NAME
aircrack-ng is a 802.11 WEP / WPA-PSK key
cracker.
SYNOPSIS
aircrack-ng [options] <.cap / .ivs
file(s)>
DESCRIPTION
aircrack-ng is a 802.11 WEP / WPA-PSK
key cracker. It implements the so-called Fluhrer - Mantin - Shamir
(FMS) attack, along with some new attacks by a talented hacker
named KoreK. When enough encrypted packets have been gathered,
aircrack-ng can almost instantly recover the WEP key.
OPTIONS
- -H, --help
- Shows the help screen.
- Common options:
- -a <amode>
- Force the attack mode, 1 or wep for WEP and 2 or wpa for
WPA-PSK.
- -e <essid>
- Select the target network based on the ESSID. This option is
also required for WPA cracking if the SSID is cloacked.
- -b <bssid>
- Select the target network based on the access point MAC
address.
- -p <nbcpu>
- Set this option to the number of CPUs to use (only available on
SMP systems). By default, it uses all available CPUs
- -q
- If set, no status information is displayed.
- Static WEP cracking options:
- -c
- Search alpha-numeric characters only.
- -t
- Search binary coded decimal characters only.
- -h
- Search the numeric key for Fritz!BOX
- -d <mask>
- Specify mask of the key. For example: A1:XX:CF
- -m <maddr>
- Only keep the IVs coming from packets that match this MAC
address. Alternatively, use -m ff:ff:ff:ff:ff:ff to use all and
every IVs, regardless of the network (this disables ESSID and BSSID
filtering).
- -n <nbits>
- Specify the length of the key: 64 for 40-bit WEP, 128 for
104-bit WEP, etc., until 512 bits of length. The default value is
128.
- -i <index>
- Only keep the IVs that have this key index (1 to 4). The
default behaviour is to ignore the key index in the packet, and use
the IV regardless.
- -f <fudge>
- By default, this parameter is set to 2. Use a higher value to
increase the bruteforce level: cracking will take more time, but
with a higher likelihood of success.
- -k <korek>
- There are 17 KoreK attacks. Sometimes one attack creates a huge
false positive that prevents the key from being found, even with
lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack
selectively.
- -x or -x0
- Disable last keybytes bruteforce (not advised).
- -x1
- Enable last keybyte bruteforcing (default)
- -x2
- Enable last two keybytes bruteforcing.
- -X
- Disable bruteforce multithreading (SMP only).
- -s
- Shows ASCII version of the key at the right of the screen
- -y
- This is an experimental single brute-force attack which should
only be used when the standard attack mode fails with more than one
million IVs.
- -z
- Uses PTW (Andrei Pyshkin, Erik Tews and Ralf-Philipp Weinmann)
attack.
- WPA-PSK cracking options:
- -w <words>
- Path to a dictionary file for wpa cracking. Specify "-" to use
stdin.
AUTHOR
This manual page was written by Adam Cecile
<gandalf@le-vert.net> for the
Debian system (but may be used by others). Permission is granted to
copy, distribute and/or modify this document under the terms of the
GNU General Public License, Version 2 or any later version
published by the Free Software Foundation On Debian systems, the
complete text of the GNU General Public License can be found in
/usr/share/common-licenses/GPL.
SEE ALSO
airmon-ng(1)
airdecap-ng(1)
aireplay-ng(1)
airodump-ng(1)
airtun-ng(1)
packetforge-ng(1)
ivstools(1)
kstats(1)