Thursday, April 6, 2023

How to Use Aircrack-ng: A Guide to Network Compromise

In this comprehensive Aircrack-ng tutorial, we’ll guide you through the ins and outs of using the powerful Aircrack-ng suite to assess and enhance the security of WiFi networks. Whether you’re a seasoned ethical hacker or a newcomer to the cyber security field, this tutorial will provide valuable insights and actionable steps to help you understand and effectively use the various tools within the Aircrack-ng suite.

Throughout this tutorial, we’ll cover the essential tools, including airmon-ng, airodump-ng, airgraph-ng, aireplay-ng, aircrack-ng, and airbase-ng. Along the way, we’ll include some helpful commands for each one. Additionally, we’ll discuss the requirements, such as compatible wireless adapters and operating systems, to ensure you’re well-equipped to tackle any wireless network security challenge.

Get ready to dive into wireless network security and auditing with the Aircrack-ng suite, and discover how you can fortify your WiFi network against potential threats.


Before diving into how to use Aircrack-ng, it’s essential to ensure you have the proper hardware and software requirements to make the most of the tools in the suite.

Requirements to run Aircrack-ng:

  • Wireless adapter capable of monitor mode and packet injection.
  • Sufficient storage space and processing power.
  • Aircrack-ng installed or available for installation.
  • A solid understanding of wireless networking concepts.

The specific WiFi adapter we’re using throughout this article is the Alfa AWUS036ACH, but you can find several others that meet this requirement in our review Best WiFi Adapters for Kali Linux to Buy in 2023. The processing power of your device really comes into play with aircrack-ng. If you’re using Kali Linux as a VM, it may be worth bumping up the processors and RAM allocated more than usual. We ran it with 4 cores and 4096MB of RAM.

As mentioned above, Aircrack-ng and all its tools that we’ll cover in this article come pre-installed on Kali Linux. However, you can download the suite on any Linux, macOS, or Windows device if you’d prefer. Additionally, you’ll need an understanding of wireless networking and the elements involved to truly appreciate the steps you’ll execute with some of the tools in Aircrack-ng and how to wargame a strategy for pentesting or ethical hacking.

If you need help setting up Kali Linux as a VM, read:

How to Install Kali Linux on VirtualBox & Start Hacking Now

If you want to recap some of the networking concepts or terms we’ll discuss here, read:

CompTIA Network+ Cheat Sheet (Updated for Latest Exam)

What Is Aircrack-ng?

Aircrack-ng is a comprehensive suite of tools designed for auditing and securing WiFi networks. Its primary purpose is to help ethical hackers and security professionals test the security of wireless networks by cracking WEP and WPA keys, creating fake access points, capturing and analyzing network traffic, and performing various other network-based attacks.

You can use the Aircrack-ng suite to assess the security posture of your wireless network, identify vulnerabilities, and test the strength of your network’s encryption. Additionally, Aircrack-ng can be used to identify rogue access points, simulate various attack scenarios, and perform penetration testing tasks.

Using the Aircrack-ng suite involves employing different tools within the suite, depending on the task. Each tool has a specific purpose and can be used independently or in conjunction with other tools in the suite to perform a wide range of wireless network security tasks.

Aircrack-ng comes preinstalled on Kali Linux, making it readily accessible for security professionals and ethical hackers alike. In this article, we’ll cover the following tools in the Aircrack-ng suite:

  1. Airmon-ng: Used to enable monitor mode on a wireless adapter, allowing you to capture network traffic.
  2. Airodump-ng: Captures network traffic, focusing on identifying wireless networks and capturing data packets.
  3. Airgraph-ng: Generates graphical representations of network traffic based on captured data, providing a visual representation of network activity.
  4. Aireplay-ng: Creates network traffic and performs various attacks, such as deauthentication and packet injection, to manipulate network behavior.
  5. Aircrack-ng: The flagship tool that cracks WEP and WPA/WPA2 encryption keys, allowing you to assess the strength of your network’s security.
  6. Airbase-ng: Creates fake access points for testing network security, performing man-in-the-middle attacks, or social engineering purposes.

