aircrack-ng
Differences
This shows you the differences between two versions of the page.
aircrack-ng [2011/01/16 01:42] – [Usage] - WPA cracking speed test option mister_x | aircrack-ng [2018/07/11 21:54] – [Usage] Fixed double quotes options mister_x | ||
---|---|---|---|
Line 87: | Line 87: | ||
You can specify multiple input files (either in .cap or .ivs format) or use file name wildcarding. | You can specify multiple input files (either in .cap or .ivs format) or use file name wildcarding. | ||
- | Here's a summary of all available | + | === Options === |
+ | == Common | ||
^Option^Param.^Description^ | ^Option^Param.^Description^ | ||
- | |-a|amode|Force attack mode (1 = static WEP, 2 = WPA/ | + | |-a|amode|Force attack mode (1 = static WEP, 2 = WPA/ |
- | |-b|bssid|Long version --bssid. Select the target network based on the access point' | + | |-e|essid|If set, all IVs from networks with the same ESSID will be used. This option is also required for WPA/ |
- | |-e|essid|If set, all IVs from networks with the same ESSID will be used. This option is also required for WPA/ | + | |-b|bssid|Long version -'''' |
- | |-p|nbcpu|On SMP systems: # of CPU to use. This option is invalid on non-SMP systems.| | + | |-p|nbcpu|On SMP systems: # of CPU to use. This option is invalid on non-SMP systems| |
- | |-q|// | + | |-q|// |
- | |-c|// | + | |-C|MACs|Long version -'''' |
- | |-t|// | + | |-l|file name|(Lowercase L, ell) logs the key to the file specified. Overwrites the file if it already exists| |
- | |-h|// | + | |
- | |-d|start|(WEP cracking) | + | == Static WEP cracking options == |
- | |-m|maddr|(WEP cracking) | + | |
- | |-M|number|(WEP cracking) Sets the maximum number of ivs to use.| | + | ^Option^Param.^Description^ |
- | |-n|nbits|(WEP cracking) | + | |-c|// |
- | |-i|index|(WEP cracking) | + | |-t|// |
- | |-f|fudge|(WEP cracking) | + | |-h|// |
- | |-H|//none//|Long version | + | |-d|start|Long version -'''' |
- | |-l|file name|(Lowercase L, ell) logs the key to the file specified.| | + | |-m|maddr|MAC address to filter WEP data packets. Alternatively, |
+ | |-n|nbits|Specify the length of the key: 64 for 40-bit WEP, 128 for 104-bit WEP, etc. The default value is 128| | ||
+ | |-i|index|Only keep the IVs that have this key index (1 to 4). The default behaviour is to ignore the key index| | ||
+ | |-f|fudge|By default, this parameter is set to 2 for 104-bit WEP and to 5 for 40-bit WEP. Specify a higher value to increase the bruteforce level: cracking will take more time, but with a higher likelyhood of success| | ||
+ | |-k|korek|There are 17 korek statistical attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack selectively| | ||
+ | |-x/-x0|//none//|Disable last keybytes brutforce| | ||
+ | |-x1|// | ||
+ | |-x2|// | ||
+ | |-X|//none//|Disable bruteforce multithreading | ||
+ | |-s|// | ||
+ | |-y|// | ||
+ | |-z|// | ||
+ | |-P|number|Long version -'''' | ||
|-K|// | |-K|// | ||
- | |-k|korek|(WEP cracking) There are 17 korek statistical attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack selectively.| | + | |-D|//none//|Long version |
- | |-p|threads|Allow the number of threads for cracking even if you have a non-SMP computer.| | + | |-1|//none//|Long version |
- | |-r|database|Utilizes a database generated by airolib-ng as input to determine the WPA key. | + | |-M|number|(WEP cracking) |
- | |-x/ | + | |-V|// |
- | |-x1|//none//|(WEP cracking) Enable last keybyte bruteforcing (default).| | + | |
- | |-x2|// | + | == WEP and WPA-PSK cracking options == |
- | |-X|// | + | |
- | |-y|//none//|(WEP cracking) | + | ^Option^Param.^Description^ |
- | |-u|// | + | |-w|words|Path to a wordlists |
- | |-w|words|(WPA cracking) | + | |-N|file|Create a new cracking session and save it to the specified file| |
- | |-z|//none//|Invokes | + | |-R|file|Restore |
- | |-P|//none//|Long version | + | |
- | |-C|MACs|Long version | + | == WPA-PSK options == |
- | |-D|//none//|Long version --wep-decloak. | + | |
- | |-V|// | + | ^Option^Param.^Description^ |
- | |-1|// | + | |-E|file> |
- | |-S|// | + | |-j|file|Create Hashcat v3.6+ Capture file (HCCAPX)| |
+ | |-J|file|Create Hashcat Capture file| | ||
+ | |-S|//none//|WPA cracking speed test| | ||
+ | |-Z|sec|WPA cracking speed test execution length in seconds| | ||
+ | |-r|database|Utilizes a database generated by [[airolib-ng]] as input to determine | ||
+ | |||
+ | == SIMD Selection == | ||
+ | |||
+ | ^Option^Param.^Description^ | ||
+ | |-'''' | ||
+ | |-'''' | ||
+ | |||
+ | == Other options == | ||
+ | |||
+ | ^Option^Param.^Description^ | ||
+ | |-H|// | ||
+ | |-u|// | ||
===== Usage Examples ===== | ===== Usage Examples ===== | ||
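Review bot: In the new "Static WEP cracking options" table, the -M row still opens its description with "(WEP cracking)", a prefix the other rows moved into that table have dropped, and the -E row under "WPA-PSK options" has a stray ">" in its parameter column ("file>"). Drop the prefix and the ">" so the split tables stay consistent. The added rows also need spelling fixes: "likelyhood" in the -f row, "brutforce" in the -x/-x0 row, and "Path to a wordlists" in the -w row. The old table listed -p twice, once as invalid on non-SMP systems and once as usable on a non-SMP computer; the new table keeps only the "invalid on non-SMP systems" wording, so confirm that this is the behaviour the page should document.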
Line 300: | Line 329: | ||
Now you have the passphrase and can connect to the network. | Now you have the passphrase and can connect to the network. | ||
+ | |||
+ | === SIMD === | ||
+ | |||
+ | Aircrack-ng is compiled with multiple optimizations based on CPU features we call crypto engines. CPU features are different based on the type of CPU. | ||
+ | |||
+ | On x86 (and 64 bit), typically SSE2, AVX and AVX2 are available (AVX512 can be compiled in but it should only be done if the current CPU supports it). On ARM, neon and ASIMD are usually available and on PowerPC, ASIMD and altivec. A generic optimization is always available no matter what architecture it is compiled on or for. A limited set of optimizations may be available depending on the OS/ | ||
+ | |||
+ | When running aircrack-ng, | ||
+ | |||
+ | In order to override, the option -'''' | ||
+ | |||
+ | aircrack-ng --simd=avx wpa.cap -w password.lst | ||
+ | |||
+ | In order to list all the available SIMD optimization, | ||
+ | |||
+ | aircrack-ng --simd-list | ||
+ | |||
+ | will display "avx2 avx sse2 generic" | ||
+ | |||
+ | ==== Cracking session ==== | ||
+ | |||
+ | Cracking can sometimes take a very long time and it is sometimes necessary to turn off the computer or put it to sleep for a while. In order to handle this kind of situation, a new set of option has been created. | ||
+ | |||
+ | It will create and/or update a session file saving the current status of the cracking (every 10 minutes) as well as all the options used, wordlists and capture files used. Multiple wordlists can be used and it works with WEP and WPA. | ||
+ | |||
+ | aircrack-ng --new-session current.session -w password.lst, | ||
+ | |||
+ | In order to restore the session, use -'''' | ||
+ | |||
+ | aircrack-ng --restore-session current.session | ||
+ | |||
+ | It will keep updating // | ||
+ | |||
+ | Limitations: | ||
+ | * The wordlist must be files. For now, they cannot be //stdin// or [[airolib-ng]] databases | ||
+ | * Session has to be restored from the same directory as when first using -'''' | ||
+ | * No new options can be added when restoring session | ||
===== Usage Tips ===== | ===== Usage Tips ===== | ||
==== General approach to cracking WEP keys ==== | ==== General approach to cracking WEP keys ==== | ||
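Review bot: In the added SIMD paragraph that begins "On x86 (and 64 bit)", ASIMD is listed for both ARM and PowerPC ("on PowerPC, ASIMD and altivec"); ASIMD is the ARM Advanced SIMD extension, so check whether the PowerPC list is meant to name a different engine. Wording fixes in the same hunk: "all the available SIMD optimization" should be plural, "a new set of option has been created" should read "a new set of options", and the first limitation should read "The wordlists must be files". In "Cracking session", the text says the session file records the options, wordlists and capture files used and must be restored from the same directory; stating whether those paths are stored as relative or absolute would explain that limitation to the reader.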
Line 397: | Line 463: | ||
Although it is not part of aircrack-ng, | Although it is not part of aircrack-ng, | ||
- | | + | |
Line 506: | Line 572: | ||
If you are sure your capture file contains a valid handshake then use Wireshark or an equivalent piece of software and manually pull out the beacon packet plus a set of handshake packets. | If you are sure your capture file contains a valid handshake then use Wireshark or an equivalent piece of software and manually pull out the beacon packet plus a set of handshake packets. | ||
- | There is an open [[http://trac.aircrack-ng.org/ticket/651|trac ticket]] to correct this incorrect behavior. | + | There is an open [[https://github.com/ |
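Review bot: The replacement line at Line 572 still reads "There is an open" ticket while only the link target moves from trac.aircrack-ng.org to github.com; confirm the linked issue is still open, or reword the sentence so it does not go stale when the issue is closed. If "to correct this incorrect behavior" carries over from the old line, it could be tightened to "to fix this behavior".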
aircrack-ng.txt · Last modified: 2019/09/18 22:39 by mister_x