Using airgeddon for WiFi Auditing

What Is airgeddon?

airgeddon is a multi-use bash script designed for WiFi security auditing on Linux systems. It wraps dozens of established wireless security tools - aircrack-ng, hostapd, dnsmasq, bettercap, mdk4, and others - into a single menu-driven interface. Instead of memorizing the syntax for fifteen different command-line tools, you navigate through menus and let airgeddon construct and execute the commands for you.

The project is open source, maintained on GitHub, and has been in active development since 2016. It supports multiple languages, includes automatic dependency checking, and handles much of the tedious setup work that makes wireless auditing frustrating for newcomers.

A critical caveat before we go further: airgeddon is a security auditing tool. Using it against networks you don't own or have explicit written permission to test is illegal in most jurisdictions. Everything in this article assumes you're working on your own networks or in an authorized testing environment.

How airgeddon Works

graph TD
    subgraph Airgeddon["airgeddon Script"]
        A[Main Menu] --> B[Interface Selection]
        B --> C{Choose Attack}
        C --> D[Handshake Tools Menu]
        C --> E[Evil Twin Menu]
        C --> F[WPS Menu]
        C --> G[Enterprise Menu]
        C --> H[DoS Menu]
    end
    subgraph Backend["Underlying Tools"]
        D --> D1[aircrack-ng suite]
        D --> D2[hashcat]
        E --> E1[hostapd]
        E --> E2[dnsmasq]
        E --> E3[lighttpd / apache]
        E --> E4[bettercap]
        F --> F1[reaver]
        F --> F2[bully]
        F --> F3[pixiewps]
        G --> G1[hostapd-wpe]
        G --> G2[asleap]
        H --> H1[mdk4]
        H --> H2[aireplay-ng]
    end
    subgraph Output["Results"]
        D1 --> R1[Captured Handshakes]
        D2 --> R2[Cracked Passwords]
        E1 --> R3[Credential Capture]
        F1 --> R4[WPS PINs]
        G1 --> R5[Enterprise Credentials]
    end

airgeddon acts as a menu-driven orchestrator, calling specialized tools behind the scenes for each attack type.

airgeddon operates as an orchestration layer. When you select an option from the menu, the script checks that the required tools are installed, prompts you for necessary parameters (target network, interface, wordlist path), then constructs and runs the appropriate commands in the background.

For example, when you choose to capture a WPA handshake, airgeddon will:

  1. Put your wireless interface into monitor mode using airmon-ng
  2. Scan for nearby networks using airodump-ng
  3. Let you select a target network from the scan results
  4. Launch a targeted capture with airodump-ng focused on the selected network
  5. Optionally send deauthentication frames using aireplay-ng to force a client reconnection
  6. Monitor for the handshake and notify you when captured
  7. Offer to crack the handshake using aircrack-ng or hashcat

All of these steps can be done manually with individual commands, but airgeddon handles the sequence, error checking, and parameter passing between tools automatically.

Installation and Requirements

airgeddon runs on Linux systems and requires a wireless adapter capable of monitor mode and packet injection. Not all WiFi adapters support these features - you need a chipset with proper Linux driver support.

Popular compatible chipsets include:

  • Realtek RTL8812AU (dual-band, widely available)
  • Atheros AR9271 (single-band but very reliable)
  • Ralink RT3070 (older but well-supported)
  • MediaTek MT7612U (newer dual-band option)

Installation is straightforward:

git clone https://github.com/v1s1t0r1sh3r3/airgeddon.git
cd airgeddon
sudo bash airgeddon.sh

On first launch, airgeddon checks for all dependencies and tells you which optional tools are missing. The core requirements (bash 4.2+, the aircrack-ng suite, iw, ip) are pre-installed on Kali Linux. Additional tools unlock specific features:

  • hashcat - GPU-accelerated password cracking
  • bettercap - Man-in-the-middle framework for evil twin attacks
  • hostapd - Access point creation for rogue AP attacks
  • dnsmasq - DHCP and DNS server for captive portals
  • reaver/bully - WPS brute force tools
  • mdk4 - Wireless attack tool for deauthentication and flooding
  • hostapd-wpe - Enterprise AP impersonation

On Kali Linux, most of these are available through apt:

sudo apt install hostapd dnsmasq reaver bully mdk4

The Menu Interface

airgeddon's interface is entirely text-based and menu-driven. When you launch it, you're presented with a main menu after selecting your wireless interface. The main sections are:

Handshake/PMKID tools menu - Capturing and cracking WPA/WPA2 authentication material

DoS attacks menu - Deauthentication and disassociation attacks for disrupting wireless networks (for testing resilience)

Evil Twin attacks menu - Creating rogue access points that mimic legitimate networks

WPS attacks menu - Exploiting WiFi Protected Setup vulnerabilities

Enterprise attacks menu - Attacking WPA-Enterprise (802.1X) networks

Navigation works by entering the number corresponding to the menu option you want. The interface includes color coding for status indicators (green for available features, red for missing dependencies) and provides descriptions of what each option does.

One of airgeddon's best UX decisions is contextual dependency checking. If you select a feature that requires a tool you don't have installed, it tells you exactly what's missing rather than failing silently. This makes it much easier to figure out what to install.

Handshake Capture

The most common use case for airgeddon is capturing WPA/WPA2 handshakes from your own networks to test password strength.

The process works like this:

  1. Select the handshake tools menu
  2. airgeddon puts your interface into monitor mode
  3. A scan window opens showing nearby networks with their SSIDs, BSSIDs, channels, and encryption types
  4. You stop the scan and select your target network
  5. airgeddon launches a targeted capture on that network's channel
  6. Optionally, it sends deauthentication frames to force a client to reconnect (creating a handshake)
  7. Once captured, you can crack the handshake using a wordlist or rule-based attack

airgeddon also supports PMKID capture, a newer technique that doesn't require deauthenticating any clients. The PMKID (Pairwise Master Key Identifier) can be extracted from the first message of the 4-way handshake, meaning you only need to attempt an association with the access point - no active clients needed.

For cracking, airgeddon supports both CPU-based cracking (aircrack-ng with wordlists) and GPU-accelerated cracking (hashcat). GPU cracking is dramatically faster - a mid-range graphics card can test billions of password combinations where a CPU tests thousands.

Evil Twin Attacks

Evil twin attacks create a rogue access point that impersonates a legitimate network. When users connect to the fake network, their traffic passes through your system, allowing credential capture or traffic analysis.

airgeddon's evil twin module automates the complex setup required:

  1. Creates a fake access point using hostapd with the same SSID as the target
  2. Configures dnsmasq to provide DHCP (IP addresses) and DNS to connected clients
  3. Optionally sets up a captive portal that presents a fake login page
  4. Deauthenticates clients from the real network, encouraging them to connect to your fake one
  5. Captures any credentials entered into the captive portal

The captive portal templates in airgeddon mimic common router login pages, prompting users to enter their WiFi password to "reconnect." In an authorized test, this demonstrates how social engineering combines with technical attacks - even strong WPA2 passwords can be captured if users willingly type them into a fake portal.

Evil twin attacks require two wireless interfaces: one to run the fake access point and another to deauthenticate clients from the real network. Some adapters support both functions simultaneously through virtual interfaces, but using two separate adapters is more reliable.

WPS Attacks

WiFi Protected Setup (WPS) was designed to make connecting devices to WiFi networks easier. It uses an 8-digit PIN that, due to a design flaw, can be brute-forced in a reasonable amount of time.

airgeddon provides access to two WPS attack tools:

Reaver performs online brute force attacks against WPS-enabled access points. It systematically tries PIN combinations, exploiting the fact that the 8-digit PIN is validated in two halves (reducing the keyspace from 100 million to roughly 11,000 combinations).

Bully is an alternative to Reaver that uses a different implementation of the same attack. Some access points respond better to one tool than the other.

Pixie Dust (via pixiewps) is an offline attack that exploits weak random number generation in certain WPS implementations. When it works, it recovers the PIN in seconds rather than hours. Not all access points are vulnerable, but many older routers are.

airgeddon first scans for WPS-enabled networks, then lets you choose which attack to use. It handles the configuration and retry logic automatically. Many modern routers have rate limiting or lockout mechanisms that make online WPS brute force impractical, but the Pixie Dust attack bypasses these since it works offline.
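The two-halves arithmetic and the effect of a lockout policy, worked through as an added example (this is not code from airgeddon, Reaver, or Bully). The checksum weighting follows the WPS PIN format; the seconds-per-attempt and lockout figures are assumed values for illustration, not measurements.

```python
# Added example: WPS PIN structure and the resulting online guess count.
# Timing and lockout values passed in are assumptions, not measurements.

def wps_checksum(first7: int) -> int:
    """Check digit for the first seven PIN digits (weights 3,1,3,1,3,1,3)."""
    digits = [int(c) for c in f"{first7:07d}"]
    total = sum(d * (3 if i % 2 == 0 else 1) for i, d in enumerate(digits))
    return (10 - total % 10) % 10

def is_valid_pin(pin: str) -> bool:
    """True when pin is 8 ASCII digits and the last one matches the checksum."""
    return (len(pin) == 8 and pin.isascii() and pin.isdigit()
            and wps_checksum(int(pin[:7])) == int(pin[7]))

def online_keyspace() -> dict:
    """Guess counts when the two halves of the PIN are validated separately."""
    first_half = 10 ** 4    # digits 1-4: four free digits
    second_half = 10 ** 3   # digits 5-7 are free; digit 8 is the checksum
    return {"naive": 10 ** 8, "first_half": first_half,
            "second_half": second_half,
            "worst_case": first_half + second_half}

def worst_case_hours(attempts: int, secs_per_attempt: float,
                     lock_after: int = 0, lock_secs: float = 0.0) -> float:
    """Hours to exhaust `attempts` guesses under an optional lockout policy."""
    lockouts = (attempts - 1) // lock_after if lock_after else 0
    return (attempts * secs_per_attempt + lockouts * lock_secs) / 3600

if __name__ == "__main__":
    ks = online_keyspace()
    print(ks)
    print("12345670 valid:", is_valid_pin("12345670"))
    # Assumed 3 s per attempt, first without and then with a 60 s lock
    # after every 3 failures.
    print(round(worst_case_hours(ks["worst_case"], 3.0), 1), "hours")
    print(round(worst_case_hours(ks["worst_case"], 3.0, 3, 60.0), 1), "hours")
```

Because the eighth digit is derived from the first seven, it adds nothing to the search space, which is why the second half contributes 1,000 guesses rather than 10,000.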

Enterprise Network Attacks

Enterprise WiFi (WPA-Enterprise, 802.1X) uses a RADIUS server for authentication instead of a shared password. Common configurations use PEAP with MSCHAPv2, where users authenticate with their corporate username and password.

airgeddon's enterprise attack module uses hostapd-wpe to create a rogue enterprise access point. When users connect to it, hostapd-wpe captures their username and a challenge-response hash that can potentially be cracked to recover their password.

This is a powerful demonstration of why enterprise WiFi security needs proper certificate validation. If client devices don't verify the server certificate (and many are misconfigured), they'll happily send credentials to a rogue AP.

The enterprise attack workflow in airgeddon:

  1. Scan for enterprise networks
  2. Create a rogue AP with the same SSID using hostapd-wpe
  3. Wait for clients to connect
  4. Capture challenge-response credentials
  5. Crack the captured hashes using asleap or hashcat

Understanding the Underlying Tools

airgeddon makes WiFi auditing more accessible, but relying on it without understanding what happens underneath creates a fragile skill set. The script handles the common cases well, but when something goes wrong - and in wireless testing, things frequently go wrong - you need to know what the actual tools are doing.

The core tools airgeddon orchestrates:

aircrack-ng suite:

  • airmon-ng - Enables/disables monitor mode on wireless interfaces
  • airodump-ng - Captures raw 802.11 frames, displays nearby networks and clients
  • aireplay-ng - Injects packets (deauth frames, fake authentication, ARP replay)
  • aircrack-ng - Cracks WPA handshakes using wordlists

hostapd creates software access points. It's the same tool used in legitimate access point configurations (like turning a Raspberry Pi into a hotspot). In security testing, it creates the rogue APs used in evil twin attacks.

dnsmasq provides DHCP and DNS services. When a client connects to your rogue AP, dnsmasq gives them an IP address and handles DNS resolution (or, in an evil twin scenario, redirects all DNS queries to your captive portal).

mdk4 performs various wireless attacks including deauthentication flooding, beacon flooding, and authentication attacks. It's more aggressive than aireplay-ng's deauth capability and supports more attack modes.

Learning these tools individually, even if you usually use airgeddon, makes you a more capable tester. When airgeddon can't handle an edge case, you'll know which tool to reach for and how to use it directly.

Limitations and Considerations

airgeddon is powerful but not perfect:

  • Linux only. It's a bash script designed for Linux. No native Windows or macOS support.
  • Adapter dependency. Not all wireless adapters support monitor mode and injection. If your adapter doesn't work, airgeddon can't help - you need compatible hardware.
  • Deauthentication legality. In some jurisdictions (notably the EU under RED), sending deauthentication frames is restricted or prohibited even in testing scenarios. Know your local laws. The BLEShark Nano, for example, disables deauth features in EU regions and restricts handshake capture to passive-only mode to comply with these regulations.
  • Rate limiting and protections. Modern access points include protections against many of these attacks. Management Frame Protection (802.11w/PMF) prevents deauthentication attacks. WPS rate limiting blocks brute force attempts. Enterprise certificate pinning prevents rogue AP credential capture.
  • It's a wrapper, not a replacement. airgeddon doesn't do anything that its underlying tools can't do individually. Its value is convenience, not capability. For unusual scenarios, you'll still need to use tools directly.
  • Updates lag behind tools. When underlying tools get new features or syntax changes, airgeddon needs to be updated to match. There can be a delay.
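For the access-point side of the protections listed above, this added example (not airgeddon code) audits a hostapd.conf for its PMF and WPS settings. The two configuration fragments are constructed; `ieee80211w`, `wps_state`, and `ap_setup_locked` are hostapd options, and the defaults assumed for missing keys are hostapd's documented defaults.

```python
# Constructed hostapd.conf fragments; SSID and values are illustrative.
WEAK_CONF = """
ssid=LabNet
wpa=2
wpa_key_mgmt=WPA-PSK
ieee80211w=0
wps_state=2
"""
HARDENED_CONF = """
ssid=LabNet
wpa=2
wpa_key_mgmt=WPA-PSK
ieee80211w=2
wps_state=0
"""

def parse_conf(text):
    """hostapd.conf is flat key=value; lines starting with '#' are comments."""
    lines = (line.strip() for line in text.splitlines())
    return dict(l.split("=", 1) for l in lines
                if "=" in l and not l.startswith("#"))

def audit_ap(text):
    """Return findings for the PMF and WPS settings of one configuration."""
    conf = parse_conf(text)
    findings = []
    pmf = conf.get("ieee80211w", "0")          # hostapd default: 0 (disabled)
    if pmf == "0":
        findings.append("ieee80211w=0: PMF off, deauth frames are unprotected")
    elif pmf == "1":
        findings.append("ieee80211w=1: PMF optional, non-PMF clients stay exposed")
    if conf.get("wps_state", "0") != "0":      # hostapd default: 0 (disabled)
        locked = conf.get("ap_setup_locked", "0") == "1"
        findings.append("wps_state enabled, ap_setup_locked=%d: review PIN exposure"
                        % locked)
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ap(conf) or "no findings")
```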

The Right Learning Approach

The ideal way to learn WiFi auditing with airgeddon is a two-phase approach:

Phase 1: Use airgeddon to understand the workflow. The menus make the process visible. You can see what steps are involved in a handshake capture or evil twin attack without getting lost in command-line syntax. This builds a mental model of how wireless attacks work.

Phase 2: Replicate what airgeddon does manually. Take each attack type and learn to perform it using the underlying tools directly. Put your interface in monitor mode with airmon-ng. Run airodump-ng yourself. Launch aireplay-ng deauth attacks manually. Configure hostapd by writing the config file yourself.

This two-phase approach gives you both the big-picture understanding (from airgeddon's guided workflow) and the technical depth (from manual tool use). When you're doing a professional assessment, you'll often start with automated tools for efficiency and then drop to manual commands when you need more control.

Set up a practice environment with your own access point and a few client devices. Use a dedicated wireless adapter for testing. Document what you learn. And always, always have written authorization before testing any network that isn't yours.

Want a purpose-built device for practicing wireless security? The BLEShark Nano supports WiFi scanning, handshake capture, BLE enumeration, and rogue AP testing in a pocket-sized form factor - ideal for building the hands-on skills that complement tools like airgeddon.