WiFi Testing Tools¶

reaver¶

Focused on WPA2 PMKID/EAPOL capture and conversion to cracking formats.

Command	Action
`-i <iface>`	Select interface (hcxdumptool will set monitor mode/MAC/channel).
`-w <file.pcapng>`	Write capture to pcapng (no overwrite).
`-c <ch><band>`	Set channel with band letter, e.g. `1a` (2.4 GHz), `36b` (5 GHz).
`-f <freqMHz>`	Set exact frequency, e.g. `2412`, `5180`.
`-F`	Hop all frequencies supported by the interface (discovery).
`-t <sec>`	Minimum dwell time per channel (default 5).
`--rcascan=p`	Passive discovery scan (no TX).
`--rcascan=a`	Active discovery scan (sends undirected probe requests).
`--rds=3`	Real‑time display with APs and clients during scan/capture.
`--exitoneapol=1`	Stop after first PMKID (AP‑originated).
`--exitoneapol=2`	Stop after first authorized 4‑way handshake (M1M2M3).
`--disable_disassociation`	Don’t send DISASSOC frames (PMKID‑only style).
`--associationmax 0`	Disable association attempts entirely.
`--bpfc="<tcpdump filter>"`	Compile a BPF from a filter string to stdout.
`--bpf=<file>`	Load compiled BPF (from `--bpfc` or `tcpdump -ddd`).
`-I <iface>`	Show detailed interface capabilities and exit.
`-L`	List physical interfaces and exit.
`-m <iface>`	Put interface into monitor mode and exit.

Command	Action
`-o <file.22000>`	Convert to Hashcat 22000 (combined PMKID+EAPOL) hash file.
`-E <file>`	Extract ESSIDs seen into a wordlist (autohex on non‑ASCII).
`-R <file>`	Extract probed SSIDs (from PROBEREQUESTs) into a wordlist.
`-I <file>`	Extract identities (EAP IDs) to a list.
`-U <file>`	Extract usernames (e.g., from EAP/MSCHAPv2) to a list.
`-D <file>`	Write device info list (MAC, vendor, model, serial, ESSID).
`--csv=<file>`	Write AP summary in CSV (time, BSSID, ESSID, ENC/AKM, channel, RSSI, GPS if present).
`--log=<file>`	Write processing log.
`--all`	Output all candidate hashes (not only the best); expect duplicates/overhead—filter later.
`--eapoltimeout=<ms>`	Set EAPOL timeout window (default 5000).
`--nonce-error-corrections=<n>`	Allow nonce error correction (default 0; >0 can yield uncrackable lines).
`--ignore-ie`	Ignore CIPHER/AKM checks and convert anyway (risky; may produce invalid hashes).
`--max-essids=<n>`	Keep up to n ESSIDs if the AP changes ESSID (default 1 = pick highest‑ranked).
`--add-timestamp`	Append date/time and EAPOL time‑gap to each hash line (strip before feeding hashcat).
`--prefix=<base>`	Emit multiple outputs at once using a common prefix (.22000, .essid, .identity, .username, etc.).
`--pmkid-client=<file>`	Output PMKID from client/mesh/repeater frames to 22000 file.
`-h` / `--help`	Show help.
`-v` / `--version`	Show version.

Command	Action
`airmon-ng start wlan0 <channel_#>`	Enable monitor mode on the interface and set the channel.
`airmon-ng stop wlan0 <channel_#>`	Disable monitor mode on the interface.
`airmon-ng check kill`	Kill processes that interfere with monitor mode (e.g., NetworkManager).

More info: https://www.aircrack-ng.org/doku.php?id=airmon-ng

Command	Action
`airodump-ng <iface_mon>`	Scan all channels (hopping) and list APs and clients.
`airodump-ng --channel <ch> <iface_mon>`	Lock to a single channel for focused capture.
`airodump-ng --channel <ch1>,<ch2> <iface_mon>`	Lock to a list of channels.
`airodump-ng --channel <start>-<end> <iface_mon>`	Lock to a channel range.
`airodump-ng --write <outfile> <iface_mon>`	Save capture files (cap, csv, etc.).
`airodump-ng --output-format pcap --write <outfile> <iface_mon>`	Save packets in PCAP format for external tools.
`airodump-ng --bssid <BSSID> --channel <ch> --write <outfile> <iface_mon>`	Target one AP and its clients while capturing to disk.
`airodump-ng --essid "<SSID>" --channel <ch> <iface_mon>`	Filter view/capture to a specific SSID on a channel.

Command	Action
`aireplay-ng -0 5 -a <AP_MAC> -c <CLIENT_MAC> <iface_mon>`	Deauthenticate a specific client (send 5 deauth frames).
`aireplay-ng -0 5 -a <AP_MAC> <iface_mon>`	Broadcast deauth all clients from an AP.
`aireplay-ng -1 0 -a <AP_MAC> -h <OUR_MAC> <iface_mon>`	Fake authenticate to AP (open/WEP).
`aireplay-ng -3 -b <AP_MAC> -h <OUR_MAC> <iface_mon>`	ARP request replay (generate traffic; speeds WEP key recovery).
`aireplay-ng -2 -r <packets.pcap> -b <AP_MAC> <iface_mon>`	Interactive packet replay from a capture file.
`aireplay-ng -4 -b <AP_MAC> -h <OUR_MAC> <iface_mon>`	ChopChop attack (recover keystream bytes; WEP).
`aireplay-ng -5 -b <AP_MAC> -h <OUR_MAC> <iface_mon>`	Fragmentation attack (forge/inject packets; WEP).
`aireplay-ng -6 -b <AP_MAC> -h <OUR_MAC> <iface_mon>`	Caffe-Latte attack (client-side WEP key recovery).
`aireplay-ng -9 -a <AP_MAC> <iface_mon>`	Injection test against AP.

Command	Action
`dumpcap -D`	List available capture interfaces.
`dumpcap -i <iface> -w <outfile.pcapng>`	Capture on an interface and write to file.
`dumpcap -i <iface> -f "<bpf_filter>" -w <outfile.pcapng>`	Capture with a BPF filter (e.g., `wlan type data`).
`dumpcap -i <iface> -a duration:60 -w <outfile.pcapng>`	Stop after N seconds.
`dumpcap -i <iface> -a filesize:100000 -w <outfile.pcapng>`	Stop after file reaches size (in kB).
`dumpcap -i <iface> -b files:5 -b filesize:100000 -w <outfile.pcapng>`	Ring buffer with max 5 files, each up to size.
`dumpcap -i <iface> -b files:10 -b duration:300 -w <outfile.pcapng>`	Ring buffer by time (rotate every 300s, keep 10 files).
`dumpcap -i <iface> -p -w <outfile.pcapng>`	Disable promiscuous mode if needed.

Check kernel version

uname -r

Kali Kernel 6.12 (Kali 2025.2) or older

sudo apt update
sudo apt install -y linux-headers-$(uname -r) realtek-rtl88xxau-dkms
sudo modprobe 88XXau

Kali Kernel 6.14 and newer

sudo apt update
sudo apt install -y firmware-realtek
sudo modprobe rtw88_8812au