Framework For Wireless Pentesting – SniffAir

Last Release: 09/07/2018    



SniffAir is an open-source wireless security framework which allows you to collect, manage and analyze wireless traffic. It also provides the ability to perform sophisticated wireless attacks. SniffAir takes care of the hassle associated with managing large or multiple pcap files while thoroughly cross-examining and analyzing the traffic, looking for potential security flaws or malicious traffic.

This open-source framework for wireless security assessments was presented by its developers, Matthew Eidelberg & Steven Daracott, at Hackfest 2017 and GrrCON 2018.

SniffAir: Open-source Wireless Security Framework

Along with the prebuilt queries, SniffAir allows you to create custom queries for analyzing the wireless data stored in the SQL database. These queries extract data for wireless penetration test reports. The data can also be leveraged in setting up the wireless attacks included in SniffAir as modules. It can perform automated brute-forcing on EAP and PSK networks, fake-portal-based phishing attacks, evil twin attacks, etc.

SniffAir Modules:

  • Auto EAP – Automated Brute-Force Login Attack Against EAP Networks
  • Auto PSK – Automated Brute-Force Passphrase Attack Against PSK Networks
  • AP Hunter – Discover Access Points Within a Certain Range Using a Specific Type of Encryption
  • Captive Portal – Web Based Login Portal to Capture User Entered Credentials (Runs as an OPEN Network)
  • Certificate Generator – Generates a Certificate Used by Evil Twin Attacks
  • Exporter – Exports Data Stored in a Workspace to a CSV File
  • Evil Twin – Creates a Fake Access Point, Clients Connect to Divulging MSCHAP Hashes or Cleartext Passwords
  • Handshaker – Parses Database or .pcapdump Files Extracting the Pre-Shared Handshake for Password Guessing (Hashcat or JTR Format)
  • Mac Changer – Changes The Mac Address of an Interface
  • Probe Packet – Sends Out Deauth Packets Targeting SSID(s)
  • Proof Packet – Parses Database or .pcapdump Files Extracting all Packets Related to the Inscope SSIDs
  • Hidden SSID – Discovers the Names of HIDDEN SSIDS
  • Suspicious AP – Looks for Access Points That Are on a Different Channel, or Use a Different Vendor or Encryption Type Than the Rest of the Network
  • Wigle Search SSID – Queries wigle for SSID (i.e. Bob’s wifi)
  • Wigle Search MAC – Queries wigle for all observations of a single mac address

How does it work?

  • SniffAir can use live capture, but it can also take one or more pcap files (offline data).
  • First of all, SniffAir identifies packets and groups them by type (access points, probe requests, probe responses, enterprise packets).
  • Once that’s done, it parses each packet, pulling out the important data and storing it in the database.
  • After parsing and storing, it compares and stores only unique values.
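
The store-only-unique-values step, combined with the kind of outlier check the Suspicious AP module is described as doing, can be sketched as follows. This is an added example, not SniffAir's code: the `access_points` table, its columns, the majority-vote baseline and the sample rows are all assumptions constructed for illustration.

```python
import sqlite3
from collections import Counter

# Constructed sample observations: (essid, bssid, vendor, channel, encryption).
# Table and column names are hypothetical, not SniffAir's real schema.
OBSERVATIONS = [
    ("CorpNet", "00:11:22:aa:00:01", "Cisco", 1, "WPA2-EAP"),
    ("CorpNet", "00:11:22:aa:00:02", "Cisco", 6, "WPA2-EAP"),
    ("CorpNet", "00:11:22:aa:00:03", "Cisco", 11, "WPA2-EAP"),
    ("CorpNet", "00:11:22:aa:00:01", "Cisco", 1, "WPA2-EAP"),  # repeated beacon
    ("CorpNet", "02:de:ad:be:ef:01", "Unknown", 6, "OPEN"),    # outlier
    ("Guest", "00:11:22:bb:00:01", "Cisco", 1, "OPEN"),
]

def load(observations):
    """Store each distinct observation once; repeats are ignored."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE access_points (
        essid TEXT, bssid TEXT, vendor TEXT, channel INTEGER, encryption TEXT,
        UNIQUE (essid, bssid, vendor, channel, encryption))""")
    db.executemany(
        "INSERT OR IGNORE INTO access_points VALUES (?, ?, ?, ?, ?)", observations)
    return db

def suspicious_aps(db, essid):
    """Return (bssid, reasons) for APs that deviate from the ESSID's majority."""
    rows = db.execute(
        "SELECT bssid, vendor, channel, encryption FROM access_points "
        "WHERE essid = ? ORDER BY bssid", (essid,)).fetchall()
    if len(rows) < 3:  # too few APs to establish a baseline
        return []
    vendor = Counter(r[1] for r in rows).most_common(1)[0][0]
    enc = Counter(r[3] for r in rows).most_common(1)[0][0]
    # Channels used by APs that match the baseline vendor and encryption.
    channels = {r[2] for r in rows if r[1] == vendor and r[3] == enc}
    findings = []
    for bssid, v, ch, e in rows:
        reasons = [name for name, odd in (("vendor", v != vendor),
                                          ("encryption", e != enc),
                                          ("channel", ch not in channels)) if odd]
        if reasons:
            findings.append((bssid, reasons))
    return findings

if __name__ == "__main__":
    for bssid, reasons in suspicious_aps(load(OBSERVATIONS), "CorpNet"):
        print(bssid, "differs in", ", ".join(reasons))
```
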


SniffAir was developed with Python 2.7. Tested and supported on:

Clone it from the GitHub repo:

$ git clone

To install, run the following:



To run SniffAir:

$ ./

Type help to list available commands:

                                                                    % *        ., %                         
                                                                    % ( ,#     (..# %                        
    /@@@@@&,    *@@%        &@,    @@#    /@@@@@@@@@   .@@@@@@@@@. ,/ # # (%%%* % (.(.  .@@     &@@@@@@%.    
  .@@&   *&@    %@@@@.      &@,    @@%    %@@,,,,,,,   ,@@,,,,,,,  .( % %  %%#  # % #   ,@@     @@(,,,#@@@.  
  %@%           %@@(@@.     &@,    @@%    %@@          ,@@          /* #   /*,   %.,,   ,@@     @@*     #@@  
  ,@@&          %@@ ,@@*    &@,    @@%    %@@          ,@@           .#   //#(,   (,    ,@@     @@*     &@%  
   .@@@@@.      %@@  .@@(   &@,    @@%    %@@%%%%%%*   ,@@%%%%%%#         (# ##.        ,@@     @@&%%%@@@%   
       *@@@@    %@@   .@@/  &@,    @@%    %@@,,,,,,    ,@@,,,,,,.        %#####%        ,@@     @@(,,%@@%    
          @@%   %@@     @@( &@,    @@%    %@@          ,@@              %  (*/  #       ,@@     @@*    @@@   
          %@%   %@@      @@&&@,    @@%    %@@          ,@@             %  #  .# .#      ,@@     @@*     @@%  
 .@@&/,,#@@@    %@@       &@@@,    @@%    %@@          ,@@            /(*       /(#     ,@@     @@*      @@# 
   *%@@@&*      *%#        ,%#     #%/    *%#           %%            #############.    .%#     #%.      .%% 
                                                                  (@Tyl0us & @theDarracott)

 >>  [default]# help
workspace                Manages workspaces (create, list, load, delete)
live_capture             Initiates a valid wireless interface to collect wireless pakcets to be parsed (requires the interface name)
offline_capture          Begins parsing wireless packets using a pcap file-kismet .pcapdump work best (requires the full path)
offline_capture_list     Begins parsing wireless packets using a list of pcap file-kismet .pcapdump work best (requires the full path)
query                    Executes a query on the contents of the acitve workspace
help                     Displays this help menu
clear                    Clears the screen
show                     Shows the contents of a table, specific information across all tables or the available modules
inscope                  Add ESSID to scope. inscope [ESSID]
SSID_Info                Displays all information (i.e all BSSID, Channels and Encrpytion) related to the inscope SSIDS
use                      Use a SniffAir module
info                     Displays all variable information regarding the selected module
set                      Sets a variable in module
exploit                  Runs the loaded module
run                      Runs the loaded module
exit                     Exit SniffAir
 >>  [default]#

To start, create a new workspace or load an existing one. Available workspace commands:

  • create <workspace>
  • load <workspace>
  • workspace list
  • delete <workspace>

>>  [default]# workspace
     Manages workspaces
 Command Option: workspaces [create|list|load|delete]
>>  [default]# workspace create demo
[+]  Workspace demo created

Example: Loading data

To load data into a desired workspace from a pcap file, use the following:

>>  [demo]# offline_capture <the full path to the pcap file>

To load a series of pcap files:

>> [demo]# offline_capture_list <the full path to the file containing the list of pcap file names>

If you want to capture live wireless traffic, use:

>> [demo]# live_capture <interface name>

Example: Module usage

You can use modules to analyze the data contained in the workspaces or to perform offensive wireless attacks. To list all available modules, use the show command:

>>  [demo]# show modules

Select one of them with use, then run the info command for details (example: Captive Portal):

>>  [demo]# use Captive Portal
>>  [demo][Captive Portal]# info
Globally Set Varibles
 Module: Captive Portal
 Template: Cisco (More to be added soon)
 >>  [demo][Captive Portal]# set Interface wlan0
 >>  [demo][Captive Portal]# set SSID demo
 >>  [demo][Captive Portal]# set Channel 1
 >>  [demo][Captive Portal]# info
Globally Set Varibles
 Module: Captive Portal
 Interface: wlan0
 SSID: demo
 Channel: 1
 Template: Cisco (More to be added soon)
 >>  [demo][Captive Portal]#

To export all information stored in a workspace’s tables, use the Exporter module.
