Man Linux: Main Page and Category List


       aircrack-ng - a 802.11 WEP / WPA-PSK key cracker


       aircrack-ng [options] <.cap / .ivs file(s)>


       aircrack-ng is an 802.11 WEP and WPA/WPA2-PSK key cracking program.
       It  can  recover  the  WEP  key once enough encrypted packets have been
       captured  with  airodump-ng.  This  part  of  the   aircrack-ng   suite
       determines  the WEP key using two fundamental methods. The first method
       is via the PTW approach (Pyshkin, Tews, Weinmann). The  main  advantage
       of the PTW approach is that very few data packets are required to crack
       the WEP key. The second method is the FMS/KoreK method.  The  FMS/KoreK
       method incorporates various statistical attacks to discover the WEP key
       and uses these in combination with brute forcing.
       Additionally, the program offers a dictionary  method  for  determining
       the WEP key. For cracking WPA/WPA2 pre-shared keys, a wordlist (file or
       stdin) or an airolib-ng has to be used.


       -H, --help
              Shows the help screen.

       Common options:

       -a <amode>
              Force the attack mode, 1 or wep for WEP and 2 or  wpa  for  WPA-

       -e <essid>
              Select  the  target  network  based on the ESSID. This option is
              also required for WPA cracking if the SSID is cloacked. For SSID
              containing    special   characters,   see   http://www.aircrack-

       -b <bssid>
              Select the target network based on the access point MAC address.

       -p <nbcpu>
              Set this option to the number of CPUs to use (only available  on
              SMP systems). By default, it uses all available CPUs

       -q     If set, no status information is displayed.

       -C <macs>
              Merges  all  those APs MAC (separated by a comma) into a virtual

       -l <file>
              Write the key into a file.

       Static WEP cracking options:

       -c     Search alpha-numeric characters only.

       -t     Search binary coded decimal characters only.

       -h     Search the numeric key for Fritz!BOX

       -d <mask>
              Specify mask of the key. For example: A1:XX:CF

       -m <maddr>
              Only keep the IVs  coming  from  packets  that  match  this  MAC
              address.  Alternatively, use -m ff:ff:ff:ff:ff:ff to use all and
              every IVs, regardless of the network (this  disables  ESSID  and
              BSSID filtering).

       -n <nbits>
              Specify  the  length  of  the  key:  64  for 40-bit WEP, 128 for
              104-bit WEP, etc., until 512 bits of length. The  default  value
              is 128.

       -i <index>
              Only keep the IVs that have this key index (1 to 4). The default
              behaviour is to ignore the key index in the packet, and use  the
              IV regardless.

       -f <fudge>
              By  default,  this  parameter is set to 2. Use a higher value to
              increase the bruteforce level: cracking will take more time, but
              with a higher likelihood of success.

       -k <korek>
              There  are 17 KoreK attacks. Sometimes one attack creates a huge
              false positive that prevents the key from being found, even with
              lots  of  IVs.  Try -k 1, -k 2, ... -k 17 to disable each attack

       -x or -x0
              Disable last keybytes bruteforce (not advised).

       -x1    Enable last keybyte bruteforcing (default)

       -x2    Enable last two keybytes bruteforcing.

       -X     Disable bruteforce multithreading (SMP only).

       -s     Shows ASCII version of the key at the right of the screen.

       -y     This is an experimental single brute-force attack  which  should
              only  be used when the standard attack mode fails with more than
              one million IVs.

       -z     Uses PTW (Andrei Pyshkin, Erik Tews and  Ralf-Philipp  Weinmann)
              attack (default attack).

       -P <num>
              PTW debug: 1 Disable klein, 2 PTW.

       -K     Use KoreK attacks instead of PTW.

       -D     WEP decloak mode.

       -1     Run only 1 try to crack key with PTW.

       -M <num>
              Specify maximum number of IVs to use.

       WPA-PSK cracking options:

       -w <words>
              Path  to  a dictionary file for wpa cracking. Specify "-" to use
              stdin.  Here  is  a  list  of  wordlists:   http://www.aircrack-
              <database> Path to the airolib-ng database. Cannot be used  with


       This  manual  page was written by Adam Cecile <> for
       the Debian system (but may be used by others).  Permission  is  granted
       to  copy, distribute and/or modify this document under the terms of the
       GNU General Public License, Version 2 or any later version published by
       the  Free  Software  Foundation On Debian systems, the complete text of
       the GNU General Public  License  can  be  found  in  /usr/share/common-