Cheatography

Aircrack-ng Suite Cheat Sheet by itnetsec

Airbase-ng

Usage: airbase-ng <options> <replay interface>

Syntax   Parameter      Description
-a       bssid          set Access Point MAC address
-i       iface          capture packets from this interface
-w       WEP key        use this WEP key to encrypt/decrypt packets
-W       0|1            [don't] set WEP flag in beacons 0|1 (default: auto)
-h       MAC            source MAC for MITM mode
-f       disallow       disallow specified client MACs (default: allow)
-q       none           quiet (do not print statistics)
-v       none           verbose (print more messages) (long --verbose)
-M       none           M-I-T-M between [specified] clients and bssids
-A       none           Ad-Hoc Mode (allows other clients to peer) (long --ad-hoc)
-Y       in|out|both    external packet processing
-c       channel        sets the channel the AP is running on
-X       none           hidden ESSID (long --hidden)
-s       none           force shared key authentication
-S       none           set shared key challenge length (default: 128)
-L       none           Caffe-Latte attack (long --caffe-latte)
-N       none           Hirte attack (cfrag attack), creates ARP request against WEP client (long --cfrag)
-x       nbpps          number of packets per second (default: 100)
-y       none           disables responses to broadcast probes
-0       none           set all WPA, WEP, open tags; can't be used with -z & -Z
-z       type           sets WPA1 tags. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
-Z       type           same as -z, but for WPA2
-V       type           fake EAPOL 1=MD5 2=SHA1 3=auto
-F       prefix         write all sent and received frames into pcap file
-P       none           respond to all probes, even when specifying ESSIDs
-I       interval       sets the beacon interval value in ms
-C       seconds        enables beaconing of probed ESSID values (requires -P)

Filter Options
Syntax      Parameter   Description
--bssids    <file>      read a list of BSSIDs out of that file (short -B)
--bssid     <MAC>       BSSID to filter/use (short -b)
--client    <MAC>       MAC of client to accept (short -d)
--clients   <file>      read a list of MACs out of that file (short -D)
--essid     <ESSID>     specify a single ESSID (short -e)
--essids    <file>      read a list of ESSIDs out of that file (short -E)

Airdecloak-ng

Usage: airdecloak-ng [options]

Syntax                 Parameter    Description
-i                     input file   Path to the capture file
--bssid                BSSID        BSSID of the network to filter.
--ssid                 ESSID        ESSID of the network to filter (not yet implemented).
--filters              filters      Apply these filters in this specific order. They have to be separated by a ','.
--null-packets         none         Assume that null packets can be cloaked (not yet implemented).
--disable-base_filter  none         Disable the base filter.
--drop-frag            none         Drop all fragmented packets. In most networks, fragmentation is not needed.

Airdrop-ng

Usage: airdrop-ng [options] <pcap file>

Syntax   Parameter   Description
-i       card        Wireless card in monitor mode to inject from
-t       csv file    Airodump txt file in CSV format, NOT the pcap
-p       psyco       Disable the use of Psyco JIT
-r       Rule File   Rule File for matched deauths
-u       update      Updates OUI list
-d       Driver      Injection driver. Default is mac80211
-s       sleep       Time to sleep between sending each packet
-b       debug       Turn on Rule Debugging
-l       key         Enable Logging to a file; if a file path is not provided, airdrop will log to the default location
-n       nap         Time to sleep between loops

Airdecap-ng

Usage: airdecap-ng [options] <pcap file>

Syntax   Parameter   Description
-l       none        don't remove the 802.11 header
-b       bssid       access point MAC address filter
-k       pmk         WPA/WPA2 Pairwise Master Key in hex
-e       essid       target network ASCII identifier
-p       pass        target network WPA/WPA2 passphrase
-w       key         target network WEP key in hexadecimal

Airgraph-ng

Usage: python airgraph-ng -i [airodumpfile.txt] -o [outputfile.png] -g [CAPR OR CPG]

Syntax   Description
-i       Input File
-o       Output File
-g       Graph Type [CAPR (Client to AP Relationship) OR CPG (Common probe graph)]
-a       Print the about
-h       Print this help
 

