Wireless Tools & Software

Hotspotter – Automatic wireless client penetration

Download: hotspotter-0.4.tar.gz
Author: Max Moser

Hotspotter passively monitors the network for probe request frames to identify the preferred networks of Windows XP clients, and compares them to a supplied list of common hotspot network names. If the probed network name matches a common hotspot name, Hotspotter will act as an access point to allow the client to authenticate and associate. Once associated, Hotspotter can be configured to run a command, possibly a script to kick off a DHCP daemon and other scanning against the new victim.

During a wireless assessment some time ago, I discovered a strange characteristic of the Microsoft Windows XP wireless client. It was possible to bring the client from a secure EAP/TLS network to an insecure one without any warnings from the operating system.

I discovered this was due to the configuration of multiple wireless profiles. One profile was established for the EAP/TLS network, and a second for the “ANY” network, using an empty network name (SSID). To evaluate this configuration, I established my own access point using the same SSID as the EAP/TLS network, without the privacy bit set (no encryption). Due to the configuration of the Windows XP client, I was able to force the client to switch to my network with a single deauthenticate frame; at which point the client reconnected to my “rogue” access point.

The victim station did not receive a warning from the operating system to indicate they left their production network, only a small indicator for temporary wireless signal. With this attack, I was able to force a client to leave their secure wireless network and reconnect to my rogue network, albeit at a loss of network connectivity. This allowed me to evaluate the host-based security of the victim host, without the protection of the EAP/TLS network. This behaviour seems to be fixed in Windows XP Service Pack 1.

I was unable to locate any documentation in the Microsoft Knowledge Base that indicated the resolution of this flaw, but there is a remaining vulnerability that can also be exploited based on configured wireless profiles. A Windows XP client will probe for all the preferred network names listed in the wireless client configuration during startup, powersave-wakeup and when the driver reports signal loss for the current network name. Many corporate wireless users configure Windows XP with a business profile (secure network profile) and several other network names including commercial hotspots and home networks (insecure network profiles). Due to this configuration, it is possible to force a client to disclose the list of configured profiles, and then establish a connection to a rogue network using one of the preferred network names.

Depending on the configuration of the wireless client, the client will display a bubble message indicating it has joined a different wireless network name. Once the target associates to the rogue network, it is possible to interact with the client directly. This may include port scanning the victim, exploiting Windows-based vulnerabilities or simulating an otherwise “real” network using faked services and intercepted DNS queries. Note that the Apple OS X client exhibits similar behaviour, although it has not been thoroughly tested at this time.
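The rogue access point described above (same SSID as the EAP/TLS network, privacy bit clear) is something a wireless IDS can spot from the beacon frames alone. The following is an added example, not code from Hotspotter, WIDZ or any other tool on this page: it parses the fixed fields and tagged parameters of an 802.11 beacon, then flags any beacon that advertises the protected network name from an unknown BSSID, without the privacy capability bit, or with privacy but no RSN element (WEP-only). The protected SSID `corp-eap`, the authorized BSSID list and the test frames are all constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List

# Hypothetical site policy, constructed for this example: the protected
# network name and the BSSIDs of the legitimate access points serving it.
PROTECTED_SSID = "corp-eap"
AUTHORIZED_BSSIDS = {"00:11:22:33:44:55"}

CAP_PRIVACY = 0x0010  # capability-info bit 4: WEP/RSN "privacy" required
TAG_SSID = 0          # information element id for the SSID
TAG_RSN = 48          # information element id for the RSN (WPA2) element


@dataclass
class Beacon:
    bssid: str
    ssid: str
    privacy: bool
    rsn: bool


def parse_beacon(frame: bytes) -> Beacon:
    """Parse an 802.11 beacon: 24-byte MAC header, 12 bytes of fixed fields,
    then a sequence of (tag, length, value) information elements."""
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon")
    if frame[0] & 0xFC != 0x80:  # type=management (00), subtype=beacon (1000)
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])  # addr3 carries the BSSID
    _timestamp, _interval, cap = struct.unpack_from("<QHH", frame, 24)
    ssid, rsn = "", False
    pos = 36
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        data = frame[pos + 2 : pos + 2 + length]
        if len(data) < length:
            break  # truncated element: stop rather than read past the frame
        if tag == TAG_SSID:
            ssid = data.decode("utf-8", "replace")
        elif tag == TAG_RSN:
            rsn = True
        pos += 2 + length
    return Beacon(bssid, ssid, bool(cap & CAP_PRIVACY), rsn)


def check_beacon(b: Beacon) -> List[str]:
    """Return findings for beacons that impersonate or weaken the protected SSID."""
    findings = []
    if b.ssid != PROTECTED_SSID:
        return findings  # other networks are out of scope for this check
    if b.bssid not in AUTHORIZED_BSSIDS:
        findings.append(f"unknown BSSID {b.bssid} advertising {b.ssid!r}")
    if not b.privacy:
        findings.append(f"{b.bssid} advertises {b.ssid!r} with privacy bit clear (open network)")
    elif not b.rsn:
        findings.append(f"{b.bssid} advertises {b.ssid!r} with privacy but no RSN element (WEP-only)")
    return findings


def build_beacon(bssid: str, ssid: str, privacy: bool, rsn: bool) -> bytes:
    """Construct a minimal beacon frame for testing (not a captured frame)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    cap = 0x0001 | (CAP_PRIVACY if privacy else 0)  # ESS bit plus optional privacy
    fixed = struct.pack("<QHH", 0, 100, cap)         # timestamp, interval, capabilities
    ies = bytes([TAG_SSID, len(ssid)]) + ssid.encode()
    if rsn:
        ies += bytes([TAG_RSN, 2]) + b"\x01\x00"  # RSN element with version field only
    return header + fixed + ies


def scan(frames: List[bytes]) -> List[str]:
    """Run the check over a batch of frames, skipping anything that is not a beacon."""
    out = []
    for f in frames:
        try:
            out.extend(check_beacon(parse_beacon(f)))
        except ValueError:
            continue
    return out


if __name__ == "__main__":
    sample = [
        build_beacon("00:11:22:33:44:55", "corp-eap", True, True),    # legitimate AP
        build_beacon("de:ad:be:ef:00:01", "corp-eap", False, False),  # open impersonator
        build_beacon("de:ad:be:ef:00:02", "hotspot", False, False),   # unrelated open AP
    ]
    for line in scan(sample):
        print("ALERT:", line)
```

In a deployment the frames would come from a monitor-mode capture; the parser deliberately stops at a truncated element instead of trusting the length byte, since malformed beacons are exactly what a sensor sees first.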

Wellenreiter – Wireless discovery / auditing

Authors: Max Moser, Steffen Kewitz, Martin J. Muench


Wellenreiter is a wireless network discovery and auditing tool. Prism2, Lucent, and Cisco based cards are supported. It is one of the easiest to use Linux wireless scanning tools available. No card configuration has to be done anymore. The whole look and feel is pretty self-explanatory. It can discover networks (BSS/IBSS), and detect ESSID broadcasting or non-broadcasting networks as well as their WEP capabilities and the manufacturer information automatically.

DHCP and ARP traffic are decoded and displayed to give you further information about the networks. A wireshark (formerly known as ethereal)/tcpdump-compatible dumpfile and an Application savefile will be automatically created. Using a supported GPS device and the gpsd you can track the location of the discovered networks.

The Wellenreiter project has started to move from Perl to C++. Currently there are two “flavours” of Wellenreiter available. One is the Perl/GTK based version, with all the described functionality. The second one is the Wellenreiter II C++ based flavour. Wellenreiter II will run on handheld mobile devices (Zaurus/iPaq/etc.) within the Opie or X11 graphical environment.


Ultimate Bluetooth Mobile Phone Spy Software Edition


Ultimate Bluetooth Mobile Phone Spy Software Edition 2008 will work on all mobile devices that are Bluetooth enabled. Not just phones but also laptops, computers, etc. YOU WILL RECEIVE SEPARATE SOFTWARE FOR OLD MODELS AND NEW MODELS (INCLUDING SYMBIAN PHONES). We don’t need to list compatible phones – this works on ALL phones!
Check what your kids, spouse, or partner are up to – and rest at peace!

Not just 1 program but an entire suite that will work on old phones, new phones, smart phones, java phones – on absolutely all of them!
NOTHING is logged, you leave absolutely NO TRACE of your spying activities!
This program is 100% software. You will NOT need to alter or modify your handset at all!

Ultimate Bluetooth Mobile Phone Spy Software Edition 2008

Extra Bonus!
2 extra bonus spy items!
* Bluetooth spy suite for your PC/laptop!
* A very special program that enables you to view incoming and outgoing e-mail for a given e-mail address.


WEP/WPA/WPA2 Dictionary Generator



A program to generate or manipulate several kinds of wordlists, to test how strong passwords, cookies, etc. are. Features:

– Incremental Brute Force (characters).
– The characters can be defined as numerical, alpha, alpha-numeric, alpha-numeric + symbols.
– Start and end number of characters that should be used to generate the wordlist.
– Open a wordlist and convert each word utilizing the “elite conversion”.
– Open a wordlist and convert each word to: caps on, caps off, only first caps on, inverted word.
– Generate a wordlist based on date of birth.
– Generate a wordlist from 2 to 4 incremental characters followed by birth.
– Generate a wordlist of default passwords used by Terra Provider (Brazil).
– Open a wordlist and increment (before or after) characters on each word.
– Generate a wordlist based on personal data.
– Open a file (Ex.: e-mail, article, information from MSN, ICQ, etc) and generate a wordlist.



Aircrack-ng is an 802.11 WEP and WPA-PSK key cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the all-new PTW attack, thus making the attack much faster compared to other WEP cracking tools. In fact, Aircrack-ng is a set of tools for auditing wireless networks.

Aircrack-ng is the next generation of aircrack with lots of new features:

*Better documentation (wiki, manpages) and support (Forum, trac, IRC: #aircrack-ng on Freenode).
*More cards/drivers supported
*More OS and platforms supported
*New WEP attack: PTW
*WEP dictionary attack
*Fragmentation attack
*Improved cracking speed
*Capture with multiple cards
*New tools: airtun-ng, packetforge-ng (improved arpforge), wesside-ng, easside-ng, airserv-ng, airolib-ng, airdriver-ng and airbase-ng
*Optimizations, other improvements and bug fixing

Aircrack-ng 0.9.2 with AirPcap support. Download


Wireshark is the world’s foremost network protocol analyzer, and is the de facto (and often de jure) standard across many industries and educational institutions.

Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.

Wireshark has a rich feature set which includes the following:

* Deep inspection of hundreds of protocols, with more being added all the time
* Live capture and offline analysis
* Standard three-pane packet browser
* Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
* Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
* The most powerful display filters in the industry
* Rich VoIP analysis
* Read/write many different capture file formats: tcpdump (libpcap), Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
* Capture files compressed with gzip can be decompressed on the fly
* Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
* Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
* Coloring rules can be applied to the packet list for quick, intuitive analysis
* Output can be exported to XML, PostScript®, CSV, or plain text

Wireshark with AirPcap support. Windows 2000/XP/2003/Vista Installer (.exe)

Cain & Abel

Cain & Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers some security aspects/weaknesses present in protocol standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, however it also ships some “non standard” utilities for Microsoft Windows users.

Cain & Abel has been developed in the hope that it will be useful for network administrators, teachers, security consultants/professionals, forensic staff, security software vendors, professional penetration testers and everyone else that plans to use it for ethical reasons. The author will not help or support any illegal activity done with this program. Be warned that there is the possibility that you will cause damages and/or loss of data using this software and that in no event shall the author be liable for such damages or loss of data. Please carefully read the License Agreement included in the program before using it.

The latest version is faster and contains a lot of new features like APR (ARP Poison Routing), which enables sniffing on switched LANs and Man-in-the-Middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS, and contains filters to capture credentials from a wide range of authentication mechanisms. The new version also ships routing-protocol authentication monitors and route extractors, dictionary and brute-force crackers for all common hashing algorithms and for several specific authentications, password/hash calculators, cryptanalysis attacks, password decoders and some not so common utilities related to network and system security.

Download Cain & Abel v4.9.16 for Windows NT/2000/XP


NetStumbler is a tool for Windows that allows you to detect Wireless Local Area Networks (WLANs) using 802.11b, 802.11a and 802.11g. It has many uses:

* Verify that your network is set up the way you intended.
* Find locations with poor coverage in your WLAN.
* Detect other networks that may be causing interference on your network.
* Detect unauthorized “rogue” access points in your workplace.
* Help aim directional antennas for long-haul WLAN links.
* Use it recreationally for WarDriving.

Download netstumbler 0.4.0

TrunkSniffer V1.0

TrunkSniffer is a revolutionary monitoring software for MPT1327 trunked radio networks. It works by sampling the audio from any radio receiver capable of tuning the frequencies of the control channels, and extracting and decoding the FSK data. This data is then presented in a very ergonomic and pleasing user interface, which makes monitoring these kinds of networks an excellent experience.

For the professional user, decoding of control frames can help in diagnosing network problems (registration failures, call timeouts, RU roaming, etc.).

TrunkSniffer Pro is now available, and a reduced, more economic version for the less demanding user will be available soon. The most remarkable features of TrunkSniffer Pro are:

* Decodes all common MPT1327 codewords, including SDMs
* Serial port control of one or two receivers
* Automatic tuning of the control channel and traffic channels
* Easy network management with network profiles
* Full filtering capabilities by creating fleets within the network
* Logging of decoded data to disk, with dated log files
* Call recording to .wav or .mp3
* Direct control over the sound card, for mute and volume control
* AudioTuner tool, which helps classify control channels and configure decoding for optimum performance
* Password-protected telnet server, which gives remote access to decoded data in real time


StumbVerter V1.5

StumbVerter is a standalone application which allows you to import Network Stumbler’s summary files into Microsoft’s MapPoint 2004 maps. The logged WAPs will be shown with small icons, their colour and shape relating to WEP mode and signal strength.

As the AP icons are created as MapPoint pushpins, the balloons contain other information, such as MAC address, signal strength, mode, etc. This balloon can also be used to write down useful information about the AP.

Download StumbVerter_V150.zip


If one access point is good, 53,000 must be better.

Black Alchemy’s Fake AP generates thousands of counterfeit 802.11b access points. Hide in plain sight amongst Fake AP’s cacophony of beacon frames. As part of a honeypot or as an instrument of your site security plan, Fake AP confuses Wardrivers, NetStumblers, Script Kiddies, and other undesirables.

Fake AP is a proof of concept released under the GPL.

Fake AP runs on Linux (tested on RedHat 7.3). For *BSD versions, see the links below.

Perl 5.6 or later

One or more Prism2/2.5/3 based 802.11b cards with the CVS version of the Host AP Driver for Intersil Prism2/2.5/3 working



WifiScanner is a tool that has been designed to discover wireless nodes (i.e. access points and wireless clients). It is distributed under the GPL License.
It works with Cisco® cards and Prism cards with the hostap driver or wlan-ng driver, prism54g, Hermes/Orinoco, Atheros, Centrino, …
An IDS system is integrated to detect anomalies such as MAC address spoofing (usurpation).



AirSnare is another tool to add to your Wireless Intrusion Detection Toolbox. AirSnare will alert you to unfriendly MAC addresses on your network and will also alert you to DHCP requests taking place. If AirSnare detects an unfriendly MAC address you have the option of tracking the MAC address’s access to IP addresses and ports, or of launching Ethereal upon a detection.



Included in airbase you will find an aircrack re-implementation, a distributed WEP cracker (now with FPGA support), a library to help you craft/parse 802.11 packets, and various other supporting utilities. At the core of airbase is a C++ library called libairware. It does as much boring work related to 802.11 as it can.


WIDZ – the Wireless 802.11b IDS

A beta version of the wireless IDS.


WIDZV1.5 – the Wireless IDS for 802.11b

It has loads of new functions. It detects rogue APs, monkey-jacks, null probes and floods, and has a MAC blacklist and ESSID blacklist so we can catch the obvious bad guys.


  1. Very excellent list of premium tools, it couldn’t be better!

  2. Predator_Crack says:

    excellent site thx.

  3. Anon says:

    I love you.


  6. Exactly where did you actually end up getting the points to
    publish “Wireless Tools & Software All Your Wireless Belongs
    To Us”? I appreciate it -Andres

  7. I was wondering if you ever thought of changing the layout of your blog?
    It’s very well written; I love what you’ve got to say.
    But maybe you could add a little more in the way of content
    so people could connect with it better. You’ve got
    an awful lot of text for only having one or two pictures.

    Maybe you could space it out better?

  8. sandeep says:

    which works fine with wps enabled router

  9. hhhhhhhhhhhh says:

    good site
