Tools included in the sqlninja package

sqlninja – SQL server injection and takeover tool
root@kali:~# sqlninja -h
Unknown option: h
Usage: /usr/bin/sqlninja
    -m <mode> : Required. Available modes are:
        t/test - test whether the injection is working
        f/fingerprint - fingerprint user, xp_cmdshell and more
        b/bruteforce - bruteforce sa account
        e/escalation - add user to sysadmin server role
        x/resurrectxp - try to recreate xp_cmdshell
        u/upload - upload a .scr file
        s/dirshell - start a direct shell
        k/backscan - look for an open outbound port
        r/revshell - start a reverse shell
        d/dnstunnel - attempt a dns tunneled shell
        i/icmpshell - start a reverse ICMP shell
        c/sqlcmd - issue a 'blind' OS command
        m/metasploit - wrapper to Metasploit stagers
    -f <file> : configuration file (default: sqlninja.conf)
    -p <password> : sa password
    -w <wordlist> : wordlist to use in bruteforce mode (dictionary method
    -g : generate debug script and exit (only valid in upload mode)
    -v : verbose output
    -d <mode> : activate debug
        1 - print each injected command
        2 - print each raw HTTP request
        3 - print each raw HTTP response
        all - all of the above
    ...see sqlninja-howto.html for details

sqlninja Usage Example

Connect to the target in test mode (-m t) with the specified config file (-f /root/sqlninja.conf):
root@kali:~# sqlninja -m t -f /root/sqlninja.conf 
Sqlninja rel. 0.2.6-r1
Copyright (C) 2006-2011 icesurfer <>
[+] Parsing /root/sqlninja.conf...
[+] Target is:
[+] Trying to inject a 'waitfor delay'....
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
  • Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
  • Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band.
  • Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
  • Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
  • Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
  • Support to dump database tables entirely, a range of entries or specific columns as per user’s choice. The user can also choose to dump only a range of characters from each column’s entry.
  • Support to search for specific database names, specific tables across all databases or specific columns across all databases’ tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns’ names contain string like name and pass.
  • Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user’s choice.
  • Support for database process’ user privilege escalation via Metasploit’s Meterpreter getsystem command.
sqlmap Homepage | Kali sqlmap Repo
  • Author: Bernardo Damele Assumpcao Guimaraes, Miroslav Stampar
  • License: GPLv2

Tools included in the sqlmap package

sqlmap – automatic SQL injection tool
root@kali:~# sqlmap -h
Usage: python sqlmap [options]

  -h, --help            Show basic help message and exit
  -hh                   Show advanced help message and exit
  --version             Show program's version number and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)

    At least one of these options has to be provided to define the

    -u URL, --url=URL   Target URL (e.g. "")
    -g GOOGLEDORK       Process Google dork results as target URLs

    These options can be used to specify how to connect to the target URL

    --data=DATA         Data string to be sent through POST
    --cookie=COOKIE     HTTP Cookie header value
    --random-agent      Use randomly selected HTTP User-Agent header value
    --proxy=PROXY       Use a proxy to connect to the target URL
    --tor               Use Tor anonymity network
    --check-tor         Check to see if Tor is used properly

    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts

    -p TESTPARAMETER    Testable parameter(s)
    --dbms=DBMS         Force back-end DBMS to this value

    These options can be used to customize the detection phase

    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (0-3, default 1)

    These options can be used to tweak testing of specific SQL injection

    --technique=TECH    SQL injection techniques to use (default "BEUSTQ")

    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables. Moreover you can run your own SQL statements

    -a, --all           Retrieve everything
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --passwords         Enumerate DBMS users password hashes
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table(s) to enumerate
    -C COL              DBMS database table column(s) to enumerate

  Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system

    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an OOB shell, Meterpreter or VNC

    These options can be used to set some general working parameters

    --batch             Never ask for user input, use the default behaviour
    --flush-session     Flush session files for current target

    --wizard            Simple wizard interface for beginner users

[!] to see full list of options run with '-hh'

[*] shutting down at 15:52:48

sqlmap Usage Example

Attack the given URL (-u “”) and extract the database names (–dbs):
root@kali:~# sqlmap -u "" --dbs

