Skip to content


Aircrack-ng is a complete suite of tools to assess WiFi network security.

It focuses on different areas of WiFi security:

  • Monitoring: Packet capture and export of data to text files for further processing by third party tools
  • Attacking: Replay attacks, deauthentication, fake access points and others via packet injection
  • Testing: Checking WiFi cards and driver capabilities (capture and injection)
  • Cracking: WEP and WPA PSK (WPA 1 and 2)


aircrack-ng [options]

-aamodeForce attack mode (1 = static WEP, 2 = WPA/WPA2-PSK)
-bbssidLong version – -bssid. Select the target network based on the access point’s MAC address.
-eessidIf set, all IVs from networks with the same ESSID will be used. This option is also required for WPA/WPA2-PSK cracking if the ESSID is not broadcasted (hidden).
-pnbcpuOn SMP systems: no. of CPU to use. This option is invalid on non-SMP systems
-qnoneEnable quiet mode (no status output until the key is found, or not)
-cnone(WEP cracking) Restrict the search space to alpha-numeric characters only (0x20 – 0x7F)
-tnone(WEP cracking) Restrict the search space to binary coded decimal hex characters
-hnone(WEP cracking) Restrict the search space to numeric characters (0x30-0x39) These keys are used by default in most Fritz!BOXes
-dstart(WEP cracking) Long version –debug. Set the beginning of the WEP key (in hex), for debugging purposes.
-mmaddr(WEP cracking) MAC address to filter WEP data packets. Alternatively, specify -m ff:ff:ff:ff:ff:ff to use all and every IVs, regardless of the network.
-Mnumber(WEP cracking) Sets the maximum number of ivs to use.
-nnbits(WEP cracking) Specify the length of the key: 64 for 40-bit WEP, 128 for 104-bit WEP, etc. The default value is 128.
-iindex(WEP cracking) Only keep the IVs that have this key index (1 to 4). The default behaviour is to ignore the key index
-ffudge(WEP cracking) By default, this parameter is set to 2 for 104-bit WEP and to 5 for 40-bit WEP. Specify a higher value to increase the bruteforce level: cracking will take more time, but with a higher likelyhood of success
-HnoneLong version – -help. Output help information
-lfile name(Lowercase L, ell) logs the key to the file specified.
-KnoneInvokes the Korek WEP cracking method. (Default in v0.x)
-kkorek(WEP cracking) There are 17 korek statistical attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, … -k 17 to disable each attack selectively
-pthreadsAllow the number of threads for cracking even if you have a non-SMP computer.
-rdatabaseUtilizes a database generated by airolib-ng as input to determine the WPA key. Outputs an error message if aircrack-ng has not been compiled with sqlite support
– x/- x0none(WEP cracking) Disable last keybytes brutforce.
– x1none(WEP cracking) Enable last keybyte bruteforcing (default).
– x2none(WEP cracking) Enable last two keybytes bruteforcing
-Xnone(WEP cracking) Disable bruteforce multithreading (SMP only)
– ynone(WEP cracking) Experimental single bruteforce attack which should only be used when the standard attack mode fails with more than one million IVs
– unoneLong form – -cpu-detect. Provide information on the number of CPUs and MMX support. Example responses to “aircrack-ng – -cpu-detect” are “Nb CPU detected: 2” or “Nb CPU detected: 1 (MMX available)”.
– wwords(WPA cracking) Path to a
– znoneInvokes the PTW WEP cracking method. (Default in v1.x)
– PnoneLong version – -ptw-debug. Invokes the PTW debug mode
– CMACsLong version – -combine. Merge the given APs to a virtual one
– DnoneLong version – -wep-decloak. Run in WEP decloak mode
– VnoneLong version – -visual-inspection. Run in visual inspection mode
– 1noneLong version – -oneshot. Run in oneshot mode.
– SnoneWPA cracking speed test.
– snoneShow the key in ASCII while cracking
– Efile>(WPA cracking) Create EWSA Project file v3
– Jfile(WPA cracking) Create Hashcat Capture file