AIRCRACK-NG(1)              General Commands Manual              AIRCRACK-NG(1)

NAME
       aircrack-ng - an 802.11 WEP / WPA-PSK key cracker

SYNOPSIS
       aircrack-ng [options] <.cap / .ivs file(s)>

DESCRIPTION
       aircrack-ng is an 802.11 WEP and WPA/WPA2-PSK key cracking program.
       It can recover the WEP key once enough encrypted packets have been
       captured with airodump-ng. This part of the aircrack-ng suite
       determines the WEP key using two fundamental methods. The first method
       is the PTW approach (Pyshkin, Tews, Weinmann). The main advantage of
       the PTW approach is that very few data packets are required to crack
       the WEP key. The second method is the FMS/KoreK method. The FMS/KoreK
       method incorporates various statistical attacks to discover the WEP
       key and uses these in combination with brute forcing.
       Additionally, the program offers a dictionary method for determining
       the WEP key. For cracking WPA/WPA2 pre-shared keys, a wordlist (file or
       stdin) or an airolib-ng database has to be used.

OPTIONS
       -H, --help
              Shows the help screen.

       Common options:

       -a <amode>
              Force the attack mode, 1 or wep for WEP and 2 or wpa for
              WPA-PSK.

       -e <essid>
              Select the target network based on the ESSID. This option is
              also required for WPA cracking if the SSID is cloaked. For SSIDs
              containing special characters, see
              http://www.aircrack-ng.org/doku.php?id=faq#how_to_use_spaces_double_quote_and_single_quote_etc._in_ap_names

       -b <bssid>
              Select the target network based on the access point MAC address.

       -p <nbcpu>
              Set this option to the number of CPUs to use (only available on
              SMP systems). By default, it uses all available CPUs.

       -q     If set, no status information is displayed.

       -C <macs>
              Merges all the listed AP MAC addresses (separated by commas)
              into a virtual one.

       -l <file>
              Write the key into a file.

       Static WEP cracking options:

       -c     Search alpha-numeric characters only.

       -t     Search binary coded decimal characters only.

       -h     Search the numeric key for Fritz!BOX.

       -d <mask>
              Specify mask of the key. For example: A1:XX:CF

       -m <maddr>
              Only keep the IVs coming from packets that match this MAC
              address. Alternatively, use -m ff:ff:ff:ff:ff:ff to use each and
              every IV, regardless of the network (this disables ESSID and
              BSSID filtering).

       -n <nbits>
              Specify the length of the key: 64 for 40-bit WEP, 128 for
              104-bit WEP, etc., until 512 bits of length. The default value
              is 128.

       -i <index>
              Only keep the IVs that have this key index (1 to 4). The default
              behaviour is to ignore the key index in the packet, and use the
              IV regardless.

       -f <fudge>
              By default, this parameter is set to 2. Use a higher value to
              increase the bruteforce level: cracking will take more time, but
              with a higher likelihood of success.

       -k <korek>
              There are 17 KoreK attacks. Sometimes one attack creates a huge
              false positive that prevents the key from being found, even with
              lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack
              selectively.

       -x or -x0
              Disable last keybytes bruteforce (not advised).

       -x1    Enable last keybyte bruteforcing (default).

       -x2    Enable last two keybytes bruteforcing.

       -X     Disable bruteforce multithreading (SMP only).

       -s     Shows ASCII version of the key at the right of the screen.

       -y     This is an experimental single brute-force attack which should
              only be used when the standard attack mode fails with more than
              one million IVs.

       -z     Uses PTW (Andrei Pyshkin, Erik Tews and Ralf-Philipp Weinmann)
              attack (default attack).

       -P <num>
              PTW debug: 1 Disable Klein, 2 PTW.

       -K     Use KoreK attacks instead of PTW.

       -D     WEP decloak mode.

       -1     Run only 1 try to crack key with PTW.

       -M <num>
              Specify maximum number of IVs to use.

       WPA-PSK cracking options:

       -w <words>
              Path to a dictionary file for WPA cracking. Specify "-" to use
              stdin. Here is a list of wordlists:
              http://www.aircrack-ng.org/doku.php?id=faq#where_can_i_find_good_wordlists

       -r <database>
              Path to the airolib-ng database. Cannot be used with '-w'.
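
       The Python sketch below is an added example, not part of the
       aircrack-ng manual or code base. It shows why WPA-PSK work is tied to
       the ESSID (hence -e for a cloaked SSID, and airolib-ng keys stored per
       ESSID): IEEE 802.11i salts the passphrase with the ESSID, so an
       administrator can test a stored key for their own network against a
       wordlist. audit_psk, SAMPLE_WORDLIST and "OtherNet" are hypothetical
       names; the PMK value is the published 802.11i test vector.

```python
import hashlib
import hmac
from typing import Iterable, Optional


def wpa_pmk(passphrase: str, essid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-PSK pairwise master key (PMK).

    IEEE 802.11i: PBKDF2-HMAC-SHA1, the ESSID as salt, 4096 iterations.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 characters long")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), essid.encode("utf-8"), 4096, 32
    )


def audit_psk(stored_pmk_hex: str, essid: str,
              candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate that derives to the stored PMK, or None.

    stored_pmk_hex is the 64-hex-digit key the administrator already holds
    for their own network; candidates is any iterable of passphrases.
    """
    stored = bytes.fromhex(stored_pmk_hex)
    for word in candidates:
        word = word.rstrip("\r\n")
        try:
            pmk = wpa_pmk(word, essid)
        except ValueError:
            continue  # too short, too long or non-ASCII: cannot be the PSK
        if hmac.compare_digest(pmk, stored):
            return word
    return None


# Constructed sample wordlist (not from the man page); "letmein" is too
# short to be a valid passphrase and is skipped.
SAMPLE_WORDLIST = ["letmein", "12345678", "password", "correct horse battery"]
# IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
IEEE_VECTOR_PMK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

if __name__ == "__main__":
    # Same key, right ESSID: the weak passphrase is found in the list.
    print(audit_psk(IEEE_VECTOR_PMK, "IEEE", SAMPLE_WORDLIST))
    # Same key, wrong ESSID: every derivation differs, so nothing matches.
    print(audit_psk(IEEE_VECTOR_PMK, "OtherNet", SAMPLE_WORDLIST))
```

       A passphrase that this check finds in a common wordlist should be
       replaced with a long random one.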

AUTHOR
       This manual page was written by Adam Cecile <gandalf@le-vert.net> for
       the Debian system (but may be used by others). Permission is granted
       to copy, distribute and/or modify this document under the terms of the
       GNU General Public License, Version 2 or any later version published by
       the Free Software Foundation. On Debian systems, the complete text of
       the GNU General Public License can be found in
       /usr/share/common-licenses/GPL.

SEE ALSO
       airbase-ng(1)
       airdecap-ng(1)
       airdecloak-ng(1)
       airdriver-ng(1)
       aireplay-ng(1)
       airmon-ng(1)
       airodump-ng(1)
       airolib-ng(1)
       airserv-ng(1)
       airtun-ng(1)
       buddy-ng(1)
       easside-ng(1)
       ivstools(1)
       kstats(1)
       makeivs-ng(1)
       packetforge-ng(1)
       tkiptun-ng(1)
       wesside-ng(1)

Version 1.1                        April 2010                    AIRCRACK-NG(1)