Skip to content

Aircrack-ng Suite

Aircrack-ng is an open-source suite for 802.11 wireless security assessment. Covers monitor mode setup, packet capture, traffic injection, and key recovery for WEP and WPA.

For offline WEP key recovery, prefer WEPWolf. It runs PTW, KoreK, FMS, and RC4-bias attacks from a single command with per-key-slot cracking and parallel directory ingestion. Use the aircrack-ng suite for active radio attacks (injection, replay, deauth) and for capturing traffic with airodump-ng. See the WEP cracking guide for the recommended workflow.

Tool Overview

Tool Purpose
airmon-ng Enable/disable monitor mode on wireless interfaces
airodump-ng Capture 802.11 frames, display live network/client summary
aireplay-ng Inject 802.11 frames: deauth, fake auth, ARP replay
aircrack-ng WEP key recovery (PTW/KoreK) and WPA dictionary attack
airdecap-ng Decrypt WEP/WPA captured frames given the key
airbase-ng Operate as a soft AP for testing

airmon-ng

# List interfaces and their driver info
airmon-ng

# Kill interfering processes (NetworkManager, wpa_supplicant)
airmon-ng check kill

# Enable monitor mode
airmon-ng start wlan0

# Enable on specific channel
airmon-ng start wlan0 6

# Disable monitor mode
airmon-ng stop wlan0mon
Flag Description
check List processes that may interfere
check kill Kill interfering processes
start <iface> Enable monitor mode, creates <iface>mon
stop <iface> Disable monitor mode

airodump-ng

# Scan all channels
airodump-ng wlan0mon

# Lock to channel, filter by BSSID, write to file
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

# Show clients associated to specific BSSID
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF wlan0mon
Option Description
-c <channel> Lock to specific channel
--bssid <mac> Filter to single AP
-w <prefix> Write capture to prefix-01.cap, prefix-01.csv, etc.
--band <a/b/g> Scan specific band (default: bg)
-d <mac> Filter to clients with specific AP MAC

Column definitions:

Column Meaning
BSSID AP MAC address
PWR Signal level (lower negative = stronger)
#Data Unique IV count (WEP) or data frame count (WPA)
ENC Encryption: WEP, WPA, WPA2, OPN
ESSID Network name
STA Client MAC (lower table)

aireplay-ng

# Deauthenticate clients (force reconnect to capture handshake)
aireplay-ng -0 5 -a <BSSID> wlan0mon           # 5 deauths to all clients
aireplay-ng -0 5 -a <BSSID> -c <STA> wlan0mon  # target specific client

# Fake authentication (associate adapter with AP)
aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <your_mac> wlan0mon

# ARP replay injection (WEP IV generation)
aireplay-ng -3 -b <BSSID> -h <your_mac> wlan0mon

# ChopChop decryption (WEP)
aireplay-ng -4 -b <BSSID> -h <your_mac> wlan0mon

# Fragmentation attack (WEP keystream recovery)
aireplay-ng -5 -b <BSSID> -h <your_mac> wlan0mon
Attack Flag Use
Deauthentication -0 N Force clients to reconnect (WPA handshake capture)
Fake Authentication -1 Associate with AP for injection
Interactive Replay -2 Manually select a captured frame to replay
ARP Replay -3 Replay ARP requests to generate IVs (WEP)
KoreK ChopChop -4 Byte-by-byte decryption (WEP)
Fragmentation -5 PRGA (keystream) recovery (WEP)
Caffe-Latte -6 Client-side WEP attack without AP
WPA Migration -7 WPA Migration Mode attack
Hirte -8 Client-side ARP fragmentation (WEP)

aircrack-ng

# WEP key recovery (PTW default)
aircrack-ng capture*.cap

# WEP key recovery (KoreK, more IVs needed)
aircrack-ng -K capture*.cap

# WEP with known key length
aircrack-ng -l 13 capture*.cap    # 13 bytes = WEP-104

# WPA dictionary attack (requires 4-way handshake in capture)
aircrack-ng -w wordlist.txt -b <BSSID> capture*.cap

# Specify capture file explicitly
aircrack-ng -w wordlist.txt capture-01.cap
Option Description
-K Use KoreK statistical attack (WEP) instead of PTW
-l <len> Force key length in bytes (WEP)
-w <wordlist> Wordlist for WPA dictionary attack
-b <bssid> Target specific AP by BSSID
-e <essid> Target specific network by ESSID

WPA cracking in aircrack-ng vs hashcat

aircrack-ng performs WPA dictionary attacks on CPU only. For any serious WPA cracking, use hashcat with hcxpcapngtool extraction. GPU acceleration is 10-100× faster. Use aircrack-ng for WEP (where it excels) and quick wordlist tests; use hashcat for sustained WPA attacks.


airdecap-ng

# Decrypt WEP capture given the key
airdecap-ng -w AABBCCDDEEFF0011223344 capture-01.cap

# Decrypt WPA capture given the passphrase + ESSID
airdecap-ng -e "NetworkName" -p "passphrase" capture-01.cap

Produces a capture-01-dec.cap file with decrypted frames.