Airgeddon is a multi-purpose bash script used for auditing wireless networks. Its modular nature combines numerous individual tools under a single interactive interface. This unification allows ethical hackers and penetration testers to simulate real-world wireless attacks without writing custom scripts or handling complex configurations manually. The latest version of Airgeddon refines many existing modules and introduces several optimizations that improve usability, performance, and compatibility.
The toolkit supports both offensive and defensive security tasks. It allows users to gather intelligence about wireless networks, capture encrypted handshakes, launch denial-of-service attacks, and deploy Evil Twin access points. Built-in validation and logging features help document every action for later analysis, making Airgeddon a complete solution for structured Wi-Fi security assessments.
Compatibility and Cross-Platform Support
Supported Linux Distributions
Airgeddon is built to run on Unix-like systems, with primary support for Linux distributions. It works best on penetration testing platforms such as Kali Linux, Parrot OS, BlackArch, and Manjaro. These distributions offer easy access to the required dependencies and include updated versions of core tools such as aircrack-ng and hostapd. The script detects the platform type during startup and adjusts accordingly for better environment compatibility.
On Arch- or Fedora-based systems, additional setup steps may be required: some dependencies must be installed manually or are packaged under different names. Regardless of the Linux flavor used, the core requirement is that the system must support Bash scripting and wireless interface manipulation.
Dependency and Interface Detection Automation
The script begins each session with an environment check. It confirms that required tools like aircrack-ng, xterm, macchanger, and dnsmasq are installed. If any are missing, it offers installation instructions or triggers an auto-installer when supported. Airgeddon also scans for available wireless interfaces, identifies which of them are monitor-capable, and recommends those suitable for each module. This automation reduces setup time and ensures tool readiness.
Wireless Interface Management
Monitor Mode Activation and Adapter Selection
Monitor mode is required for most of Airgeddon’s modules. The script helps users activate this mode by listing supported wireless adapters and managing airmon-ng or iw commands in the background. Once activated, it confirms the mode switch and assigns the new interface to the next operation. This streamlined process improves usability for both new and experienced testers.
MAC Address Spoofing and Deauthentication Options
To enhance anonymity and prevent MAC-based detection, Airgeddon includes options to spoof the MAC address of the wireless adapter. This is especially useful in scenarios involving access control bypass or public network impersonation. The tool also supports sending deauthentication packets, which are often used to force clients to disconnect from legitimate networks. These packets are later used in handshake capture and Evil Twin setups.
WPA/WPA2 Handshake Attack Modules
Airodump-ng Integration for Target Monitoring
Airgeddon integrates airodump-ng to perform live monitoring of wireless traffic. It displays SSIDs, BSSIDs, encryption types, signal strengths, and connected clients in real time. Users can select a target access point and lock the interface to its channel. This configuration ensures all packets of interest remain within scope during the handshake capture session.
Aireplay-ng for Deauth Attacks
Deauthentication attacks can be launched through aireplay-ng to force clients to reconnect. This behavior allows Airgeddon to capture the four-way WPA handshake exchanged during re-authentication. These captured packets form the basis for offline password cracking and strength evaluation.
PMKID and Hashcat-Ready Formats
The tool supports PMKID capture, which eliminates the need for a connected client. Using hcxdumptool, Airgeddon retrieves the PMKID from the access point and saves it in a format compatible with hashcat. These files are useful for faster attack models that do not require timing a handshake.
Handshake Verification and Cleanup
After each capture session, Airgeddon verifies whether the handshake or PMKID was valid using built-in tools. It filters out invalid packets and prepares a clean .cap or .hccapx file for cracking. This cleanup process ensures compatibility with hashcat, aircrack-ng, and similar password auditing tools.
WPS-Based Attack Capabilities
Reaver, Bully, and Pixiewps Support
Airgeddon supports brute-force attacks on WPS-enabled access points using tools like Reaver, Bully, and Pixiewps. These tools attempt to exploit weaknesses in the WPS protocol, which is often left enabled by default on consumer-grade routers. Users can select from Pixie Dust mode or full brute-force mode, depending on the target configuration.
Pixie Dust and Brute-Force Modes
Pixie Dust attacks use offline calculations based on leaked public keys to determine the WPS PIN. If successful, they allow for rapid access without needing to complete a full attack cycle. Brute-force mode tries every PIN combination until success, which can be time-consuming but effective when Pixie Dust fails.
Real-Time PIN Capture and Feedback
Airgeddon displays the progress of WPS attacks in real time. It shows attempts made, the estimated time remaining, and whether intermediate keys have been found. This feedback is valuable during audits to gauge if a router is vulnerable to WPS-based compromise.
Evil Twin Attack Suite
Hostapd Configuration for Rogue AP Creation
The Evil Twin module in Airgeddon uses hostapd to create a fake access point. It mimics the SSID, MAC address, and channel of a real network to trick clients into connecting. This setup forms the base of phishing attacks and credential harvesting during audits.
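Because the rogue AP copies the SSID, MAC address, and channel, a sensor has to compare everything a beacon advertises against an inventory of the real access points. The following is an added example, not part of Airgeddon; the baseline, the observations, and the function name are constructed for illustration.

```python
# Constructed baseline: what the organisation's own APs are known to advertise.
BASELINE = {
    "aa:bb:cc:00:00:01": {"ssid": "CorpWiFi", "channel": 6, "security": "WPA2"},
    "aa:bb:cc:00:00:02": {"ssid": "CorpWiFi", "channel": 11, "security": "WPA2"},
}

# Constructed beacon observations: (bssid, ssid, channel, security, rssi_dbm)
OBSERVED = [
    ("aa:bb:cc:00:00:01", "CorpWiFi", 6, "WPA2", -52),    # matches baseline
    ("aa:bb:cc:00:00:01", "CorpWiFi", 6, "OPEN", -31),    # cloned BSSID, open network
    ("de:ad:be:ef:00:09", "CorpWiFi", 1, "WPA2", -40),    # known SSID, unknown BSSID
    ("aa:bb:cc:00:00:02", "CorpWiFi", 11, "WPA2", -60),   # matches baseline
    ("12:34:56:78:9a:bc", "CoffeeShop", 3, "OPEN", -70),  # unrelated network
]


def find_rogue_ap_indicators(observed, baseline):
    """Return (bssid, ssid, reason) for beacons that conflict with the inventory.

    A twin that copies every advertised field exactly is not caught by this
    comparison alone; it needs a second signal such as signal strength or
    a burst of deauthentication frames.
    """
    protected_ssids = {ap["ssid"] for ap in baseline.values()}
    findings = []
    for bssid, ssid, channel, security, _rssi in observed:
        known = baseline.get(bssid)
        if known is None:
            # Only SSIDs we own matter; other networks are out of scope.
            if ssid in protected_ssids:
                findings.append((bssid, ssid, "unknown BSSID advertising protected SSID"))
            continue
        # Known BSSID: every advertised field must match the inventory.
        for field, seen in (("ssid", ssid), ("channel", channel), ("security", security)):
            if seen != known[field]:
                findings.append(
                    (bssid, ssid, f"{field} {seen} differs from baseline {known[field]}"))
    return findings


if __name__ == "__main__":
    for finding in find_rogue_ap_indicators(OBSERVED, BASELINE):
        print(finding)
```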
Dnsmasq for DHCP and DNS Redirection
The tool configures dnsmasq to assign IP addresses to connecting clients and redirect all domain name queries to a local web server. This redirection forces browsers to open phishing portals when victims attempt to browse online. All interactions are confined to the tester’s environment, ensuring safe demonstration of risk.
Lighttpd Serving Phishing Portals
Airgeddon includes a lightweight HTTP server powered by lighttpd to host phishing pages. These portals can simulate public Wi-Fi logins, social media pages, or enterprise login screens. When a client submits credentials, the data is logged and displayed to the tester. Users can also upload custom portals tailored to specific audit scenarios.
Built-in Captive Portal Templates
The latest version includes built-in portal templates that represent common network login pages. These templates are fully customizable and support input capture, automatic redirection, and multilingual interfaces. This flexibility helps testers simulate a wide range of real-world phishing environments.
DoS and Disruption Modules
Multiple Deauthentication Flood Options
Airgeddon supports sending large volumes of deauthentication packets to disrupt existing wireless connections. This method can deny service to legitimate users or prepare the environment for a forced handshake capture or Evil Twin attack. Parameters such as packet count and delay are user-adjustable.
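A flood of this kind is visible to a monitoring sensor as a burst of deauthentication or disassociation frames for one BSSID. The following sliding-window detector is an added example, not part of Airgeddon; the frame records, the window, and the threshold are constructed assumptions to be tuned per site.

```python
from collections import defaultdict, deque

# 802.11 management frame subtypes: 10 = disassociation, 12 = deauthentication
DEAUTH_SUBTYPES = {10, 12}
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample: (timestamp_seconds, bssid, destination, mgmt_subtype)
SAMPLE_FRAMES = (
    [(0.5, "aa:bb:cc:00:00:01", "11:22:33:44:55:66", 12)]    # one ordinary deauth
    + [(10.0 + i * 0.05, "aa:bb:cc:00:00:02", BROADCAST, 12)
       for i in range(60)]                                   # burst: 60 frames in 3 s
    + [(20.0 + i, "aa:bb:cc:00:00:01", BROADCAST, 8)
       for i in range(5)]                                    # beacons, ignored
)


def detect_deauth_floods(frames, window=5.0, threshold=30):
    """Return {bssid: (alert_time, frames_in_window, broadcast_share)} for each
    BSSID whose deauth/disassoc count within `window` seconds reaches `threshold`."""
    recent = defaultdict(deque)  # bssid -> deque of (timestamp, is_broadcast)
    alerts = {}
    for ts, bssid, dst, subtype in sorted(frames):
        if subtype not in DEAUTH_SUBTYPES:
            continue
        q = recent[bssid]
        q.append((ts, dst == BROADCAST))
        # Drop frames that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and bssid not in alerts:
            share = sum(is_bcast for _, is_bcast in q) / len(q)
            alerts[bssid] = (round(ts, 2), len(q), share)
    return alerts


if __name__ == "__main__":
    for bssid, (ts, count, share) in detect_deauth_floods(SAMPLE_FRAMES).items():
        print(f"{bssid}: {count} deauth frames in window at t={ts}s, {share:.0%} broadcast")
```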
Beacon Flood and Fake AP Broadcasting
The tool can flood the network with beacon frames, creating dozens of fake access points. These fake SSIDs confuse clients and sometimes trigger bugs in outdated client firmware. While typically used for demonstration, beacon flooding highlights the need for improved wireless filtering mechanisms.
Channel Interference Tools
By manipulating overlapping channels and injecting interference, Airgeddon can affect the performance of nearby networks. This form of disruption is useful for testing wireless infrastructure resilience and validating wireless intrusion prevention systems.
MITM and Sniffing Integration
SSLstrip and SSLsplit Modules
Man-in-the-middle (MITM) capabilities are supported through integration with sslstrip and sslsplit. These tools attempt to downgrade HTTPS connections or extract content from unencrypted traffic. While their effectiveness has declined with HSTS adoption, they remain valuable in legacy or misconfigured networks.
Packet Forwarding and Logging
Airgeddon enables IP forwarding and NAT rules to provide Internet access through the rogue AP. This setup helps make the phishing environment seem more legitimate. Meanwhile, tools log the browsing history, DNS queries, and POST data submitted by clients.
Traffic Injection Tools
During MITM scenarios, testers can inject custom JavaScript, advertisements, or popups into traffic streams. This feature helps simulate malware injection and study how browsers handle unsolicited content.
Utility Enhancements and Logging Features
Interactive Menu Interface and Progress Tracking
Airgeddon offers an interactive, text-based interface that guides users through each step. Menus display progress, errors, and success notifications in real time. This design allows beginners to navigate complex tools with confidence while still offering customization for advanced users.
Built-In Dependency Checker and Auto-Installer
The script performs a system check before launching modules. It verifies the presence of required tools and binaries and offers automatic installation where possible. Users are alerted about missing packages or outdated components that could affect reliability.
Structured Log Saving and Session History
Logs are saved in organized directories with timestamps, SSID references, and output from executed tools. This structure helps testers document findings for audit reports and replay captured scenarios for analysis. Logs include handshake files, command output, and captured credentials.
Customization and Extension Options
Custom Phishing Page Integration
Airgeddon allows users to replace built-in phishing portals with custom HTML content. This option is valuable when replicating login portals for internal enterprise networks or specific threat models. Portal behavior can include animations, timers, or redirect scripts for more convincing demonstrations.
Wordlist and Cracking Dictionary Support
Password cracking modules support user-supplied wordlists. These can include targeted terms, employee names, or localized phrases. Wordlist management ensures more efficient attacks when conducting audits against pre-shared key (PSK) based networks.
Adapter Pairing and Interface Chaining
Advanced configurations support multiple adapters for simultaneous monitoring, broadcasting, and sniffing. Interface chaining allows one card to handle deauthentication, another to host the rogue AP, and a third to sniff data. This modular setup improves performance and minimizes resource conflicts.
Ethical Usage Guidelines and Safeguards
Legal Scope Limitations
Airgeddon is designed for legal and authorized use. All wireless audits should occur within a defined scope approved by the network owner. Unauthorized access to networks or client devices is prohibited and can lead to legal consequences.
Responsible Data Handling Reminders
Captured data, especially user credentials and traffic logs, must be handled responsibly. Ethical testers must delete sensitive data after the audit or deliver it securely to the client as part of the final report. Strong encryption and file isolation should be used during transport.
Safe Lab Testing Environments
Testers are encouraged to use isolated environments such as Faraday cages or virtual networks to conduct training or tool demonstrations. This ensures that testing does not interfere with production networks or unauthorized devices nearby.
Conclusion
Airgeddon brings together dozens of wireless auditing tools into one unified interface. From handshake capture and cracking to full Evil Twin phishing campaigns, the latest version of Airgeddon enables comprehensive Wi-Fi security assessments. With built-in automation, detailed logging, and integration with external utilities like hashcat and Reaver, the toolkit is suitable for both beginners and seasoned penetration testers.
Security professionals using Airgeddon benefit from speed, modularity, and accuracy. Responsible usage combined with clearly defined testing scopes allows organizations to identify and fix weaknesses before they can be exploited in the wild.