🚧 Work in Progress — This project is under active development and has not been rigorously tested. Expect bugs, incomplete features, and breaking changes. Use at your own risk.
Wireless AP scanner + 802.11 DoS attack orchestrator with terminal UI
smartdos is an interactive TUI tool for ethical wireless penetration testing. It discovers nearby access points via beacon frame capture, lets you select targets, and orchestrates deauth, Auth-DoS (auth+assoc flood), and CSA-Beacon attacks in round-robin or parallel mode — all from a keyboard-driven terminal interface.
This tool is for authorized security testing and educational purposes ONLY.
- Only use this software on networks you own or have explicit written permission to test.
- Deauthenticating stations from an access point is an active denial-of-service attack.
- Unauthorized use of deauth attacks violates:
- US 18 U.S.C. § 1030 (Computer Fraud and Abuse Act)
- EU Directive 2013/40/EU (Attacks against information systems)
- UK Computer Misuse Act 1990
- Similar laws in other jurisdictions
- Penalties include fines and imprisonment.
- The authors assume no liability for misuse. You are responsible for your own actions.
| Feature | Description |
|---|---|
| AP Scanning | Live 802.11 beacon/probe-response capture via pcap on 2.4 GHz, 5 GHz, and 6 GHz channels |
| Client Discovery | Detects associated clients per AP from data/management frames |
| Signal Display | dBm + percentage for each AP, color-coded (green/yellow/red) |
| Channel Detection | Reads channel from DS Parameter Set IE tag |
| Encryption Detection | Identifies OPEN / WPA / WPA2 / WPA3 / OWE / enterprise (from the RSN IE) |
| Vendor Lookup | OUI-based NIC vendor identification for APs and clients |
| Channel Hopping | Scanner hops across 2.4 GHz, 5 GHz, and 6 GHz channels every 250 ms |
| Feature | Description |
|---|---|
| Deauth Injection | Raw 802.11 deauth frames (FC 0xC0) with radiotap header via pcap sendpacket() |
| Auth-DoS | 802.11 auth+assoc flood — each spoofed unique MAC walks the full auth→association handshake (assoc request carries the AP's real SSID + rate IEs), consuming a real association-table slot and saturating the management CPU. Exhausts the table / crashes AP firmware (restart required). Not mitigated by WPA3 or 802.11w/PMF (auth/assoc frames are unprotected). |
| CSA-Beacon | Spoofs the target's beacon with a Channel-Switch-Announcement element, herding clients onto a dead channel → disconnect. Clones the AP's real captured beacon verbatim (refreshed seq, fresh CSA) for fidelity, falling back to a synthesized beacon. Beacons are unprotected → reaches WPA3/PMF clients that ignore deauth. |
| Broadcast Deauth | Deauthenticates all clients from a target AP (broadcast DA) |
| Client Deauth | Targeted deauth of a specific client MAC (bidirectional: AP→client and client→AP) |
| Round-Robin Mode | Cycles through targets one at a time with configurable inter-burst delay |
| Parallel Mode | Attacks all targets simultaneously |
| Configurable Burst | Adjustable burst size (200–10000) and send interval via in-app settings overlay (G) |
| Auto-Max Burst | Switching to Auth-DoS auto-sets burst to the max (10000 frames/target) for sustained association-table pressure; restores the previous burst on switch away |
Which attack to reach for depends on the target's role and security. Legend:
✅ reliable ·
| Target / scenario | Deauth | Auth-DoS | CSA-Beacon | Best choice |
|---|---|---|---|---|
| WPA2 AP, no PMF | ✅ | ✅ | ✅ | Deauth (kick) / CSA-Beacon |
| WPA3 / 802.11w (PMF) AP | ❌ | ✅ | CSA-Beacon | |
| Crash / wedge an AP (firmware/table) | ❌ | Auth-DoS | ||
| Disconnect a client behind PMF | ❌ | ❌¹ | ✅ | CSA-Beacon |
| Legacy IoT / old router | ✅ | ✅ | ✅ | Deauth |
| Android client (PMF on, modern) | ❌ | ❌¹ | ✅ | CSA-Beacon |
| Latest iPhone — as client (iOS 18, WPA3) | ❌ | ✅² | CSA-Beacon | |
| Latest iPhone — as hotspot (Personal Hotspot) | ❌ | ✅ | CSA-Beacon |
Field-observed: CSA-Beacon is the most effective attack overall — it reliably disconnects clients on both WPA2 and WPA3 (beacons are unprotected by 802.11w, and the verbatim beacon clone passes client-side CSA validation). Deauth stays reliable against any WPA2 (no-PMF) target. Auth-DoS also bypasses PMF and works against WPA2/WPA3, but in practice its disruption is less consistent than CSA-Beacon — keep it primarily for exhausting / crashing an AP's association table rather than as the first-line disconnect.
