User Tools

Site Tools


aircrack-ng

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
aircrack-ng [2010/10/05 02:51]
netrolller3d Update the page a little.
aircrack-ng [2018/08/31 20:33] (current)
mister_x [Sample files to try] Updated sample files
Line 87: Line 87:
 You can specify multiple input files (either in .cap or .ivs format) or use file name wildcarding. ​ See [[aircrack-ng#​other_tips|Other Tips]] for examples. ​ Also, you can run both [[airodump-ng]] and aircrack-ng at the same time: aircrack-ng will auto-update when new IVs are available. You can specify multiple input files (either in .cap or .ivs format) or use file name wildcarding. ​ See [[aircrack-ng#​other_tips|Other Tips]] for examples. ​ Also, you can run both [[airodump-ng]] and aircrack-ng at the same time: aircrack-ng will auto-update when new IVs are available.
  
-Here's a summary of all available ​options:+=== Options === 
 +== Common ​options ​==
  
 ^Option^Param.^Description^ ^Option^Param.^Description^
-|-a|amode|Force attack mode (1 = static WEP, 2 = WPA/​WPA2-PSK).| +|-a|amode|Force attack mode (1 = static WEP, 2 = WPA/​WPA2-PSK)| 
-|-b|bssid|Long version --bssid. Select the target network based on the access point'​s MAC address.+|-e|essid|If set, all IVs from networks with the same ESSID will be used. This option is also required for WPA/​WPA2-PSK cracking if the ESSID is not broadcasted (hidden)
-|-e|essid|If set, all IVs from networks with the same ESSID will be used. This option is also required for WPA/​WPA2-PSK cracking if the ESSID is not broadcasted (hidden).| +|-b|bssid|Long version -''''​-bssidSelect the target network based on the access point'​s MAC address
-|-p|nbcpu|On SMP systems: # of CPU to use.  This option is invalid on non-SMP systems.+|-p|nbcpu|On SMP systems: # of CPU to use.  This option is invalid on non-SMP systems| 
-|-q|//​none//​|Enable quiet mode (no status output until the key is found, or not).| +|-q|//​none//​|Enable quiet mode (no status output until the key is found, or not)
-|-c|//​none//​|(WEP cracking) ​Restrict the search space to alpha-numeric characters only (0x20 - 0x7F).+|-C|MACs|Long version -''''​-combine Merge the given APs (separated by a comma) into virtual one| 
-|-t|//​none//​|(WEP cracking) ​Restrict the search space to binary coded decimal hex characters.+|-l|file name|(Lowercase L, ell) logs the key to the file specified. Overwrites the file if it already exists| 
-|-h|//​none//​|(WEP cracking) ​Restrict the search space to numeric characters (0x30-0x39) These keys are used by default in most Fritz!BOXes.+ 
-|-d|start|(WEP cracking) ​Long version --debug. ​ Set the beginning of the WEP key (in hex), for debugging purposes.+== Static WEP cracking options == 
-|-m|maddr|(WEP cracking) ​MAC address to filter WEP data packets. Alternatively,​ specify -m ff:​ff:​ff:​ff:​ff:​ff to use all and every IVs, regardless of the network.| + 
-|-M|number|(WEP cracking) Sets the maximum number of ivs to use.+^Option^Param.^Description^ 
-|-n|nbits|(WEP cracking) ​Specify the length of the key: 64 for 40-bit WEP, 128 for 104-bit WEP, etc. The default value is 128.+|-c|//​none//​|Restrict the search space to alpha-numeric characters only (0x20 - 0x7F)| 
-|-i|index|(WEP cracking) ​Only keep the IVs that have this key index (1 to 4). The default behaviour is to ignore the key index.+|-t|//​none//​|Restrict the search space to binary coded decimal hex characters| 
-|-f|fudge|(WEP cracking) ​By default, this parameter is set to 2 for 104-bit WEP and to 5 for 40-bit WEP. Specify a higher value to increase the bruteforce level: cracking will take more time, but with a higher likelyhood of success.| +|-h|//​none//​|Restrict the search space to numeric characters (0x30-0x39) These keys are used by default in most Fritz!BOXes| 
-|-H|//​none//​|Long version --help. ​ Output help information.| +|-d|start|Long version -''''​-debug. ​ Set the beginning of the WEP key (in hex), for debugging purposes| 
-|-l|file name|(Lowercase L, ell) logs the key to the file specified.| +|-m|maddr|MAC address to filter WEP data packets. Alternatively,​ specify -m ff:​ff:​ff:​ff:​ff:​ff to use all and every IVs, regardless of the network| 
-|-K|//​none//​|Invokes the Korek WEP cracking method.+|-n|nbits|Specify the length of the key: 64 for 40-bit WEP, 128 for 104-bit WEP, etc. The default value is 128| 
