AIRCRACK-NG(1)              General Commands Manual              AIRCRACK-NG(1)

NAME
       aircrack-ng - a 802.11 WEP / WPA-PSK key cracker

SYNOPSIS
       aircrack-ng [options] <.cap / .ivs file(s)>

DESCRIPTION
       aircrack-ng is an 802.11 WEP and WPA/WPA2-PSK key cracking program.
       It can recover the WEP key once enough encrypted packets have been
       captured with airodump-ng. This part of the aircrack-ng suite
       determines the WEP key using two fundamental methods. The first method
       is the PTW approach (Pyshkin, Tews, Weinmann). The main advantage of
       the PTW approach is that very few data packets are required to crack
       the WEP key. The second method is the FMS/KoreK method, which
       incorporates various statistical attacks to discover the WEP key and
       uses these in combination with brute forcing.
       Additionally, the program offers a dictionary method for determining
       the WEP key. For cracking WPA/WPA2 pre-shared keys, a wordlist (file or
       stdin) or an airolib-ng database has to be used.

OPTIONS
       Common options:

       -a <amode>
              Force the attack mode, 1 or wep for WEP and 2 or wpa for
              WPA-PSK.

       -e <essid>
              Select the target network based on the ESSID. This option is
              also required for WPA cracking if the SSID is cloaked. For SSIDs
              containing special characters, see
              http://www.aircrack-ng.org/doku.php?id=faq#how_to_use_spaces_double_quote_and_single_quote_etc._in_ap_names

       -b <bssid> or --bssid <bssid>
              Select the target network based on the access point MAC address.

       -p <nbcpu>
              Set this option to the number of CPUs to use (only available on
              SMP systems). By default, it uses all available CPUs.

       -q     If set, no status information is displayed.

       -C <macs> or --combine <macs>
              Merge the given AP MAC addresses (separated by commas) into a
              virtual one.

       -l <file>
              Write the key into a file.

       Static WEP cracking options:

       -c     Search alpha-numeric characters only.

       -t     Search binary coded decimal characters only.

       -h     Search the numeric key for Fritz!BOX.

       -d <mask> or --debug <mask>
              Specify mask of the key. For example: A1:XX:CF

       -m <maddr>
              Only keep the IVs coming from packets that match this MAC
              address. Alternatively, use -m ff:ff:ff:ff:ff:ff to use each and
              every IV, regardless of the network (this disables ESSID and
              BSSID filtering).

       -n <nbits>
              Specify the length of the key: 64 for 40-bit WEP, 128 for
              104-bit WEP, etc., until 512 bits of length. The default value
              is 128.

       -i <index>
              Only keep the IVs that have this key index (1 to 4). The default
              behaviour is to ignore the key index in the packet, and use the
              IV regardless.

       -f <fudge>
              By default, this parameter is set to 2. Use a higher value to
              increase the bruteforce level: cracking will take more time, but
              with a higher likelihood of success.

       -k <korek>
              There are 17 KoreK attacks. Sometimes one attack creates a huge
              false positive that prevents the key from being found, even with
              lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack
              selectively.

       -x or -x0
              Disable last keybytes bruteforce (not advised).

       -x1    Enable last keybyte bruteforcing (default).

       -x2    Enable last two keybytes bruteforcing.

       -X     Disable bruteforce multithreading (SMP only).

       -s     Show the ASCII version of the key at the right of the screen.

       -y     This is an experimental single brute-force attack which should
              only be used when the standard attack mode fails with more than
              one million IVs.

       -z     Use the PTW (Andrei Pyshkin, Erik Tews and Ralf-Philipp Weinmann)
              attack (default attack).

       -P <num> or --ptw-debug <num>
              PTW debug: 1 Disable Klein, 2 PTW.

       -K     Use KoreK attacks instead of PTW.

       -D or --wep-decloak
              WEP decloak mode.

       -1 or --oneshot
              Run only 1 try to crack key with PTW.

       -M <num>
              Specify maximum number of IVs to use.

       WEP and WPA-PSK cracking options:

       -w <words>
              Path to a dictionary file for WPA cracking. Specify "-" to use
              stdin. Here is a list of wordlists:
              http://www.aircrack-ng.org/doku.php?id=faq#where_can_i_find_good_wordlists

       WPA-PSK options:

       -E <file>
              Create Elcomsoft Wireless Security Auditor (EWSA) Project file
              v3.02.

       -J <file>
              Create Hashcat Capture file.

       -S     WPA cracking speed test.

       -r <database>
              Path to the airolib-ng database. Cannot be used with '-w'.
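
       The -e, -w and -r options all rest on one mechanism: a WPA/WPA2
       pre-shared key is derived from the passphrase with the ESSID as salt,
       so wordlist candidates and precomputed databases are tied to a single
       ESSID. The Python sketch that follows is an added example, not part of
       the aircrack-ng manual or code; it audits a passphrase you administer
       against a wordlist, and its function names and sample wordlist are
       constructed for illustration.

```python
import hashlib

# Constructed sample wordlist for illustration; not from any real list.
SAMPLE_WORDLIST = ["password", "letmein123", "short",
                   "correct horse battery staple"]


def valid_length(passphrase: str) -> bool:
    """WPA passphrases are 8 to 63 characters long."""
    return 8 <= len(passphrase) <= 63


def derive_pmk(passphrase: str, essid: str) -> bytes:
    """Master key: PBKDF2-HMAC-SHA1, ESSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               essid.encode("utf-8"), 4096, 32)


def build_pmk_table(essid: str, words) -> dict:
    """Precompute PMK -> word for ONE ESSID (hypothetical helper).

    Words that cannot be WPA passphrases are skipped. The table is useless
    for any other ESSID because the ESSID is the salt.
    """
    table = {}
    for word in words:
        word = word.rstrip("\r\n")
        if valid_length(word):
            table[derive_pmk(word, essid)] = word
    return table


def audit_psk(passphrase: str, essid: str, words) -> list:
    """Return findings for a passphrase; an empty list means none."""
    if not valid_length(passphrase):
        return ["invalid-length"]
    findings = []
    if derive_pmk(passphrase, essid) in build_pmk_table(essid, words):
        findings.append("in-wordlist")
    return findings


if __name__ == "__main__":
    # Constructed ESSID and passphrases.
    for candidate in ("password", "short", "Xk9#mQ2v-long-random-7"):
        print(candidate, audit_psk(candidate, "IEEE", SAMPLE_WORDLIST))
```

       A passphrase reported as in-wordlist should be replaced with a long
       random one; changing only the ESSID invalidates precomputed tables but
       not a plain wordlist run.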

       Other options:

       -H or --help
              Show help screen.

       -u or --cpu-detect
              Provide information on the number of CPUs and MMX/SSE support.

AUTHOR
       This manual page was written by Adam Cecile <gandalf@le-vert.net> for
       the Debian system (but may be used by others). Permission is granted
       to copy, distribute and/or modify this document under the terms of the
       GNU General Public License, Version 2 or any later version published by
       the Free Software Foundation. On Debian systems, the complete text of
       the GNU General Public License can be found in
       /usr/share/common-licenses/GPL.

SEE ALSO
       airbase-ng(8)
       aireplay-ng(8)
       airmon-ng(8)
       airodump-ng(8)
       airodump-ng-oui-update(8)
       airserv-ng(8)
       airtun-ng(8)
       besside-ng(8)
       easside-ng(8)
       tkiptun-ng(8)
       wesside-ng(8)
       airdecap-ng(1)
       airdecloak-ng(1)
       airolib-ng(1)
       besside-ng-crawler(1)
       buddy-ng(1)
       ivstools(1)
       kstats(1)
       makeivs-ng(1)
       packetforge-ng(1)
       wpaclean(1)

Version 1.2-rc4                   February 2016                  AIRCRACK-NG(1)