Wireless Attacks

Wireless attacks have become a very common security issue for networks. This is because an attacker who can capture traffic sent across a wireless network obtains a great deal of information, which can then be reused to commit crimes against other networks.

Airbase-ng Description

Airbase-ng is included in the aircrack-ng package. It is a multi-purpose tool aimed at attacking clients as opposed to the Access Point itself. Some of its many features are:

  • Implements the Caffe Latte WEP client attack
  • Implements the Hirte WEP client attack
  • Ability to cause the WPA/WPA2 handshake to be captured
  • Ability to act as an ad-hoc Access Point
  • Ability to act as a full Access Point
  • Ability to filter by SSID or client MAC addresses
  • Ability to manipulate and resend packets
  • Ability to encrypt sent packets and decrypt received packets

Aircrack-ng Description

Aircrack-ng is an 802.11 WEP and WPA-PSK key cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like the KoreK attacks, as well as the newer PTW attack, making the attack much faster compared to other WEP cracking tools.

Airdecap-ng and Airdecloak-ng Package Description

Airdecap-ng can decrypt WEP/WPA/WPA2 capture files and it can also be used to strip the wireless headers from an unencrypted wireless capture. It outputs a new file ending with -dec.cap, which is the decrypted/stripped version of the input file.

Airdecloak-ng removes WEP cloaking from a pcap file. It works by reading the input file and selecting packets from a specific network. Each selected packet is put into a list and classified (default status is “unknown”). Filters are then applied (in the order specified by the user) on this list. They will change the status of the packets (unknown, uncloaked, potentially cloaked or cloaked). The order of the filters is important as each filter will base its analysis amongst other things on the status of the packets and different orders will give different results.

Aireplay-ng Description

Aireplay-ng is included in the aircrack-ng package and is used to inject wireless frames. Its main role is to generate traffic for later use in aircrack-ng for cracking WEP and WPA-PSK keys. Aireplay-ng has many attacks that can deauthenticate wireless clients for the purpose of capturing WPA handshake data, fake authentications, interactive packet replay, hand-crafted ARP request injection, and ARP-request reinjection.

Airmon-ng Description

Airmon-ng is included in the aircrack-ng package and is used to enable and disable monitor mode on wireless interfaces. It may also be used to go back from monitor mode to managed mode.

Airodump-ng Package Description

Airodump-ng is included in the aircrack-ng package and is used for packet capturing of raw 802.11 frames. It is ideal for collecting WEP IVs for use with aircrack-ng. If you have a GPS receiver connected to the computer, airodump-ng can log the coordinates of the discovered access points.

airodump-ng-oui-update Description

airodump-ng-oui-update is a small utility included in the aircrack-ng package and is used to download the OUI list from the IEEE.

Airolib-ng Description

Airolib-ng is an aircrack-ng suite tool designed to store and manage essid and password lists, compute their Pairwise Master Keys (PMKs) and use them in WPA/WPA2 cracking. The program uses the lightweight SQLite3 database as the storage mechanism which is available on most platforms.

Airserv-ng Description

Airserv-ng is a wireless card server that allows multiple wireless application programs to independently use a wireless card via a client-server TCP network connection. All operating system and wireless card driver specific code is incorporated into the server. This eliminates the need for each wireless application to contain the complex wireless card and driver logic. It also supports multiple operating systems.

Airtun-ng Description

Airtun-ng is a virtual tunnel interface creator and is included in the aircrack-ng package. Airtun-ng has two basic functions:

  • Allow all encrypted traffic to be monitored for wireless Intrusion Detection System (wIDS) purposes
  • Inject arbitrary traffic into a network

In order to perform wIDS data gathering, you must have the encryption key and the bssid for the network you wish to monitor.

Asleap Package Description

Asleap demonstrates a serious deficiency in proprietary Cisco LEAP networks. Since LEAP uses a variant of MS-CHAPv2 for the authentication exchange, it is susceptible to accelerated offline dictionary attacks. Asleap can also attack the Point-to-Point Tunneling Protocol (PPTP), and any MS-CHAPv2 exchange where you can specify the challenge and response values on the command line.

Besside-ng Description

Besside-ng is a tool like Wesside-ng, but it also supports WPA encryption. It will automatically crack all the WEP networks in range and log the WPA handshakes.

Bluelog Package Description

Bluelog is a Linux Bluetooth scanner with optional daemon mode and web front-end, designed for site surveys and traffic monitoring. It’s intended to be run for long periods of time in a static location to determine how many discoverable Bluetooth devices there are in the area.

