1.1 Introduction
Password hashing is the standard method operating systems use to store credentials securely. Instead
of storing passwords in plain text, systems convert them into irreversible hash values using
algorithms like MD5, SHA-256, SHA-512, or bcrypt. When a user logs in, the entered password is
hashed and compared against the stored hash. If the hashes match, access is granted.
If an attacker obtains these hashes — through a database breach, misconfigured permissions, or local
privilege escalation — they do not need to reverse the hash mathematically. Instead, they can guess
passwords, hash each guess with the same algorithm, and compare the results. This is where password
cracking tools like John the Ripper become essential.
This chapter covers John the Ripper (JTR), one of the most widely used password-cracking tools in the
security industry. You will learn how to install it, prepare hash files, run multiple attack types,
and interpret the results — all within the context of authorized security testing on Kali Linux.
1.2 What Is John the Ripper?
John the Ripper is an open-source password cracker originally developed for Unix systems by Solar
Designer in 1996. Its primary purpose is to detect weak passwords by testing hashed values against
dictionaries, brute-force strategies, and rule-based transformations.
The version shipped with Kali Linux is the John the Ripper jumbo build, which
extends the original with additional hash formats, performance optimizations, and extra attack modes
not found in the core version. This community-maintained fork supports hundreds of hash types and is
actively updated.
John operates entirely from the command line. It reads one or more files containing password hashes
and attempts to recover the original plaintext passwords. Cracked passwords are stored in a pot
file (~/.john/john.pot) so that previously recovered hashes are not re-tested
in future sessions.
1.3 Why It Is Used
- Password auditing — Verifying that user accounts on a system do not have weak
or easily guessable passwords.
- Penetration testing — Demonstrating the impact of a credential breach during an
authorized engagement.
- Security assessments — Evaluating the strength of password policies enforced by
an organization.
- Recovery of lost passwords — Regaining access to a system when the legitimate
password has been forgotten (where permitted).
- Hash format research — Analyzing and testing the resilience of various hashing
algorithms.
1.4 Features
- Multiple attack modes — Single crack mode, wordlist mode (with optional rules),
incremental mode, and mask mode.
- Broad hash format support — Handles DES, MD5, SHA-256, SHA-512 (crypt), NTLM,
Kerberos, ZIP, RAR, PDF, Office documents, and many more.
- Configurable rules engine — Applies transformations to wordlist entries
(capitalization, substitutions, appending digits, leet speak, etc.).
- Session management — Interrupted sessions can be resumed from the point they
were stopped.
- Multi-platform — Runs on Linux, Windows, macOS, and other Unix-like systems.
- Open source — Freely available under a permissive license; the jumbo build is
actively maintained by the community.
- Automatic format detection — Identifies most hash formats without manual
specification (though explicit specification is recommended).
- GPU acceleration — Supports OpenCL and CUDA for significantly faster cracking
on compatible hardware.
1.5 Installation
On Kali Linux, John the Ripper can be installed directly from the APT repositories:
Install Command
┌──(kali㉿kali)-[~]
└─$ sudo apt update && sudo apt install -y john
i
Information
Kali Linux typically has John pre-installed. Verify by running john --version
before installing. The Kali repository ships the jumbo build by default.
1.6 Prerequisites
Before using John the Ripper to crack system password hashes, ensure the following:
- Root access — Reading
/etc/shadow requires elevated privileges.
- Understanding of hash types — Know which algorithm was used to hash the
passwords (e.g., MD5 crypt, SHA-512 crypt, NTLM).
- Wordlist files — Dictionary-based attacks require a wordlist. Kali Linux
includes several by default:
| Path |
Description |
/usr/share/john/password.lst |
Default John the Ripper wordlist |
/usr/share/dict/ |
System dictionary files |
/usr/share/wordlists/ |
Additional wordlists (includes rockyou.txt) |
★
Pro Tip
The rockyou.txt wordlist contains over 14 million passwords. Install it with
sudo apt install wordlists and decompress with
gunzip /usr/share/wordlists/rockyou.txt.gz.
1.7 Basic Syntax
The general syntax for running John the Ripper is:
General Syntax
john [options] [password-file]
The password-file argument can be an unshadowed file, a file containing raw hashes, or
any file in a format John recognizes. Options control the attack mode, hash format, wordlist path,
and session behavior.
1.8 Most Important Commands
| Command |
Purpose |
sudo apt install john |
Install John the Ripper |
unshadow /etc/passwd /etc/shadow > unshadowed.txt |
Combine passwd and shadow files |
john --format=sha512crypt -single unshadowed.txt |
Single crack mode |
john --format=sha512crypt --wordlist=/usr/share/john/password.lst --rules unshadowed.txt
|
Dictionary attack with rules |
john --show unshadowed.txt |
Display cracked passwords |
john -restore |
Resume interrupted session |
1.9 Command Explanation
Unshadowing Password Files
On Linux systems, /etc/passwd stores account information while /etc/shadow
stores the actual password hashes. The unshadow utility merges these two files:
Unshadow Command
┌──(kali㉿kali)-[~]
└─$ sudo unshadow /etc/passwd /etc/shadow > unshadowed.txt
Single Crack Mode
Uses the GECOS field from /etc/passwd to generate fast password guesses:
Single Crack Mode
┌──(kali㉿kali)-[~]
└─$ john --format=sha512crypt -single unshadowed.txt
Dictionary Attack with Rules
Reads each word from a wordlist, applies mangling rules, and tests against hashes:
Dictionary Attack
┌──(kali㉿kali)-[~]
└─$ john --format=sha512crypt --wordlist=/usr/share/john/password.lst --rules unshadowed.txt
Displaying Cracked Passwords
Show Cracked Passwords
┌──(kali㉿kali)-[~]
└─$ john --show unshadowed.txt
Resuming an Interrupted Session
Resume Session
┌──(kali㉿kali)-[~]
└─$ john -restore
1.10 Common Flags
| Flag |
Description |
-single |
Enable single crack mode |
--wordlist=FILE |
Specify a wordlist file |
--rules |
Enable word mangling rules |
--show |
Display cracked passwords |
-restore |
Resume interrupted session |
--restore=NAME |
Resume a named session |
--session=NAME |
Name the current session |
--format=FORMAT |
Set hash format explicitly |
--incremental |
Brute-force all character combinations |
--mask=MASK |
Enable mask mode with pattern |
--users=LIST |
Crack only specified users |
--list=formats |
List all supported hash formats |
!
Important
Always specify --format explicitly to avoid auto-detection delays and potential
misidentification.
