Aircrack-ng Package Description (Kali Linux)

Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the all-new PTW attack, thus making the attack much faster compared to other WEP cracking tools.

Aircrack-ng Homepage | Kali Aircrack-ng Repo

  • Author: Thomas d’Otreppe, Original work: Christophe Devine
  • License: GPLv2

Tools included in the aircrack-ng package

airbase-ng – Configure fake access points

root@kali:~# airbase-ng --help

Airbase-ng 1.2 beta3 – (C) 2008-2013 Thomas d’Otreppe
Original work: Martin Beck

usage: airbase-ng <options> <replay interface>


-a bssid: set Access Point MAC address
-i iface: capture packets from this interface
-w WEP key: use this WEP key to en-/decrypt packets
-h MAC: source mac for MITM mode
-f disallow: disallow specified client MACs (default: allow)
-W 0|1           : [don’t] set WEP flag in beacons 0|1 (default: auto)
-q: quiet (do not print statistics)
-v: verbose (print more messages)
-A: Ad-Hoc Mode (allows other clients to peer)
-Y in|out|both   : external packet processing
-c channel: sets the channel the AP is running on
-X: hidden ESSID
-s: force shared key authentication (default: auto)
-S: set shared key challenge length (default: 128)
-L: Caffe-Latte WEP attack (use if the driver can’t send frags)
-N: frag WEP attack (recommended)
-x nbpps: number of packets per second (default: 100)
-y: disables responses to broadcast probes
-0: set all WPA, WEP, and open tags. can’t be used with -z & -Z
-z type: sets WPA1 tags. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
-Z type: same as -z, but for WPA2
-V type: fake EAPOL 1=MD5 2=SHA1 3=auto
-F prefix: write all sent and received frames into pcap file
-P: respond to all probes, even when specifying ESSIDs
-I interval: sets the beacon interval value in ms
-C seconds: enables beaconing of probed ESSID values (requires -P)

Filter options:
--bssid MAC     : BSSID to filter/use
--bssids file   : read a list of BSSIDs out of that file
--client MAC    : MAC of the client to filter
--clients file  : read a list of MACs out of that file
--essid ESSID   : specify a single ESSID (default: default)
--essids file   : read a list of ESSIDs out of that file

--help          : Displays this usage screen

aircrack-ng – Wireless password cracker

root@kali:~# aircrack-ng --help

Aircrack-ng 1.2 beta3 – (C) 2006-2013 Thomas d’Otreppe

usage: aircrack-ng [options] <.cap / .ivs file(s)>

Common options:

-a <amode> : force attack mode (1/WEP, 2/WPA-PSK)
-e <essid> : target selection: network identifier
-b <bssid>: target selection: access point’s MAC
-p <nbcpu>: # of CPU to use  (default: all CPUs)
-q: enable quiet mode (no status output)
-C <macs>: merge the given APs to a virtual one
-l <file>  : write key to file

Static WEP cracking options:

-c: search alpha-numeric characters only
-t: search binary coded decimal chr only
-h: search the numeric key for Fritz!BOX
-d <mask>  : use masking of the key (A1:XX:CF:YY)
-m <maddr>: MAC address to filter usable packets
-n <nbits>: WEP key length:  64/128/152/256/512
-i <index>: WEP key index (1 to 4), default: any
-f <fudge>: bruteforce fudge factor,  default: 2
-k <korek>: disable one attack method  (1 to 17)
-x or -x0  : disable brute force for last keybytes
-x1: last key byte brute-forcing  (default)
-x2: enable the last  2 key bytes brute-forcing
-X: disable  brute force   multithreading
-y         : experimental  single bruteforce mode
-K: use only old KoreK attacks (pre-PTW)
-s: show the key in ASCII while cracking
-M <num>: specify the maximum number of IVs to use
-D: WEP decloak, skips broken keystreams
-P <num>: PTW debug:  1: disable Klein, 2: PTW
-1: run only 1 try to crack the key with PTW

WEP and WPA-PSK cracking options:

-w <words> : path to wordlist(s) filename(s)

WPA-PSK options:

-E <file>  : create EWSA Project file v3
-J <file>  : create Hashcat Capture file
-S: WPA cracking speed test

Other options:

