AIRCRACK-NG(1)		    General Commands Manual		AIRCRACK-NG(1)

       aircrack-ng - an 802.11 WEP / WPA-PSK key cracker

       aircrack-ng [options] <input file(s)>

       aircrack-ng  is	an  802.11 WEP,	802.11i	WPA/WPA2, and 802.11w WPA2 key
       cracking	program.

       It can recover the WEP key once enough encrypted	packets	have been cap-
       tured  with  airodump-ng. This part of the aircrack-ng suite determines
       the WEP key using two fundamental methods. The first method is via  the
       PTW  approach  (Pyshkin,	Tews, Weinmann). The main advantage of the PTW
       approach	is that	very few data packets are required to  crack  the  WEP
       key.  The  second  method is the	FMS/KoreK method. The FMS/KoreK	method
       incorporates various statistical	attacks	to discover the	 WEP  key  and
       uses these in combination with brute forcing.

       Additionally, the program offers a dictionary method for determining
       the WEP key. For cracking WPA/WPA2 pre-shared keys, a wordlist (file or
       stdin) or an airolib-ng database has to be used.

       Capture files (.cap, .pcap), IVS (.ivs) or Hashcat HCCAPX files (.hc-

       Common options:

       -a _amode_
	      Force the	attack mode: 1 or wep for WEP (802.11) and  2  or  wpa
	      for WPA/WPA2 PSK (802.11i	and 802.11w).

       -e _essid_
	      Select  the  target  network  based on the ESSID.	This option is
	      also required for	WPA cracking if	the SSID is cloaked. For  SSID
	      containing   special   characters,   see	 https://www.aircrack-

       -b _bssid_ or --bssid _bssid_
	      Select the target	network	based on the access point MAC address.

       -p _nbcpu_
	      Set  this	option to the number of	CPUs to	use (only available on
	      SMP systems). By default, it uses all available CPUs.

       -q     If set, no status	information is displayed.

       -C _macs_ or --combine _macs_
	      Merges all those APs MAC (separated by a comma) into  a  virtual

       -l _file_
	      Write the	key into a file. Overwrites the	file if	it already ex-

       Static WEP cracking options:

       -c     Search alpha-numeric characters only.

       -t     Search binary coded decimal characters only.

       -h     Search the numeric key for Fritz!BOX.

       -d _mask_ or --debug _mask_
	      Specify mask of the key. For example: A1:XX:CF

       -m _maddr_
	      Only keep	the IVs	coming from packets that match	this  MAC  ad-
	      dress.  Alternatively,  use  -m ff:ff:ff:ff:ff:ff	to use all and
	      every IVs, regardless of the network (this  disables  ESSID  and
	      BSSID filtering).

       -n _nbits_
	      Specify  the  length  of	the  key:  64  for 40-bit WEP, 128 for
	      104-bit WEP, etc., until 512 bits	of length. The	default	 value
	      is 128.

       -i _index_
	      Only keep	the IVs	that have this key index (1 to 4). The default
	      behavior is to ignore the	key index in the packet, and  use  the
	      IV regardless.

       -f _fudge_
	      By  default,  this  parameter is set to 2. Use a higher value to
	      increase the bruteforce level: cracking will take	more time, but
	      with a higher likelihood of success.

       -k _korek_
	      There  are 17 KoreK attacks. Sometimes one attack	creates	a huge
	      false positive that prevents the key from	being found, even with
	      lots  of	IVs.  Try -k 1,	-k 2, ... -k 17	to disable each	attack

       -x or -x0
	      Disable last keybytes bruteforce (not advised).

       -x1    Enable last keybyte bruteforcing (default).

       -x2    Enable last two keybytes bruteforcing.

       -X     Disable bruteforce multithreading	(SMP only).

       -s     Shows ASCII version of the key at	the right of the screen.

       -y     This is an experimental single brute-force attack	 which	should
	      only  be used when the standard attack mode fails	with more than
	      one million IVs.

       -z     Uses PTW (Andrei Pyshkin,	Erik Tews and  Ralf-Philipp  Weinmann)
	      attack (default attack).

       -P _num_	or --ptw-debug _num_
	      PTW debug: 1 Disable klein, 2 PTW.

       -K     Use KoreK	attacks	instead	of PTW.

       -D or --wep-decloak
	      WEP decloak mode.

       -1 or --oneshot
	      Run only 1 try to	crack key with PTW.

       -M _num_
	      Specify maximum number of	IVs to use.

       -V or --visual-inspection
	      Run  in  visual inspection mode. Can only	be used	when using Ko-

       WEP and WPA-PSK cracking options:

       -w _words_
	      Path to a	dictionary file	for wpa	cracking.  Separate  filenames
	      with  comma when using multiple dictionaries. Specify "-"	to use
	      stdin.  Here  is	a  list	 of  wordlists:	 https://www.aircrack-  In order
	      to use a dictionary with hexadecimal values, prefix the  dictio-
	      nary  with "h:". Each byte in each key must be separated by ':'.
	      When using with WEP, key length should be	specified using	-n.

       -N _file_ or --new-session _file_
	      Create a new cracking session. It	allows one to interrupt	crack-
	      ing  session and restart at a later time (using -R or --restore-
	      session).	Status files are saved every 5 minutes.	 It  does  not
	      overwrite	existing session file.

       -R _file_ or --restore-session _file_
	      Restore  and  continue a previously saved	cracking session. This
	      parameter	is to be used alone,  no  other	 parameter  should  be
	      specified	 when  starting	aircrack-ng (all the required informa-
	      tion is in the session file).

       WPA-PSK options:

       -E _file_
	      Create Elcomsoft Wireless	Security Auditor (EWSA)	 Project  file

       -j _file_
	      Create Hashcat v3.6+ Capture file	(HCCAPX).

       -J _file_
	      Create Hashcat Capture file (HCCAP).

       -S     WPA cracking speed test.

       -Z _sec_
	      WPA cracking speed test execution	length in seconds.

       -r _database_
	      Path to the airolib-ng database. Cannot be used with '-w'.
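
       The -e, -w, -r and -S options above all rest on one computation: the
       WPA/WPA2 pre-shared key is derived from the passphrase with the ESSID
       as salt (PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes), which is why the
       ESSID must be known and why precomputed keys only apply to one ESSID.
       The Python below is an added example, not part of aircrack-ng or of
       this manual page; it audits the passphrase of a network you administer,
       and its function names, sample wordlist and keys-per-second figure are
       constructed assumptions.

```python
import hashlib


def wpa_pmk(passphrase: str, essid: str) -> bytes:
    """802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, ESSID as salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def audit_passphrase(passphrase, essid, wordlist, keys_per_sec):
    """Return findings for a passphrase (hypothetical helper, not an aircrack-ng API).

    wordlist:     iterable of lines, one candidate per line (the layout -w reads)
    keys_per_sec: rate measured on reference hardware, e.g. by a -S speed test
    """
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("length outside the 8-63 characters WPA-PSK allows")
    words = {w.rstrip("\r\n") for w in wordlist}
    if passphrase in words:
        # Upper bound: every entry of the list costs one PBKDF2 derivation.
        secs = len(words) / keys_per_sec
        findings.append(f"present in wordlist; whole list tested in <= {secs:.0f}s")
    if essid.lower() in passphrase.lower():
        findings.append("passphrase contains the ESSID")
    return findings


# Constructed sample data, not taken from any real network or benchmark.
SAMPLE_WORDLIST = ["password\n", "letmein123\n", "sunshine2018\n", "HomeNet2018\n"]
SAMPLE_RATE = 2.0  # keys per second, placeholder so the arithmetic is visible

if __name__ == "__main__":
    # Same passphrase, two ESSIDs: the derived keys are unrelated, so a
    # default or common ESSID is what makes precomputed keys reusable.
    for essid in ("IEEE", "HomeNet"):
        print(essid, wpa_pmk("password", essid).hex())
    print(audit_passphrase("HomeNet2018", "HomeNet", SAMPLE_WORDLIST, SAMPLE_RATE))
    print(audit_passphrase("correct horse battery staple", "HomeNet",
                           SAMPLE_WORDLIST, SAMPLE_RATE))
```

       A long passphrase that appears in no wordlist, combined with a
       non-default ESSID, is what removes both the dictionary and the
       precomputation shortcut.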

       SIMD selection:

	      Aircrack-ng automatically loads and uses the fastest optimization
	      based on instructions available for your CPU. This option
	      allows  one to force another optimization. Choices depend	on the
	      CPU and the following are	all the	possibilities that may be com-
	      piled  regardless	 of  the  CPU  type: generic, sse2, avx, avx2,
	      avx512, neon, asimd, altivec, power8.

	      Shows a list of the available SIMD architectures,	separated by a
	      space  character.	 Aircrack-ng automatically selects the fastest
	      optimization and thus it is rarely needed	to  use	 this  option.
	      Use  case	 would be for testing purposes or when a "lower" opti-
	      mization,	such as	"generic", is faster  than  the	 automatically
	      selected	one.  Before  forcing a	SIMD architecture, verify that
	      the instruction is supported by your CPU,	using -u.

       Other options:

       -H or --help
	      Show help screen.

       -u or --cpu-detect
	      Provide information on the number of CPUs and SIMD support.

       This manual page	was written by Adam Cecile  <>  for
       the  Debian  system (but	may be used by others).	 Permission is granted
       to copy,	distribute and/or modify this document under the terms of  the
       GNU General Public License, Version 2 or	any later version published by
       the Free Software Foundation. On Debian systems, the complete text of
       the  GNU	 General  Public License can be	found in /usr/share/common-li-


Version	1.5.2			 December 2018			AIRCRACK-NG(1)

