Updated: Dec 31, 2022
Welcome back my aspiring cyberwarriors!
In this series on Wi-Fi (802.11) hacking, we have examined a multitude of approaches to Wi-Fi hacking including;
Many of you are familiar with Bettercap as an excellent MiTM attack framework but it can also be used to attack Wi-Fi AP's as well.
In this tutorial, we will be using this versatile tool, Bettercap, to find Wi-Fi AP's, de-authenticate the clients and capture their hashes with the PMKID attack.
Step #1: Install Bettercap
There are a number of ways of installing Bettercap but probably the easiest is to download and install from the Kali repository
kali > sudo apt install bettercap
In addition, you can install the dependencies and then do a gem install
kali > sudo gem install bettercap
Step #2: Check your Wi-Fi Adapter
Next, we need to check our Wi-Fi adapter. If you are using a VM such as VirtualBox or VMware Workstation, you will likely need an external USB Wi-Fi adapter (I'm using the Alfa card. Its simple, inexpensive and most importantly, it works!). Use the ifconfig command in Linux to find the name of your adapter.
kali > sudo ifconfig
Note that my adapter is named wlan0. Yours may be different. The key is to know what your system has named your Wi-Fi adapter
Step #3: Start Bettercap
Next, we need to start bettercap. As we will be using it for Wi-Fi hacking, we need to tell bettercap at startup to use wlan0 (it will use eth0 by default).
kali > sudo bettercap --iface wlan0
Let's take a look at the help file before get started. That's always a good idea when using a new tool.
kali > help
Note that just 2 modules are running, Events.stream and wifi. To get the help screen on any module, simply enter help followed by the module name. In this case, let's get the wifi help screen.
kali > help wifi
To begin, let's do some recon on the nearby wifi-AP's.
Step #4: Wi-Fi AP Recon
To start the recon module of bettercap, we simply enter the command wifi.recon on.
kali > wifi.recon on
Bettercap now goes out and attempts to find all the AP's within range and catalog their key parameters.
We can enter wifi.show to see all the found Wi-Fi AP's and their key parameters such as BSSID, SSID, type of encryption, and whether they use WPS and the type of WPS (1.0 or 2.0).
kali > wifi.show
With this information, we can choose to use another application such as aircrack-ng to hack these AP's or proceed to some of bettercap's cracking applications.
Step #5: PKMID Attack
One of the newest wi-fi attacks is the PMKID attack (for more on the PMKID attack, click here). One of the key advantages of the PMKID attack is that you don't have to wait for a client to associate with the AP to capture the password hash. The weakness of this attack is that it can be very slow.
To begin the PMKID attack, we first must use the wi-fi.assoc command. You can choose to associate with one or all of the AP's within range. To associate with just one AP, follow the wifi.assoc command with the BSSID of the selected AP. To associate with all the AP's, follow the command with all
kali > wifi.assoc all
When bettercap captures the handshake, it will place them in a file at ~/bettercap-wifi-handshakes.pcap (you can specify the handshake file by using the parameter wifi.handshakes.file followed by the location and name of the file).
kali > wifi-assoc all wifi.handshakes.file /home/kali/handshakes
To crack the handshake hashes, you will first need to process them and remove all the extraneous information in the handshake capture using hcxhextool and then use a tool like hashcat to crack them (for more on this process see my PMKID attack tutorial here).
Step #5 De-Authenticate with Bettercap
One of the often overlooked attacks against Wi-Fi AP's is the denial of service (DoS). Within the population of frames available in wi-fi is the deauthentication frame or deauth frame. This frame de-authenticates any users/clients on the AP and forces them to re-authenticate. This can be very useful to force the client to resend their hash in a traditional WPA2 attack or, if done continuously, can keep the user/client from ever being able to authenticate again, creating a denial of service condition.
Bettercap makes it simple to deauth the client/users by simply using the wifi.deauth command followed by the BSSID of the AP you want to deauth the clients from such as;
kali > wifi.deauth <BSSID>
To deauth all the clients on all the AP's simply use the keyword all and bettercap will begin to iterate through all the AP's and deauthenticate any clients connected to the AP.
Bettercap is an excellent tool for Man-in-the-Middle attacks, but I find it a bit clunky to use for Wi-Fi attacks. That being said, I have been using aircrack-ng for many years and I'm intimately familiar with it. To each their own. The beauty of this discipline is that there are SO many different tools and I'm sure you can find one that works well for you. Many beginners may prefer the easy-to-use interface and useful help screens of Bettercap for Wi-Fi hacking.