Aircrack-ng Suite Cheat Sheet by itnetsec

Airbase-ng

Usage:
airbase-ng <options> <replay interface>

| Syntax | Parameters | Description |
| --- | --- | --- |
| -a | bssid | set Access Point MAC address |
| -i | iface | capture packets from this interface |
| -w | WEP key | use this WEP key to encrypt/decrypt packets |
| -W | 0\|1 | [don't] set WEP flag in beacons 0\|1 (default: auto) |
| -h | MAC | source MAC for MITM mode |
| -f | disallow | disallow specified client MACs (default: allow) |
| -q | none | quiet (do not print statistics) |
| -v | none | verbose (print more messages) (long --verbose) |
| -M | none | M-I-T-M between [specified] clients and bssids |
| -A | none | Ad-Hoc Mode (allows other clients to peer) (long --ad-hoc) |
| -Y | in\|out\|both | external packet processing |
| -c | channel | sets the channel the AP is running on |
| -X | none | hidden ESSID (long --hidden) |
| -s | none | force shared key authentication |
| -S | none | set shared key challenge length (default: 128) |
| -L | none | Caffe-Latte attack (long --caffe-latte) |
| -N | none | Hirte attack (cfrag attack), creates ARP request against WEP client (long --cfrag) |
| -x | nbpps | number of packets per second (default: 100) |
| -y | none | disables responses to broadcast probes |
| -0 | none | set all WPA, WEP, open tags; can't be used with -z & -Z |
| -z | type | sets WPA1 tags. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104 |
| -Z | type | same as -z, but for WPA2 |
| -V | type | fake EAPOL 1=MD5 2=SHA1 3=auto |
| -F | prefix | write all sent and received frames into pcap file |
| -P | none | respond to all probes, even when specifying ESSIDs |
| -I | interval | sets the beacon interval value in ms |
| -C | seconds | enables beaconing of probed ESSID values (requires -P) |
 
Filter Options

| Syntax | Parameters | Description |
| --- | --- | --- |
| --bssids | <file> | read a list of BSSIDs out of that file (short -B) |
| --bssid | <MAC> | BSSID to filter/use (short -b) |
| --client | <MAC> | MAC of client to accept (short -d) |
| --clients | <file> | read a list of MACs out of that file (short -D) |
| --essid | <ESSID> | specify a single ESSID (short -e) |
| --essids | <file> | read a list of ESSIDs out of that file (short -E) |

Airdecloak-ng

Usage:
airdecloak-ng [options]

| Syntax | Parameter | Description |
| --- | --- | --- |
| -i | input file | Path to the capture file |
| --bssid | BSSID | BSSID of the network to filter. |
| --ssid | ESSID | ESSID of the network to filter (not yet implemented). |
| --filters | filters | Apply these filters in this specific order. They have to be separated by a ','. |
| --null-packets | none | Assume that null packets can be cloaked (not yet implemented). |
| --disable-base_filter | none | Disable the base filter. |
| --drop-frag | none | Drop all fragmented packets. In most networks, fragmentation is not needed. |

Airdrop-ng

Usage:
airdrop-ng [options] <pcap file>

| Syntax | Parameter | Description |
| --- | --- | --- |
| -i | card | Wireless card in monitor mode to inject from |
| -t | csv file | Airodump txt file in CSV format, NOT the pcap |
| -p | psyco | Disable the use of Psyco JIT |
| -r | Rule File | Rule File for matched deauths |
| -u | update | Updates OUI list |
| -d | Driver | Injection driver. Default is mac80211 |
| -s | sleep | Time to sleep between sending each packet |
| -b | debug | Turn on Rule Debugging |
| -l | key | Enable Logging to a file; if no file path is provided airdrop will log to the default location |
| -n | nap | Time to sleep between loops |

Airdecap-ng

Usage:
airdecap-ng [options] <pcap file>

| Syntax | Parameter | Description |
| --- | --- | --- |
| -l | none | don't remove the 802.11 header |
| -b | bssid | access point MAC address filter |
| -k | pmk | WPA/WPA2 Pairwise Master Key in hex |
| -e | essid | target network ASCII identifier |
| -p | pass | target network WPA/WPA2 passphrase |
| -w | key | target network WEP key in hexadecimal |

Airgraph-ng

Usage:
python airgraph-ng -i [airodumpfile.txt] -o [outputfile.png] -g [CAPR OR CPG]

| Syntax | Description |
| --- | --- |
| -i | Input File |
| -o | Output File |
| -g | Graph Type [CAPR (Client to AP Relationship) OR CPG (Common probe graph)] |
| -a | Print the about |
| -h | Print this help |
 