¹ Auth-DoS targets the AP, not the client — it can only affect a client by taking out the AP it relies on. ² Cloning the real beacon (this tool's default) is what gets latest iOS to honor the CSA; a synthetic beacon is often rejected.
| Feature | Description |
|---|---|
| Client Follow | Follow a specific client MAC — auto-updates target AP when client roams |
| Pursuit Mode | Single-adapter pursuit: triggers channel sweep when followed client goes silent |
| Client Naming | Assign friendly names to client MACs; persisted across sessions |
| AP Harvest Mode | Mark APs for passive client harvesting (H); auto-follows new clients seen on harvested APs; harvested APs highlighted with ◆ marker |
| Feature | Description |
|---|---|
| WPA Handshake Capture | Detects EAPOL frames from data captures; writes pcap files to ~/.smartdos/handshakes/ |
| PMKID Capture | Captures PMKID from EAPOL frame 1; compatible with aircrack-ng / hashcat |
| Libpcap Format Output | Radiotap (linktype 127) pcap files — crackable with aircrack-ng -w or hashcat |
| Feature | Description |
|---|---|
| Session Logging | All events written to ~/.smartdos/session.log with auto-rotation at size limit |
| Saved-List Restore | On launch, optionally restore a previously saved target/client list from ~/.smartdos/lists/ |
| AP List Persistence | Discovered APs saved to ~/.smartdos/aps.json |
| Attack Settings | Burst size, interval, attack type, attack mode, pursuit mode, and deauth scope persisted across sessions |
| Named Lists | Save/load named target or client lists via ~/.smartdos/lists/ |
| Feature | Description |
|---|---|
| Monitor Mode | Auto-enables via airmon-ng or falls back to iw |
| Live Counters | Real-time deauth frame counters per target |
| Event Log | Scrollable log panel showing actions and errors |
| Full-screen Events | Tab expands the event log to the whole screen (scrollable); Tab/Esc to return |
| Panel Navigation | ←/→ and c switch between AP list / Target list / Client list panels |
| Settings Overlay | In-app overlay to tune burst size, send interval, and 2.4/5/6 GHz band toggles without restarting |
| Clear Scan Results | R clears AP list and resets discovery state mid-session |
- Linux with wireless networking hardware
- Root privileges (for monitor mode and packet injection)
- libpcap development headers (
libpcap-devon Debian/Ubuntu) - aircrack-ng suite (
airmon-ngfor monitor mode setup) — optional, falls back toiw - Rust toolchain (for building from source)
# Debian/Ubuntu
sudo apt install libpcap-dev aircrack-ng
# Arch
sudo pacman -S libpcap aircrack-ng
# Fedora
sudo dnf install libpcap-devel aircrack-ng# Clone
git clone <repo-url> && cd smartdos
# Build release
cargo build --release
# Binary is at: target/release/smartdos# Run with auto-detected interface:
sudo ./target/release/smartdos
# Run with specific interface:
sudo ./target/release/smartdos wlan0
# If you already have a monitor interface:
sudo ./target/release/smartdos wlan0mon
# Demo mode (no hardware required — uses stub interface for UI development/testing):
./target/release/smartdos --demo| Key | Action |
|---|---|
↑ / ↓ |
Navigate list |
← / → |
Switch panels |
Tab |
Open full-screen Events page (Tab/Esc to return; ↑↓ / PgUp·PgDn scroll) |
t |
Toggle target — add/remove selected AP, or target selected client (in client view) |
d |
Remove selected target |
Space |
Enable/disable selected target |
c |
View clients of selected AP |
n |
Name selected client |
h |
Toggle harvest mode on selected AP (AP list panel only) |
A |
Cycle attack type (Deauth → Auth-DoS → CSA-Beacon) |
M |
Toggle attack mode (Round-Robin ↔ Parallel) |
P |
Toggle pursuit mode |
G |
Open settings overlay (burst size / send interval) |
S |
Start / Stop attack |
W |
Save current target/client list with a name |
L |
Load a saved target/client list |
R |
Clear scan results |
I |
Open interface setup |
Q / Esc |
Quit |
┌────────────── smartdos v0.1 — Wireless Deauth Toolkit ──────────────┐
│ [wlan0mon] SCANNING APs:23 | Targets:3 | Deauth:1427 │
├───────────────────────────┬──────────────────────────────────────────┤
│ Access Points │ Targets (3) │
│ ┌──────┬──────────┬──┬───┬┐│┌──────┬──────────┬──┬────────┬───────┐│
│ │SSID │BSSID │CH│dBm│││││SSID │BSSID │CH│Status │Sent ││
│ ├──────┼──────────┼──┼───┤│││├──────┼──────────┼──┼────────┼───────┤│
│ │MyNet │AA:BB:CC..│ 6│-45│││││Target│AA:BB:CC..│ 6│ ACTIVE │ 527 ││
│ │Office│DD:EE:FF..│11│-62│││││... │... │..│ OFF │ 0 ││
│ │... │... │..│...││││└──────┴──────────┴──┴────────┴───────┘│
│ └──────┴──────────┴──┴───┘││ │
├───────────────────────────┴──────────────────────────────────────────┤
│ Events │ Attack Controls │
│ Scanner started on wlan0mon │ Mode: Round-Robin │
│ Target added: MyNet (AA:BB:CC..) │ Status: RUNNING │
│ Attack started: 3 targets │ Targets: 3 │
│ Deauth sent to MyNet: 527 │ Deauth Sent: 1427 │
├──────────────────────────────────────────────────────────────────────┤
