You are here: Home » Sniffing & Spoofing » Bettercap

Bettercap

Bettercap Description

BetterCAP is a powerful, flexible and portable tool created to perform various types of MITM attacks against a network, manipulate HTTP, HTTPS and TCP traffic in realtime, sniff for credentials and much more.

Why another MITM tool?

This is exactly what you are thinking right now, isn’t it? 😀 But allow yourself to think about it for 5 more minutes … what you should be really asking is:

Does a complete, modular, portable and easy to extend MITM tool actually exist?

If your answer is “ettercap”, let me tell you something:

  • Ettercap was a great tool, but it made its time.
  • Ettercap filters do not work most of the times, are outdated and hard to implement due to the specific language they’re implemented in.
  • Ettercap is freaking unstable on big networks … try to launch the host discovery on a bigger network rather than the usual /24 😉
  • Yeah you can see connections and raw pcap stuff, nice toy, but as a professional researcher I want to see only relevant stuff.
  • Unless you’re a C/C++ developer, you can’t easily extend ettercap or make your own module.

Moreover:

  • Ettercap’s and MITMf’s ICMP spoofing is completely useless, ours is not.
  • Ettercap does not provide a builtin and modular HTTP(S) and TCP transparent proxies, we do.
  • Ettercap does not provide a smart and fully customizable credentials sniffer, we do.

Homepage: https://www.bettercap.org/

Author: Simone 'evilsocket' Margaritelli*

License: GPL3

Bettercap Help

Usage: bettercap [options]
MAIN:

    -I, --interface IFACE            Network interface name - default: eth0
    -G, --gateway ADDRESS            Manually specify the gateway address, if not specified the current gateway will be retrieved and used. 
    -T, --target ADDRESS1,ADDRESS2   Target IP addresses, if not specified the whole subnet will be targeted.
        --ignore ADDRESS1,ADDRESS2   Ignore these addresses if found while searching for targets.
        --no-discovery               Do not actively search for hosts, just use the current ARP cache, default to false.
        --no-target-nbns             Disable target NBNS hostname resolution.
        --packet-throttle NUMBER     Number of seconds ( can be a decimal number ) to wait between each packet to be sent.
        --check-updates              Will check if any update is available and then exit.
    -h, --help                       Display the available options.

LOGGING:

    -O, --log LOG_FILE               Log all messages into a file, if not specified the log messages will be only print into the shell.
        --log-timestamp              Enable logging with timestamps for each line, disabled by default.
    -D, --debug                      Enable debug logging.
        --silent                     Suppress every message which is not an error or a warning, default to false.

SPOOFING:

    -S, --spoofer NAME               Spoofer module to use, available: ARP, ICMP, NONE - default: ARP.
        --no-spoofing                Disable spoofing, alias for --spoofer NONE.
        --half-duplex                Enable half-duplex MITM, this will make bettercap work in those cases when the router is not vulnerable.
        --kill                       Instead of forwarding packets, this switch will make targets connections to be killed.

SNIFFING:

    -X, --sniffer                    Enable sniffer.
    -L, --local                      Parse packets coming from/to the address of this computer ( NOTE: Will set -X to true ), default to false.
        --sniffer-source FILE        Load packets from the specified PCAP file instead of the interface ( will enable sniffer ).
        --sniffer-output FILE        Save all packets to the specified PCAP file ( will enable sniffer ).
        --sniffer-filter EXPRESSION  Configure the sniffer to use this BPF filter ( will enable sniffer ).
    -P, --parsers PARSERS            Comma separated list of packet parsers to enable, '*' for all ( NOTE: Will set -X to true ), available: 
                                     MAIL, FTP, DHCP, IRC, MYSQL, HTTPAUTH, COOKIE, REDIS, HTTPS, URL, POST, PGSQL, SNMP, SNPP, RLOGIN, MPD, 
                                     DICT, NNTP, NTLMSS, WHATSAPP, CREDITCARD - default: *
        --custom-parser EXPRESSION   Use a custom regular expression in order to capture and show sniffed data ( NOTE: Will set -X to true ).

PROXYING:


  TCP:

        --tcp-proxy                  Enable TCP proxy ( requires other --tcp-proxy-* options to be specified ).
        --tcp-proxy-module MODULE    Ruby TCP proxy module to load.
        --tcp-proxy-port PORT        Set local TCP proxy port, default to 2222 .
        --tcp-proxy-upstream ADDRESS:PORT
                                     Set TCP proxy upstream server address and port.
        --tcp-proxy-upstream-address ADDRESS
                                     Set TCP proxy upstream server address.
        --tcp-proxy-upstream-port PORT
                                     Set TCP proxy upstream server port.
  HTTP:

        --proxy                      Enable HTTP proxy and redirects all HTTP requests to it, default to false.
        --proxy-port PORT            Set HTTP proxy port, default to 8080.
        --allow-local-connections    Allow direct connections to the proxy instance, default to false.
        --no-sslstrip                Disable SSLStrip.
        --proxy-module MODULE        Ruby proxy module to load, either a custom file or one of the following: injectcss, injecthtml, injectjs.
        --http-ports PORT1,PORT2     Comma separated list of HTTP ports to redirect to the proxy, default to 80.
        --proxy-upstream-address ADDRESS
                                     If set, only requests coming from this server address will be redirected to the HTTP/HTTPS proxies.

