" #
WIFI
The WiFi modules use a WiFi interface supporting monitor mode and packet injection in order to:
- scan the 802.11 spectrum
- perform deauthentication attacks on connected client stations
- perform RSN PMKID based clientless attacks on vulnerable access points
- automatically sniff and save key material either from complete WPA/WPA2 handshakes or PMKID packets
- send spoofed management beacons to create fake access points.
Note: The interface only needs to support monitor mode and packet injection; bettercap itself will switch it to the right mode, just make sure there aren't other processes using the same WiFi interface.
Note: These modules are natively supported on macOS with the default interface en0. Just make sure the interface is not connected to any WiFi network and then start bettercap with:
sudo bettercap -iface en0
Commands
wifi.recon on
Start 802.11 wireless base stations discovery and handshakes/PMKID capture.
wifi.recon off
Stop 802.11 wireless base stations discovery.
wifi.clear
Clear all access points collected by the WiFi discovery module.
wifi.recon BSSID
Set 802.11 base station address to filter for.
wifi.recon clear
Remove the 802.11 base station filter.
wifi.assoc BSSID
Send an association request to the selected BSSID in order to receive a RSN PMKID key (use all, * or ff:ff:ff:ff:ff:ff to iterate over every access point).
wifi.deauth BSSID
Start a 802.11 deauth attack: if an access point BSSID is provided, every client will be deauthenticated, otherwise only the selected client (use all, * or ff:ff:ff:ff:ff:ff to deauth everything).
wifi.show
Show current wireless stations list (default sorting by RSSI).
wifi.show.wps BSSID
Show WPS information about a given station (use all, * or ff:ff:ff:ff:ff:ff to select all).
wifi.recon.channel CHANNEL
Comma separated list of channels to hop on.
wifi.recon.channel clear
Enable channel hopping on all supported channels.
wifi.ap
Inject fake management beacons in order to create a rogue access point (requires wifi.recon to be running).
Parameters
parameter | default | description
wifi.interface | (empty) | If filled, will use this interface instead of the one provided by the -iface argument or detected automatically.
wifi.region | BO | Set the WiFi region to this value before activating the interface.
wifi.txpower | 30 | Set WiFi transmission power to this value before activating the interface.
wifi.rssi.min | -200 | Minimum WiFi signal strength in dBm.
wifi.show.manufacturer | false | If true, wifi.show will also show the device manufacturer.
wifi.show.filter | (empty) | Defines a regular expression filter for wifi.show.
wifi.show.sort | rssi asc | Defines sort field (rssi, bssid, essid, channel, encryption, clients, seen, sent, rcvd) and direction (asc or desc) for wifi.show.
wifi.show.sort | asc | Defines sort direction for wifi.show.
wifi.show.limit | 0 | If greater than zero, defines a limit for wifi.show.
wifi.hop.period | 250 | If channel hopping is enabled (empty wifi.recon.channel), this is the time in milliseconds the algorithm will stay on every channel (it'll be doubled if both 2.4 and 5.0 bands are available).
wifi.handshakes.file | ~/bettercap-wifi-handshakes.pcap | File path of the pcap file to save handshakes to.
wifi.source.file | (empty) | If set, the wifi module will read from this pcap file instead of the hardware interface.
wifi.skip-broken | true | If true, dot11 packets with an invalid checksum will be skipped.
wifi.assoc.skip | (empty) | Comma separated list of BSSID to skip while sending association requests.
wifi.assoc.silent | false | If true, messages from wifi.assoc will be suppressed.
wifi.assoc.open | false | Send association requests to open networks.
wifi.deauth.skip | (empty) | Comma separated list of BSSID to skip while sending deauth packets.
wifi.deauth.silent | false | If true, messages from wifi.deauth will be suppressed.
wifi.deauth.open | true | Send wifi deauth packets to open networks.
wifi.ap.ssid | FreeWifi | SSID of the fake access point.
wifi.ap.bssid | <random mac> | BSSID of the fake access point.
wifi.ap.channel | 1 | Channel of the fake access point.
wifi.ap.encryption | true | If true, the fake access point will use WPA2, otherwise it'll result as an open AP.
Examples
Run bettercap using eth0 as the main interface but start the wifi module on wlan0 instead:
sudo bettercap -iface eth0 -eval "set wifi.interface wlan0; wifi.recon on"
Keep deauthing clients from the access point with BSSID DE:AD:BE:EF:DE:AD every five seconds:
> set ticker.period 5; set ticker.commands "wifi.deauth DE:AD:BE:EF:DE:AD"; ticker on
Use the ticker and wifi.recon modules to create a WiFi scanner (performing channel hopping on every supported frequency):
> set ticker.commands "clear; wifi.show"; wifi.recon on; ticker on
Sort by BSSID and filter for BSSIDs starting with F4 :
> set wifi.show.sort bssid asc
> set wifi.show.filter ^F4
> wifi.show
Only recon on channels 1, 2 and 3:
> wifi.recon.channel 1,2,3; wifi.recon on
Send management beacons as the fake access point "Banana" with BSSID DE:AD:BE:EF:DE:AD on channel 5 without encryption:
> set wifi.ap.ssid Banana
> set wifi.ap.bssid DE:AD:BE:EF:DE:AD
> set wifi.ap.channel 5
> set wifi.ap.encryption false
> wifi.recon on; wifi.ap
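The two behaviours shown in the last examples (a repeated wifi.deauth against one BSSID, and wifi.ap beacons advertising a known SSID from a spoofed BSSID) are what a wireless IDS looks for. The following is an added defender-side example, not bettercap code: it parses raw 802.11 management frames, flags a transmitter that sends a burst of deauthentication frames inside a sliding window, and flags beacons that advertise an SSID from a BSSID not on an operator-supplied allow-list. The frames, the allow-list and the threshold are constructed sample data.

```python
from collections import defaultdict, deque
DEAUTH, BEACON = 0xC, 0x8  # 802.11 management frame subtypes

def parse_mgmt(raw):
    """Return (subtype, transmitter, bssid, body) for a management frame, else None."""
    if len(raw) < 24 or (raw[0] >> 2) & 0x3 != 0:  # frame-control type 0 == management
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return raw[0] >> 4, mac(raw[10:16]), mac(raw[16:22]), raw[24:]

def beacon_ssid(body):
    """Walk the beacon's information elements (after 12 bytes of fixed fields) for tag 0 (SSID)."""
    i = 12
    while i + 2 <= len(body):
        tag, ln = body[i], body[i + 1]
        if tag == 0:
            return body[i + 2:i + 2 + ln].decode("utf-8", "replace")
        i += 2 + ln
    return None

def analyze(frames, known_aps, threshold=10, window=5.0):
    """frames: (seconds, raw_frame) pairs; known_aps: {ssid: {allowed bssid, ...}}.
    Alerts on >= threshold deauths from one transmitter within `window` seconds and on
    beacons that advertise a known SSID from a BSSID outside the allow-list."""
    recent, alerts, flagged = defaultdict(deque), [], set()
    for ts, raw in frames:
        parsed = parse_mgmt(raw)
        if parsed is None:
            continue
        subtype, src, bssid, body = parsed
        if subtype == DEAUTH:
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:  # keep only timestamps inside the sliding window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(f"deauth flood: {len(q)} frames from {src} within {window}s")
        elif subtype == BEACON:
            ssid = beacon_ssid(body)
            if ssid in known_aps and bssid not in known_aps[ssid]:
                alerts.append(f"rogue beacon: SSID {ssid!r} from unexpected BSSID {bssid}")
    return alerts

def _mgmt(subtype, a1, a2, a3, body=b""):
    """Build a minimal 24-byte 802.11 management header (constructed test data, not a capture)."""
    return bytes([subtype << 4, 0, 0, 0]) + a1 + a2 + a3 + b"\x00\x00" + body

ATTACKER, BCAST = bytes.fromhex("deadbeefdead"), b"\xff" * 6  # sample BSSID taken from the page
SAMPLE = [(0.1 * i, _mgmt(DEAUTH, BCAST, ATTACKER, ATTACKER, b"\x07\x00")) for i in range(12)]
SAMPLE.append((2.0, _mgmt(BEACON, BCAST, ATTACKER, ATTACKER, b"\x00" * 12 + b"\x00\x06Banana")))
KNOWN = {"Banana": {"00:11:22:33:44:55"}}  # constructed allow-list: the legitimate "Banana" AP
```

Running analyze(SAMPLE, KNOWN) yields one deauth-flood alert and one rogue-beacon alert; feeding it frames from a real monitor-mode capture only requires supplying the 802.11 payload bytes with their timestamps.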