Aircrack-ng for WEP and WPA Troubleshooting and Securing

The difference in WEP and WPA is that WEP applies a static method to use pre-shared keys for encryption. It uses the same key to encrypt all the data.This means a large number of packet transfers with the same key, which makes cracking easy. Second, one has to manually update all the client machines when a WEP key is changed on the network. This is not practical for large installs. WPA, on the other hand, uses a pre-shared key to derive temporary key, using which all the traffic is encrypted. So, WPA generates a unique key for each client and access point link.Morever, the pre-shared key is very rarely used, making it difficult for sniffers to crack the key. I would like to make one point clear here- one can crack WPA passwords if they are too simple. This is not a flaw in WPA, but in the network manager who sets the weak password.WPA takes long time to get cracked because normally it uses dictionary attacks to crack WPA.

We will now see how to sniff a wireless network with WEP security and use the sniffed packets to crack the password.

There are many popular wireless sniffing and key sniffing tools available for linux like Air Snort,Air Crack,Wire Shark,etc.I am using Air Crack.

Aircrack-ng is basically a suite of tools that are crafted to achieve the following major objectives:

  1. Capturing raw Wi-Fi packets in an intended airspace, on various channels of interest, and then analysing the captured packets to show various Wi-Fi networks and Wi-Fi clients that were operating during the collection time period.

  2. Breaking WEP and WPA PSK (pre-shared key)-type Wi-Fi networks by exploiting the known vulnerabilities of such networks.

  3. Injection/replay of Wi-Fi packets into the airspace.

  4. Exploitation of weaknesses present in various Wi-Fi clients, to establish fake connections with such clients, in order to launch man-in-the-middle type of attacks.

Aircrack-ng utilities


This tool is very basic, and is used primarily for enabling or disabling the monitor mode on a wireless interface. It is frequently used in combination with other tools. Monitor mode puts the wireless interface into promiscuous state, to enable it to sniff all the Wi-Fi data within range. You can also specify the channel for the monitor mode via this tool.

The basic usage is airmon-ng <start|stop> <interface> [channel], where <start|stop> indicates if you wish to start or stop the interface; <interface> specifies the interface name; [channel] optionally sets the card to a specific channel.



This tool captures raw Wi-Fi packets through the wireless interface that’s in monitor mode, and dumps them into one or more file formats. The dumped file can be used by other tools for specific analysis. Along with capturing the raw traffic, Airodump-ng also displays in the output screen, a list of detected Access Points (APs) and wireless clients. The list contains details; for APs, SSID, channel, encryption mechanism, authentication method, power level, etc. For wireless clients, the list shows the connected AP, power level, data rate, etc. Airodump-ng provides a variety of options, such as the use of a single channel or multiple channels for capturing, filtering output screen results on the basis of AP BSSID, etc. These option provide great flexibility in various scenarios. If one has a connected GPS receiver, then Airodump-ng can also log the coordinates of the found APs.

The basic usage is airodump-ng <options> <interface>, where <options> indicates one or more options to be used while running the tool; <interface> indicates the monitor mode interface to be used for capturing the Wi-Fi traffic. Some commonly used options are:


-f <msecs>

Time in milliseconds between hopping channels, if multiple channels are used.

–output-format <formats>

possible output formats are pcap, ivs, cvs, gps, kismet, netxml. The option can be specified multiple times if more than one output format is required.

–bssid <BSSID>

filter APs by BSSID value.

–channel <channels>

comma-separated list of channels for capture.

–write <prefix>

dump file prefix.


Example: If you wish to limit Wi-Fi data capture to a single AP with BSSID ‘00:11:22:33:44:55’ operating on channel ‘11’ using the interface ‘wlan0’, and write the captured data into a file with prefix ‘capture’ and output format ‘pcap’, then your command will be:


airodump-ng -c 11 –bssid 00:11:22:33:44:55 -w capture –output-format pcap wlan0



This is the main tool, used for recovering keys of WEP- and WPA PSK-based Wi-Fi networks. Aircrack-ng is able to break the WEP key once enough encrypted packets have been captured with Airodump-ng. The two methods used for breaking the WEP key are PTW and FMS/Korek method. PTW is the default, and requires few data packets, particularly ARP request/reply packets, to crack the WEP key. However, PTW is limited to breaking of 40- and 104-bit WEP keys. The FMS/Korek method incorporates brute-force cracking and other statistical mechanisms to discover the WEP key. It requires a relatively large number of captured data packets, and is often used when the PTW method fails.

For cracking WPA/WPA2 PSK, only the dictionary method is supported, for which a capture of four WPA handshake packets is required.

The basic usage is aircrack-ng <options> <capture file(s)>, where <capture file(s)> is a comma-separated list of captured-data files, either in .pcap or .ivs format. Some of the commonly used options are:


-a <amode> Forces either WEP (by specifying the value 1) or WPA/WPA2-PSK (specify 2) cracking.
-b <bssid> BSSID value (AP MAC address) is used to select the target network for key cracking. All data packets in the capture files that contain the same BSSID value are used for cracking.
-e <essid> The ESSID value is used to select the target network for key cracking, and thus use only corresponding data packets in the capture files.
-K Invokes the Korek WEP cracking method.
-z Invokes the PTW WEP cracking method (the default in the latest version).
-w <word-list path> Used to specify the path of a word-list file for the WPA dictionary attack.


Example: If you wish to recover the WEP key for an AP with the MAC address ‘00:11:22:33:44:55′, and the corresponding capture file is ‘output.cap’, then one needs to invoke Aircrack-ng as:


aircrack-ng -b 00:11:22:33:44:55 output.cap


If the command is successful, the WEP key for the target network will be displayed on the screen.