1.11 Practical Examples
Example 1: Preparing the Hash File
Prepare Hash File
┌──(kali㉿kali)-[~]
└─$ sudo unshadow /etc/passwd /etc/shadow > unshadowed.txt
Example 2: Single Crack Mode
Run Single Crack Mode
┌──(kali㉿kali)-[~]
└─$ john --format=sha512crypt -single unshadowed.txt
Example 3: Dictionary Attack with Rockyou
Rockyou Wordlist Attack
┌──(kali㉿kali)-[~]
└─$ john --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
Example 4: Viewing Results
View Results
┌──(kali㉿kali)-[~]
└─$ john --show unshadowed.txt
1.12 Expected Output
During Cracking
Example Output During Cracking
Loaded 5 password hashes with 5 different salts (crypt, generic crypt(3) [?/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:05 0.00% (ETA: 2025-01-15 10:30:00) 0g/s 234.5p/s 234.5c/s 234.5C/s
1g 0:00:00:12 20.00% (ETA: 2025-01-15 10:30:01) 1g/s 180.2p/s 180.2c/s 180.2C/s user1:password123
After Running --show
Example Output After --show
user1:password123
user3:letmein
admin:admin2024
3 password hashes cracked, 2 left
1.13 Real-World Use Cases
- Internal penetration test — After gaining initial access to a Linux server, an
auditor dumps
/etc/shadow, runs John offline, and uses cracked credentials to
pivot.
- Active Directory assessment — Hashes extracted from NTDS.DIT are cracked with
John in NTLM format to evaluate password strength across the domain.
- Compliance audit — An organization uses John to verify that no accounts have
weak passwords violating PCI-DSS or HIPAA policy.
- Application security review — Hashes from a compromised database are identified
and cracked to evaluate breach impact.
1.14 Best Practices
✓
Best Practice — Specify Hash Format
Always use --format to avoid auto-detection delays. Run
john --list=formats to see all supported formats.
✓
Best Practice — Order Your Attacks
Run in order of speed: single crack → wordlist with rules → incremental as last resort.
✓
Best Practice — Name Your Sessions
Use --session=name to give sessions descriptive names for easy resumption.
✓
Best Practice — Secure Hash Files
Delete hash files after use and clear the pot file at ~/.john/john.pot when
sharing the system.
1.15 Common Mistakes
⚠
Mistake — Forgetting Root Privileges
Attempting to read /etc/shadow without root will fail. Always use
sudo.
⚠
Mistake — Not Specifying Hash Format
Relying on auto-detection can cause slow cracking or incorrect format identification.
⚠
Mistake — Using Small Wordlists
The default John wordlist is small. Use rockyou.txt or custom wordlists for serious cracking.
1.16 Troubleshooting
Problem: "No password hashes loaded"
Cause: The hash file is empty, incorrectly formatted, or the format doesn't match.
Solution: Verify with cat unshadowed.txt and ensure format matches.
Problem: Cracking is extremely slow
Cause: Wrong hash format or using CPU instead of GPU.
Solution: Verify format and install GPU-enabled John build.
Problem: Session won't restore
Cause: Running from a different directory than where the session started.
Solution: Navigate to the original directory or use
--restore=/absolute/path.
1.17 Related Tools
| Tool |
Description |
| Hashcat |
GPU-accelerated password cracker; faster for many hash types |
| Hydra |
Online password cracker for services (SSH, FTP, HTTP) |
| Medusa |
Parallel online password cracker |
| CrackMapExec |
Post-exploitation tool with password cracking |
| cewl |
Custom wordlist generator that spiders websites |
1.18 Security Notes
🔒
Security — Legal Authorization Required
Password cracking without explicit written authorization is illegal. Always obtain proper
authorization and document your scope.
🔒
Security — Handle Cracked Passwords Securely
Do not store cracked passwords in plaintext. Securely delete hash files and the pot file
after your assessment.
1.19 Summary
John the Ripper remains one of the most versatile password cracking tools available. Its strength
lies in supporting hundreds of hash formats, multiple attack modes, and session resumption.
- Always use
unshadow to combine /etc/passwd and
/etc/shadow
- Specify the hash format explicitly with
--format
- Run attacks in order: single crack → wordlist with rules → incremental
- Use
--session=name to organize multiple sessions
- Always obtain proper authorization before cracking passwords
1.20 Quick Reference Cheat Sheet
| Task |
Command |
| Install John |
sudo apt install john |
| Check version |
john --version |
| List formats |
john --list=formats |
| Unshadow files |
sudo unshadow /etc/passwd /etc/shadow > unshadowed.txt |
| Single crack mode |
john --format=sha512crypt -single unshadowed.txt |
| Wordlist + rules |
john --format=sha512crypt --wordlist=wordlist.txt --rules unshadowed.txt
|
| Incremental mode |
john --format=sha512crypt --incremental unshadowed.txt |
| Mask mode |
john --format=sha512crypt --mask='?u?l?l?l?d?d?d' unshadowed.txt |
| Resume session |
john -restore |
| Show cracked |
john --show unshadowed.txt |
| Clear pot file |
rm ~/.john/john.pot |
2.1 Introduction
Network reconnaissance is the foundational phase of any penetration test or security assessment.
Before you can exploit a vulnerability, you must first understand what exists on the target network
— which hosts are alive, what ports are open, what services are running, and what operating systems
are in use. This intelligence-gathering process directly determines the attack surface you'll be
working with.
Nmap (Network Mapper) is the industry-standard tool for this phase. It has been the go-to network
scanner for over two decades, used by security professionals, network administrators, and
researchers worldwide. Whether you're scanning a single host or an entire enterprise subnet, Nmap
provides the capabilities needed to map the network accurately.
This chapter covers Nmap in depth — from basic host discovery to advanced NSE scripting. You will
learn to run efficient, stealthy scans and interpret the results to build a clear picture of the
target environment.
2.2 What Is Nmap?
Nmap is a free, open-source network scanner created by Gordon Lyon (Fyodor) in 1997. It is designed
to discover hosts and services on a computer network by sending specially crafted packets and
analyzing the responses. Nmap supports multiple scanning techniques including TCP SYN scanning, TCP
connect scanning, UDP scanning, and various ping sweeps.
Beyond simple port scanning, Nmap can detect service versions, operating systems, MAC addresses, and
even run custom scripts through its Nmap Scripting Engine (NSE). It outputs results in multiple
formats including interactive terminal output, XML, grepable output, and can even interface with
databases for large-scale scanning.
Nmap ships pre-installed on Kali Linux and is available for Windows, macOS, and other Unix-like
systems. Its combination of flexibility, accuracy, and extensibility has made it the most widely
used network scanner in the world.
2.3 Why It Is Used
- Host discovery — Identifying which IP addresses are active on a network before
targeting specific hosts.
- Port scanning — Determining which TCP and UDP ports are open on a target,
revealing running services.
- Service version detection — Identifying the specific software and version
running on each open port.
