Airbash – A Shell Script For Automated WPA PSK Handshake Capture

Airbash is a POSIX-compliant, completely computerized WPA PSK handshake capture script went for penetration testing. It is perfect with Bash and Android Shell (tried on Kali Linux and Cyanogenmod 10.2) and utilizes aircrack-ng to filter for customers that are as of now associated with access points (AP). Those customers are then deauthenticated keeping in mind the end goal to catch the handshake when endeavoring to reconnect to the AP. Confirmation of a caught handshake is finished utilizing aircrack-ng. On the off chance that at least one handshakes are captured, they are gone into a SQLite3 database, alongside the season of catch and ebb and flow GPS information if legitimately designed.

After capture, the database can be tried for vulnerable router models using It will scan for passages that match the actualized modules, which presently incorporate algorithms to figure default keys for Speedport 500-700 arrangement, Thomson/SpeedTouch and UPC 7 digits (UPC1234567) switches.

Also Read SAWEF – Send Attack Web Forms

Requirements For Airbash

WiFi interface in monitor mode aircrack-ng SQLite3 openssl for compilation of modules discretionary wlanhc2hcx from hcxtools.

Keeping in mind the end goal to log GPS directions of handshakes, design your facilitate logging software to log to .loc/*.txt. Airbash will dependably utilize the yield of feline “$path$loc”*.txt 2>/dev/invalid | awk ‘NR==0; END{print}’, which equivalents to perusing all .txt records in .loc/and picking the second line. The explanation behind along these lines of usage is the usefulness of GPS Logger, which was utilized on the development device.

Calculating Default Keys

After capturing a new handshake, the database can be queried for vulnerable router models. If a module applies, the default keys for this router series are calculated and used as input for aircrack-ng to try and recover the passphrase.

Compiling Modules

The modules for calculating Thomson/SpeedTouch and UPC1234567 (7 random digits) default keys are included in src/

Credits for the code go to the authors Kevin Devine and

On Linux:
gcc -fomit-frame-pointer -O3 -funroll-all-loops -o modules/st modules/stkeys.c -lcrypto
gcc -O2 -o modules/upckeys modules/upc_keys.c -lcrypto

If on Android, you may need to copy the binaries to /system/xbin/ or to another directory where binary execution is allowed.


Running will create the database, prepare the folder structure and create shortlinks to both scripts which can be moved to a directory that is on $PATH to allow execution from any location.

After installation, you may need to manually adjust INTERFACE on line 46 in This will later be determined automatically, but for now the default is set to wlan0, to allow out of the box compatibility with bcmon on Android.

./ starts the script, automatically scanning and attacking targets that are not found in the database. ./ attempts to break known default key algorithms.

To view the database contents, run sqlite3 .db.sqlite3 "SELECT * FROM hs" in the main directory.


_n: number of access points found

__c/m: represents client number and maximum number of clients found, respectively

-: access point is blacklisted

x: access point already in database

?: access point out of range (not visible to airodump anymore)

The Database

The database contains a table called hs with seven columns.

id: incrementing counter of table entries

lat and lon: GPS coordinates of the handshake (if available)

bssid: MAC address of the access point

essid: Name identifier

psk: WPA Passphrase, if known

prcsd: Flag that gets set by to prevent duplicate calculation of default keys if a custom passphrase was used.

Currently, the SQLite3 database is not password-protected.