Wifi Hacking – Cracking WPA2 Handshake with Bettercap – Kali Linux 2021

Written by Rob Parker

Written by Rob Parker

Rob is a Certified Ethical Hacker (CEH v11) from EC-Council and a certified EIPA Data Protection Officer that specialises in security and ethical hacking. He has worked in all parts of the world in various security roles and is keen on helping others in their ethical hacking journeys.

Steam Labs Ethical Hacking posts are designed to educate, introduce and demonstrate hacking tools for penetration testing purposes only. We will not be held responsible for people who use these skills for illegal or malicious attacks.

In this tutorial I am going to introduce you to a budget wireless adapt and demonstrate how to set it up, then talk to you about one of my favourite wireless hacking tools, Bettercap.

According to its official repository here, bettercap is a powerful, easily extensible and portable framework that aims to offer to security researchers and reverse engineers an easy to useall-in-one solution with all the features they might possibly need for performing reconnaissance and attacking WiFi networks, Bluetooth Low Energy devices, wireless HID devices and Ethernet networks. In this tutorial, I will demo the basics of getting started with Bettercap.

How can you install the Atheros AR9271 wireless adapter?

In order to get this installed and up and running, enter the below commands onto a Kali terminal window.

How can you check if the adapter has been installed and if its recognised?

iwconfig will allow you to see if Kali has recognised as well as some core technical details about the wireless adapter.

How can you put the adapter into monitor mode?

In order to put it into monitor mode, we will use airmon-ng along with the adapter interface name and start, if you want to put it back into managed mode, change it from start to stop

To install Bettercap, it is really easy, use the below command, then you should be good to go.

Monitor mode is a promiscuous mode for your IEEE802.11x receiver (aka Wi-Fi adapter or Wi-Fi NIC) and lets you capture signals from not only your access point but others as well. To put your Wi-Fi adapter in promiscuous mode for bettercap, use the below command.

To start discovering Access Points around you:

As you can see we are now able to see a majority of the manufacturers of access points around me. Now, what if I want to see the access points in descending order of the clients connected to it. As we already know that deauth attacks work on APs with clients to capture a handshake and hence, having more clients catalyses the capture process.

It is operating on channel 6 and we’d first put our adapter to listen on channel 6.

By setting sniff.verbose to true, every captured and parsed packet will be sent to the events.stream for displaying.

Next, the net.sniff.filter ether proto 0*888e sets the sniffer to capture EAPOL frames. 0*888e is the standard code for EAPOL (IEEE 802.11X frames).

Output file is set to wifi.pcap

net.sniff on turns the bettercap sniffer on

wifi.deauth starts sending deauth packets to the specified MAC ID (BSSID) of the access point

events.stream on turns the logging on and now bettercap will run in verbose mode.

As you can see, the client has reauthenticated after being deauthenticated by bettercap and a handshake has been captured

Now, we’ll use aircrack-ng to crack hashes captured in this handshake file. We’ve already written an article on aircrack-ng for your reference here.

First, create a password list and store the passwords you think the router or AP might use, if you are not sure, maybe use a leaked password list.

Then, use aircrack-ng to try to crack the password.

Remember to select the network if you get this prompt

Then, that’s it, if the password matches the handshake, you will be in. And just like that, we have cracked the Wi-Fi passphrase of Teddy2.

You May Also Like