WiFI Pineapple Mark VII: Evil Twin Attack using Captive Portal

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search


EvilPortal is a captive portal tool for the Wi-Fi Pineapple. It allows users to easily setup landing pages that are automatically displayed to clients who connect. In this guide, we will be using the Pineapple Mark VII to set up the Evil Portal module. This module is used for capturing victim devices, by using a rouge access point and fake login page:


Remember: The hacking tools and knowledge that we share here should not be used on a target without prior mutual consent. It is the end user's responsibility to obey all applicable local, state and federal laws. We assume no liability and are not responsible for any misuse or damage caused by this site.

To complete these steps, you must have followed Wi-Fi Pineapple Mark VII: Initial Setup before.



  • This project requires you to install Evil Portal captive portal module created by frozenjava. To install on the Pineapple, go to Modules → Manage Modules → Get Modules from Hak5 Community Repositories → Evil Portal 3.2.
  • Evil Portals [1] is a collection of portals that can be loaded into the Evil Portal module. It can be used for phishing attacks against Wi-Fi clients to obtain credentials or infect the victims with malware using the Hak5 Wi-Fi Pineapple Mark VII.


  • Targeted Portals
  • Static Portals
  • Creating/Editing/Activating/Deleting Portals
  • White listings clients by ip address
  • Dynamically adding and revoking authorized clients
  • Live Preview of your portal through the module interface


Step 1 (Download Module)

  • First, we will open a browser. In the URL box, we will type to access the login interface for the Pineapple:
  • After Login, we will be brought to the dashboard interface page. Select the Modules tab from the menu on the left side of the screen.
  • Then click on Manage Modules.
  • Next, click on Get Modules at the top of the screen. The following screenshot displays the screen you should be seeing in this step:
  • Select the Evil Portal module.
  • After you click on Evil Portal under the Modules tab (left side of screen), you will see the interface page for the module. (The following screenshot displays the interface page for the Evil Portal module):

Step 2 (Create & Activate Portal)

  • Now choose a given template, and we will start the portal by clicking Activate, located to the right of Portal Name. After you have clicked Activate, you will click Start in the Controls tab located toward the top left of the screen (the screenshot from Step 3 also displays where the start button is located).
  • Next, we will click on the Live Preview tab, located towards the bottom of the screen. We see the default Evil Portal page, which is the page our simulated victim will log in to when connecting through our rouge access point. Furthermore, the Evil Portal page can be customized to anything you want. For this lab, we will use the default page. We advise caution when cloning other landing pages to use as the Evil Portal page. The following screenshot displays what the Evil Portal default page looks like:
  • The final step is to see what a simulated victim looks like when they connect to the Evil Portal page. The victim device connects to the rogue access point the Pineapple is broadcasting. Once the victim connects, they will be presented with the Evil Portal default page, simulating a Wi-Fi landing page. The victim will click Authorize by entering E-Mail and Password and then will show up under the Authorized Clients tab, displaying the victim's IP. At this point, other modules can be used to launch a MITM attack by using modules like SSLsplit. In the Portal next to the template, you can retrieve email and password by opening the log file.

Used Hardware

WiFi Pineapple Mark VII