Option Param. Description
-a amode Force attack mode (1 = static WEP, 2 = WPA-PSK).
-e essid If set, all IVs from networks with the same ESSID will be used. This option is also required for WPA-PSK cracking if the ESSID is not broadcasted (hidden).
-b bssid Select the target network based on the access point's MAC address.
-p nbcpu On SMP systems, set this option to the number of CPUs.
-q none Enable quiet mode (no status output until the key is found, or not).
-c none (WEP cracking) Restrict the search space to alpha-numeric characters only (0x20 - 0x7F).
-d start (WEP cracking) Set the beginning the WEP key (in hex), for debugging purposes.
-m maddr (WEP cracking) MAC address to filter WEP data packets. Alternatively, specify -m ff:ff:ff:ff:ff:ff to use all and every IVs, regardless of the network.
-n nbits (WEP cracking) Specify the length of the key: 64 for 40-bit WEP, 128 for 104-bit WEP, etc. The default value is 128.
-i index (WEP cracking) Only keep the IVs that have this key index (1 to 4). The default behaviour is to ignore the key index.
-f fudge (WEP cracking) By default, this parameter is set to 2 for 104-bit WEP and to 5 for 40-bit WEP. Specify a higher value to increase the bruteforce level: cracking will take more time, but with a higher likelyhood of success.
-k korek (WEP cracking) There are 17 korek statistical attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack selectively.
-x none (WEP cracking) Do not bruteforce the last two keybytes.
-y none (WEP cracking) This is an experimental single bruteforce attack which should only be used when the standard attack mode fails with more than one million IVs.
-w words (WPA cracking) Path to a wordlist.