What Is Aircrack-ng? Security Definition
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
Quick Definition
Aircrack-ng is a set of tools that let you check the security of Wi-Fi networks. It can capture data traveling over a wireless network, analyze it, and try to figure out the password if the network uses weak security. IT professionals use these tools to find vulnerabilities in wireless setups.
Commonly Confused With
Wireshark is a general-purpose network packet analyzer that can capture and display wireless traffic, but it does not have built-in cracking capabilities for WEP or WPA. Aircrack-ng is specifically designed for wireless security assessment and includes packet injection and key recovery tools.
If you use Wireshark, you can see the handshake packets but cannot crack the password directly. With Aircrack-ng, you capture the handshake and then feed it to the cracking engine.
Kismet is a wireless network detector, sniffer, and intrusion detection system. It is excellent for discovering networks and logging packets, but it does not include a built-in password cracker. Aircrack-ng focuses more on attacking the security mechanisms.
You might use Kismet to find a hidden SSID and then use aircrack-ng to capture a handshake and crack the password.
Reaver is a tool that exploits the WPS (Wi-Fi Protected Setup) PIN vulnerability to recover the WPA/WPA2 passphrase. It does not require a wordlist or handshake capture. Aircrack-ng, on the other hand, requires either a WEP packet capture or a WPA handshake and a wordlist.
If the router has WPS enabled and vulnerable, Reaver can crack the network in hours. If WPS is disabled, you must fall back to Aircrack-ng and a dictionary attack.
Must Know for Exams
Aircrack-ng appears in several major IT certification exams, although rarely as a pure recall objective. It is most relevant in the CompTIA Security+ (SY0-601) under domain 1.0 Attacks, Threats, and Vulnerabilities, specifically regarding wireless attacks. Candidates should understand that aircrack-ng is a tool used for cracking WEP and WPA, and that it often pairs with a deauthentication attack to capture the handshake. In Security+ exam questions, you may see a scenario where an attacker uses a tool to force a client off a network, then captures data, and later cracks the password, that is the aircrack-ng workflow.
For the Certified Ethical Hacker (CEH) exam, Aircrack-ng is covered under the wireless hacking module. The exam expects you to know the specific commands: airmon-ng start wlan0 to enable monitor mode, airodump-ng wlan0 to scan, airodump-ng –bssid [target] –c [channel] –w [file] to capture, aireplay-ng –deauth to send deauth packets, and aircrack-ng –w [wordlist] [capture file] to crack. The CEH exam may present a scenario and ask which tool or command was used at a specific step.
CompTIA Network+ (N10-008) touches on wireless security standards and mentions tools like Aircrack-ng in the context of securing wireless networks. While not heavy on tool-specific questions, candidates should know that WEP is weak and can be cracked in minutes, and that Aircrack-ng is a tool that does that. The exam may test understanding of the difference between WEP and WPA attacks: WEP requires many data packets, while WPA requires capturing the handshake.
In the Cisco CCNA (200-301), wireless security is covered, and while Cisco focuses on its own solutions (like Cisco Identity Services Engine and WPA2-Enterprise), familiarity with common attack tools like Aircrack-ng helps understand the threat landscape. Questions might describe an attacker successfully cracking a wireless network, and you need to infer which protocol weakness was exploited (WEP IV reuse or WPA weak PSK).
Overall, exam questions will not ask you to run aircrack-ng step-by-step, but they will expect you to recognize the attack pattern, the required conditions (monitor mode, packet injection, capture file), and the weaknesses it exploits.
Simple Meaning
Think of a Wi-Fi network like a walkie-talkie conversation between two people. If you stand close enough, you can hear every word they say. That is basically what wireless networks are like: radio waves travel through the air, and anyone with the right device can pick them up. Aircrack-ng is like a special radio scanner that not only listens to those conversations but can also record them and later try to decode the secret password that protects them.
Imagine you have a diary with a lock on it. If you want to test whether the lock is strong, you might try to pick it using different keys. That is what Aircrack-ng does with Wi-Fi passwords. It can try thousands of possible passwords very quickly to see if any of them work. But it can also do something clever: if it hears enough of the conversation between your computer and the router, it can use that information to figure out the password without even trying each one.
The name Aircrack-ng comes from "air" (because it works over the air), "crack" (because it cracks passwords), and "ng" (which stands for "next generation"). It is not a single program but a collection of tools that work together. For example, one tool captures the data, another listens for nearby networks, and another tries to crack the password. IT security experts use these tools to find weak spots in wireless networks so they can fix them before real attackers break in.
