802.11
aircrack 2.41
aircrack is an 802.11 sniffer and WEP/WPA key cracker.
It consists of: airodump (an 802.11 packet capture program), aireplay (an 802.11 packet injection program), aircrack (static WEP and WPA-PSK cracking), and airdecap (decrypts WEP/WPA capture files).
Enhancements:
- airodump: show probing clients as "not associated"
- airodump: don't subtract the noise level unless madwifi
- airodump: fixed channel hopping with old orinoco
- airmon.sh: added detection of the zd1211 driver
Download (0.077MB)
Added: 2005-11-28 License: GPL (GNU General Public License) Price:
18823 downloads
XIAN 1.1
XIAN (a cross-layer Interface for wireless ad-hoc networks) is a generic interface for experimenting with cross-layer designs using legacy 802.11 networking cards and the MadWifi driver on Linux platforms.
It can be used as a service by other network layers or system components to access information about the configuration and performance of MAC/PHY layers. The interface is fully implemented and is available for Linux over the MadWifi 802.11 driver.
Enhancements:
- Support for the latest MadWifi (BSD branch) drivers
- Linux kernel 2.6 support
- Additional code examples using XIAN (command line tools, Qt widget, ...)
Download (2.2MB)
Added: 2007-02-02 License: GPL (GNU General Public License) Price:
999 downloads
DNSA 0.5
DNSA and DNSA-NG are Swiss-knife tools for Linux designed to test several DNS security issues.
The most important feature is full Wi-Fi support using two cards:
- The first in monitor mode, which captures 802.11 traffic
- The second associated to the AP and injecting forged DNS packets
Host-ap and madwifi drivers are already supported by DNSA-NG.
DNSA was initially conceived because of a lack of DNS auditing tools. It uses libnet and libpcap:
"Libnet is a high-level API (toolkit) allowing the application programmer to construct and inject network packets. It provides a portable and simplified interface for low-level network packet shaping, handling and injection. Libnet hides much of the tedium of packet creation from the application programmer such as multiplexing, buffer management, arcane packet header information, byte-ordering, OS-dependent issues, and much more.
Libnet features portable packet creation interfaces at the IP layer and link layer, as well as a host of supplementary and complementary functionality. Using libnet, quick and simple packet assembly applications can be whipped up with little effort. With a bit more time, more complex programs can be written (Traceroute and ping were easily rewritten using libnet and libpcap)."
Usage :
Usage: ./dnsa [ARGS]
DNS Swiss knife tool
-1 DNS ID spoofing [ Required : -S ]
-D [www.domain.org] Hostname query to fool. Dont use it if every DNS request sniffed has to be spoofed
-S [IP] IP address to send for dns queries
-s [IP] IP address of the host to fool
-i [interface] IP address to send for dns queries
-2 DNS IDs Sniffing [ Required : -s ]
-s [IP] IP address of the server which makes queries
-w [file] Output file for DNS IDs
-3 DNS cache poisoning [ Required : -S AND -b AND -a ]
-a [host.domain.org] Hostname to send in the additional record
-b [IP] IP to send in the additional record
-D [www.domain.org] Hostname for query. Use it if you want to fool just on
-S [IP] IP address to send for DNS queries (the normal one)
-s [IP] IP address of the server to fool
-i [interface] IP address to send for DNS queries
Download (0.57MB)
Added: 2006-03-03 License: GPL (GNU General Public License) Price:
1340 downloads
Kismet 2007-01-R1
Kismet is an 802.11 wireless network sniffer.
Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic.
Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, decloaking) hidden networks, and inferring the presence of non-beaconing networks via data traffic.
Main features:
- Ethereal/Tcpdump compatible data logging
- Airsnort compatible weak-iv packet logging
- Network IP range detection
- Built-in channel hopping and multicard split channel hopping
- Hidden network SSID decloaking
- Graphical mapping of networks
- Client/Server architecture allows multiple clients to view a single Kismet server simultaneously
- Manufacturer and model identification of access points and clients
- Detection of known default access point configurations
- Runtime decoding of WEP packets for known networks
- Named pipe output for integration with other tools, such as a layer3 IDS like Snort
- Multiplexing of multiple simultaneous capture sources on a single Kismet instance
- Distributed remote drone sniffing
- XML output
- Over 20 supported card types
Enhancements:
- Additional IDS alerts, fixes for multiple crashes, better BSD support, Win32 native capture with Cace AirPcap devices, Nokia 770/800 support, and other minor updates.
Download (0.61MB)
Added: 2007-01-16 License: GPL (GNU General Public License) Price:
1571 downloads
Aircrack-ng 0.9.1
Aircrack-ng is a set of tools for auditing wireless networks.