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 13:11:04

Tools included in the aircrack-ng package

airbase-ng – Configure fake access points
root@kali:~# airbase-ng --help

  Airbase-ng 1.2 beta3 - (C) 2008-2013 Thomas d'Otreppe
  Original work: Martin Beck

  usage: airbase-ng <options> <replay interface>


      -a bssid         : set Access Point MAC address
      -i iface         : capture packets from this interface
      -w WEP key       : use this WEP key to en-/decrypt packets
      -h MAC           : source mac for MITM mode
      -f disallow      : disallow specified client MACs (default: allow)
      -W 0|1           : [don't] set WEP flag in beacons 0|1 (default: auto)
      -q               : quiet (do not print statistics)
      -v               : verbose (print more messages)
      -A               : Ad-Hoc Mode (allows other clients to peer)
      -Y in|out|both   : external packet processing
      -c channel       : sets the channel the AP is running on
      -X               : hidden ESSID
      -s               : force shared key authentication (default: auto)
      -S               : set shared key challenge length (default: 128)
      -L               : Caffe-Latte WEP attack (use if driver can't send frags)
      -N               : cfrag WEP attack (recommended)
      -x nbpps         : number of packets per second (default: 100)
      -y               : disables responses to broadcast probes
      -0               : set all WPA,WEP,open tags. can't be used with -z & -Z
      -z type          : sets WPA1 tags. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
      -Z type          : same as -z, but for WPA2
      -V type          : fake EAPOL 1=MD5 2=SHA1 3=auto
      -F prefix        : write all sent and received frames into pcap file
      -P               : respond to all probes, even when specifying ESSIDs
      -I interval      : sets the beacon interval value in ms
      -C seconds       : enables beaconing of probed ESSID values (requires -P)

  Filter options:
      --bssid MAC      : BSSID to filter/use
      --bssids file    : read a list of BSSIDs out of that file
      --client MAC     : MAC of client to filter
      --clients file   : read a list of MACs out of that file
      --essid ESSID    : specify a single ESSID (default: default)
      --essids file    : read a list of ESSIDs out of that file

      --help           : Displays this usage screen

aircrack-ng – Wireless password cracker

root@kali:~# aircrack-ng --help

  Aircrack-ng 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe

  usage: aircrack-ng [options] <.cap / .ivs file(s)>

  Common options:

      -a <amode> : force attack mode (1/WEP, 2/WPA-PSK)
      -e <essid> : target selection: network identifier
      -b <bssid> : target selection: access point's MAC
      -p <nbcpu> : # of CPU to use  (default: all CPUs)
      -q         : enable quiet mode (no status output)
      -C <macs>  : merge the given APs to a virtual one
      -l <file>  : write key to file

  Static WEP cracking options:

      -c         : search alpha-numeric characters only
      -t         : search binary coded decimal chr only
      -h         : search the numeric key for Fritz!BOX
      -d <mask>  : use masking of the key (A1:XX:CF:YY)
      -m <maddr> : MAC address to filter usable packets
      -n <nbits> : WEP key length :  64/128/152/256/512
      -i <index> : WEP key index (1 to 4), default: any
      -f <fudge> : bruteforce fudge factor,  default: 2
      -k <korek> : disable one attack method  (1 to 17)
      -x or -x0  : disable bruteforce for last keybytes
      -x1        : last keybyte bruteforcing  (default)
      -x2        : enable last  2 keybytes bruteforcing
      -X         : disable  bruteforce   multithreading
      -y         : experimental  single bruteforce mode
      -K         : use only old KoreK attacks (pre-PTW)
      -s         : show the key in ASCII while cracking
      -M <num>   : specify maximum number of IVs to use
      -D         : WEP decloak, skips broken keystreams
      -P <num>   : PTW debug:  1: disable Klein, 2: PTW
      -1         : run only 1 try to crack key with PTW

  WEP and WPA-PSK cracking options:

      -w <words> : path to wordlist(s) filename(s)

  WPA-PSK options:

      -E <file>  : create EWSA Project file v3
      -J <file>  : create Hashcat Capture file
      -S         : WPA cracking speed test

  Other options:

      -u         : Displays # of CPUs & MMX/SSE support
      --help     : Displays this usage screen

airdecap-ng – Decrypt WEP/WPA/WPA2 capture files

root@kali:~# airdecap-ng --help

  Airdecap-ng 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe

  usage: airdecap-ng [options] <pcap file>

  Common options:
      -l         : don't remove the 802.11 header
      -b <bssid> : access point MAC address filter
      -e <essid> : target network SSID

  WEP specific option:
      -w <key>   : target network WEP key in hex

  WPA specific options:
      -p <pass>  : target network WPA passphrase
      -k <pmk>   : WPA Pairwise Master Key in hex