There are other several other tools that fall under the suite, such as airdecap-ng, airdecloak-ng, and airtun-ng. However, for this tutorial, we will cover only the ones listed above because of the prevalence they have in security auditing and network hardening. These selected tools also have a natural flow, as you’ll soon see.

For the sake of clarity: During this article, we will distinguish between Aircrack-ng (meaning the suite) and aircrack-ng (meaning the tool).


We want to be absolutely clear on this point. Even though it might seem innocent enough to perform a scan on your neighbor’s wireless network, a server hosting a website, or other networks, don’t do it. You need permission from the network owner if you are to do any kind of hacking or penetration testing on their systems. 

It might not seem like a big deal, but hacking, or even scanning, a system without permission can hold extremely steep legal penalties, including jail time, depending on your location. Such laws include:

  • The Computer Fraud and Abuse Act (United States)
  • Sections 184, 342.1, 380, and 430 of the Criminal Code of Canada (Canada)
  • Computer Misuse Act 1990 (England)
  • Sec. 202a and 202b of the German Criminal Code (Germany)
  • Information Technology Act Sec. 43 and 66 (India)
  • The Act on the Prohibition of Unauthorised Computer Access (Japan)

Read our article Is port scanning legal? to learn more about this topic and to make sure you’re operating in the clear.


Airmon-ng is an essential tool in the Aircrack-ng suite, primarily used to enable monitor mode on your wireless adapter. Monitor mode allows your wireless adapter to listen to all the WiFi traffic in the air, even outside of the network your device belongs to. This is crucial for capturing packets, analyzing network traffic, and injecting packets into the target network when needed.

You use airmon-ng at the beginning of any wireless network auditing or penetration testing process. It sets the stage for using other tools in the Aircrack-ng suite, such as airodump-ng, aireplay-ng, and aircrack-ng itself.

Using airmon-ng is straightforward. First, identify the interface name of your wireless adapter (e.g., wlan0) using the ifconfig command and iwconfig. Once you have the interface name, you can enable monitor mode with the airmon-ng start command followed by the interface name.

Managed Mode: This means that your WiFi adapter is set to only receive packets directed to our specific MAC address. Think of this as only receiving letters delivered to your home.

Monitor Mode: When your device is in monitor mode it will be able to receive all packets that are in range of the WiFi adapter, even if they aren’t addressed to your machine’s MAC address. Think of this as standing in the postal receiving and sorting room and watching all of the envelopes come in.


Typically, you’ll run this in the following order: 

  • Run ifconfig to first check for the interface name. 
  • Run iwconfig to check the mode. If it’s in managed mode, continue with the next steps. If it’s already in monitor, then you likely left it in that state from a previous session and can skip the rest of this.
  • Next run sudo airmong-ng check to look for any conflicting process that might interfere with setting up monitor mode.
  • If you find any interesting processes, run sudo airmon-ng check kill to stop them.
  • Finally, run the sudo airmon-ng start <Name of Adapter>, in our example wlan0. This command is used to bring your adapter back up in monitor mode. This will append mon to the end, such as wlan0mon.
Airmon-ng check kill

Common airmon-ng commands:

Command Action
airmon-ng check kill Terminates interfering processes identified by the “airmon-ng check” command. Example: sudo airmon-ng check kill
airmon-ng start Enables monitor mode on the specified interface. Example: sudo airmon-ng start wlan0
airmon-ng stop Disables monitor mode on the specified interface. Example: sudo airmon-ng stop wlan0mon
airmon-ng --channel <num> Sets the default channel for the wireless adapter when entering monitor mode. Example: sudo airmon-ng start wlan0 --channel 6

The most common frequency to test is 2.4GHz, and the most common, non-overlapping channels operated are 1, 6, and 11.

