Payload Library for the WiFi Pineapple Pager by Hak5
Note: This repository is under construction.
This repository contains community-developed payloads for the Hak5 WiFi Pineapple Pager. Community developed payloads are listed and developers are encouraged to create pull requests to make changes to or submit new payloads.
Payloads here are written in official DuckyScript™ + Bash specifically for the WiFi Pineapple Pager. Hak5 does NOT guarantee payload functionality. See Legal and Disclaimers
View Featured Pager Payloads and Leaderboard
Get your payload in front of thousands. Enter to win over $2,000 in prizes in the Hak5 Payload Awards!
Got Questions? Need some help? Reach out:
Follow the creators
Korben's Twitter |
Korben's Instagram
Dragorn's Mastodon |
Darren's Twitter |
Darren's Instagram
A WiFi Pineapple built for Hackers who don't stay put.
New WiFi Pineapple Pager
The first Payload-powered WiFi Pineapple is here — and it runs DuckyScript™, Hak5’s simple and powerful scripting language. Paired with Bash and backed by Linux, it brings serious scripting power to the palm of your hand.
Launch targeted attacks or set alert payloads to fire off based on live WiFi activity. Ringtones, vibes and visuals.
Take control of the airspace with the 8th generation PineAP engine — now over 100× faster. Rebuilt from the kernel up, this attack suite is hyper optimized for advanced WiFi operations, even in the most crowded RF environments.
Run Rogue AP, Man-in-the-Middle, and Deauth attacks. Nab handshakes, OSINT and more, all from a live dashboard.
DuckyScript is the payload language of Hak5 gear.
Originating on the Hak5 USB Rubber Ducky as a standalone language, the WiFi Pineapple Pager uses DuckyScript commands to bring the ethos of easy-to-use actions to the payload language.
DuckyScript commands are always in all capital letters to distinguish them from other system or script language commands. Typically, they take a small number of options (or sometimes no options at all).
Payloads can be constructed of DuckyScript commands alone, or combined with the power of bash scripting and system commands to create fully custom, advanced actions.
The files in this repository are the source code for your payloads and run directly on the device no compilation required - simply place your payload.sh in the appropriate directory and you're ready to go!
Take your DuckyScript™ payloads to the next level with this full-featured, web-based (entirely client side) development environment.
Payload studio features all of the conveniences of a modern IDE, right from your browser. From syntax highlighting and auto-completion to live error-checking and repo synchronization - building payloads for Hak5 hotplug tools has never been easier!
Supports your favorite Hak5 gear - USB Rubber Ducky, Bash Bunny, Key Croc, Shark Jack, Packet Squirrel & LAN Turtle!
Become a PayloadStudio Pro and Unleash your hacking creativity!
OR
Try Community Edition FREE
Payload Studio Themes Preview GIF
Payload Studio Autocomplete Preview GIF
View Featured Payloads and Leaderboard
Once you have developed your payload, you are encouraged to contribute to this repository by submitting a Pull Request. Reviewed and Approved pull requests will add your payload to this repository, where they may be publically available.
Please include all resources required for the payload to run. If needed, provide a README.md in the root of your payload's directory to explain things such as intended use, required configurations, or anything that will not easily fit in the comments of the payload.txt itself. Please make sure that your payload is tested, and free of errors. If your payload contains (or is based off of) the work of other's please make sure to cite their work giving proper credit.
Subject to change. Please ensure any submissions meet the latest version of these standards before submitting a Pull Request.
Please give your payload a unique, descriptive and appropriate name. Do not use spaces in payload, directory or file names. Each payload should be submit into its own directory, with - or _ used in place of spaces, to one of the categories such as exfiltration, interception, sniffing, or recon. Do not create your own category.
The payload itself should be named payload.
In many cases, payloads will require some level of configuration by the end payload user. Be sure to take the following into careful consideration to ensure your payload is easily tested, used and maintained.
- Remember to use PLACEHOLDERS for configurable portions of your payload - do not share your personal URLs, API keys, Passphrases, etc...
- Do not leave defaults that point at live services
- Make note of both required and optional configuration(s) in your payload using comments at the top of your payload or "inline" where applicable
Payloads should begin with comments specifying at the very least the name of the payload and author. Additional information such as a brief description, the target, any dependencies / prerequisites and the LED status used is helpful.
# Title: Example payload
# Description: Example payload with configuration options
# Author: Hak5
# Version: 1.0
# Category: Remote-Access
# Net Mode: NAT
#
# LED State Descriptions
# Magenta Solid - Configuring NETMODE
# LED OFF - Waiting for BUTTON
# Red Blink 2 Times - Connection Failed
# Amber Blink 5 Times - Connection Successful
# Red Blink 1 Time - Command Failed
# Cyan Blink 1 Time - Command Successful
Configurable options should be specified in variables at the top of the payload file:
# Options
SSH_USER="username"
SSH_HOST="hostname"
PORT=31337
"Staged payloads" are payloads that download code from some resource external to the payload.txt.
While staging code used in payloads is often useful and appropriate, using this (or another) github repository as the means of deploying those stages is not. This repository is not a CDN for deployment on target systems.
Staged code should be copied to and hosted on an appropriate server for doing so by the end user - Github and this repository are simply resources for sharing code among developers and users. See: GitHub acceptable use policies
Additionally, any source code that is intended to be staged (by the end user on the appropriate infrastructure) should be included in any payload submissions either in the comments of the payload itself or as a seperate file. Links to staged code are unacceptable; not only for the reasons listed above but also for version control and user safety reasons. Arbitrary code hidden behind some pre-defined external resource via URL in a payload could be replaced at any point in the future unbeknownst to the user -- potentially turning a harmless payload into something dangerous.
URLs used for retrieving staged code should refer exclusively to example.com using DEFINE in any payload submissions
Example scenario: your payload downloads a script and the executes it on a target machine.
- Include the script in the directory with your payload
- Provide instructions for the user to move the script to the appropriate hosting service.
- Provide a DEFINE with the placeholder example.com for the user to easily configure once they have hosted the script
Payloads from this repository are provided for educational purposes only. Hak5 gear is intended for authorized auditing and security analysis purposes only where permitted subject to local and international laws where applicable. Users are solely responsible for compliance with all laws of their locality. Hak5 LLC and affiliates claim no responsibility for unauthorized or unlawful use.
WiFi Pineapple and DuckyScript are the trademarks of Hak5 LLC. Copyright © 2010 Hak5 LLC. All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means without prior written permission from the copyright owner. WiFi Pineapple and DuckyScript are subject to the Hak5 license agreement (https://hak5.org/license) DuckyScript is the intellectual property of Hak5 LLC for the sole benefit of Hak5 LLC and its licensees. To inquire about obtaining a license to use this material in your own project, contact us. Please report counterfeits and brand abuse to legal@hak5.org. This material is for education, authorized auditing and analysis purposes where permitted subject to local and international laws. Users are solely responsible for compliance. Hak5 LLC claims no responsibility for unauthorized or unlawful use. Hak5 LLC products and technology are only available to BIS recognized license exception ENC favorable treatment countries pursuant to US 15 CFR Supplement No 3 to Part 740.
See also: