What version of Aircrack-ng am I running ?

Run 'aircrack-ng | head'. Version information is in the first line of text (second if the empty line is taken into account).

What is the best wireless card to buy ?

Which card to purchase is a hard question to answer. Each person's criteria are somewhat different: one person may require 802.11n capability, another may need the card to work under virtualization. Having said that, if money is not a constraint then the following cards are considered the best in class:

If money is a constraint then consider purchasing a card with an RTL8187L or Atheros chipset, but read this first before purchasing. There are many available on the market for fairly low prices. You are simply trading off range, sensitivity and performance for cost.

If you want to know if your existing card is compatible then use this page: Tutorial: Is My Wireless Card Compatible?

What tutorials are available ?

The Tutorials page has many tutorials specific to the aircrack-ng suite. If your question is not answered on this FAQ page, be sure to check out these other resources:

The links page also has generic wireless information and tutorials.

Any GPS recommendation ?

The following 2 devices have been tested and work fine:

However, anything that is compatible with GPSd will work.

"command not found" error message

After you enter “make install” then try to use any of the aircrack-ng suite commands, you get the error message “command not found” or similar. See the tip with the same message in troubleshooting tips.

How do I crack a static WEP key ?

The basic idea is to capture as much encrypted traffic as possible using airodump-ng. Each WEP data packet has an associated 3-byte Initialization Vector (IV): after a sufficient number of data packets have been collected, run aircrack-ng on the resulting capture file. aircrack-ng will then perform a set of statistical attacks developed by a talented hacker named KoreK.

Since that time, the PTW approach (Pychkine, Tews, Weinmann) has been developed. The main advantage of the PTW approach is that very few data packets are required to crack the WEP key.

How many IVs are required to crack WEP ?

WEP cracking is not an exact science. The number of required IVs depends on the WEP key length, and it also depends on your luck. Usually, 40-bit WEP (64 bit key) can be cracked with 300,000 IVs, and 104-bit WEP (128 bit key) can be cracked with 1,500,000 IVs; if you're out of luck you may need two million IVs, or more.

There is no way to know the WEP key length: this information is kept hidden and never announced, either in management or data packets; as a consequence, airodump-ng cannot report the WEP key length. Thus, it is recommended to run aircrack-ng twice: when you have 250,000 IVs, start aircrack-ng with “-n 64” to crack 40-bit WEP. Then if the key is not found, restart aircrack-ng (without the -n option) to crack 104-bit WEP.

The figures above are based on using the Korek method. With the introduction of the PTW technique in aircrack-ng 0.9 and above, the number of data packets required to crack WEP is dramatically lowered. Using this technique, 40-bit WEP (64 bit key) can be cracked with as few as 20,000 data packets and 104-bit WEP (128 bit key) with 40,000 data packets. PTW is limited to 40 and 104 bit key lengths. Keep in mind that it can take 100K packets or more even using the PTW method. Additionally, PTW only works properly with selected packet types. Aircrack-ng defaults to the PTW method and you must manually specify the Korek method in order to use it.

How can I know what is the key length ?

You can't know the key length: there is no information about it at all in wireless packets, which is why you have to try different lengths. Most of the time, it's a 128 bit key.

How do I know my WEP key is correct ?

Just because you seem to have successfully connected to the access point doesn't mean your WEP key is correct! To check your WEP key, the best way is to decrypt a capture file with the airdecap-ng program.

How can I crack a WPA-PSK network ?

You must sniff until a handshake takes place between a wireless client and the access point. To force the client to reauthenticate, you can start a deauth attack with aireplay-ng. Also, a good dictionary is required.

FYI, it's not possible to pre-compute large tables of Pairwise Master Keys like rainbowcrack does, since the passphrase is salted with the ESSID.

Where can I find good wordlists ?

The easiest way is to do an Internet search for word lists and dictionaries. Also check out web sites for password cracking tools. Many times they have references to word lists. A few sources follow. Please add comments or additions to this thread:

Remember that valid passwords are 8 to 63 characters in length. The Aircrack-ng Other Tips page has a script to eliminate passwords which are invalid in terms of length.

How do I recover my WEP/WPA key in windows ?

You have to use WZCook.

Will WPA be cracked in the future ?

It's extremely unlikely that WPA will be cracked just like WEP was.

The major problem with WEP is that the shared key is appended to the IV; the result is directly used to feed RC4. This overly simple construction is prone to a statistical attack, since the first ciphertext bytes are strongly correlated with the shared key (see Andrew Roos' paper). There are basically two counter-measures against this attack:

  1. Mix the IV and the shared key using a hash function or
  2. Discard the first 256 bytes of RC4's output.

There has been some disinformation in the news about the “flaws” of TKIP:

For now, TKIP is reasonably secure but it is also living on borrowed time since it still relies on the same RC4 algorithm that WEP relied on.

Actually, TKIP (WPA1) is not vulnerable: for each packet, the 48-bit IV is mixed with the 128-bit pairwise temporal key to create a 104-bit RC4 key, so there's no statistical correlation at all. Furthermore, WPA provides counter-measures against active attacks (traffic reinjection), includes a stronger message integrity code (Michael), and has a very robust authentication protocol (the 4-way handshake). The only vulnerability so far is a dictionary attack, which fails if the passphrase is robust enough.

WPA2 (aka 802.11i) is exactly the same as WPA1, except that CCMP (AES in counter mode) is used instead of RC4 and HMAC-SHA1 is used instead of HMAC-MD5 for the EAPOL MIC. Bottom line, WPA2 is a bit better than WPA1, but neither are going to be cracked in the near future.

How do I learn more about WPA/WPA2?

See the links page.

How do I decrypt a capture file ?

You may use the airdecap-ng program.

What are the authentication modes for WEP ?

There are two authentication modes for WEP:

The NetGear Wireless Basics Manual has a good description of WEP Wireless Security including diagrams of the packet flows.

How do I merge multiple capture files ?

You may use File → Merge… in Wireshark or Ethereal.

From the command line you may use the mergecap program to merge .cap files (part of the Wireshark/Ethereal package or the win32 distribution):

mergecap -F pcap test1.cap test2.cap test3.cap -w out.cap

It will merge test1.cap, test2.cap and test3.cap into out.cap

mergecap -F pcap *.cap -w out.cap

It will merge all the .cap files contained in the current folder into out.cap

You may use the ivstools program to merge .ivs files (part of aircrack-ng package)

Can I convert cap files to ivs files ?

You may use the ivstools program (part of the aircrack-ng package).

Can I use Wireshark/Ethereal to capture 802.11 packets ?

Under Linux, simply setup the card in monitor mode with the airmon-ng script. Under Windows, Wireshark can capture 802.11 packets using AirPcap. Except in very rare cases, Ethereal cannot capture 802.11 packets under Windows.

Can Wireshark/Ethereal decode WEP or WPA data packets ?

Recent versions of Ethereal and Wireshark can decrypt WEP. Go to Edit → Preferences → Protocols → IEEE 802.11, select 1 in the “WEP key count” and enter your WEP key below.

Wireshark 0.99.5 and above can decrypt WPA as well. Go to Edit → Preferences → Protocols → IEEE 802.11, select “Enable decryption”, and fill in the key according to the instructions in the preferences window. You can also select “Decryption Keys…” from the wireless toolbar if it's displayed.

Many times in this forum and on the wiki we suggest using Wireshark to review packets. There are two books available specifically for learning how to use Wireshark in detail. The books are listed here.

The good news is that they have made Chapter 6 of the “Wireshark & Ethereal Network Protocol Analyzer Toolkit” covering wireless packets available online in PDF format. Here is the link to Chapter 6. As well, see this section on the Wireshark Wiki.

What are the different wireless filter expressions ?

The Wireshark display filter reference lists wlan (general 802.11), wlan_mgmt (802.11 management), wlancap (AVS capture header), wlancertextn (802.11 certificate extensions), and radiotap (radiotap header).

(Ethereal Wireless Filters from

See the previous item for detailed instructions on using Wireshark.

How do I change my card's MAC address ?

Under linux, the following information applies.

One method is:

ifconfig ath0 down
ifconfig ath0 hw ether 00:11:22:33:44:55
ifconfig ath0 up

Be aware that the example above does not work with every driver.

The easier way is to use the macchanger package. The documentation and download is at: macchanger. This link tends to be slow or not answer. You can do an Internet search for “macchanger” or here are some alternate links:

If you are using mac80211 drivers and have a mon0 interface then:

 ifconfig mon0 down
 macchanger -a mon0
 Current MAC: 00:0f:b5:88:ac:82 (Netgear Inc)
 Faked MAC:   00:b0:80:3b:1e:1f (Mannesmann Ipulsys B.v.)
 ifconfig mon0 up
 macchanger -s mon0
 Current MAC: 00:b0:80:3b:1e:1f (Mannesmann Ipulsys B.v.)

IMPORTANT: In the following scripts, newer versions of madwifi-ng have deprecated (meaning discontinued) the “-bssid” option. If you get a warning to this effect, then use “-uniquebssid”.

Here are scripts which use the macchanger package and work well with madwifi-ng drivers:

Script 1 - Invoked with “ XX:XX:XX:XX:XX:XX”

 cardctl eject
 cardctl insert
 wlanconfig ath0 destroy
 ifconfig wifi0 up
 ifconfig wifi0 down
 macchanger wifi0 -m $1
 wlanconfig ath0 create wlandev wifi0 wlanmode monitor -bssid

Script 2 - For madwifi-ng driver devices

 #!/bin/bash
 # by darkAudax
 # Change the following variables to match your requirements
 # (the values below are placeholders, not from the original script)
 IFACE=ath0                   # monitor-mode VAP
 WIFACE=wifi0                 # underlying madwifi-ng device
 FAKEMAC=00:11:22:33:44:55    # replace with an address that has a valid OUI
 # The interface is brought up and down twice otherwise
 # it causes a system exception and the system freezes
 ifconfig $IFACE down
 wlanconfig $IFACE destroy
 wlanconfig $IFACE create wlandev $WIFACE wlanmode monitor -bssid
 ifconfig $IFACE up
 ifconfig $IFACE down
 macchanger $WIFACE -m $FAKEMAC
 wlanconfig $IFACE destroy
 wlanconfig $IFACE create wlandev $WIFACE wlanmode monitor -bssid
 ifconfig $IFACE up
 ifconfig $IFACE
 echo " "
 echo "The wireless card MAC has been set to $FAKEMAC"
 echo " "

Script 3 - For madwifi-ng driver devices

 #!/bin/bash
 # - Atheros MAC Changer
 # by brad a
 # foundstone
 if [ -z "$1" ]; then
    echo Atheros MAC Changer
    echo -----------------------
    echo IMPORTANT: this assumes we want to change the MAC of wifi0
    echo " if you want to change the MAC of another wifi interface"
    echo " (i.e. wifi1, wifi2, etc...) change the script!"
    echo "usage: $0 [mac]"
    exit 1
 fi
 echo Atheros MAC Changer
 echo -------------------------
 echo -Destroying VAPs:
 for i in $( ls /proc/net/madwifi ); do
    wlanconfig $i destroy > /dev/null 2>&1
    echo -e "\t$i - destroyed"
 done
 echo -Downing wifi0
 ifconfig wifi0 down
 echo -Using macchanger to change MAC of wifi0
 macchanger -m "$1" wifi0
 echo -Bringing wifi0 back up
 ifconfig wifi0 up
 echo -Bringing up one VAP in station mode
 wlanconfig ath create wlandev wifi0 wlanmode monitor -bssid > /dev/null
 echo -All done!
 echo -Confirm your settings:
 echo ------------------------------------------------------
 ifconfig wifi0
 echo ------------------------------------------------------

Madwifi-ng Notes: The madwifi site has a detailed documentation page on changing the MAC address under madwifi-ng: How can I change the MAC address of my card? Starting in r2435 of the madwifi-ng driver, they changed the default way in which new VAPs get their MAC address. When creating a new VAP with wlanconfig, you must specify “-bssid” to have it use the underlying MAC address. If you don't do this, then the new VAP gets a unique MAC. This will cause problems with various aircrack-ng commands.

Under Windows, you may use:

Troubleshooting Tip: A normal MAC address looks like this: 00:09:5B:EC:EE:F2. The first half (00:09:5B) of each MAC address is the manufacturer. The second half (EC:EE:F2) is unique to each network card. Many access points will ignore invalid MAC addresses. So make sure to use a valid wireless card manufacturer code when you make up MAC addresses. Otherwise your packets may be ignored.

Is my card compatible with airodump-ng / aireplay-ng ?

Read the Tutorial: Is My Wireless Card Compatible? tutorial. Then check the Compatible Cards page.

Can I have multiple instances of aireplay-ng running at the same time?

Yes, you can.

How do I use spaces, double quotes, single quotes, etc. in AP names?

NOTE: If you enclose the AP name in single or double quotes, then you don't also need to escape special characters within the single or double quotes.

IMPORTANT EXCEPTION: If the AP name contains “!” then special care must be taken. The reason is that the bash interpreter thinks you want to repeat a previous command. Your options are:

Sometimes the AP name contains leading or trailing spaces. These can be very hard to identify from the airodump-ng screen. Here are a few methods to deal with this situation:
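When an AP name comes from a script or a file rather than being typed at the prompt, the cleanest approach is to keep the shell out of the way entirely. The following Python is an added example, not code from the Aircrack-ng suite or from this FAQ: it builds an argument list that a tool receives verbatim (illustrated with airodump-ng's --essid option), produces a single-quoted form that is safe to paste into bash (single quotes also stop “!” from being treated as history expansion), and brackets a name so leading or trailing spaces become visible. The ESSIDs are constructed sample values.

```python
import shlex
import subprocess


def argv_for(tool: str, essid: str, extra=()) -> list:
    """Argument list for a tool that takes an ESSID. Passing a list to
    subprocess.run bypasses the shell, so spaces, quotes and '!' in the
    name reach the program unchanged, with no escaping needed at all."""
    return [tool, "--essid", essid, *extra]


def quote_for_terminal(essid: str) -> str:
    """Single-quoted form suitable for pasting into bash. Inside single quotes
    nothing is special, '!' included; an embedded single quote is emitted as
    '\\'' (close the quote, escaped quote, reopen the quote)."""
    return "'" + essid.replace("'", "'\\''") + "'"


def reveal_whitespace(essid: str) -> str:
    """Bracket the name and report its length so leading/trailing spaces,
    which the airodump-ng screen does not show, stand out."""
    return f"[{essid}] ({len(essid)} chars)"


def roundtrip(essid: str) -> str:
    """Parse the pasted form back the way bash would, to confirm the
    quoting is lossless for this name."""
    return shlex.split("airodump-ng --essid " + quote_for_terminal(essid))[2]


def run_tool(tool: str, essid: str, extra=()):
    """Run the tool without a shell; returns the CompletedProcess."""
    return subprocess.run(argv_for(tool, essid, extra), check=False)


# Constructed sample names covering the cases discussed above:
# an apostrophe plus '!', surrounding spaces, embedded double quotes.
SAMPLES = ["Bob's Net!", " Free WiFi ", 'Say "hi"']

if __name__ == "__main__":
    for name in SAMPLES:
        print(reveal_whitespace(name))
        print("  paste into terminal: airodump-ng --essid", quote_for_terminal(name))
        print("  shlex.quote gives:   ", shlex.quote(name))
        print("  argv list:           ", argv_for("airodump-ng", name))
        assert roundtrip(name) == name
```

shlex.quote produces an equivalent (sometimes differently shaped) quoting; the hand-written version is kept here so the single-quote rule is visible.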

What is the size of ARP packets ?

When captured through a wireless interface, 68 bytes is typical for arp packets originating from wireless clients. 86 bytes is typical for arp requests from wired clients.

On Ethernet, ARP packets when received are typically 60 bytes long. When this is then relayed by a wireless access point, they are 86 bytes. This is, of course, because of the wireless headers. If a wireless client sends an ARP, they are typically 42 bytes long and they become 68 when relayed by the AP.
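The figures above follow from header arithmetic. The Python below is an added example, not code from the Aircrack-ng suite or from this FAQ. It assumes WEP-encrypted data frames (4-byte IV/key-id header and 4-byte ICV) captured without the trailing FCS, which is the combination that reproduces the 68 and 86 byte figures, and takes the other constants from the respective standards: 28 bytes for an IPv4 ARP packet, a 24-byte 802.11 data header, an 8-byte LLC/SNAP header, and a 46-byte Ethernet minimum payload. The last function goes one step beyond the text and labels a frame length by which side of the AP the ARP came from.

```python
ETH_HEADER = 14          # destination, source, EtherType
ETH_MIN_PAYLOAD = 46     # 64-byte minimum frame minus 14-byte header and 4-byte FCS
ARP_IPV4_LEN = 28        # ARP request/reply for Ethernet + IPv4
DOT11_DATA_HEADER = 24   # three-address 802.11 data frame header
LLC_SNAP = 8             # LLC/SNAP encapsulation carrying the EtherType
WEP_IV = 4               # 3-byte IV plus key-id byte
WEP_ICV = 4              # CRC-32 integrity check value


def ethernet_frame_len(payload_len: int, padded: bool = True) -> int:
    """Ethernet frame size without FCS. Short payloads are padded to the
    46-byte minimum on the wire, and that padding is not stripped when an
    access point forwards the frame to the wireless side."""
    body = max(payload_len, ETH_MIN_PAYLOAD) if padded else payload_len
    return ETH_HEADER + body


def wep_frame_len(payload_len: int) -> int:
    """802.11 WEP data frame size as airodump-ng reports it (no FCS)."""
    return DOT11_DATA_HEADER + WEP_IV + LLC_SNAP + payload_len + WEP_ICV


def expected_arp_sizes() -> dict:
    """Frame sizes for one ARP packet on each side of the access point."""
    return {
        "ethernet_unpadded": ethernet_frame_len(ARP_IPV4_LEN, padded=False),  # 42
        "ethernet_padded": ethernet_frame_len(ARP_IPV4_LEN),                  # 60
        "wireless_from_wireless_client": wep_frame_len(ARP_IPV4_LEN),         # 68
        "wireless_from_wired_host": wep_frame_len(ETH_MIN_PAYLOAD),           # 86
    }


def classify_wep_frame_len(length: int):
    """Label a WEP data frame length that matches an ARP from either side;
    anything else returns None (other traffic, or not WEP at all)."""
    sizes = expected_arp_sizes()
    if length == sizes["wireless_from_wireless_client"]:
        return "arp-from-wireless-client"
    if length == sizes["wireless_from_wired_host"]:
        return "arp-from-wired-host"
    return None


if __name__ == "__main__":
    for name, size in expected_arp_sizes().items():
        print(f"{name:32s} {size} bytes")
```

The 18-byte difference between the two wireless figures is exactly the Ethernet padding (46 - 28) that the AP carries across unchanged.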

How can I resolve MAC addresses to IP addresses ?

You can try netdiscover or ARP tools.

What are the allowed rates ?

 Modulation     Allowed rates
 DSSS / CCK     1M, 2M, 5.5M, 11M
 OFDM (a/g)     6M, 9M, 12M, 24M, 36M, 48M, 54M

What is the frequency for each channel?

To determine the frequency that a channel uses (or vice versa), check out: Wifi Channels. Or check out Wikipedia List of WLAN Channels. This is a nice graphic showing the channel assignments and their overlap.
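For a quick lookup without leaving the terminal, the following Python is an added example, not code from the Aircrack-ng suite or from this FAQ. It implements the 2.4 GHz rule (2407 MHz plus 5 MHz per channel, with channel 14 at 2484 MHz), the 5 GHz rule (5000 MHz plus 5 MHz per channel), and the overlap check the graphic illustrates: a DSSS channel is 22 MHz wide, so two channels overlap when their centre frequencies are less than 22 MHz apart. Accepting every 5 GHz channel number from 36 to 177 is a simplification; regulatory domains permit only subsets of that range.

```python
def channel_to_frequency(channel: int) -> int:
    """Centre frequency in MHz for a 2.4 GHz or 5 GHz channel number."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:            # Japan-only DSSS channel, off the 5 MHz grid
        return 2484
    if 36 <= channel <= 177:     # simplification: whole 5 GHz numbering range
        return 5000 + 5 * channel
    raise ValueError(f"unknown channel {channel}")


def frequency_to_channel(mhz: int) -> int:
    """Inverse of channel_to_frequency; raises for off-grid frequencies."""
    if mhz == 2484:
        return 14
    if 2412 <= mhz <= 2472 and (mhz - 2407) % 5 == 0:
        return (mhz - 2407) // 5
    if 5180 <= mhz <= 5885 and (mhz - 5000) % 5 == 0:
        return (mhz - 5000) // 5
    raise ValueError(f"{mhz} MHz is not a Wi-Fi channel centre")


def channels_overlap(a: int, b: int, width_mhz: int = 22) -> bool:
    """True when two channels' passbands overlap (default 22 MHz, DSSS)."""
    return abs(channel_to_frequency(a) - channel_to_frequency(b)) < width_mhz


def non_overlapping_2ghz(width_mhz: int = 22) -> list:
    """Greedy choice of mutually non-overlapping 2.4 GHz channels, lowest first."""
    chosen = []
    for ch in range(1, 15):
        if all(not channels_overlap(ch, c, width_mhz) for c in chosen):
            chosen.append(ch)
    return chosen


if __name__ == "__main__":
    for ch in (1, 6, 11, 14, 36, 149):
        print(f"channel {ch:3d} -> {channel_to_frequency(ch)} MHz")
    print("non-overlapping 2.4 GHz set:", non_overlapping_2ghz())
```

The greedy pass returns 1, 6, 11 and 14, the familiar non-overlapping set (channel 14 only where it is legal).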

How do I convert the HEX characters to ASCII?

Here are some conversion links. Remember to put % in front of each hex character when going from hex to ascii.

LatinSuD has developed a very useful tool - Javascript WEP Conversion Tool. It can perform a variety of WEP, ASCII and passphrase conversions.
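The conversions these links perform can also be done locally. The Python below is an added example, not code from the Aircrack-ng suite, from this FAQ or from LatinSuD's tool: it converts between the ASCII and colon-separated hex forms of a WEP key, reports the secret key size (5 bytes is the 40-bit key, 13 bytes the 104-bit key discussed earlier on this page; 16 and 29 bytes are the other lengths aircrack-ng's -n option accepts), and produces the percent-prefixed form that web hex-to-ASCII converters expect, one “%” per two-digit hex byte.

```python
import re

HEX_BYTES = re.compile(r"^[0-9A-Fa-f]{2}([:\-]?[0-9A-Fa-f]{2})*$")


def ascii_to_hex(key: str, sep: str = ":") -> str:
    """ASCII WEP key -> hex, e.g. 'abcde' -> '61:62:63:64:65'."""
    return sep.join(f"{b:02X}" for b in key.encode("ascii"))


def hex_to_bytes(hex_key: str) -> bytes:
    """Accept '6162636465', '61:62:63:64:65' or '61-62-63-64-65'."""
    cleaned = hex_key.strip()
    if not HEX_BYTES.match(cleaned):
        raise ValueError(f"not a hex key: {hex_key!r}")
    return bytes.fromhex(re.sub(r"[:\-]", "", cleaned))


def hex_to_ascii(hex_key: str):
    """Hex WEP key -> ASCII, or None if any byte is not printable ASCII
    (a randomly generated hex key usually has no ASCII form at all)."""
    raw = hex_to_bytes(hex_key)
    if all(32 <= b <= 126 for b in raw):
        return raw.decode("ascii")
    return None


def percent_encode(hex_key: str) -> str:
    """'%61%62...' form for web converters: one % per two-digit hex byte."""
    return "".join(f"%{b:02X}" for b in hex_to_bytes(hex_key))


def wep_key_bits(hex_key: str):
    """Secret key size in bits for a hex key, or None for a length WEP does
    not use. Add 24 bits of IV to get the 64/128/152/256 marketing figures."""
    return {5: 40, 13: 104, 16: 128, 29: 232}.get(len(hex_to_bytes(hex_key)))


if __name__ == "__main__":
    for k in ("abcde", "0123456789abc"):
        h = ascii_to_hex(k)
        print(f"{k!r:18} -> {h}  ({wep_key_bits(h)}-bit)  back: {hex_to_ascii(h)!r}")
    print(percent_encode("61:62:63:64:65"))
```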

Does the aircrack-ng suite support Airpcap adaptor?

See airpcap.

I have a Prism2 card, but airodump-ng / aireplay-ng doesn't seem to work !

First, make sure you aren't using the orinoco driver. If the interface name is wlan0, then the driver is HostAP or wlan-ng. However if the interface name is eth0 or eth1, then the driver is orinoco and you must disable the driver. The easiest way to do this is to blacklist it in /etc/modprobe.d/blacklist.

Also, it can be a firmware problem. Old firmwares have trouble with test mode 0x0A (used by the HostAP / wlan-ng injection patches), so make sure yours is up to date (see Prism2 flashing for instructions). The recommended station firmware version is 1.7.4. If it doesn't work well (kismet or airodump-ng stalls after capturing a couple of packets), try STA 1.5.6 instead (either s1010506.hex for old Prism2 cards, or sf010506.hex for newer ones).

On a side note, test mode 0x0A is somewhat unstable with wlan-ng. If the card seems stuck, you will have to reset it, or use HostAP instead. Injection is currently broken on Prism2 USB devices with wlan-ng.

I have an Atheros card, and the madwifi patch crashes the kernel / aireplay-ng keeps saying enhanced RTC support isn't available

There are quite a few problems with some versions of the Linux 2.6 branch (especially before 2.6.11 was released) that will cause a kernel panic when injecting with madwifi. Also, on many 2.6 kernels enhanced RTC support is just broken. Thus, it is highly recommended to use Linux 2.6.11.x or newer.

Why do I have bad speeds when i'm too close to the access point?

Problem: The wireless card behaves badly if the signal is too strong. If you are too close (1-2m) to the access point, you get high quality signal but actual transmission rates drop (down to 5-11Mbps or less). The net result is TCP throughput of about 600KB/s.

This is called antenna and receiver saturation. The signal coming in to the preamplifier is too strong and clips the input of the amplifier, causing signal degradation. This is a normal phenomenon with most 802.11 hardware.

So, is it a driver problem or is it my network hardware?

Neither, really. It's a physics problem. The only solution is to either decrease transmission power, use an antenna with a lower gain factor, or move the access point farther away from the station. You should use wired ethernet when you're close to the access point. If you don't want or you don't have a wire, you can also decrease output power of your Access point or your card.

How do I download and compile aircrack-ng?

See the wiki home page for links to the relevant sub-pages.

The driver won't compile

This usually happens because the linux headers don't match your current running kernel. In this situation, grab the kernel sources or just recompile a fresh kernel, install it and reboot. Then, try again compiling the driver. See this HOWTO for more details about kernel compilation.

Why can't I compile airodump-ng and aireplay-ng on other OSs ?

Both airodump-ng and aireplay-ng sources are Linux-specific.

Why do I get ioctl(SIOCGIFINDEX) failed: No such device ?

Double check that your device name is correct and that you haven't forgotten a parameter on the command line.

When using linux-wlan-ng driver, be sure to enable the interface first with airmon-ng.

Why do I get 'SIOCSIFFLAGS : No such file or directory' error message

Some drivers require a firmware to be loaded (b43, prism54, zd1211rw, …). The driver typically loads the firmware itself when started.
In this case, the driver didn't find it because the firmware was not in the right place or is missing from the computer. To find the firmware's correct location, read the driver documentation.

Why does my computer lock up when injecting packets ? Is there a solution?


Is VMware supported?

Yes, the aircrack-ng suite has been run successfully under VMware. One caveat when using VMware: you can't use PCMCIA or PCI cards; you can ONLY use compatible USB wireless cards. Some limited additional information is available here:

A virtual machine is available, see this page for more information.

What other tips do you have?

Various tips

Windows GUI Error message

Running the Windows GUI gives an error message similar to “the application failed to initialize properly (0xc0000135). Click on OK to terminate the application”. To correct this, ensure you have the Microsoft .NET framework 2.0 installed.

My network card changes its name from eth0 to eth1

Or even to eth2, or from wlan0 to wlan1, or … You know what the symptoms mean if you suffer from this problem. This happens when you change your MAC and udev thinks it has detected a new network card. udev records this, so your network card naming stays mixed up even after a reboot.

Solution: Disable this function in UDEV

Open /etc/udev/persistent-net-generator.rules in your preferred text editor

Search for

 KERNEL=="eth*|ath*|wlan*|ra*|sta*", DRIVERS=="?*",\
 	IMPORT{program}="write_net_rules $attr{address}"

and change it to

 #KERNEL=="eth*|ath*|wlan*|ra*|sta*", DRIVERS=="?*",\
 #	IMPORT{program}="write_net_rules $attr{address}"

Save and close.

Open /etc/udev/rules.d/z25_persistent-net.rules in your preferred text editor (“z25_” may be something different on your system).

Search for the lines concerning your network card and delete them, or just disable them by inserting a leading “#”.

Reboot and everything should be back to normal and stay there.

Note: If you update udev to a newer revision you may have to do this again.

What is the format of a valid MAC address ?

A normal MAC address looks like this: 00:09:5B:EC:EE:F2. It is composed of six octets. The first half (00:09:5B) of each MAC address is known as the Organizationally Unique Identifier (OUI). Simply put, it is the card manufacturer. The second half (EC:EE:F2) is known as the extension identifier and is unique to each network card within the specific OUI. Many access points will ignore MAC addresses with invalid OUIs. So make sure you use a valid OUI code when you make up MAC addresses. Otherwise, your packets may be ignored by the Access Point. The current list of OUIs may be found here.

Make sure that the last (least significant) bit of the first octet is 0. This corresponds to unicast addresses. If it is set to 1, this indicates a group address, which is normally used exclusively by multicast traffic. Frames with a multicast source MAC address are invalid and will be dropped.

In particular, it is recommended that the first octet is 00.
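The rules above can be checked before an address is used. The following Python is an added example, not code from the Aircrack-ng suite or from this FAQ: it parses an address in colon, dash or bare form, tests the individual/group bit (the lowest bit of the first octet) and the locally-administered bit (the next bit up, which a registered OUI never sets), extracts the OUI, and compares it against a small OUI set constructed from the addresses that appear on this page (00:09:5B from the example above and 00:0F:B5, which the macchanger output earlier labels Netgear). A real check would load the complete OUI list referenced above instead.

```python
import re

# Constructed from addresses that appear on this page; a real check would
# load the complete IEEE OUI registry instead.
KNOWN_OUIS = {"00:09:5B", "00:0F:B5"}

_HEX2 = r"([0-9A-Fa-f]{2})"
_MAC_RE = re.compile("^" + r"[:\-]?".join([_HEX2] * 6) + "$")


def parse_mac(text: str) -> bytes:
    """'00:09:5B:EC:EE:F2', '00-09-5B-EC-EE-F2' or '00095BECEEF2' -> 6 bytes."""
    m = _MAC_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(g, 16) for g in m.groups())


def format_mac(mac: bytes) -> str:
    return ":".join(f"{b:02X}" for b in mac)


def oui(mac: bytes) -> str:
    """Organizationally Unique Identifier: the first three octets."""
    return format_mac(mac[:3])


def is_group_address(mac: bytes) -> bool:
    """I/G bit (lowest bit of the first octet): 1 means multicast/broadcast,
    which is never valid as a source address."""
    return bool(mac[0] & 0x01)


def is_locally_administered(mac: bytes) -> bool:
    """U/L bit (second-lowest bit of the first octet): 1 means the address
    was not assigned under a registered OUI."""
    return bool(mac[0] & 0x02)


def check_mac(text: str, known_ouis=KNOWN_OUIS) -> list:
    """Reasons an access point may ignore this address; an empty list means
    it passes every rule given on this page."""
    mac = parse_mac(text)
    problems = []
    if is_group_address(mac):
        problems.append("group (multicast) bit set: invalid as a source address")
    if is_locally_administered(mac):
        problems.append("locally administered bit set: not a registered OUI")
    if oui(mac) not in known_ouis:
        problems.append(f"OUI {oui(mac)} not in the known manufacturer list")
    if mac[0] != 0x00:
        problems.append("first octet is not 00 (the recommendation above)")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: the page's example, a multicast address,
    # and a made-up locally administered one.
    for sample in ("00:09:5B:EC:EE:F2", "01:00:5E:00:00:FB", "DE:AD:BE:EF:00:01"):
        print(sample, "->", check_mac(sample) or "ok")
```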

What is ARP ?

The address resolution protocol (ARP) is explained in more detail here.

Is Mac OS X supported?

The aircrack-ng suite has limited Mac OS X support. Currently it only supports the following tools: aircrack-ng, packetforge-ng, ivstools and makeivs. Any program which requires opening a wireless interface is not supported.

What is RSSI?

RSSI means Received Signal Strength Indication. It is a measurement of the strength of the radio signal received in a wireless environment, expressed in arbitrary units.

For more information, see

What is the difference with long and short preamble?

Every packet is sent with a preamble, which is just a known pattern of bits at the beginning of the packet so that the receiver can sync up and be ready for the real data. This preamble must be sent at the basic rate (1 Mbps), according to the official standard. But there are two different kinds of preambles, short and long. The long preamble has a field size of 128 bits, while the short preamble is only 56 bits.

Will I get better range with maximum output power?

No, this is a false assumption in most situations.

In a home environment, the best output power is not always the maximum. In most situations, 30 mW is enough. However, if you are a long distance from the AP, then yes, maximum output power is the best.

Do wifi amplifiers have a better range?

No, amplifiers are not a very good idea because:

  1. Amplifiers also amplify noise and that's not a good thing for link quality
  2. With high amplification, you could get a headache

You are much better off purchasing a good antenna with high gain.

My card says that I have 20dBm (100mW) but I only have 18dBm, why?

Most cards have 100mW when combined with the antenna (2dBi antenna).

In 802.11a and 802.11g, the output power is 30mW due to modulation (it's a bit harder to use OFDM than CCK)

Will I have better reception with stronger transmit power?

No, the transmit power is not linked with receiving at all. For receiving, you should check the receive sensitivity of your card. As well, you are much better off purchasing a good antenna with high gain.

How do I choose an antenna?

You should see Antenna help, Selecting a Wifi Antenna and Netstumbler forum.

How Do I Put My Card Back Into Managed Mode

See airmon-ng documentation.

How Do I Check What Mode My Card Is In?

Use iwconfig to view the current speed setting of the wireless card. 1, 2, 5.5 and 11Mbit are 802.11b, 6, 9, 12, 18, 24, 36, 48, 54Mbit are 802.11a/g. Anything above 54Mbit is 802.11n.

How Do I Add a New USB Device ID to My Driver?

If you have a very new USB device, sometimes the device ID has not been included in the driver. The following article describes how to do this for a specific driver. The technique can be used for all USB drivers.

Adding new device IDs to zd1211rw

Why do I get "Error creating tap interface: Permission denied" or a similar message?

You receive one or both of the following errors:

 error creating tap interface: Permission denied
 error opening tap device: Permission denied

This is caused by SELinux (Security Enhanced Linux) preventing the interface from starting. To resolve, disable SELinux. See the support forums for your particular linux to determine how to do this.

Why doesn't airodump-ng display anything in an Android terminal?

By default, in settings, stty rows and columns are set to 0. Here are the settings:

How much does Aircrack-ng cost?

Aircrack-ng is “free software”; you can download it without paying any license fee. The version of Aircrack-ng you download isn't a “demo” version, with limitations not present in a “full” version; it is the full version. The license under which Aircrack-ng is issued is mostly the GNU General Public License version 2. See the GNU GPL FAQ for some more information.

You may also want to check out the OpenSSL license included in our source code download.

But I just paid someone on eBay for a copy of Aircrack-ng! Did I get ripped off?

That depends. Did they provide any sort of value-added product or service, such as installation support, installation media, training, trace file analysis, or funky-colored socks? Probably not. Aircrack-ng is available for anyone to download, absolutely free, at any time. Paying for a copy implies that you should get something for your money.

Can I use Aircrack-ng commercially?

Yes, if, for example, you mean “I work for a commercial organization; can I use Aircrack-ng to capture and assess WiFi network security in our company's networks or in our customers' networks?”

If you mean “Can I use Aircrack-ng as part of my commercial product?”, see the next entry in the FAQ.

Can I use Aircrack-ng as part of my commercial product?

As noted, Aircrack-ng is licensed under the GNU General Public License, version 2. The GPL imposes conditions on your use of GPL'ed code in your own products; you cannot, for example, make a “derived work” from Aircrack-ng, by making modifications to it, and then sell the resulting derived work and not allow recipients to give away the resulting work. You must also make the changes you've made to the Aircrack-ng source available to all recipients of your modified version; those changes must also be licensed under the terms of the GPL. See the GPL FAQ for more details; in particular, note the answer to the question about modifying a GPLed program and selling it commercially, and the question about linking GPLed code with other code to make a proprietary program. You can combine a GPLed program such as Aircrack-ng and a commercial program as long as they communicate “at arm's length”, as per this item in the GPL FAQ.

We recommend keeping Aircrack-ng and your product completely separate.

You may also want to check out the OpenSSL license included in our source code download.