First off all this will be updated again soon to explain this genius idea/future/integration
to the future, enhanced wifite, the v2.00 🥇 ;)

Anyways, lets get it straight from source, since Kali's still is missing out on the totally rewritten update of the tool (v6 is in their repos still, but v8 is available so we dont miss out on that goodies) SEE CHANGELOG

mdk3 DOCUMENTATION & SOURCE
mdk3 README @ https://svn.mdk3.aircrack-ng.org/mdk3/docs/Documentation_incomplete.html
mdk3 CHANGELOG @ https://svn.mdk3.aircrack-ng.org/mdk3/CHANGELOG
SVN Source: https://svn.mdk3.aircrack-ng.org/mdk3/

There are several uses/features the tool may offer, but my first thought was
-- adding it (integration) since Kali's outdated still [Reported to Kali bug repo]

-- adding the ability to avoid LOCKED routers by flooding/ddos'ing it. there actually are 2 ways to this,
1: Using the "Authentication DoS flood attack" (which has the potensial to reset some routers)
2: Using the "EAPOL start flood attack" (the shock attack)

-- adding a CHECK for LOCKED routers (allready in Wash of course),
but the question/ability to choose to UNLOCK (a short knockout)
when it gets reported LOCKED + some neat switches I'll add here later.

I also know that you had the mdk3 feature on your todo list @derv82
So come on, lets get started 💃

Best regards
-- More mdk3 usages will be added soon as mentioned

Allow user to store a database of commands for specific access points names where wifite will search before starting the wps cracking of some access point , wifite will consult the database to check if the first letters of that access point are in database and in case exists then will use the user setup instead the automatic setup .

example : Access point : ABCD-0000

Wifite will access its database to checkif ABCD exists , in case exists then will run the user pre configured settings , instead the default settings .
In case ABCD does not exist then wifite will automatically run its default cracking settings .

I say this would be a good option because some Access points i get , i have to use special switches in reaver to be able to crack the wps , while other APS i can use the normal brute-force switches without issues .

Not even mention the fact of most APS these days have protections against brute force , where to be able to deal with that is needed a delay between pin attempts .

my host is ubuntu 16.04 and airodump-ng version is 1.2 beta3
it doesn't support --write-interval option.
Is my airodump-ng too old?

Using wifite on OSX .

This possibility exists using the airport monitor? would only change in the source code ? aircrack -ng has been compiled successfully with the recover - wps ??

I seem to remember that there was an option to skip handshake capture in wifite if you had captured it before?

Can this be implemented in wifite2?

LINK:https://github.com/derv82/wifite2/blob/master/py/tests/test_Handshake.py
You included a mac address for testing(A4:2B:8C:16:6B:3A)
The mac lookup was :NETGEAR
Source:http://www.macvendors.com/

This is quite the hair puller. It seems that after approx. 60 seconds, replay packets stop flowing. I'm testing this against an older Cisco 1230 series AP (it runs IOS, so I can look at all the gory client details).

What I see is that the attack starts, and once the first arp packet is heard, replay begins (so far - textbook). I then monitor the client stats on the AP paying attention to the last activity counter. This constantly reads 0 seconds (ago) as the replay packets are streaming from the laptop. After about 60 sec or so - this counter starts incrementing - meaning that the "client" is idle. There is no disassocation on the AP or anything - wifite just shows that IVs aren't incrementing at the previous rate (essentially a trickle at this point). Looking at ps - aireplay is running fine. I've also compared the command line args. of this aireplay to what it looks like in original wifite - and it looks like the same command line.

I saw you also updated "original" wifite. The same 60 sec behavior is observed there.

I've tested this on the "original" wifite (r87 ?) - and it works as expected. In fact - I even lowered the pps to 200 to force it to run longer. At that rate, original wifite ran for ~ 4 min. to collect ~ 31k IVs and crack the (128 bit) WEP.

Is there anything in wifite2 that happens at around the 60 sec mark that might do something to the interface causing replays to stop ? As I said - ps shows it still running, so I'm not sure what could happen to that running process to make it stop sending. Since original wifite and running the aircrack suite by hand both work as expected consistently - it seems like something in wifite2 is causing the replay to be interrupted.