BlueMaho Package Description

BlueMaho is a GUI shell (interface) for a suite of tools for testing the security of Bluetooth devices. It is freeware, open source, written in Python, and uses wxPython. It can be used to test BT devices for known vulnerabilities and, its main purpose, to test for unknown vulnerabilities. It can also produce statistics.

Features:

  • scan for devices, show advanced info, SDP records, vendor etc.
  • track devices – show where and how many times a device was seen, and its name changes
  • loop scan – it can scan continuously, showing you online devices
  • alerts with sound if a new device is found
  • on_new_device – you can specify what command it should run when it finds a new device
  • it can use separate dongles – one for scanning (loop scan) and one for running tools or exploits
  • send files
  • change name, class, mode, BD_ADDR of local HCI devices
  • save results in a database
  • produce statistics (unique devices by day/hour, vendors, services etc.)
  • test remote device for known vulnerabilities (see exploits for more details)
  • test remote device for unknown vulnerabilities (see tools for more details)
  • themes! you can customize it

Bluepot Package Description

Bluepot is a Bluetooth honeypot written in Java; it runs on Linux.

Bluepot was a third year university project attempting to implement a fully functional Bluetooth honeypot: a piece of software designed to accept and store any malware sent to it and to interact with common Bluetooth attacks such as BlueBugging and BlueSnarfing. Bluetooth connectivity is provided via hardware Bluetooth dongles.

The system also allows monitoring of attacks via a graphical user interface that provides graphs, lists, a dashboard and further detailed analysis from log files.

BlueRanger Package Description

BlueRanger is a simple Bash script which uses Link Quality to locate Bluetooth device radios. It sends l2cap (Bluetooth) pings to create a connection between Bluetooth interfaces, since most devices allow pings without any authentication or authorization. The higher the link quality, the closer the device (in theory).

Use a Bluetooth Class 1 adapter for long range location detection. Switch to a Class 3 adapter for more precise short range locating. The precision and accuracy depend on the build quality of the Bluetooth adapter, interference, and the response from the remote device. Fluctuations may occur even when neither device is in motion.

Bluesnarfer Package Description

Bluesnarfer is a Bluetooth bluesnarfing utility.

Bully Package Description

Bully is a new implementation of the WPS brute force attack, written in C. It is conceptually identical to other programs, in that it exploits the (now well known) design flaw in the WPS specification. It has several advantages over the original reaver code. These include fewer dependencies, improved memory and cpu performance, correct handling of endianness, and a more robust set of options. It runs on Linux, and was specifically developed to run on embedded Linux systems (OpenWrt, etc) regardless of architecture.

Bully provides several improvements in the detection and handling of anomalous scenarios. It has been tested against access points from numerous vendors, and with differing configurations, with much success.

coWPAtty Package Description

coWPAtty is an implementation of an offline dictionary attack against WPA/WPA2 networks using PSK-based authentication (e.g. WPA-Personal). Many enterprise networks deploy PSK-based authentication mechanisms for WPA/WPA2 since it is much easier than establishing the RADIUS, supplicant and certificate authority architecture needed for WPA-Enterprise authentication. coWPAtty can run an accelerated attack if a precomputed PMK file is available for the SSID being assessed.

crackle Package Description

crackle exploits a flaw in the BLE pairing process that allows an attacker to guess or very quickly brute force the TK (Temporary Key). With the TK and other data collected from the pairing process, the STK (Short Term Key) and later the LTK (Long Term Key) can be collected.

With the STK and LTK, all communications between the master and the slave can be decrypted.

eapmd5pass Package Description

EAP-MD5 is a legacy authentication mechanism that does not provide sufficient protection for user authentication credentials. Users who authenticate using EAP-MD5 subject themselves to an offline dictionary attack vulnerability. This tool reads from a live network interface in monitor-mode, or from a stored libpcap capture file, and extracts the portions of the EAP-MD5 authentication exchange. Once the challenge and response portions have been collected from this exchange, eapmd5pass will mount an offline dictionary attack against the user’s password.

Easside-ng Description

Easside-ng is an auto-magic tool which allows you to communicate via a WEP-encrypted access point (AP) without knowing the WEP key. It first identifies a network, then proceeds to associate with it, obtains PRGA (pseudo random generation algorithm) xor data, determines the network IP scheme and then sets up a TAP interface so that you can communicate with the AP without requiring the WEP key. All this is done without your intervention.

Fern Wifi Cracker Package Description

Fern Wifi Cracker is a wireless security auditing and attack program written in Python using the Python Qt GUI library. The program is able to crack and recover WEP/WPA/WPS keys and also run other network based attacks on wireless or ethernet based networks.