- airodump: 802.11 packet capture program
- aireplay: 802.11 packet injection program
- aircrack: static WEP and WPA-PSK key cracker
- airdecap: decrypts WEP/WPA capture files
Aircrack-ng is the next generation of aircrack with lots of new features.
How do I crack a static WEP key?
The basic idea is to capture as much encrypted traffic as possible using airodump. Each WEP data packet has an associated 3-byte Initialization Vector (IV): after a sufficient number of data packets have been collected, run aircrack on the resulting capture file. aircrack will then perform a set of statistical attacks developed by a talented hacker named KoreK.
How do I know my WEP key is correct?
There are two authentication modes for WEP:
Open-System Authentication: this is the default mode. All clients are accepted by the AP, and the key is never checked: association is always granted. However, if your key is incorrect you won't be able to receive or send packets (because decryption will fail), so DHCP, ping etc. will time out.
Shared-Key Authentication: the client has to encrypt a challenge before association is granted by the AP. This mode is flawed and leads to keystream recovery, so it's never enabled by default.
In summary, just because you seem to have successfully connected to the access point doesn't mean your WEP key is correct! To check your WEP key, try to decrypt a capture file with the airdecap program.
How many IVs are required to crack WEP?
WEP cracking is not an exact science. The number of required IVs depends on the WEP key length, and it also depends on your luck. Usually, 40-bit WEP can be cracked with 300.000 IVs, and 104-bit WEP can be cracked with 1.000.000 IVs; if you're out of luck you may need two million IVs, or more.
There's no way to know the WEP key length: this information is kept hidden and never announced, either in management or data packets; as a consequence, airodump cannot report the WEP key length. Thus, it is recommended to run aircrack twice: when you have 250.000 IVs, start aircrack with "-n 64" to crack 40-bit WEP. Then, if the key isn't found, restart aircrack (without the -n option) to crack 104-bit WEP.
Enhancements:
- This release adds an ACX injection patch, and updates the rtl8187 patch for 2.6.21.
- It fixes madwifi-ng detection with airmon-ng.
- It fixes 2 bugs in aircrack-ng related to WPA cracking.
- It fixes an old Debian bug (#417388).
- It fixes the use of wlanng, and fixes IP address writing in the CSV file with airodump-ng.
- It fixes a bug in the GUI for Windows and adds a PTW option.
Download (0.16MB)
Added: 2007-06-26 License: GPL (GNU General Public License) Price:
6000 downloads
Pywifi 0.3
Pywifi is a Python library that currently provides read access to information about a WLAN card's capabilities, like the wireless extensions written in C.
Typical output of pyiwconfig.py:
eth1 IEEE 802.11-DS ESSID:"romanofski"
Mode:Managed Frequency:2.417GHz Access Point:00:80:C8:15:0C:65
Bit Rate:11 Mbit Tx-Power:17 dBm Sensitivity:off/65535
Retry limit:16 RTS thr:off Fragment thr:off
Encryption:Operation not permitted
Power Management:off
Link Quality:15/100 Signal level:-55dBm Noise level:-96dBm
Rx invalid nwid:190 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:8 Invalid misc:83736 Missed beacon: 0
wifi0 IEEE 802.11-DS ESSID:"romanofski"
Mode:Managed Frequency:2.417GHz Access Point:00:80:C8:15:0C:65
Bit Rate:11 Mbit Tx-Power:17 dBm Sensitivity:off/65535
Retry limit:16 RTS thr:off Fragment thr:off
Encryption:Operation not permitted
Power Management:off
Link Quality:15/100 Signal level:-55dBm Noise level:-96dBm
Rx invalid nwid:190 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:8 Invalid misc:83736 Missed beacon: 0
Download (0.042MB)
Added: 2006-07-07 License: LGPL (GNU Lesser General Public License) Price:
1204 downloads
GTK ACX Tool 0.1.0
GTK ACX Tool provides a tool that displays the status of the ACX100 driver.
The GTK ACX Tool displays the status of the Texas Instruments (TI) ACX100 IEEE 802.11 driver. It can be used only with the driver developed by the wlan.kewl.org Project on FreeBSD 5.2 and later versions.
It uses GTK+ (The GIMP Toolkit) and GtkDatabox (a GTK+ widget for fast data display). The ACX driver can be installed via the ports collection.
Current functionality is mostly based on the ACXTool from the wlan.kewl.org Project and the acXmonitor from House of Craig.
Download (0.80MB)
Added: 2007-04-18 License: BSD License Price:
921 downloads
KNetworkManager 0.1
KNetworkManager is the KDE front end for NetworkManager. The KNetworkManager project provides a sophisticated and intuitive user interface which enables users to easily switch their network environment.
