
Aircrack-ng Tutorial: Capture a WPA2 Handshake on Your Own Network

Aircrack-ng is the oldest and still the most portable suite of tools for Wi-Fi auditing on Linux. It gives you everything you need to turn an ordinary USB wireless card into a monitor-mode sniffer, scan the air for access points, target one by channel and BSSID, nudge an associated client into reconnecting, and dump the 4-way handshake into a .cap file you can crack offline or hand to a lab. This guide walks through the entire process on a 2026 Kali install, using only commands that work against a network you own. If you plan to audit anything you do not have written permission to touch, stop reading now — that is a crime in most places, and the rest of this page will not help you.

Legal boundary

Capturing a handshake from a network you do not own, even passively, crosses into unauthorized interception of electronic communications in most jurisdictions. Sending deauth frames at a network you do not own additionally violates computer-misuse law and radio-interference regulation. Every example command in this article assumes the SSID is yours, the BSSID is yours, and the client is a device you control. If that is not the case, bookmark the page for a lab exercise and close the tab.

Why aircrack-ng, in a world of hashcat and hcxtools

Aircrack-ng predates almost every other Wi-Fi tool in common use. It was written in 2006 around the airodump-ng sniffer and an in-suite cracker that targeted WEP, then grew to cover WPA and WPA2. Today the cracker part is largely superseded by hashcat, which runs on a GPU and is an order of magnitude faster, and by hcxtools, which handles captures more cleanly for hashcat mode 22000. What the suite still owns is the capture side: airmon-ng reliably flips almost any supported card into monitor mode, airodump-ng is the canonical sniffer, and aireplay-ng is the reference implementation of 802.11 injection. You use aircrack-ng to get the .cap. You use hashcat to crack it.

The suite ships out of the box on Kali and Parrot and is one apt install away on Debian, Ubuntu, and Arch. On macOS and Windows it is technically possible but dramatically less reliable because of driver limitations; this article assumes a Linux laptop with a supported USB card.

Installation on Kali and Debian-family Linux

On Kali, aircrack-ng is preinstalled. To confirm and update to the latest:

sudo apt update
sudo apt install -y aircrack-ng
aircrack-ng --help | head -n 5

On plain Debian 12 or Ubuntu 24.04 the same two commands install the entire suite (airmon-ng, airodump-ng, aireplay-ng, aircrack-ng, airbase-ng, packetforge-ng, ivstools, and a handful of helpers). On Arch use sudo pacman -S aircrack-ng. Verify the version is 1.7 or later; earlier releases have bugs in the WPA2 handshake detection and miss captures that modern routers produce.

You will also want a companion tool for the conversion step later:

sudo apt install -y hcxtools    # provides hcxpcapngtool

If apt does not have hcxtools in the stable repo of your distro, grab it from the upstream GitHub; the build is a one-liner and the binary is under 500 KB.

Step 1 — Identify the wireless interface

Plug your USB card in or turn on the internal radio, then ask the kernel what it sees:

iw dev
# Interface wlan0
#    ifindex 3
#    wdev 0x1
#    type managed
#    txpower 20.00 dBm

The interface you want is usually wlan0, occasionally wlx followed by a MAC (systemd predictable name). Write it down; every command below references it.

Step 2 — Kill NetworkManager and enter monitor mode

In normal (managed) mode the kernel only hands you frames addressed to your MAC. Monitor mode asks the driver to pass every 802.11 frame the radio can hear, including beacons, probes, and EAPOL handshakes that belong to other stations. Airmon-ng flips that switch and renames the interface by appending mon.

sudo airmon-ng check kill
sudo airmon-ng start wlan0

# expected output includes:
#   (monitor mode vif enabled on wlan0mon)
iw dev wlan0mon info    # should now show type monitor

The check kill step terminates wpa_supplicant and NetworkManager because they fight monitor mode by trying to reassociate your card every few seconds. Expect to lose internet on this interface until you bring managed mode back at the end.

If airmon-ng refuses to create the mon interface, your driver does not support monitor mode. USB cards based on the Atheros AR9271 (Alfa AWUS036NHA), RTL8812AU (Alfa AWUS036ACH), or MT7612U chipsets are the safest choices in 2026.

Step 3 — Scan the air with airodump-ng

Airodump-ng shows two live tables: access points (top) and associated stations (bottom). Run the unfocused scan first to locate your own SSID and note its BSSID and channel.

sudo airodump-ng wlan0mon

# top table columns of interest:
# BSSID               PWR  CH   ENC  ESSID
# AA:BB:CC:DD:EE:FF   -42  6    WPA2 MyHomeWiFi

# bottom table columns:
# BSSID               STATION           PWR  Rate
# AA:BB:CC:DD:EE:FF   11:22:33:44:55:66 -53  54e

Press Ctrl+C once you have your own BSSID and its channel. The PWR column is a negative signal number in dBm; closer to zero is stronger. If your own network reads worse than -70 dBm, move closer to the AP or your capture will be full of malformed frames.

Step 4 — Targeted capture on one channel

An unfocused capture hops across channels and misses frames. For a handshake you want the card pinned to the AP's channel, the BSSID as a filter, and a write target on disk:

sudo airodump-ng \
  -c 6 \
  --bssid AA:BB:CC:DD:EE:FF \
  -w capture \
  wlan0mon

# the header shows:
#  CH 6 ][ Elapsed: 42 s ][ 2026-04-21 14:33 ][ WPA handshake: AA:BB:CC:DD:EE:FF

When the WPA handshake marker appears in the top-right of the header, you have it. The -w capture flag writes capture-01.cap and a few companion files in the current directory. Leave airodump running another 10–20 seconds to let the full 4-way complete, then stop with Ctrl+C.

Step 5 — Trigger a reconnect with aireplay-ng (your device only)

A client already associated with the AP will not produce a handshake on its own. You have two options: wait for it to drop and reconnect organically (minutes to hours), or nudge it. On a network you own, with a client you own, the nudge is a short deauth burst:

# Deauth 3 frames, targeting your own phone only.
sudo aireplay-ng \
  --deauth 3 \
  -a AA:BB:CC:DD:EE:FF \
  -c 11:22:33:44:55:66 \
  wlan0mon

# --deauth 3    number of deauth frames (keep low)
# -a            AP BSSID
# -c            client MAC  (omit for broadcast deauth, which hits everyone — don't)

Three frames is plenty. Modern clients react to a single well-formed deauth and reassociate within a second. Flooding with hundreds of frames is noisy, stresses the AP, and trips some IDS sensors. The -c client filter is not optional on a shared network: omitting it sends a broadcast deauth that kicks every device, which in an apartment block hits your neighbours' devices too. That would be the unauthorized-access crime this tutorial avoids.

Switch back to the airodump terminal. Within two seconds you should see the WPA handshake marker appear. If it does not, wait, then fire another three-frame deauth. Five attempts in total is more than enough on any reasonable AP-client pair.

Step 6 — Verify the capture

Before you leave the target network's RF range, confirm the .cap contains a complete handshake. Aircrack-ng has a built-in sanity check:

aircrack-ng capture-01.cap

# Opening capture-01.cap
# Read 1834 packets.
#
#    #  BSSID              ESSID       Encryption
#    1  AA:BB:CC:DD:EE:FF  MyHomeWiFi  WPA (1 handshake)
#
# Choosing first network as target.

The (1 handshake) annotation is what you want. If you see (0 handshakes), airodump captured frames but not a complete 4-way. Run another deauth and extend the capture. For a deeper look at what a valid handshake contains see our handshake primer.
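To see what the (1 handshake) check is actually looking for, here is an added Python example (not part of aircrack-ng and not code from this page) that walks a classic pcap, picks out the EAPOL-Key frames, classifies each as M1 to M4 from its Key Information bits, and reports per AP/station pair which messages arrived. It embeds a constructed sample capture using the page's placeholder MAC addresses; the "usable" rule it applies is an assumed simplification of what real crackers check.

```python
import struct

KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 0x0040, 0x0080, 0x0100, 0x0200   # EAPOL-Key "Key Info" bits
LLC_EAPOL = b'\xaa\xaa\x03\x00\x00\x00\x88\x8e'   # LLC/SNAP header carrying EtherType 0x888E

def classify(key_info):
    """Map a Key Info field to its 4-way message number, or 0 if it matches none."""
    ack, mic = bool(key_info & KI_ACK), bool(key_info & KI_MIC)
    if ack and not mic:                               return 1  # AP -> STA, ANonce
    if mic and not ack and not key_info & KI_SECURE:  return 2  # STA -> AP, SNonce + MIC
    if ack and mic and key_info & KI_INSTALL:         return 3  # AP -> STA, ANonce + MIC
    if mic and not ack and key_info & KI_SECURE:      return 4  # STA -> AP, MIC only
    return 0

def eapol_messages(pcap):
    """Yield (bssid, station, msg_no) per unencrypted EAPOL-Key data frame (little-endian pcap assumed)."""
    linktype, off = struct.unpack('<I', pcap[20:24])[0], 24   # 105 = raw 802.11, 127 = radiotap
    while off + 16 <= len(pcap):
        caplen = struct.unpack('<I', pcap[off + 8:off + 12])[0]
        f, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if linktype == 127: f = f[struct.unpack('<H', f[2:4])[0]:]   # skip radiotap by its length
        if len(f) < 24 or (f[0] >> 2) & 3 != 2 or f[1] & 0x40 or f[1] & 3 in (0, 3):
            continue                                   # unprotected infrastructure data frames only
        bssid, sta = (f[10:16], f[4:10]) if f[1] & 2 else (f[4:10], f[10:16])   # FromDS vs ToDS
        body = f[26 if f[0] & 0x80 else 24:]           # QoS-Data adds a 2-byte QoS control field
        if len(body) >= 15 and body[:8] == LLC_EAPOL and body[9] == 3:   # EAPOL packet type 3 = Key
            yield bssid.hex(':'), sta.hex(':'), classify(struct.unpack('>H', body[13:15])[0])

def handshake_status(pcap):
    """Per (AP, station): sorted messages seen and a simplified usable flag (assumed: M1/M3 plus M2/M4)."""
    seen = {}
    for bssid, sta, n in eapol_messages(pcap):
        if n: seen.setdefault((bssid, sta), set()).add(n)
    return {k: (sorted(v), bool(v & {1, 3} and v & {2, 4})) for k, v in seen.items()}

# ---- constructed sample capture (not a real airodump-ng file) ----------------------------------
def key_frame(bssid, sta, from_ap, key_info, replay):
    fc = bytes([0x08, 0x02 if from_ap else 0x01])      # Data subtype 0 with FromDS or ToDS set
    a1, a2 = (sta, bssid) if from_ap else (bssid, sta)
    key = bytes([2]) + struct.pack('>HHQ', key_info, 16, replay) + bytes(32 + 16 + 8 + 8 + 16 + 2)
    return fc + b'\0\0' + a1 + a2 + bssid + b'\0\0' + LLC_EAPOL + bytes([1, 3]) + struct.pack('>H', len(key)) + key
def build_pcap(frames, linktype=105):
    hdr = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, linktype)
    return hdr + b''.join(struct.pack('<IIII', 0, 0, len(f), len(f)) + f for f in frames)
AP, PHONE, LAPTOP = (bytes.fromhex(h) for h in ('aabbccddeeff', '112233445566', '0a1b2c3d4e5f'))
SAMPLE = build_pcap([key_frame(AP, PHONE, True, 0x008a, 1), key_frame(AP, PHONE, False, 0x010a, 1),
                     key_frame(AP, PHONE, True, 0x13ca, 2), key_frame(AP, PHONE, False, 0x030a, 2),
                     key_frame(AP, LAPTOP, True, 0x008a, 7)])   # laptop: M1 only, reply never seen
```

Feed the bytes of capture-01.cap to handshake_status to get the same per-pair breakdown for a real file; a pair that shows only M1 is the "0 handshakes" case, since the station's MIC-bearing reply was never captured.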

Step 7 — Convert to hc22000 for hashcat

Cracking with aircrack-ng's own CPU cracker is a museum exercise today. Every serious workflow pushes the capture into hashcat mode 22000, which runs on a GPU at 10–100x the speed. The conversion is one command:

hcxpcapngtool -o handshake.hc22000 capture-01.cap

# summary lines of interest:
# EAPOL messages (total)..........: 12
# EAPOL pairs (total).............: 2
# EAPOL pairs (best)..............: 1
# EAPOL M1M2 ROGUE (total)........: 0
# EAPOL ANONCE error corrections..: 0

The resulting handshake.hc22000 is what hashcat wants. If you are unsure whether the conversion succeeded, upload it to the handshake analyzer — it parses the file and tells you which EAPOL messages are present and whether the hash is attackable. For format background and troubleshooting see the hccapx to hc22000 conversion guide.

Step 8 — Restore the card to managed mode

When you are done, bring the card back so you can get online again:

sudo airmon-ng stop wlan0mon
sudo systemctl start NetworkManager

NetworkManager restarts wpa_supplicant and reconnects you to your normal SSID. Confirm with nmcli dev wifi or the system tray icon.

Common failure modes

  • Airmon-ng creates the interface but airodump sees nothing. The card is on a different regulatory domain than the AP. Run sudo iw reg set US (or your country code) and try again. Some firmware will not listen on channels 12–13 or the DFS band without this.
  • Airodump shows WPA handshake but aircrack-ng says 0 handshakes. You captured M1 and M2 but not M3 and M4. Deauth once more, keep airodump running for 30 extra seconds, do not Ctrl+C prematurely.
  • Capture file is huge but nothing useful. The channel hopped because you forgot -c. Set the channel explicitly and re-capture.
  • Client never deauths. Some iOS and modern Android builds rate-limit their response to management frames. Try three deauth bursts 5 seconds apart, or physically toggle Wi-Fi on the client; the reconnect produces a genuine handshake.
  • Injection fails with "rate limiting reached". Your USB card is on a USB 2.0 hub and the kernel buffer is full. Move to a direct USB 3.0 port.

What aircrack-ng will not do in 2026

The suite dates from the WEP era and carries the assumptions of that era. There are three modern attack surfaces it does not cover:

  • PMKID-only capture. A single associate frame contains a PMKID that is crackable offline without a full 4-way. Aircrack-ng captures it (it is just an EAPOL-M1 frame) but does not extract it; hcxpcapngtool does, and passes it into the same mode 22000 pipeline.
  • WPA3-SAE. WPA3 replaces the PSK handshake with SAE, which does not yield an offline-verifiable transcript. Aircrack-ng can sniff SAE frames but cannot crack them. See the WPA3 vs WPA2 comparison for the protocol detail.
  • Modern enterprise WPA2/802.1X. RADIUS-backed WPA2-Enterprise does not use a shared PSK; the credentials are per-user EAP identities. Different suite, different article.

Lab environment recommendations

The cleanest way to practice without touching a network you do not own is a dedicated lab AP. A cheap router flashed with OpenWrt, set to WPA2-PSK with a known passphrase on channel 6, and air-gapped from your real home network, is the correct setup. Total cost under 30 USD. Isolate it in a Faraday bag or a metal box if you live close to neighbours and want to be certain your deauth traffic stays local. This is also the only way to practice aireplay-ng at higher packet rates without the ethical and legal footguns of open-air testing.

For troubleshooting workflow end-to-end, our full recovery guide maps every stage from capture to crack to deliverable password. For the command-line reference on Windows, macOS, and Linux outside the aircrack-ng suite, the CLI cheatsheet covers native OS tools.

Frequently asked questions

Can I do this on Windows with WSL?

Not realistically. WSL2 does not expose raw 802.11 frames to Linux userland because the Windows networking stack abstracts the radio. USB passthrough of a wireless card to WSL2 works in limited cases but monitor mode is broken on most drivers. Use a Kali Live USB or a dedicated Kali VM with a USB-passthrough wireless card.

Is there a GUI for this?

Yes, airoscript, Fern, and Wifite3 all wrap aircrack-ng. They are fine for learning but hide what is happening under the hood, which is the main value of running the CLI by hand once. Wifite3 in particular is well-maintained and runs the same commands you would type.

What if my router rotates the PTK during the session?

It does — modern WPA2 rekeys the session key every hour by default. None of that affects the initial 4-way handshake, which is the only part needed for cracking.

How long does the crack itself take?

Purely a function of password entropy and hardware. A 12-character random passphrase is safe. A human-chosen passphrase from a wordlist falls in hours on a single RTX 4090. See the hashcat 22000 tutorial for concrete numbers.

Is the .cap file useful on its own to law enforcement or a court?

Not typically. A capture proves the BSSID broadcast and a client reassociated at a given time. It does not prove the contents of encrypted traffic. Forensic value is narrow.

Captured your own handshake? Next step

Convert the .cap to hc22000 and run it through our GPU recovery service. See the authorized recovery form or read the hashcat 22000 tutorial to run the crack yourself.

Related reading

Protocol background: WPA vs WPA2 vs WPA3. Format conversion detail: hccapx to hc22000. Protect your own network: secure home WiFi guide.

Recap

  • Install aircrack-ng plus hcxtools (for the 22000 conversion).
  • Kill NetworkManager, start monitor mode on wlan0, verify with iw dev.
  • Unfocused airodump-ng to locate your SSID, then targeted capture pinned to the channel and BSSID.
  • Short, client-scoped deauth with aireplay-ng to trigger reconnect.
  • Verify with aircrack-ng, convert to hc22000, feed to hashcat or our recovery service.

Network tested: your own. Written authorization: yours. Keep it that way.