Anything I could do to further debug and troubleshoot this ?

PS: Thanks for continuing to work on this project.

Based on the description on the main page I tried to use the 5ghz option but it doesn't like the parameter

5Ghz support for wireless cards that support 5ghz (use -5 option)

root@kali:~# wifite  -5
wifite: error: unrecognized arguments: -5

WiFite v2 (r87)

thanks

I am receiving the following errors while trying to run wifite and the runtests.sh, I am running on ubuntu 16.04. The older version of wifite was running fine except for the fact that I am unable to capture handshakes on wpa2 authentication

aircrack-ng is able to capture handshakes on 5ghz networks, but aireplay-ng can't deauth stations.

Might be my wireless card(s). Might be a bug in aireplay-ng. Might be how Wifite invokes aireplay-ng. Might be due to how 5ghz protocols are implemented.

Can we have a feature that ignores all APs with a specifc name of xxxxxxx

e.g. BTHome hub in the UK, has a 2/3 network for Guest Wifi... Some of these are like BTWifi-X , are WPA protected so they show up but just get in the way , would be nice to filter them out, or a specific AP if needed on an engagement...

While doing an area scan I got this stack trace:

[+] (1/30) starting attacks against 00:00:00:00:00:00 (Seegmiller)
[+] Seegmiller (00:00:00:00:00:00 @ 99db) WPS Pixie-Dust: Waiting for target to appear...
[!] Error: Could not find target (00:00:00:00:00:00) in airodump

[!] Full stack trace below

[!] Traceback (most recent call last):
[!] File "/usr/local/bin/wifite2", line 105, in run
[!] result = attack.run()
[!] File "/usr/share/wifite/py/AttackWPS.py", line 27, in run
[!] bully = Bully(self.target, pixie=True)
[!] File "/usr/share/wifite/py/Bully.py", line 44, in init
[!] self.run()
[!] File "/usr/share/wifite/py/Bully.py", line 61, in run
[!] self.target = self.wait_for_target(airodump)
[!] File "/usr/share/wifite/py/Attack.py", line 44, in wait_for_target
[!] 'Could not find target (%s) in airodump' % self.target.bssid)
[!] Exception: Could not find target (00:00:00:00:00:00) in airodump
[+] Seegmiller (00:00:00:00:00:00 @ 99db) WPA Handshake capture: Waiting for target to appear...
[!] Error: Could not find target (00:00:00:00:00:00) in airodump

That mac is a broadcast mac address, these addresses need to be filtered out.

These addresses are as follows:
ff:ff:ff:ff:ff:ff
00:00:00:00:00:00

Any address that starts with any in this list: ["01:00", "01:80:c2", "33:33"] are multicast addresses and should also be filtered out.

You could create a function like

def check_valid (mac):
    '''
        This function takes a mac address and checks that it is valid before using it.
    '''
    if mac in ["ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"]:
        return False

    for item in  ["01:00", "01:80:c2", "33:33"]:
        if mac.startswith(item):
            return False
    return True

Or you could possibly find a better way.

The command I used btw was: sudo wifite2 on kali linux 2017.1

Hi,

Actually, this not a big issue however it makes a little confusion while using the tool.
While WPS PIN attack, if AP configuration made with rate limit, Wifite2 says that the --skip-rate-limit can be used to try harder. (which was in the first wifite) However, in ./wifite2/Wifite.py --help option its written --ignore-rate-limit.
I'm reporting this just for your information again not a big deal.

Thanks.

Reported by sandman. Looks like there's no checks for how long WPA attack has been happening.

There are options in the --help to set the WPA handshake timeout:

  --wpat [seconds]     Time to wait before failing WPA attack (default: 500 sec)

Thanks for a great time saving tool. Could you please add configuration options for airodump to specify the "--band=a" argument? This enables 5Ghz testing on supported cards (by default airodump only scans through 2.4Ghz)

the below is the abend on screen message. Crashed at random times, but always the same error message (less the MAC address).

