
Unable to capture passive PMKID values on MacOS #1076

@Divide-By-0

Description

Environment

Please provide:

  • Bettercap version you are using ( bettercap -version ): bettercap v2.32.0 (built for darwin arm64 with go1.19.2)
  • OS version and architecture you are using: M1 Mac with MacOS 13.6.4
  • Go version if building from sources N/A. Did brew install bettercap.
  • Command line arguments you are using: sudo bettercap -iface en0 -debug.
  • Caplet code you are using or the interactive session commands. N/A
  • Full debug output while reproducing the issue ( bettercap -debug ... ). See below.

Steps to Reproduce

First, find channels via airport -s. This gives:

SSID (BSSID)                        RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
**redacted name**                   -93  40      Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -93  36      Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -93  36      Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -92  108     Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -92  40      Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -91  64      Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -88  48      Y  -- RSN(PSK,SAE/AES/AES) 
**redacted name**                   -86  149,+1  Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -83  11      Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -82  149     Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -82  11      Y  -- WPA(PSK/AES/AES) RSN(PSK/AES/AES) 
**redacted name**                   -80  149,+1  Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -80  149,+1  Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -80  2       Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -78  48      Y  -- RSN(PSK,SAE/AES/AES) 
**redacted name**                   -77  161     Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -77  48      Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -76  36,+1   Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -74  36,+1   Y  -- WPA(PSK/TKIP/TKIP) RSN(PSK/TKIP,AES/TKIP) 
**redacted name**                   -74  157,+1  Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -73  5       Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -73  157,+1  Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -73  149     Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -73  8       Y  -- RSN(PSK,SAE/AES/AES) 
**redacted name**                   -72  157     Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -72  40,-1   Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -71  44      Y  -- WPA(PSK/AES,TKIP/TKIP) RSN(PSK/AES,TKIP/TKIP) 
**redacted name**                   -71  8       Y  -- RSN(PSK,SAE/AES/AES) 
**redacted name**                   -70  48      Y  -- RSN(802.1x/AES/AES) 
**redacted name**                   -70  48      Y  -- RSN(802.1x/AES/AES) 
**redacted name**                   -69  1,+1    Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -68  11      Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -67  3       Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -64  1       Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -64  1       Y  -- WPA(PSK/AES,TKIP/TKIP) RSN(PSK/AES,TKIP/TKIP) 
**redacted name**                   -62  1       Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -48  1       N  -- RSN(PSK/AES,TKIP/TKIP) 
**redacted name**                   -48  6       Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -47  6       Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -55  149     Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -55  149     Y  -- RSN(PSK/AES/AES) 

As you can see, things are distributed between a number of channels. I imagine trying it on all the channels like this won't capture anything, since it'll channel-switch too rapidly and miss responses.

wifi.recon on
wifi.assoc all

So instead we try on single channels, like 1 or 149:

wifi.recon on
wifi.recon.channel 1
wifi.assoc all
wifi.recon on
wifi.recon.channel 149
wifi.assoc all

Both of these just return a bunch of probing (sorry, I combined two outputs here, so the timestamps are a bit off):

$ sudo bettercap -iface en0 -debug
 en0  » [16:25:27] [sys.log] [dbg] arp.spoof arp cache restoration after spoofing enabled
 en0  » [16:25:27] [sys.log] [dbg] Could not find mac for 
 en0  » [16:25:27] [session.started] {session.started 2024-02-13 16:25:27.511091 -0500 EST m=+0.061114542 <nil>}
 en0  » [16:25:27] [mod.started] events.stream
 en0  » wifi.recon on
[16:25:31] [sys.log] [inf] wifi using interface en0 (bc:<redacted>)
[16:25:31] [sys.log] [dbg] wifi interface en0 txpower set to 30
[16:25:31] [sys.log] [dbg] creating capture for 'en0' with options: {Monitor:true Snaplen:65536 Bufsize:2097152 Promisc:true Timeout:500ms}

[16:25:32] [sys.log] [dbg] wifi new frequencies: []
[16:25:32] [sys.log] [dbg] wifi wifi supported frequencies: []
[16:25:32] [sys.log] [inf] wifi started (min rssi: -200 dBm)
[16:25:32] [mod.started] wifi
 en0  » [16:25:32] [sys.log] [inf] wifi channel hopper started.
 en0  » [16:25:32] [sys.log] [dbg] wifi wifi stations pruner started (ap.ttl:5m0s sta.ttl:5m0s).
 en0  » [16:25:32] [wifi.ap.new] wifi access point <redacted> (-52 dBm) detected as 0a:<redacted>.
 en0  » [16:25:32] [wifi.ap.new] wifi access point <redacted> (-79 dBm) detected as e2:<redacted>.
 en0  » [16:25:32] [wifi.ap.new] wifi access point 

wifi.recon.channel 149
[16:25:50] [sys.log] [dbg] wifi new frequencies: [5745]
[16:25:50] [sys.log] [dbg] wifi setting hopping channels to 149
[16:25:50] [sys.log] [dbg] wifi hop changed

wifi.assoc all
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
...(about 49 lines omitted)...
 en0  » [16:25:56] [wifi.ap.new] wifi access point <redacted> (-91 dBm) detected as 20:<redacted> (Verizon).
 en0  » [16:25:58] [wifi.client.new] new station 0c:<redacted>(Longcheer Telecommunication Limited) detected for <redacted> (08:<redacted>)
 en0  » [16:26:03] [wifi.client.new] new station 88:<redacted> (Apple, Inc.) detected for <redacted>-5G (00:<redacted>)
 en0  » [15:39:22] [wifi.client.probe] station <redacted> is probing for SSID <redacted> (-81 dBm)
 en0  » [15:39:23] [wifi.client.probe] station <redacted> (Sonos, Inc.) is probing for SSID <redacted> (-91 dBm)
 en0  » [15:39:23] [wifi.client.probe] station <redacted> (Espressif Inc.) is probing for SSID <redacted> (-83 dBm)
 en0  » [15:39:24] [wifi.ap.new] wifi access point <redacted> (-90 dBm) detected as <redacted> (Netgear).
 en0  » [15:39:25] [wifi.client.probe] station <redacted> is probing for SSID <redacted> (-45 dBm)
 en0  » [15:39:25] [wifi.client.probe] station <redacted> is probing for SSID <redacted> (-45 dBm)
 en0  » [15:39:27] [wifi.client.probe] station <redacted> (Espressif Inc.) is probing for SSID <redacted> (-85 dBm)
 en0  » [15:39:28] [wifi.client.probe] station <redacted> is probing for SSID <redacted> (-92 dBm)
 en0  » [15:39:28] [wifi.client.probe] station <redacted> (Espressif Inc.) is probing for SSID <redacted> (-83 dBm)
 en0  » [15:39:30] [wifi.client.probe] station <redacted> (Apple, Inc.) is probing for SSID <redacted> (-82 dBm)
 en0  » [15:39:30] [wifi.client.probe] station <redacted> (Apple, Inc.) is probing for SSID <redacted> (-84 dBm)
 en0  » [15:39:30] [wifi.client.probe] station <redacted> (Apple, Inc.) is probing for SSID <redacted> (-84 dBm)
 en0  » [15:39:30] [wifi.client.probe] station <redacted> (Apple, Inc.) is probing for SSID <redacted> (-87 dBm)
 en0  » [15:39:30] [wifi.client.probe] station <redacted> (Apple, Inc.) is probing for SSID <redacted> (-82 dBm)
 en0  » [15:39:30] [wifi.client.probe] station <redacted> (Apple, Inc.) is probing for SSID <redacted> (-92 dBm)
 en0  » [15:39:30] [wifi.client.probe] station <redacted> (Apple, Inc.) is probing for SSID <redacted> (-85 dBm)
 en0  » [15:39:30] [wifi.client.probe] station <redacted> (Apple, Inc.) is probing for SSID <redacted> (-85 dBm)
 en0  » [15:39:30] [wifi.client.probe] station <redacted> (Apple, Inc.) is probing for SSID <redacted> (-83 dBm)

And similarly for channel 149. One time I got this after starting to recon:

 en0  » [16:25:32] [sys.log] [dbg] wifi got frame 1/4 of the ee:<redacted> <-> 0e:<redacted> handshake (without PMKID) (anonce:a8...)
 en0  » [16:25:32] [sys.log] [dbg] wifi adding beacon frame to handshake for ee:<redacted>
 en0  » [16:25:32] [sys.log] [dbg] wifi (aggregate true) saving handshake frames to ~/bettercap-wifi-handshakes.pcap
 en0  » [16:25:32] [wifi.client.handshake] captured 0e:<redacted> -> <redacted>Guest (ee:<redacted>) WPA2 handshake (half) to ~/bettercap-wifi-handshakes.pcap
 en0  » [16:25:32] [sys.log] [dbg] wifi got frame 3/4 of the ee:<redacted> <-> 0e:<redacted> handshake (mic:5c99...)
 en0  » [16:25:32] [sys.log] [dbg] wifi (aggregate true) saving handshake frames to ~/bettercap-wifi-handshakes.pcap

Expected behavior:
PMKIDs should be written to a file, especially with so many RSN networks. However, ~/bettercap-wifi-handshakes.pcap does not exist and there's no output suggesting it got any PMKIDs.

Actual behavior:
wifi.assoc all just sent out probes and didn't actually do anything.
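As an added example (not part of this bug report and not bettercap's own code), here is a small Python parser for the `airport -s` table shown above. It tallies the WPA2-PSK (RSN/PSK) networks per primary channel so you can decide which channel to pin `wifi.recon.channel` to before running `wifi.assoc`, instead of letting the hopper spread the association requests across every channel in the scan. The sample scan is constructed in the same column layout as the report; the SSIDs, RSSI values and the optional BSSID column are made up. The classification only ranks where PMKID candidates are; whether a given AP actually puts a PMKID in EAPOL message 1 is something only the capture can tell you.

```python
"""Parse `airport -s` output and rank channels for a single-channel PMKID capture."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of `airport -s` output on macOS 13. SSIDs and
# values are made up; the BSSID column is empty, as it is on recent macOS
# without Location Services access.
SAMPLE_SCAN = """\
SSID (BSSID)                        RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
HomeNet                             -62  1       Y  -- RSN(PSK/AES/AES)
Neighbor 2                          -64  1       Y  -- WPA(PSK/AES,TKIP/TKIP) RSN(PSK/AES,TKIP/TKIP)
HomeNet-5G                          -55  149,+1  Y  -- RSN(PSK/AES/AES)
Coffee Shop 2                       -74  36,+1   Y  -- WPA(PSK/TKIP/TKIP) RSN(PSK/TKIP,AES/TKIP)
Corp-WiFi                           -70  48      Y  -- RSN(802.1x/AES/AES)
Modern-AP                           -73  8       Y  -- RSN(PSK,SAE/AES/AES)
OpenCafe                            -80  6       Y  -- NONE
"""

# Anchored from the right so SSIDs containing spaces or dashes survive.
# "149,+1" / "40,-1" is the 40 MHz secondary-channel notation: primary, then
# whether the extension channel sits above or below it.
LINE_RE = re.compile(
    r"^\s*(?P<ssid>.*?)\s+"
    r"(?:(?P<bssid>(?:[0-9A-Fa-f]{1,2}:){5}[0-9A-Fa-f]{1,2})\s+)?"
    r"(?P<rssi>-\d+)\s+"
    r"(?P<chan>\d+)(?:,(?P<ext>[+-]1))?\s+"
    r"(?P<ht>[YN])\s+(?P<cc>\S+)\s+(?P<security>\S.*?)\s*$"
)
# Pulls the auth list out of each "WPA(auth/unicast/group)" / "RSN(...)" group.
AUTH_RE = re.compile(r"(?:WPA2?|RSN)\(([^/]+)/")


@dataclass
class AccessPoint:
    ssid: str
    bssid: Optional[str]
    rssi: int
    channel: int
    ext: Optional[str]
    ht: bool
    cc: str
    security: str


def parse_scan(text: str) -> List[AccessPoint]:
    """Parse the table; the header row and blank lines are skipped."""
    aps = []
    for line in text.splitlines():
        if not line.strip() or ("RSSI" in line and "CHANNEL" in line):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate stray output lines rather than abort the scan
        aps.append(AccessPoint(
            ssid=m["ssid"], bssid=m["bssid"], rssi=int(m["rssi"]),
            channel=int(m["chan"]), ext=m["ext"], ht=m["ht"] == "Y",
            cc=m["cc"], security=m["security"],
        ))
    return aps


def band(channel: int) -> str:
    """Channels 1-14 are 2.4 GHz; airport -s reports 5 GHz channels as 36+."""
    return "2.4 GHz" if channel <= 14 else "5 GHz"


def classify(security: str) -> str:
    """open / psk / sae-only / enterprise / other, from the advertised auth suites."""
    if security.strip().upper() == "NONE":
        return "open"
    auths = {a.strip().upper()
             for m in AUTH_RE.finditer(security) for a in m.group(1).split(",")}
    if "PSK" in auths:          # includes PSK,SAE transition mode: WPA2 path still offered
        return "psk"
    if "SAE" in auths:          # WPA3-only: PMK is per-session, PMKID is not passphrase-bound
        return "sae-only"
    if "802.1X" in auths:       # PMK comes from EAP, not a passphrase
        return "enterprise"
    return "other"


def pmkid_candidates(aps: List[AccessPoint]) -> List[AccessPoint]:
    """APs that advertise RSN (WPA2) with PSK auth: the PMKID KDE is an RSN construct."""
    return [ap for ap in aps if classify(ap.security) == "psk" and "RSN(" in ap.security]


def channel_plan(aps: List[AccessPoint]) -> List[Tuple[int, int]]:
    """(primary channel, AP count) pairs, busiest first."""
    return Counter(ap.channel for ap in aps).most_common()


if __name__ == "__main__":
    candidates = pmkid_candidates(parse_scan(SAMPLE_SCAN))
    for chan, n in channel_plan(candidates):
        print(f"channel {chan:>3} ({band(chan)}): {n} WPA2-PSK AP(s)")
```

Run it against a real scan with `airport -s | python3 plan.py` after swapping `SAMPLE_SCAN` for `sys.stdin.read()`; the top line of the output is the channel worth pinning with `wifi.recon.channel` for the first attempt. 802.1X and SAE-only networks are deliberately left out of the plan because their PMK is not derived from a passphrase, so a PMKID from them has nothing to crack against.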
