Aircrack-ng — Install, Use, Optimise (2026)

Manish Garg
Manish Garg Associate of (ISC)² · RingSafe
Apr 29, 2026
2 min read

WiFi security auditing suite — capture, deauth, crack WPA/WPA2 handshakes and PMKID.

Use case: WirelessDifficulty: IntermediateHomepage: https://www.aircrack-ng.org

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

Linux (apt)

sudo apt install aircrack-ng

macOS (brew)

brew install aircrack-ng

0

Hardware: monitor-mode capable adapter required (Alfa AWUS036ACH, Panda PAU09)

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

Put interface in monitor mode

sudo airmon-ng start wlan0

Scan nearby networks

sudo airodump-ng wlan0mon

Target one network, save handshake

sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w cap wlan0mon

Deauth a client to force handshake

sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon

Convert pcap to hashcat format

hcxpcapngtool -o out.hc22000 cap-01.cap

Crack with hashcat (PMKID/handshake)

hashcat -m 22000 out.hc22000 rockyou.txt

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • PMKID attack (single packet) often easier than handshake (4-way). Use hcxdumptool instead of full Aircrack flow for PMKID.
  • Channel hopping: airodump-ng default hops 1-13. Lock to one channel (-c) once target identified.
  • Adapter quality matters: Alfa AWUS036ACH 2.4+5GHz is the practitioner default.
  • Aircrack-ng cracking itself is slow — pipe to hashcat for GPU. Aircrack only good for tiny dictionaries.
  • besside-ng automates capture+crack against all targets in range — useful for assessment scope.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • Many adapters claim monitor mode but driver is broken. Always test with airmon-ng check kill; airmon-ng start wlan0; iwconfig before assessment.
  • NetworkManager interferes with monitor mode — airmon-ng check kill stops it. Restart afterwards.
  • 5GHz monitor mode is spotty on most adapters. Plan for 2.4GHz only unless you have AWUS036ACH or similar.
  • Deauth-based handshake capture is illegal in many jurisdictions without authorisation — get scope clearance.

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • hcxdumptool — modern PMKID-first capture tool, much faster.
  • wifite2 — wraps the whole flow with sane defaults.
  • Kismet — passive WiFi sniffer, no injection.

India context and engagement notes

For India-context engagements: most office WiFi uses WPA2-PSK with weak passwords (company name + year). PMKID + hashcat with custom Indian-context wordlists yields hits in 60-80% of audits. Always document network policies and test under explicit written authorisation — Indian IT Act Section 66 covers unauthorised wireless intrusion.


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.

Book team training call Replies in 4 working hrs · India-only · Senior consultants