      --help     : Displays this usage screen

airdecloak-ng – Removes wep cloaking from a pcap file

root@kali:~# airdecloak-ng --help

  Airdecloak-ng 1.2 beta3 - (C) 2008-2013 Thomas d'Otreppe

  usage: airdecloak-ng [options]


     -i <file>             : Input capture file
     --ssid <ESSID>        : ESSID of the network to filter
     --bssid <BSSID>       : BSSID of the network to filter

     --filters <filters>   : Apply filters (separated by a comma). Filters:
           signal:               Try to filter based on signal.
           duplicate_sn:         Remove all duplicate sequence numbers
                                 for both the AP and the client.
           duplicate_sn_ap:      Remove duplicate sequence number for
                                 the AP only.
           duplicate_sn_client:  Remove duplicate sequence number for the
                                 client only.
           consecutive_sn:       Filter based on the fact that IV should
                                 be consecutive (only for AP).
           duplicate_iv:         Remove all duplicate IV.
           signal_dup_consec_sn: Use signal (if available), duplicate and
                                 consecutive sequence number (filtering is
                                  much more precise than using all these
                                  filters one by one).
     --null-packets        : Assume that null packets can be cloaked.
     --disable-base_filter : Do not apply base filter.
     --drop-frag           : Drop fragmented packets

     --help                : Displays this usage screen

airdriver-ng – Provides status information about the wireless drivers on your system

root@kali:~# airdriver-ng --help
Found kernel: 3.3.12-kali1-686-pae.3.12-kali1-686-pae
usage: airdriver-ng <command> [drivernumber]
    valid commands:
        supported       - lists all supported drivers
        kernel          - lists all in-kernel drivers
        installed       - lists all installed drivers
        loaded          - lists all loaded drivers
        insert <drivernum>  - inserts a driver
        load <drivernum>    - loads a driver
        unload <drivernum>  - unloads a driver
        reload <drivernum>  - reloads a driver
        compile <drivernum> - compiles a driver
        install <drivernum> - installs a driver
        remove <drivernum>  - removes a driver
        compile_stack <stacknum>    - compiles a stack
        install_stack <stacknum>    - installs a stack
        remove_stack <stacknum> - removes a stack
        install_firmware <drivernum>    - installs the firmware
        remove_firmware <drivernum> - removes the firmware
        details <drivernum> - prints driver details
        detect          - detects wireless cards

aireplay-ng – Primary function is to generate traffic for the later use in aircrack-ng

root@kali:~# aireplay-ng --help

  Aireplay-ng 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe

  usage: aireplay-ng <options> <replay interface>

  Filter options:

      -b bssid  : MAC address, Access Point
      -d dmac   : MAC address, Destination
      -s smac   : MAC address, Source
      -m len    : minimum packet length
      -n len    : maximum packet length
      -u type   : frame control, type    field
      -v subt   : frame control, subtype field
      -t tods   : frame control, To      DS bit
      -f fromds : frame control, From    DS bit
      -w iswep  : frame control, WEP     bit
      -D        : disable AP detection

  Replay options:

      -x nbpps  : number of packets per second
      -p fctrl  : set frame control word (hex)
      -a bssid  : set Access Point MAC address
      -c dmac   : set Destination  MAC address
      -h smac   : set Source       MAC address
      -g value  : change ring buffer size (default: 8)
      -F        : choose first matching packet

      Fakeauth attack options:

      -e essid  : set target AP SSID
      -o npckts : number of packets per burst (0=auto, default: 1)
      -q sec    : seconds between keep-alives
      -Q        : send reassociation requests
      -y prga   : keystream for shared key auth
      -T n      : exit after retry fake auth request n time

      Arp Replay attack options:

      -j        : inject FromDS packets

      Fragmentation attack options:

      -k IP     : set destination IP in fragments
      -l IP     : set source IP in fragments

      Test attack options:

      -B        : activates the bitrate test

  Source options:

      -i iface  : capture packets from this interface
      -r file   : extract packets from this pcap file

  Miscellaneous options:

      -R                    : disable /dev/rtc usage
      --ignore-negative-one : if the interface's channel can't be determined,
                              ignore the mismatch, needed for unpatched cfg80211

  Attack modes (numbers can still be used):

