Aircrack-ng Cheat Sheet
aircrack-ng is used to crack WEP and WPA/WPA2-PSK Wi‑Fi keys using captured packets or handshakes. It works together with tools like airodump-ng and aireplay-ng.
Supported Attacks
- WEP: IV-based statistical attacks
- WPA/WPA2-PSK: Dictionary / brute-force using captured handshakes
- PMKID: Offline cracking without deauth (if supported)
Basic Syntax
aircrack-ng [options] <capture.cap>
Crack WPA/WPA2 Handshake
aircrack-ng -w wordlist.txt handshake.cap
-w→ wordlisthandshake.cap→ capture with valid handshake
Tip
Handshake must be complete (Message 1–4).
Crack WPA with BSSID & ESSID
aircrack-ng -w rockyou.txt -b AA:BB:CC:DD:EE:FF capture.cap
PMKID Attack
aircrack-ng -w wordlist.txt pmkid.cap
Works when AP exposes PMKID during association.
Crack WEP
aircrack-ng wep_capture.cap
With IV count check:
aircrack-ng -n 64 wep_capture.cap
Specify Key Length (WEP)
aircrack-ng -n 128 wep.cap
Use Multiple Capture Files
aircrack-ng -w wordlist.txt *.cap
Show Cracking Progress
aircrack-ng -l found_key.txt -w wordlist.txt capture.cap
-l→ save cracked key
Common Workflow (WPA/WPA2)
airmon-ng start wlan0
airodump-ng wlan0mon
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon
aircrack-ng -w rockyou.txt capture-01.cap
Performance Tips
Tip
- Use small, targeted wordlists
- Prefer hashcat for GPU cracking
- Convert cap → hccapx for faster attacks
Common Errors
No valid WPA handshakes found
- Deauth client again
- Ensure correct channel
- Capture longer
KEY NOT FOUND
- Wordlist insufficient
- Try rules / larger lists
Related Tools
airodump-ng– capture packetsaireplay-ng– deauthenticationhashcat– GPU crackinghcxtools– PMKID extraction
Legal Notice
Danger
Use only on networks you own or have permission to test.