However, it is important to note that using Aircrack-ng on a network you do not own or have permission to test is illegal in most places. It is meant only for ethical hackers and network administrators who are authorized to test their own systems.
Full Technical Definition
Aircrack-ng is a comprehensive suite of wireless security assessment tools that focus on IEEE 802.11 wireless LANs. The suite supports both Linux and Windows (via Cygwin) and includes tools for packet capture, network detection, deauthentication attacks, fake access point creation, and cryptographic key recovery. The primary components are airodump-ng (packet capture), aireplay-ng (packet injection), aircrack-ng (key cracking), and airmon-ng (interface management).
From a protocol perspective, wireless networks use the 802.11 standard, which organizes data into frames. The security mechanisms include WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access), and WPA2. Aircrack-ng targets weaknesses in these protocols. For WEP, the attack exploits statistical weaknesses in the RC4 cipher combined with the initialization vector (IV). By capturing enough IVs (typically 20,000 to 40,000 packets), the tool can recover the WEP key using the KoreK attack or PTW attack, both of which are built into aircrack-ng.
For WPA/WPA2-PSK, the approach is different. The attack captures the 4-way handshake between the client and the access point during authentication. This handshake contains cryptographically bound information derived from the Pre-Shared Key (PSK). The tool then performs an offline dictionary attack: it takes each candidate password from a wordlist, derives the Pairwise Master Key (PMK) using the PBKDF2 function with the SSID as a salt, and compares the result against the captured handshake. The computational cost is high because PBKDF2 involves thousands of hash iterations, which is why GPU acceleration or cloud-based cracking often supplements aircrack-ng.
Real IT implementation often involves using airmon-ng to switch a wireless interface into monitor mode. Monitor mode allows the card to capture all packets on a channel without associating with any network. Then airodump-ng is run to list nearby access points and their clients, capture packets, and log them to a file. If the target uses WPA, the attacker must wait for a client to authenticate or force a re-authentication using a deauthentication attack (aireplay-ng). The captured handshake file is then fed to aircrack-ng along with a wordlist.
Aircrack-ng also supports WPA2 with AES-CCMP, which is the standard for modern networks. While AES is secure, the vulnerability remains in the PSK if the password is weak. Tools like hashcat or John the Ripper are often used for faster cracking, but aircrack-ng remains relevant for automated workflows. The suite includes tools like airbase-ng for fake AP attacks and packetforge-ng for crafting custom packets.
Real-Life Example
Imagine you are a security guard at a small office building. The manager asks you to check whether the building's main door lock is strong enough. You have a set of tools: a lockpick set, a bump key, and a special device that can listen to the lock's internal clicks. That is similar to what Aircrack-ng does for Wi-Fi networks.
First, you walk around the building to see where the door is and which kind of lock it has. You note down the lock brand and model. This is like using airodump-ng to discover nearby wireless networks and their encryption types. You see that the lock is an old padlock, which is like finding a WEP-encrypted network.
Next, you stand near the door and start taking recordings of people unlocking it throughout the day. Every time a person inserts their key and turns it, the lock makes a specific sequence of clicks. You record many of these sequences. This is like capturing packets with airodump-ng and gathering initialization vectors (IVs) for a WEP network.
After a few days, you have enough recordings to analyze the clicking patterns. Using your tool, you find a pattern that reveals how the pins inside the lock are arranged. You can then reconstruct a master key that works every time. That is exactly how aircrack-ng cracks WEP: it collects enough IVs and statistically figures out the key.
Now, imagine a modern electronic lock that requires a password typed on a keypad. You cannot see the password being typed directly, but you can record the electrical signals as someone enters it. That recorded signal is like the WPA handshake. Then you take a list of commonly used passwords and try each one in a simulator to see which one produces the same signal pattern. This is the offline dictionary attack that aircrack-ng performs on WPA handshakes.
Why This Term Matters
Wireless networks are everywhere, from cafes and airports to corporate offices and hospitals. Because radio waves travel through walls and into public spaces, any device within range can potentially listen in. Without proper security, an attacker could capture sensitive data, inject malicious traffic, or use the network as a launchpad for further attacks. Aircrack-ng matters because it is one of the most accessible and powerful ways to test wireless security.
For IT professionals, especially those in cybersecurity, understanding how Aircrack-ng works is essential for conducting penetration tests. It allows them to demonstrate to management exactly how easy it is to break a WEP key or crack a weak WPA password. This evidence often drives security policy changes, such as moving to WPA3, implementing certificate-based authentication, or enforcing stronger password policies.
