulations are newer and vary by region — newer band, less-settled rules, more care required.
- Transmissions do not respect property lines (Vol 8 §5). The single most important RF-reality fact. An authorization artifact may scope you to a building, but RF does not stop at the building’s wall. A high-power or high-gain (Vol 18 §4) configuration spills outside the authorized scope — and a transmission that lands on a neighbouring, un-authorized network is an act against that network. Lowest-power-that-works (§2) is not just OPSEC; it is scope enforcement against the physics of RF.
The RF-spill problem
════════════════════════════════════════════════════════
authorization artifact says:  "this building"
RF physics says:              "this building, plus
                              however far the signal
                              carries — through walls,
                              into the street, into the
                              neighbour's office"
The gap between those two is UNAUTHORIZED TERRITORY your
transmission may be reaching. You manage that gap with
POWER DISCIPLINE (§2) and ANTENNA CHOICE (Vol 18 §4) —
and you manage it because the gap is a LEGAL exposure,
not just an OPSEC one.
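To put numbers on the gap described above, this added example (not from the original volume) estimates reach with a log-distance path-loss model and picks the lowest candidate TX power that still serves an in-scope target. The path-loss exponent, the -70 dBm "usable" and -90 dBm "receivable" levels, the candidate powers, and the distances are all assumptions for illustration; an on-site survey replaces them in practice.

```python
import math

def _pl_1m(freq_mhz):
    # Free-space path loss at 1 m, in dB (distance in metres, frequency in MHz).
    return 20 * math.log10(freq_mhz) - 27.55

def rx_dbm(tx_dbm, d_m, gain_dbi=0.0, freq_mhz=2437.0, n=3.0):
    """Estimated received level at d_m; n is the assumed path-loss exponent
    (2.0 is free space, about 3 is a common indoor assumption)."""
    return (tx_dbm + gain_dbi - _pl_1m(freq_mhz)
            - 10 * n * math.log10(max(d_m, 1.0)))

def reach_m(tx_dbm, floor_dbm, gain_dbi=0.0, freq_mhz=2437.0, n=3.0):
    """Distance at which the estimated level has dropped to floor_dbm."""
    return 10 ** ((tx_dbm + gain_dbi - _pl_1m(freq_mhz) - floor_dbm) / (10 * n))

def lowest_power_that_works(candidates_dbm, target_m, boundary_m,
                            need_dbm=-70.0, hear_dbm=-90.0, **rf):
    """Lowest candidate TX power delivering need_dbm at the in-scope target,
    plus how far past the scope boundary it is still receivable."""
    for tx in sorted(candidates_dbm):
        if rx_dbm(tx, target_m, **rf) >= need_dbm:
            reach = reach_m(tx, hear_dbm, **rf)
            return {"tx_dbm": tx,
                    "reach_m": round(reach, 1),
                    "spill_m": round(max(0.0, reach - boundary_m), 1)}
    return None  # no candidate reaches the target: reposition, do not add gain blindly

if __name__ == "__main__":
    # Constructed scenario: target 15 m away, scope boundary (outer wall) at 25 m.
    print(lowest_power_that_works([0, 5, 10, 15, 20], target_m=15, boundary_m=25))
    # In free space (n=2), +6 dB roughly doubles the reach:
    print(reach_m(16, -90, n=2.0) / reach_m(10, -90, n=2.0))
```

Even the lowest power that works in this constructed scenario stays receivable well past the boundary, which is why the volume treats the gap as something to manage, not eliminate.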
6. The device’s own attack surface in the field
Vol 6 §8 and Vol 8 §3 established it; Vol 20 applies it to the field. The Pineapple is, itself, an attack surface — and it is operating in the environment it is attacking.
The Pineapple's own attack surface, in hostile airspace
════════════════════════════════════════════════════════
THE MANAGEMENT INTERFACE — a web app on a device whose
  job is intercepting Wi-Fi. If an adversary reaches it,
  they own a wireless interception platform. The
  Management UI Firewall (Vol 6 §8) exists for this. NEVER
  expose the management surface to untrusted networks —
  and during an engagement, EVERY network around you is
  untrusted.
MODULES — a community module runs with device privileges
  (Vol 6 §8, Vol 18 §8). An untrusted module is an
  untrusted root process on your interception device.
  Vet before installing.
CLOUD C2 — a remote path INTO the device (Vol 19 §5-6).
  A C2-enrolled device is a device with a standing remote
  door. A compromised C2 server is a compromised fleet.
THE ENTERPRISE multiplies all of the above by PERMANENCE
  — a permanently-installed, C2-enrolled Enterprise is a
  standing, continuous version of every surface above,
  sitting in a rack indefinitely (Vol 15 §6, §2).
The field-specific point: a Pineapple is not attacking from a safe distance — it is in the hostile airspace, physically present, with a control plane that an adversary in that same airspace could reach. The thing you brought to intercept Wi-Fi can be turned into a thing that intercepts you. Hardening the device (Management UI Firewall, vetted modules only, deliberate C2 enrollment) is not optional polish — it is recognising that your tool is also a target.
7. Discovery-and-response protocol
Vol 8 §8 stated the principle; here it is as a runnable procedure — what to do if the engagement is discovered, challenged, or the device is found:
DISCOVERY-AND-RESPONSE PROTOCOL
════════════════════════════════════════════════════════
1. STOP. Stop active operations immediately. Stop PineAP
   TX. No "just finishing this one thing." No improvising.
2. PRODUCE the authorization artifact (Vol 8 §2, §2 above).
   This is the moment it exists for. You carry it on your
   person precisely so that this step is possible.
3. CONTACT the named point of contact — both the client's
   and yours (the artifact names them — Vol 8 §2).
4. DE-ESCALATE. You are a professional doing authorized
   work. Behave like one. Do NOT:
     • destroy anything (it looks like — and may be —
       evidence tampering)
     • flee (it converts a professional engagement into
       something that looks criminal)
     • lie (the authorization artifact is your standing;
       undermining it undermines you)
   DO: stay calm, be straightforward, rely on the artifact.
5. DOCUMENT what happened, contemporaneously — what was
   discovered, by whom, when, what was said.
The protocol's core: the authorization artifact is your
STANDING. Discovery is not a crisis if you have it and
produce it. Discovery becomes a crisis ONLY if you act
like someone who does NOT have it.
This protocol is prepared before the engagement, not improvised during it. Knowing the points of contact, having the artifact on your person, having thought through “what do I do if I’m found” — that preparation is part of the pre-engagement checklist (Vol 8 §7), and it is what makes step 4’s calm professionalism possible rather than aspirational.
8. Engagement closeout
Vol 8 §9 made concrete — the closeout checklist:
ENGAGEMENT CLOSEOUT CHECKLIST
════════════════════════════════════════════════════════
□ STOP PINEAP — all active TX ceased. The active window
  is closed.
□ RETRIEVE EVERY DEVICE — every Pineapple, planted or
  carried, accounted for and recovered. (The Enterprise,
  if permanently installed per an authorized standing
  deployment, is the exception — but then its continued
  presence is itself authorized and documented.)
□ RESTORE STATE — any host or network state the engagement
  changed is restored. Leave clean.
□ SECURE-WIPE CAPTURES per the data agreement — the
  captured data (handshakes, PCAPs, probe logs) is handled
  and destroyed on the schedule the authorization artifact
  specifies (Vol 8 §2, §4; Vol 17 §7). Captured data about
  real people and networks does not linger.
□ TEAR DOWN ADDED ATTACK SURFACE — Cloud C2 enrollment,
  any exposed management access, any modules installed for
  this engagement (§6, Vol 19 §5-6).
□ THE REPORT — written from contemporaneous notes. And the
  most valuable thing in it: WHICH CONTROL would have
  stopped each technique. A pentest's value to the client
  is the defensive insight, not the list of what worked
  (Vol 17 §7).
□ LESSONS LEARNED — captured for the next engagement.
The closeout is the half of the engagement that makes it professional rather than merely technical. An engagement that ran PineAP brilliantly and then left a planted device unretrieved, a host’s state dirty, captures undeleted, and a C2 enrollment standing is a failed engagement — regardless of how good the technical work was. The closeout is not bureaucratic overhead; it is the discipline that the rest of the engagement was for.
9. Resources
- ../_shared/legal_ethics.md — the hub-wide lab-discipline rules this volume operationalises
- Vol 4 — the legal line · Vol 8 — the posture foundation this volume applies in the field
- Vols 10 / 13 / 15 — per-model operating detail (the §4 posture differences in operational context)
- Vol 17 — the setup playbooks (every playbook’s posture section is the short version of this volume)
- Vol 18 §8 — module vetting (a §6 attack-surface control)
- Vol 19 §5-6 — Cloud C2 as a standing attack surface
This is Volume 20 of a 21-volume series. Next: Vol 21, the cheatsheet — the whole 21-volume series compressed to laminate-ready reference: the four models, the PineAP suite, the radio roles, the legal line, the setup playbooks, and the posture checklists.