# wifiscan
A wireless network scanner with a ratatui TUI. Captures WiFi access points, clients, and WPA/WPA2/WPA3 handshakes via monitor mode. Linux only.
## Features
- **AP Discovery** — real-time table of access points with signal, encryption, channel, vendor, WiFi generation (4/5/6/7), BSS color
- **Client Tracking** — associated clients per AP with signal, data counts, randomized MAC detection
- **Handshake Capture** — automatic EAPOL 4-way handshake detection (M1+M2 or M2+M3), saved as pcap files
- **PMKID Extraction** — extracts PMKIDs from M1 key data for hashcat cracking
- **Deauth** — broadcast and targeted (single client) deauth with live progress, injection failure detection, cancellable with Esc
- **Evil Twin** — clone any SSID and broadcast rogue beacons on the same channel
- **Probe Requests** — dedicated view showing which clients are searching for which SSIDs
- **Channel Graph** — frame-count bar chart and AP congestion table per channel
- **Alert Engine** — evil twin detection, open/WEP network warnings, channel congestion, handshake notifications
- **5 Export Formats** — CSV, JSON, Probes CSV, PMKID (hashcat 22000), WiGLE
- **Band Filtering** — filter to 2.4G, 5G, or 6G
- **Security Scoring** — 0-100 score per AP based on encryption stack
## Requirements
- Linux with root privileges
- WiFi adapter supporting monitor mode
- `libpcap-dev` installed
- `iw` and `ip` commands available
## Install
```bash
cargo install wifiscan
```
Or build from source:
```bash
git clone https://github.com/cybrly/wifiscan
cd wifiscan
cargo build --release
```
## Usage
```bash
sudo wifiscan -i wlan0
```
### Options
```
-i, --interface <IFACE>    WiFi interface (required)
-c, --channel <CH>         Lock to channel (0 = hop all)
-s, --sort <FIELD>         Sort: signal, ssid, channel, encryption, security, clients
-b, --band <BAND>          Band filter: all, 2g, 5g, 6g
    --min-signal <dBm>     Hide APs weaker than threshold
    --auto-expire <SECS>   Remove APs not seen for N seconds
    --deauth-burst <N>     Deauth burst count (default: 64)
    --deauth-dwell <SECS>  Dwell time after deauth (default: 15)
    --hs-timeout <SECS>    Handshake state timeout (default: 120)
    --no-handshakes        Disable handshake capture
    --skip-monitor         Don't auto-enable monitor mode
    --debug                Write debug log to ./wifiscan_debug.log
    --dump-pcap <FILE>     Dump all packets to pcap for Wireshark
```
### Key Bindings
| Key | Action |
| --- | --- |
| `q` | Quit |
| `j/k` or arrows | Scroll |
| `Enter` | AP detail view |
| `Tab` | Switch view: APs / Probes / Channels |
| `s` | Cycle sort field |
| `r` | Reverse sort |
| `b` | Cycle band filter |
| `/` | Filter (Enter=apply, Esc=clear) |
| `d` | Deauth selected AP (all clients) |
| `D` | Deauth single client (in detail view) |
| `t` | Evil twin: broadcast cloned SSID |
| `a` | Toggle alerts panel |
| `e/E` | Export CSV / JSON |
| `P` | Export probe requests |
| `H` | Export PMKIDs (hashcat) |
| `W` | Export WiGLE CSV |
| `p` | Pause/resume |
| `c` | Clear stale APs |
| `?` | Help |
## Architecture
Multi-threaded: channel hopper, packet capture, and deauth/beacon injection run on background threads. The main thread drives the TUI event loop. Cross-thread state uses `Arc<Mutex<HashMap>>` with atomic counters for lock-free progress reporting.
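
The shared-state pattern described above, as an added example that is not wifiscan's own code: a background worker folds constructed AP observations into an `Arc<Mutex<HashMap>>`, while a frame counter and a cancel flag are plain atomics that the UI side reads without taking the lock. `ApInfo`, `Obs`, `ingest` and `run_demo` are hypothetical names chosen for this sketch.

```rust
use std::collections::HashMap;
use std::sync::atomic::{AtomicBool, AtomicU64, Ordering};
use std::sync::{Arc, Mutex};
use std::thread;
/// Hypothetical per-AP record (assumption; not the project's own struct).
#[derive(Debug, Clone)]
struct ApInfo { ssid: String, channel: u8, best_dbm: i8, beacons: u64 }
type ApTable = Arc<Mutex<HashMap<[u8; 6], ApInfo>>>;
type Obs = ([u8; 6], &'static str, u8, i8); // (BSSID, SSID, channel, signal dBm)

/// Worker body: fold observations into the shared table, bump the atomic
/// counter once per frame, and stop early if the UI thread sets `cancel`.
fn ingest(obs: Vec<Obs>, table: ApTable, frames: Arc<AtomicU64>, cancel: Arc<AtomicBool>) {
    for (bssid, ssid, channel, dbm) in obs {
        if cancel.load(Ordering::Relaxed) { break; }
        {
            // Hold the lock only for the map update, then release it.
            let mut map = table.lock().unwrap();
            let ap = map.entry(bssid).or_insert(ApInfo {
                ssid: ssid.to_string(), channel, best_dbm: dbm, beacons: 0 });
            ap.best_dbm = ap.best_dbm.max(dbm);
            ap.beacons += 1;
        }
        frames.fetch_add(1, Ordering::Relaxed);
    }
}

/// Runs the worker on a background thread; returns (table snapshot, frames seen).
fn run_demo(cancel_first: bool) -> (HashMap<[u8; 6], ApInfo>, u64) {
    let table: ApTable = Arc::new(Mutex::new(HashMap::new()));
    let frames = Arc::new(AtomicU64::new(0));
    let cancel = Arc::new(AtomicBool::new(cancel_first));
    // Constructed sample observations using locally administered BSSIDs.
    let obs: Vec<Obs> = vec![
        ([0x02, 0, 0, 0, 0, 1], "lab-net", 6, -70),
        ([0x02, 0, 0, 0, 0, 2], "guest", 11, -55),
        ([0x02, 0, 0, 0, 0, 1], "lab-net", 6, -48),
    ];
    let (t, f, c) = (Arc::clone(&table), Arc::clone(&frames), Arc::clone(&cancel));
    let worker = thread::spawn(move || ingest(obs, t, f, c));
    worker.join().unwrap();
    // Progress is read from the atomic without touching the mutex.
    let seen = frames.load(Ordering::Relaxed);
    let snapshot = table.lock().unwrap().clone();
    (snapshot, seen)
}

fn main() { println!("{:?}", run_demo(false)); }
```

In a live UI loop the `frames.load` call would run on every redraw while the worker is still active; the join here only makes the result deterministic.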
## License
MIT