-|-k|korek|(WEP cracking) ​There are 17 korek statistical attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack selectively.| +|-i|index|Only keep the IVs that have this key index (1 to 4). The default behaviour is to ignore the key index| 
-|-p|threads|Allow the number of threads for cracking even if you have a non-SMP computer.| +|-f|fudge|By default, this parameter is set to 2 for 104-bit WEP and to 5 for 40-bit WEP. Specify a higher value to increase the bruteforce level: cracking will take more time, but with a higher likelyhood of success| 
-|-r|database|Utilizes a database generated by airolib-ng as input to determine the WPA key.  Outputs an error message if aircrack-ng has not been compiled with sqlite support.+|-k|korek|There are 17 korek statistical attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack selectively| 
-|-x/​-x0|//​none//​|(WEP cracking) ​Disable last keybytes brutforce.+|-x/​-x0|//​none//​|Disable last keybytes brutforce| 
-|-x1|//​none//​|(WEP cracking) ​Enable last keybyte bruteforcing (default).+|-x1|//​none//​|Enable last keybyte bruteforcing (default)| 
-|-x2|//​none//​|(WEP cracking) ​Enable last two keybytes bruteforcing.+|-x2|//​none//​|Enable last two keybytes bruteforcing| 
-|-X|//​none//​|(WEP cracking) ​Disable bruteforce multithreading (SMP only).+|-X|//​none//​|Disable bruteforce multithreading (SMP only)
-|-y|//​none//​|(WEP cracking) ​Experimental single bruteforce attack which should only be used when the standard attack mode fails with more than one million IVs| +|-s|//​none//​|Show the key in ASCII while cracking
-|-u|//​none//​|Long ​form --cpu-detect.  ​Provide information on the number of CPUs and MMX support ​Example responses to "​aircrack-ng --cpu-detect"​ are "Nb CPU detected: 2" or "Nb CPU detected: ​1  (MMX available)".+|-y|//​none//​|Experimental single bruteforce attack which should only be used when the standard attack mode fails with more than one million IVs| 
-|-w|words|(WPA crackingPath to a wordlist ​or "​-"​ without the quotes for standard in (stdin).| +|-z|//none//|Invokes the PTW WEP cracking method (Default in v1.x)| 
-|-z|//none//|Invokes ​the PTW WEP cracking ​method.| +|-P|number|Long version ​-''''​-ptw-debug.  ​Invokes ​the PTW debug mode: 1 Disable klein, 2 PTW.
-|-P|//none//|Long version ​--ptw-debug. ​ Invokes ​the PTW debug mode.| +|-K|//​none//​|Invokes the Korek WEP cracking method. (Default in v0.x)| 
-|-C|MACs|Long version ​--combine. ​ Merge the given APs to a virtual ​one.+|-D|//​none//​|Long version ​-''''​-wep-decloak. ​ Run in WEP decloak mode| 
-|-D|//none//|Long version --wep-decloak Run in WEP decloak mode.| +|-1|//​none//​|Long version -''''​-oneshot. ​ Run only 1 try to crack key with PTW| 
-|-V|//​none//​|Long version --visual-inspection.  ​Run in visual inspection mode.+|-M|number|(WEP crackingSpecify the maximum number of IVs to use
-|-1|//​none//​|Long ​version ​--oneshot.  ​Run in oneshot mode.|+|-V|//none//|Long version -''''​-visual-inspection. ​ Run in visual inspection mode (only with KoreK)| 
 + 
 +== WEP and WPA-PSK cracking ​options == 
 + 
 +^Option^Param.^Description^ 
 +|-w|words|Path to a wordlists ​or "​-"​ without the quotes for standard in (stdin). ​Separate multiple wordlists by comma
 +|-N|file|Create a new cracking session and save it to the specified file| 
 +|-R|file|Restore ​cracking ​session from the specified file| 
 + 
 +== WPA-PSK options == 
 + 
 +^Option^Param.^Description^ 
 +|-E|file>​|Create EWSA Project file v3
 +|-j|file|Create Hashcat v3.6+ Capture file (HCCAPX)| 
 +|-J|file|Create Hashcat Capture file| 
 +|-S|//none//|WPA cracking speed test| 
 +|-Z|sec|WPA cracking speed test execution length in seconds| 
 +|-r|database|Utilizes a database generated by [[airolib-ng]] as input to determine ​the WPA keyOutputs an error message if aircrack-ng has not been compiled with sqlite support| 
 + 
 +== SIMD Selection == 
 + 
 +^Option^Param.^Description^ 
 +|-''''​-simd|optimization|Use user-specified SIMD optimization instead of the fastest ​one| 
 +|-''''​-simd-list|//none//|Shows a list of the SIMD optimizations available| 
 + 
 +== Other options == 
 + 
 +^Option^Param.^Description^ 
 +|-H|//​none//​|Long version -''''​-help.  ​Output help information
 +|-u|//​none//​|Long ​form -''''​-cpu-detect.  ​Provide information on the number of CPUs and features available such as MMX, SSE2, AVX, AVX2, AVX512|
  