- Operating system detection — Fingerprinting the target's OS based on network
stack behavior.
- Vulnerability scanning — Using NSE scripts to detect known vulnerabilities on
open services.
- Network inventory — Maintaining an up-to-date map of network assets for
security auditing.
- Firewall testing — Evaluating the effectiveness of firewall rules and intrusion
detection systems.
2.4 Features
- Multiple scan types — SYN scan (-sS), Connect scan (-sT), UDP scan (-sU), ACK
scan (-sA), FIN scan (-sF), and more.
- Service version detection (-sV) — Probes open ports to determine service name,
version, and sometimes configuration details.
- OS fingerprinting (-O) — Sends a series of packets and compares responses
against a database of known OS signatures.
- Nmap Scripting Engine (NSE) — Over 600 scripts for vulnerability detection,
exploitation, and information gathering.
- Timing templates (-T0 through -T5) — Control scan speed from paranoid (very
slow and stealthy) to insane (very fast but noisy).
- Multiple output formats — Normal (-oN), XML (-oX), Grepable (-oG), and JSON for
integration with other tools.
- Host discovery methods — ARP ping, ICMP ping, TCP ping, and reverse-DNS for
flexible host detection.
- Target specification — Supports IP ranges, CIDR notation, hostnames, and
reading targets from files.
- Decoy scanning (-D) — Spoofs source addresses to obscure the real scanner's IP.
- Fragmentation (-f) — Splits packets into tiny fragments to evade simple IDS/IPS
rules.
2.5 Installation
Nmap comes pre-installed on Kali Linux. If for some reason it is not available, install it with:
Install Nmap
┌──(kali㉿kali)-[~]
└─$ sudo apt update && sudo apt install -y nmap
Verify the installation:
Verify Installation
┌──(kali㉿kali)-[~]
└─$ nmap --version
Nmap version 7.95 ( https://nmap.org )
i
Information
For the graphical interface (Zenmap), install it separately with
sudo apt install zenmap. Zenmap provides a point-and-click interface and scan
comparison features.
2.6 Prerequisites
- Network access — You need network connectivity to the target(s). Physical
network access or VPN connection as per your engagement scope.
- Root/sudo privileges — SYN scans, OS detection, and some NSE scripts require
raw packet generation, which needs root.
- Proper authorization — Scanning networks without authorization is illegal in
most jurisdictions. Ensure you have a signed scope document.
- Understanding of TCP/IP — Knowledge of the TCP three-way handshake, common
ports, and protocol behavior is essential for interpreting results.
- Target scope — Know exactly which IP ranges, hosts, and ports you are
authorized to scan.
2.7 Basic Syntax
General Syntax
nmap [Scan Type(s)] [Options] {target specification}
Target specification can be:
- A single host:
192.168.1.1
- A range:
192.168.1.1-100
- CIDR notation:
192.168.1.0/24
- A hostname:
target.example.com
- From a file:
-iL targets.txt
- Excluding hosts:
192.168.1.0/24 --exclude 192.168.1.50
2.8 Most Important Commands
| Command |
Purpose |
sudo nmap -sS 192.168.1.0/24 |
SYN scan of entire subnet |
sudo nmap -sV -sC 192.168.1.100 |
Version detection + default NSE scripts |
sudo nmap -A 192.168.1.100 |
Aggressive scan (OS, version, scripts, traceroute) |
sudo nmap -sU --top-ports 100 192.168.1.100 |
Top 100 UDP ports scan |
sudo nmap -p- 192.168.1.100 |
Scan all 65535 TCP ports |
sudo nmap -sn 192.168.1.0/24 |
Host discovery only (no port scan) |
sudo nmap -O 192.168.1.100 |
Operating system detection |
sudo nmap -sS -p- -T4 192.168.1.100 |
Full port SYN scan with aggressive timing |
2.9 Command Explanation
SYN Scan (Stealth Scan)
The SYN scan (-sS) is the default scan type when running as root. It sends a SYN packet and waits for
a response. If it receives a SYN-ACK, the port is open. It then sends an RST to tear down the
connection before it's fully established. This makes it faster and stealthier than a full connect
scan.
SYN Scan
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS 192.168.1.100
Service Version Detection
Version detection (-sV) probes open ports to determine the service name, version number, and
sometimes additional details like device type or OS. This information is critical for identifying
known vulnerabilities.
Version Detection
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV 192.168.1.100
Aggressive Scan
The -A flag enables OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute
(--traceroute) in a single command. It is the most comprehensive scan but also the noisiest.
Aggressive Scan
┌──(kali㉿kali)-[~]
└─$ sudo nmap -A 192.168.1.100
Host Discovery (Ping Scan)
The -sn flag tells Nmap to only perform host discovery — determining which hosts are up — without
scanning any ports. This is useful for mapping a network before detailed scanning.
Host Discovery
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sn 192.168.1.0/24
Full Port Scan
By default, Nmap scans only the top 1000 most common ports. The -p- flag scans all 65535 TCP ports,
ensuring no open services are missed.
Full Port Scan
┌──(kali㉿kali)-[~]
└─$ sudo nmap -p- -T4 192.168.1.100
2.10 Common Flags
| Flag |
Description |
-sS |
TCP SYN scan (stealth; requires root) |
-sT |
TCP connect scan (full handshake; works without root) |
-sU |
UDP scan |
-sV |
Probe open ports for service version info |
-sC |
Run default NSE scripts |
-O |
Enable OS detection |
-A |
Aggressive mode (OS + version + scripts + traceroute) |
-p- |
Scan all 65535 ports |
-p 80,443,8080 |
Scan specific ports |
--top-ports N |
Scan the top N most common ports |
-sn |
Host discovery only (no port scan) |
-Pn |
Skip host discovery; treat all hosts as up |
-T0 through -T5 |
Timing template (0=paranoid, 5=insane) |
-oN file.txt |
Output results in normal format to file |
-oX file.xml |
Output results in XML format |
-oG file.gnmap |
Output in grepable format |
-v / -vv |
Verbose / very verbose output |
-D RND:10 |
Use decoys to obscure scanner IP |
-f |
Fragment packets (evade simple IDS) |
--script=SCRIPT |
Run specific NSE script(s) |
-iL file.txt |
Read targets from a file |
--exclude host |
Exclude a host from scanning |
2.11 Practical Examples
Example 1: Quick Network Sweep
Host Discovery Scan
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sn 192.168.1.0/24
Quickly identifies all live hosts on the /24 subnet without scanning any ports.
Example 2: Standard Port Scan
Default SYN Scan
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS 192.168.1.100
Scans the top 1000 TCP ports using SYN scan technique.