Fern Wifi Cracker currently supports the following features:

  • WEP Cracking with Fragmentation, Chop-Chop, Caffe-Latte, Hirte, ARP Request Replay or WPS attack
  • WPA/WPA2 Cracking with Dictionary or WPS based attacks
  • Automatic saving of key in database on successful crack
  • Automatic Access Point Attack System
  • Session Hijacking (Passive and Ethernet Modes)
  • Access Point MAC Address Geo Location Tracking
  • Internal MITM Engine
  • Bruteforce Attacks (HTTP, HTTPS, TELNET, FTP)
  • Update Support

freeradius-wpe Package Description

freeradius-wpe is a patch for the popular open-source FreeRADIUS implementation, by Joshua Wright and Brad Antoniewicz, that demonstrates RADIUS impersonation vulnerabilities. This patch adds the following functionality:

  • Simplifies the setup of FreeRADIUS by adding all RFC1918 addresses as acceptable NAS devices;
  • Simplifies the setup of EAP authentication by including support for all FreeRADIUS supported EAP types;
  • Adds WPE logging in $prefix/var/log/radius/freeradius-server-wpe.log, can be controlled in radius.conf by changing the “wpelogfile” directive;
  • Simplified the setup of user authentication with a default “users” file that accepts authentication for any username;
  • Adds credential logging for multiple EAP types including PEAP, TTLS, LEAP, EAP-MD5, EAP-MSCHAPv2, PAP, CHAP and others

Ghost Phisher Package Description

Ghost Phisher is a wireless and Ethernet security auditing and attack program written in Python using the Python Qt GUI library. The program is able to emulate access points and deploy.

Ghost Phisher currently supports the following features:

  • HTTP Server
  • Inbuilt RFC 1035 DNS Server
  • Inbuilt RFC 2131 DHCP Server
  • Webpage Hosting and Credential Logger (Phishing)
  • Wifi Access point Emulator
  • Session Hijacking (Passive and Ethernet Modes)
  • ARP Cache Poisoning (MITM and DOS Attacks)
  • Penetration using Metasploit Bindings
  • Automatic credential logging using SQlite Database
  • Update Support

GISKismet Package Description

GISKismet is a wireless recon visualization tool to represent data gathered using Kismet in a flexible manner. GISKismet stores the information in a database so that the user can generate graphs using SQL. GISKismet currently uses SQLite for the database and GoogleEarth / KML files for graphing.

Gqrx Package Description

Gqrx is a software defined radio receiver powered by the GNU Radio SDR framework and the Qt graphical toolkit. Gqrx supports much of the SDR hardware available, including Funcube Dongles, rtl-sdr, HackRF and USRP devices. See supported devices for a complete list. Gqrx is free and hacker friendly software. It comes with source code licensed under the GNU General Public License, allowing anyone to fix and modify it for whatever use. Currently it works on Linux and Mac and supports the following devices:

  • Funcube Dongle Pro and Pro+
  • RTL2832U-based DVB-T dongles (rtlsdr via USB and TCP)
  • OsmoSDR
  • USRP
  • HackRF Jawbreaker
  • Nuand bladeRF
  • any other device supported by the gr-osmosdr library

The latest stable version of Gqrx is 2.2. It is available for Linux, FreeBSD and Mac and offers the following features:

  • Discover devices attached to the computer.
  • Process I/Q data from the supported devices.
  • Change frequency, gain and apply various corrections (frequency, I/Q balance).
  • AM, SSB, FM-N and FM-W (mono and stereo) demodulators.
  • Special FM mode for NOAA APT.
  • Variable band pass filter.
  • AGC, squelch and noise blankers.
  • FFT plot and waterfall.
  • Record and playback audio to / from WAV file.
  • Spectrum analyzer mode where all signal processing is disabled.

gr-scan Package Description

gr-scan is a program written in C++, built upon GNU Radio, rtl-sdr, and the OsmoSDR Source Block. It is intended to scan a range of frequencies and print a list of discovered signals. It should work with any device that works with that block, including Realtek RTL2832U devices. This software was developed using a Compro U620F, which uses an E4000 tuner. That product does not seem to be available on the US site, but the Newsky DVB-T Receiver (RTL2832U/E4000 device) has good reviews.

hostapd-wpe Package Description

hostapd-wpe is the replacement for FreeRADIUS-WPE.

