optional arguments: -h, --help show this help message and exit
SETTINGS: -v, --verbose Shows more options (-h -v). Prints commands and outputs. (default: quiet) -i [interface] Wireless interface to use, e.g. wlan0mon (default: ask) -c [channel] Wireless channel to scan (default: all 2Ghz channels) -5, --5ghz Include 5Ghz channels (default: off) -mac, --random-mac Randomize wireless card MAC address (default: off) -p [scan_time] Pillage: Attack all targets after scan_time (seconds) --kill Kill processes that conflict with Airmon/Airodump (default: off) -b [bssid] BSSID (e.g. AA:BB:CC:DD:EE:FF) of access point to attack -e [essid] ESSID (e.g. NETGEAR07) of access point to attack -E [text] Hides targets with ESSIDs that match the given text --clients-only Only show targets that have associated clients (default: off) --showb Show BSSIDs of targets while scanning --nodeauths Passive mode: Never deauthenticates clients (default: deauth targets) --num-deauths [num] Number of deauth packets to send (default: 1)
WEP: --wep Show only WEP-encrypted networks --require-fakeauth Fails attacks if fake-auth fails (default: off) --keep-ivs Retain .IVS files and reuse when cracking (default: off) --pps [pps] Packets-per-second to replay (default: 600 pps) --wept [seconds] Seconds to wait before failing (default: 600 sec) --wepca [ivs] Start cracking at this many IVs (default: 10000 ivs) --weprs [seconds] Restart aireplay if no new IVs appear (default: 11 sec) --weprc [seconds] Restart aircrack after this delay (default: 30 sec) --arpreplay Use ARP-replay WEP attack (default: on) --fragment Use fragmentation WEP attack (default: on) --chopchop Use chop-chop WEP attack (default: on) --caffelatte Use caffe-latte WEP attack (default: on) --p0841 Use p0841 WEP attack (default: on) --hirte Use hirte WEP attack (default: on)
WPA: --wpa Show only WPA-encrypted networks (includes WPS) --hs-dir [dir] Directory to store handshake files (default: hs) --new-hs Captures new handshakes, ignores existing handshakes in hs (default: off) --dict [file] File containing passwords for cracking (default: /usr/share/dict/wordlist-top4800-probable.txt) --wpadt [seconds] Time to wait between sending Deauths (default: 15 sec) --wpat [seconds] Time to wait before failing WPA attack (default: 500 sec)
WPS: --wps Show only WPS-enabled networks --no-wps Never use WPS PIN & Pixie-Dustattacks on targets (default: off) --wps-only Only use WPS PIN & Pixie-Dust attacks (default: off) --pixie Only use WPS Pixie-Dust attack (do not use PIN attack) --no-pixie Never use WPS Pixie-Dust attack (use PIN attack) --bully Use bully program for WPS PIN & Pixie-Dust attacks (default: reaver) --ignore-locks Do not stop WPS PIN attack if AP becomes locked (default: stop) --wps-time [sec] Total time to wait before failing PixieDust attack (default: 300 sec) --wps-fails [num] Maximum number of WPSFail/NoAssoc errors before failing (default: 100) --wps-timeouts [num] Maximum number of Timeouts before failing (default: 100)
PMKID: --pmkid Only use PMKID capture, avoids other WPS & WPA attacks (default: off) --pmkid-timeout [sec] Time to wait for PMKID capture (default: 30 seconds)
COMMANDS: --cracked Print previously-cracked access points --check [file] Check a .cap file (or all hs/*.cap files) for WPA handshakes --crack Show commands to crack a captured handshake