Example 3: Comprehensive Target Scan
Full Scan with Version and Scripts
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -sV -sC -p- -T4 -oN scan_results.txt 192.168.1.100
Full port SYN scan with version detection, default scripts, aggressive timing, and results saved to
file.
Example 4: UDP Scan
Top UDP Ports
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU --top-ports 100 192.168.1.100
Scans the top 100 most common UDP ports. UDP scanning is slower than TCP, so limiting the port range
is recommended.
Example 5: Vulnerability Scanning with NSE
Vuln Scan
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV --script vuln 192.168.1.100
Runs all vulnerability-detection NSE scripts against the target. Useful for finding known CVEs on
open services.
Example 6: Stealthy Scan with Decoys
Decoy Scan
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -T2 -D RND:5 192.168.1.100
Uses 5 random decoy IPs and paranoid timing to make the scan harder to attribute to your IP.
2.12 Expected Output
Standard Port Scan Output
Example Output
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-15 10:00 EST
Nmap scan report for 192.168.1.100
Host is up (0.0034s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6
80/tcp open http Apache httpd 2.4.52
443/tcp open ssl/https Apache httpd 2.4.52
3306/tcp open mysql MySQL 8.0.35-0ubuntu0.22.04.1
8080/tcp open http-proxy Squid http proxy 4.13
Nmap done: 1 IP address (1 host up) scanned in 2.45 seconds
The output shows each port's state (open/closed/filtered), the service name, and the version string.
The STATE column is critical: open means the port is accepting
connections, filtered means a firewall is blocking it, and closed
means no service is listening but the host responded.
Aggressive Scan Output
Example Aggressive Output
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-15 10:05 EST
Nmap scan report for 192.168.1.100
Host is up (0.0034s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 a1:b2:c3:d4:e5:f6:... (ECDSA)
|_ 256 f6:e5:d4:c3:b2:a1:... (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-title: Apache2 Ubuntu Default Page
|_http-server-header: Apache/2.4.52 (Ubuntu)
443/tcp open ssl/https Apache httpd 2.4.52
OS details: Linux 5.15 - 6.1, Ubuntu 22.04
Network Distance: 2 hops
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 1.2 ms 192.168.1.1
2 3.4 ms 192.168.1.100
Nmap done: 1 IP address (1 host up) scanned in 14.23 seconds
2.13 Real-World Use Cases
- External penetration test — Scanning a company's public IP ranges to identify
exposed services before attempting exploitation.
- Internal network assessment — Mapping an internal network to discover forgotten
servers, unauthorized devices, or misconfigured services.
- Web application reconnaissance — Identifying web servers, backend databases,
and administrative interfaces on a target host.
- IoT device discovery — Scanning a network segment to find IoT devices and their
exposed management interfaces.
- Firewall rule validation — Scanning from outside a firewall to verify that only
intended ports are accessible.
- Incident response — Rapidly scanning a compromised network to identify attacker
infrastructure or lateral movement paths.
- CTF competitions — Discovering hidden services and ports on CTF challenge
machines.
2.14 Best Practices
✓
Best Practice — Always Save Your Results
Use -oN, -oX, or -oA (all formats) to save scan
results. You will always need to reference them later.
✓
Best Practice — Start Broad, Then Narrow
Begin with host discovery (-sn), then a quick port scan, then full port scan with version
detection on interesting targets.
✓
Best Practice — Use Appropriate Timing
Use -T3 for normal scans, -T4 for fast scans on stable networks, and -T1/T2 for stealth.
Avoid -T5 unless you're on a local, low-latency network.
✓
Best Practice — Scan All Ports When It Matters
The default top-1000 scan misses non-standard ports. Use -p- for thorough
assessments, especially on CTF machines and external targets.
✓
Best Practice — Leverage NSE Scripts
Use --script vuln for vulnerability detection, --script auth for
brute-forcing, and --script discovery for information gathering.
2.15 Common Mistakes
⚠
Mistake — Scanning Without Authorization
Scanning networks you don't own or don't have permission to test is illegal. Always get
written authorization first.
⚠
Mistake — Only Scanning Default Ports
Services on non-standard ports (e.g., SSH on 2222, HTTP on 8080) will be missed if you only
scan defaults.
⚠
Mistake — Ignoring Filtered Ports
Filtered ports often indicate a firewall. These are worth investigating — they may hide
services accessible from other network segments.
⚠
Mistake — Not Saving Results
Running scans without output flags means you lose the data as soon as the terminal clears.
Always save to file.
⚠
Mistake — Running Aggressive Scans on Production
Using -A or -T5 on production systems can crash services or trigger IDS alerts. Use
appropriate timing and scan types.
2.16 Troubleshooting
Problem: "You requested a scan type which requires root privileges"
Cause: SYN scans, OS detection, and some scripts need raw socket access.
Solution: Run with sudo or use -sT for non-root connect
scans.
Problem: All ports show as "filtered"
Cause: A firewall is dropping all packets, or host discovery is failing.
Solution: Try -Pn to skip host discovery, or use -sT which
may bypass some firewall rules.
Problem: Scan is extremely slow
Cause: UDP scanning is inherently slow, or timing is too conservative.
Solution: Use -T4 for faster scanning. For UDP, limit ports with
--top-ports.
Problem: OS detection shows "No exact OS matches"
Cause: The target has few open ports, giving Nmap insufficient data for
fingerprinting.
Solution: Scan more ports with -p- and combine with -sV
for better OS detection accuracy.
2.17 Related Tools
| Tool |
Description |
| Masscan |
Mass IP port scanner; can scan the entire internet in minutes |
| RustScan |
Fast port scanner that pipes results into Nmap for service detection |
| Unicornscan |
Asynchronous scanner with its own packet injection engine |
| Nessus |
Commercial vulnerability scanner with Nmap-like discovery |
| OpenVAS |
Open-source vulnerability scanner with network scanning capabilities |
| Zenmap |
Graphical frontend for Nmap with profile management |
| Autorecon |
Automated network reconnaissance tool that wraps Nmap and other tools |
2.18 Security Notes
🔒
Security — Legal Requirements
Port scanning without authorization is illegal under the Computer Fraud and Abuse Act (CFAA)
in the US and similar laws in other countries. Even "just scanning" can be prosecuted.
🔒
Security — Scan Reports Contain Sensitive Data
Nmap output reveals your target's infrastructure details. Store reports securely and encrypt
them in transit.
🔒
Security — Defending Against Nmap
Use firewalls to limit exposed ports, implement IDS/IPS with Nmap detection signatures, and
use port knocking for sensitive services.
2.19 Summary
Nmap is the cornerstone tool of network reconnaissance. Mastering its scan types, timing options, and
NSE scripting will make you significantly more effective in any security engagement.