Aircrack-ng is not just for attack; it is also used for network monitoring. Network admins can use airodump-ng to identify rogue access points or detect clients trying to connect to malicious networks. The suite's deauthentication capability can be used (with permission) to force clients to reconnect, which can be part of a troubleshooting or security response procedure.
In the context of compliance and auditing, many security frameworks require periodic wireless assessments. Aircrack-ng provides a free, open-source method to verify that encryption is functioning correctly and that weak keys are not in use. It also helps in identifying hidden SSIDs, measuring signal strength, and mapping wireless coverage, which are all valuable for network planning and security posture assessment.
How It Appears in Exam Questions
Aircrack-ng appears in exam questions primarily in scenario-based formats. A common pattern is: "An attacker sits outside a building with a laptop and a wireless card. He uses a tool to capture packets and then runs another tool to recover the network password. Which set of tools is he using?" The answer choices include Aircrack-ng alongside Nmap, Wireshark, and Metasploit. The correct answer is Aircrack-ng, often specifically airodump-ng for capture and aircrack-ng for cracking.
Another typical question involves the WPA handshake capture. For example: "A security administrator sees an alert indicating that a large number of deauthentication frames were sent to a single client, immediately followed by a new client connection. What is the most likely purpose?" The answer is to capture the 4-way handshake for offline cracking using a tool like Aircrack-ng. This tests the link between deauth attacks and handshake capture.
Configuration-based questions sometimes present command output. For instance: "Given the following airodump-ng output, which field indicates the encryption type?" The answer would be the "Enc" column showing WEP, WPA, or WPA2. Alternatively, a candidate might see a command like "airodump-ng –bssid 00:11:22:33:44:55 –c 6 –w capture wlan0" and be asked what the –c flag specifies (the channel).
Troubleshooting questions can involve Aircrack-ng as well. For example: "A penetration tester successfully captures a WPA handshake but cannot crack the password. Which of the following is the most likely reason?" The answer could be that the wordlist does not contain the password, or that the handshake is incomplete. This type of question tests understanding of the offline dictionary attack's limitations.
Multiple-choice questions may also test the difference between WEP and WPA attacks. A common trap: "Which of the following attacks requires aircrack-ng to capture thousands of packets?" The correct answer is WEP cracking, because WPA only needs a single handshake. Candidates must know that the packet count requirement is opposite to what some might expect.
Finally, some questions focus on the legality and ethics: "An intern uses Aircrack-ng on the company's guest Wi-Fi without authorization. What is this classified as?" The answer is unauthorized access or a violation of policy, reinforcing the ethical use of these tools.
Practise Aircrack-ng Questions
Test your understanding with exam-style practice questions.
Example Scenario
You are a network administrator for a medium-sized company called BrightPath Solutions. The CEO recently read a news article about Wi-Fi hacking and wants to know if the company's wireless network is safe. Your task is to assess the security of the office Wi-Fi, which uses WPA2-PSK with a password that employees have been using for years.
You start by installing Aircrack-ng on a laptop that has a compatible wireless adapter. You put the adapter into monitor mode using airmon-ng, so it can see all wireless traffic without connecting to any network. Then you run airodump-ng to see what networks are nearby. You notice your company's SSID, "BrightPath_Office," is using channel 11 and has WPA2 encryption.
Next, you start capturing packets with airodump-ng, targeting only your company's access point. The capture file is saved as office_handshake.cap. However, you quickly realize that nobody is connecting at that moment, so you need a client to authenticate. You walk over to the break room where an employee's phone is connected. Using aireplay-ng, you send a deauthentication packet to that phone, which disconnects it from the network. The phone immediately tries to reconnect, and during that process, you capture the 4-way handshake. You now have the handshake in your capture file.
Now you need to crack the password. You have a wordlist of 10 million common passwords. You run aircrack-ng with your wordlist against the capture file. After a few minutes, the tool outputs the password: "BrightPath2020." It was in the wordlist because it is a simple variation of the company name and year. You report to the CEO that the password is crackable in minutes, and you recommend changing to a much stronger passphrase and enabling WPA3 if possible. This scenario teaches you that even WPA2 networks are only as strong as their passwords, and that Aircrack-ng can demonstrate this vulnerability quickly.
Common Mistakes
Thinking that Aircrack-ng can crack any Wi-Fi password instantly without any special conditions.
