By otw

Wi-Fi Hacking, Part 17: Wi-Fi Hacking with Bettercap

Updated: Dec 31, 2022

Welcome back my aspiring cyberwarriors!


In this series on Wi-Fi (802.11) hacking, we have examined a multitude of approaches to Wi-Fi hacking including;




Bettercap


Many of you are familiar with Bettercap as an excellent MiTM attack framework, but it can also be used to attack Wi-Fi APs.


In this tutorial, we will be using this versatile tool, Bettercap, to find Wi-Fi APs, de-authenticate the clients and capture their hashes with the PMKID attack.


Step #1: Install Bettercap


There are a number of ways of installing Bettercap, but probably the easiest is to download and install it from the Kali repository.


kali > sudo apt install bettercap




In addition, you can install the dependencies and then do a gem install.


kali > sudo gem install bettercap




Step #2: Check your Wi-Fi Adapter


Next, we need to check our Wi-Fi adapter. If you are using a VM such as VirtualBox or VMware Workstation, you will likely need an external USB Wi-Fi adapter (I'm using the Alfa card. It's simple, inexpensive and most importantly, it works!). Use the ifconfig command in Linux to find the name of your adapter.


kali > sudo ifconfig

Note that my adapter is named wlan0. Yours may be different. The key is to know what your system has named your Wi-Fi adapter.


Step #3: Start Bettercap


Next, we need to start bettercap. As we will be using it for Wi-Fi hacking, we need to tell bettercap at startup to use wlan0 (it will use eth0 by default).


kali > sudo bettercap --iface wlan0



Let's take a look at the help file before we get started. That's always a good idea when using a new tool.


kali > help

Note that just 2 modules are running, events.stream and wifi. To get the help screen on any module, simply enter help followed by the module name. In this case, let's get the wifi help screen.


kali > help wifi


To begin, let's do some recon on the nearby Wi-Fi APs.


Step #4: Wi-Fi AP Recon


To start the recon module of bettercap, we simply enter the command wifi.recon on.


kali > wifi.recon on

Bettercap now goes out and attempts to find all the APs within range and catalog their key parameters.


We can enter wifi.show to see all the Wi-Fi APs it found and their key parameters, such as BSSID, SSID, type of encryption, whether they use WPS, and the type of WPS (1.0 or 2.0).


kali > wifi.show


With this information, we can choose to use another application such as aircrack-ng to hack these APs or proceed to some of bettercap's cracking applications.


Step #5: PMKID Attack


One of the newest Wi-Fi attacks is the PMKID attack (for more on the PMKID attack, click here). One of the key advantages of the PMKID attack is that you don't have to wait for a client to associate with the AP to capture the password hash. The weakness of this attack is that it can be very slow.


To begin the PMKID attack, we first must use the wifi.assoc command. You can choose to associate with one or all of the APs within range. To associate with just one AP, follow the wifi.assoc command with the BSSID of the selected AP. To associate with all the APs, follow the command with all.


kali > wifi.assoc all

When bettercap captures handshakes, it places them in a file at ~/bettercap-wifi-handshakes.pcap (you can specify the handshake file by setting the parameter wifi.handshakes.file to the location and name of the file).





kali > set wifi.handshakes.file /home/kali/handshakes
kali > wifi.assoc all


To crack the handshake hashes, you will first need to process them and remove all the extraneous information in the handshake capture using hcxhextool and then use a tool like hashcat to crack them (for more on this process see my PMKID attack tutorial here).





For more on this process, see my tutorials on the PMKID attack and hashcat.
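From the defender's side, the useful check is whether your own AP puts a PMKID in the first EAPOL-Key message at all. The following is an added example, not code from this tutorial or from Bettercap: it classifies an EAPOL frame as message 1 with the PMKID absent, zeroed, or exposed, assuming the standard EAPOL-Key layout; the function names and the sample frames are constructed for illustration.

```python
import struct

PMKID_KDE = bytes.fromhex("000fac04")   # OUI 00-0F-AC, data type 4 = PMKID

def pmkid_exposure(eapol: bytes):
    """Classify an EAPOL frame (starting at the 802.1X header).
    Returns None if it is not 4-way handshake message 1, otherwise
    'absent', 'zeroed' or 'exposed' depending on the PMKID KDE in Key Data."""
    if len(eapol) < 99 or eapol[1] != 3:          # 802.1X type 3 = EAPOL-Key
        return None
    (key_info,) = struct.unpack_from(">H", eapol, 5)
    pairwise, ack, mic = key_info & 0x0008, key_info & 0x0080, key_info & 0x0100
    if not (pairwise and ack and not mic):        # message 1: ACK set, no MIC yet
        return None
    (data_len,) = struct.unpack_from(">H", eapol, 97)
    data, i = eapol[99:99 + data_len], 0
    while i + 2 <= len(data):                     # walk type/length/value elements
        etype, elen = data[i], data[i + 1]
        body = data[i + 2:i + 2 + elen]
        if etype == 0xDD and len(body) == 20 and body[:4] == PMKID_KDE:
            return "zeroed" if body[4:] == bytes(16) else "exposed"
        i += 2 + elen
    return "absent"

def build_eapol_key(key_info, key_data=b""):
    """Build an EAPOL-Key frame with zeroed nonce/IV/RSC/MIC for the sample data."""
    body = (bytes([2]) + struct.pack(">HH", key_info, 16)
            + bytes(8 + 32 + 16 + 8 + 8 + 16)      # replay ctr, nonce, IV, RSC, ID, MIC
            + struct.pack(">H", len(key_data)) + key_data)
    return bytes([2, 3]) + struct.pack(">H", len(body)) + body

def kde(pmkid: bytes) -> bytes:
    """Wrap a 16-byte PMKID in its vendor-specific key data element."""
    return bytes([0xDD, 0x14]) + PMKID_KDE + pmkid

# Constructed samples (not captured traffic)
M1_EXPOSED = build_eapol_key(0x008A, kde(bytes(range(1, 17))))
M1_ZEROED = build_eapol_key(0x008A, kde(bytes(16)))
M1_ABSENT = build_eapol_key(0x008A)
M3_FRAME = build_eapol_key(0x13CA, kde(bytes(range(1, 17))))   # MIC set: not message 1

if __name__ == "__main__":
    for name in ("M1_EXPOSED", "M1_ZEROED", "M1_ABSENT", "M3_FRAME"):
        print(name, pmkid_exposure(globals()[name]))
```

A WPA2-PSK AP that comes back as exposed gives anyone who associates material for offline guessing, so its passphrase should be long and random, or the network moved to WPA3-SAE.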



Step #6: De-Authenticate with Bettercap


One of the often overlooked attacks against Wi-Fi APs is the denial of service (DoS). Among the frame types available in Wi-Fi is the deauthentication frame, or deauth frame. This frame de-authenticates any users/clients on the AP and forces them to re-authenticate. This can be very useful to force the client to resend their hash in a traditional WPA2 attack or, if done continuously, can keep the user/client from ever being able to authenticate again, creating a denial of service condition.


Bettercap makes it simple to deauth the clients/users by using the wifi.deauth command followed by the BSSID of the AP you want to deauth the clients from, such as:


kali > wifi.deauth <BSSID>


To deauth all the clients on all the APs, simply use the keyword all and bettercap will begin to iterate through all the APs and deauthenticate any clients connected to each AP.
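Continuous deauthentication like this is easy to spot from a monitoring sensor. The following is an added example, not code from this tutorial or from Bettercap: it parses raw 802.11 management frames and flags any BSSID whose deauth rate crosses a threshold inside a sliding window. The threshold of 10 frames per second, the function names and the sample frames are assumptions made for illustration.

```python
import struct
from collections import defaultdict, deque

def parse_deauth(frame: bytes):
    """Return (dest, src, bssid, reason) for an 802.11 deauth frame, else None."""
    if len(frame) < 26:                      # 24-byte mgmt header + 2-byte reason
        return None
    fc = frame[0]
    version, ftype, subtype = fc & 0x3, (fc >> 2) & 0x3, fc >> 4
    if (version, ftype, subtype) != (0, 0, 12):   # management / deauthentication
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    (reason,) = struct.unpack_from("<H", frame, 24)
    return mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def detect_deauth_floods(records, threshold=10, window=1.0):
    """records: (timestamp_seconds, raw_frame) pairs. Returns {bssid: peak count}
    for every BSSID with >= threshold deauth frames inside any `window` seconds."""
    recent, alerts = defaultdict(deque), {}
    for ts, frame in sorted(records, key=lambda r: r[0]):
        parsed = parse_deauth(frame)
        if parsed is None:
            continue
        bssid, q = parsed[2], recent[parsed[2]]
        q.append(ts)
        while ts - q[0] > window:            # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts[bssid] = max(alerts.get(bssid, 0), len(q))
    return alerts

def build_frame(subtype, dst, src, bssid, body):
    """Build a bare management frame (no radiotap header) for the sample data."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return (bytes([subtype << 4, 0, 0, 0]) + raw(dst) + raw(src) + raw(bssid)
            + b"\x00\x00" + body)

# Constructed sample: AP1 sees 40 broadcast deauths 62.5 ms apart (a flood);
# AP2 sends one ordinary deauth and one beacon (subtype 8), which must not alert.
AP1, AP2, BCAST = "02:00:00:00:00:01", "02:00:00:00:00:02", "ff:ff:ff:ff:ff:ff"
SAMPLE = [(i * 0.0625, build_frame(12, BCAST, AP1, AP1, struct.pack("<H", 7)))
          for i in range(40)]
SAMPLE.append((0.5, build_frame(12, "02:00:00:00:00:aa", AP2, AP2, struct.pack("<H", 3))))
SAMPLE.append((0.6, build_frame(8, BCAST, AP2, AP2, bytes(12))))

if __name__ == "__main__":
    print(detect_deauth_floods(SAMPLE))
```

Detection only tells you it is happening; enabling Protected Management Frames (802.11w) on the AP and clients is what makes forged deauth frames ineffective.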



Summary


Bettercap is an excellent tool for Man-in-the-Middle attacks, but I find it a bit clunky to use for Wi-Fi attacks. That being said, I have been using aircrack-ng for many years and I'm intimately familiar with it. To each their own. The beauty of this discipline is that there are SO many different tools and I'm sure you can find one that works well for you. Many beginners may prefer the easy-to-use interface and useful help screens of Bettercap for Wi-Fi hacking.