[!] Error: invalid literal for int() with base 10: 'B0:7F:B9:1A:AC:38'
[!] Full stack trace below
[!] Traceback (most recent call last):
[!] File "./Wifite.py", line 200, in
[!] w.main()
[!] File "./Wifite.py", line 38, in main
[!] self.run()
[!] File "./Wifite.py", line 82, in run
[!] s = Scanner()
[!] File "/root/wifite2/py/Scanner.py", line 40, in init
[!] self.targets = airodump.get_targets()
[!] File "/root/wifite2/py/Airodump.py", line 141, in get_targets
[!] targets = Airodump.get_targets_from_csv(csv_filename)
[!] File "/root/wifite2/py/Airodump.py", line 197, in get_targets_from_csv
[!] client = Client(row)
[!] File "/root/wifite2/py/Client.py", line 26, in init
[!] self.packets = int(fields[4].strip())
[!] ValueError: invalid literal for int() with base 10: 'B0:7F:B9:1A:AC:38'

more information on the feature/method may be found -right here- but there is also more info (for specially interested) -right here- too.

• also a feature that should find it's way into "wifite" in the future

thanks to @binarymaster for this feature, but also @kcdtv & @rofl0r at the t6x repo.

Reproduced by specifying channel & ESSID, e.g.:

./Wifite.py -c 7 -e ShittyWEP

 [+] Scanning. Found 0 target(s), 0 client(s). Ctrl+C when ready
 [!] Error: 'NoneType' object has no attribute 'lower'

 [!] Full stack trace below

 [!]    Traceback (most recent call last):
 [!]    File "./Wifite.py", line 201, in <module>
 [!]        w.main()
 [!]    File "./Wifite.py", line 39, in main
 [!]        self.run()
 [!]    File "./Wifite.py", line 83, in run
 [!]        s = Scanner()
 [!]    File "/root/wifite2/py/Scanner.py", line 42, in __init__
 [!]        if self.found_target():
 [!]    File "/root/wifite2/py/Scanner.py", line 86, in found_target
 [!]        if essid and essid.lower() == target.essid.lower():
 [!]    AttributeError: 'NoneType' object has no attribute 'lower'

 [!] Exiting

Looks like target.essid may be None...

It's a lofty idea I've been entertaining. Although it would probably be better branded as "Wifite3" (or as a Python library).

A big pain in Wifite is that it's just a "command-line proxy": It scrapes stderr and stdout, pipes into files, and (ab)uses regex to an uncomfortable proportion. Updates to these tools (and how they output information) can and does break Wifite.

It would be more-robust if Wifite used a library (Scapy) to read & interact with wireless networks.

Some basic stuff, like detecting wireless networks (airodump-ng) and deauthing clients (aireplay-ng), could easily be done using Scapy. And Scapy would provide more control over what the program is doing.

Rewriting some features would be more difficult, such as:

• Anything WEP, such as the attacks (fragmentation, chop chop),
• WEP cracking via IVS (it's mostly extracting bytes from packets, but still...)
• Anything WPS, e.g. understanding the protocol, detecting failure states, extracting nonces for the PixieDust attack

...we would be reinventing the wheel.

But I think there is a benefit to having all of this logic in a single place. Plus I would like to learn more about the 802.11 protocol.

Hello,
I am a kali linux 2017.2 user with an RT2800USB. For eg.
VODAFONE_WIFI_108 (70:2E:22:87:86:10 @ 24db) WPS Pixie-Dust: Trying PIN:87790405 (Timeout) (runtime:1m7s tries:0 failures:98 lockouts:0)

It always fails! Any help?

I tried chopchop last night and it didn't work for me.

The chopchop attack succeeded and generated a .xor which was forged into a replayable .cap file.

But the script did not replay the .cap file.

I'm worried other attacks are not working as-expected (e.g. when no clients are connected).

Also, the output of chopchop was terrible -- only showing IVs. Ideally the script would parse the output of aireplay-ng --chopchop, show the current % completed, and any errors/warnings output by the program.