It implements IEEE 802.1x Authenticator and Authentication Server impersonation attacks to obtain client credentials, establish connectivity to the client, and launch other attacks where applicable.

hostapd-wpe supports the following EAP types for impersonation:

  • EAP-FAST/MSCHAPv2 (Phase 0)
  • PEAP/MSCHAPv2
  • EAP-TTLS/MSCHAPv2
  • EAP-TTLS/MSCHAP
  • EAP-TTLS/CHAP
  • EAP-TTLS/PAP

Once impersonation is underway, hostapd-wpe will return an EAP-Success message so that the client believes they are connected to their legitimate authenticator.

For 802.11 clients, hostapd-wpe also implements Karma-style gratuitous probe responses. Inspiration for this was provided by JoMo-Kun’s patch for older versions of hostapd.

ivstools Description

ivstools is included in the aircrack-ng package and is used to merge and convert .ivs files.

kalibrate-rtl Package Description

Kalibrate, or kal, can scan for GSM base stations in a given frequency band and can use those GSM base stations to calculate the local oscillator frequency offset.

KillerBee Package Description

KillerBee is a Python based framework and tool set for exploring and exploiting the security of ZigBee and IEEE 802.15.4 networks. Using KillerBee tools and a compatible IEEE 802.15.4 radio interface, you can eavesdrop on ZigBee networks, replay traffic, attack cryptosystems and much more. Using the KillerBee framework, you can build your own tools, implement ZigBee fuzzing, emulate and attack end-devices, routers and coordinators and much more.

Kismet Package Description

Kismet is an 802.11 layer-2 wireless network detector, sniffer, and intrusion detection system. It will work with any wireless card that supports raw monitoring (rfmon) mode, and can sniff 802.11a/b/g/n traffic. It can use other programs to play audio alarms for network events, read out network summaries, or provide GPS coordinates. This is the main package containing the core, client, and server.

makeivs-ng Description

makeivs-ng is part of the aircrack-ng package and is used to generate an IVS dump file with a given WEP key. The aim of the tool is to provide a way to create dumps with a known encryption key for testing.

mdk3 Package Description

MDK is a proof-of-concept tool to exploit common IEEE 802.11 protocol weaknesses. IMPORTANT: It is your responsibility to make sure you have permission from the network owner before running MDK against it.

mfcuk Package Description

mfcuk is a toolkit containing samples and various tools based on and around libnfc and crapto1, with emphasis on Mifare Classic NXP/Philips RFID cards. The toolkit places special emphasis on the following:

  • mifare classic weakness demonstration/exploitation
  • demonstrate use of libnfc (and ACR122 readers)
  • demonstrate use of Crapto1 implementation to confirm internal workings and to verify theoretical/practical weaknesses/attacks

mfoc Package Description

MFOC is an open source implementation of the “offline nested” attack by Nethemba.

This program allows recovery of authentication keys from MIFARE Classic cards.

Please note that MFOC is able to recover keys from a target only if it has one known key: either a default one (hardcoded in MFOC) or a custom one (provided by the user on the command line).

mfterm Package Description

mfterm is a terminal interface for working with Mifare Classic tags.

Tab completion on commands is available. Also, commands that have file name arguments provide tab completion on files. There is also a command history, like in most normal shells.

Multimon-NG Package Description

Multimon-NG is a fork of multimon. It decodes the following digital transmission modes:

  • POCSAG512 POCSAG1200 POCSAG2400
  • EAS
  • UFSK1200 CLIPFSK AFSK1200 AFSK2400 AFSK2400_2 AFSK2400_3
  • HAPN4800
  • FSK9600
  • DTMF
  • ZVEI1 ZVEI2 ZVEI3 DZVEI PZVEI
  • EEA EIA CCIR
  • MORSE CW

Packetforge-ng Description

The purpose of packetforge-ng is to create encrypted packets that can subsequently be used for injection. You may create various types of packets such as arp requests, UDP, ICMP and custom packets. The most common use is to create ARP requests for subsequent injection.

PixieWPS Package Description

Pixiewps is a tool written in C used to brute-force the WPS PIN offline, exploiting the low or non-existent entropy of some APs (the pixie dust attack). It is meant for educational purposes only. All credit for the research goes to Dominique Bongard.

Features:

  • Checksum optimization: it first tries only PINs with a valid checksum (11,000 of them);
  • Reduced entropy of the seed from 32 to 25 bits for the C LCG pseudo-random function;
  • Small Diffie-Hellman keys: no need to specify the Public Registrar Key if the same option is used with Reaver.

The program will first try with E-S0 = E-S1 = 0, then it will try to brute-force the seed of the PRNG if the --e-nonce option is specified.

pyrit Package Description

Pyrit allows you to create massive databases of the pre-computed WPA/WPA2-PSK authentication phase as a space-time trade-off. By using the computational power of multi-core CPUs and other platforms through ATI-Stream, Nvidia CUDA and OpenCL, it is currently by far the most powerful attack against one of the world’s most used security protocols.