Aircrack-ng requires specific prerequisites: for WEP, thousands of captured packets; for WPA, a valid 4-way handshake and a wordlist that contains the password. Without these, cracking is impossible.
Understand that Aircrack-ng is not a magical password finder. It depends on vulnerabilities already present in the network (weak encryption, weak passwords) and on the capture of appropriate cryptographic material.
Assuming that aircrack-ng can crack WPA2 Enterprise passwords in the same way as WPA2-PSK.
WPA2-Enterprise uses 802.1X authentication with individual credentials (e.g., username and password via RADIUS). The handshake is different and does not contain a single pre-shared key that can be dictionary attacked with aircrack-ng.
Remember that aircrack-ng works against WPA/WPA2-PSK (personal mode), not Enterprise. For Enterprise, other techniques like RADIUS credential harvesting or evil twin attacks are needed.
Believing that capturing any wireless packets will allow you to crack the password immediately.
For WPA cracking, you specifically need the 4-way handshake, which only occurs when a client successfully authenticates. Regular data traffic does not contain the needed information to derive the PSK.
Always verify that the capture file contains the EAPOL handshake packets. You can check using Wireshark or by looking at aircrack-ng's output, which will show if a handshake was found.
Using aircrack-ng on a network that belongs to someone else without permission, thinking it is just a learning exercise.
Unauthorized use of wireless hacking tools is illegal in most jurisdictions under computer fraud and abuse laws. Even if no harm is intended, it violates privacy and can lead to criminal charges.
Only use Aircrack-ng on networks you own or have explicit written permission to test. Set up a lab with your own access points and devices for practice.
Confusing the roles of the different tools in the suite, e.g., using aircrack-ng for capturing packets.
Each tool in the suite has a specific function. airodump-ng captures packets, aireplay-ng handles injection, and aircrack-ng does the cracking. Using the wrong command will not produce the desired result.
Memorize the primary function of each tool: airmon-ng (manage monitor mode), airodump-ng (capture), aireplay-ng (inject), aircrack-ng (crack). In exam contexts, the question will test this distinction.
Exam Trap — Don't Get Fooled
{"trap":"The exam asks: \"Which tool is used to capture the 4-way handshake for offline cracking of WPA?\" and the options include both airodump-ng and aircrack-ng.","why_learners_choose_it":"Learners see the word 'cracking' and immediately think of the tool named 'aircrack-ng' without reading the question carefully.
They assume the tool that cracks the password also captures the handshake.","how_to_avoid_it":"Read the question for the action: capturing vs. cracking. The handshake is captured using airodump-ng.
aircrack-ng only processes the captured file. Always associate capture with airodump-ng and cracking with aircrack-ng."
Step-by-Step Breakdown
Enable monitor mode on the wireless interface
Use airmon-ng to put the wireless card into monitor mode. This allows the card to capture all packets on a channel without needing to associate with a network. It is the foundation for all other tools. Without monitor mode, the card would only see packets from its own connection.
Discover target networks and their clients
Run airodump-ng to scan all channels and list nearby access points, their BSSIDs, channels, encryption types, and associated clients. This step identifies the target network and provides the information needed to focus the capture.
Capture packets from the target network
Using airodump-ng with specific options (BSSID, channel, output file), capture data packets to a file. For WEP, you need thousands of packets. For WPA, you wait for a client to authenticate and capture the 4-way handshake. The output file is the raw material for cracking.
Force a client reconnection if needed (for WPA)
If no client is actively connecting, use aireplay-ng to send deauthentication frames to a connected client. This forces the client to disconnect and reconnect, during which the 4-way handshake is exchanged and captured. This step is unnecessary for WEP because data packets alone suffice.
Crack the captured key using aircrack-ng
Run aircrack-ng with the capture file and a wordlist. The tool attempts each word as the password. For WEP, it uses statistical attacks. For WPA, it performs a dictionary attack against the handshake. Success depends on the password being in the wordlist.
Verify the cracked key
After aircrack-ng displays the key, you should verify it by attempting to connect to the network using that password. This ensures that the capture and cracking process was successful and there were no errors.
Practical Mini-Lesson
Aircrack-ng is not a single command; it is a workflow. The typical professional use case begins with reconnaissance. You need a wireless card that supports monitor mode and packet injection, not all cards do. Common compatible chipsets include Atheros, Ralink, and some Realtek models. On Kali Linux, Aircrack-ng is pre-installed.
