Wireless Penetration Testing: Bettercap
According to its official repository here, bettercap is a powerful, easily extensible and portable framework written in Go that aims to offer to security researchers, red teamers and reverse engineers an easy to use, all-in-one solution with all the features they might possibly need for performing reconnaissance and attacking WiFi networks, Bluetooth Low Energy devices, wireless HID devices and Ethernet networks. In this article, we’d be seeing how to use bettercap to aid with Wi-Fi pentesting.
Table of Content
- Monitor mode and discovery
- Sorting filters
- Deauth attack using bettercap
- PMKID attack using bettercap
To install bettercap, we’d use:
apt install bettercap
After getting installed, we can see the main menu by typing in:
Now to navigate your way around this tool for all the Wi-Fi testing related options, the help page is available at
Now, This tool requires an older version of the pcap library so, we’ll first download that using wget.
wget http://old.kali.org/kali/pool/main/libp/libpcap/libpcap0.8_1.9.1-4_amd64.deb dpkg -i libpcap0.8_1.9.1-4_amd64.deb
Monitor Mode and Wi-Fi discovery
Monitor mode is a promiscuous mode for your IEEE802.11x receiver (aka Wi-Fi adapter or Wi-Fi NIC) and lets you capture signals from not only your access point but others as well. To put your Wi-Fi adapter in promiscuous mode:
bettercap -iface wlan0mon
To start discovering Access Points around you:
Often times knowing the vendor of an access point aids us in checking access point against known vulnerabilities. To do this we can use the following command:
set wifi.show.manufacturer true wifi.show
As you can see we are now able to see a majority of the manufacturers of access points around me. Now, what if I want to see the access points in descending order of the clients connected to it. As we already know that deauth attacks work on APs with clients to capture a handshake and hence, having more clients catalyses the capture process. So, for that we have:
set.wifi.show.sort clients desc wifi.show
As you can see the APs have arranged themselves in descending order of a number of clients connected.
Let’s do the same with ESSID too and arrange it in ascending order.
set.wifi.show.sort essid asc wifi.show
Here, you can see hidden SSIDs popping up too. The angular bracket is taken into consideration before A-Z as it is a special symbol.
Now, what if we want to limit the results to only, let’s say, the top 3? To do this:
set wifi.show.limit 3 wifi.show
And we’ve limited the result to only top 3. Now, let’s send deauthentication packets to open networks. Open networks are those which aren’t protected by a passphrase.
set wifi.deauth.open true
Here, we can see that clients from 2 APs have been deauthenticated.
Deauth attacks using Bettercap
We have already seen how to recon, sort and filter. Let’s conduct a short deauth attack on an access point.
First, put your wifi adapter in monitor mode
Now, we’ll first put up the list of APs found:
events.stream off wifi.show
events.stream is a logging feature in bettercap that shows logs, new hosts being found, etc. By default, it is enabled but to give a clear output we can turn it off.
Now, we’ll attack on AP “raaj.”
set wifi.recon.channel 5 set net.sniff.verbose true set net.sniff.filter ether proto 0*888e set net.sniff.output wifi.pcap set net.sniff on wifi.deauth 18:45:93:69:a5:19 events.stream on
It is operating on channel 5 and we’d first put our adapter to listen on channel 5.
By setting sniff.verbose to true, every captured and parsed packet will be sent to the events.stream for displaying.
Next, the net.sniff.filter ether proto 0*888e sets the sniffer to capture EAPOL frames. 0*888e is the standard code for EAPOL (IEEE 802.11X frames).
Output file is set to wifi.pcap
net.sniff on turns the bettercap sniffer on
wifi.deauth starts sending deauth packets to the specified MAC ID (BSSID) of the access point
events.stream on turns the logging on and now bettercap will run in verbose mode.
As you can see, the client has reauthenticated after being deauthenticated by bettercap and a handshake has been captured
Now, we’ll use aircrack-ng to crack hashes captured in this handshake file. We’ve already written an article on aircrack-ng for your reference here.
aircrack-ng bettercap-wifi-handshakes.pcap -w /root/dict.txt
Here, dict.txt is a long password file containing the most commonly used passwords and passwords I generated given the knowledge I have about my target.
And just like that, we have cracked the Wi-Fi passphrase of “raaj.”
PMKID Attack using Bettercap
We’ve discussed in detail PMKID and PMKID attacks in this article here. Now, let’s see a small tutorial where a bettercap can be used to conduct PMKID attacks.
bettercap set wifi.interface wlan0mon wifi.recon on
Let’s see the target APs available
For the PMKID attack to work we have to send an association request to the target Access Point. We do this with:
As we can see, we have successfully received the RSN frame containing PMKID and it has been saved in a pcap format. What is I want to send an association request to all the Wi-Fis available. To do that the command is:
And yes, all the vulnerable routers returned the RSN frame containing PMKID and it got saved in a pcap file.
Now we can use the hcxpcaptool to convert this pcap file in Hashcat crackable format and use Hashcat to crack the PMK hash.
hcxpcaptool -z hashpmkid bettercap-wifi-handshakes.pcap hashcat -m 16800 --force hashpmkid /usr/share/wordlists/rockyou.txt --show
Here, 16800 is the code for PMKID WPA/WPA2 hash type. We have used the rockyou dictionary here.
And it’s so simple. Bettercap is a sniffer with many other such functionalities besides Wi-Fi packet sniffing. We hope that this article helped you in developing opinions about tools available in the market today and forging your own Wi-Fi security audit toolkit. Thanks for reading. Have a nice day.
Author: Harshit Rajpal is an InfoSec researcher and left and right brain thinker. Contact here