aircrack-ng [options] <capture file(s)>
Force attack mode (1 = static WEP, 2 = WPA/WPA2-PSK)
Long version - -bssid. Select the target network based on the access point's MAC address.
If set, all IVs from networks with the same ESSID will be used. This option is also required for WPA/WPA2-PSK cracking if the ESSID is not broadcasted (hidden).
On SMP systems: # of CPU to use. This option is invalid on non-SMP systems
Enable quiet mode (no status output until the key is found, or not)
(WEP cracking) Restrict the search space to alpha-numeric characters only (0x20 - 0x7F)
(WEP cracking) Restrict the search space to binary coded decimal hex characters
(WEP cracking) Restrict the search space to numeric characters (0x30-0x39) These keys are used by default in most Fritz!BOXes
(WEP cracking) Long version –debug. Set the beginning of the WEP key (in hex), for debugging purposes.
(WEP cracking) MAC address to filter WEP data packets. Alternatively, specify -m ff:ff:ff:ff:ff:ff to use all and every IVs, regardless of the network.
(WEP cracking) Sets the maximum number of ivs to use.
(WEP cracking) Specify the length of the key: 64 for 40-bit WEP, 128 for 104-bit WEP, etc. The default value is 128.
(WEP cracking) Only keep the IVs that have this key index (1 to 4). The default behaviour is to ignore the key index.
(WEP cracking) By default, this parameter is set to 2 for 104-bit WEP and to 5 for 40-bit WEP. Specify a higher value to increase the bruteforce level: cracking will take more time, but with a higher likelyhood of success.
Long version - -help. Output help information.
(Lowercase L, ell) logs the key to the file specified.
Invokes the Korek WEP cracking method. (Default in v0.x)
(WEP cracking) There are 17 korek statistical attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, … -k 17 to disable each attack selectively.
Allow the number of threads for cracking even if you have a non-SMP computer.
Utilizes a database generated by airolib-ng as input to determine the WPA key. Outputs an error message if aircrack-ng has not been compiled with sqlite support.
(WEP cracking) Disable last keybytes brutforce.
(WEP cracking) Enable last keybyte bruteforcing (default).
(WEP cracking) Enable last two keybytes bruteforcing.
(WEP cracking) Disable bruteforce multithreading (SMP only).
(WEP cracking) Experimental single bruteforce attack which should only be used when the standard attack mode fails with more than one million IVs
Long form - -cpu-detect. Provide information on the number of CPUs and MMX support. Example responses to “aircrack-ng - -cpu-detect” are “Nb CPU detected: 2” or “Nb CPU detected: 1 (MMX available)”.
(WPA cracking) Path to a wordlist or “-” without the quotes for standard in (stdin).
Invokes the PTW WEP cracking method. (Default in v1.x)
Long version - -ptw-debug. Invokes the PTW debug mode.
Long version - -combine. Merge the given APs to a virtual one.
Long version - -wep-decloak. Run in WEP decloak mode.
Long version - -visual-inspection. Run in visual inspection mode.
Long version - -oneshot. Run in oneshot mode.
WPA cracking speed test.
Show the key in ASCII while cracking
(WPA cracking) Create EWSA Project file v3
(WPA cracking) Create Hashcat Capture file