Unable to capture passive PMKID values on MacOS #1076

Open
Divide-By-0 opened this issue Feb 13, 2024 · 2 comments

Comments

@Divide-By-0

Divide-By-0 commented Feb 13, 2024

Prerequisites

Description of the bug or feature request

Environment

Please provide:

  • Bettercap version you are using ( bettercap -version ): bettercap v2.32.0 (built for darwin arm64 with go1.19.2)
  • OS version and architecture you are using: M1 Mac with MacOS 13.6.4
  • Go version if building from sources: N/A. Did brew install bettercap.
  • Command line arguments you are using: sudo bettercap -iface en0 -debug.
  • Caplet code you are using or the interactive session commands: N/A
  • Full debug output while reproducing the issue ( bettercap -debug ... ). See below.

Steps to Reproduce

First, find channels via airport -s. This gives:

SSID (BSSID)                        RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
**redacted name**                   -93  40      Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -93  36      Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -93  36      Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -92  108     Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -92  40      Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -91  64      Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -88  48      Y  -- RSN(PSK,SAE/AES/AES) 
**redacted name**                   -86  149,+1  Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -83  11      Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -82  149     Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -82  11      Y  -- WPA(PSK/AES/AES) RSN(PSK/AES/AES) 
**redacted name**                   -80  149,+1  Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -80  149,+1  Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -80  2       Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -78  48      Y  -- RSN(PSK,SAE/AES/AES) 
**redacted name**                   -77  161     Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -77  48      Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -76  36,+1   Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -74  36,+1   Y  -- WPA(PSK/TKIP/TKIP) RSN(PSK/TKIP,AES/TKIP) 
**redacted name**                   -74  157,+1  Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -73  5       Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -73  157,+1  Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -73  149     Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -73  8       Y  -- RSN(PSK,SAE/AES/AES) 
**redacted name**                   -72  157     Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -72  40,-1   Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -71  44      Y  -- WPA(PSK/AES,TKIP/TKIP) RSN(PSK/AES,TKIP/TKIP) 
**redacted name**                   -71  8       Y  -- RSN(PSK,SAE/AES/AES) 
**redacted name**                   -70  48      Y  -- RSN(802.1x/AES/AES) 
**redacted name**                   -70  48      Y  -- RSN(802.1x/AES/AES) 
**redacted name**                   -69  1,+1    Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -68  11      Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -67  3       Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -64  1       Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -64  1       Y  -- WPA(PSK/AES,TKIP/TKIP) RSN(PSK/AES,TKIP/TKIP) 
**redacted name**                   -62  1       Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -48  1       N  -- RSN(PSK/AES,TKIP/TKIP) 
**redacted name**                   -48  6       Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -47  6       Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -55  149     Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -55  149     Y  -- RSN(PSK/AES/AES) 

As you can see, things are distributed between a number of channels. I imagine trying it on all the channels like this won't capture anything, since it'll channel switch too rapidly and miss responses.

wifi.recon on
wifi.assoc all

So instead we try on single channels, like 1 or 149:

wifi.recon on
wifi.recon.channel 1
wifi.assoc all
wifi.recon on
wifi.recon.channel 149
wifi.assoc all

Both of these just return a bunch of probing (sorry I combined two outputs here so the timestamps are a bit off):

$ sudo bettercap -iface en0 -debug
 en0  » [16:25:27] [sys.log] [dbg] arp.spoof arp cache restoration after spoofing enabled
 en0  » [16:25:27] [sys.log] [dbg] Could not find mac for 
 en0  » [16:25:27] [session.started] {session.started 2024-02-13 16:25:27.511091 -0500 EST m=+0.061114542 <nil>}
 en0  » [16:25:27] [mod.started] events.stream
 en0  » wifi.recon on
[16:25:31] [sys.log] [inf] wifi using interface en0 (bc:<redacted>)
[16:25:31] [sys.log] [dbg] wifi interface en0 txpower set to 30
[16:25:31] [sys.log] [dbg] creating capture for 'en0' with options: {Monitor:true Snaplen:65536 Bufsize:2097152 Promisc:true Timeout:500ms}

[16:25:32] [sys.log] [dbg] wifi new frequencies: []
[16:25:32] [sys.log] [dbg] wifi wifi supported frequencies: []
[16:25:32] [sys.log] [inf] wifi started (min rssi: -200 dBm)
[16:25:32] [mod.started] wifi
 en0  » [16:25:32] [sys.log] [inf] wifi channel hopper started.
 en0  » [16:25:32] [sys.log] [dbg] wifi wifi stations pruner started (ap.ttl:5m0s sta.ttl:5m0s).
 en0  » [16:25:32] [wifi.ap.new] wifi access point <redacted> (-52 dBm) detected as 0a:<redacted>.
 en0  » [16:25:32] [wifi.ap.new] wifi access point <redacted> (-79 dBm) detected as e2:<redacted>.
 en0  » [16:25:32] [wifi.ap.new] wifi access point 

wifi.recon.channel 149
[16:25:50] [sys.log] [dbg] wifi new frequencies: [5745]
[16:25:50] [sys.log] [dbg] wifi setting hopping channels to 149
[16:25:50] [sys.log] [dbg] wifi hop changed

wifi.assoc all
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
 en0  » [15:39:02] [sys.log] [inf] wifi sending association request to AP <redacted> (channel:1 encryption:WPA2)
...(about 49 lines omitted)...
 en0  » [16:25:56] [wifi.ap.new] wifi access point <redacted> (-91 dBm) detected as 20:<redacted> (Verizon).
 en0  » [16:25:58] [wifi.client.new] new station 0c:<redacted>(Longcheer Telecommunication Limited) detected for <redacted> (08:<redacted>)
 en0  » [16:26:03] [wifi.client.new] new station 88:<redacted> (Apple, Inc.) detected for <redacted>-5G (00:<redacted>)
 en0  » [15:39:22] [wifi.client.probe] station <redacted> is probing for SSID <redacted> (-81 dBm)
 en0  » [15:39:23] [wifi.client.probe] station <redacted> (Sonos, Inc.) is probing for SSID <redacted> (-91 dBm)
 en0  » [15:39:23] [wifi.client.probe] station <redacted> (Espressif Inc.) is probing for SSID <redacted> (-83 dBm)
 en0  » [15:39:24] [wifi.ap.new] wifi access point <redacted> (-90 dBm) detected as <redacted> (Netgear).
 en0  » [15:39:25] [wifi.client.probe] station <redacted> is probing for SSID <redacted> (-45 dBm)
 en0  » [15:39:25] [wifi.client.probe] station <redacted> is probing for SSID <redacted> (-45 dBm)
 en0  » [15:39:27] [wifi.client.probe] station <redacted> (Espressif Inc.) is probing for SSID <redacted> (-85 dBm)
 en0  » [15:39:28] [wifi.client.probe] station <redacted> is probing for SSID <redacted> (-92 dBm)
 en0  » [15:39:28] [wifi.client.probe] station <redacted> (Espressif Inc.) is probing for SSID <redacted> (-83 dBm)
 en0  » [15:39:30] [wifi.client.probe] station <redacted> (Apple, Inc.) is probing for SSID <redacted> (-82 dBm)
 en0  » [15:39:30] [wifi.client.probe] station <redacted> (Apple, Inc.) is probing for SSID <redacted> (-84 dBm)
 en0  » [15:39:30] [wifi.client.probe] station <redacted> (Apple, Inc.) is probing for SSID <redacted> (-84 dBm)
 en0  » [15:39:30] [wifi.client.probe] station <redacted> (Apple, Inc.) is probing for SSID <redacted> (-87 dBm)
 en0  » [15:39:30] [wifi.client.probe] station <redacted> (Apple, Inc.) is probing for SSID <redacted> (-82 dBm)
 en0  » [15:39:30] [wifi.client.probe] station <redacted> (Apple, Inc.) is probing for SSID <redacted> (-92 dBm)
 en0  » [15:39:30] [wifi.client.probe] station <redacted> (Apple, Inc.) is probing for SSID <redacted> (-85 dBm)
 en0  » [15:39:30] [wifi.client.probe] station <redacted> (Apple, Inc.) is probing for SSID <redacted> (-85 dBm)
 en0  » [15:39:30] [wifi.client.probe] station <redacted> (Apple, Inc.) is probing for SSID <redacted> (-83 dBm)

And similarly for channel 149. One time I got this after starting to recon:

 en0  » [16:25:32] [sys.log] [dbg] wifi got frame 1/4 of the ee:<redacted> <-> 0e:<redacted> handshake (without PMKID) (anonce:a8...)
 en0  » [16:25:32] [sys.log] [dbg] wifi adding beacon frame to handshake for ee:<redacted>
 en0  » [16:25:32] [sys.log] [dbg] wifi (aggregate true) saving handshake frames to ~/bettercap-wifi-handshakes.pcap
 en0  » [16:25:32] [wifi.client.handshake] captured 0e:<redacted> -> <redacted>Guest (ee:<redacted>) WPA2 handshake (half) to ~/bettercap-wifi-handshakes.pcap
 en0  » [16:25:32] [sys.log] [dbg] wifi got frame 3/4 of the ee:<redacted> <-> 0e:<redacted> handshake (mic:5c99...)
 en0  » [16:25:32] [sys.log] [dbg] wifi (aggregate true) saving handshake frames to ~/bettercap-wifi-handshakes.pcap

Expected behavior: What you expected to happen
PMKIDs should be written to a file, especially with so many RSN networks. However, ~/bettercap-wifi-handshakes.pcap does not exist and there's no output suggesting it got any PMKIDs.

Actual behavior: What actually happened
wifi.assoc all just sent out probes and didn't actually do anything.

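A parser for the airport -s table pasted in the report, added here as an example and not code from the issue or from bettercap; the sample rows are constructed in the column layout the reporter pasted, with names redacted as on the page. It groups access points by primary channel (the reporter's point about channel distribution) and, from a defender's side, flags rows that still advertise WPA1 or a TKIP cipher.

```python
import re
from collections import Counter

# Constructed sample in the column layout of the `airport -s` output quoted in
# the issue (names redacted just as on the page); this is not real scan data.
AIRPORT_SCAN = """\
SSID (BSSID)                        RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
**redacted name**                   -93  40      Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -88  48      Y  -- RSN(PSK,SAE/AES/AES) 
**redacted name**                   -86  149,+1  Y  -- RSN(PSK/AES/AES) 
**redacted name**                   -82  11      Y  -- WPA(PSK/AES/AES) RSN(PSK/AES/AES) 
**redacted name**                   -74  36,+1   Y  -- WPA(PSK/TKIP/TKIP) RSN(PSK/TKIP,AES/TKIP) 
**redacted name**                   -70  48      Y  -- RSN(802.1x/AES/AES) 
**redacted name**                   -48  1       N  -- RSN(PSK/AES,TKIP/TKIP) 
"""

# One scan row: SSID (may contain spaces), RSSI, channel ("149,+1"), HT, CC, security.
ROW = re.compile(r"^(?P<ssid>.+?)\s+(?P<rssi>-\d+)\s+(?P<chan>\S+)\s+(?P<ht>[YN])\s+"
                 r"(?P<cc>\S+)\s+(?P<sec>.*?)\s*$")
# One security suite, e.g. RSN(PSK,SAE/AES/AES) -> proto, auth, unicast, group.
SUITE = re.compile(r"(?P<proto>WPA|RSN)\((?P<auth>[^/]*)/(?P<unicast>[^/]*)/(?P<group>[^)]*)\)")

def primary_channel(chan):
    """'149,+1' is primary channel 149 with a secondary above it; keep the primary."""
    return int(chan.split(",")[0])

def parse_scan(text):
    """Turn airport -s output into dicts; the header line never matches ROW and is skipped."""
    records = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        records.append({
            "ssid": m.group("ssid"),
            "rssi": int(m.group("rssi")),
            "channel": primary_channel(m.group("chan")),
            "suites": [s.groupdict() for s in SUITE.finditer(m.group("sec"))],
        })
    return records

def channel_histogram(records):
    """Count access points per primary channel (the reporter's single-channel argument)."""
    return Counter(r["channel"] for r in records)

def weak_networks(records):
    """Flag legacy configurations a defender would want retired: WPA1 or any TKIP cipher."""
    flagged = []
    for r in records:
        reasons = set()
        for s in r["suites"]:
            if s["proto"] == "WPA":
                reasons.add("WPA1 advertised")
            if "TKIP" in s["unicast"] or "TKIP" in s["group"]:
                reasons.add("TKIP cipher")
        if reasons:
            flagged.append((r["ssid"], r["channel"], sorted(reasons)))
    return flagged
```

Feed the full table from a real `airport -s` run into parse_scan to see which channels are worth parking on and which networks still negotiate legacy ciphers.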

@marcmp

marcmp commented Feb 29, 2024

Is the BSSID column from airport -s output missing?
Try to run it with privileges and check how the rest goes...
sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s

@malicious

It seems like airport no longer does anything, starting with macOS 14.4:

WARNING: The airport command line tool is deprecated and will be removed in a future release.
For diagnosing Wi-Fi related issues, use the Wireless Diagnostics app or wdutil command line tool.
