How To Crack WPA/WPA2 Wi-Fi Passwords Using Aircrack-ng

October 17, 2016 | Views: 313529

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

In this post I will tell you how to crack wpa/wpa2 wi-fi in kali linux using aircrack-ng. To do this,  first you should install kalinux or you can use live kali linux.
To make a kali-linux bootable click here.
To crack Wi-Fi,  first,  you need a computer with kali linux and a wireless card which supports monitor/injection mode. If your wireless card is not able to do this,  you need to get an external wireless card which is capable of monitor/injection mode.

Apart from these tools,  you need to have a word-list to crack the password from the captured packets.

First you need to understand how Wi-Fi works. Wi-Fi transmits signal in the form of packets in air so we need to capture all the packets in air so we use airodump to dump all the packets in air .After that we should see that if any one is connected to the victim Wi-Fi. If anyone is not connected the Wi-Fi, cracking is not possible as we need a wpa handshake. We can capture handshake by sending deauthentication packets to client connected to Wi-Fi. Aircrack cracks the password.


First open terminal. We need to know the name of the wireless adapter connected to the computer because computer has many adapters connected.

command for this is iwconfig.

In my case,  my wireless adapter is with the name wlan0. In your case, it may be different.  If connected to an external wireless card, it may be wlan1or2.


For some wireless cards, it gives error messages to enable monitor mode on wireless cards.  For that, you should use airmon-ng check kill.



In this step,  you need to enable the monitor mode on the wireless card. The command is as follows:

airmon-ng start wlan0(interface of wireless card).

Now this command will enable the monitor mode on the wifi card. So while using interface in any terminal or command line use wlan0mon.

Note:You should use the interface which is indicated with red mark.


          We need to use the command airodump-ng wlan0mon, this will display all the access points in your surroundings and also the clients connected to that access points.

Now this command captures the packets in the air. This will gather data from the wireless packets in the air.
Note:Do not close this terminal. This will be used to know wpa has been captured or not.
In this step we will add some parameters to airodump-ng.
command is airodump-ng -c channel –bssid [bssid of wifi] -w [path to write the data of packets]   wlan0mon[interface].
-bssid in my case bssid is indicated with red mark.
 -c channel is the channel of victim wifi in my case it is 10(see in previous screenshot for channel number)
-w It is used to write the captured data to a specified path in my case it is ‘/root/Desktop/hack’.
Interface in my case is wlan0mon.

In the above command the path /root/Desktop/hack  hack is the name of the file to be saved.

Above command displays this terminal.

In this step we deauthenticate the connected clients to the Wi-Fi.
The command is aireplay-ng –deauth 10 -a [router bssid] interface

In the above command it is optional to give the client mac address it is given by -c <client mac>
This will disconnects the client from access point.
Screen shot of a client connected to access point.

After this the client tries to connect to the Wi-Fi again. At that time, we will capture the packets which sends from client.  From this result, we will get wpa handshake.

Now we should start cracking the Wi-Fi with captured packets command for this is
aircrack-ng -b [bssid of router] -w [path to word list] [path to capture packets]
       -w path to word list in my case it is ‘/root/Desktop/wordlist.txt’
If you did not have word list, get one. If you want to generate your custom wordlist,  you can visit our other post: How generate word list using crunch.

Now press enter aircrack will start cracking the Wi-Fi.

Aircrack cracked Wi-Fi and key found.
Note:To use this method you need to have wordlist compulsory there are many wordlists available in internet you can download them.
This is my previous post on How To Create the Word list Click Here

    Leave a comment below in comment section if you have any related queries.

Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. using wordlist to hack wifi needs years literally, try fluxion instead.
    also a 8-11 number list or 8-10 i cant remember needs more than 1.5 terabyte

  2. Pls, can this work on Windows

  3. You need to increase the Wireless Card signal power in order to actually make the client deauthenticate from the access point do you know how to do this ?

    • yeah,
      ifconfig wlan0 down
      iw reg set BO or US
      iwconfig wlan0 txpower 30
      ifconfig wlan0 up

      you can put Bo OR US

      switch wlan0 with your own.

  4. Unless you want to specifically target someones wifi, I suggest you capture as many wifi handshakes around you as you can and just use the word lists you have and try crack as many with the word lists you have as eventually you should get a weak wifi password as you can try crack one wifi pass with tons of different word lists, but I have found to try only a few word lists on as many I can capture.

    I got lazy a while ago and created a lil python script to do the airmon – airodump – aireplay so all the specific wifi I want to target while driving would collect all the files ready for me to go back home and run the files on the laptop while I work and around %30-40 I get success as I have a very good word list, but I also try a lot of wifi’s, Allegedly 😛

  5. Depending on the length of the password of the WPA/WPA2, this would take pretty long time for a lengthy password right?

    • Correct. It may take you 5 hours to depending on the word list size to find out that there password is not in the dictionary.(though) you would be surprised on the simplicity of some peoples networks passwords.

      • I’ve done the math, and I agree. It does but more than just length, it can also involve what characters are used and how they’re arranged as well. A password as weak as 12345678 or password can take less than a second and doesn’t require downloading a list since aircrack-ng can work off of .txt files.
        On the other hand something a little more moderate like theyearis2016 for example would take a word list that would be at least a few Megabytes (under the condition the password is more likely to be in there) and would take somewhere around being lucky and nailing it first thing to a few days.
        However, suppose you were going for a password as complicated as Q239ec4d!. It’s feasible, but it could take somewhere around getting lucky to a FEW YEARS (which in this case also depends on processing power).
        At this point a word list won’t cut it unless you literally have 15 Exabytes of storage to waste on every single possible password for WPA2 (= 1000 Petabytes, and a Petabyte is 1000 Terabytes) However, as I said, it’s feasible. If for some reason you want to switch to combinations rather than word lists, or if you’re really determined to crack the password, I would recommend piping crunch to it. Here’s the syntax…

        crunch [min] [max] [options] | aircrack-ng -b [bssid of router] [path to capture packets]


        crunch 8 25 abcdef | aircrack-ng -b FF:FF:FF:FF:FF:FF ~/Desktop/Capture_packet.cap

Page 1 of 212»
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?