│ ↑↓ nav ←→ panels TAB events t target S start/stop Q quit │
└──────────────────────────────────────────────────────────────────────┘
- Opens a pcap capture on the monitor-mode interface
- Filters for 802.11 management frames (beacon + probe response) and data frames (for client discovery and EAPOL detection)
- Parses the radiotap header for signal strength (dBm)
- Parses the 802.11 frame header for BSSID, SSID, and tagged parameters (channel, encryption)
- Sends AP updates to the main thread via an mpsc channel
- Constructs raw 802.11 deauth management frames (Frame Control
0xC0) - Prepends a minimal radiotap header (TX-flags NOACK) for proper driver injection
- Sends via pcap
sendpacket()—burst_sizeframes per target per cycle (default 200, tunable viaG) - Round-robin: cycles through targets one at a time, sleeping the send interval (default 50 ms) between bursts
- Parallel: bursts every active target each cycle, then sleeps the send interval
Why deauth works (and its limit): 802.11 deauth/disassoc are notifications — a pre-PMF receiver acts on them without verifying the sender, so a spoofed deauth with the AP's MAC kicks the client instantly. The catch: 802.11w (PMF / Protected Management Frames) cryptographically signs these frames, so a WPA3 (or PMF-enabled WPA2) client silently drops the spoofed deauth. That's why deauth is reliable on plain WPA2 but ineffective against modern PMF devices — and why Auth-DoS and CSA-Beacon exist.
Builders: build_auth_dos_frames in src/attack.rs.
- For each frame, generates a fresh, unique source MAC — locally-administered
unicast (
0x02first byte) driven by a monotonic counter, so every fake client looks distinct to the AP. - Sends an Open-System authentication request (FC
0xB0) from that MAC — step 1 of the 802.11 join handshake. - Immediately follows with an association request (FC
0x00) from the same MAC, carrying the AP's real SSID element plus supported/extended rate IEs so the AP accepts it as a legitimate join. - Repeats thousands of times per second (burst size / send interval are tunable).
Why it's effective — and why WPA3/PMF can't stop it:
- The AP must allocate a real association-table slot and per-station state for every accepted assoc request. Flooding unique MACs exhausts that table (e.g. an iPhone Personal Hotspot caps at ~5 clients) and saturates the management CPU parsing the flood — legitimate clients can no longer join, and weak firmware crashes or reboots.
- An auth-only flood (the naive version) allocates almost nothing on modern APs — they defer real state until association. Sending the auth→assoc pair is what actually consumes resources. This is the key difference.
- PMF (802.11w) only protects post-association management frames (deauth, disassoc, action). Authentication and association requests happen before a key exists, so they are never protected — WPA3 provides zero defense here. This is why Auth-DoS works equally against WPA2 and WPA3.
Builders: build_csa_from_beacon (clone) / build_csa_beacon_frame (synth) in
src/attack.rs.
- The scanner stashes each AP's last raw beacon (
AccessPoint.raw_beacon, radiotap and trailing FCS stripped). - The attack clones that real beacon verbatim — keeping the AP's genuine RSN/HT/VHT/vendor IEs — then refreshes the sequence number, strips any existing CSA element, and inserts a fresh Channel Switch Announcement element (tag 37) pointing to a different (dead) channel, with switch mode = 1 (stop transmitting) and count = 1 (switch immediately).
- Injects this spoofed beacon repeatedly from the AP's BSSID. (If no real beacon was captured yet, it falls back to a synthesized minimal beacon.)
Why it's effective — and why it reaches PMF clients:
- CSA is a legitimate 802.11h feature: an AP uses it to tell associated clients "I'm moving to channel X, follow me" (for radar avoidance / DFS). Clients trust and obey a CSA that appears to come from their AP.
- The spoofed CSA points to a channel the real AP isn't on, so the client switches away and loses its AP → disconnected. Repeating it keeps the client chasing a phantom.
- Crucially, beacons are not protected by PMF/802.11w — only unicast robust management frames are. So a PMF (WPA3) client that ignores spoofed deauth will still honor a CSA beacon. This makes CSA-Beacon the only frame-level way to disconnect a client that has PMF enabled.
- Fidelity matters: modern clients (latest iOS especially) cross-check the CSA beacon against the AP's real beacon and validate the target channel / country / operating class. A stripped-down synthetic beacon is easy to flag and ignore — cloning the real beacon byte-for-byte (this tool's default) is what gets the CSA honored.
- Uses
airmon-ng start/stopto enable/disable monitor mode - Falls back to
iw dev set monitor noneif airmon-ng isn't available - Restores interface state on exit
MIT — see LICENSE
- aircrack-ng for the foundational wireless security tools
- pcap for packet capture capabilities
- ratatui for the terminal UI framework
