Wi-Fi Hacking, Part 17: Wi-Fi Hacking with Bettercap

Cybersecurity Cyberwarrior Hacking Vulnerabilities

Welcome back my aspiring cyberwarriors!

In this series on Wi-Fi (802.11) hacking, we have examined a multitude of approaches to Wi-Fi hacking including;

Wireless Hacking Strategies

Getting Started with aircrack-ng

Hacking WPA2-PSK

Continuous DoSing of a Wireless AP

Hacking WPS with Reaver

Hacking WPA2-PSK without Password Cracking

Evading Wi-Fi Authentication

Evil Twin Attack to Spy

Wi-Fi WPA2-PSK PMKID Attack

Anatomy of Wi-Fi Frames

Creating a Wi-Fi Scanner in Python and Scapy

Automating Wi-Fi Hacking with wifite

Bettercap

Many of you are familiar with Bettercap as an excellent MiTM attack framework but it can also be used to attack Wi-Fi AP’s as well.

In this tutorial, we will be using this versatile tool, Bettercap, to find Wi-Fi AP’s, de-authenticate the clients and capture their hashes with the PMKID attack.

Step #1: Install Bettercap

There are a number of ways of installing Bettercap but probably the easiest is to download and install from the Kali repository

kali > sudo apt install bettercap

In addition, you can install the dependencies and then do a gem install

kali > sudo gem install bettercap

Step #2: Check your Wi-Fi Adapter

Next, we need to check our Wi-Fi adapter. If you are using a VM such as VirtualBox or VMware Workstation, you will likely need an external USB Wi-Fi adapter (I’m using the Alfa card. Its simple, inexpensive and most importantly, it works!). Use the ifconfig command in Linux to find the name of your adapter.

kali > sudo ifconfig

Note that my adapter is named wlan0. Yours may be different. The key is to know what your system has named your Wi-Fi adapter

Step #3: Start Bettercap

Next, we need to start bettercap. As we will be using it for Wi-Fi hacking, we need to tell bettercap at startup to use wlan0 (it will use eth0 by default).

kali > sudo bettercap –iface wlan0

Let’s take a look at the help file before get started. That’s always a good idea when using a new tool.

kali > help

Note that just 2 modules are running, Events.stream and wifi. To get the help screen on any module, simply enter help followed by the module name. In this case, let’s get the wifi help screen.

kali > help wifi

To begin, let’s do some recon on the nearby wifi-AP’s.

Step #4: Wi-Fi AP Recon

To start the recon module of bettercap, we simply enter the command wifi.recon on.

kali > wifi.recon on

Bettercap now goes out and attempts to find all the AP’s within range and catalog their key parameters.

We can enter wifi.show to see all the found Wi-Fi AP’s and their key parameters such as BSSID, SSID, type of encryption, and whether they use WPS and the type of WPS (1.0 or 2.0).

kali > wifi.show

With this information, we can choose to use another application such as aircrack-ng to hack these AP’s or proceed to some of bettercap’s cracking applications.

Step #5: PKMID Attack

One of the newest wi-fi attacks is the PMKID attack (for more on the PMKID attack, click here). One of the key advantages of the PMKID attack is that you don’t have to wait for a client to associate with the AP to capture the password hash. The weakness of this attack is that it can be very slow.

To begin the PMKID attack, we first must use the wi-fi.assoc command. You can choose to associate with one or all of the AP’s within range. To associate with just one AP, follow the wifi.assoc command with the BSSID of the selected AP. To associate with all the AP’s, follow the command with all

kali > wifi.assoc all

When bettercap captures the handshake, it will place them in a file at ~/bettercap-wifi-handshakes.pcap (you can specify the handshake file by using the parameter wifi.handshakes.file followed by the location and name of the file).

kali > wifi-assoc all wifi.handshakes.file /home/kali/handshakes

To crack the handshake hashes, you will first need to process them and remove all the extraneous information in the handshake capture using hcxhextool and then use a tool like hashcat to crack them (for more on this process see my PMKID attack tutorial here).

For more on this process, see my tutorials on the PMKID attack and hashcat.

Step #5 De-Authenticate with Bettercap

One of the often overlooked attacks against Wi-Fi AP’s is the denial of service (DoS). Within the population of frames available in wi-fi is the deauthentication frame or deauth frame. This frame de-authenticates any users/clients on the AP and forces them to re-authenticate. This can be very useful to force the client to resend their hash in a traditional WPA2 attack or, if done continuously, can keep the user/client from ever being able to authenticate again, creating a denial of service condition.

Bettercap makes it simple to deauth the client/users by simply using the wifi.deauth command followed by the BSSID of the AP you want to deauth the clients from such as;

kali > wifi.deauth <BSSID>

To deauth all the clients on all the AP’s simply use the keyword all and bettercap will begin to iterate through all the AP’s and deauthenticate any clients connected to the AP.

Summary

Bettercap is an excellent tool for Man-in-the-Middle attacks, but I find it a bit clunky to use for Wi-Fi attacks. That being said, I have been using aircrack-ng for many years and I’m intimately familiar with it. To each their own. The beauty of this discipline is that there are SO many different tools and I’m sure you can find one that works well for you. Many beginners may prefer the easy-to-use interface and useful help screens of Bettercap for Wi-Fi hacking.