-u         : Displays # of CPUs & MMX/SSE support
--help     : Displays this usage screen

airdecap-ng – Decrypt WEP/WPA/WPA2 capture files

root@kali:~# airdecap-ng --help

Airdecap-ng 1.2 beta3 – (C) 2006-2013 Thomas d’Otreppe

usage: airdecap-ng [options] <pcap file>

Common options:
-l: don’t remove the 802.11 header
-b <bssid> : access point MAC address filter
-e <essid> : target network SSID

WEP-specific option:
-w <key>: target network WEP key in hex

WPA-specific options:
-p <pass>  : target network WPA passphrase
-k <pmk>: WPA Pairwise Master Key in hex

--help     : Displays this usage screen

airdecloak-ng – Removes WEP cloaking from a pcap file

root@kali:~# airdecloak-ng --help

Airdecloak-ng 1.2 beta3 – (C) 2008-2013 Thomas d’Otreppe

usage: airdecloak-ng [options]


-i <file>             : Input capture file
--ssid <ESSID>        : ESSID of the network to filter
--bssid <BSSID>       : BSSID of the network to filter

--filters <filters>   : Apply filters (separated by a comma). Filters:
  signal:               Try to filter based on the signal.
  duplicate_sn:         Remove all duplicate sequence numbers
                        for both the AP and the client.
  duplicate_sn_ap:      Remove duplicate sequence number for
                        the AP only.
  duplicate_sn_client:  Remove duplicate sequence number for the
                        client only.
  consecutive_sn:       Filter based on the fact that IV should
                        be consecutive (only for AP).
  duplicate_iv:         Remove all duplicate IV.
  signal_dup_consec_sn: Use signal (if available), duplicate and
                        consecutive sequence number (filtering is
                        much more precise than using all these
                        filters one by one).
--null-packets        : Assume that null packets can be cloaked.
--disable-base_filter : Do not apply base filter.
--drop-frag           : Drop fragmented packets

--help                : Displays this usage screen

airdriver-ng – Provides status information about the wireless drivers on your system

root@kali:~# airdriver-ng --help
Found kernel: 3.3.12-kali1-686-pae.3.12-kali1-686-pae
usage: airdriver-ng <command> [drivernumber]
valid commands:
supported       – lists all supported drivers
kernel          – lists all in-kernel drivers
installed       – lists all installed drivers
loaded          – lists all loaded drivers
insert <drivernum>  – inserts a driver
load <drivernum>    – loads a driver
unload <drivernum>  – unloads a driver
reload <drivernum>  – reloads a driver
compile <drivernum> – compiles a driver
install <drivernum> – installs a driver
remove <drivernum>  – removes a driver
compile_stack <stacknum>    – compiles a stack
install_stack <stacknum>    – installs a stack
remove_stack <stacknum> – removes a stack
install_firmware <drivernum>    – installs the firmware
remove_firmware <drivernum> – removes the firmware
details <drivernum> – prints driver details
detect          – detects wireless cards

aireplay-ng – Primary function is to generate traffic for later use in aircrack-ng

root@kali:~# aireplay-ng --help

Aireplay-ng 1.2 beta3 – (C) 2006-2013 Thomas d’Otreppe

usage: aireplay-ng <options> <replay interface>

Filter options:

-b bssid: MAC address, Access Point
-d mac: MAC address, Destination
-s smac: MAC address, Source
-m len: minimum packet length
-n len: maximum packet length
-u type: frame control, the type    field
-v subt: frame control, subtype field
-t tods: frame control, To      DS bit
-f fromds : frame control, From    DS bit
-w iswep  : frame control, WEP     bit
-D: disable AP detection

Replay options:

-x nbpps  : number of packets per second
-p ctrl: set frame control word (hex)
-a bssid  : set Access Point MAC address
-c mac: set Destination  MAC address
-h smac: set Source       MAC address
-g value: change ring buffer size (default: 8)
-F: choose a first matching packet

Fakeauth attack options:

-e essid  : set target AP SSID
-o npckts: number of packets per burst (0=auto, default: 1)
-q sec: seconds between keep-alive
-Q: send reassociation requests
-y prga   : keystream for shared key auth
-T n: exit after retrying fake auth request n time

Arp Replay attack options:

-j: inject FromDS packets

Fragmentation attack options:

-k IP: set destination IP in fragments
-l IP: set source IP in fragments

Test attack options:

-B: activates the bitrate test

Source options:

-i iface  : capture packets from this interface
-r file: extract packets from this cap file

Miscellaneous options:

-R: disable /dev/rtc usage
--ignore-negative-one : if the interface’s channel can’t be determined,
                        ignore the mismatch, needed for unpatched cfg80211