- Start with host discovery (-sn) to map the network
- Use SYN scan (-sS) as your default scan type
- Always scan all ports (-p-) for thorough assessments
- Add version detection (-sV) and scripts (-sC) for detailed intelligence
- Save results with -oN, -oX, or -oA for reporting and analysis
- Adjust timing templates based on network conditions and stealth requirements
2.20 Quick Reference Cheat Sheet
| Task |
Command |
| Host discovery |
sudo nmap -sn 192.168.1.0/24 |
| Quick port scan |
sudo nmap -sS 192.168.1.100 |
| Full port scan |
sudo nmap -p- -T4 192.168.1.100 |
| Version detection |
sudo nmap -sV 192.168.1.100 |
| Aggressive scan |
sudo nmap -A 192.168.1.100 |
| OS detection |
sudo nmap -O 192.168.1.100 |
| UDP top 100 |
sudo nmap -sU --top-ports 100 192.168.1.100 |
| Vuln scan |
sudo nmap -sV --script vuln 192.168.1.100 |
| Stealthy scan |
sudo nmap -sS -T1 -D RND:5 192.168.1.100 |
| Save all formats |
sudo nmap -sV -oA results 192.168.1.100 |
| Scan from file |
sudo nmap -sS -iL targets.txt |
| Specific ports |
sudo nmap -sS -p 22,80,443 192.168.1.100 |
| Skip host discovery |
sudo nmap -Pn -sS 192.168.1.100 |
| List NSE scripts |
nmap --script-help="categories" |
3.1 Introduction
Before attacking a network, you must understand its topology — what devices are connected, how they
communicate, and what interfaces are available. On a wired local network, ARP (Address Resolution
Protocol) scanning reveals live hosts by mapping IP addresses to MAC addresses. On wireless
networks, putting your adapter into monitor mode allows you to capture all radio frames in the air,
not just those addressed to you.
This chapter covers two complementary skill sets: using ARP scanning tools like arp-scan
and arping to discover wired network hosts, and using the aircrack-ng
suite's airmon-ng to enable monitor mode on wireless adapters for packet capture and
analysis.
Both techniques are foundational for any local network assessment. Whether you're on a corporate
pentest or a CTF challenge, knowing how to enumerate local hosts and capture wireless traffic is
essential.
3.2 What Are These Tools?
arp-scan
arp-scan is a tool that sends ARP request packets to a range of IP addresses and listens
for ARP replies. Any device that responds is confirmed to be active on the local network. It
operates at Layer 2, making it more reliable than ICMP ping for local host discovery since it
bypasses firewalls that block ICMP.
arping
arping is a simpler tool that sends ARP or ICMP packets to a single host to verify its
presence on the network. It is useful for quickly checking if a specific IP is alive and resolving
its MAC address.
airmon-ng
airmon-ng is part of the Aircrack-ng suite. It manages wireless network interface modes,
specifically enabling and disabling monitor mode. Monitor mode allows a wireless adapter to capture
all frames on the channel it's tuned to, regardless of the destination MAC address — essentially
turning your adapter into a passive sniffer.
3.3 Why They Are Used
- Local host discovery — Finding all devices on a LAN segment, including those
that block ICMP.
- Network mapping — Building a picture of the local network topology with
IP-to-MAC mappings.
- Rogue device detection — Identifying unauthorized devices connected to the
network.
- Wireless reconnaissance — Capturing wireless frames for analysis, including
beacon frames, handshakes, and data packets.
- Pre-engagement reconnaissance — Understanding the wireless environment (SSIDs,
channels, encryption types) before targeting.
- ARP spoofing preparation — Identifying target MAC addresses needed for
man-in-the-middle attacks.
3.4 Features
arp-scan Features
- Sends ARP requests and displays responses with IP, MAC, and hardware manufacturer
- Supports multiple network interfaces
- Can specify custom ARP data patterns
- Detects duplicate IP addresses (ARP conflict detection)
- Can load a custom MAC/Vendor mapping file
airmon-ng Features
- Enables monitor mode on supported wireless adapters
- Kills interfering processes that may disrupt capture
- Lists available wireless interfaces and their current mode
- Checks for wireless driver and chipset compatibility
- Manages virtual monitor interfaces
3.5 Installation
Install arp-scan and arping
Install ARP Tools
┌──(kali㉿kali)-[~]
└─$ sudo apt update && sudo apt install -y arp-scan arping
Install Aircrack-ng Suite
Install Aircrack-ng
┌──(kali㉿kali)-[~]
└─$ sudo apt update && sudo apt install -y aircrack-ng
i
Information
Both tools are typically pre-installed on Kali Linux. Verify with
arp-scan --version and airmon-ng --version before installing.
3.6 Prerequisites
- Network interface — An active network interface connected to the target LAN
(wired for ARP, wireless for airmon-ng).
- Root/sudo privileges — ARP packet injection and wireless mode changes require
elevated privileges.
- Compatible wireless adapter — For monitor mode, you need an adapter with
chipset that supports monitor mode and packet injection (e.g., Atheros, Ralink, Realtek
RTL8812AU).
- Correct wireless drivers — Some adapters require specific drivers. Check
airmon-ng compatibility lists.
- Same subnet — ARP scanning only works within your broadcast domain (same Layer
2 segment).
★
Pro Tip — USB Wireless Adapters
For WiFi assessments, external USB adapters with the RTL8812AU or Atheros AR9271 chipsets are
widely recommended. Internal laptop adapters often lack monitor mode support.
3.7 Basic Syntax
arp-scan
arp-scan Syntax
arp-scan [options] [target specification]
arping
arping Syntax
arping [options] destination
airmon-ng
airmon-ng Syntax
airmon-ng [start|stop|check|kill] [interface]
3.8 Most Important Commands
| Command |
Purpose |
sudo arp-scan -l |
Scan the local subnet for live hosts |
sudo arp-scan 192.168.1.0/24 |
Scan a specific subnet |
sudo arping -c 3 192.168.1.1 |
Send 3 ARP pings to a single host |
sudo airmon-ng |
List wireless interfaces and their status |
sudo airmon-ng check kill |
Kill interfering processes |
sudo airmon-ng start wlan0 |
Enable monitor mode on wlan0 |
sudo airmon-ng stop wlan0mon |
Disable monitor mode |
3.9 Command Explanation
Scanning the Local Subnet with arp-scan
The -l flag tells arp-scan to automatically determine the local subnet based on the
interface's IP address and netmask, then scan all addresses in that range:
Local Subnet Scan
┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l
Pinging a Single Host with arping
Use arping to quickly verify if a specific host is reachable at Layer 2:
Single Host ARP Ping
┌──(kali㉿kali)-[~]
└─$ sudo arping -c 3 192.168.1.1
Checking Wireless Interfaces
Before enabling monitor mode, check which wireless interfaces are available and their current state:
List Wireless Interfaces
┌──(kali㉿kali)-[~]
└─$ sudo airmon-ng
Killing Interfering Processes
NetworkManager, wpa_supplicant, and other services can interfere with monitor mode. Kill them before
proceeding:
Kill Interfering Processes
┌──(kali㉿kali)-[~]
└─$ sudo airmon-ng check kill
Enabling Monitor Mode
Start Monitor Mode
┌──(kali㉿kali)-[~]
└─$ sudo airmon-ng start wlan0
This creates a new virtual interface (typically wlan0mon) in monitor mode. All capture
tools should use this interface.