See https://bugs.kali.org/view.php?id=2704

E.g. we probably want to keep the wifite name

I'm trying to run wifi2 in the latest netunter on my nexus5 with it's own wireless chip, here is what i do:

source monstart-nh
python wifite2/Wifite.py

but i got this

 [!] Error: Expected 4, got 1 in ['Run it as root']

 [!] Full stack trace below

 [!]    Traceback (most recent call last):
 [!]    File "Wifite.py", line 201, in <module>
 [!]        w.main()
 [!]    File "Wifite.py", line 38, in main
 [!]        Configuration.get_interface()
 [!]    File "/root/wifite2/py/Configuration.py", line 106, in get_interface
 [!]        Configuration.interface = Airmon.ask()
 [!]    File "/root/wifite2/py/Airmon.py", line 186, in ask
 [!]        a = Airmon()
 [!]    File "/root/wifite2/py/Airmon.py", line 18, in __init__
 [!]        self.refresh()
 [!]    File "/root/wifite2/py/Airmon.py", line 22, in refresh
 [!]        self.interfaces = Airmon.get_interfaces()
 [!]    File "/root/wifite2/py/Airmon.py", line 56, in get_interfaces
 [!]        interfaces.append(Interface(fields))
 [!]    File "/root/wifite2/py/Interface.py", line 39, in __init__
 [!]        raise Exception("Expected 4, got %d in %s" % (len(fields), fields))
 [!]  Exception: Expected 4, got 1 in ['Run it as root']

 [!] Exiting

and i run airmon-ng, it returns this

####################################################
## nexmon ioctl hook active
## sa_family = ARPHRD_IEEE80211_RADIOTAP
## to change sa_family, set NEXMON_SA_FAMILY
## environment variable to ARPHRD_IEEE80211
####################################################
Run it as root####################################################
## nexmon ioctl hook active
## sa_family = ARPHRD_IEEE80211_RADIOTAP
## to change sa_family, set NEXMON_SA_FAMILY
## environment variable to ARPHRD_IEEE80211
####################################################
Run it as root

so, i think maybe it's because of the nexmon mode doesn't works fine with airmon-ng. But the old wifite works fine in this situation. I think we can add an option to force this script not to check airmon-ng to let it work.

PS: sorry for my poor English.

Tested on full Kali distro and Not getting handshake or finding clients using Alfa card...

Hi, are there plans to add the -mac option to wifite2 that was in the original wifite?

!/bin/bash

echo "Disabling monitor mode"
sudo airmon-ng stop wlan0mon
echo "Switching wlan0 to managed mode"
sudo iwconfig wlan0 mode managed
echo "Restarting Network Manager"
sudo /etc/init.d/network-manager restart
echo "Wifi should be fixed, If not restart your computer"

Noticed when dockerizing a few tools that WiFite2 would show new clients (which I confirmed with wireshark did include a handshake) but wouldn't then move onto the next stage, just sat at "WPA Handhshake capture" with a growing list of clients until the default 500 second timeout.

The issue was any of tshark / pyrit / cowpatty were not available and WiFite2 was calling these periodically to check the capture for WPA hanshakes.

It may be worth checking for these tools at startup or surfacing an error to the CLI if an exec doesnt happen behind the scenes.

Probably low priority! :)

If this is already possible please do tell because I spent quite a bit of time trying to run multiple processes and with its current state its not easily possible. Also, if someone knows how to background even a single instance of wifite2 it would be awesome if you could point me in the right direction. I love this project and thanks to all contributors!

1. None of my routers are susceptible to WPS Pixie-Dust attack.
2. All of my routers have hard rate-limits on WPS PIN attempts (requiring a router reboot after 3 failed attempts).

This means I can't test Wifite against susceptible routers.

I have the cash to buy more test routers, but I don't have the time to find routers that are still susceptible to Pixie-Dust -- and that do not rate limit PIN attacks.

If anyone knows of susceptible Wifi router models, please let me know.

I had a list of 50 targets , it was going fine up until target 15

` [+] (15/49) starting attacks against XX:XX:XX:XX:XX:XX: (XXXXXX)
[+] XXXXXXXXXX (XX:XX:XX:XX:XX:XX @ 27db) WPA Handshake capture: Waiting for target to appear...
[!] Error: Target did not appear after 20 seconds, stopping

[!] Full stack trace below

[!] Traceback (most recent call last):
[!] File "./Wifite.py", line 174, in
[!] w.main()
[!] File "./Wifite.py", line 38, in main
[!] self.run()
[!] File "./Wifite.py", line 123, in run
[!] attack.run()
[!] File "/root/apps/wifite2/py/AttackWPA.py", line 41, in run
[!] airodump_target = self.wait_for_target(airodump)
[!] File "/root/apps/wifite2/py/Attack.py", line 30, in wait_for_target
[!] % Attack.target_wait)
[!] Exception: Target did not appear after 20 seconds, stopping

[!] Exiting

`
then it just crashes and dies.