Attack modes (numbers can still be used):

--deauth      count : deauthenticate 1 or all stations (-0)
--fakeauth    delay : fake authentication with AP (-1)
--interactive       : interactive frame selection (-2)
--arpreplay         : standard ARP-request replay (-3)
--chopchop          : decrypt/chopchop WEP packet (-4)
--fragment          : generates valid keystream   (-5)
--caffe-latte       : query a client for new IVs  (-6)
--cfrag             : fragments against a client  (-7)
--migmode           : attacks WPA migration mode  (-8)
--test              : tests injection and quality (-9)

--help              : Displays this usage screen

airmon-ng – This script can be used to enable monitor mode on wireless interfaces

root@kali:~# airmon-ng --help

usage: airmon-ng <start|stop|check> <interface> [channel or frequency]

airmon-zc – This script can be used to enable monitor mode on wireless interfaces

root@kali:~# airmon-zc --help

usage: airmon-zc <start|stop|check> <interface> [channel or frequency]

airodump-ng – Used for packet capturing of raw 802.11 frames

root@kali:~# airodump-ng --help

Airodump-ng 1.2 beta3 – (C) 2006-2013 Thomas d’Otreppe

usage: airodump-ng <options> <interface>[,<interface>,…]

--ivs                 : Save only captured IVs
--gpsd                : Use GPSd
--write      <prefix> : Dump file prefix
-w                    : same as --write
--beacons             : Record all beacons in the dump file
--update       <secs> : Display update delay in seconds
--showack             : Prints ack/cts/rts statistics
-h                    : Hides known stations for --showack
-f            <msecs> : Time in ms between hopping channels
--berlin       <secs> : Time before removing the AP/client
                        from the screen when no more packets
                        are received (Default: 120 seconds)
-r             <file> : Read packets from that file
-x            <msecs> : Active Scanning Simulation
--manufacturer        : Display manufacturer from IEEE OUI list
--uptime              : Display AP Uptime from Beacon Timestamp
--output-format
            <formats> : Output format. Possible values:
                        pcap, ivs, csv, gps, kismet, netxml
--ignore-negative-one : Removes the message that says
                        fixed channel <interface>: -1

Filter options:
--encrypt   <suite>   : Filter APs by cipher suite
--netmask <netmask>   : Filter APs by mask
--bssid     <bssid>   : Filter APs by BSSID
--essid     <essid>   : Filter APs by ESSID
-a: Filter unassociated clients

By default, airodump-ng hops on 2.4GHz channels.
You can make it capture on other/specific channel(s) by using:
--channel <channels>  : Capture on specific channels
--band <abg>          : Band on which airodump-ng should hop
-C    <frequencies>   : Uses these frequencies in MHz to hop
--cswitch  <method>   : Set channel switching method
                        0: FIFO (default)
                        1: Round Robin
                        2: Hop on last
-s                    : same as --cswitch

--help                : Displays this usage screen

airodump-ng-oui-update – Downloads and parses IEEE OUI list

airodump-ng-oui-update downloads and parses the IEEE OUI list.

airolib-ng – Designed to store and manage essid and password lists

root@kali:~# airolib-ng --help

Airolib-ng 1.2 beta3 – (C) 2007, 2008, 2009 ebfe

Usage: airolib-ng <database> <operation> [options]


--stats        : Output information about the database.
--sql <sql>    : Execute specified SQL statement.
--clean [all]  : Clean the database from old junk. ‘all’ will also
                 reduce filesize if possible and run an integrity check.
--batch        : Start batch-processing all combinations of ESSIDs
                 and passwords.
--verify [all] : Verify a set of randomly chosen PMKs.
                 If ‘all’ is given, all invalid PMK will be deleted.

--import [essid|passwd] <file>   :
                 Import a text file as a list of ESSIDs or passwords.
--import cowpatty <file>         :
                 Import a cowpatty file.