Disabling Monitor Mode
Stop Monitor Mode
┌──(kali㉿kali)-[~]
└─$ sudo airmon-ng stop wlan0mon
After disabling monitor mode, restart NetworkManager with
sudo systemctl start NetworkManager to restore normal WiFi connectivity.
3.10 Common Flags
| Flag |
Tool |
Description |
-l |
arp-scan |
Use local network configuration for target range |
-I eth0 |
arp-scan |
Specify the network interface to use |
-r file.txt |
arp-scan |
Read target IPs from a file |
-c N |
arping |
Send N ARP requests |
-D |
arping |
Duplicate address detection mode |
-I eth0 |
arping |
Specify source interface |
-U |
arping |
Send unsolicited ARP (gratuitous ARP) |
start |
airmon-ng |
Enable monitor mode on specified interface |
stop |
airmon-ng |
Disable monitor mode |
check |
airmon-ng |
List interfering processes |
check kill |
airmon-ng |
Kill all interfering processes |
3.11 Practical Examples
Example 1: Quick Local Network Scan
Scan Local Subnet
┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l
This is the most common arp-scan command. It automatically detects your subnet and scans all
addresses.
Example 2: Scan Specific Subnet on Specific Interface
Targeted Subnet Scan
┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -I eth0 10.0.0.0/24
Useful when you have multiple interfaces and need to scan from a specific one.
Example 3: Verify Gateway Connectivity
Ping Gateway
┌──(kali㉿kali)-[~]
└─$ sudo arping -c 3 192.168.1.1
Example 4: Complete WiFi Monitor Mode Workflow
Full Monitor Mode Setup
┌──(kali㉿kali)-[~]
└─$ sudo airmon-ng check kill
┌──(kali㉿kali)-[~]
└─$ sudo airmon-ng start wlan0
PHY Interface Driver Chipset
phy0 wlan0 rt2800usb Ralink Technology, Corp. RT5370
(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
┌──(kali㉿kali)-[~]
└─$ sudo airodump-ng wlan0mon
This complete workflow: kills interfering processes, enables monitor mode, then starts airodump-ng to
capture wireless traffic.
Example 5: Restoring Normal WiFi
Restore Managed Mode
┌──(kali㉿kali)-[~]
└─$ sudo airmon-ng stop wlan0mon
┌──(kali㉿kali)-[~]
└─$ sudo systemctl start NetworkManager
3.12 Expected Output
arp-scan Output
Example arp-scan Output
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.10.0 with 256 hosts
192.168.1.1 00:11:22:33:44:55 (Unknown)
192.168.1.50 aa:bb:cc:dd:ee:ff (Apple Inc.)
192.168.1.100 11:22:33:44:55:66 (Intel Corporate)
192.168.1.150 66:77:88:99:aa:bb (Samsung Electronics Co.,Ltd)
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.321 seconds (110.21 hosts/sec)
4 responded
Each line shows the IP address, MAC address, and the hardware vendor identified from the MAC prefix
(OUI lookup). This vendor information helps identify device types quickly.
airmon-ng start Output
Example airmon-ng Output
PHY Interface Driver Chipset
phy0 wlan0 rt2800usb Ralink Technology, Corp. RT5370
(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
3.13 Real-World Use Cases
- Internal pentest — Running arp-scan immediately after connecting to a client
network to map all visible devices before targeting.
- Rogue device detection — Comparing ARP scan results against the organization's
asset inventory to find unauthorized devices.
- WiFi assessment prep — Enabling monitor mode to capture the wireless
environment, identify all access points and clients, and plan the attack.
- ARP spoofing setup — Identifying the target and gateway MAC addresses needed
for tools like
arpspoof or bettercap.
- Physical security assessment — Discovering IoT devices, IP cameras, printers,
and other devices on the network that may be forgotten or unsecured.
- Incident response — Identifying new or unexpected MAC addresses on the network
that may indicate an attacker's presence.
3.14 Best Practices
✓
Best Practice — Always Kill Interfering Processes
Run airmon-ng check kill before enabling monitor mode. NetworkManager and
wpa_supplicant will constantly try to associate with networks, disrupting your capture.
✓
Best Practice — Restore Services After Use
Always run sudo systemctl start NetworkManager after disabling monitor mode to
restore normal WiFi connectivity.
✓
Best Practice — Use a Dedicated USB Adapter
For WiFi assessments, use a dedicated USB adapter with known-good monitor mode support. Don't
rely on internal laptop adapters.
✓
Best Practice — Combine ARP Scan with Nmap
Use arp-scan for fast Layer 2 discovery, then feed the results into Nmap for detailed service
enumeration.
3.15 Common Mistakes
⚠
Mistake — Forgetting to Kill Interfering Processes
Skipping check kill causes monitor mode to be unstable or fail entirely.
⚠
Mistake — Using an Incompatible Adapter
Not all wireless chipsets support monitor mode. Research your adapter's chipset before
attempting.
⚠
Mistake — Scanning Wrong Subnet
ARP scanning only works on your local broadcast domain. If you're on VLAN 10, you can't ARP
scan VLAN 20.
⚠
Mistake — Not Restoring NetworkManager
After check kill, your WiFi won't reconnect automatically. Always restart
NetworkManager.
3.16 Troubleshooting
Problem: "arp-scan: Could not obtain interface address"
Cause: The specified interface doesn't have an IP address or doesn't exist.
Solution: Check interface name with ip a and ensure it has an IP
assigned.
Problem: "airmon-ng: ERROR: No such device"
Cause: The wireless interface name is wrong or the adapter is not connected.
Solution: Run ip link or iwconfig to find the correct
interface name.
Problem: Monitor mode enables but no packets are captured
Cause: Wrong channel, or the adapter doesn't properly support monitor mode.
Solution: Manually set the channel with iwconfig wlan0mon channel 6 and
verify with iwlist wlan0mon channel.
Problem: "Device or resource busy" when starting monitor mode
Cause: Interfering processes still running.
Solution: Run sudo airmon-ng check kill again and manually kill any
remaining processes.