      --deauth      count : deauthenticate 1 or all stations (-0)
      --fakeauth    delay : fake authentication with AP (-1)
      --interactive       : interactive frame selection (-2)
      --arpreplay         : standard ARP-request replay (-3)
      --chopchop          : decrypt/chopchop WEP packet (-4)
      --fragment          : generates valid keystream   (-5)
      --caffe-latte       : query a client for new IVs  (-6)
      --cfrag             : fragments against a client  (-7)
      --migmode           : attacks WPA migration mode  (-8)
      --test              : tests injection and quality (-9)

      --help              : Displays this usage screen

airmon-ng – This script can be used to enable monitor mode on wireless interfaces

root@kali:~# airmon-ng --help

usage: airmon-ng <start|stop|check> <interface> [channel or frequency]

airmon-zc – This script can be used to enable monitor mode on wireless interfaces

root@kali:~# airmon-zc --help

usage: airmon-zc <start|stop|check> <interface> [channel or frequency]

airodump-ng – Used for packet capturing of raw 802.11 frames

root@kali:~# airodump-ng --help

  Airodump-ng 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe

  usage: airodump-ng <options> <interface>[,<interface>,...]

      --ivs                 : Save only captured IVs
      --gpsd                : Use GPSd
      --write      <prefix> : Dump file prefix
      -w                    : same as --write
      --beacons             : Record all beacons in dump file
      --update       <secs> : Display update delay in seconds
      --showack             : Prints ack/cts/rts statistics
      -h                    : Hides known stations for --showack
      -f            <msecs> : Time in ms between hopping channels
      --berlin       <secs> : Time before removing the AP/client
                              from the screen when no more packets
                              are received (Default: 120 seconds)
      -r             <file> : Read packets from that file
      -x            <msecs> : Active Scanning Simulation
      --manufacturer        : Display manufacturer from IEEE OUI list
      --uptime              : Display AP Uptime from Beacon Timestamp
                  <formats> : Output format. Possible values:
                              pcap, ivs, csv, gps, kismet, netxml
      --ignore-negative-one : Removes the message that says
                              fixed channel <interface>: -1

  Filter options:
      --encrypt   <suite>   : Filter APs by cipher suite
      --netmask <netmask>   : Filter APs by mask
      --bssid     <bssid>   : Filter APs by BSSID
      --essid     <essid>   : Filter APs by ESSID
      -a                    : Filter unassociated clients

  By default, airodump-ng hop on 2.4GHz channels.
  You can make it capture on other/specific channel(s) by using:
      --channel <channels>  : Capture on specific channels
      --band <abg>          : Band on which airodump-ng should hop
      -C    <frequencies>   : Uses these frequencies in MHz to hop
      --cswitch  <method>   : Set channel switching method
                    0       : FIFO (default)
                    1       : Round Robin
                    2       : Hop on last
      -s                    : same as --cswitch

      --help                : Displays this usage screen

airodump-ng-oui-update – Downloads and parses IEEE OUI list

airodump-ng-oui-updater downloads and parses IEEE OUI list.

airolib-ng – Designed to store and manage essid and password lists

root@kali:~# airolib-ng --help

  Airolib-ng 1.2 beta3 - (C) 2007, 2008, 2009 ebfe

  Usage: airolib-ng <database> <operation> [options]


       --stats        : Output information about the database.
       --sql <sql>    : Execute specified SQL statement.
       --clean [all]  : Clean the database from old junk. 'all' will also
                        reduce filesize if possible and run an integrity check.
       --batch        : Start batch-processing all combinations of ESSIDs
                        and passwords.
       --verify [all] : Verify a set of randomly chosen PMKs.
                        If 'all' is given, all invalid PMK will be deleted.

       --import [essid|passwd] <file>   :
                        Import a text file as a list of ESSIDs or passwords.
       --import cowpatty <file>         :
                        Import a cowpatty file.

