Bettercap PDF
Bettercap PDF
Penetration
Testing
Bettercap
Contents
Introduction ........................................................................................... 3
Installation ............................................................................................. 3
Monitor Mode and Wi-Fi discovery ....................................................... 6
Sorting filters .......................................................................................... 6
Deauth attacks using Bettercap ............................................................. 9
PMKID Attack using Bettercap ............................................................. 12
Page 2 of 15
Introduction
According to its official repository here, bettercap is a powerful, easily extensible, and portable framework
written in Go that aims to offer to security researchers, red teamers, and reverse engineers an easy to
use, all-in-one solution with all the features they might possibly need for performing reconnaissance and
attacking WiFi networks, Bluetooth Low Energy devices, wireless HID devices and Ethernet networks
Installation
To install bettercap, we’d use:
After getting installed, we can see the main menu by typing in:
bettercap
Page 3 of 15
Now to navigate your way around this tool for all the Wi-Fi testing related options, the help page is
available at
help wifi
Page 4 of 15
Now, this tool requires an older version of the pcap library so, we’ll first download that using wget.
wget http://old.kali.org/kali/pool/main/libp/libpcap/libpcap0.8_1.9.1-4_amd64.deb
dpkg -i libpcap0.8_1.9.1-4_amd64.deb
Page 5 of 15
Monitor Mode and Wi-Fi discovery
Monitor mode is a promiscuous mode for your IEEE802.11x receiver (aka Wi-Fi adapter or Wi-Fi NIC) and
lets you capture signals from not only your access point but others as well. To put your Wi-Fi adapter in
promiscuous mode:
wifi.recon on
Sorting filters
Often knowing the vendor of an access point aids us in checking access points against known
vulnerabilities. To do this we can use the following command:
Page 6 of 15
As you can see we are now able to see a majority of the manufacturers of access points around me.
Now, what if I want to see the access points in descending order of the clients connected to it. As we
already know that deauth attacks work on APs with clients to capture a handshake and hence, having
more clients catalyses the capture process. So, for that we have:
Page 7 of 15
As you can see the APs have arranged themselves in descending order of several clients connected.
Let’s do the same with ESSID too and arrange it in ascending order.
Here, you can see hidden SSIDs popping up too. The angular bracket is taken into consideration before A-
Z as it is a special symbol.
Now, what if we want to limit the results to only, let’s say, the top 3? To do this:
Page 8 of 15
set wifi.show.limit 3
wifi.show
And we’ve limited the result to only the top 3. Now, let’s send de-authentication packets to open
networks. Open networks are those which aren’t protected by a passphrase.
Here, we can see that clients from 2 APs have been de-authenticated.
Page 9 of 15
Now, we’ll first put up the list of APs found:
events.stream off
wifi.show
events.stream is a logging feature in bettercap that shows logs, new hosts being found, etc. By default, it
is enabled but to give a clear output we can turn it off.
Now, we’ll attack AP “raaj.”
set wifi.recon.channel 5
set net.sniff.verbose true
set net.sniff.filter ether proto 0*888e
set net.sniff.output wifi.pcap
set net.sniff on
wifi.deauth 18:45:93:69:a5:19
events.stream on
Page 10 of 15
It is operating on channel 5 and we’d first put our adapter to listen on channel 5.
By setting sniff.verbose to true, every captured and parsed packet will be sent to the events.stream for
displaying.
Next, the net.sniff.filter ether proto 0*888e sets the sniffer to capture EAPOL frames. 0*888e is the
standard code for EAPOL (IEEE 802.11X frames).
The output file is set to wifi.pcap
net.sniff on turns the bettercap sniffer on
wifi.deauth starts sending deauth packets to the specified MAC ID (BSSID) of the access point
events.stream turns the logging on and now bettercap will run in verbose mode.
As you can see, the client has reauthenticated after being deauthenticated by bettercap and a handshake
has been captured
Now, we’ll use aircrack-ng to crack hashes captured in this handshake file. We’ve already written an article
on aircrack-ng for your reference here.
Here, dict.txt is a long password file containing the most commonly used passwords and passwords I
generated given the knowledge I have about my target.
Page 11 of 15
And just like that, we have cracked the Wi-Fi passphrase of “raaj.”
bettercap
set wifi.interface wlan0mon
wifi.recon on
Page 12 of 15
Let’s see the target APs available
wifi.show
For the PMKID attack to work we have to send an association request to the target Access Point. We do
this with:
wifi.assoc <BSSID>
Page 13 of 15
As we can see, we have successfully received the RSN frame containing PMKID and it has been saved in a
pcap format. What is I want to send an association request to all the Wi-Fis available? To do that the
command is:
wifi.assoc all
And yes, all the vulnerable routers returned the RSN frame containing PMKID and it got saved in a pcap
file.
Now we can use the hcxpcaptool to convert this pcap file in Hashcat crackable format and use Hashcat
to crack the PMK hash.
Here, 16800 is the code for PMKID WPA/WPA2 hash type. We have used the rockyou dictionary here.
Page 14 of 15
And it’s so simple. Bettercap is a sniffer with many other such functionalities besides Wi-Fi packet sniffing.
********
Page 15 of 15