wifikit

WiFi pentesting toolkit for macOS and Linux (untested). Pure Rust, single binary, real-time interactive CLI.

Introduction

wifikit is a comprehensive WiFi pentesting toolkit for macOS (Apple Silicon and Intel) and Linux (untested), written purely in Rust. It offers a single-binary, real-time interactive command-line interface, eliminating the need for kernel extensions, aircrack-ng, or virtual machines.

Why This Exists

Traditional WiFi pentesting tools like aircrack-ng are Linux-centric and often require patched kernel drivers, which are incompatible with modern macOS, especially Apple Silicon. hashcat lacks Metal support, limiting it to CPU-only on Macs. Kismet and Wireshark are passive only, lacking injection and attack capabilities. wifikit solves this by communicating directly with WiFi chipsets over USB in userspace, requiring no root access beyond USB permissions.

Key Features and Use Cases

1. Scanner

  • Channel Hopping: Covers 2.4 GHz, 5 GHz, and 6 GHz (WiFi 6E) bands.
  • AP Discovery: Identifies access points with SSID, BSSID, channel, signal strength, and security protocols.
  • Client Tracking: Maps client/station associations.
  • Modes: Supports both active probing and passive-only scanning.
  • OUI Lookup: Integrates IEEE MA-L/MA-M/MA-S databases for vendor identification.

2. Attack Engines (10 Modules)

  • PMKID: Clientless WPA2 key extraction (no deauth, no disruption) with active association and EAPOL M1 capture.
  • WPS: PIN cracking via Pixie Dust (offline, seconds), brute force, or null PIN, featuring lockout detection and MAC rotation.
  • DoS: 14 types of denial-of-service attacks, from surgical to broad, including deauth, disassoc, flood attacks, and TKIP Michael.
  • Rogue AP: Creates fake access points (Open, Evil Twin, KARMA, MANA Loud, Known Beacons).
  • EAP: Targets enterprise networks with Evil Twin, credential harvesting (MSCHAPv2/LEAP/GTC/MD5), EAP downgrade, identity theft, and cert bypass attacks.
  • KRACK: Key reinstallation attacks targeting 11 CVEs, including 4-way handshake, group key, FT, TDLS, and WNM (with PN reuse detection).
  • FragAttacks: Exploits 12 CVEs related to frame aggregation/fragmentation vulnerabilities like A-MSDU injection, mixed key, cache poisoning, and plaintext injection.
  • WPA3: Implements Dragonblood SAE attacks (8 modes) such as timing side-channel, group/transition downgrade, SAE DoS, invalid curve, reflection, and anti-clogging.
  • Fuzzer: Protocol fuzzing for various domains (Frame/IE/EAP) with 9 mutation strategies and seedable RNG for reproducibility.

3. Capture & Export

  • Packet Capture: Full packet capture to pcap format during any operation.
  • Handshake Detection: Automatically detects and captures 4-way handshakes (WPA2, Group, FT, TDLS, WNM, SAE).
  • Export Formats: Supports export to hashcat (.hc22000), John, and asleap formats.
  • GPU Cracking Integration: Feeds directly into metal-crack for high-performance GPU cracking on Apple Silicon.

4. TX Feedback

  • Provides ACK/NACK reporting for injected frames, so delivery can be confirmed.
  • Supports per-rate optimization (CCK 1M for range, LDPC, STBC).
  • Offers TX power control up to 31 dBm (adapter dependent).

Supported Hardware

wifikit includes full userspace drivers for several chipsets, removing the need for airmon-ng:

  • RTL8812BU (802.11ac, 2.4 + 5 GHz): TP-Link Archer T4U V3, ASUS USB-AC53 Nano, Netgear A6100 (Production status).
  • RTL8812AU (802.11ac, 2.4 + 5 GHz): Alfa AWUS036ACH/AC, TP-Link Archer T4U V1/V2 (Production status).
  • RTL8852AU (802.11ax/WiFi 6, 2.4 + 5 GHz): Comfast CF-953AX, BrosTrend AX4L, ASUS USB-AX56 (Production status).
  • MT7921AU (802.11ax/WiFi 6E, 2.4 + 5 + 6 GHz): Fenvi FU-AX1800, COMFAST CF-952AX, Netgear A8000 (Production status).
  • MT7612U (802.11ac, 2.4 + 5 GHz): COMFAST CF-WU785AC, Netgear A6210 (Basic RX, limited features).

Usage

wifikit operates through an interactive TUI (Terminal User Interface). The workflow typically involves adapter selection, launching the scanner to build an AP/client map, selecting a target and an attack module, and then capturing handshakes for export. It supports multi-adapter operations, allowing simultaneous scanning and attacking.

Unique Selling Points

Its unique proposition lies in providing a robust, native, and real-time WiFi pentesting solution for macOS, especially leveraging Apple Silicon's architecture without the typical complexities of driver installation or virtualization. The pure Rust implementation emphasizes security and performance, and its direct USB chipset interaction simplifies deployment.
