This guide shall demonstrate an easy way to start cracking wifi passwords using the Bettercap web UI and aircrack-ng.
Table of Contents
In this article you are going to learn the easiest method of cracking wifi passwords using Bettercap with it’s web UI and aircrack-ng. Please note that this method is only really successful for networks with very poor security and should therefore be seen as more of an introduction to the whole topic.
There are more sophisticated methods of cracking passwords, but they are also far more complex and require in-depth knowledge about encryption as well as other skills that are out of scope for this article.
In order to capture wifi handshakes to crack you will need a wifi card that can operate in “monitor mode”. Check with the manufacturer of your network card to see if monitor mode is available.
Alternatively you could use a Raspberry Pi Zero W running “Pwnagotchi“. I use this method to capture handshakes as I don’t have an external network card capable of operating in monitor mode.
What is monitor mode?
Monitor mode, also known as promiscuous mode or RFMON (Radio Frequency Monitor) mode, is a feature available on some Wi-Fi adapters that allows them to capture and analyze wireless network traffic.
When a Wi-Fi adapter is in monitor mode, it can capture all wireless packets in the air within its range, regardless of the destination or source of those packets. Normally, Wi-Fi adapters only capture packets addressed to them or broadcasted to all devices on the network. In monitor mode, the adapter listens to all wireless traffic, making it useful for various purposes such as network analysis, troubleshooting, and security auditing.
Capturing handshakes with Bettercap UI
In order to crack wifi handshakes you need to capture some first. In order to do this, open the bettercap web UI and start capturing.
Every time a device connects to a wireless network it completes a handshake with the access point. During this handshake, the following messages are exchanged:
- Message 1 (M1): The access point sends a message to the client containing the access point’s nonce (random number) and the supported cryptographic algorithms.
- Message 2 (M2): The client receives the M1 message and responds with a message containing its own nonce and its authentication data.
- Message 3 (M3): The access point receives the M2 message, generates a Pairwise Master Key (PMK), and sends a message to the client containing its own nonce, the PMK, and a message integrity code (MIC) to ensure data integrity.
- Message 4 (M4): The client receives the M3 message, verifies the integrity of the message using the MIC, and sends a final message to the access point to confirm that the handshake is successful.
You can either wait for a device to (re)connect to a wireless network and capture the handshake, or you can try and deauthenticate an existing device and therefore force it to reconnect.
In order to deauthenticate a device from a wireless network, select the target device’s “MAC” in Bettercap and click “Deauthenticate”. You can also Deauthenticate all devices from a wireless network by selecting “Deauthenticate devices” from the “BSSID” dropdown. The deauthenticated clients will try to reconnect to the network, initiating handshakes that you can capture in the process.
Once you managed to capture a handshake, a small red key is displayed next to the wireless network. You are now ready to try and crack the password.
The save location of the handshake can be displayed by hovering your mouse over the red key symbol. For me, it is:
Cracking the password with aircrack-ng
The easiest method to crack the captured handshake is called a “dictionary attack”, in which wordlists are used to find the password. Wordlists contain a list of potential passwords that can be checked against the captured data. Some well-known ressources are:
- RockYou Wordlist (GitHub) <– careful, this is a direct download link
- SecLists (GitHub)
- Weakpass (Weakpass.com)
Dictionary attacks are easy to carry out but are also limited to the passwords on the list. If the password you are looking for is not on the list, you will not get a result.
To start the cracking process, you can use the following command:
aircrack-ng /path/to/pcap/file -w /path/to/wordlist
Aircrack will start to go through every entry on the list and compare it against the captured data. If a match is found, aircrack-ng will stop and present the password.
The process will look something like this:
┌──(dailycompute㉿kali-linux-2022-2)-[~/Downloads] └─$ aircrack-ng bettercap-wifi-handshakes.pcap -w /usr/share/wordlists/rockyou.txt Reading packets, please wait... Opening bettercap-wifi-handshakes.pcap Resetting EAPOL Handshake decoder state. Resetting EAPOL Handshake decoder state. Resetting EAPOL Handshake decoder state. Resetting EAPOL Handshake decoder state. Resetting EAPOL Handshake decoder state. Read 66 packets. # BSSID ESSID Encryption 1 9C:53:xx:xx:xx:xx xxxxxxxxxxxxxxxxxxx WPA (1 handshake) 2 9E:53:xx:xx:xx:xx demo WPA (1 handshake) 3 CC:CE:xx:xx:xx:xx xxxxxxxxxxxxxxxxx WPA (0 handshake) Index number of target network ? 2
Aircrack-ng 1.7 [00:01:44] 265614/14344392 keys tested (2575.68 k/s) Time left: 1 hour, 31 minutes, 6 seconds 1.85% KEY FOUND! [ pizzaparty ] Master Key : B5 F8 81 CB 27 12 B7 EE F6 61 E0 30 49 A0 62 79 1A 36 84 AB C3 E9 CC E2 87 CB 49 9A 6E 94 D1 01 Transient Key : 3F AC DC 38 AA BB 49 70 D3 DC 62 FE CE B6 B6 D2 27 80 A2 FF 12 A9 2A 56 D4 8F 8F F8 29 51 95 9E BC E0 AC 19 82 96 F4 FC DF D0 F0 35 4E F6 3B B2 BB 9E AF F9 DE CF 2E C6 11 BE DD 42 4B D9 7A 00 EAPOL HMAC : A5 3D 63 FA 83 3C 75 26 E9 6E 41 AA 24 94 40 BA
The result in this case is pizzaparty, a word on the wordlist.
As I already wrote at the beginning of this article, dictionary attacks are the simplest way to start cracking wifi passwords. Dictionary attacks do not have a high chance of success since most routers these days use randomly generated letters or a long sequence of numbers.
There are more sophisticated methods that one can use, such as mask attacks, but these require in-depth knowledge of the target and sometimes even some social engineering. That’s a topic for another article.