The Wireless Toolkit
How to read this page
Wireless work is a small set of tools used in a predictable order: put a radio into monitor mode, see what is on the air, capture the material an attack needs, then crack or coerce it elsewhere. The tools below are the open-source standards for each of those jobs, and nearly all of them ship preinstalled on Kali Linux (and on most other security distributions). This page is judgment-first: it tells you when to reach for each tool against a Tala WTE network, and how they chain into one assessment. Pair it with the per-protocol pages, which name the exact tool and command for each attack: WEP, WPA2-Personal, WPS, and WPA2-Enterprise.
The one piece of setup every tool assumes is a monitor-mode interface. Stop the processes that fight you for the radio, then bring up the monitor interface:
sudo airmon-ng check kill
sudo airmon-ng start wlan0
That leaves you with a wlan0mon interface, which is what the commands below expect; iw dev should list it with type monitor before you go further.
TALA: the professional platform
Everything else on this page is open source, and it is exactly what you should learn on and use by hand. For real engagements, VTEM Labs builds TALA, a professional wireless assessment platform that goes light years beyond this open-source toolkit. Where the tools here are run one command at a time, TALA drives the entire capture-to-crack and enterprise-attack workflow as one guided, repeatable assessment, at scale and with the reporting an engagement needs. Tala WTE, this open training range, is the proving ground TALA is validated against, so the attacks you practice here are the same ones TALA runs in the field.
TALA is included free for ARROW customers. If your organization is on ARROW, you already have access. To see what TALA can do, or to get it, visit arrow.vtemlabs.com.
The rest of this page is the open-source toolkit: what to reach for, and how the pieces chain together.
The aircrack-ng suite
The aircrack-ng suite is the backbone of 802.11 testing and the first thing to reach for. It is three tools working together. airodump-ng is the radio scanner and recorder: it sweeps channels, lists every AP and client in range with BSSID, channel, encryption, and signal, and writes captures to disk. Lock it to your target's channel and BSSID so you do not miss the frames that matter:
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w cap wlan0mon
aireplay-ng is the frame injector. Its most-used mode sends 802.11 deauthentication frames, which are unauthenticated on any network without Protected Management Frames (802.11w), to knock a client off so its reconnect replays the four-way handshake into your capture:
aireplay-ng -0 3 -a AA:BB:CC:DD:EE:FF wlan0mon
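Defenders see the other side of this: a burst of unauthenticated deauthentication frames carrying the BSSID's address. The following is an added example, not code from the page or the aircrack-ng project: a small Python detector that parses raw 802.11 frames by hand and alerts when a (source, BSSID) pair crosses a deauth-rate threshold; the frames, MAC addresses and timestamps it is fed are constructed.

```python
"""Deauth-flood detector over raw 802.11 frames (added example, not from the page
or the aircrack-ng project). Parses the MAC header and deauth reason code by hand,
then flags a (source, BSSID) pair sending THRESHOLD deauths within WINDOW seconds.
Every frame below is constructed test data, not a capture."""
import struct
from collections import defaultdict, deque
MGMT, DEAUTH = 0, 12  # 802.11 frame type / subtype; unauthenticated unless PMF is on

def parse_frame(raw: bytes):
    """Return (type, subtype, addr1, addr2, addr3, reason); reason is None unless deauth."""
    if len(raw) < 24:
        return None
    ftype, subtype = (raw[0] >> 2) & 0x3, (raw[0] >> 4) & 0xF
    a1, a2, a3 = raw[4:10].hex(":"), raw[10:16].hex(":"), raw[16:22].hex(":")
    is_deauth = ftype == MGMT and subtype == DEAUTH and len(raw) >= 26
    reason = struct.unpack_from("<H", raw, 24)[0] if is_deauth else None  # little-endian
    return ftype, subtype, a1, a2, a3, reason

class DeauthFloodDetector:
    def __init__(self, threshold=5, window=2.0):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)  # (src, bssid) -> timestamps inside the window
        self.alerts = []

    def feed(self, ts: float, raw: bytes):
        """Ingest one frame; return an alert dict the moment a burst crosses the threshold."""
        p = parse_frame(raw)
        if p is None or p[5] is None:
            return None
        _, _, dst, src, bssid, reason = p
        q = self.seen[(src, bssid)]
        q.append(ts)
        while ts - q[0] > self.window:  # slide the window forward
            q.popleft()
        if len(q) != self.threshold:  # fire once per burst, at the crossing
            return None
        alert = {"src": src, "bssid": bssid, "count": len(q), "reason": reason, "last_dst": dst}
        self.alerts.append(alert)
        return alert

def build_deauth(dst, src, bssid, reason=7):
    """Constructed deauth frame: FC 0xC0, duration, addr1..3, sequence control, reason code."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return b"\xc0\x00\x00\x00" + mac(dst) + mac(src) + mac(bssid) + b"\x00\x00" + struct.pack("<H", reason)

def demo():
    det = DeauthFloodDetector(threshold=5, window=2.0)
    ap, client = "aa:bb:cc:dd:ee:ff", "02:11:22:33:44:55"
    det.feed(0.0, build_deauth(client, ap, ap, reason=4))  # a single inactivity deauth is normal
    for i in range(64):  # 64 broadcast deauths in 0.64 s from the AP's own address
        det.feed(10.0 + i * 0.01, build_deauth("ff:ff:ff:ff:ff:ff", ap, ap))
    return det.alerts
```

On a real sensor the same feed() loop would be driven from monitor-mode frames read with a capture library; the lone deauth at t=0 is not flagged, the burst is flagged once.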
aircrack-ng itself is the cracker. It is the right tool for WEP, where it recovers the key statistically from captured IVs (the PTW method) in minutes, and it can also dictionary-crack a WPA/WPA2 handshake. For modern PSK cracking, though, export to hashcat (below) and use the GPU.
hcxdumptool and hcxtools
When there is no client to deauthenticate, hcxdumptool is the answer. It talks directly to the radio and solicits the PMKID straight from the access point's first handshake frame, so you can capture crackable material with no associated client at all. Against Tala WTE this is the clientless path that opens up when you enable PMKID Exposed on a WPA2-Personal network:
hcxdumptool -i wlan0mon -o pmkid.pcapng
Note that hcxdumptool 6.3 and later dropped -o in favour of -w for the output file, so check the option list on the build you have.
hcxtools is the conversion layer that turns those captures into something a cracker reads. Run hcxpcapngtool to extract a clean hash file in the modern hc22000 format, which covers both PMKID and full handshake captures:
hcxpcapngtool -o pmkid.hc22000 pmkid.pcapng
Both ship on Kali. Keep them paired in your head: hcxdumptool harvests, hcxtools converts, hashcat cracks.
hashcat
hashcat is where PSK and credential cracking actually happens, because it runs on the GPU and that is the only thing fast enough to make a real wordlist practical. Two modes cover almost all wireless work. Mode 22000 is the unified WPA/WPA2 mode and the one you will use most: it ingests the hc22000 file from either a four-way handshake or a PMKID and grinds candidate passphrases offline, with no further contact with the network:
hashcat -m 22000 cap.hc22000 wordlist.txt
Mode 5500 cracks the NetNTLMv1 / MSCHAPv2 challenge-response you collect from a WPA2-Enterprise rogue-RADIUS capture (why that exchange is crackable is on the enterprise page):
hashcat -m 5500 mschapv2.hash wordlist.txt
The workflow is always the same: capture with the right tool, convert if needed, then point hashcat at a wordlist (or rules) and let the card work. Because cracking is offline, network strength reduces almost entirely to passphrase strength.
reaver, bully, and wash
These three are the WPS PIN toolkit. wash is the scanner: it lists nearby APs that have WPS enabled and, critically, whether they are locked, so you know whether an online attack is even worth starting:
wash -i wlan0mon
reaver and bully are two implementations of the same online PIN brute force against a WPS registrar (the design flaw that makes it cheap is on the WPS page). Every Tala WTE WPS network is built to allow this, so reaver or bully always recovers the PIN and then the WPA passphrase:
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -vv
Reach for the online brute force whenever the offline Pixie Dust attack below does not apply, which on the lab AP is the default case.
pixiewps
pixiewps is the offline shortcut for WPS: when the AP's registration nonces are weak it recovers the PIN in seconds instead of grinding PINs against the AP. It does not run alone; reaver collects the WPS exchange and hands it to pixiewps, and modern reaver invokes it automatically:
reaver -i wlan0mon -b AA:BB:CC:DD:EE:FF -K 1 -vv
On Tala WTE this only works when you enable Pixie-Dust Downgrade on the WPS network. Left off, the AP resists Pixie Dust and you fall back to reaver or bully.
wifite
wifite is the orchestrator that wraps all of the above into one automated run. It scans with airodump-ng, deauthenticates with aireplay-ng, captures handshakes and PMKIDs, drives reaver, bully, and pixiewps for WPS, and even kicks off cracking, all from a single command and a target picker:
sudo wifite
It ships on Kali and is the fastest way to get a result, which makes it the natural first pass against a lab network. The reason to still learn the individual tools is judgment: when wifite stalls, you need to know which stage failed and run that stage by hand. Treat wifite as the express lane and the suite as the manual transmission.
bettercap
Where the tools above target authentication and keys, bettercap is for what happens after a client is on the network, and for Open networks where there is no key at all. It is a modular framework for layer-2 and network attacks: sniffing, ARP poisoning and man-in-the-middle, DNS spoofing, and 802.11 reconnaissance and deauthentication, all driven from an interactive session or a caplet script:
sudo bettercap -iface wlan0
Reach for bettercap against an open hotspot or captive-portal lab, where passive sniffing and MITM are the lesson, rather than against a PSK you would crack offline. It complements the aircrack-ng suite rather than replacing it.
eaphammer and hostapd-wpe
WPA2-Enterprise is a different game: there is no shared passphrase to crack, only per-user credentials handed to a RADIUS server. The attack is a rogue RADIUS (an evil-twin AP that presents its own certificate), and these are the two tools for it. hostapd-wpe is a patched build of hostapd that stands up the rogue enterprise AP and logs the inner MSCHAPv2 challenge-response from any client that does not validate the server certificate. eaphammer is the higher-level orchestrator that automates the same attack, including certificate generation, the evil-twin AP, and credential capture:
eaphammer --cert-wizard
eaphammer -i wlan0 --essid CorpWiFi --creds
Both ship on Kali. Feed the captured MSCHAPv2 exchange to hashcat mode 5500 to recover the password. This is exactly the lesson the WPA2-Enterprise network teaches: a client that skips certificate validation hands its credentials to the first AP that asks.
wpa_supplicant as a test client
Not every tool is for attacking. wpa_supplicant is the standard Linux client, and on a training range it is the honest way to confirm a network actually works before you attack it, to join as a legitimate client, and to test the harder protocols. It is the practical way to bring up a real WPA3-Personal (SAE) or enterprise EAP-TLS client when you need to see the protocol behave correctly. Drive it from a small config file:
network={
    ssid="LabNet"
    psk="Summer2026!"
}
sudo wpa_supplicant -i wlan0 -c client.conf
Its companion eapol_test is the go-to for validating an 802.1X/EAP exchange against the RADIUS backend directly, which is invaluable when you are debugging an enterprise network rather than attacking it. Keep wpa_supplicant in the kit as the control case: if it cannot connect, the problem is the network, not your attack.
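The certificate-validation lesson from the WPA2-Enterprise section can be checked mechanically against the client configs you keep in the kit. The following is an added example, not code from the page or from wpa_supplicant: it parses network={...} blocks from a wpa_supplicant.conf and flags an EAP client that would hand its inner credentials to a rogue RADIUS, plus a client that does not require PMF. The sample config is constructed; the option names (ca_cert, domain_match, ieee80211w, ...) are real wpa_supplicant keys.

```python
"""Audit wpa_supplicant network blocks for the client mistake the WPA2-Enterprise section
describes: EAP without server-certificate validation. Added example, not from the page or
wpa_supplicant; the sample config is constructed, the option names are real wpa_supplicant keys."""
import re
SAMPLE_CONF = """\
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    password="Summer2026!"
}
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    password="Summer2026!"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_match="radius.corp.example"
    ieee80211w=2
}
"""
PIN_KEYS = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")

def parse_networks(text: str):
    """One dict per network={...} block; comments dropped, quotes stripped from values."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        net = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # simple line parser: no '#' inside values
            if "=" in line:
                key, val = line.split("=", 1)
                net[key.strip()] = val.strip().strip('"')
        nets.append(net)
    return nets

def audit(net: dict):
    """Findings for one block; an empty list means it passed these checks."""
    f = []
    if "WPA-EAP" in net.get("key_mgmt", ""):
        if not (net.get("ca_cert") or net.get("ca_path")):
            f.append("no ca_cert/ca_path: any server certificate is accepted")
        if not any(k in net for k in PIN_KEYS):
            f.append("no domain_match (or similar): any cert from a trusted CA passes")
        if f and net.get("eap", "").upper() in ("PEAP", "TTLS"):
            f.append("%s tunnel without validation: inner credentials go to a rogue RADIUS" % net["eap"])
    if net.get("ieee80211w") != "2":
        f.append("ieee80211w=2 not set: deauth/disassoc frames are unauthenticated")
    return f

def audit_config(text: str):
    return [(net.get("ssid", "?"), audit(net)) for net in parse_networks(text)]
```

The first CorpWiFi block is the client the enterprise lesson warns about; the second is what a hardened client.conf should look like.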