Manual Page - aircrack-ng(1)

Manual Reference Pages - AIRCRACK-NG (1)

NAME

aircrack-ng - a 802.11 WEP / WPA-PSK key cracker

Synopsis
Description
Options
Author
See Also

SYNOPSIS

aircrack-ng [options] <.cap / .ivs file(s)>

DESCRIPTION

aircrack-ng is a 802.11 WEP / WPA-PSK key cracker. It implements the so-called Fluhrer - Mantin - Shamir (FMS) attack, along with some new attacks by a talented hacker named KoreK. When enough encrypted packets have been gathered, aircrack-ng can almost instantly recover the WEP key.

OPTIONS

-H, --help
Shows the help screen.

Common options:
-a <amode>
Force the attack mode, 1 or wep for WEP and 2 or wpa for WPA-PSK.

-e <essid>
Select the target network based on the ESSID. This option is also required for WPA cracking if the SSID is cloacked.

-b <bssid>
Select the target network based on the access point MAC address.

-p <nbcpu>
Set this option to the number of CPUs to use (only available on SMP systems). By default, it uses all available CPUs

-q If set, no status information is displayed.

-C <macs>
Merges all those APs MAC (separated by a comma) into a virtual one.

Static WEP cracking options:
-c
Search alpha-numeric characters only.

-t Search binary coded decimal characters only.

-h Search the numeric key for Fritz!BOX

-d <mask>
Specify mask of the key. For example: A1:XX:CF

-m <maddr>
Only keep the IVs coming from packets that match this MAC address. Alternatively, use -m ff:ff:ff:ff:ff:ff to use all and every IVs, regardless of the network (this disables ESSID and BSSID filtering).

-n <nbits>
Specify the length of the key: 64 for 40-bit WEP, 128 for 104-bit WEP, etc., until 512 bits of length. The default value is 128.

-i <index>
Only keep the IVs that have this key index (1 to 4). The default behaviour is to ignore the key index in the packet, and use the IV regardless.

-f <fudge>
By default, this parameter is set to 2. Use a higher value to increase the bruteforce level: cracking will take more time, but with a higher likelihood of success.

-k <korek>
There are 17 KoreK attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack selectively.

-x or -x0
Disable last keybytes bruteforce (not advised).

-x1 Enable last keybyte bruteforcing (default)

-x2 Enable last two keybytes bruteforcing.

-X Disable bruteforce multithreading (SMP only).

-s Shows ASCII version of the key at the right of the screen

-y This is an experimental single brute-force attack which should only be used when the standard attack mode fails with more than one million IVs.

-z Uses PTW (Andrei Pyshkin, Erik Tews and Ralf-Philipp Weinmann) attack (default attack).

-P <num>
PTW debug: 1 Disable klein, 2 PTW.

-K Use KoreK attacks instead of PTW.

-D WEP decloak mode.

WPA-PSK cracking options:
-w <words>
Path to a dictionary file for wpa cracking. Specify "-" to use stdin.

AUTHOR

This manual page was written by Adam Cecile <gandalf@le-vert.net> for the Debian system (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.

Manual Reference Pages - AIRCRACK-NG (1)

NAME

CONTENTS

SYNOPSIS

DESCRIPTION

OPTIONS

AUTHOR

SEE ALSO

-H, --help
	Shows the help screen.
Common options: -a <amode>
	Force the attack mode, 1 or wep for WEP and 2 or wpa for WPA-PSK.
-e <essid>
	Select the target network based on the ESSID. This option is also required for WPA cracking if the SSID is cloacked.
-b <bssid>
	Select the target network based on the access point MAC address.
-p <nbcpu>
	Set this option to the number of CPUs to use (only available on SMP systems). By default, it uses all available CPUs
-q	If set, no status information is displayed.
-C <macs>
	Merges all those APs MAC (separated by a comma) into a virtual one.
Static WEP cracking options: -c
	Search alpha-numeric characters only.
-t	Search binary coded decimal characters only.
-h	Search the numeric key for Fritz!BOX
-d <mask>
	Specify mask of the key. For example: A1:XX:CF
-m <maddr>
	Only keep the IVs coming from packets that match this MAC address. Alternatively, use -m ff:ff:ff:ff:ff:ff to use all and every IVs, regardless of the network (this disables ESSID and BSSID filtering).
-n <nbits>
	Specify the length of the key: 64 for 40-bit WEP, 128 for 104-bit WEP, etc., until 512 bits of length. The default value is 128.
-i <index>
	Only keep the IVs that have this key index (1 to 4). The default behaviour is to ignore the key index in the packet, and use the IV regardless.
-f <fudge>
	By default, this parameter is set to 2. Use a higher value to increase the bruteforce level: cracking will take more time, but with a higher likelihood of success.
-k <korek>
	There are 17 KoreK attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack selectively.
-x or -x0
	Disable last keybytes bruteforce (not advised).
-x1	Enable last keybyte bruteforcing (default)
-x2	Enable last two keybytes bruteforcing.
-X	Disable bruteforce multithreading (SMP only).
-s	Shows ASCII version of the key at the right of the screen
-y	This is an experimental single brute-force attack which should only be used when the standard attack mode fails with more than one million IVs.
-z	Uses PTW (Andrei Pyshkin, Erik Tews and Ralf-Philipp Weinmann) attack (default attack).
-P <num>
	PTW debug: 1 Disable klein, 2 PTW.
-K	Use KoreK attacks instead of PTW.
-D	WEP decloak mode.
WPA-PSK cracking options: -w <words>
	Path to a dictionary file for wpa cracking. Specify "-" to use stdin.