airserv-ng

airserv-ng [options] <interface>

<interface>
    Specifies the wireless interface to be used by airserv-ng. This interface must typically be in monitor mode.

-p <port>
    Sets the TCP port number on which airserv-ng will listen for incoming client connections. The default port is 666.

-r <root>
    Specifies the root directory for the server. The default is "/". This option is less commonly used for its core function.

-d <debug>
    Sets the debug level for output. Higher numbers usually mean more verbose output. The default is 0 (no debug).

-i <interval>
    Defines the interval (in milliseconds) at which the server updates. The default is 10.

-a <address>
    Specifies the IP address on which airserv-ng should listen. By default, it listens on all available interfaces (0.0.0.0).

-c <channel>
    Sets the wireless channel on which the interface should operate. The default is 0 (auto/no specific channel enforced by airserv-ng itself, relying on the interface's current channel).

-l <log>
    Specifies a file to which logging information will be written. By default, logs go to standard output (stdout).

-n <nb_clients>
    Sets the maximum number of clients that can concurrently connect to the airserv-ng instance. The default is 1.

airserv-ng is a crucial component of the Aircrack-ng suite, designed to enable other tools within the suite to access a wireless network interface card (NIC) remotely. It acts as a server, listening on a specified port for incoming connections from clients (e.g., airodump-ng, aireplay-ng running on another machine or a virtual machine).

The primary purpose of airserv-ng is to facilitate wireless security testing and packet capture in scenarios where direct access to the physical wireless card is not convenient or possible. This includes setups where the Aircrack-ng tools are running inside a virtual machine (VM) and need to use a wireless adapter attached to the host operating system, or when sharing a dedicated wireless sniffing card among multiple testers over a network.

It streams the raw wireless traffic from the specified interface over the network connection to the connected client, allowing the client to perform tasks like packet injection, deauthentication attacks, or simply capturing network traffic as if it had direct access to the physical card. The wireless card must be capable of and put into monitor mode (often using airmon-ng) before airserv-ng can effectively utilize it.

Using airserv-ng requires the wireless interface to be capable of monitor mode and to be properly configured (often using airmon-ng).

Exposing airserv-ng to untrusted networks can pose a security risk, as it grants remote access to the underlying wireless card's capabilities, including packet capture and potentially injection.

There can be performance overhead and latency when using airserv-ng due to network communication, which might affect time-sensitive operations like certain injection attacks.

A very common scenario for airserv-ng is when running the Aircrack-ng tools within a virtual machine (e.g., Kali Linux in VirtualBox or VMware). Instead of directly passing through a USB wireless adapter (which can be flaky), one can run airserv-ng on the host OS, serving the wireless card to the VM. The tools inside the VM then connect to localhost (or the host's IP) on the specified port.

Another use case involves sharing a high-gain or specialized wireless adapter located on a dedicated sniffing machine with multiple security researchers across a local network.

When connecting to airserv-ng from a client tool like airodump-ng or aireplay-ng, you would specify the remote host and port using the 'net' prefix for the interface, e.g., airodump-ng net<ip_address>:<port> or net<ip_address>:<port>/<interface_name>. For example, airodump-ng net192.168.1.100:666.

airserv-ng is an integral part of the Aircrack-ng suite, which itself evolved from the original Aircrack project. The Aircrack-ng suite was developed for assessing Wi-Fi network security, focusing on packet sniffing, WEP and WPA/WPA2 cracking, and various attacks against wireless networks. airserv-ng was introduced to address the growing need for remote access to wireless adapters, particularly with the rise of virtual machines and the desire to centralize specialized hardware for penetration testing.

aircrack-ng(1), airmon-ng(1), airodump-ng(1), aireplay-ng(1)