3.17 Related Tools
| Tool |
Description |
| netdiscover |
Active/passive ARP reconnaissance tool with curses interface |
| bettercap |
Network attack framework with built-in ARP discovery and spoofing |
| airodump-ng |
Wireless packet capture tool (part of Aircrack-ng suite) |
| iwconfig/iw |
Low-level wireless configuration tools |
| arpspoof |
ARP spoofing tool for MITM attacks (dsniff suite) |
| Responder |
LLMNR/NBT-NS/MDNS poisoner that uses ARP for local network attacks |
3.18 Security Notes
🔒
Security — ARP Scanning Is Detectable
ARP requests are visible to all devices on the LAN. Network monitoring tools will log your
scanning activity. On authorized engagements, inform the client about expected scan noise.
🔒
Security — Monitor Mode Legal Status
Enabling monitor mode and capturing wireless frames may be illegal depending on your
jurisdiction. Always ensure you have explicit authorization.
🔒
Security — Defending Against ARP Reconnaissance
Implement static ARP entries on critical systems, use port security on switches, and deploy
ARP monitoring tools to detect scanning activity.
3.19 Summary
ARP scanning and WiFi monitor mode are complementary skills for local network discovery. ARP scanning
provides fast, reliable host discovery on wired networks, while monitor mode opens the door to
wireless reconnaissance and attack.
- Use
arp-scan -l for quick local network discovery
- Use
arping for verifying individual hosts
- Always kill interfering processes before enabling monitor mode
- Use a dedicated USB adapter with known monitor mode support
- Restore NetworkManager after disabling monitor mode
- Combine ARP discovery results with Nmap for comprehensive enumeration
3.20 Quick Reference Cheat Sheet
| Task |
Command |
| Scan local subnet |
sudo arp-scan -l |
| Scan specific subnet |
sudo arp-scan 192.168.1.0/24 |
| Verify single host |
sudo arping -c 3 192.168.1.1 |
| List wireless interfaces |
sudo airmon-ng |
| Kill interfering processes |
sudo airmon-ng check kill |
| Enable monitor mode |
sudo airmon-ng start wlan0 |
| Disable monitor mode |
sudo airmon-ng stop wlan0mon |
| Restore connectivity |
sudo systemctl start NetworkManager |
4.1 Introduction
Wireless networks secured with WPA or WPA2-PSK (Pre-Shared Key) rely on a 4-way handshake process when a client device authenticates to an Access Point (AP). This handshake proves that both the AP and the client know the pre-shared key, without ever transmitting the key itself across the air.
However, if an attacker can capture this 4-way handshake, they can perform an offline dictionary attack against it. By repeatedly hashing passwords from a wordlist and comparing the results to the captured handshake, the attacker can recover the original Wi-Fi password.
This chapter focuses on using the Aircrack-ng suite to locate target networks, capture the WPA2 handshake using airodump-ng, actively force clients to reconnect using aireplay-ng, and finally crack the captured hash offline using aircrack-ng.
4.2 What Are These Tools?
The Aircrack-ng suite is a complete set of tools to assess Wi-Fi network security. For this workflow, we focus on three primary components:
- airodump-ng — A packet capture tool for 802.11 frames. It displays nearby Access Points, connected clients, and saves the raw captured data to disk (.cap files).
- aireplay-ng — A frame injection tool used to generate artificial traffic. In this workflow, it is used to send deauthentication (deauth) frames to force a client to disconnect and reconnect, triggering a new handshake.
- aircrack-ng — An 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets or a valid handshake has been captured.
4.3 Why It Is Used
- Wireless security auditing — Evaluating the strength of an organization's wireless passwords.
- Physical penetration testing — Gaining initial access to an internal network from the parking lot or lobby.
- Compliance testing — Ensuring that wireless networks meet regulatory standards for encryption and password complexity.
- Red teaming — Simulating real-world attacks where wireless networks are often the weakest link in the perimeter.
4.4 Features
- Passive capturing — airodump-ng can capture handshakes passively by just listening to the airwaves, remaining completely undetectable.
- Active deauthentication — aireplay-ng can actively disrupt connections to speed up the capture process.
- Offline cracking — Once the handshake is captured, aircrack-ng runs offline, meaning there is no risk of locking out accounts or generating network alerts during the cracking phase.
- Broad compatibility — Works with almost any wireless adapter that supports monitor mode and packet injection.
4.5 Installation
The Aircrack-ng suite is pre-installed on Kali Linux. If you need to install or update it, you can do so via APT:
Install Aircrack-ng
┌──(kali㉿kali)-[~]
└─$ sudo apt update && sudo apt install -y aircrack-ng
4.6 Prerequisites
- Monitor Mode adapter — Your wireless adapter must be in monitor mode (e.g.,
wlan0mon) as covered in Chapter 3.
- Packet Injection capability — Required for sending deauth frames with aireplay-ng. Test it with
sudo aireplay-ng --test wlan0mon.
- A good wordlist — The success of the attack entirely depends on the wordlist.
rockyou.txt is a standard starting point.
- Proximity to target — You need a strong enough signal to reliably capture the packets from both the AP and the client.
4.7 Basic Syntax
airodump-ng Syntax
airodump-ng [options] <interface>
aireplay-ng Syntax
aireplay-ng [options] <interface>
aircrack-ng Syntax
aircrack-ng [options] <capture file>
4.8 Most Important Commands
| Command |
Purpose |
sudo airodump-ng wlan0mon |
Scan all channels for networks |
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon |
Target a specific AP and save to file |
sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon |
Send 5 deauth packets to a client |
aircrack-ng -w wordlist.txt capture-01.cap |
Crack the captured handshake |
4.9 Command Explanation
Targeting a Network
Once you identify a target AP, you must lock airodump-ng to its specific channel and BSSID (MAC address), and tell it to write the captured packets to a file:
Targeted Capture
┌──(kali㉿kali)-[~]
└─$ sudo airodump-ng -c 6 --bssid 00:11:22:33:44:55 -w handshake_capture wlan0mon
Deauthenticating a Client
To speed up the capture, you can force a connected client to disconnect. When they automatically reconnect, airodump-ng will capture the handshake. The -0 flag specifies the deauth attack, followed by the number of packets to send (e.g., 5):
Deauth Attack
┌──(kali㉿kali)-[~]
└─$ sudo aireplay-ng -0 5 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF wlan0mon
Cracking the Handshake
After successfully capturing the handshake, you can stop airodump-ng and use aircrack-ng to brute-force the password using a wordlist:
Offline Cracking
┌──(kali㉿kali)-[~]
└─$ aircrack-ng -w /usr/share/wordlists/rockyou.txt handshake_capture-01.cap
4.10 Common Flags
| Flag |
Tool |
Description |
-c <channel> |
airodump-ng |
Listen only on the specified channel |
--bssid <MAC> |
airodump-ng |
Filter capture to a specific AP |
-w <prefix> |
airodump-ng |
Write captured data to files starting with prefix |
-0 <count> |
aireplay-ng |
Perform deauthentication attack (count = number of packets) |
-a <MAC> |
aireplay-ng |
BSSID (MAC address of the Access Point) |
-c <MAC> |
aireplay-ng |
MAC address of the target client to deauth |
-w <wordlist> |
aircrack-ng |
Path to the dictionary file |
4.11 Practical Examples
Step 1: Locate Target
Start airodump-ng to scan all channels:
┌──(kali㉿kali)-[~]
└─$ sudo airodump-ng wlan0mon
Identify your target's BSSID and Channel. Press Ctrl+C to stop.