Example: If you wish to recover the WPA PSK for an AP with the MAC address ‘00:11:22:33:44:55′, using the word-list file ‘password.lst’ (required for a dictionary attack), and the corresponding capture file is ‘output.cap’, then one needs to run the command:

aircrack-ng -b 00:11:22:33:44:55 –w password.lst output.cap

If the command is successful, and the WPA PSK is contained in the word-list/dictionary file, then this key will be displayed on the screen.

Aircrack-ng includes many optimisations to standard key-cracking algorithms, and hence is much faster than other available Wi-Fi key cracking programs. One can run Aircrack-ng and Airodump-ng simultaneously, as Aircrack-ng will auto-update when new packets are captured by Airodump-ng. Aircrack-ng is widely used by hackers to recover keys of WEP and WPA/WPA2 PSK, to intrude into the network, while Wi-Fi penetration testers use the same tool to test the effectiveness of a WEP or WPA/WPA2-PSK key.



The primary goal of this tool is to generate Wi-Fi traffic to be used later by Aircrack-ng for cracking the WEP and WPA PSK keys. To achieve this goal, Aireplay is designed to implement the following attacks, which inject one or more Wi-Fi packets into the network:


  • De-authentication attack: Aireplay-ng can send de-authentication packets to one or more clients that are associated with an AP, in order to capture the WPA handshake, discover hidden SSIDs, or generate ARP requests (to be used in WEP cracking).

  • Fake authentication attack: In this attack, Aireplay-ng sends authentication and association packets to a WEP AP to associate with it. This may be needed when no clients are connected to the AP, and you need to generate Wi-Fi traffic to break the WEP key of the AP.

  • Interactive packet replay attack: In this attack, one can choose a specific packet to replay (inject), from the live flow of packets from the wireless card, or from a pcap format file. Replaying particular packets in a WEP Wi-Fi network can generate more traffic, which can be used by Aircrack-ng to recover the WEP key.

  • ARP request replay attack: This attack is very useful to generate enough ARP traffic that can be used by Aircrack-ng to break the WEP key using the PTW method. Here, Aireplay-ng listens for an ARP packet, and then retransmits it to the AP, which in turn generate an ARP packet again, which is then replayed once more by Aireplay-ng. This process is repeated until enough ARP packets (for WEP cracking) are generated by the AP.

  • Café Latte attack: This attack is useful to obtain the WEP key from an un-associated client. In this, Aireplay-ng listens for an ARP packet from the client, then modifies it and sends it back to the client, so that the client generates a new ARP packet. When enough ARP packets are generated by the client, encrypted correctly with the client WEP key, Aircrack-ng can be used to recover the WEP key from those packets.


The basic usage is aireplay-ng <options> <replay interface>, where <options> indicates the attack type and associated options and <replay interface> indicates the wireless interface to be used for replay (injection). Some of the common options are:


Attack options (select the attack type)

-0 De-authentication attack.


Fake authentication attack.


Interactive packet replay attack.


ARP request replay attack.


Café Latte attack.


Filter options (for filtering a packet from a source)

-b <bssid>

Mac address of the AP

-d <mac>

Destination MAC address

-s <mac>

Source Mac address

-m <len>

Minimum length of the packet

-n <len>

Maximum length of the packet

-u <type>

Type of packet

-v <subt>

Sub-type of packet


Replay options (To be used while replaying for a particular attack)

-x <nbpps>

Number of packets per second

-a <bssid>

Set AP MAC address

-c <dmac>

Set destination MAC address

-h <smac>

Set source MAC address


Source options (to select a source of packets for an interactive packet replay attack)

-r <file>: pcap file to be used for source of selection/filtering packets.


Example: If you wish to de-authenticate (disconnect) a client ‘00:0F:22:33:44:55′ associated to an AP with the MAC address ‘00:11:22:33:44:55′, using ‘wlan0’ as the replay interface, then you invoke Aireplay-ng as:


aireplay-ng -0 -a 00:11:22:33:44:55 -c 00:0F:22:33:44:55 wlan0



This tool is used to decrypt the WEP/WPA/WPA2 capture files. Also, it can be used to strip the wireless headers from an unencrypted wireless capture file. The output is a new file with the suffix as ‘-dec.cap’, which is basically the decrypted/stripped version of the input file. The basic usage is airdecap-ng <options> <pcap file>, where <pcap file> indicates the input pcap file. Some of the common options are:



Do not remove MAC header

-b <bssid>

Mac Address of the AP to select the packets in the input file for decryption

-k <pmk>

WPA/WPA2 Pairwise Master key in Hex

-w <key>

WEP key in Hex

-p <pass>

WPA/WPA2 passphrase

-e <essid>

SSID of the network to select the packets in the input file for decryption


Example: If you wish to decrypt the packets from a WPA network with the ESSID ‘decrypt-test’ and the pass-phrase ‘password’, from the input file ‘wpa.cap’ , then you need to invoke Airdecap-ng as:


airdecap-ng -e ‘decrypt-test’ -p password wpa.cap



People who are still unaware of Wi-Fi security weaknesses and loopholes, which can lead to intrusion and malicious attacks from outsiders, should learn that Aircrack-ng is really a great suite for testing your Wi-Fi set-up. With it, one can locate unwanted APs at an office place; check that authorised Wi-Fi networks are appropriately encrypted; and test the strength of the encryption pass-phrase and keys.


7 thoughts on “Aircrack-ng for WEP and WPA Troubleshooting and Securing

Add yours

  1. I can not participate now in discussion – there is no free time. But I will return – I will necessarily write that I think. 😀

  2. I’ve read several excellent stuff here. Certainly worth bookmarking for revisiting. I wonder how a lot attempt you place to create this type of great informative website.

  3. Pingback: URL

Join the Discussion

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

Blog at

Up ↑

%d bloggers like this: