" "

PWNING WPA/WPA2 NETWORKS WITH BETTERCAP AND THE

PMKID CLIENT-LESS ATTACK
2019-02-13
! #bettercap, #deauth, #handshake, #hashcat, #pmkid, #rsn, #rsn pmkid, #wpa,
#wpa2

469 2.2K

In this post, I’ll talk about the new WiFi related features that have been re‐
cently implemented into bettercap, starting from how the EAPOL 4-way handshake
capturing has been automated, to a whole new type of attack that will allow us
to recover WPA PSK passwords of an AP without clients.

We’ll start with the assumption that your WiFi card supports monitor mode and
packet injection (I use an AWUS1900 with this driver), that you have a work‐
ing hashcat (v4.2.0 or higher is required) installation (ideally with GPU sup‐
port enabled) for cracking and that you know how to use it properly either for
dictionary or brute-force attacks, as no tips on how to tune the masks and/or
generate proper dictionaries will be given :)

On newer macOS laptops, the builtin WiFi interface en0 already supports
monitor mode, meaning you won’t need a Linux VM in order to run this :)

Deauth and 4-way Handshake Capture

First thing first, let’s try a classical deauthentication attack: we’ll start
bettercap, enable the wifi.recon module with channel hopping and configure
the ticker " Menu our#screen
module to refresh TOC $ Share
every %with
second Top an updated view of
the nearby WiFi networks (replace wlan0 with the interface you want to use):

sudo bettercap -iface wlan0

1
2 # this will set the interface in monitor mode and start channel hopping on

3 all supported frequencies

4 > wifi.recon on

5 # we want our APs sorted by number of clients for this attack, the default

6 sorting would be `rssi asc`

7 > set wifi.show.sort clients desc

8 # every second, clear our view and present an updated list of nearby WiFi
9 networks
> set ticker.commands 'clear; wifi.show'
> ticker on

You should now see something like this:

Assuming Casa-2.4 is the network we want to attack, let’s stick to channel 1

in order to avoid jumping to other frequencies and potentially losing useful
packets:

1 > wifi.recon.channel 1

What we want to do now is forcing one or more of the client stations (we can
see 5 of them for this AP) to disconnect by forging fake deauthentication pack‐
ets. Once they will reconnect, hopefully, bettercap will capture the needed
EAPOL frames of the handshake that we’ll later pass to hashcat for cracking
(replace e0:xx:xx:xx:xx:xx with the BSSID of your target AP):
 1 > wifi.deauth e0:xx:xx:xx:xx:xx

If everything worked as expected and you’re close enough to the AP and the
clients, bettercap will start informing you that complete handshakes have been
captured (you can customize the pcap file output by changing the
wifi.handshakes.file parameter):

Not only bettercap will check for complete handshakes and dump them only
when all the required packets have been captured, but it will also append
to the file one beacon packet for each AP, in order to allow any tool
reading the pcap to detect both the BSSIDs and the ESSIDs.

The downsides of this attack are obvious: no clients = no party, moreover, giv‐
en we need to wait for at least one of them to reconnect, it can potentially
take some time.

4-way Handshake Cracking

Once we have succesfully captured the EAPOL frames required by hashcat in order
to crack the PSK, we’ll need to convert the pcap output file to the hccapx
format that hashcat can read. In order to do so, we can either use this online
service, or install the hashcat-utils ourselves and convert the file locally:

/path/to/cap2hccapx /root/bettercap-wifi-handshakes.pcap bettercap-wifi-

1
handshakes.hccapx

You can now proceed to crack the handshake(s) either by dictionary attack or
brute-force. For instance, to try all 8-digits combinations:

/path/to/hashcat -m2500 -a3 -w3 bettercap-wifi-handshakes.hccapx '?d?d?d?d?

1
d?d?d?d'

And this is it, the evergreen deauthentication attack in all its simplicity,
performed with just one tool … let’s get to the fun part now :)
Client-less PMKID Attack

In 2018 hashcat authors disclosed a new type of attack which not only relies on
one single packet, but it doesn’t require any clients to be connected to our
target AP or, if clients are connected, it doesn’t require us to send deauth
frames to them, there’s no interaction between the attacker and client sta‐
tions, but just between the attacker and the AP, interaction which, if the
router is vulnerable, is almost immediate!

It turns out that a lot of modern routers append an optional field at the end
of the first EAPOL frame sent by the AP itself when someone is associating, the
so called Robust Security Network , which includes something called PMKID :

As explained in the original post, the PMKID is derived by using data which is
known to us:

1 PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)

Since the “PMK Name” string is constant, we know both the BSSID of the AP and
the station and the PMK is the same one obtained from a full 4-way handshake,
this is all hashcat needs in order to crack the PSK and recover the passphrase!
Here’s where the new wifi.assoc command comes into play: instead of deauthen‐
ticating existing clients as shown in the previous attack and waiting for the
full handshake to be captured, we’ll simply start to associate with the target
AP and listen for an EAPOL frame containing the RSN PMKID data.

Say we’re still listening on channel 1 (since we previously wifi.recon.channel

1 ), let’s send such association request to every AP and see who’ll respond
with useful information:

1 # wifi.assoc supports 'all' (or `*`) or a specific BSSID, just like

2 wifi.deauth
> wifi.assoc all

All nearby vulnerable routers (and let me reiterate: a lot of them are vulnera‐
ble), will start sending you the PMKID, which bettercap will dump to the usual
pcap file:

PMKID Cracking

We’ll now need to convert the PMKID data in the pcap file we just captured to a
hash format that hashcat can understand, for this we’ll use hcxpcaptool:

/path/to/hcxpcaptool -z bettercap-wifi-handshakes.pmkid /root/bettercap-

1
wifi-handshakes.pcap

We can now proceed cracking the bettercap-wifi.handshake.pmkid file so gener‐

ated by using algorithm number 16800 :

/path/to/hashcat -m16800 -a3 -w3 bettercap-wifi-handshakes.pmkid '?d?d?d?d?

1
d?d?d?d'

Recap

Goodbye airmon, airodump, aireplay and whatnots: one tool to rule them
all!
Goodbye Kali VMs on macOS: these modules work natively out of the box,
with the default Apple hardware <3
Full 4-way handshakes are for n00bs: just one association request and most
routers will send us enough key material.

Enjoy :)
11 Comments evilsocket.net !
1 Login

$ Recommend 6 t Tweet f Share Sort by Oldest

Join the discussion…

LOG IN WITH OR SIGN UP WITH DISQUS ?

Name

shDaniell • 3 months ago

Can you tell us if there is a speed difference between modes -m2500 and -m16800.
Perhaps if 2500 is way faster then deauth is still preferred.
 see more

1△ ▽ • Reply • Share ›

Simone Margaritelli Mod > shDaniell • 3 months ago

On my Titan X Pascal cards, I get 5-600 kH/s (each) for both WPA-EAPOL-PBKDF2
(mode 2500) and WPA-PMKID-PBKDF2 (mode 16800) as they basically attack the
same algo :)

see more

3△ ▽ • Reply • Share ›

shDaniell > Simone Margaritelli • 3 months ago

Cool, tnx for sharing
△ ▽ • Reply • Share ›
seraphik • 3 months ago
Great writeup, what wireless adapter is that on the tripod ?
△ ▽ • Reply • Share ›

seraphik > seraphik • 3 months ago

lack of sleep my bad.
△ ▽ • Reply • Share ›

Judavi • 3 months ago

Good article!
△ ▽ • Reply • Share ›

Erik B > Judavi • 2 months ago

my guess https://www.amazon.com/dp/B...
△ ▽ • Reply • Share ›

Simone Margaritelli Mod > Erik B • 2 months ago

no need to guess, it's written at the beginn of the article

1△ ▽ • Reply • Share ›

Show more replies

Игорь • 2 months ago

Hello! This is a great attack and I've already tried it out. I've recently bought the ALFA
awus1900 adapter and it doesn't work really well. Probably the driver's issue. Have you
had any troubles with setting it to work on kali?

see more

△ ▽ • Reply • Share ›

Simone Margaritelli Mod > Игорь • 2 months ago

 use this https://github.com/aircrack... ;)
4△ ▽ • Reply • Share ›

Игорь > Simone Margaritelli • 2 months ago

Yes, I did install this one. It works in general, but i usually have to unplug-
plug my adapter or reset monitor mode a few times before injection test
works ok. It never works fine two times in a row :( I just really don't know if
it's a specific issue for me or it's common for all awus1900 users. btw, evil
twin attacks don't work neither in fluxion nor in airogeddon. I almost regret
buying this adapter :)

see more

4△ ▽ • Reply • Share ›

✉ Subscribe d Add Disqus to your siteAdd DisqusAdd 🔒 Disqus' Privacy PolicyPrivacy PolicyPrivacy
Copyright © 2019 Simone Margaritelli
Copyright © 2019 Simone Margaritelli
~/ rss