Hello everyone !
Hope you're doing well
I'm using the latest Kali version on USB live
And I was learning and working around with wifi pentesting to test my home network for vulnerabilities and flaws the tool at that time was wifite , I'm fimiliar with wifite but not experience in it's detailed usage and tweaks I'm trying to add --wpst and --wpsretry and started playing around with the options there is some issues that appeared to me while I was targeting my network locked with wps of course and almost vulnerable to the attack. The first issue was EAPfail and WPSFail whilst it's under progress , and also pixie dust is cracking the same pin over and over again and there is alot of timeouts and ttl in my success/ttl attempts , I'm aware I should change some lines inside of the script but I can't recall how did I do it before , I used to get the password with no time , now there is something wrong holding me back.

Thanks for reading until here
If someone can spare time to discuss and help I'd be pleased to listen , and I'm a good listener.
Until then
Best regards

Currently wifite tries all selected targets in-order, trying WPS pixie-dust, then the PIN attack, then WPA handshake capture.

Ideally the script would:

1. Target closest APs first
2. Target WEP networks first
3. Target WPS networks with Pixie Dust
4. WPA: Capture handshake, try small/medium sized word lists
5. Try WPS PIN attack

This way the most-vulnerablr targets are attacked first.

Ideally we would run multiple attacks against targets on the same channel/frequency, but this might screw up some things (eg deauthing multiple clients at the same time, reaver getting confused, etc).

Hi, thanks for wifite!

I tried looking in the --help but I could not find a way to send a custom number of de-auth packets like we can do it in aireplay-ng using the -0 option. I hope I didn't miss anything. Thanks again!

Client(s) scanning & handshake capturing issue(s) on RPI3 run through SSH.
No clients detected when scanning, but on the laptop there is no issues & clients are found again and capturing works again.

Anyone that may try reproducing the problem with an external adapter on RPI3 through SSH connection to ensure this is a problem too? Thanks!

Kali developers is asking of wifite2 status, if it's ready to be included in Kali.
Please take a look here and give feedback @derv82

Thank you for your work & your time!

Follow up from #15

E.g. how the automated WPA Handshake cracking works:

1. Runs aircrack-ng with necessary arguments
2. Watches output of aircrack-ng, prints status, percentage, etc. in a single line
3. Detects when password is cracked,stores it, shows to user.

The --crack option is just okay now that it prints the commands that should be run.

But:

1. User-running-commands will not update the cracked.txt database
2. The output of each cracking program is unique/different, and not easily parsed (see: john's output).
3. Wifite should make things easier, like cracking a handshake with a wordlist.

Would it be possible to have an option to output into john the ripper or oclhashcat format for cracking?

(Added by derv82@)

Other requirements mentioned below:

1. --later option to not crack captured handshakes (just capture & move on).
2. --quick to try the very-short Fern Wifi wordlist... although some machines might not have Fern's common.txt list so this may not be feasible
3. Platform-specific cracking via --crack cpu --crack cuda --crack opengl

• Probably not required; I don't know why we would need to know the GPU type

When running on my rpi3 with command sudo ./Wifite.py -i wlan1

 [+] Scanning. Found 0 target(s), 0 client(s). Ctrl+C when ready
 [!] Error: Airodump exited unexpectedly! Command ran: airodump-ng wlan1 -a -w /tmp/wifiteuJEH0o/airodump --write-i
terval 1 --output-format pcap,csv

 [!] Full stack trace below

 [!]    Traceback (most recent call last):
 [!]    File "./Wifite.py", line 201, in <module>
 [!]        w.main()
 [!]    File "./Wifite.py", line 39, in main
 [!]        self.run()
 [!]    File "./Wifite.py", line 83, in run
 [!]        s = Scanner()
 [!]    File "/home/pi/wifite2/py/Scanner.py", line 38, in __init__
 [!]        % ' '.join(airodump.pid.command))
 [!]  Exception: Airodump exited unexpectedly! Command ran: airodump-ng wlan1 -a -w /tmp/wifiteuJEH0o/airodump --wr
te-interval 1 --output-format pcap,csv

When I try the command manualy i get this error:
airodump-ng: unrecognized option '--write-interval'

if I remove the --write-interval option it will go through

airodump-ng 1.2

could be related to #30

As asked in #8 by blshkv@:

users are getting lost between wifite (which is outdated and broken), wifite-fork (with non-technical and unfriendly developers) and wifite2. Can take an initiative, port back any changes from the fork and release a one version which actually works?