 ===== Usage Examples ===== ===== Usage Examples =====
Line 299: Line 329:
 Now you have the passphrase and can connect to the network. Now you have the passphrase and can connect to the network.
  
 +
 +=== SIMD ===
 +
 +Aircrack-ng is compiled with multiple optimizations based on CPU features we call crypto engines. CPU features are different based on the type of CPU.
 +
 +On x86 (and 64 bit), typically SSE2, AVX and AVX2 are available (AVX512 can be compiled in but it should only be done if the current CPU supports it). On ARM, neon and ASIMD are usually available and on PowerPC, ASIMD and altivec. A generic optimization is always available no matter what architecture it is compiled on or for. A limited set of optimizations may be available depending on the OS/​CPU/​compilers available.
 +
 +When running aircrack-ng,​ it will load the fastest optimization based on what your CPU supports. For package maintainers,​ it is very useful as they don't have to target the one supporting all the CPU which would be the slowest.
 +
 +In order to override, the option -''''​-simd can be used. Such as
 +
 +  aircrack-ng --simd=avx wpa.cap -w password.lst
 +
 +In order to list all the available SIMD optimization,​ use -''''​-simd-list. Such as
 +
 +  aircrack-ng --simd-list
 +
 +will display "avx2 avx sse2 generic"​ on x86.
 +
 +==== Cracking session ====
 +
 +Cracking can sometimes take a very long time and it is sometimes necessary to turn off the computer or put it to sleep for a while. In order to handle this kind of situation, a new set of option has been created.
 +
 +It will create and/or update a session file saving the current status of the cracking (every 10 minutes) as well as all the options used, wordlists and capture files used. Multiple wordlists can be used and it works with WEP and WPA.
 +
 +  aircrack-ng --new-session current.session -w password.lst,​english.txt wpa-01.cap ​
 +
 +In order to restore the session, use -''''​-restore-session:​
 +
 +  aircrack-ng --restore-session current.session
 +
 +It will keep updating //​current.session//​ every 10 minutes.
 +
 +Limitations:​
 +  * The wordlist must be files. For now, they cannot be //stdin// or [[airolib-ng]] databases
 +  * Session has to be restored from the same directory as when first using -''''​-new-session
 +  * No new options can be added when restoring session
 ===== Usage Tips ===== ===== Usage Tips =====
 ==== General approach to cracking WEP keys ==== ==== General approach to cracking WEP keys ====
Line 379: Line 446:
 There are a number of sample files that you can try with aircrack-ng to gain experience: There are a number of sample files that you can try with aircrack-ng to gain experience:
  