--export cowpatty <essid> <file> :
                 Export to a cowpatty file.

airserv-ng – A wireless card server

root@kali:~# airserv-ng --help
airserv-ng: invalid option -- '-'

Airserv-ng 1.2 beta3 – (C) 2007, 2008, 2009 Andrea Bittau

Usage: airserv-ng <options>


-h         : This help screen
-p  <port> : TCP port to listen on (default:666)
-d <iface> : Wifi interface to use
-c  <chan> : Channel to use
-v <level> : Debug level (1 to 3; default: 1)

airtun-ng – Virtual tunnel interface creator

root@kali:~# airtun-ng --help

Airtun-ng 1.2 beta3 – (C) 2006-2013 Thomas d’Otreppe
Original work: Martin Beck

usage: airtun-ng <options> <replay interface>

-x nbpps         : number of packets per second (default: 100)
-a bssid         : set Access Point MAC address
: In WDS Mode this sets the Receiver
-i iface: capture packets from this interface
-y file: read PRGA from this file
-w WEP key: use this WEP-KEY to encrypt packets
-t tods: send frames to AP (1) or to the client (0)
: or tunnel them into a WDS/Bridge (2)
-r file: read frames out of pcap file

WDS/Bridge Mode options:
-s transmitter: set Transmitter MAC address for WDS Mode
-b               : bidirectional mode. This enables communication
                 : in Transmitter’s AND Receiver’s networks.
                 : Works only if you can see both stations.

Repeater options:
--repeat         : activates repeat mode
--bssid <mac>    : BSSID to repeat
--netmask <mask> : netmask for BSSID filter

--help           : Displays this usage screen

besside-ng – Automatically crack WEP & WPA network

root@kali:~# besside-ng --help
besside-ng: invalid option -- '-'

Besside-ng 1.2 beta3 – (C) 2010 Andrea Bittau

Usage: besside-ng [options] <interface>


-b <victim mac> : Victim BSSID
-s <WPA server>: Upload wpa.cap for cracking
-c       <chan> : chanlock
-p       <pps>  : flood rate
-W: WPA only
-v: verbose, -vv for more, etc.
-h              : This help screen


root@kali:~# buddy-ng -h

Buddy-ng 1.2 beta3 – (C) 2007,2008 Andrea Bittau

Usage: buddy-ng <options>


-h: This help screen
-p: Don’t drop privileges

easside-ng – An auto-magic tool that allows you to communicate via a WEP-encrypted access point

root@kali:~# easside-ng -h

Easside-ng 1.2 beta3 – (C) 2007, 2008, 2009 Andrea Bittau

Usage: easside-ng <options>


-h                : This help screen
-v   <victim mac> : Victim BSSID
-m      <src mac> : Source MAC address
-i           <ip> : Source IP address
-r    <router ip> : Router IP address
-s     <buddy ip>: Buddy-ng IP address (mandatory)
-f        <iface>: Interface to use (mandatory)
-c      <channel> : Lock card to this channel
-n: Determine Internet IP only

ivstools – This tool handles .ivs files. You can either merge or convert them.

root@kali:~# ivstools

ivsTools 1.2 beta3 – (C) 2006-2013 Thomas d’Otreppe

usage: ivstools --convert <pcap file> <ivs output file>
        Extract ivs from a pcap file
       ivstools --merge <ivs file 1> <ivs file 2> .. <output file>
        Merge ivs files


root@kali:~# kstats
usage: kstats <ivs file> <104-bit key>

makeivs-ng – Generates initialization vectors

root@kali:~# makeivs-ng --help

makeivs-ng 1.2 beta3 – (C) 2006-2013 Thomas d’Otreppe

usage: makeivs-ng [options]

Common options:
-b <bssid> : Set access point MAC address
-f <num>   : Number of first IV
-k <key>: Target network WEP key in hex
-s <num>: Seed used to setup random generator
-w <file>  : Filename to write IVs into
-c <num>   : Number of IVs to generate
-d <num>   : Percentage of dupe IVs
-e <num>   : Percentage of erroneous keystreams
-l <num>   : Length of keystreams
-n: Ignores ignores weak IVs
-p: Uses prng algorithm to generate IVs

--help     : Displays this usage screen

packetforge-ng – Create encrypted packets that can subsequently be used for injection

root@kali:~# packetforge-ng --help

Packetforge-ng 1.2 beta3 – (C) 2006-2013 Thomas d’Otreppe
Original work: Martin Beck

Usage: packetforge-ng <mode> <options>

Forge options:

-p <fctrl>: set frame control word (hex)
-a <bssid>: set Access Point MAC address
-c <dmac>      : set Destination  MAC address
-h <smac>      : set Source       MAC address
-j: set FromDS bit
-o: clear ToDS bit
-e: disables WEP encryption
-k <ip[:port]> : set Destination IP [Port]
-l <ip[:port]> : set Source      IP [Port]
-t TTL: set Time To Live
-w <file>: write packet to this cap file
-s <size>: specify the size of the null packet
-n <packets>: set the number of packets to generate