       --export cowpatty <essid> <file> :
                        Export to a cowpatty file.

airserv-ng – A wireless card server

root@kali:~# airserv-ng --help
airserv-ng: invalid option -- '-'

  Airserv-ng 1.2 beta3 - (C) 2007, 2008, 2009 Andrea Bittau

  Usage: airserv-ng <options>


       -h         : This help screen
       -p  <port> : TCP port to listen on (default:666)
       -d <iface> : Wifi interface to use
       -c  <chan> : Channel to use
       -v <level> : Debug level (1 to 3; default: 1)

airtun-ng – Virtual tunnel interface creator

root@kali:~# airtun-ng --help

  Airtun-ng 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe
  Original work: Martin Beck

  usage: airtun-ng <options> <replay interface>

      -x nbpps         : number of packets per second (default: 100)
      -a bssid         : set Access Point MAC address
                       : In WDS Mode this sets the Receiver
      -i iface         : capture packets from this interface
      -y file          : read PRGA from this file
      -w wepkey        : use this WEP-KEY to encrypt packets
      -t tods          : send frames to AP (1) or to client (0)
                       : or tunnel them into a WDS/Bridge (2)
      -r file          : read frames out of pcap file

  WDS/Bridge Mode options:
      -s transmitter   : set Transmitter MAC address for WDS Mode
      -b               : bidirectional mode. This enables communication
                       : in Transmitter's AND Receiver's networks.
                       : Works only if you can see both stations.

  Repeater options:
      --repeat         : activates repeat mode
      --bssid <mac>    : BSSID to repeat
      --netmask <mask> : netmask for BSSID filter

      --help           : Displays this usage screen

besside-ng – Automatically crack WEP & WPA network

root@kali:~# besside-ng --help
besside-ng: invalid option -- '-'

  Besside-ng 1.2 beta3 - (C) 2010 Andrea Bittau

  Usage: besside-ng [options] <interface>


       -b <victim mac> : Victim BSSID
       -s <WPA server> : Upload wpa.cap for cracking
       -c       <chan> : chanlock
       -p       <pps>  : flood rate
       -W              : WPA only
       -v              : verbose, -vv for more, etc.
       -h              : This help screen


root@kali:~# buddy-ng -h

  Buddy-ng 1.2 beta3 - (C) 2007,2008 Andrea Bittau

  Usage: buddy-ng <options>


       -h        : This help screen
       -p        : Don't drop privileges

easside-ng – An auto-magic tool which allows you to communicate via an WEP-encrypted access point

root@kali:~# easside-ng -h

  Easside-ng 1.2 beta3 - (C) 2007, 2008, 2009 Andrea Bittau

  Usage: easside-ng <options>


       -h                : This help screen
       -v   <victim mac> : Victim BSSID
       -m      <src mac> : Source MAC address
       -i           <ip> : Source IP address
       -r    <router ip> : Router IP address
       -s     <buddy ip> : Buddy-ng IP address (mandatory)
       -f        <iface> : Interface to use (mandatory)
       -c      <channel> : Lock card to this channel
       -n                : Determine Internet IP only

ivstools – This tool handle .ivs files. You can either merge or convert them.

root@kali:~# ivstools

  ivsTools 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe

   usage: ivstools --convert <pcap file> <ivs output file>
        Extract ivs from a pcap file
       ivstools --merge <ivs file 1> <ivs file 2> .. <output file>
        Merge ivs files


root@kali:~# kstats
usage: kstats <ivs file> <104-bit key>

makeivs-ng – Generates initialization vectors

root@kali:~# makeivs-ng --help

  makeivs-ng 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe

  usage: makeivs-ng [options]

  Common options:
      -b <bssid> : Set access point MAC address
      -f <num>   : Number of first IV
      -k <key>   : Target network WEP key in hex
      -s <num>   : Seed used to setup random generator
      -w <file>  : Filename to write IVs into
      -c <num>   : Number of IVs to generate
      -d <num>   : Percentage of dupe IVs
      -e <num>   : Percentage of erroneous keystreams
      -l <num>   : Length of keystreams
      -n         : Ignores ignores weak IVs
      -p         : Uses prng algorithm to generate IVs

      --help     : Displays this usage screen

packetforge-ng – Create encrypted packets that can subsequently be used for injection

root@kali:~# packetforge-ng --help

  Packetforge-ng 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe
  Original work: Martin Beck

  Usage: packetforge-ng <mode> <options>

  Forge options:

      -p <fctrl>     : set frame control word (hex)
      -a <bssid>     : set Access Point MAC address
      -c <dmac>      : set Destination  MAC address
      -h <smac>      : set Source       MAC address
      -j             : set FromDS bit
      -o             : clear ToDS bit
      -e             : disables WEP encryption
      -k <ip[:port]> : set Destination IP [Port]
      -l <ip[:port]> : set Source      IP [Port]
      -t ttl         : set Time To Live
      -w <file>      : write packet to this pcap file
      -s <size>      : specify size of null packet
      -n <packets>   : set number of packets to generate

  Source options:

