AIRCRACK-NG(1)              General Commands Manual             AIRCRACK-NG(1)

NAME

       aircrack-ng - an 802.11 WEP / WPA-PSK key cracker

SYNOPSIS

       aircrack-ng [options] <input file(s)>

DESCRIPTION

       aircrack-ng is an 802.11 WEP, 802.11i WPA/WPA2, and 802.11w WPA2 key
       cracking program.

       It can recover the WEP key once enough encrypted packets have been
       captured with airodump-ng. This part of the aircrack-ng suite
       determines the WEP key using two fundamental methods. The first method
       is the PTW approach (Pyshkin, Tews, Weinmann). The main advantage of
       the PTW approach is that very few data packets are required to crack
       the WEP key. The second method is the FMS/KoreK method, which
       incorporates various statistical attacks to discover the WEP key and
       uses these in combination with brute forcing.

       Additionally, the program offers a dictionary method for determining
       the WEP key. For cracking WPA/WPA2 pre-shared keys, a wordlist (file or
       stdin) or an airolib-ng database has to be used.

INPUT FILES

       Capture files (.cap, .pcap), IVS (.ivs) or Hashcat HCCAPX files
       (.hccapx)

OPTIONS

       Common options:

       -a <amode>
              Force the attack mode: 1 or wep for WEP (802.11) and 2 or wpa
              for WPA/WPA2 PSK (802.11i and 802.11w).

       -e <essid>
              Select the target network based on the ESSID. This option is
              also required for WPA cracking if the SSID is cloaked. For SSIDs
              containing special characters, see
              https://www.aircrack-ng.org/doku.php?id=faq#how_to_use_spaces_double_quote_and_single_quote_etc_in_ap_names

       -b <bssid> or --bssid <bssid>
              Select the target network based on the access point MAC address.

       -p <nbcpu>
              Set this option to the number of CPUs to use (only available on
              SMP systems) for cracking the key/passphrase. By default, it
              uses all available CPUs.

       -q     If set, no status information is displayed.

       -C <macs> or --combine <macs>
              Merge the given AP MAC addresses (separated by commas) into a
              virtual one.

       -l <file>
              Write the key into a file. Overwrites the file if it already
              exists.

       Static WEP cracking options:

       -c     Search alpha-numeric characters only.

       -t     Search binary coded decimal characters only.

       -h     Search the numeric key for Fritz!BOX.

       -d <mask> or --debug <mask>
              Specify mask of the key. For example: A1:XX:CF

       -m <maddr>
              Only keep the IVs coming from packets that match this MAC
              address. Alternatively, use -m ff:ff:ff:ff:ff:ff to use each and
              every IV, regardless of the network (this disables ESSID and
              BSSID filtering).

       -n <nbits>
              Specify the length of the key: 64 for 40-bit WEP, 128 for
              104-bit WEP, and so on, up to 512 bits. The default value is
              128.

       -i <index>
              Only keep the IVs that have this key index (1 to 4). The default
              behavior is to ignore the key index in the packet, and use the
              IV regardless.

       -f <fudge>
              By default, this parameter is set to 2. Use a higher value to
              increase the bruteforce level: cracking will take more time, but
              with a higher likelihood of success.

       -k <korek>
              There are 17 KoreK attacks. Sometimes one attack creates a huge
              false positive that prevents the key from being found, even with
              lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack
              selectively.

       -x or -x0
              Disable last keybytes bruteforce (not advised).

       -x1    Enable last keybyte bruteforcing (default).

       -x2    Enable last two keybytes bruteforcing.

       -X     Disable bruteforce multithreading (SMP only).

       -s     Shows ASCII version of the key at the right of the screen.

       -y     This is an experimental single brute-force attack which should
              only be used when the standard attack mode fails with more than
              one million IVs.

       -z     Uses PTW (Andrei Pyshkin, Erik Tews and Ralf-Philipp Weinmann)
              attack (default attack).

