Aircrack-ng | linux | Wireless Attacks

Aircrack-ng is an 802.11 WEP and WPA-PSK key cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with optimizations such as the KoreK attacks, as well as the all-new PTW attack, which makes it much faster than other WEP cracking tools.
  • Author: Thomas d’Otreppe, Original work: Christophe Devine
  • License: GPLv2

aircrack-ng – an 802.11 WEP and WPA/WPA2-PSK key cracking program
root@kali:~# aircrack-ng --help

  Aircrack-ng 1.2 rc4 - (C) 2006-2015 Thomas d'Otreppe
  http://www.aircrack-ng.org

  usage: aircrack-ng [options] <.cap / .ivs file(s)>

  Common options:

      -a <amode> : force attack mode (1/WEP, 2/WPA-PSK)
      -e <essid> : target selection: network identifier
      -b <bssid> : target selection: access point's MAC
      -p <nbcpu> : # of CPU to use  (default: all CPUs)
      -q         : enable quiet mode (no status output)
      -C <macs>  : merge the given APs to a virtual one
      -l <file>  : write key to file

  Static WEP cracking options:

      -c         : search alpha-numeric characters only
      -t         : search binary coded decimal chr only
      -h         : search the numeric key for Fritz!BOX
      -d <mask>  : use masking of the key (A1:XX:CF:YY)
      -m <maddr> : MAC address to filter usable packets
      -n <nbits> : WEP key length :  64/128/152/256/512
      -i <index> : WEP key index (1 to 4), default: any
      -f <fudge> : bruteforce fudge factor,  default: 2
      -k <korek> : disable one attack method  (1 to 17)
      -x or -x0  : disable bruteforce for last keybytes
      -x1        : last keybyte bruteforcing  (default)
      -x2        : enable last  2 keybytes bruteforcing
      -X         : disable  bruteforce   multithreading
      -y         : experimental  single bruteforce mode
      -K         : use only old KoreK attacks (pre-PTW)
      -s         : show the key in ASCII while cracking
      -M <num>   : specify maximum number of IVs to use
      -D         : WEP decloak, skips broken keystreams
      -P <num>   : PTW debug:  1: disable Klein, 2: PTW
      -1         : run only 1 try to crack key with PTW

  WEP and WPA-PSK cracking options:

      -w <words> : path to wordlist(s) filename(s)

  WPA-PSK options:

      -E <file>  : create EWSA Project file v3
      -J <file>  : create Hashcat Capture file
      -S         : WPA cracking speed test
      -r <DB>    : path to airolib-ng database
                   (Cannot be used with -w)

  Other options:

      -u         : Displays # of CPUs & MMX/SSE support
      --help     : Displays this usage screen

aircrack-ng Usage Examples

WPA Wordlist Mode
Specify the wordlist to use (-w /usr/share/doc/aircrack-ng/examples/password.lst) and the path to the capture file (/root/wpa.cap) containing at least one 4-way handshake.
root@kali:~# aircrack-ng -w /usr/share/doc/aircrack-ng/examples/password.lst /root/wpa.cap

                                 Aircrack-ng 1.2 rc4

      [00:00:00] 232/233 keys tested (1992.58 k/s) 

      Time left: 0 seconds                                      99.57%

                           KEY FOUND! [ biscotte ]


      Master Key     : CD D7 9A 5A CF B0 70 C7 E9 D1 02 3B 87 02 85 D6 
                       39 E4 30 B3 2F 31 AA 37 AC 82 5A 55 B5 55 24 EE 

      Transient Key  : 33 55 0B FC 4F 24 84 F4 9A 38 B3 D0 89 83 D2 49 
                       73 F9 DE 89 67 A6 6D 2B 8E 46 2C 07 47 6A CE 08 
                       AD FB 65 D6 13 A9 9F 2C 65 E4 A6 08 F2 5A 67 97 
                       D9 6F 76 5B 8C D3 DF 13 2F BC DA 6A 6E D9 62 CD 

      EAPOL HMAC     : 28 A8 C8 95 B7 17 E5 72 27 B6 A7 EE E3 E5 34 45

Basic WEP Cracking
To have aircrack-ng conduct a basic WEP key attack on a capture file, pass it the filename, either in .ivs or .cap/.pcap format.
root@kali:~# aircrack-ng all-ivs.ivs
                                   Aircrack-ng 1.2 rc4


                   [00:00:00] Tested 1514 keys (got 30566 IVs)

   KB    depth   byte(vote)
    0    0/  9   1F(39680) 4E(38400) 14(37376) 5C(37376) 9D(37376) 
    1    7/  9   64(36608) 3E(36352) 34(36096) 46(36096) BA(36096) 
    2    0/  1   1F(46592) 6E(38400) 81(37376) 79(36864) AD(36864) 
    3    0/  3   1F(40960) 15(38656) 7B(38400) BB(37888) 5C(37632) 
    4    0/  7   1F(39168) 23(38144) 97(37120) 59(36608) 13(36352) 

                         KEY FOUND! [ 1F:1F:1F:1F:1F ] 
    Decrypted correctly: 100%