Aircrack-ng

Usage: aircrack-ng [options] <capture file(s)>

Syntax   Parameter   Description
-a       amode       Force attack mode (1 = static WEP, 2 = WPA/WPA2-PSK)
-b       bssid       Long version --bssid. Select the target network based on the access point's MAC address.
-e       essid       If set, all IVs from networks with the same ESSID will be used. This option is also required for WPA/WPA2-PSK cracking if the ESSID is not broadcasted (hidden).
-p       nbcpu       On SMP systems: number of CPUs to use. This option is invalid on non-SMP systems.
-q       none        Enable quiet mode (no status output until the key is found, or not)
-c       none        (WEP cracking) Restrict the search space to alphanumeric characters only (0x20 - 0x7F)
-t       none        (WEP cracking) Restrict the search space to binary coded decimal hex characters
-h       none        (WEP cracking) Restrict the search space to numeric characters (0x30-0x39). These keys are used by default in most Fritz!BOXes.
-d       start       (WEP cracking) Long version --debug. Set the beginning of the WEP key (in hex), for debugging purposes.
-m       maddr       (WEP cracking) MAC address to filter WEP data packets. Alternatively, specify -m ff:ff:ff:ff:ff:ff to use all and every IVs, regardless of the network.
-M       number      (WEP cracking) Sets the maximum number of IVs to use.
-n       nbits       (WEP cracking) Specify the length of the key: 64 for 40-bit WEP, 128 for 104-bit WEP, etc. The default value is 128.
-i       index       (WEP cracking) Only keep the IVs that have this key index (1 to 4). The default behaviour is to ignore the key index.
-f       fudge       (WEP cracking) By default, this parameter is set to 2 for 104-bit WEP and to 5 for 40-bit WEP. Specify a higher value to increase the bruteforce level: cracking will take more time, but with a higher likelihood of success.
-H       none        Long version --help. Output help information.
-l       file name   (Lowercase L, ell) Logs the key to the file specified.
-K       none        Invokes the Korek WEP cracking method. (Default in v0.x)
-k       korek       (WEP cracking) There are 17 Korek statistical attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, … -k 17 to disable each attack selectively.
-p       threads     Allow the number of threads for cracking even if you have a non-SMP computer.
-r       database    Utilizes a database generated by airolib-ng as input to determine the WPA key. Outputs an error message if aircrack-ng has not been compiled with sqlite support.
-x/-x0   none        (WEP cracking) Disable last keybytes bruteforce.
-x1      none        (WEP cracking) Enable last keybyte bruteforcing (default).
-x2      none        (WEP cracking) Enable last two keybytes bruteforcing.
-X       none        (WEP cracking) Disable bruteforce multithreading (SMP only).
-y       none        (WEP cracking) Experimental single bruteforce attack which should only be used when the standard attack mode fails with more than one million IVs.
-u       none        Long form --cpu-detect. Provide information on the number of CPUs and MMX support. Example responses to "aircrack-ng --cpu-detect" are "Nb CPU detected: 2" or "Nb CPU detected: 1 (MMX available)".
-w       words       (WPA cracking) Path to a wordlist, or "-" without the quotes for standard input (stdin).
-z       none        Invokes the PTW WEP cracking method. (Default in v1.x)
-P       none        Long version --ptw-debug. Invokes the PTW debug mode.
-C       MACs        Long version --combine. Merge the given APs to a virtual one.
-D       none        Long version --wep-decloak. Run in WEP decloak mode.
-V       none        Long version --visual-inspection. Run in visual inspection mode.
-1       none        Long version --oneshot. Run in oneshot mode.
-S       none        WPA cracking speed test.
-s       none        Show the key in ASCII while cracking
-E       file        (WPA cracking) Create EWSA Project file v3
-J       file        (WPA cracking) Create Hashcat Capture file

Aireplay-ng

Usage: aireplay-ng <options> <replay interface>

Filter Options
Syntax   Parameter   Description
-b       bssid       MAC address, Access Point
-d       dmac        MAC address, Destination
-s       smac        MAC address, Source
-m       len         minimum packet length
-n       len         maximum packet length
-u       type        frame control, type field
-v       subt        frame control, subtype field
-t       tods        frame control, To DS bit
-f       fromds      frame control, From DS bit
-w       iswep       frame control, WEP bit

Replay Options
Syntax           Parameter   Description
-x               nbpps       number of packets per second
-p               fctrl       set frame control word (hex)
-a               bssid       set Access Point MAC address
-c               dmac        set Destination MAC address
-h               smac        set Source MAC address
-e               essid       For fakeauth attack or injection test, it sets target AP SSID. This is optional when the SSID is not hidden.
-j               none        arpreplay attack, inject FromDS pkts
-g               value       change ring buffer size (default: 8)
-k               IP          set destination IP in fragments
-l               IP          set source IP in fragments
-o               npckts      number of packets per burst (-1)
-q               sec         seconds between keep-alives (-1)
-y               prga        keystream for shared key auth
-B or --bittest  none        bit rate test (applies only to test mode)
-D               none        disables AP detection. Some modes will not proceed if the AP beacon is not heard. This disables this functionality.
-F or --fast     none        chooses first matching packet. For test mode, it just checks basic injection and skips all other tests.
-R               none        disables /dev/rtc usage. Some systems experience lockups or other problems with RTC. This disables the usage.

Source options
Syntax   Parameter   Description
iface    none        capture packets from this interface
-r       file        extract packets from this pcap file

Attack modes
Syntax          Parameter   Description
--deauth        count       deauthenticate 1 or all stations (-0)
--fakeauth      delay       fake authentication with AP (-1)
--interactive   none        interactive frame selection (-2)
--arpreplay     none        standard ARP-request replay (-3)
--chopchop      none        decrypt/chopchop WEP packet (-4)
--fragment      none        generates valid keystream (-5)
--test          none        injection test (-9)