Reaver Package Description

Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases, as described in http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf.

Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.

On average Reaver will recover the target AP’s plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS PIN and recover the passphrase.

redfang Package Description

RedFang is a small proof-of-concept application to find non-discoverable Bluetooth devices. This is done by brute forcing the last six (6) bytes of the device's Bluetooth address and calling read_remote_name().

RTLSDR Scanner Package Description

RTLSDR Scanner is a cross platform Python frequency scanning GUI for USB TV dongles, using the OsmoSDR rtl-sdr library. In other words, a cheap, simple spectrum analyser.

The scanner attempts to overcome the tuner’s frequency response by averaging scans from both the positive and negative frequency offsets of the baseband data.

Spooftooph Package Description

Spooftooph is designed to automate spoofing or cloning Bluetooth device information, making a Bluetooth device hide in plain sight.

Features:

  • Clone and log Bluetooth device information
  • Generate a random new Bluetooth profile
  • Change Bluetooth profile every X seconds
  • Specify device information for Bluetooth interface
  • Select device to clone from scan log

Tkiptun-ng Description

Tkiptun-ng is the proof-of-concept implementation of the WPA/TKIP attack. This attack is described in the paper Practical attacks against WEP and WPA, written by Martin Beck and Erik Tews. The paper describes advanced attacks on WEP and the first practical attack on WPA.

Wesside-ng Description

Wesside-ng is an auto-magic tool which incorporates a number of techniques to seamlessly obtain a WEP key in minutes. It first identifies a network, then proceeds to associate with it, obtains PRGA (pseudo random generation algorithm) xor data, determines the network IP scheme, reinjects ARP requests and finally determines the WEP key. All this is done without your intervention.

Wifi Honey Package Description

Wifi Honey is a script that creates five monitor mode interfaces: four are used as APs and the fifth is used for airodump-ng. To make things easier, rather than having five windows, all of this is done in a screen session which allows you to switch between screens to see what is going on. All sessions are labelled so you know which is which.

wifiphisher Package Description

Wifiphisher is a security tool that mounts automated phishing attacks against Wi-Fi networks in order to obtain credentials or infect the victims with ‘malware’. It is a social engineering attack that can be used to obtain WPA/WPA2 secret passphrases and unlike other methods, it does not require any brute forcing. After achieving a man-in-the-middle position using the Evil Twin attack, Wifiphisher redirects all HTTP requests to an attacker-controlled phishing page.

From the victim’s perspective, the attack takes place in three phases:

  • Victim is deauthenticated from their access point.
  • Victim joins a rogue access point. Wifiphisher sniffs the area and copies the target access point settings.
  • Victim is served a realistic specially-customized phishing page.

Wifitap Package Description

Wifitap is a proof of concept for communication over WiFi networks using traffic injection.

Wifitap allows any application to send and receive IP packets using 802.11 traffic capture and injection over a WiFi network, simply by configuring wj0, which means:

  • setting an IP address consistent with the target network address range
  • routing desired traffic through it

In particular, it is a cheap method for injecting arbitrary packets in 802.11 frames without a specific library.

In addition, it allows one to get rid of any limitation set at the access point level, such as bypassing inter-client communication prevention systems (e.g. Cisco PSPF) or reaching multiple SSIDs handled by the same access point.

Wifite Package Description

Wifite attacks multiple WEP, WPA, and WPS encrypted networks in a row. This tool is customizable and can be automated with only a few arguments. Wifite aims to be the “set it and forget it” wireless auditing tool.

Features:

  • sorts targets by signal strength (in dB); cracks closest access points first
  • automatically de-authenticates clients of hidden networks to reveal SSIDs
  • numerous filters to specify exactly what to attack (wep/wpa/both, above certain signal strengths, channels, etc)
  • customizable settings (timeouts, packets/sec, etc)
  • “anonymous” feature; changes MAC to a random address before attacking, then changes back when attacks are complete
  • all captured WPA handshakes are backed up to wifite.py’s current directory
  • smart WPA de-authentication; cycles between all clients and broadcast deauths
  • stop any attack with Ctrl+C, with options to continue, move onto next target, skip to cracking, or exit
  • displays session summary at exit; shows any cracked keys
  • all passwords saved to cracked.txt

wpaclean Description

wpaclean is a small utility included in the aircrack-ng package that is used to clean capture files to get only the 4-way handshake and a beacon.