       -P <num> or --ptw-debug <num>
              PTW debug: 1 Disable klein, 2 PTW.

       -K     Use KoreK attacks instead of PTW.

       -D or --wep-decloak
              WEP decloak mode.

       -1 or --oneshot
              Run only 1 try to crack key with PTW.

       -M <num>
              Specify maximum number of IVs to use.

       -V or --visual-inspection
              Run in visual inspection mode. Can only be used when using
              KoreK.

       WEP and WPA-PSK cracking options:

       -w <words>
              Path to a dictionary file for WPA cracking. Separate filenames
              with commas when using multiple dictionaries. Specify "-" to use
              stdin. Here is a list of wordlists:
              https://www.aircrack-ng.org/doku.php?id=faq#where_can_i_find_good_wordlists
              In order to use a dictionary with hexadecimal values, prefix the
              dictionary with "h:". Each byte in each key must be separated by
              ':'. When using with WEP, key length should be specified using
              -n.

       -N <file> or --new-session <file>
              Create a new cracking session. It allows one to interrupt a
              cracking session and restart it at a later time (using -R or
              --restore-session). Status files are saved every 10 minutes. It
              does not overwrite an existing session file.

       -R <file> or --restore-session <file>
              Restore and continue a previously saved cracking session. This
              parameter is to be used alone; no other parameter should be
              specified when starting aircrack-ng (all the required
              information is in the session file).

       WPA-PSK options:

       -E <file>
              Create Elcomsoft Wireless Security Auditor (EWSA) Project file
              v3.02.

       -j <file>
              Create Hashcat v3.6+ Capture file (HCCAPX).

       -J <file>
              Create Hashcat Capture file (HCCAP).

       -S     WPA cracking speed test.

       -Z <sec>
              WPA cracking speed test execution length in seconds.

       -r <database>
              Path to the airolib-ng database. Cannot be used with '-w'.

       SIMD selection:

       --simd=<option>
              Aircrack-ng automatically loads and uses the fastest
              optimization based on instructions available for your CPU. This
              option allows one to force another optimization. Choices depend
              on the CPU and the following are all the possibilities that may
              be compiled regardless of the CPU type: generic, sse2, avx,
              avx2, avx512, neon, asimd, altivec, power8.

       --simd-list
              Shows a list of the available SIMD architectures, separated by a
              space character. Aircrack-ng automatically selects the fastest
              optimization and thus it is rarely needed to use this option.
              Use case would be for testing purposes or when a "lower"
              optimization, such as "generic", is faster than the
              automatically selected one. Before forcing a SIMD architecture,
              verify that the instruction is supported by your CPU, using -u.

       Other options:

       -H or --help
              Show help screen.

       -u or --cpu-detect
              Provide information on the number of CPUs and SIMD support.

AUTHOR

       This manual page was written by Adam Cecile <gandalf@le-vert.net> for
       the Debian system (but may be used by others). Permission is granted
       to copy, distribute and/or modify this document under the terms of the
       GNU General Public License, Version 2 or any later version published by
       the Free Software Foundation. On Debian systems, the complete text of
       the GNU General Public License can be found in
       /usr/share/common-licenses/GPL.

SEE ALSO

       airbase-ng(8)
       aireplay-ng(8)
       airmon-ng(8)
       airodump-ng(8)
       airodump-ng-oui-update(8)
       airserv-ng(8)
       airtun-ng(8)
       besside-ng(8)
       easside-ng(8)
       tkiptun-ng(8)
       wesside-ng(8)
       airdecap-ng(1)
       airdecloak-ng(1)
       airolib-ng(1)
       besside-ng-crawler(1)
       buddy-ng(1)
       ivstools(1)
       kstats(1)
       makeivs-ng(1)
       packetforge-ng(1)
       wpaclean(1)
       airventriloquist(8)

Version 1.7.0                      May 2022                     AIRCRACK-NG(1)