
wifite Explained — Automating Wireless Attacks End to End

⏱ approx. 20 min · 2026-06-02

wifite (now maintained as wifite2) is a Python-based Wi-Fi auditing tool that bundles wireless-attack tools — the aircrack-ng suite, reaver, bully, hcxdumptool, hashcat — behind a single command and runs them automatically. Originally released by derv82, it now ships by default in Kali Linux as wifite2. Instead of invoking each tool by hand in sequence, wifite walks the whole flow — "enable monitor mode → scan nearby APs → pick targets → deauth clients → capture handshakes / grab PMKIDs / run WPS attacks → crack" — with minimal interaction. It's best understood as an "orchestrator" for Wi-Fi attacks.

▸ For security beginners — just these three first

It looks complex, but the essence is three points. (1) wifite is "a wrapper that fully automates the chore of running individual Wi-Fi attack tools in the right order." It didn't invent new attacks — it tries existing tools smartly, in sequence. (2) Its mainstays are WPA/WPA2 handshake capture → offline dictionary attack, and the more recent, powerful PMKID attack (which obtains key-exchange material even with no clients present). (3) Firing it at someone else's Wi-Fi violates Japan's Radio Act and Unauthorised Computer Access Act (and the equivalents elsewhere). Learn only on your own AP or a contracted pentest target. — Build on that and open each section in turn.

01

What wifite is — its place as an automation front-end #

The key to understanding wifite is that wifite itself crafts almost no packets. The actual radio operations, captures, and analysis are all delegated to well-established existing tools. wifite's job is to invoke them in the right order with the right arguments, interpret the output, and choose the next move.

| Tool wifite calls under the hood | Role it plays |
|---|---|
| airmon-ng / iw | Switch the wireless interface into monitor mode |
| airodump-ng | Scan nearby APs / clients and capture handshakes |
| aireplay-ng | Inject deauth at clients (to force reconnection) |
| hcxdumptool / hcxpcapngtool | Capture PMKIDs and convert them to a hash format |
| reaver / bully | WPS PIN brute-force / Pixie-Dust attacks |
| aircrack-ng / hashcat | Offline cracking of captured handshakes / PMKIDs |
| tshark / cowpatty | Validate handshakes (is it a real 4-way handshake?) |

▸ Why a wrapper is valuable

Done manually, you bounce between five or six commands: enable monitor mode → scan → lock the channel → deauth in another terminal → confirm the handshake → convert the format → crack. wifite folds this into one workflow, and even handles judgment calls like iterating over multiple APs or moving on to the next target the moment one succeeds. If you use wifite after understanding "Deauthentication Attack" and the individual aircrack-ng commands, you can see exactly what is happening.

02

Legal and ethical considerations — read this first #

wifite is a tool that emits radio, forcibly disconnects (deauths) other people's clients, and breaks keys. Precisely because it runs so easily, you must clear the legal bar first. Firing wifite at someone else's Wi-Fi without permission can be a clearly illegal act under Japan's Radio Act and Unauthorised Computer Access Act, and the equivalents elsewhere.

▸ Targets you may use wifite against
  • An AP / home LAN you own and manage — a router you bought and set up yourself, an isolated learning lab
  • A target you have explicit written authorization for — a pentest or wireless-assessment contract where the scope (target SSIDs, time window, methods) is documented
  • Legitimate learning environments — a test AP you stood up at home, a hardware lab, anything the operator/owner permits

wifite's deauth can disconnect unrelated clients within range too. Even "just trying it" in a café or apartment building can expose you to Radio Act Article 109(2) (communications interference, up to 1 year imprisonment), the Unauthorised Computer Access Act, and — if you go as far as an Evil Twin — forcible obstruction of business. Always confirm the target and the authorization first.

▸ Hardware requirement — monitor mode + packet injection

wifite needs a wireless adapter that supports monitor mode and packet injection. Most built-in Wi-Fi cards don't support injection. Staple chipsets include the Atheros AR9271 (TP-Link TL-WN722N v1) and the Realtek RTL8812AU (5GHz-capable). In a VM you pass the USB adapter through.

03

The overall workflow — what wifite walks automatically #

Run sudo wifite with no arguments and roughly the following flow proceeds on its own.

1. Enable monitor mode
Auto-detects the wireless adapter and puts it into monitor mode via airmon-ng. Stops interfering processes (NetworkManager, etc.) as needed.
2. Scan nearby APs
Sweeps all channels and lists SSID / BSSID / encryption (WEP/WPA/WPA2/WPA3) / WPS presence / signal strength / connected client count. Press Ctrl-C to lock in targets.
3. Select targets
Pick one or several by number (all works too). APs with strong signal and WPS enabled have higher success rates, so they rank near the top.
4. Auto-select and run attacks
Tries the best attacks in order based on the encryption: for WPA, PMKID → handshake; if WPS is on, Pixie-Dust → PIN; for WEP, several methods. Deauths clients along the way to trigger reconnection.
5. Crack and save results
Cracks captured handshakes / PMKIDs with aircrack-ng / hashcat. Keys are appended to cracked.txt (or cracked.json), and handshakes are saved under hs/.
04

The four main attack methods #

From the target's encryption, wifite automatically picks among these attacks. Each differs in "what it grabs and how it breaks it."

| Attack | What it obtains | Client | Notes |
|---|---|---|---|
| PMKID | The AP's PMKID (1 frame) | Not needed | Clientless method published in 2018. Easiest |
| WPA handshake | 4-way handshake | Required | The classic. Deauth forces reconnection to capture |
| WPS Pixie-Dust | WPS PIN → PSK | Not needed | Seconds to minutes on weak implementations. Offline-ish |
| WEP | Large volume of IVs | Faster with one | Nearly extinct. Reliably broken in minutes |

① PMKID attack — works even with no clients present #

A method published in 2018 by hashcat developer atom (Jens Steube). Some WPA2 APs include the PMKID in the RSN information element of the first 4-way handshake message (EAPOL M1), which the AP sends as soon as a station associates. An attacker who grabs just that one frame obtains material for offline cracking — without waiting for a full handshake or for any client to exist. wifite collects PMKIDs with hcxdumptool and converts them to the hashcat format (mode 22000) with hcxpcapngtool.

▸ Why PMKID is "easy"

Traditional handshake capture requires "a connected client" + "deauthing it to force reconnection." It fails on an AP nobody is connected to at 3 a.m. PMKID only needs you to talk to the AP itself, so it works with zero clients. The catch: it only works on APs that return a PMKID for roaming, and some models don't.

② WPA/WPA2 handshake capture #

The most classic and reliable path. Deauth a connected client once to disconnect it, and capture the 4-way handshake (M1–M4) on automatic reconnection via airodump-ng. The captured handshake is then taken to an offline dictionary/GPU crack. After capture, wifite validates with tshark / cowpatty that it really is a valid handshake before saving. See the Deauthentication Attack article for the underlying mechanics.

③ WPS attacks (Pixie-Dust / PIN brute-force) #

Attacks against WPS (Wi-Fi Protected Setup)'s 8-digit PIN. Pixie-Dust exploits weak random-number generation in certain chipsets (Ralink/Realtek/Broadcom, etc.) that lets the nonces used in the PIN computation be guessed offline — when it works, it recovers the PSK itself in seconds to minutes. When Pixie-Dust fails, it falls back to PIN brute-forcing with reaver / bully (a flaw in the PIN structure shrinks the space to roughly 11,000 tries).

④ WEP cracking #

WEP's flaws — RC4 plus short IVs — mean collecting enough IVs lets the key be derived statistically. wifite inflates the IV count via ARP replay and the like, then breaks it with aircrack-ng once enough have accumulated. WEP APs barely exist anymore, but occasionally linger in old IoT / industrial gear.

05

Basic usage #

The minimal form is launching with no arguments. After that you just pick interactively.

Minimal automatic attack

$ sudo wifite
# → auto monitor mode → scan all channels
# → once the AP list appears, Ctrl-C to stop
# → enter the number(s) of the AP(s) to attack (e.g. 1,3 / all)
# → runs the right attacks in order based on the encryption

In practice you specify things like "narrow the target" and "pass a cracking wordlist" via options.

Common real-world patterns

# Attack only a specific SSID via WPA + a chosen dictionary
$ sudo wifite --essid "MyLabAP" --wpa --dict /usr/share/wordlists/rockyou.txt

# Go for clientless PMKID only (quiet)
$ sudo wifite --pmkid

# Try Pixie-Dust against WPS-enabled APs
$ sudo wifite --wps --pixie

▸ Where results are kept

Cracked keys are appended to cracked.txt in the working directory (list them with wifite --cracked). Captured handshakes / PMKIDs are saved under the hs/ directory as .cap / .22000, so you can continue cracking later with hashcat -m 22000.
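When you run wifite against your own AP as a self-assessment, the first thing worth knowing is whether what landed in hs/ was a clientless PMKID or a full EAPOL handshake, because the two point at different gaps (a PMKID says the AP hands out roaming material to anyone; a handshake says deauth worked, i.e. no PMF). The following is an added example, not code from wifite or hashcat: a small parser for the 22000 line format that summarises captures per ESSID. The sample lines, MAC addresses and hash values are constructed, not real captures.

```python
"""Added example (not wifite's or hashcat's own code): parse hashcat 22000
lines as wifite writes them under hs/ and report, per ESSID, whether the
capture was a clientless PMKID or a full EAPOL handshake. All sample lines
below are constructed; the MACs and hex digests are not real captures."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Field layout of a 22000 line (hashcat's documented hash-mode 22000 format):
#   WPA*TYPE*PMKID_OR_MIC*MAC_AP*MAC_STA*ESSID_HEX*ANONCE*EAPOL*MESSAGEPAIR
# TYPE 01 = PMKID (the last three fields are empty), TYPE 02 = EAPOL handshake.
FIELD_COUNT = 9


@dataclass
class Entry:
    kind: str                    # "PMKID" or "EAPOL"
    ap_mac: str
    sta_mac: str
    essid: str
    message_pair: Optional[int]  # EAPOL only: raw value of the last field


def _fmt_mac(raw):
    """Turn 'aabbccddeeff' into 'aa:bb:cc:dd:ee:ff'."""
    if len(raw) != 12:
        raise ValueError(f"bad MAC field: {raw!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_22000_line(line):
    fields = line.strip().split("*")
    if len(fields) != FIELD_COUNT or fields[0] != "WPA":
        raise ValueError(f"not a 22000 line: {line!r}")
    _, typ, digest, ap, sta, essid_hex, _anonce, _eapol, pair = fields
    if len(digest) != 32:
        raise ValueError("PMKID/MIC field must be 16 bytes of hex")
    if typ == "01":
        kind, mp = "PMKID", None
    elif typ == "02":
        kind, mp = "EAPOL", int(pair, 16)
    else:
        raise ValueError(f"unknown 22000 type {typ!r}")
    essid = bytes.fromhex(essid_hex).decode("utf-8", errors="replace")
    return Entry(kind, _fmt_mac(ap), _fmt_mac(sta), essid, mp)


def summarize(lines):
    """Return {essid: {"PMKID": n, "EAPOL": n}} over all non-empty lines."""
    counts = defaultdict(lambda: {"PMKID": 0, "EAPOL": 0})
    for line in lines:
        if not line.strip():
            continue
        entry = parse_22000_line(line)
        counts[entry.essid][entry.kind] += 1
    return dict(counts)


# Constructed sample file contents for ESSID "MyLabAP" (hex 4d794c61624150):
# one PMKID line and one EAPOL handshake line from the same AP/client pair.
SAMPLE = """\
WPA*01*0123456789abcdef0123456789abcdef*aabbccddeeff*112233445566*4d794c61624150***
WPA*02*fedcba9876543210fedcba9876543210*aabbccddeeff*112233445566*4d794c61624150*{anonce}*{eapol}*02
""".format(anonce="ab" * 32, eapol="0103007502010a00" + "00" * 20)

if __name__ == "__main__":
    for essid, c in summarize(SAMPLE.splitlines()).items():
        print(f"{essid}: {c['PMKID']} PMKID, {c['EAPOL']} EAPOL handshake(s)")
```

Feed it the contents of a .22000 file from hs/ instead of SAMPLE to get the same per-ESSID breakdown for a real self-assessment.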

06

Key options #

wifite runs with no arguments, but it becomes far more practical once you learn to narrow targets and restrict the attack method.

| Option | Effect |
|---|---|
| -i wlan1 | Explicitly set the wireless interface (required with multiple adapters) |
| --essid "Name" | Limit the target by SSID name (--bssid AA:BB:.. targets by MAC) |
| -c 6 | Lock scan/attack to a specific channel (faster, avoids stray hits) |
| --wpa / --wps / --wep | Target only APs with that encryption |
| --pmkid | Run the PMKID attack only (clientless, quiet) |
| --pixie | WPS via Pixie-Dust only (don't fall back to PIN brute-force) |
| --dict | Specify the cracking wordlist (default wordlist-probable.txt) |
| --kill | Stop interfering processes (NetworkManager/wpa_supplicant) |
| -mac / --random-mac | Randomize the adapter MAC before attacking (anti-forensics) |
| --no-deauth | Never send deauth (passively wait for handshakes) |
| --num-deauths 5 | Tune the number of deauths sent per round |
| -5 / --5ghz | Include the 5GHz band in scanning (assumes a capable adapter) |
| --cracked | List keys broken so far (cracked.txt) |

▸ The practical playbook — narrow from "quiet" to "reliable"

(1) First try --pmkid for a quiet, clientless, deauth-free grab → (2) if that fails, use --wpa for handshake capture (with the minimum necessary deauth) → (3) on WPS-enabled APs, run a short Pixie-Dust with --wps --pixie. Rather than blasting deauth in all directions from the start, narrowing the target and restricting the method reduces both collateral damage to unrelated clients (= legal risk) and detection.

07

wifite from the defender's side — detection and mitigation #

Each of wifite's attacks leaves a clear trail from the defender's point of view. Here's what to block and which attack it neutralizes.

| Mitigation | Attack it neutralizes | Notes |
|---|---|---|
| Enable WPA3 / PMF (802.11w) | Deauth / handshake capture | Management-frame protection makes deauth ineffective |
| Disable WPS | Pixie-Dust / PIN brute-force | Keeping WPS off is the iron rule |
| Long, complex PSK | Cracking PMKID / handshake | Even if grabbed, no harm if the dictionary can't crack it |
| Abolish WEP entirely | WEP cracking | The only fix is migrating to WPA2/WPA3 |
| Monitor deauth with WIDS | Detecting the attack | Kismet / commercial AP anomaly detection |

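The last row of the table is the only one that is detection rather than configuration, so it is worth seeing what the detection logic actually looks like. The following is an added example, not part of the article and not Kismet's or any vendor's code: a minimal deauth-burst detector of the kind a WIDS sensor runs over monitor-mode frames. It flags a BSSID that receives many unprotected deauth/disassoc frames inside a short window, which is what the handshake-capture step looks like on the air, and ignores PMF-protected frames, which a forger cannot produce. The frame records, MAC addresses, window and threshold are all constructed or assumed.

```python
"""Added example, not from the article or any WIDS product: detect bursts of
unprotected deauth/disassoc frames per BSSID, as a monitor-mode sensor would
see them. Frame records, MACs, window and threshold are constructed/assumed."""
from collections import defaultdict, deque
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    ts: float                 # capture time in seconds
    subtype: str              # "deauth", "disassoc", "assoc_req", "data", ...
    bssid: str
    dst: str
    protected: bool = False   # True when the frame carries a PMF (802.11w) MIC


def detect_deauth_bursts(frames, window=5.0, threshold=10):
    """Return one alert per burst: (bssid, burst_start, count, broadcast_seen).

    Only unprotected deauth/disassoc frames count. With PMF required, the
    AP's own ones are integrity-protected and clients discard forged ones,
    so an unprotected flood is either attacker traffic or a misconfigured AP.
    """
    recent = defaultdict(deque)     # bssid -> timestamps inside the window
    broadcast = defaultdict(bool)   # bssid -> a broadcast deauth was seen
    last_alert = {}                 # bssid -> ts of the frame that last alerted
    alerts = []
    for f in sorted(frames, key=lambda fr: fr.ts):
        if f.subtype not in ("deauth", "disassoc") or f.protected:
            continue
        q = recent[f.bssid]
        q.append(f.ts)
        while q and f.ts - q[0] > window:   # slide the window forward
            q.popleft()
        if f.dst == BROADCAST:
            broadcast[f.bssid] = True
        # Raise once per burst: stay quiet while the window still contains
        # the frame that triggered the previous alert for this BSSID.
        if len(q) >= threshold and last_alert.get(f.bssid, float("-inf")) < q[0]:
            alerts.append((f.bssid, q[0], len(q), broadcast[f.bssid]))
            last_alert[f.bssid] = f.ts
            broadcast[f.bssid] = False
    return alerts


def sample_frames():
    """Constructed capture: sparse benign deauths, one 12-frame broadcast burst
    against AP A, and a PMF-protected burst against AP B that must be ignored."""
    ap_a, ap_b = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"
    client = "11:22:33:44:55:66"
    frames = [Frame(t, "deauth", ap_a, client) for t in (10.0, 40.0, 70.0)]
    frames += [Frame(100.0 + i * 0.1, "deauth", ap_a, BROADCAST) for i in range(12)]
    frames += [Frame(101.5, "assoc_req", ap_a, ap_a)]   # client reconnecting
    frames += [Frame(100.0 + i * 0.1, "deauth", ap_b, client, protected=True)
               for i in range(12)]
    return frames


if __name__ == "__main__":
    for bssid, start, count, bcast in detect_deauth_bursts(sample_frames()):
        print(f"ALERT {bssid}: {count} unprotected deauths from t={start:.1f}s"
              f"{' (broadcast)' if bcast else ''}")
```

In a real sensor the frames come from a monitor-mode capture rather than sample_frames(); the window and threshold should be tuned to the site, since a roaming-heavy office produces more legitimate deauths than a home lab.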
▸ The point for defenders

Everything wifite exploits is an old hole you can close with configuration. With three things in place — (1) WPA3 (or WPA2 + PMF Required), (2) WPS off, (3) a sufficiently long, unguessable PSK — wifite's main attacks largely stop working. Conversely, an AP wifite breaks easily is missing these basic settings. Firing wifite at your own AP is a quick self-assessment that surfaces the gaps in your configuration.
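The three settings above are all things you can check mechanically in an AP's configuration. The following is an added example, not from the article or from hostapd, that audits a hostapd.conf against them (WPA3 or WPA2 with PMF required, WPS off, a long PSK) plus the WEP and TKIP leftovers the other attacks rely on, and shows a weak configuration beside its corrected form. Both configuration texts are constructed, and the 16-character passphrase floor is an assumed local policy rather than a hostapd requirement (hostapd accepts 8 to 63 characters).

```python
"""Added example, not from the article or hostapd: audit a hostapd.conf for
the settings wifite's attacks depend on. Config texts are constructed; the
MIN_PASSPHRASE floor is an assumed policy, not a hostapd rule."""

MIN_PASSPHRASE = 16   # assumed policy floor; length is a proxy, not entropy


def parse_hostapd(text):
    """Minimal key=value parser that ignores comments and blank lines."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg):
    """Return findings as (setting, problem, attack it leaves open)."""
    findings = []
    wpa = int(cfg.get("wpa", "0"))   # hostapd bitfield: 1 = WPA, 2 = WPA2/RSN
    if any(k.startswith("wep_key") for k in cfg):
        findings.append(("wep_key*", "WEP keys configured", "WEP IV cracking"))
    if wpa == 0:
        findings.append(("wpa", "no WPA/WPA2 at all (open or WEP)", "sniffing / WEP cracking"))
    if wpa & 1:
        findings.append(("wpa", "legacy WPA (v1) enabled", "TKIP-era attacks"))
    pairwise = cfg.get("wpa_pairwise", "") + " " + cfg.get("rsn_pairwise", "")
    if "TKIP" in pairwise:
        findings.append(("wpa_pairwise/rsn_pairwise", "TKIP allowed", "weak cipher"))
    if cfg.get("ieee80211w", "0") != "2":   # 0 = off, 1 = optional, 2 = required
        findings.append(("ieee80211w", "PMF not required (needs 2)", "deauth / handshake capture"))
    if cfg.get("wps_state", "0") != "0":
        findings.append(("wps_state", "WPS enabled", "Pixie-Dust / PIN brute-force"))
    key_mgmt = cfg.get("wpa_key_mgmt", "")
    if "WPA-PSK" in key_mgmt and len(cfg.get("wpa_passphrase", "")) < MIN_PASSPHRASE:
        findings.append(("wpa_passphrase", f"shorter than {MIN_PASSPHRASE} chars",
                         "offline PMKID / handshake cracking"))
    return findings


# Constructed: the kind of AP wifite breaks easily.
WEAK_CONF = """\
interface=wlan0
ssid=MyLabAP
hw_mode=g
channel=6
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
wpa_passphrase=password1
wps_state=2
ieee80211w=0
"""

# Constructed: WPA2/WPA3 transition with PMF required, WPS off, long PSK.
HARDENED_CONF = """\
interface=wlan0
ssid=MyLabAP
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK SAE
rsn_pairwise=CCMP
wpa_passphrase=lab-ap-2026-tangerine-vortex-keyboard
sae_password=lab-ap-2026-tangerine-vortex-keyboard
ieee80211w=2
wps_state=0
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for setting, problem, attack in audit(parse_hostapd(text)) or [("-", "no findings", "-")]:
            print(f"  {setting}: {problem} -> {attack}")
```

Pointing parse_hostapd at your own AP's file reproduces the section's self-assessment without any radio: every finding maps to a row in the mitigation table above.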

08

Where it sits among similar tools #

There are many wireless-attack tools, but wifite occupies a distinct layer: "an automated orchestrator that bundles existing tools."

| Tool | Layer | Characteristics |
|---|---|---|
| wifite / wifite2 | Automation front-end | Bundles aircrack-ng et al. fully automatically. Best opening move |
| aircrack-ng suite | Foundational tools | The industry standard. For fine manual control |
| hcxdumptool / hcxtools | PMKID-focused | The original for clientless PMKID collection |
| reaver / bully | WPS-focused | Dedicated implementations of WPS PIN / Pixie-Dust |
| bettercap | Versatile MITM | A general framework including Wi-Fi. GUI/interactive |
| airgeddon | Menu-driven wrapper | Close to wifite, but also covers Evil Twin / WPA3 downgrade |

▸ How to think about getting good with wifite

wifite is most efficient as a "broad and shallow" opening move to learn what's grabbable. The playbook is two-staged: take the captured handshakes / PMKIDs home and do the serious GPU cracking with hashcat. Meanwhile, intricate scenarios like Evil Twin or WPA Enterprise (EAP) attacks are outside wifite's wheelhouse — switch to dedicated tools like airgeddon / EAPHammer / bettercap. If you understand both the convenience of automation and what's happening underneath, you can drop down to the manual tools and isolate the cause when wifite stalls.

09

Summary #

  • wifite (wifite2) is a Wi-Fi auditing tool that bundles aircrack-ng / reaver / bully / hcxdumptool / hashcat behind a single command and runs them automatically. Not a new attack — a smart orchestrator of existing tools
  • It auto-selects attacks from the encryption. The mainstays are clientless PMKID and WPA handshake capture → offline cracking; Pixie-Dust / PIN brute-force when WPS is on, and IV collection for WEP
  • In practice, narrow the target and method: --pmkid (quiet) → --wpa (reliable) → --wps --pixie. This minimizes collateral damage and detection
  • Defense is largely a shutout with three points: WPA3 / PMF + WPS off + a strong PSK. An AP wifite breaks is proof those basics are missing
  • It requires a monitor-mode, injection-capable adapter. And firing it at someone else's Wi-Fi violates Japan's Radio Act Article 109(2) / Unauthorised Computer Access Act. Learn only on your own AP or a contracted pentest target