Automatic handshake and PMKID capture from all access points

This tutorial is devoted to a program that can collect handshakes and PMKIDs from all access points near your in the access range. The program can work in a fully autonomous mode:

  • scan for APs
  • initiate connections to collect PMKID
  • deauthenticate clients of found APs
  • capture handshakes
  • repeat all these steps in a loop without user participation

If you missed and do not know what PMKID is, then see the article “Hacking Wi-Fi without users” - there is an explanation.

For a similar program that knows how to capture handshakes, but cannot capture PMKID – about Hashcatch, see the article “How to capture handshakes of Wi-Fi networks automatically” - there you will find links to other programs to automate these processes.

In the current manual we will consider bettercap. The second version of the program received a lot of changes and new features. The program is under active development and is constantly gaining new features. For an overview of the bettercap basic usage, see the article “bettercap 2.x: how to install and use in Kali Linux” and I strongly recommend starting the acquaintance with that article.

The referenced article already mentions working with Wi-Fi networks, but, firstly, since then a lot has been added specifically for the wifi module, and secondly, this tuturial focuses on Wi-Fi capabilities of bettercap and it will show how to make an autonomous system, which itself will collect hashes for hacking Wi-Fi.

Let's start with a review of the new features. Added a new wifi.assoc command to perform an RSN PMKID attack, i.e. client-less attack.

As well added wifi.region and wifi.txpower parameters. They are responsible for the region in which the Wi-Fi adapter operates and for its power. You will find more details in the article “How to increase TX-Power of Wi-Fi adapters in Kali Linux”. These parameters are important not even because they can improve something, but because they can degrade! The fact is that I have ALREADY set up the desired region and the TX-Power has been increased to the maximum. But the bettercap program also has default values, after launch it sets the region to BO and tries to increase the power to 30. For my adapter, this does not work! That is, BEFORE launching bettercap, my Wi-Fi adapters operates at 30 dBm, and AFTER running bettercap, my adapters switch to 20 dBm… It is possible that you have a similar situation, so we will consider how to avoid problems with this.

New capabilities for parsing WPS and the wifi.show.wps command have been added. By the way, in general, collected the information looks like this:

Now the wifi.recon module intercepts, parses and saves a full 4-step WPA handshake to a file automatically.

Other changes are less significant:

  • new wifi.clear command to clear access points collected by wifi.recon
  • wifi.deauth and wifi.assoc now support BSSID autocompletion (start typing MAC access points and press the TAB button)
  • new wifi.rssi.min parameter
  • wifi.recon now reports wifi.client.new and wifi.client.lost events.
  • wifi.show.wps now supports '*' and 'all' as shortcuts for 'ff:ff:ff:ff:ff:ff'.
  • wifi.deauth now supports '*' and 'all' as shortcuts for 'ff:ff:ff:ff:ff:ff'.
  • wifi.recon will now activate the interface if it's down instead of failing.
  • wifi.show and net.show columns are now decorated according to sorting
  • wifi.show.filter, wifi.show.limit and wifi.show.sort parameters to control wifi.show

Wi-Fi attack in bettercap

The bettercap program can set wireless interfaces to monitor mode and can set it from the down state to the up state, but I DO NOT like how it does it)))) Therefore, I will do it manually.

This is optional, but I prefer to stop the NetworkManager service:

sudo systemctl stop NetworkManager

We look at the name of the wireless interface:

iw dev

My wireless interface is called wlp0s20f0u2, so I set it into monitor mode with the commands (replace wlp0s20f0u2 in them with the name of your wireless interface):

sudo ip link set wlp0s20f0u2 down
sudo iw wlp0s20f0u2 set monitor control
sudo ip link set wlp0s20f0u2 up

I launch bettercap, specifying the name of my Wi-Fi interface:

sudo bettercap -iface wlp0s20f0u2

I start collecting data on Wi-Fi in the district:

wifi.recon on

Data is displayed in a list as new devices are discovered:

To display the table, run the command:

wifi.show

To analyze only certain channels, you can set the value of the wifi.recon.channel variable as follows:

set wifi.recon.channel 1,2,3,4,5,6,7,8,9,11,12

But the changes will not take effect immediately – you had to set them either before launching Wi-Fi reconnaissance, or restart the recon module:

wifi.recon off
wifi.recon on

Although personally for me, the settings of wifi.recon.channel does not affect anything – the dongle continues to scan all the frequencies that it supports.

What did we do to capture handshakes before? It was necessary to configure and run the sniffing module as follows:

set net.sniff.verbose true
set net.sniff.filter ether proto 0x888e
set net.sniff.output wpa.pcap
net.sniff on

Now this is NOT necessary!

