BetterCAP is a powerful, flexible and portable tool created to perform various types of MITM attacks against a network, manipulate HTTP, HTTPS and TCP traffic in realtime, sniff for credentials and much more.
Why another MITM tool?
This is exactly what you are thinking right now, isn’t it? 😀 But allow yourself to think about it for 5 more minutes … what you should be really asking is:
Does a complete, modular, portable and easy to extend MITM tool actually exist?
If your answer is “ettercap”, let me tell you something:
- Ettercap was a great tool, but it made its time.
- Ettercap filters do not work most of the times, are outdated and hard to implement due to the specific language they’re implemented in.
- Ettercap is freaking unstable on big networks … try to launch the host discovery on a bigger network rather than the usual /24 😉
- Yeah you can see connections and raw pcap stuff, nice toy, but as a professional researcher I want to see only relevant stuff.
- Unless you’re a C/C++ developer, you can’t easily extend ettercap or make your own module.
- Ettercap’s and MITMf’s ICMP spoofing is completely useless, ours is not.
- Ettercap does not provide a builtin and modular HTTP(S) and TCP transparent proxies, we do.
- Ettercap does not provide a smart and fully customizable credentials sniffer, we do.
Author: Simone 'evilsocket' Margaritelli*
Usage: bettercap [options]
MAIN: -I, --interface IFACE Network interface name - default: eth0 -G, --gateway ADDRESS Manually specify the gateway address, if not specified the current gateway will be retrieved and used. -T, --target ADDRESS1,ADDRESS2 Target IP addresses, if not specified the whole subnet will be targeted. --ignore ADDRESS1,ADDRESS2 Ignore these addresses if found while searching for targets. --no-discovery Do not actively search for hosts, just use the current ARP cache, default to false. --no-target-nbns Disable target NBNS hostname resolution. --packet-throttle NUMBER Number of seconds ( can be a decimal number ) to wait between each packet to be sent. --check-updates Will check if any update is available and then exit. -h, --help Display the available options. LOGGING: -O, --log LOG_FILE Log all messages into a file, if not specified the log messages will be only print into the shell. --log-timestamp Enable logging with timestamps for each line, disabled by default. -D, --debug Enable debug logging. --silent Suppress every message which is not an error or a warning, default to false. SPOOFING: -S, --spoofer NAME Spoofer module to use, available: ARP, ICMP, NONE - default: ARP. --no-spoofing Disable spoofing, alias for --spoofer NONE. --half-duplex Enable half-duplex MITM, this will make bettercap work in those cases when the router is not vulnerable. --kill Instead of forwarding packets, this switch will make targets connections to be killed. SNIFFING: -X, --sniffer Enable sniffer. -L, --local Parse packets coming from/to the address of this computer ( NOTE: Will set -X to true ), default to false. --sniffer-source FILE Load packets from the specified PCAP file instead of the interface ( will enable sniffer ). --sniffer-output FILE Save all packets to the specified PCAP file ( will enable sniffer ). --sniffer-filter EXPRESSION Configure the sniffer to use this BPF filter ( will enable sniffer ). -P, --parsers PARSERS Comma separated list of packet parsers to enable, '*' for all ( NOTE: Will set -X to true ), available: MAIL, FTP, DHCP, IRC, MYSQL, HTTPAUTH, COOKIE, REDIS, HTTPS, URL, POST, PGSQL, SNMP, SNPP, RLOGIN, MPD, DICT, NNTP, NTLMSS, WHATSAPP, CREDITCARD - default: * --custom-parser EXPRESSION Use a custom regular expression in order to capture and show sniffed data ( NOTE: Will set -X to true ). PROXYING: TCP: --tcp-proxy Enable TCP proxy ( requires other --tcp-proxy-* options to be specified ). --tcp-proxy-module MODULE Ruby TCP proxy module to load. --tcp-proxy-port PORT Set local TCP proxy port, default to 2222 . --tcp-proxy-upstream ADDRESS:PORT Set TCP proxy upstream server address and port. --tcp-proxy-upstream-address ADDRESS Set TCP proxy upstream server address. --tcp-proxy-upstream-port PORT Set TCP proxy upstream server port. HTTP: --proxy Enable HTTP proxy and redirects all HTTP requests to it, default to false. --proxy-port PORT Set HTTP proxy port, default