1. User Guide

rage edited this page Feb 24, 2024 · 6 revisions

AO can seem overwhelming at first view. This guide should help you understand the information presented to you when running the tool.

current as of v0.8.3

Default Behavior

sudo angryoxide -i wlan0

When only the network interface is specified, AngryOxide runs autonomously and actively on channels 1, 6, and 11, with zero regard for nearby networks: with no target specified, it will attack everything it sees on those channels.

The purpose of this tool is NOT to act as a denial of service, and by default it will still rate-limit attacks to be as undetectable by users as possible while remaining effective in producing valid hashlines.

You can learn about the attack methodology and types at the Attack Summaries page.

You can customize the behavior of AO using the command-line arguments listed in the --help output.

Help

❯ angryoxide --help
Does awesome things... with wifi.

Usage: angryoxide [OPTIONS] --interface <INTERFACE>

Options:
  -i, --interface <INTERFACE>     Interface to use
  -c, --channel <CHANNEL>         Optional - Channel to scan. Will use "-c 1,6,11" if none specified
  -b, --band <2 | 5 | 6 | 60>     Optional - Entire band to scan - will include all channels interface can support
  -o, --output <Output Filename>  Optional - Output filename
  -h, --help                      Print help
  -V, --version                   Print version

Targeting:
  -t <MAC Address or SSID>          Optional - Target (MAC or SSID) to attack - will attack everything if none specified
  -w <MAC Address or SSID>          Optional - Whitelist (MAC or SSID) to NOT attack
      --targetlist <Targets File>   Optional - File to load target entries from
      --whitelist <Whitelist File>  Optional - File to load whitelist entries from

Advanced Options:
  -r, --rate <1 | 2 | 3>              Optional - Attack rate (1, 2, 3 || 3 is most aggressive) [default: 2]
      --combine                       Optional - Combine all hc22000 files into one large file for bulk processing
      --noactive                      Optional - Disable Active Monitor mode
      --rogue <MAC Address>           Optional - Tx MAC for rogue-based attacks - will randomize if excluded
      --gpsd <IP:PORT>                Optional - Alter default HOST:Port for GPSD connection [default: 127.0.0.1:2947]
      --autohunt                      Optional - AO will auto-hunt all channels then lock in on the ones targets are on
      --headless                      Optional - Set the tool to headless mode without a UI. (useful with --autoexit)
      --autoexit                      Optional - AO will auto-exit when all targets have a valid hashline
      --notransmit                    Optional - Do not transmit - passive only
      --nodeauth                      Optional - Do NOT send deauths (will try other attacks only)
      --notar                         Optional - Do not tar output files
      --dwell <Dwell Time (seconds)>  Optional - Adjust channel hop dwell time [default: 2]

UI

Status Bar:

Information / Description:

  • Interfaces: The interface AngryOxide is currently running with.
  • MacAddr: The MAC Address that AngryOxide is using for rogue messages (Both as an AP and Client, unless "shadowing" another device).
  • Frequency: The current frequency/channel AngryOxide is running on.
  • Runtime: The runtime of the tool in HOURS : MINUTES : SECONDS.
  • Frames #: The number of frames collected and processed by AngryOxide to this point.
  • Rate: The number of frames processed in the last second. This is NOT averaged.
  • ERs: The number of times in the last second AngryOxide has emptied the socket buffer (no more packets to process). A high number is an indicator of good processing speed; 0 means we are behind and may start to drop frames.
  • UI: Whether or not the UI is Paused or Running. Paused simply means the UI isn't getting updates, making it easy to read or copy from.

Access Points Panel

The Access Points panel holds all the information about Access Points and any detected associated clients. You will also get a details panel with WPS information and the OUI from the MAC Address.

Columns / Rows:

  • TGT: This AP has been identified as a Target.
  • MAC Address: The MAC Address of the Access Point
  • CH: The channel the AP was last detected on. This is the channel broadcast by the AP, not the channel we were on when we saw it.
  • RSSI: The last RSSI value of the AP in dBm (Blank means we have not detected a frame FROM this AP yet, just TO).
  • Last: The elapsed time since we last saw a frame from this AP.
  • SSID: The SSID of the AP. Blank indicates we have not seen this yet, or that it is Hidden. A hidden SSID will eventually be displayed if we detect it.
  • Clients: The number of clients this AP has.
  • Tx: The number of times we have transmitted frames (attacked) this AP (or client).
  • 4wHS: A check here means we have collected a complete (validated) Four Way Handshake for this AP.
  • PMKID: A check here means we have collected a PMKID (validated) for this AP.

Stations Panel

The stations panel holds all information about unassociated stations that AngryOxide has collected.

Columns / Rows:

  • MAC Address: The MAC Address of the station, or a list of Probes we have seen from this station.
  • RSSI: The last RSSI value of the station.
  • Last: The elapsed time since we last saw a frame from this station.
  • Tx: The number of times we have transmitted frames (attacked) this station.
  • Rogue M2: A check here means we have collected a valid M1/M2 as a Rogue AP from this station (and the network it was for).
  • Probes: The number of probes we have seen from this station.

Handshakes Panel

The handshakes panel holds all information about EAPOL Messages AngryOxide has seen, organized into their respective Handshakes.

The Handshakes list is a collection of every EAPOL message that is seen, i.e. every check mark is a unique EAPOL message. Check marks that are aggregated into a single row are assessed to be part of a single authentication sequence. The goal is to receive EAPOL messages, validate that they belong to the same sequence using several validation techniques, and then confirm that we have all required parts of that sequence to form a valid hashline. This is when they are marked as "OK". Seeing lots of EAPOL messages is the result of multiple sequences existing, and can be caused by frame retries or multiple attack attempts. When an AP has a 4wHS or PMKID it is no longer attacked, but you may still see passively collected EAPOL for that network.

TL;DR: When a handshake says "OK" you will generate a .hc22000 file ready to be cracked.

It is important to note that AO is conducting several types of logical validation to ensure all Handshakes listed here are valid:

  • Temporal Validation
  • Nonce Validation
  • ReplayCount Validation
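
The three checks named above can be illustrated with the general four-way-handshake rules. This is an added example, not AngryOxide's code: the `Eapol` record, the `MAX_GAP` window and the completeness rule are assumptions, and the sample messages are constructed.

```python
from dataclasses import dataclass

MAX_GAP = 2.0  # assumed window in seconds; the page does not give AO's value

@dataclass
class Eapol:
    msg: int       # 1..4, position in the four-way handshake
    ts: float      # capture timestamp in seconds
    replay: int    # EAPOL-Key replay counter
    nonce: bytes   # ANonce in M1/M3, SNonce in M2

def validate(msgs):
    """Return (ok, reasons) for one candidate sequence (one of each message at most)."""
    by = {m.msg: m for m in msgs}
    reasons = []
    # Temporal: messages must arrive in order and close together.
    ordered = sorted(msgs, key=lambda m: m.msg)
    for a, b in zip(ordered, ordered[1:]):
        gap = b.ts - a.ts
        if not 0 <= gap <= MAX_GAP:
            reasons.append(f"temporal: M{a.msg}->M{b.msg} gap {gap:.2f}s")
    # ReplayCount: M2 echoes M1, M3 is one past M2, M4 echoes M3.
    for first, second, delta in ((1, 2, 0), (2, 3, 1), (3, 4, 0)):
        if first in by and second in by:
            if by[second].replay != by[first].replay + delta:
                reasons.append(f"replay: M{second} is not M{first}+{delta}")
    # Nonce: the AP sends the same ANonce in M1 and M3.
    if 1 in by and 3 in by and by[1].nonce != by[3].nonce:
        reasons.append("nonce: ANonce differs between M1 and M3")
    # Completeness (assumed rule): M2 plus an ANonce source, M1 or M3.
    if 2 not in by or not ({1, 3} & by.keys()):
        reasons.append("incomplete: need M2 with M1 or M3")
    return (not reasons, reasons)

# Constructed sample: a clean exchange, and an M2 that answers a different M1.
AN, SN = bytes(28) + b"\x00\x00\x00\x01", bytes(28) + b"\x00\x00\x00\x02"
CLEAN = [Eapol(1, 10.00, 5, AN), Eapol(2, 10.01, 5, SN),
         Eapol(3, 10.02, 6, AN), Eapol(4, 10.03, 6, bytes(32))]
MIXED = [Eapol(1, 10.00, 5, AN), Eapol(2, 14.50, 7, SN)]

if __name__ == "__main__":
    print(validate(CLEAN))
    print(validate(MIXED))
```
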

Columns:

  • Timestamp: The timestamp of the LAST message of the 4wHS.
  • AP MAC: The MAC Address of the Access Point
  • Client: The MAC Address of the Client
  • SSID: The SSID of the network being authenticated with.
  • M1: A check here indicates that this handshake contains an EAPOL Message 1.
  • M2: A check here indicates that this handshake contains an EAPOL Message 2.
  • M3: A check here indicates that this handshake contains an EAPOL Message 3.
  • M4: A check here indicates that this handshake contains an EAPOL Message 4.
  • PM: A check here indicates that this handshake contains a PMKID.
  • OK: A check here indicates that this is a complete handshake that will generate a valid hash line. (We have all the parts we need)
  • NC: This column indicates Nonce Correction. Possible values:
  1. Check Mark: This handshake is marked for Nonce Correction, with no indicator for endianness.
  2. BE: This handshake is marked for Nonce Correction and the Nonce values indicate Big Endian.
  3. LE: This handshake is marked for Nonce Correction and the Nonce values indicate Little Endian.
  4. RG: This handshake was acquired using an AP-less attack (RogueM2) and is marked as such.

Selected Row:

The selected row shows useful information about the FourWayHandshake:

  • Relative: This is the relative time of the EAPOL messages.
  • MIC: This is the Message Integrity Code of the EAPOL message.
  • ReplayCounter: This is the Replay Counter value of the EAPOL message.
  • Nonce: This is the last four bytes of the Nonce (ANonce or SNonce) in the EAPOL message.
  • M1: A check here indicates that this EAPOL is an EAPOL Message 1.
  • M2: A check here indicates that this EAPOL is an EAPOL Message 2.
  • M3: A check here indicates that this EAPOL is an EAPOL Message 3.
  • M4: A check here indicates that this EAPOL is an EAPOL Message 4.
  • PM: A check here indicates this message contained a PMKID.

Targets

Targets in AO can be used as a way to limit your interactions to a set of Access Points.

You can add targets on the command line by supplying them with the -t or --target parameter:

angryoxide -i wlan0 -t aabbccddeeff -t 112233445566 -t AA:BB:CC:11:22:33 -t SSID -t 'SSID-*'

You can also add targets from within the UI by highlighting an access point and hitting "t" on your keyboard. This will add that MAC Address as a target, and it will still proliferate.

An important note about targets is that they automatically proliferate: when the SSID associated with a MAC target is found, that SSID is automatically added as a target. If another MAC is found with the SAME SSID, that MAC is automatically added as a target too. This allows you to target multiple Access Points based on a single starting MAC or SSID.

SSID Targets:

SSID Targets are used to match against Access Point SSIDs. Glob-matching is supported, with the following glob characters:

? matches any single character. (If the literal_separator option is enabled, then ? can never match a path separator.)
* matches zero or more characters. (If the literal_separator option is enabled, then * can never match a path separator.)
{a,b} matches a or b where a and b are arbitrary glob patterns. (N.B. Nesting {...} is not currently allowed.)
[ab] matches a or b where a and b are characters. Use [!ab] to match any character except for a and b.
Metacharacters such as * and ? can be escaped with character class notation. e.g., [*] matches *

Note that SSID targets are case sensitive.

MAC Targets:

MAC targets are used to match against Access Point MAC addresses. These are NOT case sensitive, and support both ":" and "-" delimiters (or none at all).

Examples:

aabbccddeeff - Lowercase without delimiter
aa:bb:cc:dd:ee:ff - Lowercase with ":"
aa-bb-cc-dd-ee-ff - Lowercase with "-"
AABBCCDDEEFF - Capitals without delimiter 
AA:BB:CC:DD:EE:FF - Capitals with ":"
AA-BB-CC-DD-EE-FF - Capitals with "-"
aAbbcCddEeFf - Mixed Case

Attack Rates

The attack rates are fixed to three different speeds:

1: Slow
2: Normal (default)
3: Fast

These give you some choice in how rapidly you want to produce attack frames. You can read more here.


Whitelist

Using the same method as targets, you can also add networks to a whitelist, which will explicitly NOT attack a network once it has been identified as being whitelisted.

This also proliferates; however, you can expect initial attacks to still occur pre-proliferation if you do not explicitly specify a whitelist on the command line and instead expect it to proliferate via MAC or SSID.
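
To check which networks a target or whitelist entry set will end up covering, the matching and proliferation rules from the Targets and Whitelist sections can be modelled as below. This is an added example, not AngryOxide's code: the function names and the observed-AP list are constructed, and it assumes a 12-hex-digit entry is always read as a MAC and that hidden (empty) SSIDs do not spread.

```python
import re
from fnmatch import fnmatchcase

def norm_mac(entry):
    """Return 12 lowercase hex digits if entry is a MAC, else None."""
    digits = re.sub(r"[:-]", "", entry).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def expand_braces(pattern):
    """Expand {a,b} alternatives; nesting is not supported."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [p for alt in m.group(1).split(",")
            for p in expand_braces(head + alt + tail)]

def ssid_matches(pattern, ssid):
    """Case-sensitive glob match supporting ?, *, [ab], [!ab] and {a,b}."""
    return any(fnmatchcase(ssid, p) for p in expand_braces(pattern))

def proliferate(entries, seen_aps):
    """Resolve -t/-w style entries against observed (mac, ssid) pairs.

    Returns (macs, ssids) after repeating the MAC -> SSID -> MAC spread
    until nothing new is added.
    """
    macs = {norm_mac(e) for e in entries if norm_mac(e)}
    patterns = [e for e in entries if not norm_mac(e)]
    ssids = set()
    changed = True
    while changed:
        changed = False
        for mac, ssid in seen_aps:
            mac = norm_mac(mac)
            by_ssid = bool(ssid) and (
                ssid in ssids or any(ssid_matches(p, ssid) for p in patterns))
            if mac in macs or by_ssid:
                before = len(macs) + len(ssids)
                macs.add(mac)
                if ssid:
                    ssids.add(ssid)
                changed |= len(macs) + len(ssids) != before
    return macs, ssids

# Constructed observations: (BSSID, SSID) pairs.
SEEN = [("AA:BB:CC:11:22:33", "CorpNet"), ("aa-bb-cc-11-22-44", "CorpNet"),
        ("11:22:33:44:55:66", "Guest-1"), ("11:22:33:44:55:77", "guest-2"),
        ("de:ad:be:ef:00:01", "")]
```

Running `proliferate` on a whitelist before a session shows whether every out-of-scope access point is covered by an explicit entry rather than relying on later proliferation.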


Auto Hunting

The auto hunt functionality is designed to help you lock in on the channels your targets are using. The general flow is as follows:

  1. Set channel hop interval to 200ms.
  2. Add all channels on interface to hop channels list.
  3. Rapidly move through channels, identifying targets.
  4. Channels will be cycled a MINIMUM of three times, to help ensure all APs matching the target are accurately located.
  5. When all targets have been located set the hop interval back to 2000ms and set hop channels to target channels.
  6. Continue AO operation as normal.

This process isn't perfect, but will help avoid having to run AO once to identify channels, and again to conduct attacks.


Output files

AngryOxide will by default generate the following files:

*.pcapng files are split at 100 MB and contain the captured frames with appended GPS data (using the Kismet Custom Option Block) if it is available.

*.kismetdb is a kismetdb-formatted SQLite3 database where the "packets" table is filled with the frames seen by AO, with GPS data. This is included because some post-processing tools already support this format.

*.hc22000 files are the actual hashlines. By default these will be produced for each unique Access Point that we have collected from, but using the --combine command line option will create a single .hc22000 file instead.
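
For reporting which networks produced a hashline, the .hc22000 lines can be parsed into a per-SSID inventory. This is an added example, not AngryOxide's code: the field order and MESSAGEPAIR bits follow hashcat's published 22000 format, the page does not state how AO fills that field, and the sample lines are constructed placeholders.

```python
from collections import defaultdict

# Low three bits of MESSAGEPAIR: which EAPOL messages the line was built from.
PAIRS = {0: "M1+M2", 1: "M1+M4", 2: "M2+M3", 3: "M2+M3", 4: "M3+M4", 5: "M3+M4"}
# High bits: nonce-error-correction hints.
FLAGS = ((0x10, "ap-less"), (0x20, "LE"), (0x40, "BE"),
         (0x80, "replaycount-unchecked"))

def parse_hashline(line):
    """Split one hc22000 line into named fields."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in ("01", "02"):
        raise ValueError("not an hc22000 line")
    rec = {"kind": "PMKID" if f[1] == "01" else "EAPOL",
           "ap": f[3].lower(), "client": f[4].lower(),
           "ssid": bytes.fromhex(f[5]).decode("utf-8", "replace"),
           "pair": None, "flags": []}
    if rec["kind"] == "EAPOL":
        mp = int(f[8], 16)
        rec["pair"] = PAIRS.get(mp & 0x07, "unknown")
        rec["flags"] = [name for bit, name in FLAGS if mp & bit]
    return rec

def exposure_report(lines):
    """Map each SSID to the sorted (AP MAC, kind) pairs with captured material."""
    report = defaultdict(set)
    for line in lines:
        if line.strip():
            r = parse_hashline(line)
            report[r["ssid"]].add((r["ap"], r["kind"]))
    return {ssid: sorted(found) for ssid, found in report.items()}

# Constructed lines: placeholder MIC/PMKID, nonce and EAPOL bytes, not real captures.
SSID_HEX = "CorpNet".encode().hex()
SAMPLE = [
    "WPA*02*" + "00" * 16 + "*aabbcc112233*112233445566*" + SSID_HEX
    + "*" + "11" * 32 + "*0103007502*a2",
    "WPA*01*" + "00" * 16 + "*AABBCC112244*112233445566*" + SSID_HEX + "***",
]

if __name__ == "__main__":
    print(exposure_report(SAMPLE))
```
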


Cracking .hc22000 Files

You can visit Hashcat to learn about how to crack the .hc22000 format, but as a quick example:

hashcat -a 0 -m 22000 hashes.hc22000 dictionary.txt
hashcat -a 3 -m 22000 hashes.hc22000 ?d?d?d?d?d?d?d?d