To start, run 'airmon-ng' to check your interfaces. Then 'airmon-ng start wlan0' creates a virtual interface, usually wlan0mon. This new interface is in monitor mode. At this point, you can run 'airodump-ng wlan0mon' to see everything. Press Ctrl+C to stop, and note the target BSSID and channel.
The real skill lies in capturing the right data. For WPA attacks, the handshake is the goal. A common mistake is to let airodump-ng run for hours and get gigabytes of data, but without a handshake, the crack will fail. You can check for handshakes in real time by looking at the top-right corner of the airodump-ng screen; it shows the BSSID and the number of handshakes captured (e.g., "WPA handshake: 00:11:22:33:44:55").
Professionals often combine Aircrack-ng with other tools. For faster cracking, they may use hashcat to offload the work to a GPU, converting the handshake to a hash format that hashcat understands (using a tool like cap2hccapx). This can speed up cracking by orders of magnitude. Some also use cloud-based cracking services.
What can go wrong? The most common issue is the deauthentication attack failing because the client does not reconnect automatically, or the capture file is corrupted. Another issue is running on a crowded channel with interference, causing packet loss. Also, some modern routers implement protection against deauth attacks, such as 802.11w (Protected Management Frames), which makes it harder to force a handshake.
Ethical considerations are paramount. Always have written authorization before testing any network. In a professional penetration test, you should also log all actions and produce a report detailing the findings, including the cracked password, the time it took, and the strength of the original password. This report becomes the basis for improving wireless security policies.
Memory Tip
Remember 'A-D-C': A for airodump-ng captures (Assemble data), D for aireplay-ng (Deauth), C for aircrack-ng (Crack the key).
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
200-301Cisco CCNA →N10-009CompTIA Network+ →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
N10-008N10-009(current version)SY0-601SY0-701(current version)Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
5G is the fifth generation of cellular network technology, designed to deliver faster speeds, lower latency, and support for many more connected devices than previous generations.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
Frequently Asked Questions
Do I need special hardware to run Aircrack-ng?
Yes. Most built-in laptop Wi-Fi cards do not support monitor mode or packet injection. You typically need an external USB wireless adapter with a chipset like Atheros or Ralink, and you must use Linux (or a live USB like Kali Linux).
Can Aircrack-ng crack WPA3?
No. WPA3 uses Simultaneous Authentication of Equals (SAE), which is resistant to offline dictionary attacks. Aircrack-ng is not designed to crack WPA3. Other vulnerabilities like the Dragonblood attack may exist, but they are not exploited by this tool.
How long does it take to crack a Wi-Fi password with Aircrack-ng?
It depends on the password strength and the wordlist. A weak password like 'password123' can be cracked in seconds if it is in the list. A 12-character random password with symbols and numbers may never be cracked with a standard wordlist. WEP can be cracked in under a minute with enough packets.
Is it legal to use Aircrack-ng on my own network?
Yes, as long as you own the network and the devices. However, if you are in a shared living situation (like an apartment), even testing the shared network without permission from the owner could be a violation of terms of service or local laws.
What is a good wordlist to use with Aircrack-ng?
Common choices include the rockyou.txt wordlist (containing millions of leaked passwords) or custom lists generated based on the target. For exam purposes, you do not need to remember specific wordlist names, just that the attack relies on a wordlist.
Why does my aircrack-ng command say 'No handshake found'?
This means the capture file does not contain a valid 4-way handshake. The client must successfully authenticate during the capture period. You need to either wait for a new client connection or use aireplay-ng to deauthenticate an existing client to trigger a reconnection.
Summary
Aircrack-ng is a vital tool in the wireless security toolkit, used for auditing the strength of WEP and WPA-PSK networks. It operates by capturing specific types of wireless traffic and using cryptographic weaknesses or dictionary attacks to recover the network key. For IT certification exams, you need to understand its role in the attack chain, the difference between WEP and WPA attacks, and the specific tools within the suite: airmon-ng, airodump-ng, aireplay-ng, and aircrack-ng.
The most common exam scenarios involve deauthentication attacks to capture a WPA handshake, followed by offline dictionary cracking. You should also remember that WEP requires many packets but no handshake, while WPA needs only the handshake but a strong wordlist. Misidentifying the tools or their functions is a frequent trap.
In the real world, Aircrack-ng demonstrates why weak passwords and outdated encryption are dangerous. IT professionals use it proactively to find and fix wireless vulnerabilities before attackers can exploit them. However, always use these tools ethically and legally. The key takeaway for your exam: Aircrack-ng captures and cracks, but only if the conditions are right, and knowing those conditions is what gets you the points.