Aircrack-ng

Usage:
aircrack-ng [options] <capture file(s)>

| Syntax | Parameter | Description |
| --- | --- | --- |
| -a | amode | Force attack mode (1 = static WEP, 2 = WPA/WPA2-PSK) |
| -b | bssid | Long version --bssid. Select the target network based on the access point's MAC address. |
| -e | essid | If set, all IVs from networks with the same ESSID will be used. This option is also required for WPA/WPA2-PSK cracking if the ESSID is not broadcast (hidden). |
| -p | nbcpu | On SMP systems: number of CPUs to use. This option is invalid on non-SMP systems |
| -q | none | Enable quiet mode (no status output until the key is found, or not) |
| -c | none | (WEP cracking) Restrict the search space to alphanumeric characters only (0x20 - 0x7F) |
| -t | none | (WEP cracking) Restrict the search space to binary coded decimal hex characters |
| -h | none | (WEP cracking) Restrict the search space to numeric characters (0x30-0x39). These keys are used by default in most Fritz!BOXes |
| -d | start | (WEP cracking) Long version --debug. Set the beginning of the WEP key (in hex), for debugging purposes. |
| -m | maddr | (WEP cracking) MAC address to filter WEP data packets. Alternatively, specify -m ff:ff:ff:ff:ff:ff to use each and every IV, regardless of the network. |
| -M | number | (WEP cracking) Sets the maximum number of IVs to use. |
| -n | nbits | (WEP cracking) Specify the length of the key: 64 for 40-bit WEP, 128 for 104-bit WEP, etc. The default value is 128. |
| -i | index | (WEP cracking) Only keep the IVs that have this key index (1 to 4). The default behaviour is to ignore the key index. |
| -f | fudge | (WEP cracking) By default, this parameter is set to 2 for 104-bit WEP and to 5 for 40-bit WEP. Specify a higher value to increase the bruteforce level: cracking will take more time, but with a higher likelihood of success. |
| -H | none | Long version --help. Output help information. |
| -l | file name | (Lowercase L, ell) logs the key to the file specified. |
| -K | none | Invokes the Korek WEP cracking method. (Default in v0.x) |
| -k | korek | (WEP cracking) There are 17 Korek statistical attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, … -k 17 to disable each attack selectively. |
| -p | threads | Allow the number of threads for cracking even if you have a non-SMP computer. |
| -r | database | Utilizes a database generated by airolib-ng as input to determine the WPA key. Outputs an error message if aircrack-ng has not been compiled with sqlite support. |
| -x/-x0 | none | (WEP cracking) Disable last keybytes bruteforce. |
| -x1 | none | (WEP cracking) Enable last keybyte bruteforcing (default). |
| -x2 | none | (WEP cracking) Enable last two keybytes bruteforcing. |
| -X | none | (WEP cracking) Disable bruteforce multithreading (SMP only). |
| -y | none | (WEP cracking) Experimental single bruteforce attack which should only be used when the standard attack mode fails with more than one million IVs |
| -u | none | Long form --cpu-detect. Provide information on the number of CPUs and MMX support. Example responses to “aircrack-ng --cpu-detect” are “Nb CPU detected: 2” or “Nb CPU detected: 1 (MMX available)”. |
| -w | words | (WPA cracking) Path to a wordlist or “-” without the quotes for standard in (stdin). |
| -z | none | Invokes the PTW WEP cracking method. (Default in v1.x) |
| -P | none | Long version --ptw-debug. Invokes the PTW debug mode. |
| -C | MACs | Long version --combine. Merge the given APs to a virtual one. |
| -D | none | Long version --wep-decloak. Run in WEP decloak mode. |
| -V | none | Long version --visual-inspection. Run in visual inspection mode. |
| -1 | none | Long version --oneshot. Run in oneshot mode. |
| -S | none | WPA cracking speed test. |
| -s | none | Show the key in ASCII while cracking |
| -E | file | (WPA cracking) Create EWSA Project file v3 |
| -J | file | (WPA cracking) Create Hashcat Capture file |

Aireplay-ng

Usage:
aireplay-ng <options> <replay interface>

Filter Options

| Syntax | Parameters | Description |
| --- | --- | --- |
| -b | bssid | MAC address, Access Point |
| -d | dmac | MAC address, Destination |
| -s | smac | MAC address, Source |
| -m | len | minimum packet length |
| -n | len | maximum packet length |
| -u | type | frame control, type field |
| -v | subt | frame control, subtype field |
| -t | tods | frame control, To DS bit |
| -f | fromds | frame control, From DS bit |
| -w | iswep | frame control, WEP bit |

Replay Options

| Syntax | Parameters | Description |
| --- | --- | --- |
| -x | nbpps | number of packets per second |
| -p | fctrl | set frame control word (hex) |
| -a | bssid | set Access Point MAC address |
| -c | dmac | set Destination MAC address |
| -h | smac | set Source MAC address |
| -e | essid | For fakeauth attack or injection test, it sets the target AP SSID. This is optional when the SSID is not hidden. |
| -j | none | arpreplay attack, inject FromDS pkts |
| -g | value | change ring buffer size (default: 8) |
| -k | IP | set destination IP in fragments |
| -l | IP | set source IP in fragments |
| -o | npckts | number of packets per burst (-1) |
| -q | sec | seconds between keep-alives (-1) |
| -y | prga | keystream for shared key auth |
| -B or --bittest | none | bit rate test (applies only to test mode) |
| -D | none | disables AP detection. Some modes will not proceed if the AP beacon is not heard; this disables that check. |
| -F or --fast | none | chooses first matching packet. For test mode, it just checks basic injection and skips all other tests. |
| -R | none | disables /dev/rtc usage. Some systems experience lockups or other problems with RTC; this disables its use. |

Source options

| Syntax | Parameters | Description |
| --- | --- | --- |
| iface | none | capture packets from this interface |
| -r | file | extract packets from this pcap file |

Attack modes

| Syntax | Parameters | Description |
| --- | --- | --- |
| --deauth | count | deauthenticate 1 or all stations (-0) |
| --fakeauth | delay | fake authentication with AP (-1) |
| --interactive | none | interactive frame selection (-2) |
| --arpreplay | none | standard ARP-request replay (-3) |
| --chopchop | none | decrypt/chopchop WEP packet (-4) |
| --fragment | none | generates valid keystream (-5) |
| --test | none | injection test (-9) |
 

          More Cheat Sheets by itnetsec