Source options:

-r <file>: read packet from this raw file
-y <file>      : read PRGA from this file


--arp          : forge an ARP packet    (-0)
--udp          : forge a UDP packet     (-1)
--icmp         : forge an ICMP packet   (-2)
--null         : build a null packet    (-3)
--custom       : build a custom packet  (-9)

--help         : Displays this usage screen

tkiptun-ng – This tool is able to inject a few frames into a WPA TKIP network with QoS

root@kali:~# tkiptun-ng --help

Tkiptun-ng 1.2 beta3 – (C) 2008-2013 Thomas d’Otreppe

usage: tkiptun-ng <options> <replay interface>

Filter options:

-d mac   : MAC address, Destination
-s smac   : MAC address, Source
-m len: minimum packet length (default: 80)
-n len: maximum packet length (default: 80)
-t tods: frame control, To      DS bit
-f fromds : frame control, From    DS bit
-D: disable AP detection
-Z: select packets manually

Replay options:

-x nbpps  : number of packets per second
-a bssid  : set Access Point MAC address
-c mac   : set Destination  MAC address
-h smac   : set Source       MAC address
-e essid  : set target AP SSID
-M sec: MIC error timeout in seconds [60]

Debug options:

-K prga   : keystream for continuation
-y file: keystream-file for continuation
-j: inject FromDS packets
-P pmk    : pmk for verification/vuln testing
-p psk: psk to calculate pmk with essid

source options:

-i iface: capture packets from this interface
-r file: extract packets from this cap file

--help    : Displays this usage screen

wesside-ng – Auto-magic tool which incorporates a number of techniques to seamlessly obtain a WEP key

root@kali:~# wesside-ng -h

Wesside-ng 1.2 beta3 – (C) 2007, 2008, 2009 Andrea Bittau

Usage: wesside-ng <options>


-h              : This help screen
-i      <iface>: Interface to use (mandatory)
-m      <my ip> : My IP address
-n     <net ip> : Network IP address
-a      <mymac> : Source MAC Address
-c: Do not crack the key
-p   <min prga> : Minimum bytes of PRGA to gather
-v <victim mac> : Victim BSSID
-t  <threshold> : Cracking threshold
-f   <max chan>: Highest scanned chan (default: 11)
-k      <txnum> : Ignore acks and tx txnum times

wpaclean – Remove excess data from a Pcap file

root@kali:~# wpaclean
Usage: wpaclean <out.cap> <in.cap> [in2.cap] [...]

airdriver-ng Usage Example

root@kali:~# airdriver-ng detect

USB devices (generic detection):
Bus 002 Device 009: ID 0846:9001 NetGear, Inc. WN111(v2) RangeMax Next Wireless [Atheros AR9170+AR9101]
Bus 001 Device 012: ID 050d:0017 Belkin Components B8T017 Bluetooth+EDR 2.1
Bus 001 Device 005: ID 0e0f:0008 VMware, Inc.

airmon-ng Usage Example

Start (start) monitor mode on the wireless interface (wlan0) on the desired channel (6):

root@kali:~# airmon-ng start wlan0 6

Interface   Chipset     Driver

wlan0       2-2: Atheros    carl9170 – [phy4]
(monitor mode enabled on mon0)

airodump-ng Usage Example

Sniff on channel 6 (-c 6), filtering on a BSSID (--bssid 38:60:77:23:B1:CB), writing the capture to disk (-w capture), using the monitor mode interface (mon0):

root@kali:~# airodump-ng -c 6 --bssid 38:60:77:23:B1:CB -w capture mon0
CH  6 ][ Elapsed: 4 s ][ 2014-05-15 17:21

BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

38:60:77:23:B1:CB  -79   0        7        0    0   6  54e  WPA2 CCMP   PSK  6EA10E

BSSID              STATION            PWR   Rate    Lost    Frames  Probe

aircrack-ng Usage Example

Using the provided word list (-w /usr/share/wordlists/nmap.lst), attempt to crack passwords in the capture file (capture-01.cap):

root@kali:~# aircrack-ng -w /usr/share/wordlists/nmap.lst capture-01.cap
Opening capture-01.cap
Read 2 packets.

#  BSSID              ESSID                     Encryption

1  38:60:77:23:B1:CB  6EA10E                    No data – WEP or WPA

Choosing the first network as the target.

Opening capture-01.cap
