
Darren Kitchen

Root Admin


Posts posted by Darren Kitchen

  1. I can see you're disappointed. I want to understand your frustration so we can do better. I put a lot into this product and feel that it's the best WiFi Pineapple yet -- both in terms of the hardware and software, and want the experience to be the best it can. I'll see to addressing your concerns:


    - Packet injection does indeed work on all 3 interfaces. You can test this with the `aireplay-ng -9` command.
    - Gathering WPA2 handshakes is a passive process and does not require packet injection. Handshake capture does indeed work.
    - We have a highly documented module API and went as far as to commission modules for launch by one of the community's best developers. If there is a specific module you want, please let us know and we will put resources behind that.
    - The support for this device has not changed from the last generations of WiFi Pineapple, and you will find us responsive and helpful on the forums, in our Discord, and if you reach out to open a ticket.
    - I believe the videos I've published should get you started with a good understanding of the basics. Otherwise, I'm confident that the user interface is intuitive enough to figure out -- but if there is a specific concern you have please share it, maybe it'll make for a good video topic.
    - Greed? We make *less* on each WiFi Pineapple generation than the one before because we *increase* the hardware capabilities, not to mention the non-recoverable engineering and software development costs. Over 7 generations now, with each new version, we've added physical radios, increased the CPU power, increased the RAM, increased the storage, refined the UI -- and we've never increased the price.


    In short, you get out what you put in. Which is to say that if you constructively bring specific criticism it may be addressed thoughtfully, and you will find us very receptive to making the product and your experience with it better. But broad, emotional, "pretty useless" strokes don't lend to addressing your concerns.

  2. Initial Setup


    I am using hidden Wi-Fi networks to connect to, and somehow that seems to be causing a lot of problems.

    The OTA installation from the stager (initial setup firmware) does not support hidden and open WiFi networks. It only supports WPA WiFi networks. This is addressed in a forthcoming update.


    WiFi Client Mode


    Connecting to the network often goes wrong, the system seems to hang.

    This is a known issue related to some WiFi networks on an old firmware (version 1.0.0) which has been solved on subsequent releases.


    When it works and the settings are saved, they are forgotten the next time I boot.

    In firmware 1.0.0 the WiFi Client Mode settings were not automatically saved. There was a save button for if you wished to manually save the profile, however we learned that many people were not noticing the save button. On firmware releases after 1.0.0 the WiFi profile is saved automatically.


    The worst thing is that in many cases, the system locks and I only get to see '()'

    This bug in the old firmware 1.0.0 was shown when no networks were found and was solved in version 1.0.1 onwards.




    I used Active scanning to populate the SSID Pool, but decided to clear it. After clearing the pool, the device just seems not to forget about the networks it has found, and even though I am 100% sure there is only ONE network in the SSID Pool, all other network SSID's are broadcast when I enable active mode.

    The Active Mode in PineAP will automatically populate the SSID Pool. If you don't want this feature enabled, you can use Advanced Mode and uncheck the Capture SSIDs to Pool box. 

    There was a bug in the old version 1.0.0 where clearing the SSID Pool did not work correctly, which was addressed in a subsequent firmware update.

    Also, it should be noted that some devices (I can speak from experience on older Android phones) will cache the ESSID from a single BSSID and incorrectly report the network name in the UI. Changing the BSSID (MAC Address) will force the client device to update.


    I have tried everything I can imagine to get a client connected to the system, but to no avail. Even though the SSID is broadcast in Active Mode and I connect to it. Forgetting the network on my device and re-connecting from scratch does not help. And yes, I have checked the filtering: the Client Filter is on Deny List which is empty, SSID Filter is on Allow and the SSID I want to use is in the list.

    If you run into this, open the terminal (icon on top-right) and run `logread` -- you will see the association attempts which will include insights on what's happening. Without seeing those logs, I can only speculate as to what's happening between the WiFi Pineapple and the client in question here. 



    Also, in the Recon menu, I can see a long list of access points, but only very seldom a client connected to them. Only occasionally I see a client connected. This is strange, because I have specifically created a new SSID on the 2,4 GHz band and I am connecting a device to it. Only very seldom this is shown.

    Recon will populate clients associated with access points when data is seen being transmitted between both nodes. The duration of the recon scan will determine how much data is seen, as the dedicated monitor radio will channel hop to see the full 2.4 GHz spectrum.


    I hope this gives you some insight on these particular issues. Thank you for the bug reports and I am happy to say all of these issues had been addressed. It's posts like these, and the discussions on Discord -- both of which we monitor -- that help us make the WiFi Pineapple better with each release, so thank you for contributing.

    • Like 1
    • Upvote 2
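
The `logread` check suggested in post 2 above, as an added example that is not part of the original posts or Hak5's own code: a shell filter that groups hostapd association events by client MAC, so a client that authenticates but never finishes connecting stands out. It assumes the firmware logs hostapd events in the standard OpenWrt wording; the sample lines, MAC addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise hostapd association events per client MAC.
# Assumption: standard OpenWrt/hostapd syslog wording. On a device the
# input would be `logread | summarize_assoc`.

# Constructed sample log (not captured from a real device).
sample_log() {
    cat <<'EOF'
Mon Jan  1 10:00:01 2024 daemon.info hostapd: wlan0: STA 02:00:00:aa:bb:01 IEEE 802.11: authenticated
Mon Jan  1 10:00:01 2024 daemon.info hostapd: wlan0: STA 02:00:00:aa:bb:01 IEEE 802.11: associated (aid 1)
Mon Jan  1 10:00:01 2024 daemon.notice hostapd: wlan0: AP-STA-CONNECTED 02:00:00:aa:bb:01
Mon Jan  1 10:00:09 2024 daemon.info hostapd: wlan0: STA 02:00:00:AA:BB:02 IEEE 802.11: authenticated
Mon Jan  1 10:00:14 2024 daemon.info hostapd: wlan0: STA 02:00:00:aa:bb:02 IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Mon Jan  1 10:00:20 2024 kern.info kernel: [  120.1] br-lan: port 2(wlan0) entered forwarding state
EOF
}

# Reads syslog text on stdin.
# Prints one line per client: "<mac> <event count> <last event>".
summarize_assoc() {
    awk '
    index($0, " hostapd: ") == 0 { next }   # skip lines from other daemons
    {
        # the client MAC is the first field shaped like xx:xx:xx:xx:xx:xx
        mac = ""
        for (i = 1; i <= NF; i++) {
            f = tolower($i)
            if (length(f) == 17 && f ~ /^[0-9a-f][0-9a-f](:[0-9a-f][0-9a-f])+$/) {
                mac = f
                break
            }
        }
        if (mac == "") next

        # test the longer keywords first: "deauthenticated" contains
        # "authenticated" and "disassociated" contains "associated"
        if      (index($0, "deauthenticated"))     ev = "deauthenticated"
        else if (index($0, "disassociated"))       ev = "disassociated"
        else if (index($0, "AP-STA-DISCONNECTED")) ev = "disconnected"
        else if (index($0, "AP-STA-CONNECTED"))    ev = "connected"
        else if (index($0, "associated"))          ev = "associated"
        else if (index($0, "authenticated"))       ev = "authenticated"
        else next

        if (!(mac in count)) order[++n] = mac   # remember first-seen order
        count[mac]++
        last[mac] = ev
    }
    END {
        for (j = 1; j <= n; j++)
            print order[j], count[order[j]], last[order[j]]
    }'
}

sample_log | summarize_assoc
```

A client whose last event is anything other than `connected` is the one whose surrounding log lines are worth reading in full.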
  3. I cannot speak to the kbeflo project you reference as I do not have experience with it - however if you are referencing the Evil Portal module from the WiFi Pineapple repository, I can say that exfiltrating loot from that module to the Cloud C2 server is the same as any other file.


    C2EXFIL STRING /path/to/log/file payload-name

    *payload-name is optional
    *STRING indicates that the file is ASCII and may be viewed in the browser. Omit for binaries.

  4. If you run the `date` command on both your WiFi Pineapple and the server running Cloud C2 - are they the same?

    You also said that you have your WiFi Pineapple connected both to your computer and your LAN via WiFi, yet you are not providing the WiFi Pineapple with Internet access from the computer. Is this computer connected to the WiFi Pineapple via USB-C also the Cloud C2 server?

    If the WiFi Pineapple disconnects from the Cloud C2 server, does it reconnect after a few minutes?

    What do the server logs on the Cloud C2 server show after the WiFi Pineapple disconnects?

    After the WiFi Pineapple disconnects from the Cloud C2 server, has the date changed, and can it still ping the server running Cloud C2?

  5. Hi!

    Hak5 is proud to announce the second major annual update to our Command and Control platform — Cloud C2.

    Version 3.0.0 introduces Teams Edition with support for multiple users and multiple sites — further enabling red teams and pentest firms to conduct collaborative remote operations from anywhere. With granular real-time Role-Based Access Controls and advanced audit logging, administrators are provided comprehensive and historical insight into every aspect of Cloud C2.

    Moreover, architectural changes pave the way for more frequent releases to take advantage of the rich library of hardware, modules and payloads within the Hak5 ecosystem.

    The new user interface, inspired by the 7th generation WiFi Pineapple, will feel as familiar as it is refined — providing at-a-glance insight and simplified controls on desktop and mobile. We've even introduced some experimental features, such as the 3D Cartographer Recon view for 6th and 7th generation WiFi Pineapple platforms.

    Supported platforms will receive firmware updates — bringing higher performance with lower network throughput. As an example, 6th and 7th generation WiFi Pineapples will benefit from a PineAP engine optimization, reducing CPU utilization from a ~70% to ~3% average, all the while providing faster and more reliable Recon scans.

    Cloud C2 version 3.0 is available today as a free over-the-air update to all Community and Professional users. Installations are now simplified with a unified binary, while dynamic licensing allows you to scale your Cloud C2 instance by upgrading at any time.

    We hope you enjoy this monumental release. Thank you for your continued support, and as always please share your feedback here and from the link within Cloud C2.


    Cloud C2 version 3.0.0 Key Features

    • Introducing Teams Edition
    • Multiple Users
    • Multiple Sites
    • Role-Based Access Control / real-time permission controls
    • Advanced Auditing
    • Single binary for all editions (Community, Professional, Teams)
    • Automatic data migration for upgrades
    • Dynamic licensing enabling edition upgrades without redeployment
    • Avatars for users, sites and devices
    • Refined dashboard adopting style from 7th generation WiFi Pineapple
    • Experimental Cartographer Recon view for 6th and 7th generation WiFi Pineapples
    • Support for WiFi Pineapple Mark VII in addition to all networked Hak5 gear
    • Server side database administration controls
    • Device synchronization status and device state history
    • Command line password recovery option


    You can grab the download via the OTA system once the update becomes available to your Cloud C2 instance (this could take up to an hour!), or via the Hak5 Download Portal. License upgrades (e.g. Pro -> Teams) will be available from c2.hak5.org soon.

    Once logged in, existing devices will be unassigned to a site. Add them to the default site by going to Settings > Device Settings > All Devices and then assign them to an available site.

    3.0.1 Changelog

    • Fix an issue where UI license upgrades / reactivation returned error
    • Improved server output and logging
    • Add verbose flag (-v) to show timestamps in log output
    • Add -setLicenseKey and -setEdition flags
    • Improved server performance and stability under high load
    • Default avatars added to migration process
    • Devices will be automatically added to default site on upgrade to 3.X.X
    • Fix a Firefox caching bug that constantly refreshes the UI
    • Various minor UI fixes and improvements
    • Add links to the Hak5 icon library
    • Various improvements to mobile layout
    • Double clicking the server on Windows will now display server usage

    3.0.2 Changelog

    • Fix an issue preventing Signal Owl devices from being opened.


    • Like 1
  6. My apologies for the delay. We're very close on Cloud C2 v3.0, which we expected to be releasing today, however we are still in the QA phase and making UI tweaks which have postponed the launch. We are shooting for October 5th. It's going to be an exciting release with some really cool new features so I'm really grateful for your patience as we put the final touches on this release.

    • Like 1
    • Upvote 1
  7. Thanks for the report @drforbin - we can surely take a look at what's going on with the slow down when broadcasting the SSID pool. More details will be required so please post the contents of your SSID pool as well as the debug log which may be found from the help page.

    With regards to throughput, the MK7 should have about the same wireless client mode speeds as its predecessors. The focus has always been on balancing the hardware for its core functionality (identifying devices vulnerable to rogue ap/performing recon/new campaigns). If higher throughput is necessary for your application consider USB Ethernet or tethering/ICS.

    As others have mentioned, the notification about setting time is for your convenience. Clicking the notification will give you the option to sync the time with your browser, or you can wait after connecting the MK7 to the Internet, at which time it will sync with NTP.

  8. Yes, it *could* be a problem *if* someone submits a vulnerable module *and* we accept that module to the repository. Considering this isn't the case, and that this is removed from 1.0.1 and onward, and that we are not accepting modules with vulnerabilities - I don't see your hypothetical scenario playing out. Any information that was obtainable before a restriction was added would provide no benefit to an adversary. Again, thank you for the report, and I don't want to split hairs with you because I believe your intention is sound - however I do not believe a CVE is warranted.

    • Upvote 1
  9. Thanks for reporting this, and I understand you're trying to help. I wouldn't go as far as calling this a vulnerability. That's sort of akin to pointing out that the login page is accessible unauthenticated. There's nothing sensitive in the UI directory that's accessible - for example, the json file you mention is an element of progressive web apps. All of the configuration and loot data are stored elsewhere. As you've determined, after you reported this we removed it from 1.0.1. Again, I'm sure you have the best of intentions, but there's no data leak or pivot. Had there been I would absolutely understand a CVE, but as is I'm a bit perplexed.

  10. I believe I speak for the entire team when I say how excited we are to finally share with you the hard work that has gone into making the most refined, polished, and precision-fit WiFi Pineapple to date.

    I can say with confidence that the Mark VII introduces the most intuitive WiFi Pineapple experience. That is because, in addition to vastly improving the hardware and PineAP engine capabilities, all pain-points from previous generations were considered when developing the 7th generation.

    From initial setup and provisioning to PineAP configuration, reconnaissance, engagement automation with campaigns, Internet connection, shell access, recovery, a host of first-class modules written in-house, and so many more subtle but important refinements—I hope you will find the Mark VII a joy to work with.

    Please, as always, share your feedback here. We endeavour to continuously refine and enhance the product to the best of our abilities.

    If you would like to get involved with the project—contributing mods & modules—please see the subforum. Please also find the new Hak5 Developer Program, which brings compensation and collaboration means. Having already seen what renowned makers have built, what seasoned module developers have written, we are excited for the future of the 7th generation WiFi Pineapple platform.

    Welcome, and cheers!

  11. Support for the Mark VI generation will conclude when the devices reach the end of their 5-year lifecycle. Until then, they will continue to receive critical bug fixes—as they have with over 50 firmware upgrades to date.

    Module submissions will stay open, so developers may continue to enhance the platform. The Hak5 infrastructure will continue to host community modules for over-the-air downloads. Should industry-wide changes occur impacting our ability to securely offer module downloads (such as the TLS updates which rendered OTA module downloads infeasible for Mark IV devices) then side-load documentation will be published at docs.hak5.org

    The WiFi Pineapple NANO and WiFi Pineapple TETRA will continue to operate within the scope of their initial design—and then some, having received 10 major feature releases since introduction in 2015.

    We will continue to serve all firmware versions, from 1.0.0–current, at downloads.hak5.org

  12. Username1031 –

    I understand you're upset. I'll try to shed some light on the situation.

    The notice isn't a pop-up, it's a large red note at checkout. See the screenshot below:


    I understand from your posts this wasn't apparent to you. I felt like this was an up-front and clear notice - however if you have ideas on how I could improve on making these notices should an item go into backorder again (rarely happens) I'd be keen on hearing your suggestions. I want to be as clear and up-front as possible when it comes to these situations, because the last thing I want is a customer feeling like you have in this situation.

    I'll speak with Jamie about the situation and see if we can't make it more clear going forward. There is no intention to blame anyone, but merely let you know the facts - which are simply that we were running out of the WiFi Pineapple TETRA at the same time that a shipment was coming in, and needed to allow the warehouse a few days to count and stock the inventory before they would be fulfilled. 

    Let me know if there's anything I can do to make this right in your eyes.


  13. You are close in your understanding of the roles each radio plays. 

    wlan0 runs the access point(s) (the "Allow Associations" checkbox) - though it's come a long way since the initial karma patches to hostapd digininja did back in 2007.

    wlan1 is responsible for monitor and frame injection functions, which are used by PineAP for Broadcast SSID Pool and Beacon Response, as well as Recon for Deauth and survey.

    There's a lot more going on - but that's the high level overview.

    I've found many IoT devices are eager to connect by simply allowing associations, while others are only interested when the SSID pool is broadcast with PineAP. Some devices require a beacon response to stay connected, and others require a little encouragement by way of deauth. It really depends on the client device and network in question. Hope that helps.

    • Like 1
  14. Kali Linux 2020 includes a network manager that is aggressive about managing network interfaces. It will take over settings specifically set from a root shell, including that of wp6.sh. It's only if you follow the instructions from the linked page that you can get it to behave.

    Personally I disable network-manager altogether, as I know what I'm doing in the shell and it tends to just get in the way.

    • Upvote 1
  15. Jugru - 

    Good luck with the paper, and please share it with us when it's complete.

    In discussing this exact topic with others in the industry that are adopting the zero trust model, it's clear that - as always - the humans are the weakest link. It's for this reason that modules like Evil Portal, which are able to spin up a captive portal, are so valuable. By mimicking not only a preferred network, but a recognized landing page, credentials and other PII can be captured. Mobile devices are especially vulnerable to this attack because many, like Samsung for instance, do not display a URL bar when loading the captive portal.

    And while attacks like sslstrip/sslsplit may not be as effective as they once were, DNSMasq Spoof is great for redirecting traffic to a site to capture loot. Depending on the scope of engagement, this can be very effective.


  16. @JohnXovox thanks for reminding me that the setup video incorrectly recommends using USB for power. That video is very old and needs to be updated. Insufficient power is the #1 cause for issues with the device (aside from general misunderstandings of how filters & ICS work). I'll update the documentation.

    We pride ourselves on our ability to provide a robust platform that's effective out of the box, while also allowing for third party development. Some of the most exciting features have come from the community through their module contributions. That said, it is impossible for our small team to test and maintain every module - so they are provided on an as-is basis. 

    • Upvote 1