Unable to capture passive PMKID values on MacOS
Prerequisites
Description of the bug or feature request
Environment
Please provide:
- Bettercap version you are using (`bettercap -version`): bettercap v2.32.0 (built for darwin arm64 with go1.19.2)
- OS version and architecture you are using: M1 Mac with MacOS 13.6.4
- Go version if building from sources: N/A. Did `brew install bettercap`.
- Command line arguments you are using: `sudo bettercap -iface en0 -debug`.
- Caplet code you are using or the interactive session commands: N/A
- Full debug output while reproducing the issue (`bettercap -debug ...`): See below.
Steps to Reproduce
First, find channels via `airport -s`. This gives:

```
SSID (BSSID) RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
**redacted name** -93 40 Y -- RSN(PSK/AES/AES)
**redacted name** -93 36 Y -- RSN(PSK/AES/AES)
**redacted name** -93 36 Y -- RSN(PSK/AES/AES)
**redacted name** -92 108 Y -- RSN(PSK/AES/AES)
**redacted name** -92 40 Y -- RSN(PSK/AES/AES)
**redacted name** -91 64 Y -- RSN(PSK/AES/AES)
**redacted name** -88 48 Y -- RSN(PSK,SAE/AES/AES)
**redacted name** -86 149,+1 Y -- RSN(PSK/AES/AES)
**redacted name** -83 11 Y -- RSN(PSK/AES/AES)
**redacted name** -82 149 Y -- RSN(PSK/AES/AES)
**redacted name** -82 11 Y -- WPA(PSK/AES/AES) RSN(PSK/AES/AES)
**redacted name** -80 149,+1 Y -- RSN(PSK/AES/AES)
**redacted name** -80 149,+1 Y -- RSN(PSK/AES/AES)
**redacted name** -80 2 Y -- RSN(PSK/AES/AES)
**redacted name** -78 48 Y -- RSN(PSK,SAE/AES/AES)
**redacted name** -77 161 Y -- RSN(PSK/AES/AES)
**redacted name** -77 48 Y -- RSN(PSK/AES/AES)
**redacted name** -76 36,+1 Y -- RSN(PSK/AES/AES)
**redacted name** -74 36,+1 Y -- WPA(PSK/TKIP/TKIP) RSN(PSK/TKIP,AES/TKIP)
**redacted name** -74 157,+1 Y -- RSN(PSK/AES/AES)
**redacted name** -73 5 Y -- RSN(PSK/AES/AES)
**redacted name** -73 157,+1 Y -- RSN(PSK/AES/AES)
**redacted name** -73 149 Y -- RSN(PSK/AES/AES)
**redacted name** -73 8 Y -- RSN(PSK,SAE/AES/AES)
**redacted name** -72 157 Y -- RSN(PSK/AES/AES)
**redacted name** -72 40,-1 Y -- RSN(PSK/AES/AES)
**redacted name** -71 44 Y -- WPA(PSK/AES,TKIP/TKIP) RSN(PSK/AES,TKIP/TKIP)
**redacted name** -71 8 Y -- RSN(PSK,SAE/AES/AES)
**redacted name** -70 48 Y -- RSN(802.1x/AES/AES)
**redacted name** -70 48 Y -- RSN(802.1x/AES/AES)
**redacted name** -69 1,+1 Y -- RSN(PSK/AES/AES)
**redacted name** -68 11 Y -- RSN(PSK/AES/AES)
**redacted name** -67 3 Y -- RSN(PSK/AES/AES)
**redacted name** -64 1 Y -- RSN(PSK/AES/AES)
**redacted name** -64 1 Y -- WPA(PSK/AES,TKIP/TKIP) RSN(PSK/AES,TKIP/TKIP)
**redacted name** -62 1 Y -- RSN(PSK/AES/AES)
**redacted name** -48 1 N -- RSN(PSK/AES,TKIP/TKIP)
**redacted name** -48 6 Y -- RSN(PSK/AES/AES)
**redacted name** -47 6 Y -- RSN(PSK/AES/AES)
**redacted name** -55 149 Y -- RSN(PSK/AES/AES)
**redacted name** -55 149 Y -- RSN(PSK/AES/AES)
```
As you can see, things are distributed between a number of channels. I imagine trying it on all the channels like this won't capture anything, since it'll channel switch too rapidly and miss responses.

```
wifi.recon on
wifi.assoc all
```
So instead we try on single channels, like 1 or 149:

```
wifi.recon on
wifi.recon.channel 1
wifi.assoc all
```

```
wifi.recon on
wifi.recon.channel 149
wifi.assoc all
```
Both of these just return a bunch of probing (sorry I combined two outputs here so the timestamps are a bit off):
```
$ sudo bettercap -iface en0 -debug
en0 » [16:25:27] [sys.log] [dbg] arp.spoof arp cache restoration after spoofing enabled
en0 » [16:25:27] [sys.log] [dbg] Could not find mac for
en0 » [16:25:27] [session.started] {session.started 2024-02-13 16:25:27.511091 -0500 EST m=+0.061114542 <nil>}
en0 » [16:25:27] [mod.started] events.stream
en0 » wifi.recon on
[16:25:31] [sys.log] [inf] wifi using interface en0 (bc:<redacted>)
[16:25:31] [sys.log] [dbg] wifi interface en0 txpower set to 30
[16:25:31] [sys.log] [dbg] creating capture for 'en0' with options: {Monitor:true Snaplen:65536 Bufsize:2097152 Promisc:true Timeout:500ms}
[16:25:32] [sys.log] [dbg] wifi new frequencies: []
[16:25:32] [sys.log] [dbg] wifi wifi supported frequencies: []
[16:25:32] [sys.log] [inf] wifi started (min rssi: -200 dBm)
[16:25:32] [mod.started] wifi
en0 » [16:25:32] [sys.log] [inf] wifi channel hopper started.
en0 » [16:25:32] [sys.log] [dbg] wifi wifi stations pruner started (ap.ttl:5m0s sta.ttl:5m0s).
en0 » [16:25:32] [wifi.ap.new] wifi access point <redacted> (-52 dBm) detected as 0a:<redacted>.
en0 » [16:25:32] [wifi.ap.new] wifi access point <redacted> (-79 dBm) detected as e2:<redacted>.
en0 » [16:25:32] [wifi.ap.new] wifi access point
wifi.recon.channel 149
[16:25:50] [sys.log] [dbg] wifi new frequencies: [5745]
[16:25:50] [sys.log] [dbg] wifi setting hopping channels to 149
[16:25:50] [sys.log] [dbg] wifi hop changed
wifi.assoc all
en0 » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
en0 » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
en0 » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
en0 » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
en0 » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
en0 » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
en0 » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
en0 » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
en0 » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
en0 » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
en0 » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
en0 » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
en0 » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
en0 » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
en0 » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
en0 » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
en0 » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
...(about 49 lines omitted)...
en0 » [16:25:56] [wifi.ap.new] wifi access point <redacted> (-91 dBm) detected as 20:<redacted> (Verizon).
en0 » [16:25:58] [wifi.client.new] new station 0c:<redacted>(Longcheer Telecommunication Limited) detected for <redacted> (08:<redacted>)
en0 » [16:26:03] [wifi.client.new] new station 88:<redacted> (Apple, Inc.) detected for <redacted>-5G (00:<redacted>)
en0 » [15:39:22] [wifi.client.probe] station <redacted> is probing for SSID <redacted> (-81 dBm)
en0 » [15:39:23] [wifi.client.probe] station <redacted> (Sonos, Inc.) is probing for SSID <redacted> (-91 dBm)
en0 » [15:39:23] [wifi.client.probe] station <redacted> (Espressif Inc.) is probing for SSID <redacted> (-83 dBm)
en0 » [15:39:24] [wifi.ap.new] wifi access point <redacted> (-90 dBm) detected as <redacted> (Netgear).
en0 » [15:39:25] [wifi.client.probe] station <redacted> is probing for SSID <redacted> (-45 dBm)
en0 » [15:39:25] [wifi.client.probe] station <redacted> is probing for SSID <redacted> (-45 dBm)
en0 » [15:39:27] [wifi.client.probe] station <redacted> (Espressif Inc.) is probing for SSID <redacted> (-85 dBm)
en0 » [15:39:28] [wifi.client.probe] station <redacted> is probing for SSID <redacted> (-92 dBm)
en0 » [15:39:28] [wifi.client.probe] station <redacted> (Espressif Inc.) is probing for SSID <redacted> (-83 dBm)
en0 » [15:39:30] [wifi.client.probe] station <redacted> (Apple, Inc.) is probing for SSID <redacted> (-82 dBm)
en0 » [15:39:30] [wifi.client.probe] station <redacted> (Apple, Inc.) is probing for SSID <redacted> (-84 dBm)
en0 » [15:39:30] [wifi.client.probe] station <redacted> (Apple, Inc.) is probing for SSID <redacted> (-84 dBm)
en0 » [15:39:30] [wifi.client.probe] station <redacted> (Apple, Inc.) is probing for SSID <redacted> (-87 dBm)
en0 » [15:39:30] [wifi.client.probe] station <redacted> (Apple, Inc.) is probing for SSID <redacted> (-82 dBm)
en0 » [15:39:30] [wifi.client.probe] station <redacted> (Apple, Inc.) is probing for SSID <redacted> (-92 dBm)
en0 » [15:39:30] [wifi.client.probe] station <redacted> (Apple, Inc.) is probing for SSID <redacted> (-85 dBm)
en0 » [15:39:30] [wifi.client.probe] station <redacted> (Apple, Inc.) is probing for SSID <redacted> (-85 dBm)
en0 » [15:39:30] [wifi.client.probe] station <redacted> (Apple, Inc.) is probing for SSID <redacted> (-83 dBm)
```

And similarly for channel 149. One time I got this after starting to recon:

```
en0 » [16:25:32] [sys.log] [dbg] wifi got frame 1/4 of the ee:<redacted> <-> 0e:<redacted> handshake (without PMKID) (anonce:a8...)
en0 » [16:25:32] [sys.log] [dbg] wifi adding beacon frame to handshake for ee:<redacted>
en0 » [16:25:32] [sys.log] [dbg] wifi (aggregate true) saving handshake frames to ~/bettercap-wifi-handshakes.pcap
en0 » [16:25:32] [wifi.client.handshake] captured 0e:<redacted> -> <redacted>Guest (ee:<redacted>) WPA2 handshake (half) to ~/bettercap-wifi-handshakes.pcap
en0 » [16:25:32] [sys.log] [dbg] wifi got frame 3/4 of the ee:<redacted> <-> 0e:<redacted> handshake (mic:5c99...)
en0 » [16:25:32] [sys.log] [dbg] wifi (aggregate true) saving handshake frames to ~/bettercap-wifi-handshakes.pcap
```
Expected behavior: What you expected to happen
PMKIDs should be written to a file, especially with so many RSN networks. However, `~/bettercap-wifi-handshakes.pcap` does not exist and there's no output suggesting it got any PMKIDs.
Actual behavior: What actually happened
`wifi.assoc all` just sent out probes and didn't actually do anything.
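Added here as an illustration, not code from the issue or from bettercap: a parser for the `airport -s` column layout shown above (the BSSID column treated as optional, since this report's output lacks it), with a defender-side check that flags networks still offering WPA1, TKIP or no encryption. The sample rows, SSIDs and the one MAC address are constructed placeholders.

```python
import re

# Constructed sample in the airport -s column layout (BSSID column optional, as in the report above).
SAMPLE = """\
SSID (BSSID) RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
Lab-AP -93 40 Y -- RSN(PSK/AES/AES)
Guest Net -74 36,+1 Y -- WPA(PSK/TKIP/TKIP) RSN(PSK/TKIP,AES/TKIP)
Office 00:11:22:33:44:55 -70 48 Y -- RSN(802.1x/AES/AES)
Home-WPA3 -71 8 Y US RSN(PSK,SAE/AES/AES)
Legacy -48 1 N -- RSN(PSK/AES,TKIP/TKIP)
Open Cafe -60 6 Y -- NONE
"""

# SSIDs may contain spaces, so each later column is anchored by its strict shape:
# negative RSSI, channel with optional ,+1/,-1 secondary offset, Y/N for HT, CC or --.
ROW = re.compile(
    r"^(?P<ssid>.+?)(?:\s+(?P<bssid>(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}))?"
    r"\s+(?P<rssi>-\d+)\s+(?P<chan>\d+)(?:,(?P<off>[+-]\d))?"
    r"\s+(?P<ht>[YN])\s+(?P<cc>--|[A-Z]{2})\s+(?P<sec>.+?)\s*$"
)
SEC = re.compile(r"(WPA|RSN)\(([^/]+)/([^/]+)/([^)]+)\)")  # proto(auth/unicast/group)

def parse_airport_scan(text):
    """Return one dict per network row; the header and unparseable lines are skipped."""
    nets = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        sec = [{"proto": p, "auth": a.split(","), "ucast": u.split(","), "gcast": g.split(",")}
               for p, a, u, g in SEC.findall(m["sec"])]
        nets.append({"ssid": m["ssid"], "bssid": m["bssid"], "rssi": int(m["rssi"]),
                     "channel": int(m["chan"]), "offset": int(m["off"] or 0),
                     "band": "2.4GHz" if int(m["chan"]) <= 14 else "5GHz",
                     "ht": m["ht"] == "Y", "security": sec})
    return nets

def weaknesses(net):
    """Defender-side flags: no encryption, WPA1 offered, or TKIP in any cipher slot."""
    flags = {"open"} if not net["security"] else set()
    for s in net["security"]:
        if s["proto"] == "WPA":
            flags.add("wpa1")
        if "TKIP" in s["ucast"] or "TKIP" in s["gcast"]:
            flags.add("tkip")
    return sorted(flags)

def audit(text):
    """Map SSID -> flags for every scanned network that has at least one weakness."""
    return {n["ssid"]: weaknesses(n) for n in parse_airport_scan(text) if weaknesses(n)}
```

Feed it the raw text of a real `airport -s` run (sudo or not) to get a per-channel inventory and a list of the networks worth re-configuring.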
Is the BSSID column from `airport -s` output missing?

Try to run it with privileges and check how the rest goes...

```
sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s
```
It seems like airport no longer does anything, starting with macOS 14.4:

```
WARNING: The airport command line tool is deprecated and will be removed in a future release.
For diagnosing Wi-Fi related issues, use the Wireless Diagnostics app or wdutil command line tool.
```
Has anyone found a solution to this?
```
$ sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport
WARNING: The airport command line tool is deprecated and will be removed in a future release.
For diagnosing Wi-Fi related issues, use the Wireless Diagnostics app or wdutil command line tool.
$ sudo wdutil info
...
————————————————————————————————————————————————————————————————————
WIFI
————————————————————————————————————————————————————————————————————
MAC Address : <redacted> (hw=<redacted>)
Interface Name : en0
Power : On [On]
Op Mode : STA
SSID : <redacted>
BSSID : <redacted>
RSSI : -70 dBm
Noise : -95 dBm
Tx Rate : 263.0 Mbps
Security : WPA2 Personal
PHY Mode : 11ac
MCS Index : 6
Guard Interval : 400
NSS : 1
Channel : ------------------- intentionally removed
Country Code : US
Scan Cache Count : 61
NetworkServiceID : ------------------- intentionally removed
IPv4 Config Method : DHCP
IPv4 Address : ------------------- intentionally removed
IPv4 Router : ------------------- intentionally removed
IPv6 Config Method : Automatic
IPv6 Address : ------------------- intentionally removed
IPv6 Router : None
DNS : ------------------- intentionally removed
BTC Mode : Off
Desense :
Chain Ack : []
BTC Profile 2.4GHz : Disabled
BTC Profile 5GHz : Disabled
...
```
MAC Address, SSID, and BSSID are <redacted>! :(
working on it https://github.com/bettercap/bettercap/pull/1100