Wi-Fi Pineapple · Volume 4
Hak5 WiFi Pineapple Volume 4 — Where It Fits: White, Red, Black, Blue, and the Legal Line
How the Pineapple is used across penetration testing, red teaming, white-hat audit, blue-team defense, and criminal misuse — and exactly where lawful use ends
1. About this volume
The WiFi Pineapple is a dual-use instrument. The exact same device, running the exact same PineAP suite (Vol 3), is — depending entirely on authorization and intent — a professional audit tool, a red-team weapon, a defensive sensor, or a felony in progress. Nothing in the hardware or firmware changes between those uses. The only thing that changes is whether the operator has the right to do what the device makes easy.
This volume places the technique catalog from Vol 3 across the five common framings — white, pentest, red, blue, black — and draws the legal line precisely. It is a mandatory companion to Vol 3: Vol 3 tells you what the device can do; Vol 4 tells you what you may do. Vol 8 is the operational-posture deep dive (OPSEC, capture-data discipline, the pre-engagement checklist); this volume is the conceptual posture — the line itself.
This is not legal advice. It is an engineer’s framing of why the line is where it is, written so tjscientist operates on the right side of it without having to re-derive it each time.
2. The hat-colors, and why the Pineapple is the same device in every hand
ONE DEVICE. FIVE FRAMINGS. The hardware does not know which one it's in.
═══════════════════════════════════════════════════════════════════════
WHITE HAT authorized audit — find the wireless weaknesses in a
system you're permitted to test, report them, fix them
PENTEST white hat, formalized — a scoped, contracted engagement
with rules of engagement and a deliverable report
RED TEAM adversary emulation — authorized, but goal-driven and
stealthy: "get in like a real attacker would"
BLUE TEAM defense — use the Pineapple's RECON to find rogue APs,
KARMA responders, and deauth floods in your OWN airspace
BLACK HAT unauthorized use against networks/devices you have no
right to touch — a crime, full stop
The dividing line runs between BLUE and BLACK, but it is NOT
"which techniques" — recon is shared by all five. The line is
AUTHORIZATION. (§ 3.)
The reason this volume exists: a beginner thinks the hat-color is determined by which features you use. It is not. Recon is used by the blue team and the black hat alike. An evil twin is run by the red team and the criminal alike. The hat-color is determined by authorization, scope, and intent — not by the toggle you flip. Internalize that and the rest of this volume is detail.
3. The legal line — the single most important diagram in this series
════════════════════ THE LEGAL LINE ════════════════════
GENERALLY LAWFUL │ AUTHORIZATION REQUIRED
(situational awareness) │ (active / intrusive)
│
• Recon — scanning the airspace │ • Allow Associations (KARMA) —
• Log Probes / Log Associations │ impersonating networks
• Listening to broadcast 802.11 │ • Beacon Response / Broadcast
management frames │ SSID Pool — transmitting as
• Wardriving (passive) │ networks you are not
• Watching YOUR OWN airspace │ • Deauthentication — DoS
for attacks (blue team) │ • Evil twin / captive portal
│ • Handshake capture via forced
│ reconnect
│ • Anything that TRANSMITS at,
│ or intercepts traffic from,
│ a device you don't own
─────────────────────────────────┼─────────────────────────────────
The Pineapple makes crossing │ Crossing it WITHOUT authorization
this line a UI toggle. │ is, in the US: a CFAA violation
The operator is the only thing │ (unauthorized access) and a
that keeps it honest. │ Wiretap Act violation (intercep-
│ tion), plus FCC issues for the
│ RF. Equivalent statutes apply
│ in essentially every jurisdiction.
═════════════════════════════════════════════════════════
The line is between passive observation and active participation. On the left: you are listening to things devices broadcast into public space anyway. On the right: you are transmitting — claiming to be networks you aren’t, disconnecting other people’s sessions, intercepting other people’s traffic.
Two clarifications that matter:
- The left side is “generally” lawful, not “always.” Jurisdictions vary; some places regulate even passive interception more tightly; content interception (vs. management-frame metadata) is treated more strictly than this diagram’s left column implies. When in doubt, treat it as the right column.
- The right side is not made lawful by good intent. “I was only testing” is not a defense for unauthorized active operation. What moves a right-column technique to the lawful side is authorization (§ 10) — not intent, not curiosity, not “it’s my hobby.”
Everything in § 4-9 is an elaboration of this one diagram.
4. White hat — authorized wireless audit
The framing: you have permission to assess a system’s wireless security, you find the weaknesses, you report them so they get fixed.
How the Pineapple is used: the full Vol 3 catalog — recon to map the airspace, PineAP to test whether clients can be lured to a rogue AP, deauth to test reconnect behavior, handshake capture to test PSK strength, evil-twin/captive-portal to test whether users would hand over credentials. The point is to demonstrate the exposure so the owner can close it: enforce 802.1X, deploy PMF (802.11w Protected Management Frames, which makes spoofed deauthentication frames ineffective against clients that support it), train users, harden client configs.
What makes it white hat: the work is authorized by the system owner and the goal is remediation. Same techniques as a black hat — opposite purpose, with permission.
tjscientist’s most common legitimate use will live here and in § 5: auditing his own networks and devices, and any he’s explicitly authorized to test.
5. Penetration testing — scoped, contracted, reported
The framing: white-hat work, formalized. A penetration test is a white-hat audit with a contract, a defined scope, rules of engagement, a time window, and a deliverable report.
How the Pineapple is used: this is the Pineapple’s home turf — Hak5 explicitly positions it as “the industry-standard WiFi pentest platform.” The web UI’s Campaigns feature exists for exactly this: run a scripted, repeatable wireless audit and emit a report that goes into the engagement deliverable. The targeting controls (Vol 3 § 9 — Source/Target MAC) exist to keep the active techniques inside the contracted scope.
The pentest discipline the Pineapple is built around:
| Pentest element | The Pineapple feature that serves it |
|---|---|
| Defined scope (these assets, not those) | Source/Target MAC, client/SSID filtering (Vol 3 § 9) |
| Repeatable methodology | Campaigns — scripted, scheduled audits |
| Evidence + deliverable | Campaign reports, capture logs, recon exports |
| Time-boxed engagement | Campaign scheduling; the operator’s discipline |
| Remediation handoff | The report → the client’s fix list |
The key insight: a pentest’s scope is the authorization. The contract says “you may test these networks and these devices during this window.” The Pineapple’s targeting controls are the technical means of honoring that. Using broadcast-target active operations (Vol 3 § 9) during a scoped pentest is how an authorized engagement becomes an unauthorized one — you’ve attacked bystanders the contract never covered.
6. Red team — adversary emulation
The framing: still authorized — but instead of “find all the wireless weaknesses,” the goal is “achieve a specific objective the way a real adversary would,” including stealth and creativity. A red team emulates the actual threat.
How the Pineapple is used: as the adversary’s wireless foothold. Surgical, targeted PineAP (Beacon Response + targeting, Vol 3 § 7.1 + § 9) to lure a specific high-value target’s device; an evil twin of a network that target trusts; a captive portal crafted to look exactly like the target org’s SSO. The red team uses the Pineapple’s quiet modes — because a real adversary doesn’t broadcast a flood of fake SSIDs that trips the blue team’s sensors on day one.
What still makes it lawful: red teams are authorized — there’s a contract, a scope, and a “trusted agent” on the client side who knows. The stealth is from the rest of the organization, not from the law. The red team can be sneaky toward the blue team; it cannot be sneaky toward the authorization.
The Pager is the red-team-leaning model (Vol 12-13): pocket-sized, screen-on-device, battery-powered, no laptop needed — built for the walk-in, short-window, look-like-a-normal-person engagement shape.
7. Blue team — defense, and detecting other people’s Pineapples
The framing: the Pineapple as a defensive instrument. This is the use tjscientist explicitly named (“watching for attacks”), and it’s the one that lives entirely on the lawful side of the line (§ 3) — because it’s all recon, in your own airspace.
How the Pineapple is used defensively — every active technique from Vol 3 has a detection signature, and the Pineapple’s recon mode is exactly the sensor that catches them:
| What the blue team watches for | The signature recon sees |
|---|---|
| A rogue AP in the building | An AP broadcasting a corporate SSID from an unexpected BSSID / location / signal direction |
| Another Pineapple running KARMA | A single BSSID answering probes for many different SSIDs — no real AP does that |
| Broadcast SSID Pool / “Dogma” | A sudden flood of SSIDs all originating from one device |
| A deauth flood | A storm of deauthentication frames — one of the most recognizable hostile signatures in Wi-Fi |
| An evil twin | Two APs with the same SSID, different BSSIDs, one of them in the wrong place |
The setup (Vol 17 § attack-watching has the full playbook): park a Pineapple — Mark VII at a desk, Enterprise rack-mounted permanently, Pager on a walk-around sweep — in recon mode, watching your airspace, and it becomes a Wi-Fi intrusion sensor. It catches the attacks because it knows what they look like — it can run them itself.
Why this matters for the buy decision: the blue-team use is the one with zero authorization complexity — it’s your airspace, it’s passive. For tjscientist, “watching for attacks” is the use he can deploy on day one without an engagement contract. Vol 16’s buy analysis weighs this.
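The detection rules in the table above, written out as runnable sensor logic. This is an added example, not the Pineapple's recon code or anything from Hak5: it runs four checks (rogue AP / evil twin against a BSSID inventory, KARMA responder, SSID-pool flood, deauth storm) over a constructed list of management-frame records. The frame-record shape, the thresholds, the inventory and every MAC address are assumptions chosen for illustration.

```python
"""Blue-team sensor logic for the signatures in the table above, run over
constructed 802.11 management-frame records.  Added example, not Pineapple
recon code; frame fields, thresholds, inventory and all MACs are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class MgmtFrame:
    t: float          # capture time, seconds
    subtype: str      # "beacon", "probe_resp" or "deauth"
    bssid: str        # BSSID carried by the frame (may be spoofed by an attacker)
    ssid: str = ""    # SSID element of a beacon or probe response
    channel: int = 0


def ssids_per_bssid(frames, subtype, min_ssids):
    """Map each BSSID to the distinct SSIDs it sent in `subtype` frames; keep
    only BSSIDs claiming at least `min_ssids` of them."""
    seen = defaultdict(set)
    for f in frames:
        if f.subtype == subtype and f.ssid:
            seen[f.bssid].add(f.ssid)
    return {b: sorted(s) for b, s in seen.items() if len(s) >= min_ssids}


def detect_karma(frames, min_ssids=4):
    """KARMA responder: one BSSID answering probes for many unrelated SSIDs.
    A legitimate AP only answers probes for SSIDs it actually serves."""
    return ssids_per_bssid(frames, "probe_resp", min_ssids)


def detect_ssid_flood(frames, min_ssids=8):
    """Broadcast SSID Pool: one BSSID beaconing many distinct SSIDs at once."""
    return ssids_per_bssid(frames, "beacon", min_ssids)


def detect_deauth_storm(frames, window=1.0, threshold=10):
    """Deauth flood: more than `threshold` deauth frames carrying one address
    inside any `window`-second span.  Returns {address: peak count}.  A flood
    usually spoofs the legitimate AP's address, so the key is the address the
    attacker claimed, not the attacker's own radio.  With PMF (802.11w) clients
    ignore the spoofed frames, but the sensor still sees the storm on air."""
    peaks = {}
    recent = defaultdict(deque)
    for f in sorted(frames, key=lambda x: x.t):
        if f.subtype != "deauth":
            continue
        q = recent[f.bssid]
        q.append(f.t)
        while f.t - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            peaks[f.bssid] = max(peaks.get(f.bssid, 0), len(q))
    return peaks


def detect_rogue_ap(frames, inventory):
    """Rogue AP / evil twin: a beacon for an SSID you own from a BSSID that is
    not in your inventory {ssid: {bssid, ...}}.  Returns {ssid: [bssids]}."""
    hits = defaultdict(set)
    for f in frames:
        if f.subtype == "beacon" and f.ssid in inventory and f.bssid not in inventory[f.ssid]:
            hits[f.ssid].add(f.bssid)
    return {s: sorted(b) for s, b in hits.items()}


def run_sensor(frames, inventory):
    return {
        "rogue_ap": detect_rogue_ap(frames, inventory),
        "karma": detect_karma(frames),
        "ssid_flood": detect_ssid_flood(frames),
        "deauth_storm": detect_deauth_storm(frames),
    }


# Constructed data: two real CorpNet APs plus one attacker radio (assumed MACs).
INVENTORY = {"CorpNet": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}
ATTACKER = "02:13:37:00:00:01"
POOL = ["Free WiFi", "Guest", "Starbucks", "attwifi", "xfinitywifi", "Airport", "Hotel", "CafeNet"]
SAMPLE = (
    [MgmtFrame(0.1 * i, "beacon", "aa:bb:cc:00:00:01", "CorpNet", 6) for i in range(10)]
    + [MgmtFrame(0.1 * i, "beacon", ATTACKER, "CorpNet", 6) for i in range(10)]        # evil twin
    + [MgmtFrame(1.0 + 0.05 * i, "probe_resp", ATTACKER, s) for i, s in
       enumerate(["Home-WiFi", "xfinitywifi", "attwifi", "Starbucks", "Airport"])]    # KARMA
    + [MgmtFrame(2.0 + 0.02 * i, "deauth", "aa:bb:cc:00:00:01") for i in range(30)]   # spoofed flood
    + [MgmtFrame(3.0 + 0.1 * i, "beacon", ATTACKER, s, 6) for i, s in enumerate(POOL)]  # SSID pool
    + [MgmtFrame(5.0, "deauth", "aa:bb:cc:00:00:02")]                                 # one idle kick
)

if __name__ == "__main__":
    for name, hits in run_sensor(SAMPLE, INVENTORY).items():
        print(f"{name:13s} {hits or 'clear'}")
```

The single deauth from the second real AP at t=5.0 stays below threshold, which is the point of the sliding window: a lone disconnect is normal, thirty in under a second from one address is not. In a real sensor the inventory comes from your own AP controller export and the thresholds are tuned against a quiet baseline of your airspace first.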
8. Black hat — what criminal misuse looks like, and why it’s a crime
This section exists for recognition and avoidance — so the line is unmistakable.
What unauthorized criminal use of a Pineapple looks like: standing up an evil twin of a coffee-shop or airport Wi-Fi to harvest strangers’ credentials and traffic; KARMA-attacking a crowd to MITM whoever connects; deauth-flooding a venue’s network; capturing handshakes from neighbors’ or businesses’ networks to crack their keys; using a captive portal to phish credentials from people who never consented to anything.
Why every one of those is a crime (US framing; equivalents apply globally):
- CFAA — unauthorized access. The moment a victim’s device associates to your rogue AP and you’re positioned to access their traffic, you have “accessed” a system without authorization. Impersonating a network to obtain that access is the unauthorized-access offense.
- Wiretap Act — interception. Intercepting the contents of someone’s communications without consent is a federal felony. An evil twin that passes (and inspects) a victim’s traffic is doing exactly that.
- FCC — willful interference. Deauthenticating devices you don't control is willful interference with an authorized radio communication (47 U.S.C. § 333), and the FCC has fined organizations heavily for exactly this (the well-known hotel-Wi-Fi deauth cases).
- Plus: wire fraud, identity theft, computer-fraud statutes, depending on what’s done with what’s captured.
Intent doesn’t save you. “I was curious,” “I was learning,” “I didn’t keep the data” — none of these are defenses to unauthorized active operation. The offense is in the unauthorized access and interception, not in what you later did with it.
The recognition rule: if you cannot point to a specific authorization (you own it, or you have written permission — § 10) covering the specific networks and devices your active techniques will touch, you are on the black-hat side of § 3’s line. There is no fourth option.
9. The grey areas — research, training, “my own network”
Three situations that feel grey and where operators get into trouble:
“It’s my own network.” Testing networks and devices you own is the cleanest lawful use — but the edges bite. Your rogue AP’s RF doesn’t stop at your property line; if a neighbor’s device associates to your KARMA AP, you’ve now touched a device you don’t own. Your deauth frames hit whatever’s in range. Own the network AND control the RF environment — which in practice means a shielded space, or low power and targeted operation, or simply accepting that broadcast-target active operations are never truly “just my network.”
Security research. Genuine research (responsible disclosure, academic work, vendor-coordinated testing) has some latitude — but it is not a blanket. Research that intercepts third parties’ traffic without consent is still interception. The “research” framing protects methodology and disclosure, not unauthorized access to bystanders.
Training and demos. Teaching with a Pineapple is valuable and common — but a “demo” at a conference that KARMA-attacks the audience’s phones is attacking the audience’s phones. Lawful training uses your own devices as the targets, or a shielded/isolated lab network, or runs purely in recon.
The through-line: in every grey area, the question collapses back to § 3 — are you transmitting at, or intercepting from, a device you don’t own and aren’t authorized to touch? If yes, the grey is actually black. If no, you’re fine. The greyness is usually just incomplete thinking about whose devices are in RF range.
10. The authorization artifact — what “written authorization” actually means
“Authorization” is invoked constantly in this volume. Concretely, for tjscientist or anyone operating a Pineapple beyond their own owned gear, it means a document that:
- Names the parties — who’s authorizing, who’s authorized.
- Defines the scope — which networks (SSIDs, BSSIDs), which devices/MACs, which physical locations. The Pineapple’s targeting controls (Vol 3 § 9) exist to honor exactly this.
- Sets the time window — when the engagement starts and ends.
- States what’s permitted — recon only? active PineAP? deauth? captive portals capturing credentials? Each escalation should be explicit.
- Is signed by someone who can actually grant it — the network/system owner, not a tenant, not an employee without authority, not “the IT guy said it was fine.”
- Is in your possession during the engagement — on paper, verifiable, with a contact who can confirm it in real time (Vol 8 § discovery-response).
For tjscientist’s planned use — auditing his own networks and devices, blue-team watching his own airspace — the “authorization” is ownership, and the artifact is simpler. The moment the work touches anything he doesn’t own, the document above is the thing standing between “penetration test” and “computer crime.” Vol 8 turns this into the operational pre-engagement checklist.
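The artifact above turned into a pre-flight gate, covering both the scope point of § 5 (targeting controls are how the contract is honored; a broadcast target is how an engagement goes out of scope) and the field list of § 10. This is an added example, not Pineapple firmware or a Hak5 feature: the artifact key names, the operation names, the signer and every MAC address are assumptions constructed for illustration.

```python
"""Scope gate: a pre-flight check that every Pineapple operation must pass
against the authorization artifact.  Added example, not Pineapple code; the
artifact fields, operation names and all MACs below are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Active operations in escalation order; each must be granted by name.
ACTIVE_OPS = ("allow_associations", "beacon_response", "deauth", "captive_portal")


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac.strip().lower().replace("-", ":")


@dataclass(frozen=True)
class Authorization:
    authorized_by: str      # signer with authority over the asset
    bssids: frozenset       # in-scope access points
    clients: frozenset      # in-scope client devices
    starts: datetime
    ends: datetime
    permitted: frozenset    # operations granted explicitly


def load_authorization(doc: dict) -> Authorization:
    """Build the gate from a parsed artifact (a dict, e.g. from signed JSON).
    Key names are assumptions.  Unknown operation names are rejected up front
    so a typo cannot silently grant something."""
    unknown = set(doc["permitted_ops"]) - set(ACTIVE_OPS) - {"recon"}
    if unknown:
        raise ValueError(f"artifact grants unknown operation(s): {sorted(unknown)}")
    return Authorization(
        authorized_by=doc["authorized_by"].strip(),
        bssids=frozenset(norm_mac(m) for m in doc["scope_bssids"]),
        clients=frozenset(norm_mac(m) for m in doc["scope_clients"]),
        starts=datetime.fromisoformat(doc["window_start"]),
        ends=datetime.fromisoformat(doc["window_end"]),
        permitted=frozenset(doc["permitted_ops"]),
    )


def check_operation(auth: Authorization, op: str, target_mac: str, when: datetime):
    """Return (allowed, reason).  Recon is passive and needs only the window;
    every active op needs an explicit grant and a single, in-scope target."""
    if not auth.authorized_by:
        return False, "artifact is unsigned"
    if not (auth.starts <= when <= auth.ends):
        return False, "outside the engagement window"
    if op == "recon":
        return True, "passive observation inside the window"
    if op not in auth.permitted:
        return False, f"{op} was not granted in the artifact"
    target = norm_mac(target_mac)
    if target == BROADCAST:
        return False, "broadcast target would reach bystanders the contract never covered"
    if target not in auth.bssids | auth.clients:
        return False, f"{target} is not in scope"
    return True, f"{op} against {target} is inside scope and window"


# Constructed artifact: signer, MACs and window are illustrative assumptions.
SAMPLE_ARTIFACT = {
    "authorized_by": "J. Example, Director of IT, Example Corp",
    "scope_bssids": ["AA-BB-CC-00-00-01", "aa:bb:cc:00:00:02"],
    "scope_clients": ["de:ad:be:ef:00:10"],
    "window_start": "2024-05-06T09:00:00+00:00",
    "window_end": "2024-05-06T17:00:00+00:00",
    "permitted_ops": ["recon", "beacon_response", "deauth"],   # captive_portal NOT granted
}
AUTH = load_authorization(SAMPLE_ARTIFACT)
IN_WINDOW = datetime(2024, 5, 6, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for op, target, when in [
        ("recon", "", IN_WINDOW),
        ("deauth", "DE-AD-BE-EF-00-10", IN_WINDOW),
        ("deauth", BROADCAST, IN_WINDOW),
        ("captive_portal", "de:ad:be:ef:00:10", IN_WINDOW),
        ("beacon_response", "02:99:99:99:99:99", IN_WINDOW),
        ("deauth", "de:ad:be:ef:00:10", IN_WINDOW.replace(day=7)),
    ]:
        print(f"{op:16s} {target or '-':18s} {check_operation(AUTH, op, target, when)}")
```

The gate is deliberately deny-by-default: an operation not named in the artifact, a target not listed in it, or a broadcast address all fail, which is the technical form of "each escalation should be explicit." Wiring a check like this in front of the Source/Target MAC fields is what keeps a Campaign inside the contract when the operator is tired or rushed.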
11. Resources
Legal framing
- US CFAA (Computer Fraud and Abuse Act, 18 U.S.C. § 1030): https://www.law.cornell.edu/uscode/text/18/1030
- US Wiretap Act (18 U.S.C. § 2511): https://www.law.cornell.edu/uscode/text/18/2511
- FCC on Wi-Fi blocking / deauthentication enforcement: https://www.fcc.gov/ (the hotel-Wi-Fi-blocking enforcement actions)
- Hack Tools shared posture:
../../../_shared/legal_ethics.md
Within this series
- Vol 3 — the technique catalog this volume governs
- Vol 8 — the operational-posture deep dive: OPSEC, capture-data handling, the pre-engagement checklist, discovery response
- Vol 17 — the per-use-case setup playbooks (incl. the blue-team attack-watching playbook)
- Vol 20 — the on-air detection signatures (the blue-team sensor reference)
Cross-tool
- [ESP32 Marauder Firmware deep dive Vol 11](../../ESP32%20Marauder%20Firmware/03-outputs/ESP32_Marauder_Firmware_Complete.html#vol11) (operational posture for the same technique class).
This is Volume 4 of a 21-volume series. Next: Vol 5 goes under the hood — the firmware foundation: the highly-modified OpenWrt every Pineapple runs, how the Pineapple firmware layers PineAP and the web UI on top, the Campaigns automation engine, and Hak5 Cloud C2 for remote command and control.