The range of functions encompasses the features implemented by the NetworkManager daemon. Up until now NetworkManager supports:
- Wired Ethernet Devices (IEEE 802.3)
- Wireless Ethernet Devices (IEEE 802.11): Unencrypted, WEP, WPA Personal, WPA Enterprise
- Virtual Private Network (VPN): OpenVPN, VPNC
- Dial-Up (PPP)
How does it work?
For both Wireless LAN and Wired LAN, NetworkManager supports devices known to HAL. Unless working in offline mode, NetworkManager tries to keep the system connected at any time. To do this, NetworkManager follows the policy described here.
Once started, NetworkManager asks HAL about available network interfaces. If a wired network interface with a carrier is found, NetworkManager connects to it, either by DHCP (default) or by setting up a previously defined static configuration. Later on, when KNetworkManager starts up, NetworkManager will expose its information about network devices and wireless networks found by scanning to the applet.
At this point, if a user decides to unplug the wired connection, NetworkManager will not connect to an arbitrary wireless network. By default all available networks are untrusted. Only if a user decides to connect to a network manually once is this specific network n henceforth marked as trusted.
n = { ESSID, Hardware address or addresses of the access point}
The trusted networks are stored individually for each user. KNetworkManager stores them and informs NetworkManager about the known, trusted networks. If a wired connection drops due to unplugging the cable, NetworkManager will automatically connect to a trusted network. As this step was done without user interaction, NetworkManager will reconnect to the wired connection once it has a carrier.
If a user joins a wireless network by manual intervention (e.g. the user clicks on a network listed in the context menu of KNetworkManager or connects to a hidden wireless network), NetworkManager will take down any previous connection. If one unplugs the wired connection after such a step, NetworkManager will not connect to the wired connection once it has a carrier.
Download (0.55MB)
Added: 2006-09-29 License: GPL (GNU General Public License) Price:
1133 downloads
hostap 0.3.9
hostap is a Linux driver for wireless LAN cards based on Intersil's Prism2/2.5/3 chipset. The driver supports a so-called Host AP mode, i.e., it takes care of IEEE 802.11 management functions in the host computer and acts as an access point.
This does not require any special firmware for the wireless LAN card. In addition to this, it supports normal station operations in BSS (infrastructure) and in IBSS (ad hoc). The current version of the Host AP driver and tools supports WPA in AP (Authenticator) and client (Supplicant) modes.
Intersil's station firmware for the Prism2/2.5/3 chipset supports a so-called Host AP mode in which the firmware takes care of time-critical tasks like beacon sending and frame acknowledging, but leaves other management tasks to the host computer driver.
Main features:
This driver implements the basic functionality needed to initialize and configure Prism2/2.5/3-based cards, to send and receive frames, and to gather statistics. In addition, it includes an implementation of the following IEEE 802.11 functions:
- authentication (and deauthentication).
- association (reassociation, and disassociation).
- data transmission between two wireless stations.
- power saving (PS) mode signaling and frame buffering for PS stations.
The driver also has various features for development debugging and for researching IEEE 802.11 environments, like access to hardware configuration records, I/O registers, and frames with 802.11 headers.
Enhancements:
- fixed background scans (iwlist wlan0 scan) not to break data connection when in host_roaming 2 mode (e.g., when using wpa_supplicant)
- fixed beacon frame when moving from monitor mode to master mode (workaround for firmware bug that left IBSS IE in the Beacon frames)
Download (0.19MB)
Added: 2005-09-19 License: GPL (GNU General Public License) Price:
1500 downloads
libpcap 0.9.7
libpcap is a system-independent interface for user-level packet capture.
libpcap is a handy little library which provides a packet filtering mechanism based on the BSD packet filter (BPF).
Enhancements:
- Basic BPF filtering, Bluetooth, USB capturing on Linux, FreeBSD BIOCSDIRECTION ioctl, additional filter operations for 802.11 frame types, and support for filtering on MTP2 frame types were all added, and numerous other minor enhancements and bugfixes were made.
Download (0.41MB)
Added: 2007-08-10 License: BSD License Price:
805 downloads
PictoSniff 0.2
PictoChat sniffer allows you to spy live on PictoChat communications between Nintendo DS gaming consoles.
Requires an 802.11 device with support for monitor mode and Radiotap (tested only under FreeBSD with the p54u driver). Based upon GTK2 and libpcap.
Download (0.12MB)
Added: 2005-07-22 License: GPL (GNU General Public License) Price:
923 downloads
FakeIKEd 0.0.4
Fiked is a fake IKE daemon that supports just enough of the standards and Cisco extensions to attack commonly found insecure Cisco PSK+XAUTH VPN setups in what could be described as a semi-MitM attack.
Basically, knowing the pre-shared key, also known as shared secret or group password, the VPN gateway can be impersonated in IKE phase 1, in order to learn XAUTH user credentials in phase 2.
