Wireless Attacks

53 tools

aircrack-ng is a suite of tools for auditing wireless networks, capable of cracking WEP and WPA-PSK keys from captured packets using statistical attacks and dictionary methods.

Multi-use bash script for Linux systems to audit wireless networks. It is a menu-driven wrapper around third-party tools with many features for wireless network auditing.

berate-ap is a script for orchestrating mana rogue Wi-Fi Access Points. It can also handle regular hostapd APs and create access points easily.

BlueHydra is a Bluetooth device discovery service built on top of the bluez library. It uses ubertooth where available to track both classic and low energy (LE) Bluetooth devices over time.

Bluelog is a Bluetooth scanner designed to quickly identify the number of discoverable devices in an area. It logs discovered devices to a file and can run unattended for long periods.

BlueRanger is a simple Bash script that uses Bluetooth Link Quality to locate devices by sending L2CAP pings. It determines proximity based on the strength of the connection without requiring authentication.

Bluesnarfer is a Bluetooth bluesnarfing utility that extracts data such as device information and phonebook entries from vulnerable Bluetooth-enabled devices. It targets weaknesses in Bluetooth implementations to access unauthorized information.

BlueZ is the official Linux Bluetooth protocol stack providing tools and daemons for Bluetooth device management, testing, and interaction. It includes utilities for scanning, connecting, configuring, and testing Bluetooth and BLE devices.

Ncurses-based scanner for Bluetooth devices that extracts detailed information without pairing. It monitors RSSI and link quality while providing educated guesses on device types using IEEE OUI and class lookup tables.

Bully is a WPS brute force attack tool that exploits design flaws in the WPS specification to recover wireless network PINs. It supports monitor mode interfaces and offers improved performance over previous implementations.

CHIRP is a free, open-source tool for programming amateur radios, supporting numerous manufacturers and models via interface cables. It handles various data formats and provides command-line utilities for radio configuration and memory management.

Brute-force dictionary attack tool for cracking WPA-PSK and WPA2-PSK passphrases using precomputed PMK hash files and packet captures containing 4-way handshakes.

crackle cracks and decrypts Bluetooth Low Energy (BLE) encryption by exploiting a flaw in the pairing process to guess or brute force the Temporary Key (TK). It recovers the Short Term Key (STK) and Long Term Key (LTK) to decrypt communications between BLE master and slave devices.

Cupid-WPA is a set of forked wireless tools patched to exploit the Heartbleed vulnerability over EAP-TLS tunneled protocols in wireless networks. It includes modified hostapd and wpa_supplicant binaries for setting up rogue APs or attacking legitimate ones.

Toolkit for targeted evil twin attacks against WPA2-Enterprise networks. Designed for full scope wireless assessments and red team engagements with minimal manual configuration.

Automated Wi-Fi cracker for recovering WEP/WPA/WPS keys. Performs wireless security auditing and network-based attacks on wireless or Ethernet networks.

Fluxion is a security auditing and social-engineering research tool that retrieves WPA/WPA2 keys from target access points via phishing attacks. It is a remake of linset with fewer bugs and more functionality, compatible with Kali Rolling.

FreeRadius Wireless Pawn Edition is a modified FreeRadius server for capturing credentials in wireless networks. It supports specific EAP types for authentication attacks.

GNU Radio is a software radio toolkit that provides signal processing blocks for implementing software-defined radios using low-cost RF hardware or simulation environments. It enables development of real-time radio systems through Python applications with C++ performance-critical paths.

Gqrx is a software defined radio receiver that works with hardware like RTL-SDR, HackRF, and Airspy. It supports AM/FM/SSB reception with audio output, FFT visualization, and AFSK1200 AX.25 decoding.

GNU Radio tool for blind IQ imbalance estimation and correction in quadrature receivers. Suppresses symmetrical images caused by IQ imbalance in the RX path.

GNU Radio blocks from the OsmoSDR project providing a common software API for various SDR hardware. Supports devices like RTL-SDR, HackRF, bladeRF, and USRP for spectrum analysis and signal generation.

HackRF is an open source Software Defined Radio peripheral that can receive and transmit between 30 MHz and 6 GHz with a 20 MHz bandwidth. It includes command line utilities for device configuration, transfer, and control.

Portable tools for capturing WLAN traffic and converting the captures to hashcat (recommended) or John the Ripper formats.

horst is a small, lightweight IEEE 802.11 WLAN analyzer with a text interface for debugging wireless LANs. It provides aggregated information like signal values per station, channel utilization, and spectrum analysis, optimized for quick overviews rather than deep packet inspection.

Featureful rogue access point first presented at Defcon 22. User space daemon for IEEE 802.11 AP management and IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator.