  HTTPS:

        --proxy-https                Enable HTTPS proxy and redirects all HTTPS requests to it, default to false.
        --proxy-https-port PORT      Set HTTPS proxy port, default to 8083.
        --proxy-pem FILE             Use a custom PEM CA certificate file for the HTTPS proxy, default to /home/mial/.bettercap/bettercap-ca.pem .
        --https-ports PORT1,PORT2    Comma separated list of HTTPS ports to redirect to the proxy, default to 443.

  CUSTOM:

        --custom-proxy ADDRESS       Use a custom HTTP upstream proxy instead of the builtin one.
        --custom-proxy-port PORT     Specify a port for the custom HTTP upstream proxy, default to 8080.
        --custom-https-proxy ADDRESS Use a custom HTTPS upstream proxy instead of the builtin one.
        --custom-https-proxy-port PORT
                                     Specify a port for the custom HTTPS upstream proxy, default to 8083.
        --custom-redirection RULE    Apply a custom port redirection, the format of the rule is PROTOCOL ORIGINAL_PORT NEW_PORT. For instance 
                                     TCP 21 2100 will redirect all TCP traffic going to port 21, to port 2100.

SERVERS:

        --httpd                      Enable HTTP server, default to false.
        --httpd-port PORT            Set HTTP server port, default to 8081.
        --httpd-path PATH            Set HTTP server path, default to ./ .
        --dns FILE                   Enable DNS server and use this file as a hosts resolution table.
        --dns-port PORT              Set DNS server port, default to 5300.

Bettercap Usage Example

General Options

The following are the main options that determine the general behaviour of BetterCap, these options are not mandatory, in fact bettercap will automatically detect everything it needs in order to work, you just might need to use one or more of the following options to specify some custom behaviour in specific cases.

Examples

Attack specific targets:

sudo bettercap -T 192.168.1.10,192.168.1.11

Attack a specific target by its MAC address:

sudo bettercap -T 01:23:45:67:89:10

Attack a range of IP addresses:

sudo bettercap -T 192.168.1.1-30

Attack a specific subnet:

sudo bettercap -T 192.168.1.1/24

Options

-I, --interface IFACE

BetterCAP will automatically detect your default network interface and use it, if you want to make it use another interface ( when you have more than one, let’s say eth0 and wlan0 ) you can use this option.

-G, --gateway ADDRESS

The same goes for the gateway, either let bettercap automatically detect it or manually specify its address.

-T, --target ADDRESS1,ADDRESS2

If no specific target is given on the command line, bettercap will spoof every single address on the network. There are cases when you already know the IP or MAC address of your target(s), in such cases you can use this option.

--ignore ADDRESS1,ADDRESS2

Ignore these IP addresses if found while searching for targets.

--no-discovery

Do not actively search for hosts, just use the current ARP cache, default to false.

--no-target-nbns

Disable target NBNS hostname resolution.

--packet-throttle NUMBER

Number of seconds ( can be a decimal number ) to wait between each packet to be sent.

--check-updates

Will check if any update is available and then exit.

-h, --help

Display the available options.

Logging

These options determine how bettercap console logger is going to behave.

Examples

Save log output to the out.log file:

sudo bettercap --log out.log

Save log output to the out.log file and suppress terminal output:

sudo bettercap --log out.log --silent

Save log output to the out-ts.log file and enable timestamps for each line:

sudo bettercap --log-timestamp --log out-ts.log

Options

-O, --log LOG_FILE

Log all messages into a file, if not specified the log messages will be only print into the shell.

--log-timestamp

Enable logging with timestamps for each line, disabled by default.

-D, --debug

Enable debug logging, it is good practice to use this option while reporting a bug in order to have the full debug log of the program.

--silent

Suppress every message which is not an error or a warning, default to false.

Spoofing

As previously described in the introduction section, spoofing is the very hearth of every MITM attack. These options will determine which spoofing technique to use and how to use it.

