Authorized Use Only
Many flags below cause active RF transmission or disruptive behavior. Use them only on networks and systems for which you have explicit written authorization. See docs/RESPONSIBLE_USE.md for the authorization checklist.
🔴 EXTERNAL HIGH-GAIN ADAPTER REQUIRED
All live RF modes require an external high-gain USB Wi-Fi adapter with Monitor Mode and Packet Injection support. Built-in laptop wireless is not supported.
This document describes every command-line flag for alfa_arsenal.py. For the live list from your install, run:
python3 alfa_arsenal.py -hMost RF operations need root (sudo) for monitor mode and injection.
sudo python3 alfa_arsenal.pyStarts the full text UI: assessment runs, policy, reports, rogue analysis, session resume, etc. Does not require one of the mode flags below.
These flags select a single primary behavior. You cannot combine two of them in one invocation.
| Flag | What it does |
|---|---|
--scan |
Discover nearby networks and store results; duration from --timeout (default 30s unless you override). |
--handshake |
Capture a WPA/WPA2 4-way handshake against --target (BSSID) on --channel. |
--pmkid |
Attempt PMKID capture against the target AP. |
--wps |
WPS posture check (Pixie / brute phases per plugin) against the target. |
--evil-twin |
Rogue access-point simulation workflow (needs target context; may use --password if you already have the PSK). |
--beacon-flood |
Transmit a beacon stress test (DoS-class; ROE-gated). Use only where explicitly authorized. |
--crack |
Offline credential-strength test using --capture-file and optional --wordlist (no live RF required for the test itself). |
--autopwn |
Automated assessment chain: scan → ranked targets → PMKID → handshake → WPS (pixie-first), then credential-strength testing when material exists. See Automated assessment chain options below. |
--c2 |
Start the remote coordination API / web UI server only (see --port; config may set host/port). |
--diag |
Run diagnostics only (no assessment). |
| Flag | Argument | What it does |
|---|---|---|
--report-run |
ID |
Build a report for assessment run ID from the database. Does not use the wireless adapter. |
--report-out |
path | Output file for --report-run (default: work_dir/report_<ID>.<ext>). |
--report-format |
markdown | html | pdf |
Output format for --report-run (default: markdown). |
If --report-run is set, it runs first and the process exits after generating the report (other modes are not combined in one run).
| Flag | What it does |
|---|---|
--policy-file |
Path to JSON rules of engagement (ROE): allowed operations, optional BSSID allowlist, require_active_assessment, etc. See policies/example_roe.json. |
--no-single-instance-lock |
Allow two processes to use the same work_dir at once (default is a single-instance lock). Not recommended unless you know why. |
The FastAPI surface runs as a separate module (not a flag on alfa_arsenal.py):
sudo python3 -m api.app
# OpenAPI: http://127.0.0.1:8787/docs (host/port from config: api_host, api_port)Bind address, port, and api_secret_key are set in your JSON config or config/arsenal.defaults.json.
sudo python3 -m api.grpc_server --port 50051Configure grpc_cert_path, grpc_key_path, and grpc_api_key in config for TLS and API-key auth.
| Flag | Short | What it does |
|---|---|---|
--target |
-t |
BSSID (MAC) of the access point, e.g. AA:BB:CC:DD:EE:FF. |
--essid |
-e |
ESSID (network name) when the tool supports name-based selection. |
--channel |
-c |
Channel number (e.g. 6, 36) to lock the radio for the operation. |
| Flag | Default | What it does |
|---|---|---|
--timeout |
30 |
Operation timeout in seconds (e.g. scan duration, operation phase limits — exact use depends on the plugin). |
--wordlist |
— | Path to a wordlist file for credential-strength testing (--crack, --autopwn test phase). |
--capture-file |
— | Capture file for --crack (e.g. .cap, hash file). |
--config |
— | Path to JSON config (work dir, interfaces, API keys, etc.). |
--iface |
— | Force a specific wireless interface name (overrides auto-detection when supported). |
--port |
4443 |
Port for --c2 remote coordination API server. |
--no-stealth |
off | Disable MAC randomization / stealth behavior where applicable. |
--debug |
off | Verbose logging. |
--password |
— | WPA PSK for modes that need it (e.g. rogue AP simulation when supplying the known password). |
| Flag | Default | What it does |
|---|---|---|
--max-targets |
15 |
How many top-scored APs to try after the scan (ranked list). Lower = shorter run, fewer APs. |
(any --autopwn) |
— | On WPS-capable targets: Pixie, then full WPS (bully phases + Reaver fallback inside the WPS plugin). Wifite as a subprocess runs per target only with --field unless you set autopwn_wifite_without_field in JSON config. |
--field |
off | Field assessment mode: longer scan, longer PMKID/handshake windows, Wifite per target, then last-resort Wifite on the best-scored AP. Long and noisy — authorized testing only. |
--field-evil-twin |
off | With --autopwn --field: after a successful credential-strength test, attempt rogue access-point simulation using the recovered PSK. Only add if rogue AP simulation is in scope. |
# Interactive menu
sudo python3 alfa_arsenal.py
# Scan 60 seconds
sudo python3 alfa_arsenal.py --scan --timeout 60
# Handshake on a known BSSID/channel
sudo python3 alfa_arsenal.py --handshake -t AA:BB:CC:DD:EE:FF -c 6
# Offline credential-strength test
python3 alfa_arsenal.py --crack --capture-file ./handshake.cap --wordlist /usr/share/wordlists/rockyou.txt
# Default automated assessment chain
sudo python3 alfa_arsenal.py --autopwn
# Broadest built-in assessment chain (field mode)
sudo python3 alfa_arsenal.py --autopwn --field
# Field mode + rogue AP simulation only after credential-strength test
sudo python3 alfa_arsenal.py --autopwn --field --field-evil-twin
# Field mode + fewer APs + custom wordlist
sudo python3 alfa_arsenal.py --autopwn --field --max-targets 5 --wordlist /path/to/list.txt
# ROE file + config
sudo python3 alfa_arsenal.py --autopwn --field --policy-file ./policies/example_roe.json --config ./my_config.json
# REST API (OpenAPI /docs)
sudo python3 -m api.app
# gRPC on port 50051
sudo python3 -m api.grpc_server --port 50051Use these tools only on networks and systems you are authorized to test. Many flags cause active transmission (deauthentication, WPS, rogue AP simulation, beacon stress tests) that can affect third parties and may be illegal without permission.