aircrack is a 802.11 WEP key cracker.

aircrack [options] <.cap / .ivs file(s)>

aircrack is a 802.11 WEP key cracker. It implements the so-called Fluhrer - Mantin - Shamir (FMS) attack, along with some new attacks by a talented hacker named KoreK. When enough encrypted packets have been gathered, aircrack can almost instantly recover the WEP key.

Common options:

-a <amode>

Force the attack mode, 1 for WEP and 2 for WPA-PSK.

-e <essid>

Select the target network based on the ESSID. This option is also required for WPA cracking if the SSID is cloacked.

-b <bssid>

Select the target network based on the access point's MAC address.

-p <nbcpu>

On SMP systems, set this option to the number of CPUs.

-q

If set, no status information is displayed.

Static WEP cracking options:

-c

Search alpha-numeric characters only.

-d <start>

Force the beginning of the WEP key. Only useful for debugging purposes.

-m <maddr>

Only keep the IVs coming from packets that match this MAC address. Alternatively, use -m ff:ff:ff:ff:ff:ff to use all and every IVs, regardless of the network (this disables ESSID and BSSID filtering).

-n <nbits>

Specify the length of the key: 64 for 40-bit WEP, 128 for 104-bit WEP, etc., until 256 bits of length. The default value is 128.

-i <index>

Only keep the IVs that have this key index (1 to 4). The default behaviour is to ignore the key index in the packet, and use the IV regardless.

-f <fudge>

By default, this parameter is set to 2. Use a higher value to increase the bruteforce level: cracking will take more time, but with a higher likelihood of success.

-k <korek>

There are 17 KoreK attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack selectively.

-x

Don't bruteforce the last 2 keybytes.

-y

This is an experimental single brute-force attack which should only be used when the standard attack mode fails with more than one million IVs.

WPA-PSK cracking options:

-w <words>

Path to a dictionary file for wpa cracking.

This manual page was written by Adam Cecile <gandalf@le-vert.net> for the Debian system (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 any later version published by the Free Software Foundation On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.

airodump(1)

aireplay(1)

airdecap(1)

arpforge(1)

airmon(1)

Aircrack Website: http://www.cr0.net:8040/code/network/aircrack/