See also https://github.com/search?utf8=%E2%9C%93&q=wifite&type=

• https://github.com/aanarchyy/wifite-mod-pixiewps
• https://github.com/kbeflo/wifite-openwrt
• https://github.com/darkr4y/wifite-mod
• https://github.com/BlackArch/wifite

Can you have an option to convert the captured .cap file into a format we can punch straight into johntheripper or hashcat rather than us having to go and convert .cap file..

• Adding option to use "bully" instead of "reaver"

I have Wmare 14 and Kali Linux 32 bit VMware VM on my pc.

When i use Wifite
with --wps or only wifite;

in wps column All routers are RED.
I know that one of router is mine and it is wps enabled.

Screenshot: ZXV10 is mine. I think there are at least one WPS enabled wifi but all of them is NO.
https://imgur.com/a/3yFkp

I think this is a bug.

What should i do?

Attacking a WEP network fails with this message:

+ starting attacks against 00:24:01:XX:XX:X (Internett1412)
[+] attempting fake-authentication with 00:24:01:XX:XX:XX... success

[!] Error: Could not find the mac address for wlan1mon

[!] Exiting

However, no problems with WPA/WPS networks.

Im looking into the issue atm of the WPS networks not being detected as WPS thus, unable to be attacked when they should be able to, roughly know whats causing it so ill leave this bug-report open till ive submitted the code changes required to fix this issue (* will likely change the WPS method in 2 ways, 1) use Wash to confirm Lock status 2) allow a "IgnoreWPSNotDetected" toggle to attempt attacks on routers regardless of WPS status *)

When i captured the handshake wifite says not cracking because --dict not set.. how do i solve this? when i run wifite.py --dict it says it is not a command.

Iam running one plus one kali nethunter wifite2

So, started the scan and Wifite kills 3 processes including network manager... which disables whole networking and it can't find any APs

Anyone has a solution to this issue?

First of all, congratulations to the script and to spread it in the community. It's fantastic!

I created a post, in Portuguese from Brazil, in my blog about your script (wifite2). My intention is to spread knowledge and present to the Brazilian public its excellent tool. If at any time you can reference my post, I will be very happy!

When you have news on new tools and scripts, let me know!

Best regards,

[+] option: scanning for targets on channel 7

[!] Error: [Errno 2] No such file or directory

[!] Full stack trace below

[!] Traceback (most recent call last):
[!] File "./Wifite.py", line 201, in
[!] w.main()
[!] File "./Wifite.py", line 38, in main
[!] Configuration.get_interface()
[!] File "/home/akrem/pen/wifite2/py/Configuration.py", line 106, in get_interface
[!] Configuration.interface = Airmon.ask()
[!] File "/home/akrem/pen/wifite2/py/Airmon.py", line 173, in ask
[!] Airmon.terminate_conflicting_processes()
[!] File "/home/akrem/pen/wifite2/py/Airmon.py", line 235, in terminate_conflicting_processes
[!] out = Process(['airmon-ng', 'check']).stdout()
[!] File "/home/akrem/pen/wifite2/py/Process.py", line 81, in init
[!] self.pid = Popen(command, stdout=sout, stderr=serr, cwd=cwd, bufsize=bufsize)
[!] File "/usr/lib/python2.7/subprocess.py", line 711, in init
[!] errread, errwrite)
[!] File "/usr/lib/python2.7/subprocess.py", line 1343, in _execute_child
[!] raise child_exception
[!] OSError: [Errno 2] No such file or directory

[!] Exiting

Exception AttributeError: "'Process' object has no attribute 'pid'" in <bound method Process.del of <py.Process.Process object at 0x7fe3b6bb1350>> ignored