to 8080. --allow-local-connections Allow direct connections to the proxy instance, default to false. --no-sslstrip Disable SSLStrip. --proxy-module MODULE Ruby proxy module to load, either a custom file or one of the following: injectcss, injecthtml, injectjs. --http-ports PORT1,PORT2 Comma separated list of HTTP ports to redirect to the proxy, default to 80. --proxy-upstream-address ADDRESS If set, only requests coming from this server address will be redirected to the HTTP/HTTPS proxies. HTTPS: --proxy-https Enable HTTPS proxy and redirects all HTTPS requests to it, default to false. --proxy-https-port PORT Set HTTPS proxy port, default to 8083. --proxy-pem FILE Use a custom PEM CA certificate file for the HTTPS proxy, default to /home/mial/.bettercap/bettercap-ca.pem . --https-ports PORT1,PORT2 Comma separated list of HTTPS ports to redirect to the proxy, default to 443. CUSTOM: --custom-proxy ADDRESS Use a custom HTTP upstream proxy instead of the builtin one. --custom-proxy-port PORT Specify a port for the custom HTTP upstream proxy, default to 8080. --custom-https-proxy ADDRESS Use a custom HTTPS upstream proxy instead of the builtin one. --custom-https-proxy-port PORT Specify a port for the custom HTTPS upstream proxy, default to 8083. --custom-redirection RULE Apply a custom port redirection, the format of the rule is PROTOCOL ORIGINAL_PORT NEW_PORT. For instance TCP 21 2100 will redirect all TCP traffic going to port 21, to port 2100. SERVERS: --httpd Enable HTTP server, default to false. --httpd-port PORT Set HTTP server port, default to 8081. --httpd-path PATH Set HTTP server path, default to ./ . --dns FILE Enable DNS server and use this file as a hosts resolution table. --dns-port PORT Set DNS server port, default to 5300.
Bettercap Usage Example
The following are the main options that determine the general behaviour of BetterCap, these options are not mandatory, in fact bettercap will automatically detect everything it needs in order to work, you just might need to use one or more of the following options to specify some custom behaviour in specific cases.
Attack specific targets:
sudo bettercap -T 192.168.1.10,192.168.1.11
Attack a specific target by its MAC address:
sudo bettercap -T 01:23:45:67:89:10
Attack a range of IP addresses:
sudo bettercap -T 192.168.1.1-30
Attack a specific subnet:
sudo bettercap -T 192.168.1.1/24
-I, –interface IFACE
BetterCAP will automatically detect your default network interface and use it, if you want to make it use another interface ( when you have more than one, let’s say eth0 and wlan0 ) you can use this option.
-G, –gateway ADDRESS
The same goes for the gateway, either let bettercap automatically detect it or manually specify its address.
-T, –target ADDRESS1,ADDRESS2
If no specific target is given on the command line, bettercap will spoof every single address on the network. There are cases when you already know the IP or MAC address of your target(s), in such cases you can use this option.
Ignore these IP addresses if found while searching for targets.
Do not actively search for hosts, just use the current ARP cache, default to false.
Disable target NBNS hostname resolution.
Number of seconds ( can be a decimal number ) to wait between each packet to be sent.
Will check if any update is available and then exit.
Display the available options.
These options determine how bettercap console logger is going to behave.
Save log output to the out.log file:
sudo bettercap --log out.log
Save log output to the out.log file and suppress terminal output:
sudo bettercap --log out.log --silent
Save log output to the out-ts.log file and enable timestamps for each line:
sudo bettercap --log-timestamp --log out-ts.log
-O, –log LOG_FILE
Log all messages into a file, if not specified the log messages will be only print into the shell.
Enable logging with timestamps for each line, disabled by default.
Enable debug logging, it is good practice to use this option while reporting a bug in order to have the full debug log of the program.
Suppress every message which is not an error or a warning, default to false.
As previously described in the introduction section, spoofing is the very hearth of every MITM attack. These options will determine which spoofing technique to use and how to use it.