The configuration supported by fiked is IKE aggressive mode using pre-shared keys and XAUTH. FakeIKEd supports algorithms like DES, 3DES, AES128, AES192, AES256, MD5, SHA1, and DH groups 1, 2, and 5. Main mode is not supported.
Basically, if you know the pre-shared key, also known as shared secret or group password, you can play Man in the Middle, impersonate the VPN gateway in IKE phase 1, and learn XAUTH user credentials in phase 2.
This attack is not new. It has been known for a long time that IKE using PSK with XAUTH is insecure, and this is not the first actual implementation of the attack.
To successfully demonstrate an attack on a VPN site, you need to know the shared secret, and you must be able to intercept the IKE traffic between the clients and the VPN gateway.
There are several ways to find out the shared secret, including being a legitimate user, grabbing it from some Cisco config file, using ike-crack, or layer 8 hackery.
There are also several ways to redirect the IKE traffic to your running fiked instance, including ARP spoofing, 802.11 hostap, or layer 1 hackery.
Usage:
Usage: fiked [-rdqhV] -g gateway -k id:psk [-k ...] [-l file] [-L file]
-r use raw socket: forge source address to match < gateway >
-d detach from tty and run as a daemon (implies -q)
-q be quiet, dont write anything to stdout
-h print help and exit
-V print version and exit
-g gw VPN gateway address to impersonate
-k i:k pre-shared key aka. group password, shared secret, prefixed
with its group/key id (first -k sets default)
-l file append results to credential log file
-L file verbous logging to file instead of stdout
Enhancements:
- Bugfixes, portability changes, and support for dropping privileges.
Download (0.10MB)
Added: 2005-12-21 License: BSD License Price:
1402 downloads
Kismet Parse 0.2
Kismet Parse can be used after Kismet has sniffed 802.11 traffic and produced .network files.
Kismet Parse is a Perl script that parses these files to map the MAC addresses of the discovered wireless access points and clients to useful information, including the hardware manufacturer of each device.
Download (0.007MB)
Added: 2007-08-22 License: GPL (GNU General Public License) Price:
568 downloads
MadWifi 0.9.3.2
MadWifi is short for Multiband Atheros Driver for Wireless Fidelity. In other words: this project provides a Linux kernel device driver for Atheros-based Wireless LAN devices.
The driver works such that your WLAN card will appear as a normal network interface in the system. Additionally there is support for the Wireless Extensions API. This allows you to configure the device using common wireless tools (ifconfig, iwconfig and friends).
Main features:
- Operational Modes:
  - sta -- Station, a.k.a. infrastructure or managed. This device acts as a typical WLAN client station. This is the default mode if not otherwise specified.
  - ap -- Access Point, a.k.a. master. This device acts as the Access Point for other WLAN client stations.
  - adhoc -- Ad-hoc, a.k.a. IBSS mode. This device is in a peer-to-peer WLAN without the need for an Access Point.
  - ahdemo -- Ad-hoc Demo. This is an older, non-802.11 compliant, proprietary ad-hoc mode.
  - monitor -- Monitor. This device can be used to "sniff" raw 802.11 frames.
  - wds -- Wireless Distribution System. This device can be used to create large wireless networks by linking several Access Points together.
- WDS support for transparent bridging over WLAN links.
- Supports Wireless Extensions API.
- One driver for miniPCI and cardbus devices. USB devices are not yet supported.
- Most of the current Atheros WLAN chipsets are supported.
- Supports WEP and WPA/802.11i.
- Support for 802.1x authentication in AP mode.
Download (MB)
Added: 2007-08-14 License: GPL (GNU General Public License) Price:
830 downloads
Raw Fake AP 0.2
Raw Fake AP is a program that emulates valid IEEE 802.11 access points using wireless raw injection.
Raw Fake AP application aims to create both beacon and probe response frames and could be used to "hide" real networks from novice wardrivers or for testing wireless intrusion detection systems.
Main features:
Overall features:
- Raw injection of beacon and probe response frames in monitor mode
- Try to forge coherent sequence numbers and BSS timestamps (depending on driver injection capabilities)
- Try to have a coherent time interval between beacons (which is hard to achieve without a real time kernel)
Command line interface will help you to choose between:
- Randomize Open/WEP/WPA/RSN crypto
- Randomize b/g cards
- Channel hopping
- TXpower hopping
- Randomize ESSIDs (alnum or not)
- Randomize BSSIDs
- Choose beacon interval
- Choose number of fake access points
- Choose a file with valid OUIs
- Choose a file with ESSIDs
- Choose between beacon or probe response frames
- Select a destination MAC address
Download (0.013MB)
Added: 2006-02-08 License: GPL (GNU General Public License) Price:
1380 downloads