Aircrack-ng is a Wi-Fi security auditing tool, specifically for 802.11 WEP and WPA/WPA2-PSK. Security professionals use Aircrack-ng to test the reliability of wireless networks. This program is covered in the Wireless Attacks (PEN-210) (WiFu) course from Offensive Security and in many other information security courses.
This is a program for professionals in the field of IT security; its use requires the consent of the owner of the wireless network.
Using this program without the knowledge of the Wi-Fi owner is a legal violation.
Aircrack-ng can recover the WEP key once enough encrypted packets have been captured with airodump-ng. This part of the aircrack-ng suite determines the WEP key using two fundamental methods.

The first method is the PTW approach (Pyshkin, Tews, Weinmann), which is the default cracking method. It works in two phases. In the first phase, aircrack-ng uses only ARP packets. If the key is not found, it then uses all the packets in the capture. Not all packets can be used for the PTW method; the tutorial "Packets Supported for the PTW Attack" provides details. An important limitation is that the PTW attack currently can only crack 40- and 104-bit WEP keys. The main advantage of the PTW approach is that very few data packets are required to crack the WEP key.

The second method is the FMS/KoreK method. It incorporates various statistical attacks to discover the WEP key and uses these in combination with brute forcing.
Additionally, the program offers a dictionary method for determining the WEP key.
For cracking WPA/WPA2 pre-shared keys, only a dictionary method is used. SSE2 support is included to dramatically speed up WPA/WPA2 key processing. A "four-way handshake" is required as input. For WPA handshakes, a full handshake is composed of four packets. However, aircrack-ng is able to work successfully with just 2 packets: EAPOL packets 2 and 3, or packets 3 and 4, are considered a full handshake.
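The rule above (messages 2 and 3, or 3 and 4) can be checked on a capture by reading the Key Information field of each EAPOL-Key frame. This is an added example, not aircrack-ng's own code: the function names and sample frames are constructed for illustration, and each frame is assumed to start at its 802.1X header.

```python
import struct

# Key Information bits of an EAPOL-Key frame (IEEE 802.11i)
PAIRWISE, INSTALL, KEY_ACK, KEY_MIC = 0x0008, 0x0040, 0x0080, 0x0100
KEY_INFO_OFF = 5       # 4-byte 802.1X header + 1-byte descriptor type
KEY_DATA_LEN_OFF = 97  # after replay counter, nonce, IV, RSC, key ID, MIC
MIN_LEN = 99


def classify_eapol_key(frame: bytes) -> int:
    """Return the 4-way handshake message number (1-4), or 0 if not one."""
    if len(frame) < MIN_LEN or frame[1] != 3:  # 802.1X packet type 3 = EAPOL-Key
        return 0
    (key_info,) = struct.unpack_from(">H", frame, KEY_INFO_OFF)
    (key_data_len,) = struct.unpack_from(">H", frame, KEY_DATA_LEN_OFF)
    if not key_info & PAIRWISE:
        return 0  # group-key handshake, not the pairwise 4-way exchange
    ack, mic = bool(key_info & KEY_ACK), bool(key_info & KEY_MIC)
    if ack and not mic:
        return 1  # AP -> client: ANonce, no MIC yet
    if ack and mic:
        return 3 if key_info & INSTALL else 0
    if mic:
        # Client -> AP: message 2 carries key data (RSN IE), message 4 has none
        return 2 if key_data_len else 4
    return 0


def has_usable_handshake(frames) -> bool:
    """True if the frames contain messages 2+3 or 3+4, as the page describes."""
    seen = {classify_eapol_key(f) for f in frames}
    return {2, 3} <= seen or {3, 4} <= seen


def sample_frame(key_info: int, key_data: bytes = b"") -> bytes:
    """Constructed EAPOL-Key frame: real field layout, zeroed nonce/MIC fields."""
    body = struct.pack(">BHH", 2, key_info, 16) + bytes(88)
    body += struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 2, 3, len(body)) + body


# Constructed WPA2 samples (Key Information values typical for CCMP)
M1, M2 = sample_frame(0x008A), sample_frame(0x010A, b"\x30\x14" + bytes(20))
M3, M4 = sample_frame(0x13CA, bytes(56)), sample_frame(0x030A)

if __name__ == "__main__":
    for name, cap in [("1+2", [M1, M2]), ("2+3", [M2, M3]), ("3+4", [M3, M4])]:
        print(name, "usable:", has_usable_handshake(cap))
```

The check looks only at message types; it does not confirm that the frames belong to the same exchange between one client and one access point.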
Author: Thomas d’Otreppe
usage: aircrack-ng [options] <input file(s)>

Common options:

    -a <amode> : force attack mode (1/WEP, 2/WPA-PSK)
    -e <essid> : target selection: network identifier
    -b <bssid> : target selection: access point's MAC
    -p <nbcpu> : # of CPU to use (default: all CPUs)
    -q         : enable quiet mode (no status output)
    -C <macs>  : merge the given APs to a virtual one
    -l <file>  : write key to file. Overwrites file.

Static WEP cracking options:

    -c         : search alpha-numeric characters only
    -t         : search binary coded decimal chr only
    -h         : search the numeric key for Fritz!BOX
    -d <mask>  : use masking of the key (A1:XX:CF:YY)
    -m <maddr> : MAC address to filter usable packets
    -n <nbits> : WEP key length : 64/128/152/256/512
    -i <index> : WEP key index (1 to 4), default: any
    -f <fudge> : bruteforce fudge factor, default: 2
    -k <korek> : disable one attack method (1 to 17)
    -x or -x0  : disable bruteforce for last keybytes
    -x1        : last keybyte bruteforcing (default)
    -x2        : enable last 2 keybytes bruteforcing
    -X         : disable bruteforce multithreading
    -y         : experimental single bruteforce mode
    -K         : use only old KoreK attacks (pre-PTW)
    -s         : show the key in ASCII while cracking
    -M <num>   : specify maximum number of IVs to use
    -D         : WEP decloak, skips broken keystreams
    -P <num>   : PTW debug: 1: disable Klein, 2: PTW
    -1         : run only 1 try to crack key with PTW
    -V         : run in visual inspection mode

WEP and WPA-PSK cracking options:

    -w <words> : path to wordlist(s) filename(s)
    -N <file>  : path to new session filename
    -R <file>  : path to existing session filename

WPA-PSK options:

    -E <file>  : create EWSA Project file v3
    -j <file>  : create Hashcat v3.6+ file (HCCAPX)
    -J <file>  : create Hashcat file (HCCAP)
    -S         : WPA cracking speed test
    -Z <sec>   : WPA cracking speed test length of execution.
    -r <DB>    : path to airolib-ng database (Cannot be used with -w)

SIMD selection:

    --simd-list     : Show a list of the available SIMD architectures, for this machine.
    --simd=<option> : Use specific SIMD architecture.

    <option> may be one of the following, depending on your platform:

        generic avx512 avx2 avx sse2 altivec power8 asimd neon

Other options:

    -u         : Displays # of CPUs & MMX/SSE support
    --help     : Displays this usage screen
Aircrack-ng Usage Example
Using the provided wordlist (-w /usr/share/wordlists/nmap.lst), attempt to crack passwords in the capture file (capture-01.cap):
    root@kali:~# aircrack-ng -w /usr/share/wordlists/nmap.lst capture-01.cap
    Opening capture-01.cap
    Read 2 packets.

       #  BSSID              ESSID                     Encryption

       1  38:60:77:23:B1:CB  6EA10E                    No data - WEP or WPA

    Choosing first network as target.

    Opening capture-01.cap
How to install Aircrack-ng
The program is pre-installed on Kali Linux.
Installation on Linux (Debian, Mint, Ubuntu)
sudo apt-get install aircrack-ng
- 1 = Keybyte
- 2 = Depth of current key search
- 3 = Byte the IVs leaked
- 4 = Votes indicating this is correct
- Hacking WPA/WPA2 passwords with Aircrack-ng: dictionary attack, cooperation with Hashcat, maskprocessor, statsprocessor, John the Ripper, Crunch, hacking in Windows
- Hacking Wi-Fi without users in Aircrack-ng
- Main documentation: Aircrack-ng
- Three ways to put wireless interface in Monitor mode and Managed mode
- USB Wi-Fi Adapters with monitor mode and wireless injection (100% compatible with Kali Linux) 2021