BetterCap already includes an ARP spoofer ( working both in full duplex and half duplex mode ), aDNS spoofer and the first, fully working and completely automatized ICMP DoubleDirect spooferin the world
Use the good old ARP spoofing:
sudo bettercap or sudo bettercap -S ARP or sudo bettercap --spoofer ARP
Use a full duplex ICMP redirect spoofing attack:
sudo bettercap -S ICMP or sudo bettercap --spoofer ICMP
sudo bettercap -S NONE or sudo bettercap –spoofer NONE or sudo bettercap –no-spoofing
No dear 192.168.1.2, you won’t connect to anything anymore 😀
sudo bettercap -T 192.168.1.2 --kill
-S, –spoofer NAME
Spoofer module to use, available: ARP, ICMP, NONE – default: ARP.
Disable spoofing, alias for –spoofer NONE / -S NONE.
Instead of forwarding packets, this switch will make targets connections to be killed.
If your router has some builtin protection against spoofing do not worry, you can go half duplex.
During a MITM, full duplex means that you’re poisoning both the target machine and the router, namely if T is the target, R is the router and A is the attacker, you’ll do this:
Make T believe that A is the router.
Make R believe that A is the target.
So you need to send two ARP replies in order to do this.
Sniffing & Credentials Harvesting
The builtin sniffer is currently able to dissect and print from the network ( or from a previously captured PCAP file ) the following informations:
- URLs being visited.
- HTTPS hosts being visited.
- HTTP POSTed data.
- HTTP Basic and Digest authentications.
- HTTP Cookies.
- FTP credentials.
- IRC credentials.
- POP, IMAP and SMTP credentials.
- NTLMv1/v2 ( HTTP, SMB, LDAP, etc ) credentials.
- DICT Protocol credentials.
- MPD Credentials.
- NNTP Credentials.
- DHCP messages and authentication.
- REDIS login credentials.
- RLOGIN credentials.
- SNPP credentials.
- And more!
Use bettercap as a simple local network sniffer:
sudo bettercap --local or sudo bettercap -L
Use the capture.pcap file in your home directory as a packets source:
sudo bettercap --sniffer-source ~/capture.pcap
Spoof the whole network and save every packet to the capture.pcap file in your home directory:
sudo bettercap --sniffer-output ~/capture.pcap
Spoof the whole network but only sniff HTTP traffic:
sudo bettercap --sniffer-filter "tcp port http"
Spoof the whole network and extract data from packets containing the “password” word:
sudo bettercap --custom-parser ".*password.*"
By default bettercap will only parse packets coming from/to other addresses on the network, if you also want to process packets being sent or received from your own computer you can use this option ( NOTE: will enable the sniffer ).
Load packets from the specified PCAP file instead of the network interface ( NOTE: will enable the sniffer ).
Save all packets to the specified PCAP file ( NOTE: will enable the sniffer ).
Configure the sniffer to use this BPF filter ( NOTE: will enable the sniffer ).
-P, –parsers PARSERS
Comma separated list of packet parsers to enable, * for all ( NOTE: will enable the sniffer ), available: COOKIE, CREDITCARD, DHCP, DICT, FTP, HTTPAUTH, HTTPS, IRC, MAIL, MPD, MYSQL, NNTP,NTLMSS, PGSQL, POST, REDIS, RLOGIN, SNMP, SNPP, URL, WHATSAPP, default to *.
Use a custom regular expression in order to capture and show sniffed data ( NOTE: will enable the sniffer ).
Enable HTTP server, default to false.
Set HTTP server port, default to 8081.
Set HTTP server path, default to ./.
If you want to perform DNS spoofing, you must specify the –dns FILE command line argument, where the FILE value is the name of a file composed by entries like the following:
# Empty lines or lines starting with # will be ignored. # redirect *.google.com to the attacker ip address local .*google\.com # redirect *.microsoft.com to 10.10.10.10 10.10.10.10 .*microsoft\.com
Then all you’ve left to do is execute:
sudo bettercap --dns dns.conf
Enable DNS server and use this file as a hosts resolution table.
Set DNS server port, default to 5300.
How to install Bettercap
Installation on Kali Linux
sudo apt-get install bettercap
Installation on Linux (Debian, Mint, Ubuntu)
sudo apt-get install build-essential ruby-dev libpcap-dev sudo apt-get install ruby gem install bettercap