CLI Reference
Complete command reference for the WirelessXPL-Forge interactive shell.
Load a module by its full path.
wxf > use generic/wifi_lab/handshake_snooper
wxf (HandshakeSnooper) >
Tab completion is available for module paths.
List all available modules.
wxf > show modules
Available modules (329+):
generic/automotive/can_bus_attack
generic/automotive/mercedes_mbux_bt_rce_cve_2023_37462
generic/bluetooth/ble_btlejack
generic/bluetooth/ble_crackle
generic/bluetooth/ble_gatt_enum_unauth
generic/bluetooth/ble_spoofing_impersonation
generic/bluetooth/blueborne_attack
generic/bluetooth/bt_baseband_attack
generic/bluetooth/bt_hid_injection
generic/bluetooth/bt_session_attack
generic/bluetooth/knob_native_cve_2019_9506
generic/bluetooth/sweyntooth/sweyntooth_cve_2019_16336
generic/bluetooth/sweyntooth/sweyntooth_cve_2019_17517
generic/bluetooth/sweyntooth/sweyntooth_scanner
generic/cve/krack_attack
generic/cve/pmkid_attack
generic/cve/ssid_confusion
generic/cve/zigbee_attack
generic/drones/drone_scanner
generic/drones/dji/dji_deauth
generic/drones/dji/dji_quicktransfer_exfil_cve_2023_6951
generic/drones/dji/dji_wifi_scan
generic/drones/fpv/eachine_e52_tcp_takeover
generic/drones/holystone/hsrid01_ble_dos_cve_2024_52876
generic/drones/mavlink/mavlink_flood_dos
generic/drones/mavlink/mavlink_force_disarm
generic/drones/mavlink/mavlink_gps_spoof
generic/drones/mavlink/mavlink_param_dump
generic/drones/mavlink/mavlink_scanner
generic/drones/mavlink/mavlink_waypoint_inject
generic/drones/parrot/parrot_anafi_deauth_cve_2019_3944
generic/evidence_vault/evidence_vault
generic/external/airgeddon_bridge
generic/external/bruce_serial_bridge
generic/external/eaphammer_bridge
generic/external/mdk4_bridge
generic/external/wireless_tool_prereq_audit
generic/external/wifiphisher_bridge
generic/iot_proto/coap_resource_enum
generic/iot_proto/mqtt_broker_enum_inject
generic/lateral_iot/arp_spoof_iot_pivot
generic/lorawan/lorawan_join_replay
generic/maritime/ais_spoof
generic/maritime/nmea_spoof
generic/pcap/pcap_eapol_survey
generic/pcap/pcap_handshake_extractor
generic/pcap/pcap_pmkid_extractor
generic/pcap/pcap_sql_workspace
generic/session_manager/session_manager
generic/subghz/br_gate_scanner
generic/subghz/debruijn_bruteforce
generic/subghz/ev1527_vehicle_cve_2025_70994
generic/subghz/keeloq_decoder
generic/subghz/keeloq_replay
generic/subghz/static_code_replay
generic/subghz/subghz_jammer
generic/subghz/tools/ook_analyzer
generic/subghz/tpms/tpms_decoder
generic/subghz/tpms/tpms_spoof
generic/vehicular_radar/fmcw_radar_attack
generic/vehicular_radar/traffic_enforcement_scanner
generic/wardrive/wardrive_logger
generic/wearables/xiaomi_miband_ble_breakmi
generic/wifi_lab/adaptive_harvest
generic/wifi_lab/auth_flood
generic/wifi_lab/beacon_flood
generic/wifi_lab/captive_portal_modern_lab
generic/wifi_lab/evil_twin_workflow
generic/wifi_lab/fragattacks
generic/wifi_lab/fragattacks/fragattacks_cve_2020_26140
generic/wifi_lab/fragattacks/fragattacks_cve_2020_26141
generic/wifi_lab/fragattacks/fragattacks_cve_2020_26143
generic/wifi_lab/fragattacks/fragattacks_scanner
generic/wifi_lab/gps_wardriving_ndjson
generic/wifi_lab/handshake_snooper
generic/wifi_lab/krack/krack_4way_retransmit
generic/wifi_lab/krack/krack_group_key_retransmit
generic/wifi_lab/krack/krack_scanner
generic/wifi_lab/mitm_wifi_bridge
generic/wifi_lab/momo_integrated_attack
generic/wifi_lab/wardriving_deauth_loop
generic/wifi_lab/wifi_kr00k_cve_2019_15126
generic/wifi_lab/wifi_sniffer
generic/wifi_lab/wireless_ids
generic/wifi_lab/wpa3_attack_suite
generic/wids/wifi_ids
generic/zwave/zwave_replay_attack
generic/zwave/zwave_s0_key_extract
Display all options for the currently loaded module.
wxf (HandshakeSnooper) > show options
Module: generic/wifi_lab/handshake_snooper
Description: PMKID-first + deauth handshake capture pipeline
Options:
Name Current Required Description
---- ------- -------- -----------
INTERFACE wlan0mon yes Monitor mode interface
TARGET_BSSID yes Target AP BSSID (AA:BB:CC:DD:EE:FF)
TARGET_ESSID no Target AP SSID (optional filter)
CHANNEL 0 no Lock to channel (0 = all)
CAPTURE_FILE /tmp/capture.pcap no Output PCAP path
PMKID_FIRST true no Try PMKID capture before deauth
DEAUTH_COUNT 5 no Deauth frames to send
TIMEOUT 60 no Capture timeout in seconds
SIMULATE false no Dry-run without transmitting
Set an option value.
wxf (HandshakeSnooper) > set INTERFACE wlan0mon
[*] INTERFACE => wlan0mon
wxf (HandshakeSnooper) > set TARGET_BSSID AA:BB:CC:DD:EE:FF
[*] TARGET_BSSID => AA:BB:CC:DD:EE:FF
Reset an option to its default value.
wxf (HandshakeSnooper) > unset CHANNEL
[*] CHANNEL reset to default (0)
Verify whether the target is reachable and potentially vulnerable before running.
wxf (HandshakeSnooper) > check
[*] Checking target AA:BB:CC:DD:EE:FF...
[+] AP visible on channel 6 | RSSI: -58 dBm
[+] Security: WPA2-PSK (CCMP)
[+] PMKID available: yes
[*] Target appears reachable. Ready to run.
Execute the loaded module with the current options.
wxf (HandshakeSnooper) > run
[*] Starting handshake capture on wlan0mon
[*] Target: AA:BB:CC:DD:EE:FF (HomeWifi) ch6
[*] Attempting PMKID capture...
[+] PMKID captured: 4d4f4e4f3a3a3a3a...
[*] Saving to /tmp/capture.pcap
[+] Capture complete. Use hashcat -m 22000 to crack.
Unload the current module and return to the main prompt.
wxf (HandshakeSnooper) > back
wxf >
Search modules by name, description, or device tag.
wxf > search bluetooth
generic/bluetooth/ble_btlejack BTLEJack BLE sniff/jam/hijack
generic/bluetooth/ble_crackle BLE Legacy Pairing key recovery
generic/bluetooth/ble_gatt_enum_unauth BLE GATT enumeration without auth
generic/bluetooth/blueborne_attack BlueBorne L2CAP overflow
generic/bluetooth/bt_hid_injection Bluetooth HID keyboard injection
generic/bluetooth/bt_session_attack KNOB, BIAS, BLUFFS session attacks
...
wxf > search CVE-2020
generic/wifi_lab/fragattacks/fragattacks_cve_2020_26140 Plaintext injection
generic/wifi_lab/fragattacks/fragattacks_cve_2020_26141 Fragment cache abuse
generic/wifi_lab/fragattacks/fragattacks_cve_2020_26143 Mixed fragment acceptance
generic/iot_proto/mqtt_broker_dos CVE-2020-... DoS
wxf > search device=drone
generic/drones/drone_scanner
generic/drones/mavlink/mavlink_scanner
generic/drones/dji/dji_wifi_scan
...
Show detailed module information including description, references, and options.
wxf (HandshakeSnooper) > info
Name: HandshakeSnooper
Module: generic/wifi_lab/handshake_snooper
Version: 1.8.0
Author: Andre Henrique (@mrhenrike)
License: BSD-3-Clause
Description:
PMKID-first capture pipeline. Attempts clientless PMKID capture;
falls back to deauth-triggered 4-way EAPOL handshake if PMKID
is unavailable. Outputs PCAP compatible with hashcat -m 22000.
References:
https://hashcat.net/forum/thread-7717.html
https://www.aircrack-ng.org/
Options:
[see 'show options']
List all active module sessions.
wxf > sessions
Active sessions:
ID Module Status Started Target
-- ------ ------ ------- ------
1 wids/wifi_ids running 2026-06-08 08:00 wlan0mon
2 wardrive/wardrive_logger running 2026-06-08 08:05 wlan0mon
wxf > sessions -i 1
[*] Interacting with session 1 (WirelessIDS)
Exit the framework.
wxf > exit
[*] Goodbye.
These options can be set at the framework level and apply to all modules unless overridden per module.
wxf > set LOGLEVEL debug
[*] LOGLEVEL => debug (verbose output enabled)
wxf > set TIMEOUT 10
[*] TIMEOUT => 10 (connection timeout in seconds)
wxf > set THREADS 4
[*] THREADS => 4 (parallel execution threads)
wxf > set SIMULATE true
[*] SIMULATE => true (all modules will dry-run by default)
| Option | Default | Description |
|---|---|---|
| `LOGLEVEL` | `info` | Log verbosity: `debug`, `info`, `warning`, `error` |
| `TIMEOUT` | `30` | Network/capture timeout in seconds |
| `THREADS` | `2` | Parallel threads for scan-type modules |
| `SIMULATE` | `false` | Global dry-run flag (overrides per-module SIMULATE) |
| `OUTPUT_DIR` | `/tmp` | Default output directory for captures and exports |
| `SESSION_ID` | `` | Identifier for Evidence Vault and Session Manager |
| Type | Example | Description |
|---|---|---|
| String | `set INTERFACE wlan0mon` | Freeform text |
| Boolean | `set SIMULATE true` | `true` or `false` |
| Integer | `set TIMEOUT 30` | Numeric value |
| Float | `set FREQUENCY 433.92` | Decimal number |
| Hex | `set CODE 0xA3F21B` | Hexadecimal (0x prefix) |
| BSSID | `set TARGET_BSSID AA:BB:CC:DD:EE:FF` | MAC address |
| CIDR | `set TARGET_CIDR 192.168.1.0/24` | Network range |
| File | `set WORDLIST /usr/share/wordlists/rockyou.txt` | Filesystem path |
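
The option types listed above can be validated strictly before a value reaches a module. The sketch below is an added example, not WirelessXPL-Forge's own code: the function name `parse_option` and the lowercase type labels are assumptions that mirror the table.

```python
import ipaddress
import math
import os
import re

# Added example, not WirelessXPL-Forge code. parse_option() and the lowercase
# type labels are hypothetical; they mirror the option-type table above.
_BSSID = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")
_HEX = re.compile(r"0[xX][0-9A-Fa-f]+")
_INT = re.compile(r"-?[0-9]+")


def parse_option(opt_type, raw):
    """Return the typed value for raw, or raise ValueError if it is malformed."""
    value, kind = raw.strip(), opt_type.lower()
    if kind == "string":
        if not value:
            raise ValueError("empty string")
        return value
    if kind == "boolean":
        # Only the two literals from the table; 1/0/yes/no are rejected.
        if value not in ("true", "false"):
            raise ValueError(f"not a boolean: {raw!r}")
        return value == "true"
    if kind == "integer":
        if not _INT.fullmatch(value):
            raise ValueError(f"not an integer: {raw!r}")
        return int(value)
    if kind == "float":
        number = float(value)  # raises ValueError on junk
        if not math.isfinite(number):  # float() also accepts "nan" and "inf"
            raise ValueError(f"not a finite number: {raw!r}")
        return number
    if kind == "hex":
        if not _HEX.fullmatch(value):
            raise ValueError(f"hex value needs a 0x prefix: {raw!r}")
        return int(value, 16)
    if kind == "bssid":
        # Six colon-separated octets; normalise case for later comparisons.
        if not _BSSID.fullmatch(value):
            raise ValueError(f"not a BSSID: {raw!r}")
        return value.upper()
    if kind == "cidr":
        # strict=True rejects host bits, e.g. 192.168.1.5/24.
        return ipaddress.ip_network(value, strict=True)
    if kind == "file":
        if not value or "\x00" in value:
            raise ValueError("invalid path")
        return os.path.abspath(os.path.expanduser(value))
    raise ValueError(f"unknown option type: {opt_type!r}")
```
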
The WXF shell supports tab completion for:
- Module paths after `use`
- Option names after `set` and `unset`
- Module paths after `search`
wxf > use generic/sub<TAB>
generic/subghz/
wxf > use generic/subghz/<TAB>
static_code_replay debruijn_bruteforce keeloq_decoder keeloq_replay ...
Author: Andre Henrique (@mrhenrike) | Uniao Geek