airbase-ng

airbase-ng interface [options]

-a bssid
    Set the BSSID (MAC address) of the fake AP.

-e essid
    Set the ESSID (network name) of the fake AP. Use '-e' with no argument for hidden ESSID.

-c channel
    Set the channel for the fake AP.

-w wep key
    Enable WEP encryption for the fake AP using the specified key.

-W 0/1
    Enable (1) or disable (0) WPA handshake capture. Useful for forcing clients to reauthenticate.

-N
    Enable Shared Key authentication capture. Requires a client to associate.

-L
    Enable LEAP authentication capture.

-D
    Deauthenticate clients that associate with the fake AP. Can be used to force reassociation.

-P
    Enable a fake WPA response. If a client attempts to associate, it will be prompted for WPA/WPA2.

-M
    Enable Man-in-the-Middle (MITM) attacks. Requires another instance for packet forwarding.

-0
    Send deauthentication packets to all clients in range, forcing them to reconnect to your fake AP.

-p
    Enable ARP request replay. Repeats captured ARP requests.

--randomize
    Randomize the MAC address and ESSID of the fake AP to avoid detection.

--ivs
    Create an IVS file for WEP cracking instead of a PCAP file.

--wps
    Enable WPS (Wi-Fi Protected Setup) support on the fake AP.

--wps-pin pin
    Specify a WPS PIN for the fake AP.

--eap-file file
    Specify a file containing EAP authentication credentials (e.g., username/password).

airbase-ng is a powerful and versatile tool from the aircrack-ng suite, designed to simulate an access point (AP) and perform various wireless network attacks. Its primary functionalities include creating honeypots or 'Evil Twin' APs, capturing WEP/WPA/WPA2 handshakes by forcing client reassociations, and performing packet injection. It supports advanced features like authentication simulation (Open, Shared Key, LEAP), ARP request replay, and the ability to bridge network traffic through a virtual interface (e.g., at0). This allows for sophisticated Man-in-the-Middle (MITM) attacks, client deauthentication, and other forms of traffic manipulation, making it an essential tool for wireless security auditing and penetration testing.

Using airbase-ng requires a wireless adapter capable of monitor mode and packet injection. The network interface must be manually put into monitor mode (e.g., using airmon-ng) before running the command. It requires root privileges. Always ensure you have explicit permission before performing any wireless security testing, as unauthorized use can be illegal.

When airbase-ng starts, it often creates a new virtual interface, typically named at0 (or tap0 on some systems). This interface acts as a TAP interface, allowing you to bridge network traffic to and from clients connected to the fake AP. You can then assign an IP address to at0, run a DHCP server, or use it for routing, enabling advanced attacks like DNS spoofing or serving malicious content to connected clients.

Beyond simply simulating an AP, airbase-ng has powerful packet injection capabilities. It can replay captured packets, inject custom packets, and perform various forms of frame manipulation. This makes it a versatile tool for both offensive and defensive wireless security operations, allowing for specific traffic generation and analysis.

airbase-ng is a core component of the aircrack-ng suite, a renowned collection of tools for wireless security auditing. It evolved from earlier standalone tools and was integrated into the suite to provide comprehensive functionalities for network analysis, packet injection, and AP simulation. Its development is community-driven, with continuous updates to address new wireless technologies and vulnerabilities.

aircrack-ng(1), aireplay-ng(1), airodump-ng(1), airmon-ng(1)