BetterCap already includes an ARP spoofer ( working both in full duplex and half duplex mode ), aDNS spoofer and the first, fully working and completely automatized ICMP DoubleDirect spooferin the world

Examples

Use the good old ARP spoofing:

sudo bettercap or sudo bettercap -S ARP or sudo bettercap --spoofer ARP

Use a full duplex ICMP redirect spoofing attack:

sudo bettercap -S ICMP or sudo bettercap --spoofer ICMP

Disable spoofing:

sudo bettercap -S NONE or sudo bettercap --spoofer NONE or sudo bettercap --no-spoofing

No dear 192.168.1.2, you won’t connect to anything anymore 😀

sudo bettercap -T 192.168.1.2 --kill

Options

-S, --spoofer NAME

Spoofer module to use, available: ARP, ICMP, NONE - default: ARP.

--no-spoofing

Disable spoofing, alias for --spoofer NONE / -S NONE.

--kill

Instead of forwarding packets, this switch will make targets connections to be killed.

--half-duplex

If your router has some builtin protection against spoofing do not worry, you can go half duplex.

During a MITM, full duplex means that you’re poisoning both the target machine and the router, namely if T is the target, R is the router and A is the attacker, you’ll do this:

Make T believe that A is the router.

Make R believe that A is the target.

So you need to send two ARP replies in order to do this.

Sniffing & Credentials Harvesting

The builtin sniffer is currently able to dissect and print from the network ( or from a previously captured PCAP file ) the following informations:

  • URLs being visited.
  • HTTPS hosts being visited.
  • HTTP POSTed data.
  • HTTP Basic and Digest authentications.
  • HTTP Cookies.
  • FTP credentials.
  • IRC credentials.
  • POP, IMAP and SMTP credentials.
  • NTLMv1/v2 ( HTTP, SMB, LDAP, etc ) credentials.
  • DICT Protocol credentials.
  • MPD Credentials.
  • NNTP Credentials.
  • DHCP messages and authentication.
  • REDIS login credentials.
  • RLOGIN credentials.
  • SNPP credentials.
  • And more!

Examples

Use bettercap as a simple local network sniffer:

sudo bettercap --local or sudo bettercap -L

Use the capture.pcap file in your home directory as a packets source:

sudo bettercap --sniffer-source ~/capture.pcap

Spoof the whole network and save every packet to the capture.pcap file in your home directory:

sudo bettercap --sniffer-output ~/capture.pcap

Spoof the whole network but only sniff HTTP traffic:

sudo bettercap --sniffer-filter "tcp port http"

Spoof the whole network and extract data from packets containing the “password” word:

sudo bettercap --custom-parser ".*password.*"

Options

-X, --sniffer

Enable sniffer.

-L, --local

By default bettercap will only parse packets coming from/to other addresses on the network, if you also want to process packets being sent or received from your own computer you can use this option ( NOTE: will enable the sniffer ).

--sniffer-source FILE

Load packets from the specified PCAP file instead of the network interface ( NOTE: will enable the sniffer ).

--sniffer-output FILE

Save all packets to the specified PCAP file ( NOTE: will enable the sniffer ).

--sniffer-filter EXPRESSION

Configure the sniffer to use this BPF filter ( NOTE: will enable the sniffer ).

-P, --parsers PARSERS

Comma separated list of packet parsers to enable, * for all ( NOTE: will enable the sniffer ), available: COOKIE, CREDITCARD, DHCP, DICT, FTP, HTTPAUTH, HTTPS, IRC, MAIL, MPD, MYSQL, NNTP,NTLMSS, PGSQL, POST, REDIS, RLOGIN, SNMP, SNPP, URL, WHATSAPP, default to *.

--custom-parser EXPRESSION

Use a custom regular expression in order to capture and show sniffed data ( NOTE: will enable the sniffer ).

HTTP

You want to serve your custom javascript files on the network? Maybe you wanna inject some custom script or image into HTTP responses using a transparent proxy module but you got no public server to use? no worries dude :DA builtin HTTP server comes with bettercap, allowing you to serve custom contents from your own machine without installing and configuring other softwares such as Apache, nginx or lighttpd.

--httpd

Enable HTTP server, default to false.

--httpd-port PORT

Set HTTP server port, default to 8081.

--httpd-path PATH

Set HTTP server path, default to ./.

DNS

If you want to perform DNS spoofing, you must specify the --dns FILE command line argument, where the FILE value is the name of a file composed by entries like the following:

# Empty lines or lines starting with # will be ignored.

# redirect *.google.com to the attacker ip address
local .*google\.com

# redirect *.microsoft.com to 10.10.10.10
10.10.10.10 .*microsoft\.com

Then all you’ve left to do is execute:

sudo bettercap --dns dns.conf

--dns FILE

Enable DNS server and use this file as a hosts resolution table.

--dns-port PORT

Set DNS server port, default to 5300.

How to install Bettercap

Installation on Kali Linux

sudo apt-get install bettercap

Installation on Linux (Debian, Mint, Ubuntu)

sudo apt-get install build-essential ruby-dev libpcap-dev
sudo apt-get install ruby
gem install bettercap

Bettercap Screenshots

02

01

Bettercap Tutorials

Related tools