If you’re auditing and testing on 5GHz, there are many more non-overlapping channels. Generally, every fourth channel between 36-144 and 149-165.

Using airmon-ng you can enable monitor mode to capture the necessary data and perform various wireless security tests. This crucial first step lays the foundation for the rest of the Aircrack-ng suite to work effectively.


Airodump-ng is another critical tool in the Aircrack-ng suite, primarily used for capturing packets from wireless networks. By capturing packets, you can analyze network traffic, identify connected devices, and obtain essential information such as encryption keys and handshakes required for cracking the network’s security.

You need to use airodump-ng after enabling monitor mode with airmon-ng. It allows you to gather valuable information about the target network and its clients, which will help you better understand the network’s structure and identify potential vulnerabilities.

Using airodump-ng involves executing the tool with the monitoring interface (e.g., wlan0mon) and specifying various parameters such as the channel to monitor, the BSSID to filter, and the output file prefix for the captured data. Once started, airodump-ng will display live information about the networks and clients it detects.

See all networks in range:

sudo airodump-ng wlan0mon


Common airodump-ng commands:

Command Action
--channel Specifies the channel to listen on. Example: --channel 6
--bssid Filters the captured data to a specific BSSID. Example: --bssid AA:BB:CC:DD:EE:FF
-w Sets the output file prefix for the captured data. Example: -w output
--encrypt Filters the captured data to networks with a specific encryption type. Example: --encrypt WPA
--showack Displays acknowledgment statistics for each client, useful for identifying packet injection vulnerabilities. Example: --showack

Example of a packet capture:

sudo airodump-ng wlan0mon --channel 6 --bssid AA:BB:CC:DD:EE:FF -w output

Example of a packet capture

Utilizing airodump-ng effectively, you can gather essential data (such as AP and client MAC addresses) for further analysis and set yourself up for more advanced attacks or security assessments using other tools in the Aircrack-ng suite.


Airgraph-ng can be a valuable tool in the Aircrack-ng suite, used to create graphical representations of wireless networks and their associated clients. These visualizations can help you better understand the relationships between networks and devices, making it easier to identify potential targets and vulnerabilities.

You would use airgraph-ng after capturing packets with airodump-ng. By converting the captured data into a graphical format, you can gain a clearer understanding of the network’s structure, which can help you plan and execute more targeted and effective attacks or security assessments.

Using airgraph-ng involves providing an input file (CSV) generated by airodump-ng and specifying an output file for the generated graph. The tool supports multiple graph types, allowing you to choose the one that best suits your needs.


Common airgraph-ng commands:

Command Action
-i Specifies the input CSV file generated by Airodump-ng. Example: -i output-01.csv
-o Sets the output file for the generated graph. Example: -o output.png
-g Specifies the graph type to generate. Example: -g CAPR or -g CPG
-c Sets the channel filter for the generated graph. Example: -c 6
--essid Filters the graph data to networks with a specific ESSID. Example: --essid MyNetwork

Example of generating a graph from the captured data:

sudo airgraph-ng -i output-01.csv -o output.png -g CAPR

Example of generating a graph from the captured data

Using Airgraph-ng, you can visually analyze the relationships between networks and clients, helping you identify potential targets and better understand the overall structure of the wireless environment. This insight can be crucial for planning and executing advanced wireless security assessments or ethical hacking operations.

If you’re going through this tutorial to improve your skills as an ethical hacker, you might be wondering which certificate is best to market yourself. Take a look at our article, CEH vs OSCP 2023: Which One Should You Pursue?, for some helpful insight.


Aireplay-ng is a great tool in the Aircrack-ng suite, designed to generate, inject, and manipulate wireless network traffic. It supports various attack types, including deauthentication, fake authentication, and ARP request injection, which can help facilitate different stages of wireless security assessments or ethical hacking operations.

You would use aireplay-ng after capturing packets with airodump-ng and analyzing the network traffic. Based on the information gathered, aireplay-ng can be employed to speed up the cracking process, force client disconnections, or test network security by injecting custom packets.