-  * wpa.cap: ​ This is a sample file with a wpa handshake. ​ It is located in the "​test"​ directory of the install files. ​ The passphrase is "​biscotte"​. ​ Use the password file (password.lst) which is in the same directory. +  * [[https://​github.com/​aircrack-ng/​aircrack-ng/​raw/​master/​test/​wpa.cap|wpa.cap]]:  This is a sample file with a wpa handshake. ​ It is located in the "​test"​ directory of the install files. ​ The passphrase is "​biscotte"​. ​ Use the password file (password.lst) which is in the same directory. 
-  * wpa2.eapol.cap:​ This is a sample file with a wpa2 handshake. ​ It is located in the "​test"​ directory of the install files. ​ The passphrase is "​12345678"​. ​ Use the password file (password.lst) which is in the same directory.+  * [[https://​github.com/​aircrack-ng/​aircrack-ng/​raw/​master/​test/​wpa2.eapol.cap|wpa2.eapol.cap]]: This is a sample file with a wpa2 handshake. ​ It is located in the "​test"​ directory of the install files. ​ The passphrase is "​12345678"​. ​ Use the password file (password.lst) which is in the same directory.
   * [[http://​download.aircrack-ng.org/​wiki-files/​other/​test.ivs|test.ivs]]:​ This is a 128 bit WEP key file.  The key is "​AE:​5B:​7F:​3A:​03:​D0:​AF:​9B:​F6:​8D:​A5:​E2:​C7"​.   * [[http://​download.aircrack-ng.org/​wiki-files/​other/​test.ivs|test.ivs]]:​ This is a 128 bit WEP key file.  The key is "​AE:​5B:​7F:​3A:​03:​D0:​AF:​9B:​F6:​8D:​A5:​E2:​C7"​.
-  * [[http://dl.aircrack-ng.org/ptw.cap|ptw.cap]]:​ This is a 64 bit WEP key file suitable for the PTW method. ​ The key is "​1F:​1F:​1F:​1F:​1F"​.+  * [[https://github.com/aircrack-ng/​aircrack-ng/​raw/​master/​test/​wep_64_ptw.cap|ptw.cap]]:​ This is a 64 bit WEP key file suitable for the PTW method. ​ The key is "​1F:​1F:​1F:​1F:​1F". 
 +  * [[https://​github.com/​aircrack-ng/​aircrack-ng/​raw/​master/​test/​wpa-psk-linksys.cap|wpa-psk-linksys.cap]]:​ This is a sample file with a WPA1 handshake along with some encrypted packets. Useful for testing with airdecap-ng. The password is "​dictionary"​. 
 +  * [[https://​github.com/​aircrack-ng/​aircrack-ng/​raw/​master/​test/​wpa2-psk-linksys.cap|wpa2-psk-linksys.cap]]:​ This is a sample file with a WPA2 handshake along with some encrypted packets. Useful for testing with airdecap-ng. The password is "​dictionary".
  
 ==== Dictionary Format ==== ==== Dictionary Format ====
Line 396: Line 465:
 Although it is not part of aircrack-ng,​ it is worth mentioning an interesting piece of work is by SuD.  It is basically a wep hex dictionary already prepared and the program to run it: Although it is not part of aircrack-ng,​ it is worth mentioning an interesting piece of work is by SuD.  It is basically a wep hex dictionary already prepared and the program to run it:
  
-   ​http://​tv.latinsud.com/​wepdict/​+   ​http://​www.latinsud.com/pub/wepdict/
  
  
Line 505: Line 574:
 If you are sure your capture file contains a valid handshake then use Wireshark or an equivalent piece of software and manually pull out the beacon packet plus a set of handshake packets. If you are sure your capture file contains a valid handshake then use Wireshark or an equivalent piece of software and manually pull out the beacon packet plus a set of handshake packets.
  
-There is an open [[http://trac.aircrack-ng.org/ticket/651|trac ticket]] to correct this incorrect behavior.+There is an open [[https://github.com/​aircrack-ng/​aircrack-ng/​issues/651|GitHub issue]] to correct this incorrect behavior.
  
aircrack-ng.1286239889.txt.gz · Last modified: 2010/10/05 02:51 by netrolller3d