Aircrack-ng Package Description
Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the all-new PTW attack, thus making the attack much faster compared to other WEP cracking tools.
Source: http://aircrack-ng.org/
Aircrack-ng Homepage | Kali Aircrack-ng Repo
- Author: Thomas d’Otreppe, Original work: Christophe Devine
- License: GPLv2
Tools included in the aircrack-ng package
airbase-ng – Configure fake access points
root@kali:~# airbase-ng --help
Airbase-ng 1.2 beta3 - (C) 2008-2013 Thomas d'Otreppe
Original work: Martin Beck
http://www.aircrack-ng.org
usage: airbase-ng <options> <replay interface>
Options:
-a bssid : set Access Point MAC address
-i iface : capture packets from this interface
-w WEP key : use this WEP key to en-/decrypt packets
-h MAC : source mac for MITM mode
-f disallow : disallow specified client MACs (default: allow)
-W 0|1 : [don't] set WEP flag in beacons 0|1 (default: auto)
-q : quiet (do not print statistics)
-v : verbose (print more messages)
-A : Ad-Hoc Mode (allows other clients to peer)
-Y in|out|both : external packet processing
-c channel : sets the channel the AP is running on
-X : hidden ESSID
-s : force shared key authentication (default: auto)
-S : set shared key challenge length (default: 128)
-L : Caffe-Latte WEP attack (use if driver can't send frags)
-N : cfrag WEP attack (recommended)
-x nbpps : number of packets per second (default: 100)
-y : disables responses to broadcast probes
-0 : set all WPA,WEP,open tags. can't be used with -z & -Z
-z type : sets WPA1 tags. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
-Z type : same as -z, but for WPA2
-V type : fake EAPOL 1=MD5 2=SHA1 3=auto
-F prefix : write all sent and received frames into pcap file
-P : respond to all probes, even when specifying ESSIDs
-I interval : sets the beacon interval value in ms
-C seconds : enables beaconing of probed ESSID values (requires -P)
Filter options:
--bssid MAC : BSSID to filter/use
--bssids file : read a list of BSSIDs out of that file
--client MAC : MAC of client to filter
--clients file : read a list of MACs out of that file
--essid ESSID : specify a single ESSID (default: default)
--essids file : read a list of ESSIDs out of that file
--help : Displays this usage screen
aircrack-ng – Wireless password cracker
root@kali:~# aircrack-ng --help
Aircrack-ng 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe
http://www.aircrack-ng.org
usage: aircrack-ng [options] <.cap / .ivs file(s)>
Common options:
-a <amode> : force attack mode (1/WEP, 2/WPA-PSK)
-e <essid> : target selection: network identifier
-b <bssid> : target selection: access point's MAC
-p <nbcpu> : # of CPU to use (default: all CPUs)
-q : enable quiet mode (no status output)
-C <macs> : merge the given APs to a virtual one
-l <file> : write key to file
Static WEP cracking options:
-c : search alpha-numeric characters only
-t : search binary coded decimal chr only
-h : search the numeric key for Fritz!BOX
-d <mask> : use masking of the key (A1:XX:CF:YY)
-m <maddr> : MAC address to filter usable packets
-n <nbits> : WEP key length : 64/128/152/256/512
-i <index> : WEP key index (1 to 4), default: any
-f <fudge> : bruteforce fudge factor, default: 2
-k <korek> : disable one attack method (1 to 17)
-x or -x0 : disable bruteforce for last keybytes
-x1 : last keybyte bruteforcing (default)
-x2 : enable last 2 keybytes bruteforcing
-X : disable bruteforce multithreading
-y : experimental single bruteforce mode
-K : use only old KoreK attacks (pre-PTW)
-s : show the key in ASCII while cracking
-M <num> : specify maximum number of IVs to use
-D : WEP decloak, skips broken keystreams
-P <num> : PTW debug: 1: disable Klein, 2: PTW
-1 : run only 1 try to crack key with PTW
WEP and WPA-PSK cracking options:
-w <words> : path to wordlist(s) filename(s)
WPA-PSK options:
-E <file> : create EWSA Project file v3
-J <file> : create Hashcat Capture file
-S : WPA cracking speed test
Other options:
-u : Displays # of CPUs & MMX/SSE support
--help : Displays this usage screen
airdecap-ng – Decrypt WEP/WPA/WPA2 capture files
root@kali:~# airdecap-ng --help
Airdecap-ng 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe
http://www.aircrack-ng.org
usage: airdecap-ng [options] <pcap file>
Common options:
-l : don't remove the 802.11 header
-b <bssid> : access point MAC address filter
-e <essid> : target network SSID
WEP specific option:
-w <key> : target network WEP key in hex
WPA specific options:
-p <pass> : target network WPA passphrase
-k <pmk> : WPA Pairwise Master Key in hex
--help : Displays this usage screen
airdecloak-ng – Removes wep cloaking from a pcap file
root@kali:~# airdecloak-ng --help
Airdecloak-ng 1.2 beta3 - (C) 2008-2013 Thomas d'Otreppe
http://www.aircrack-ng.org
usage: airdecloak-ng [options]
options:
Mandatory:
-i <file> : Input capture file
--ssid <ESSID> : ESSID of the network to filter
or
--bssid <BSSID> : BSSID of the network to filter
Optional:
--filters <filters> : Apply filters (separated by a comma). Filters:
signal: Try to filter based on signal.
duplicate_sn: Remove all duplicate sequence numbers
for both the AP and the client.
duplicate_sn_ap: Remove duplicate sequence number for
the AP only.
duplicate_sn_client: Remove duplicate sequence number for the
client only.
consecutive_sn: Filter based on the fact that IV should
be consecutive (only for AP).
duplicate_iv: Remove all duplicate IV.
signal_dup_consec_sn: Use signal (if available), duplicate and
consecutive sequence number (filtering is
much more precise than using all these
filters one by one).
--null-packets : Assume that null packets can be cloaked.
--disable-base_filter : Do not apply base filter.
--drop-frag : Drop fragmented packets
--help : Displays this usage screen
airdriver-ng – Provides status information about the wireless drivers on your system
root@kali:~# airdriver-ng --help
Found kernel: 3.3.12-kali1-686-pae.3.12-kali1-686-pae
usage: airdriver-ng <command> [drivernumber]
valid commands:
supported - lists all supported drivers
kernel - lists all in-kernel drivers
installed - lists all installed drivers
loaded - lists all loaded drivers
-----------------------------------------------------
insert <drivernum> - inserts a driver
load <drivernum> - loads a driver
unload <drivernum> - unloads a driver
reload <drivernum> - reloads a driver
-----------------------------------------------------
compile <drivernum> - compiles a driver
install <drivernum> - installs a driver
remove <drivernum> - removes a driver
-----------------------------------------------------
compile_stack <stacknum> - compiles a stack
install_stack <stacknum> - installs a stack
remove_stack <stacknum> - removes a stack
-----------------------------------------------------
install_firmware <drivernum> - installs the firmware
remove_firmware <drivernum> - removes the firmware
-----------------------------------------------------
details <drivernum> - prints driver details
detect - detects wireless cards
aireplay-ng – Primary function is to generate traffic for the later use in aircrack-ng
root@kali:~# aireplay-ng --help
Aireplay-ng 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe
http://www.aircrack-ng.org
usage: aireplay-ng <options> <replay interface>
Filter options:
-b bssid : MAC address, Access Point
-d dmac : MAC address, Destination
-s smac : MAC address, Source
-m len : minimum packet length
-n len : maximum packet length
-u type : frame control, type field
-v subt : frame control, subtype field
-t tods : frame control, To DS bit
-f fromds : frame control, From DS bit
-w iswep : frame control, WEP bit
-D : disable AP detection
Replay options:
-x nbpps : number of packets per second
-p fctrl : set frame control word (hex)
-a bssid : set Access Point MAC address
-c dmac : set Destination MAC address
-h smac : set Source MAC address
-g value : change ring buffer size (default: 8)
-F : choose first matching packet
Fakeauth attack options:
-e essid : set target AP SSID
-o npckts : number of packets per burst (0=auto, default: 1)
-q sec : seconds between keep-alives
-Q : send reassociation requests
-y prga : keystream for shared key auth
-T n : exit after retry fake auth request n time
Arp Replay attack options:
-j : inject FromDS packets
Fragmentation attack options:
-k IP : set destination IP in fragments
-l IP : set source IP in fragments
Test attack options:
-B : activates the bitrate test
Source options:
-i iface : capture packets from this interface
-r file : extract packets from this pcap file
Miscellaneous options:
-R : disable /dev/rtc usage
--ignore-negative-one : if the interface's channel can't be determined,
ignore the mismatch, needed for unpatched cfg80211
Attack modes (numbers can still be used):
--deauth count : deauthenticate 1 or all stations (-0)
--fakeauth delay : fake authentication with AP (-1)
--interactive : interactive frame selection (-2)
--arpreplay : standard ARP-request replay (-3)
--chopchop : decrypt/chopchop WEP packet (-4)
--fragment : generates valid keystream (-5)
--caffe-latte : query a client for new IVs (-6)
--cfrag : fragments against a client (-7)
--migmode : attacks WPA migration mode (-8)
--test : tests injection and quality (-9)
--help : Displays this usage screen
airmon-ng – This script can be used to enable monitor mode on wireless interfaces
root@kali:~# airmon-ng --help
usage: airmon-ng <start|stop|check> <interface> [channel or frequency]
airmon-zc – This script can be used to enable monitor mode on wireless interfaces
root@kali:~# airmon-zc --help
usage: airmon-zc <start|stop|check> <interface> [channel or frequency]
airodump-ng – Used for packet capturing of raw 802.11 frames
root@kali:~# airodump-ng --help
Airodump-ng 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe
http://www.aircrack-ng.org
usage: airodump-ng <options> <interface>[,<interface>,...]
Options:
--ivs : Save only captured IVs
--gpsd : Use GPSd
--write <prefix> : Dump file prefix
-w : same as --write
--beacons : Record all beacons in dump file
--update <secs> : Display update delay in seconds
--showack : Prints ack/cts/rts statistics
-h : Hides known stations for --showack
-f <msecs> : Time in ms between hopping channels
--berlin <secs> : Time before removing the AP/client
from the screen when no more packets
are received (Default: 120 seconds)
-r <file> : Read packets from that file
-x <msecs> : Active Scanning Simulation
--manufacturer : Display manufacturer from IEEE OUI list
--uptime : Display AP Uptime from Beacon Timestamp
--output-format
<formats> : Output format. Possible values:
pcap, ivs, csv, gps, kismet, netxml
--ignore-negative-one : Removes the message that says
fixed channel <interface>: -1
Filter options:
--encrypt <suite> : Filter APs by cipher suite
--netmask <netmask> : Filter APs by mask
--bssid <bssid> : Filter APs by BSSID
--essid <essid> : Filter APs by ESSID
-a : Filter unassociated clients
By default, airodump-ng hop on 2.4GHz channels.
You can make it capture on other/specific channel(s) by using:
--channel <channels> : Capture on specific channels
--band <abg> : Band on which airodump-ng should hop
-C <frequencies> : Uses these frequencies in MHz to hop
--cswitch <method> : Set channel switching method
0 : FIFO (default)
1 : Round Robin
2 : Hop on last
-s : same as --cswitch
--help : Displays this usage screen
airodump-ng-oui-update – Downloads and parses IEEE OUI list
airodump-ng-oui-updater downloads and parses IEEE OUI list.
airolib-ng – Designed to store and manage essid and password lists
root@kali:~# airolib-ng --help
Airolib-ng 1.2 beta3 - (C) 2007, 2008, 2009 ebfe
http://www.aircrack-ng.org
Usage: airolib-ng <database> <operation> [options]
Operations:
--stats : Output information about the database.
--sql <sql> : Execute specified SQL statement.
--clean [all] : Clean the database from old junk. 'all' will also
reduce filesize if possible and run an integrity check.
--batch : Start batch-processing all combinations of ESSIDs
and passwords.
--verify [all] : Verify a set of randomly chosen PMKs.
If 'all' is given, all invalid PMK will be deleted.
--import [essid|passwd] <file> :
Import a text file as a list of ESSIDs or passwords.
--import cowpatty <file> :
Import a cowpatty file.
--export cowpatty <essid> <file> :
Export to a cowpatty file.
airserv-ng – A wireless card server
root@kali:~# airserv-ng --help
airserv-ng: invalid option -- '-'
Airserv-ng 1.2 beta3 - (C) 2007, 2008, 2009 Andrea Bittau
http://www.aircrack-ng.org
Usage: airserv-ng <options>
Options:
-h : This help screen
-p <port> : TCP port to listen on (default:666)
-d <iface> : Wifi interface to use
-c <chan> : Channel to use
-v <level> : Debug level (1 to 3; default: 1)
airtun-ng – Virtual tunnel interface creator
root@kali:~# airtun-ng --help
Airtun-ng 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe
Original work: Martin Beck
http://www.aircrack-ng.org
usage: airtun-ng <options> <replay interface>
-x nbpps : number of packets per second (default: 100)
-a bssid : set Access Point MAC address
: In WDS Mode this sets the Receiver
-i iface : capture packets from this interface
-y file : read PRGA from this file
-w wepkey : use this WEP-KEY to encrypt packets
-t tods : send frames to AP (1) or to client (0)
: or tunnel them into a WDS/Bridge (2)
-r file : read frames out of pcap file
WDS/Bridge Mode options:
-s transmitter : set Transmitter MAC address for WDS Mode
-b : bidirectional mode. This enables communication
: in Transmitter's AND Receiver's networks.
: Works only if you can see both stations.
Repeater options:
--repeat : activates repeat mode
--bssid <mac> : BSSID to repeat
--netmask <mask> : netmask for BSSID filter
--help : Displays this usage screen
besside-ng – Automatically crack WEP & WPA network
root@kali:~# besside-ng --help
besside-ng: invalid option -- '-'
Besside-ng 1.2 beta3 - (C) 2010 Andrea Bittau
http://www.aircrack-ng.org
Usage: besside-ng [options] <interface>
Options:
-b <victim mac> : Victim BSSID
-s <WPA server> : Upload wpa.cap for cracking
-c <chan> : chanlock
-p <pps> : flood rate
-W : WPA only
-v : verbose, -vv for more, etc.
-h : This help screen
buddy-ng
root@kali:~# buddy-ng -h
Buddy-ng 1.2 beta3 - (C) 2007,2008 Andrea Bittau
http://www.aircrack-ng.org
Usage: buddy-ng <options>
Options:
-h : This help screen
-p : Don't drop privileges
easside-ng – An auto-magic tool which allows you to communicate via an WEP-encrypted access point
root@kali:~# easside-ng -h
Easside-ng 1.2 beta3 - (C) 2007, 2008, 2009 Andrea Bittau
http://www.aircrack-ng.org
Usage: easside-ng <options>
Options:
-h : This help screen
-v <victim mac> : Victim BSSID
-m <src mac> : Source MAC address
-i <ip> : Source IP address
-r <router ip> : Router IP address
-s <buddy ip> : Buddy-ng IP address (mandatory)
-f <iface> : Interface to use (mandatory)
-c <channel> : Lock card to this channel
-n : Determine Internet IP only
ivstools – This tool handle .ivs files. You can either merge or convert them.
root@kali:~# ivstools
ivsTools 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe
http://www.aircrack-ng.org
usage: ivstools --convert <pcap file> <ivs output file>
Extract ivs from a pcap file
ivstools --merge <ivs file 1> <ivs file 2> .. <output file>
Merge ivs files
kstats
root@kali:~# kstats
usage: kstats <ivs file> <104-bit key>
makeivs-ng – Generates initialization vectors
root@kali:~# makeivs-ng --help
makeivs-ng 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe
http://www.aircrack-ng.org
usage: makeivs-ng [options]
Common options:
-b <bssid> : Set access point MAC address
-f <num> : Number of first IV
-k <key> : Target network WEP key in hex
-s <num> : Seed used to setup random generator
-w <file> : Filename to write IVs into
-c <num> : Number of IVs to generate
-d <num> : Percentage of dupe IVs
-e <num> : Percentage of erroneous keystreams
-l <num> : Length of keystreams
-n : Ignores ignores weak IVs
-p : Uses prng algorithm to generate IVs
--help : Displays this usage screen
packetforge-ng – Create encrypted packets that can subsequently be used for injection
root@kali:~# packetforge-ng --help
Packetforge-ng 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe
Original work: Martin Beck
http://www.aircrack-ng.org
Usage: packetforge-ng <mode> <options>
Forge options:
-p <fctrl> : set frame control word (hex)
-a <bssid> : set Access Point MAC address
-c <dmac> : set Destination MAC address
-h <smac> : set Source MAC address
-j : set FromDS bit
-o : clear ToDS bit
-e : disables WEP encryption
-k <ip[:port]> : set Destination IP [Port]
-l <ip[:port]> : set Source IP [Port]
-t ttl : set Time To Live
-w <file> : write packet to this pcap file
-s <size> : specify size of null packet
-n <packets> : set number of packets to generate
Source options:
-r <file> : read packet from this raw file
-y <file> : read PRGA from this file
Modes:
--arp : forge an ARP packet (-0)
--udp : forge an UDP packet (-1)
--icmp : forge an ICMP packet (-2)
--null : build a null packet (-3)
--custom : build a custom packet (-9)
--help : Displays this usage screen
tkiptun-ng – This tool is able to inject a few frames into a WPA TKIP network with QoS
root@kali:~# tkiptun-ng --help
Tkiptun-ng 1.2 beta3 - (C) 2008-2013 Thomas d'Otreppe
http://www.aircrack-ng.org
usage: tkiptun-ng <options> <replay interface>
Filter options:
-d dmac : MAC address, Destination
-s smac : MAC address, Source
-m len : minimum packet length (default: 80)
-n len : maximum packet length (default: 80)
-t tods : frame control, To DS bit
-f fromds : frame control, From DS bit
-D : disable AP detection
-Z : select packets manually
Replay options:
-x nbpps : number of packets per second
-a bssid : set Access Point MAC address
-c dmac : set Destination MAC address
-h smac : set Source MAC address
-e essid : set target AP SSID
-M sec : MIC error timout in seconds [60]
Debug options:
-K prga : keystream for continuation
-y file : keystream-file for continuation
-j : inject FromDS packets
-P pmk : pmk for verification/vuln testing
-p psk : psk to calculate pmk with essid
source options:
-i iface : capture packets from this interface
-r file : extract packets from this pcap file
--help : Displays this usage screen
wesside-ng – Auto-magic tool which incorporates a number of techniques to seamlessly obtain a WEP key
root@kali:~# wesside-ng -h
Wesside-ng 1.2 beta3 - (C) 2007, 2008, 2009 Andrea Bittau
http://www.aircrack-ng.org
Usage: wesside-ng <options>
Options:
-h : This help screen
-i <iface> : Interface to use (mandatory)
-m <my ip> : My IP address
-n <net ip> : Network IP address
-a <mymac> : Source MAC Address
-c : Do not crack the key
-p <min prga> : Minimum bytes of PRGA to gather
-v <victim mac> : Victim BSSID
-t <threshold> : Cracking threshold
-f <max chan> : Highest scanned chan (default: 11)
-k <txnum> : Ignore acks and tx txnum times
wpaclean – Remove excess data from a pcap file
root@kali:~# wpaclean
Usage: wpaclean <out.cap> <in.cap> [in2.cap] [...]
airdriver-ng Usage Example
root@kali:~# airdriver-ng detect
USB devices (generic detection):
Bus 002 Device 009: ID 0846:9001 NetGear, Inc. WN111(v2) RangeMax Next Wireless [Atheros AR9170+AR9101]
Bus 001 Device 012: ID 050d:0017 Belkin Components B8T017 Bluetooth+EDR 2.1
Bus 001 Device 005: ID 0e0f:0008 VMware, Inc.
airmon-ng Usage Example
Start (start) monitor mode on the wireless interface (wlan0) on the desired channel (6):
root@kali:~# airmon-ng start wlan0 6
Interface Chipset Driver
wlan0 2-2: Atheros carl9170 - [phy4]
(monitor mode enabled on mon0)
airodump-ng Usage Example
Sniff on channel 6 (-c 6), filtering on a BSSID (--bssid 38:60:77:23:B1:CB), writing the capture to disk (-w capture), using the monitor mode interface (mon0):
root@kali:~# airodump-ng -c 6 --bssid 38:60:77:23:B1:CB -w capture mon0
CH 6 ][ Elapsed: 4 s ][ 2014-05-15 17:21
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
38:60:77:23:B1:CB -79 0 7 0 0 6 54e WPA2 CCMP PSK 6EA10E
BSSID STATION PWR Rate Lost Frames Probe
aircrack-ng Usage Example
Using the provided wordlist (-w /usr/share/wordlists/nmap.lst), attempt to crack passwords in the capture file (capture-01.cap):
root@kali:~# aircrack-ng -w /usr/share/wordlists/nmap.lst capture-01.cap
Opening capture-01.cap
Read 2 packets.
# BSSID ESSID Encryption
1 38:60:77:23:B1:CB 6EA10E No data - WEP or WPA
Choosing first network as target.
Opening capture-01.cap
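The PMK that airdecap-ng accepts with -k (in place of -p and -e), that tkiptun-ng derives "with essid" from -p, and that airolib-ng --batch precomputes for every ESSID/password pair is one and the same PBKDF2 derivation; the Python below is an added illustration of it, not aircrack-ng code, using the IEEE 802.11i test vector (passphrase "password", SSID "IEEE") plus constructed ESSIDs. It shows why the ESSID acts as a salt (a table built for one network is useless against another) and why the wordlist run in the aircrack-ng example above costs 4096 HMAC-SHA1 rounds per candidate, so passphrase entropy is the only real defence for WPA-PSK.

```python
import hashlib

PBKDF2_ROUNDS = 4096   # fixed by the WPA/WPA2-PSK standard
PMK_LEN = 32           # 256-bit Pairwise Master Key


def derive_pmk(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               essid.encode("utf-8"), PBKDF2_ROUNDS, PMK_LEN)


def pmk_hex(passphrase: str, essid: str) -> str:
    """Hex form of the PMK, the value airdecap-ng -k expects instead of -p/-e."""
    return derive_pmk(passphrase, essid).hex()


def pmk_table(passphrases, essids):
    """What airolib-ng --batch precomputes: one PMK per (ESSID, passphrase).
    Because the ESSID is the salt, each ESSID needs its own table, which is
    why a unique ESSID blunts precomputed tables even though it does nothing
    against a live wordlist run."""
    return {(e, p): derive_pmk(p, e) for e in essids for p in passphrases}


if __name__ == "__main__":
    # IEEE 802.11i Annex test vector
    print("IEEE/password ->", pmk_hex("password", "IEEE"))
    # constructed ESSIDs: same passphrase, different salt, different PMK
    table = pmk_table(["password"], ["IEEE", "HomeNet-Constructed"])
    print(len(set(table.values())), "distinct PMKs for one passphrase")
```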