When you execute a deauthentication (deauth) attack with aireplay-ng, the tool sends a series of deauthentication frames to the target device and access point. These frames are designed to mimic legitimate management packets from the access point or the client device, instructing them to disconnect from each other. As a result, the target device is disconnected from the WiFi network, forcing it to re-establish the connection, which can be used to capture the handshake.

Using aireplay-ng involves specifying the attack type, target network, and relevant parameters depending on the attack. You may need to provide the monitoring interface (e.g., wlan0mon) and the MAC addresses of the target access point and client devices.

Common aireplay-ng commands:

Command Action
--deauth Executes a deauthentication attack, disconnecting clients from the target network. Example: --deauth 100
--fakeauth Performs a fake authentication attack, simulating a client connecting to the target network. Example: --fakeauth 60
--arpreplay Conducts an ARP request replay attack to generate more IVs for WEP cracking. Example: --arpreplay
-a Specifies the target access point’s BSSID. Example: -a AA:BB:CC:DD:EE:FF
-c Sets the target client’s MAC address. Example: -c 11:22:33:44:55:66

Example of a deauthentication command:

sudo aireplay-ng --deauth 100 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon

Example of a deauthentication command

When using aireplay-ng effectively, you can manipulate wireless network traffic, test network security, and gather additional information to aid in cracking WiFi encryption or identifying vulnerabilities. Its various attack types make it a valuable addition to the Aircrack-ng suite, offering flexibility and adaptability for different wireless security scenarios.


Aircrack-ng is the flagship tool of the Aircrack-ng suite, primarily used for cracking wireless networks encryption keys, such as WEP and WPA/WPA2. It employs various algorithms and techniques to recover encryption keys, enabling you to gain unauthorized access to a wireless network or verify the strength of your own network’s security.

You would use aircrack-ng after capturing packets with airodump-ng and potentially manipulating traffic with aireplay-ng. Once you have collected enough data, such as a WPA handshake or a sufficient number of WEP IVs (Initialization Vector), aircrack-ng can be employed to attempt a key recovery using a dictionary or brute-force attack.

Using aircrack-ng involves providing the captured data (in .cap format) and specifying the attack parameters, such as the dictionary file or the key length for brute-force attacks. The tool will then analyze the captured data and attempt to recover the encryption key.


Common aircrack-ng commands:

Command Action
-w Specifies the wordlist or dictionary file for a dictionary attack. Example: -w dictionary.txt
-b Sets the target access point’s BSSID. Example: -b AA:BB:CC:DD:EE:FF
-e Specifies the target network’s ESSID. Example: -e MyNetwork
-a Forces the attack mode to use between WEP and WPA/WPA2-PSK. Example (WPA/WPA2-PSK): -a 2

Hidden Networks

Cracking WPA/WPA2-PSK networks where the ESSID is not broadcasted (hidden) requires that the ESSID be specifically tagged as an optional command with -e <NetworkName>.

Example of cracking a WPA key:

sudo aircrack-ng -w dictionary.txt -b AA:BB:CC:DD:EE:FF output-01.cap

Example of cracking a WPA key

Executing aircrack-ng effectively, you can attempt to crack wireless network encryption keys and assess the security of WiFi networks. Its various attack options and algorithms make it a powerful tool for ethical hackers and security professionals alike, providing insights into potential vulnerabilities and the effectiveness of network security measures.

The Aircrack-ng suite is very powerful, but there are a host of other tools that come pre-installed on Kali Linux to help you with your ethical hacking efforts. Check out some of our top picks in 25 Top Penetration Testing Tools for Kali Linux in 2023.


Airbase-ng is a powerful and fun tool within the Aircrack-ng suite, designed to create fake access points (APs) for various purposes, such as testing client devices’ behavior, performing man-in-the-middle attacks, or social engineering attacks. By emulating legitimate access points, airbase-ng can trick nearby devices into connecting to the fake AP, allowing you to monitor or manipulate their network traffic.