Modified hostapd for AP impersonation attacks to capture client credentials via IEEE 802.1X EAP methods. Logs authentication attempts including MSCHAPv2 challenges and responses for offline cracking.

inspectrum is a tool for visualising captured radio signals, primarily from software-defined radio receivers. It supports analysis through spectrograms, plots, and measurements of various signal file formats.

iw is a command line tool for configuring and showing information about Linux wireless devices using the nl80211 kernel interface. It supports modern wireless hardware and replaces the deprecated iwconfig tool.

kalibrate-rtl scans for GSM base stations in specified frequency bands and calculates the local oscillator frequency offset using those stations. It uses RTL-SDR devices to measure frequency errors for improved radio tuning accuracy.

Kismet is a wireless network and device detector, sniffer, wardriving tool, and WIDS framework that works with Wi-Fi, Bluetooth, SDR hardware like RTLSDR, and specialized capture hardware.

mdk3 is a proof-of-concept tool to exploit common IEEE 802.11 (Wi-Fi) protocol weaknesses. It performs various attacks including Authentication DoS, beacon flooding, deauthentication, and WPA TKIP denial-of-service.

mdk4 is a proof-of-concept tool to exploit common IEEE 802.11 protocol weaknesses. It supports various Wi-Fi attack modes including beacon flooding, deauthentication, and IDS evasion techniques.

OWL provides an open implementation of Apple's Wireless Direct Link (AWDL) ad hoc protocol for Linux and macOS. It enables AWDL functionality in user space using Linux's networking stack.

Pixiewps is an offline WPS brute-force tool that exploits low or non-existent entropy in some access points using the pixie dust attack. It recovers WPS PINs and the WPA-PSK from captured WPS handshake data.

Proximoth is a command-line tool that detects Wi-Fi devices in proximity vulnerable to Control Frame Attacks. It uses packet injection and sniffing to identify susceptible targets.

Proxmark3 is a firmware, flasher, and client tool for the Proxmark3 hardware device used in RFID and NFC research. It supports interacting with Proxmark3 RDV4.0 and older hardware revisions.

PSKracker is a collection of WPA/WPA2 default key generators and WPS PIN generators for testing and auditing wireless networks. It includes bleeding-edge algorithms written in C.

Reaver is a brute force attack tool against Wi-Fi Protected Setup PIN numbers. Once the WPS PIN is found, the WPA PSK can be recovered or the AP's wireless settings reconfigured.

RedFang locates non-discoverable Bluetooth devices by brute forcing the last six bytes of the Bluetooth address and performing read_remote_name operations. It is a proof-of-concept tool for finding hidden Bluetooth devices.

Router Keygen generates default WPA/WEP keys for various router models from major ISPs. It supports routers like Thomson, DLink, Pirelli, and many others based on SSID or MAC address.

Graphical Wi-Fi Analyzer for Linux providing a comprehensive GUI-based replacement for tools like inSSIDer and linssid. Integrates Wi-Fi, software-defined radio (HackRF), advanced Bluetooth tools, and GPS functionalities in one solution.

Ubertooth is an open source 2.4 GHz wireless development platform for Bluetooth experimentation, capable of sniffing BLE (Bluetooth Smart) connections and some Basic Rate (BR) Bluetooth Classic data. It includes a spectrum analyzer for the 2.4 GHz band.

Universal Hardware Driver for Ettus Research USRP software-defined radio devices. Provides host libraries, utilities, and Python support for device discovery, configuration, firmware loading, and hardware calibration.

UHD Images provides various firmware images for UHD-supported software-defined radios. It enables compatibility and operation of USRP devices within Kali Linux environments.

vwifi-dkms provides a minimal interface for dummy Wi-Fi networks, supporting scanning, connecting, and disconnecting. It enables Station Mode and Host AP Mode with WPA/WPA2 security using cfg80211 and FullMAC drivers.

Userspace driver for USB Wi-Fi NICs and the Hak5 Wi-Fi Coconut. Provides tools to manage and interact with Wi-Fi Coconut devices for wireless operations.

Wi-Fi honeypot that automates creating multiple monitor mode interfaces to broadcast fake access points and capture handshakes. Runs in a screen session for easy monitoring and pairs with airodump-ng to capture WPA/WPA2 four-way handshake packets for cracking.

Tool for automated phishing attacks against Wi-Fi networks to obtain secret passphrases or other credentials without brute forcing. It uses social engineering to trick users into entering WPA/WPA2 passphrases via fake captive portals or firmware upgrade pages.

Powerful framework for rogue access point attacks enabling man-in-the-middle operations over wireless networks. Includes subtools for captive portals, phishing pages, QR code attacks, and SSL stripping.

Wifite is a Python script that automates wireless auditing of WEP or WPA encrypted networks using aircrack-ng tools. It targets access points with customizable attacks including WPS, PMKID, and handshake capture.

WIG-NG is a utility for Wi-Fi device fingerprinting. It supports protocols like AWDL, CCX, HP Printers IE, Wi-Fi Direct, and WPS.

wpa-sycophant is a tool to relay phase 2 authentication attempts to access corporate wireless networks without cracking the password. It requires running a rogue access point to capture and relay legitimate user authentication attempts.