      -r <file>      : read packet from this raw file
      -y <file>      : read PRGA from this file


      --arp          : forge an ARP packet    (-0)
      --udp          : forge an UDP packet    (-1)
      --icmp         : forge an ICMP packet   (-2)
      --null         : build a null packet    (-3)
      --custom       : build a custom packet  (-9)

      --help         : Displays this usage screen

tkiptun-ng – This tool is able to inject a few frames into a WPA TKIP network with QoS

root@kali:~# tkiptun-ng --help

  Tkiptun-ng 1.2 beta3 - (C) 2008-2013 Thomas d'Otreppe

  usage: tkiptun-ng <options> <replay interface>

  Filter options:

      -d dmac   : MAC address, Destination
      -s smac   : MAC address, Source
      -m len    : minimum packet length (default: 80)
      -n len    : maximum packet length (default: 80)
      -t tods   : frame control, To      DS bit
      -f fromds : frame control, From    DS bit
      -D        : disable AP detection
      -Z        : select packets manually

  Replay options:

      -x nbpps  : number of packets per second
      -a bssid  : set Access Point MAC address
      -c dmac   : set Destination  MAC address
      -h smac   : set Source       MAC address
      -e essid  : set target AP SSID
      -M sec    : MIC error timout in seconds [60]

  Debug options:

      -K prga   : keystream for continuation
      -y file   : keystream-file for continuation
      -j        : inject FromDS packets
      -P pmk    : pmk for verification/vuln testing
      -p psk    : psk to calculate pmk with essid

  source options:

      -i iface  : capture packets from this interface
      -r file   : extract packets from this pcap file

      --help              : Displays this usage screen

wesside-ng – Auto-magic tool which incorporates a number of techniques to seamlessly obtain a WEP key

root@kali:~# wesside-ng -h

  Wesside-ng 1.2 beta3 - (C) 2007, 2008, 2009 Andrea Bittau

  Usage: wesside-ng <options>


       -h              : This help screen
       -i      <iface> : Interface to use (mandatory)
       -m      <my ip> : My IP address
       -n     <net ip> : Network IP address
       -a      <mymac> : Source MAC Address
       -c              : Do not crack the key
       -p   <min prga> : Minimum bytes of PRGA to gather
       -v <victim mac> : Victim BSSID
       -t  <threshold> : Cracking threshold
       -f   <max chan> : Highest scanned chan (default: 11)
       -k      <txnum> : Ignore acks and tx txnum times

wpaclean – Remove excess data from a pcap file

root@kali:~# wpaclean
Usage: wpaclean <out.cap> <in.cap> [in2.cap] [...]

airdriver-ng Usage Example

root@kali:~# airdriver-ng detect

USB devices (generic detection):
Bus 002 Device 009: ID 0846:9001 NetGear, Inc. WN111(v2) RangeMax Next Wireless [Atheros AR9170+AR9101]
Bus 001 Device 012: ID 050d:0017 Belkin Components B8T017 Bluetooth+EDR 2.1
Bus 001 Device 005: ID 0e0f:0008 VMware, Inc.

airmon-ng Usage Example

Start (start) monitor mode on the wireless interface (wlan0) on the desired channel (6):
root@kali:~# airmon-ng start wlan0 6

Interface   Chipset     Driver

wlan0       2-2: Atheros    carl9170 - [phy4]
                (monitor mode enabled on mon0)

airodump-ng Usage Example

Sniff on channel 6 (-c 6), filtering on a BSSID (–bssid 38:60:77:23:B1:CB), writing the capture to disk (-w capture), using the monitor mode interface (mon0):
root@kali:~# airodump-ng -c 6 --bssid 38:60:77:23:B1:CB -w capture mon0
 CH  6 ][ Elapsed: 4 s ][ 2014-05-15 17:21                                         
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 38:60:77:23:B1:CB  -79   0        7        0    0   6  54e  WPA2 CCMP   PSK  6EA10E                                                                       
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

aircrack-ng Usage Example

Using the provided wordlist (-w /usr/share/wordlists/nmap.lst), attempt to crack passwords in the capture file (capture-01.cap):
root@kali:~# aircrack-ng -w /usr/share/wordlists/nmap.lst capture-01.cap 
Opening capture-01.cap
Read 2 packets.

   #  BSSID              ESSID                     Encryption

   1  38:60:77:23:B1:CB  6EA10E                    No data - WEP or WPA

Choosing first network as target.

Opening capture-01.cap