Step 2: Targeted Capture
Focus airodump-ng on the target AP to capture the handshake (assuming BSSID 00:11:22:33:44:55 on channel 6):
┌──(kali㉿kali)-[~]
└─$ sudo airodump-ng -c 6 --bssid 00:11:22:33:44:55 -w corp_wifi wlan0mon
Leave this terminal open and running.
Step 3: Deauthenticate a Client
In a second terminal window, identify a connected client (STATION) from the airodump-ng output, and send deauth frames:
┌──(kali㉿kali)-[~]
└─$ sudo aireplay-ng -0 5 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF wlan0mon
Step 4: Verify Handshake and Crack
Check the first terminal. In the top right corner, you should see [ WPA handshake: 00:11:22:33:44:55 ]. If you see this, you can stop airodump-ng and proceed to cracking:
┌──(kali㉿kali)-[~]
└─$ aircrack-ng -w /usr/share/wordlists/rockyou.txt corp_wifi-01.cap
4.12 Expected Output
airodump-ng Handshake Capture
Successful Handshake Capture
CH 6 ][ Elapsed: 2 mins ][ 2025-01-15 14:30 ][ WPA handshake: 00:11:22:33:44:55
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:11:22:33:44:55 -45 100 1256 450 4 6 54e. WPA2 CCMP PSK CorpWiFi
BSSID STATION PWR Rate Lost Frames Notes Probes
00:11:22:33:44:55 AA:BB:CC:DD:EE:FF -50 0e-24e 0 45
aircrack-ng Success
Successful Cracking
Aircrack-ng 1.7
[00:00:15] 15000/14344391 keys tested (1000.00 k/s)
Time left: 3 hours, 59 minutes, 4 seconds 0.10%
KEY FOUND! [ Summer2025! ]
Master Key : AB CD EF 01 23 45 67 89 0A BC DE F0 12 34 56 78
90 AB CD EF 01 23 45 67 89 0A BC DE F0 12 34 56
Transient Key : 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
00 11 22
EAPOL HMAC : 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00
4.13 Real-World Use Cases
- Red Team Engagements — Bypassing physical security by accessing the internal network from outside the building via a weak Wi-Fi password.
- Guest Network Auditing — Ensuring guest networks are properly isolated and that their PSK strength is adequate.
- Employee Awareness — Demonstrating the danger of using weak or easily guessable passwords for corporate Wi-Fi.
4.14 Best Practices
✓
Best Practice — Lock the Channel
Always lock airodump-ng to the specific channel of the target AP using the -c flag. If airodump-ng hops channels while the handshake occurs, you will miss packets.
✓
Best Practice — Targeted Deauth
Use targeted deauthentication (-c <Client MAC>) instead of a broadcast deauth. Broadcast deauths are highly noisy, disrupt the entire network, and often fail on modern APs.
✓
Best Practice — Use Hashcat for Speed
While aircrack-ng is excellent for validation, you can convert the .cap file to a hashcat format (using hcxpcapngtool) and crack it much faster using GPU acceleration with Hashcat.
4.15 Common Mistakes
⚠
Mistake — Attacking 5GHz on a 2.4GHz Adapter
Ensure your Wi-Fi adapter supports the frequency of the target AP. A 2.4GHz-only adapter cannot capture a handshake from a 5GHz network.
⚠
Mistake — Relying on Small Wordlists
If the password is not in your wordlist, aircrack-ng will fail. Use massive wordlists, custom rules, or targeted dictionaries for realistic assessments.
4.16 Troubleshooting
Problem: aircrack-ng says "1 handshake, with PMKID" but cracking fails immediately
Cause: The capture is incomplete and doesn't contain all 4 parts of the handshake.
Solution: Capture the handshake again. Ensure you are close enough to both the AP and the client to hear packets from both directions.
Problem: aireplay-ng fails with "No such BSSID available"
Cause: You are too far away from the AP, or the AP is on a different channel.
Solution: Verify you are locked to the correct channel in airodump-ng. Move physically closer.
4.17 Related Tools
| Tool |
Description |
| Wifite |
Automated script that runs airodump-ng and aireplay-ng to capture handshakes automatically |
| hcxdumptool |
Advanced tool to capture PMKID and handshakes without needing clients (client-less attacks) |
| Hashcat |
GPU-accelerated cracking tool that cracks WPA/WPA2 significantly faster than aircrack-ng |
| Kismet |
Passive wireless network detector, sniffer, and intrusion detection system |
4.18 Security Notes
🔒
Security — Deauthentication is an Active Attack
Sending deauthentication frames actively disrupts a network, causing Denial of Service (DoS) for the users. This is illegal without explicit consent and highly visible to Wireless Intrusion Prevention Systems (WIPS).
🔒
Security — PMF (Protected Management Frames)
WPA3 and properly configured WPA2 networks use 802.11w (PMF), which encrypts management frames. If PMF is enabled, deauthentication attacks via aireplay-ng will not work.
4.19 Summary
Capturing WPA2 handshakes is a core skill for any physical or wireless penetration test. The combination of passive monitoring and active deauthentication allows attackers to efficiently gather the cryptographic material needed to brute-force a network key.
- Use airodump-ng to locate the target and lock onto its channel.
- Use aireplay-ng to send targeted deauthentication frames to a connected client.
- Verify the handshake was captured in airodump-ng before stopping.
- Use aircrack-ng with a strong wordlist to crack the captured handshake offline.
4.20 Quick Reference Cheat Sheet
| Task |
Command |
| Scan all channels |
sudo airodump-ng wlan0mon |
| Target AP & save capture |
sudo airodump-ng -c 6 --bssid AP_MAC -w capture wlan0mon |
| Targeted deauth attack |
sudo aireplay-ng -0 5 -a AP_MAC -c CLIENT_MAC wlan0mon |
| Broadcast deauth (noisy) |
sudo aireplay-ng -0 10 -a AP_MAC wlan0mon |
| Crack handshake |
aircrack-ng -w wordlist.txt capture-01.cap |
| Test packet injection |
sudo aireplay-ng --test wlan0mon |