You would use airbase-ng after gathering information about the target network and clients using tools like airodump-ng and aireplay-ng. Once you’ve identified a suitable target, airbase-ng can be employed to create a fake access point, luring unsuspecting users into connecting and potentially revealing sensitive information.

Airbase-ng involves specifying the parameters for the fake access point, such as the ESSID, channel, and encryption type. You will need to provide the monitoring interface (e.g., wlan0mon) and may need to configure additional settings to match the target network’s characteristics.

Common airbase-ng commands:

Command Action
-a Sets the fake access point’s BSSID (MAC address). Example: -a AA:BB:CC:DD:EE:FF
--essid Specifies the fake access point’s ESSID (network name). Example: --essid MyFakeAP
--channel Sets the channel for the fake access point. Example: --channel 6
-W 1 Enables WEP encryption for the fake access point. Example: -W 1
-z Sets the fake access point to use WPA/WPA2 encryption. Example: -z 2 (for WPA2)

Example usage:

sudo airbase-ng -a <AA:BB:CC:DD:EE:FF> --essid <FakeAPName> --channel <#> wlan0mon


By using airbase-ng correctly, you can create fake access points for various purposes, such as testing network security, performing man-in-the-middle attacks, or social engineering. Its flexibility and adaptability make it a valuable tool in the Aircrack-ng suite, offering unique opportunities for ethical hackers and security professionals to assess the behavior of client devices and the effectiveness of network security measures.



Throughout this Aircrack-ng tutorial, we’ve explored the powerful features of the Aircrack-ng suite and demonstrated how it could be used to assess and enhance the security of WiFi networks. If you’d like to see all of these steps chained together in a demonstration of hacking a WiFi network, you can find that in How to Hack WiFi With Kali Linux Like a Pro.

Remember that ethical hacking and network security testing should only be performed on networks you have permission to access, and always adhere to legal and ethical guidelines. As you continue to develop your skills in the cyber security field, using tools like Aircrack-ng will empower you to take a proactive approach to wireless network security, ensuring that your WiFi connections remain safe and secure in an ever-evolving digital landscape.

Elevate your cyber security expertise to new heights by enrolling in our engaging courses, designed to empower you with valuable knowledge and practical skills:

Frequently Asked Questions

Can WPA2 be cracked?

Yes, WPA2 can be cracked, but it is generally more secure than WEP and WPA. The most common method for cracking WPA2 involves capturing the four-way handshake that occurs when a client connects to the network and then performing a brute-force or dictionary attack to guess the pre-shared key. However, this can be a time-consuming process, and the chances of success depend on the strength of the password and the attacker’s resources.

Is WPA2 easy to hack?

WPA2 is not easy to hack compared to its predecessors, WEP and WPA. WPA2 has improved encryption and security measures that make it more challenging for attackers. However, it is still vulnerable to specific attacks, such as capturing the four-way handshake and performing a brute-force or dictionary attack. To protect your WPA2 network, use a strong, unique password and keep your router firmware up-to-date.

Can Aircrack-ng use GPU for password cracking?

Aircrack-ng itself does not support GPU acceleration for password cracking. However, there are other tools, like hashcat, that can leverage the power of GPUs to perform password cracking more efficiently. You can use Aircrack-ng to capture the handshake and then use hashcat (included with Kali Linux) with GPU support to perform the password-cracking process.

What is the most secure WiFi password?

A secure WiFi password should be long, unique, and contain a mix of uppercase and lowercase letters, numbers, and special characters. In line with NIST 800-63b guidelines, consider using a passphrase (a sequence of words or other text) instead of a traditional password. If using a passphrase, consider inserting random characters, numbers, or special characters in between the words.

Aim for a password or passphrase that is at least 12-16 characters long. Avoid using common words, phrases, or easily guessable information like names, birthdays, or addresses. A strong password or passphrase reduces the likelihood of a successful brute-force attack.

from StationX

No comments:

Post a Comment