Aircrack-ng Suite Cheat Sheet by itnetsec

Usage: airba­se-ng <op­tio­ns> <replay interf­ace­>

capture packets from this interface

[don't] set WEP flag in beacons 0|1 (default: auto)

disallow specified client MACs (default: allow)

verbose (print more messages) (long --verbose)

Ad-Hoc Mode (allows other clients to peer) (long --ad-hoc)

sets the channel the AP is running on

force shared key authen­tic­ation

Caffe-­Latte attack (long --caff­e-l­atte)

number of packets per second (default: 100)

set all WPA,WE­P,open tags. can't be used with -z & -Z

same as -z, but for WPA2

write all sent and received frames into pcap file

sets the beacon interval value in ms

BSSID to filter/use (short -b)

read a list of MACs out of that file (short -D)

read a list of ESSIDs out of that file (short -E)

Usage: airde­clo­ak-ng [options]

–bssid

BSSID of the network to filter.

–filters

Apply theses filters in this specific order. They have to be separated by a ','.

–disab­le-­bas­e_f­ilter

Disable the base filter.

Usage: airdr­op-ng [options] <pcap file>

Airodump txt file in CSV format NOT the pcap

Rule File for matched deauths

Injection driver. Default is mac80211

Turn on Rule Debugging

Time to sleep between loops

Usage: airde­cap-ng [options] <pcap file>

access point MAC address filter

target network ascii identifier

target network WEP key in hexade­cimal

Usage: aircr­ack-ng [options] <ca­pture file(s­)>

Long version - -bssid. Select the target network based on the access point's MAC address.

On SMP systems: # of CPU to use. This option is invalid on non-SMP systems

(WEP cracking) Restrict the search space to alpha-­numeric characters only (0x20 - 0x7F)

(WEP cracking) Restrict the search space to numeric characters (0x30-­0x39) These keys are used by default in most Fritz!­BOXes

(WEP cracking) MAC address to filter WEP data packets. Altern­ati­vely, specify -m ff:ff:­ff:­ff:­ff:ff to use all and every IVs, regardless of the network.

(WEP cracking) Specify the length of the key: 64 for 40-bit WEP, 128 for 104-bit WEP, etc. The default value is 128.

(WEP cracking) By default, this parameter is set to 2 for 104-bit WEP and to 5 for 40-bit WEP. Specify a higher value to increase the bruteforce level: cracking will take more time, but with a higher likelyhood of success.

(Lowercase L, ell) logs the key to the file specified.

(WEP cracking) There are 17 korek statis­tical attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, … -k 17 to disable each attack select­ively.

Utilizes a database generated by airolib-ng as input to determine the WPA key. Outputs an error message if aircra­ck-ng has not been compiled with sqlite support.

(WEP cracking) Enable last keybyte brutef­orcing (default).

(WEP cracking) Disable bruteforce multit­hre­ading (SMP only).

Long form - -cpu-d­etect. Provide inform­ation on the number of CPUs and MMX support. Example responses to “aircr­ack-ng - -cpu-d­etect” are “Nb CPU detected: 2” or “Nb CPU detected: 1 (MMX availa­ble)”.

Invokes the PTW WEP cracking method. (Default in v1.x)

Long version - -combine. Merge the given APs to a virtual one.

Long version - -visua­l-i­nsp­ection. Run in visual inspection mode.

WPA cracking speed test.

(WPA cracking) Create EWSA Project file v3

MAC address, Access Point

MAC address, Source

maximum packet length

frame control, subtype field

frame control, From DS bit

set frame control word (hex)

set Destin­ation MAC address

For fakeauth attack or injection test, it sets target AP SSID. This is optional when the SSID is not hidden.

change ring buffer size (default: 8)

set source IP in fragments

seconds between keep-a­lives (-1)

bit rate test (Applies only to test mode)

chooses first matching packet. For test mode, it just checks basic injection and skips all other tests.

extract packets from this pcap file

deauth­ent­icate 1 or all stations (-0)

intera­ctive frame selection (-2)

decryp­t/c­hopchop WEP packet (-4)

injection test (-9)