# Aircrack-ng

### Airodump-ng:

```bash
# Specify the channel where airodump listens (the monitor-mode interface goes last)
airodump-ng --channel 11 --bssid <bssid> wlan0mon

# listen to a single bssid and write output to a file (it creates several files with different formats)
airodump-ng --channel 11 --bssid <bssid> --write <file name> wlan0mon

# scan both 2.4 and 5 GHz simultaneously
airodump-ng wlan0 --band abg

# load capture file in airodump
airodump-ng -r <file.cap>

# show WPS status for WPA networks
airodump-ng wlan0 --wps
```

### Airmon-ng:

```bash
# List interfaces
sudo airmon-ng  

# List programs that can interfere with aircrack-ng suite
sudo airmon-ng check 

# Kill processes that can interfere with aircrack-ng suite
sudo airmon-ng check kill

# Create an interface (wlan0mon) in monitor mode from an existing one (wlan0)
sudo airmon-ng start wlan0

# Stop monitor mode
sudo airmon-ng stop wlan0mon

# Start monitor mode only on channel 2 (only do this when the tool that will be used next doesn't change channels itself)
sudo airmon-ng start wlan0 2

# manually set channel
sudo iw dev wlan0mon set channel 13

# Check that we changed the channel correctly
sudo iw dev wlan0mon info

# verbose and debug mode
sudo airmon-ng --verbose
sudo airmon-ng --debug
```

### Aireplay-ng:

```bash
# deauth a client (the number after --deauth is how many deauths to send; a large number such as 1000000 keeps the deauth attack working for a while):
sudo aireplay-ng --deauth 4 -a <bssid> -c <client_MAC> wlan0mon

# Run the command in the background and discard its output
sudo aireplay-ng --deauth 4 -a <bssid> -c <client_MAC> wlan0mon &> /dev/null &

# with "jobs" we can see the jobs backgrounded with &. each has an ID
jobs

# kill all backgrounded aireplay processes.
killall aireplay-ng 

# kill only the first process in the "jobs" list:
kill %1

# To deauth every client connected to a BSSID, don't specify a client <MAC>
aireplay-ng --deauth 4 -a <bssid> wlan0mon &> /dev/null &

# check if we can inject in visible APs
sudo aireplay-ng -9 wlan0mon 

# check if we can inject in a specific AP (-9 selects the injection test)
sudo aireplay-ng -9 -e <ap_name> -a <MAC> wlan0mon

# Same as above, but with AP detection disabled (-D), so the test does not wait to hear the AP first
sudo aireplay-ng -9 -e <ap_name> -a <MAC> -D wlan0mon

# if we have two wifi cards, wlan0mon and wlan1mon, run a card-to-card test to make sure they can inject (if it reports a 5/7 error, the card can still be used to attack an AP)
sudo aireplay-ng -9 -i wlan1mon wlan0mon
```

### Aircrack-ng:

```bash
# benchmark (reports k/s, which is the number of words per second it can crack)
aircrack-ng -S  

# DON'T use a dictionary for WEP files!!!!
aircrack-ng wep.cap

# crack a handshake saved in a cap file:
aircrack-ng -w <path to wordlist> -e <ESSID> -b <ap bssid> file.pcap
aircrack-ng -w /usr/share/john/password.lst -e <ESSID> -b <ap bssid> file.cap

# crack using a db created with airolib (precomputed PMKs)
aircrack-ng -r wifu.sqlite wpa1-01.cap

```

### Airolib-ng:

Manages ESSID and password lists in an SQLite database. Calculating the pairwise master key (PMK) is slow, but it is constant for a given ESSID and passphrase, so precomputing it saves time later.

```bash
# create a text file containing the ESSID of the target AP
echo wifu > essid.txt

# import the text file into an airolib-ng database
airolib-ng wifu.sqlite --import essid essid.txt

# info about database (ESSIDs and stored passwords)
airolib-ng wifu.sqlite --stats

# import a dictionary of passwords (ignores those shorter than 8 chars or longer than 63 chars, since they are not valid WPA passphrases)
airolib-ng wifu.sqlite --import passwd /usr/share/john/password.lst

# calculate the PMK corresponding to each imported password
airolib-ng wifu.sqlite --batch

# crack using a db
aircrack-ng -r wifu.sqlite wpa1-01.cap
```
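
Why the precomputed database is tied to one ESSID can be seen from the standard WPA/WPA2-PSK key derivation (PBKDF2-HMAC-SHA1 with the ESSID as salt and 4096 iterations). The following is an added example, not code from aircrack-ng or from these notes; the function names and the sample word list are constructed for illustration.

```python
import hashlib
import time


def valid_wpa_passphrase(passphrase: str) -> bool:
    """WPA passphrases are 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def derive_pmk(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def precompute(essid: str, candidates: list[str]) -> dict[str, bytes]:
    """Build a passphrase -> PMK table for ONE ESSID, skipping invalid passphrases."""
    return {p: derive_pmk(p, essid) for p in candidates if valid_wpa_passphrase(p)}


if __name__ == "__main__":
    # Constructed sample input: two entries fall outside the 8..63 length rule.
    words = ["short", "password", "correct horse battery staple", "x" * 64]

    start = time.perf_counter()
    table = precompute("wifu", words)
    elapsed = time.perf_counter() - start

    print(f"kept {len(table)} of {len(words)} candidates, {elapsed / len(table):.4f} s per PMK")
    for passphrase, pmk in table.items():
        print(f"{passphrase!r:35} {pmk.hex()}")

    # Same passphrase, different ESSID: the PMK changes, so the table is not reusable.
    other = derive_pmk("password", "wifu-guest")
    print("reusable for another ESSID:", other == table["password"])
```

Because the ESSID is the salt, a table built for one ESSID does not apply to any other, so a unique ESSID combined with a long passphrase removes the benefit of precomputed databases.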

### Airdecap-ng:

```bash
# Keep the packets targeted to a specific <BSSID> and remove the rest from a cap file (creates a new file)
airdecap-ng -b <MAC> file.pcap

# decrypt saved traffic with a passphrase (check that the passphrase works, we may capture failed logins)
airdecap-ng -b <bssid> -e <essid> -p <pass> file.pcap
```