The wifi module itself can save handshakes. By default, they are written to the ~/bettercap-wifi-handshakes.pcap file. This value can be changed by setting the variable wifi.handshakes.file:

set wifi.handshakes.file ~/hs-test.pcap

Please note that ~ does not indicate the current user's home directory, but the root directory, since the program starts with sudo.

To capture the PMKID of a specific access point, run the command

wifi.assoc BSSID

where, instead of the BSSID, specify the MAC address of the target AP.

If you need to try to capture the PMKID of all APs around you, then do:

wifi.assoc all

Similarly, with captures of a full 4-ways handshake – to attack the target AP:

wifi.deauth BSSID

To attack all APs:

wifi.deauth all

The total number of captured handshakes will be shown by the command:

wifi.show

For a more thorough analysis, it is recommended to use aircrack-ng:

sudo aircrack-ng /root/bettercap-wifi-handshakes.pcap

pwnagotchi

The author of bettercap, his name is Simone Margaritelli (evilsocket), has created a twitter account for pwnagotchi. The pwnagotchi device is an ARM computer with a battery and an electronic ink screen on which bettercap and custom software are installed. Pwnagotchi is able to independently collect PMKID and full handshakes from Wi-Fi networks. If I understand correctly, Simone has so far assembled only two of these devices. In replies to tweets, people wrote, “Yes, yes, they’ve already been waiting.” In principle, it is not necessary to wait – all the functionality is already in the bettercap itself, you just need to write a small caplet with commands, all this can be run on the laptop and you will get a pwnagotchi-godzilla. Well, or you can also buy an ARM board, a battery, a small screen and assemble your own prototype of pwnagotchi.

Let’s try to reproduce pwnagotchi functionality on our usual hardware. To do this, we need to create the pwnagotchi.cap file:

gedit pwnagotchi.cap

Copy into it:

# set wifi.recon.channel 1,2,3,4,5,6,7,8,9,11,12
# set wifi.region 00
set ticker.period 20
set ticker.commands clear; wifi.show; wifi.assoc all; sleep 7; wifi.deauth all
wifi.recon on
sleep 5
ticker on
events.ignore wifi.client.probe
events.clear
clear

You need to start it like this (instead of wlp0s20f0u2, enter the name of your wireless interface):

sudo bettercap -iface wlp0s20f0u2 -caplet pwnagotchi.cap

Thus, I walked around with a laptop and, as bettercap assures me, I captured dozens of handshakes. But strict aircrack-ng is far from recognizing all of them suitable for cracking:

In this caplet, everything is pretty clear. Commented out lines:

# set wifi.recon.channel 1,2,3,4,5,6,7,8,9,11,12
# set wifi.region 00

do not work, you can uncomment them and, if necessary, correct them to your values. My wlp0s20f0u2 interface already has txpower set to 30.00 dBm. If you also set up increased power for your device and after starting bettercap the power drops, then look at the initial value of regulatory domain at which the txpower is normal:

sudo iw reg get

And write as wifi.region. For more on the topic of power, see the article “How to increase TX-Power of Wi-Fi adapters in Kali Linux”.

Line

set ticker.period 20

sets the loop to repeat commands every 20 seconds.

And the command set for the loop is described by this line:

set ticker.commands clear; wifi.show; wifi.assoc all; sleep 7; wifi.deauth all

That is, wifi.show – shows a generalized table with the collected information. Then the wifi.assoc all command is launched to initiate a connection to all APs and collect PMKID from all access points. Then sleep 7 sets a pause of 7 seconds – I DO NOT know if a pause is really needed and how long it should take, try different timings. Then comes the wifi.deauth all command, which deauthenticates all clients – the remaining 13 seconds from a 20 second cycle are allocated to this command.

In this case, the collection of information about the AP and listening to handshakes are performed continuously.

You can try different timings and choose what will show the best results, especially when moving – share your observations in the comments! Although, it seems to me, everything is individual here – it depends on the density of Wi-Fi access points and speed of movement.

By the way, since all the collected data is dumped into one single file, you will first have to carefully study the article “How to extract all handshakes from a capture file with several handshakes” and, secondly, extract the handshakes you need almost manually, as described in that article.

For cracking the PMKID hash, see all articles on the pmkid tag.

On the picture is AWUS1900 of Simone Margaritelli (possibly connected to pwnagotchi):

Last Updated on

Recommended for you:

Leave a Reply

Your email address will not be published.