From charlesreid1

Revision as of 13:51, 19 June 2026 by Admin (Expand page: add detailed sections on Karma attacks (Classic, Modern, MANA), Wireless Pineapple, defenses, and tools table)

Karma is a tool and technique for carrying out wireless Rogue AP attacks. Karma exploits the Wi-Fi probe request mechanism built into virtually every wireless device. When your phone, laptop, or IoT gadget has Wi-Fi turned on, it continuously broadcasts probe requests asking "Is network X here? Is network Y here?" — naming every SSID stored in its Preferred Network List (PNL). Karma listens for those probes and answers all of them, instantly impersonating whatever network each device is looking for.

Karma, together with SSLStrip, is an integral part of the Hak5 Wifi Pineapple. When you see a Pineapple grab the name of a network your device remembers and change its name to that network — that's Karma, bitch.

How Karma Works

Probe Requests

Every Wi-Fi client with auto-connect enabled periodically transmits 802.11 probe request frames containing the SSIDs of networks it has previously connected to. This is how your phone finds "HomeWiFi" or "CoffeeShop_WiFi" without you manually selecting it. Over time, a typical device accumulates dozens of SSIDs — every coffee shop, hotel, airport, gym, and friend's house you've ever joined.

The vulnerability lies in a fundamental gap in the 802.11 protocol: probe requests are unauthenticated. Any access point can claim to be any network, and the client has no way to verify the claim before associating.

The Karma Mechanism

A Karma-enabled rogue AP operates in three steps:

  1. The rogue AP listens passively, capturing every probe request from every nearby device.
  2. For each probe request received, the AP immediately responds with a matching beacon frame, claiming to be that SSID.
  3. The client device, recognizing a "known" network, automatically associates and obtains a DHCP lease from the attacker's DHCP server.

At this point the attacker controls the network layer: they are the default gateway for all victim traffic. The classic reference implementation is hostapd-karma, a modified version of the standard hostapd daemon.

Karma Attacks

Classic Karma

The original Karma attack was identified around 2004–2005 by Dino Dai Zovi and Shane Macaulay. Classic Karma exploits active probe requests — the client shouts the names of every network it remembers, and the rogue AP echoes back a beacon for every single one. The attack requires zero prior knowledge of the victim's preferred networks.

Unlike an Evil Twin attack, which clones one specific known SSID, Karma captures every device in range that's probing for any open network — simultaneously. At a crowded airport, a conference, or a public square, dozens of devices can be ensnared at once.

Modern Karma / SSID Dictionary Attack

Modern operating systems — iOS 14+, Android 10+, and recent versions of Windows — have reduced directed probe request verbosity. Instead of broadcasting every SSID in the PNL, they rely more heavily on passive scanning: waiting to hear a beacon before associating, rather than actively probing.

However, the Auto-Connect flag remains enabled by default on nearly all platforms. If an attacker can guess or enumerate an SSID in the victim's PNL, simply broadcasting a beacon with that SSID causes the device to associate automatically. Common SSIDs like "attwifi", "Starbucks WiFi", "DeltaWiFi", or "linksys" are highly effective. This is sometimes called a dictionary attack against the PNL.

MANA (Modified Advanced Next-generation Attack)

MANA, developed by Dominic White and Ian de Villiers and presented at DEF CON 22 (2014), extends Karma to defeat passive-scanning countermeasures. MANA introduces:

  • Loud Mode: The rogue AP actively broadcasts beacons for every SSID it has ever seen in any probe request, enticing passive-scanning clients that never probed.
  • Stealth Mode: Selective response; the AP only responds to probes for SSIDs it has previously captured, reducing noise and evading WIDS.
  • Hybrid Mode: Combines loud and stealth behaviors for different environmental conditions.

MANA also supports EAP credential harvesting (via the WPE — Wireless Pwnage Edition), device fingerprinting (Snoopy), and mass-client handling. See the hostapd-mana project.

Post-Connection Exploitation

Once a victim associates with the Karma AP, the attacker has a full Man-in-the-Middle (MITM) position and can apply:

  • Traffic interception — Unencrypted HTTP traffic, DNS queries, and session cookies are readable in plaintext.
  • SSL stripping — SSLStrip downgrades HTTPS connections to HTTP by intercepting the initial request before the browser enforces HTTPS.
  • DNS manipulation — Redirecting banking sites, corporate portals, or cloud services to phishing pages.
  • Captive portal injection — Serving a fake captive portal to harvest credentials for Wi-Fi, SSO, or email.

Applications using certificate pinning, HSTS-preloaded domains, end-to-end encryption (Signal, WhatsApp), or VPN tunnels are significantly more resistant.

Wireless Pineapple

The WiFi Pineapple is a dedicated hardware platform by Hak5 that brought Karma attacks from a specialized technique to a point-and-click operation. Originally released in 2008, the Pineapple made Karma accessible to penetration testers, security researchers, and red teams through a web-based interface.

Pineapple Generations

The platform has evolved through seven major hardware revisions:

  • Mark I–III (2008–2010) — Early experimental builds based on the Fonera router.
  • Mark IV (2011) — First widely-adopted model; on-board Karma support in the Jasager firmware.
  • Mark V (2014) — Dual-radio; introduced the PineAP suite, the successor to standalone Karma.
  • Mark VI — NANO / TETRA (2016) — Compact form factor (NANO) and high-power variant (TETRA); refined PineAP with Dogma module.
  • Mark VII (2021) — Gigabit Ethernet, 5 GHz support, and expanded module ecosystem.

PineAP Suite

Starting with the Mark V, the Pineapple's Karma capabilities evolved into the PineAP suite, a modular framework that subsumes Karma:

  • Log Probes — Continuously sniffs and logs all probe request frames from nearby clients.
  • PineAP Daemon — Responds to probe requests as Karma did, but with refined targeting and timing controls.
  • Dogma — Aggressively broadcasts beacons for all previously-seen SSIDs (the loud approach from MANA).
  • Beacon Response — Responds individually to probes with matching beacons.
  • Capture — Harvests handshake frames for offline cracking.

The Pineapple's combination of Karma, SSLStrip, and a captive-portal engine makes it a complete rogue-AP platform in a pocket-sized device. For full details, see the Wireless Pineapple page.

Defenses

Client-Side Mitigations

  • Disable auto-connect for open (unencrypted) networks. This is the single most effective OS-level control. On iOS: Settings → Wi-Fi → toggle "Auto-Join" off for untrusted networks. On Android and Windows, uncheck "Connect automatically" when joining networks.
  • Audit and prune your Preferred Network List. Remove SSIDs for public or one-time networks you no longer use.
  • Use an always-on VPN. Even if the device connects to a Karma AP, the VPN tunnel encrypts all traffic before it reaches the attacker's gateway.
  • Prefer WPA3 networks. WPA3's Simultaneous Authentication of Equals (SAE) and forward secrecy make impersonation substantially harder.
  • Enable MAC address randomization (default on modern iOS and Android) to reduce device tracking.

Enterprise Defenses

  • Deploy 802.1X / EAP authentication so that simply impersonating an SSID is insufficient — the rogue AP must also present valid credentials or certificates that it does not possess.
  • Use Wireless Intrusion Detection Systems (WIDS) such as Cisco CleanAir or Aruba RFProtect to monitor for Karma signatures: a single device responding to probes for multiple different SSIDs, or association events from devices connecting to an unknown BSSID.
  • Configure MDM-enrolled devices with strict Wi-Fi profiles that only permit connection to pre-configured, verified networks.
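As an added example (not code from this page, hostapd-karma or the Pineapple), the following Python parses constructed 802.11 management frames and applies the WIDS signature above, one transmitter answering probes for many different SSIDs, to flag a Karma-style AP; the same parser also lists the SSIDs a client leaks from its PNL in directed probe requests, the mechanism described under The Karma Mechanism. All MAC addresses, SSIDs and the threshold are constructed assumptions.

```python
import struct
PROBE_REQ, PROBE_RESP, BEACON = 0x4, 0x5, 0x8  # 802.11 management subtypes (type 0)

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_mgmt(subtype, src, dst, bssid, ssid):
    """Build a minimal management frame carrying one SSID tag (constructed test data)."""
    fc = struct.pack("<H", subtype << 4)  # protocol version 0, type 0 = management
    hdr = fc + b"\x00\x00" + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid) + b"\x00\x00"
    fixed = b"" if subtype == PROBE_REQ else struct.pack("<QHH", 0, 100, 0x0401)  # ts, interval, cap
    ssid_tag = bytes([0, len(ssid)]) + ssid.encode()  # tag 0 = SSID
    return hdr + fixed + ssid_tag + b"\x01\x01\x82"     # tag 1 = supported rates (1 Mbps)

def parse_mgmt(frame):
    """Return (subtype, transmitter MAC, SSID) for a management frame, else None."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3:  # frame type != 0: not a management frame
        return None
    subtype = (fc >> 4) & 0xF
    src = ":".join(f"{b:02x}" for b in frame[10:16])  # addr2 = transmitter
    tags, pos = {}, 24 + (0 if subtype == PROBE_REQ else 12)  # header (+12 fixed bytes for resp/beacon)
    while pos + 2 <= len(frame):  # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        tags[tag] = frame[pos + 2:pos + 2 + length]
        pos += 2 + length
    return subtype, src, tags.get(0, b"").decode(errors="replace")

def ssids_by_transmitter(frames, subtypes):
    """Map transmitter MAC -> sorted SSIDs it named in frames of the given subtypes."""
    seen = {}
    for frame in frames:
        parsed = parse_mgmt(frame)
        if parsed and parsed[0] in subtypes and parsed[2]:  # skip wildcard (empty) SSIDs
            seen.setdefault(parsed[1], set()).add(parsed[2])
    return {mac: sorted(s) for mac, s in seen.items()}

def find_karma_aps(frames, threshold=3):
    """Karma signature: one transmitter answering probes for many different SSIDs."""
    hits = ssids_by_transmitter(frames, (PROBE_RESP, BEACON))
    return {mac: s for mac, s in hits.items() if len(s) >= threshold}

# Constructed capture: a legitimate AP, a client probing its PNL, a rogue answering every probe
CLIENT, LEGIT, ROGUE = "02:00:00:00:00:01", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01"
BCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = [build_mgmt(BEACON, LEGIT, BCAST, LEGIT, "CoffeeShop_WiFi"),
                 build_mgmt(PROBE_REQ, CLIENT, BCAST, BCAST, "")]  # wildcard probe, no SSID
for name in ("HomeWiFi", "attwifi", "linksys", "CoffeeShop_WiFi"):
    SAMPLE_FRAMES.append(build_mgmt(PROBE_REQ, CLIENT, BCAST, BCAST, name))
    SAMPLE_FRAMES.append(build_mgmt(PROBE_RESP, ROGUE, CLIENT, ROGUE, name))
```

Running `find_karma_aps(SAMPLE_FRAMES)` flags only the rogue transmitter, while `ssids_by_transmitter(SAMPLE_FRAMES, (PROBE_REQ,))` shows exactly what the client's directed probes gave away.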

Tools

Tool             Type                 Capability
hostapd-karma    Daemon               Original Karma reference implementation; responds to all probes
hostapd-mana     Daemon               Full MANA feature set: loud/stealth modes, EAP credential harvesting (WPE), Snoopy device tracking
wifiphisher      Framework            Rogue AP + phishing portal with multiple attack scenarios
WiFi Pineapple   Hardware + Software  Dedicated pentest platform with PineAP/Dogma suite
FruityWiFi       Web interface        Web-UI-driven rogue AP for Raspberry Pi and Debian
airbase-ng       Tool                 Part of the aircrack-ng suite; supports basic Karma-style probe responses
