Bettercap
Bettercap Description
BetterCAP is a powerful, flexible and portable tool created to perform various types of MITM attacks against a network, manipulate HTTP, HTTPS and TCP traffic in realtime, sniff for credentials and much more.
Why another MITM tool?
This is exactly what you are thinking right now, isn’t it? 😀 But allow yourself to think about it for 5 more minutes … what you should be really asking is:
Does a complete, modular, portable and easy to extend MITM tool actually exist?
If your answer is “ettercap”, let me tell you something:
- Ettercap was a great tool, but it made its time.
- Ettercap filters do not work most of the times, are outdated and hard to implement due to the specific language they’re implemented in.
- Ettercap is freaking unstable on big networks … try to launch the host discovery on a bigger network rather than the usual /24 😉
- Yeah you can see connections and raw pcap stuff, nice toy, but as a professional researcher I want to see only relevant stuff.
- Unless you’re a C/C++ developer, you can’t easily extend ettercap or make your own module.
Moreover:
- Ettercap’s and MITMf’s ICMP spoofing is completely useless, ours is not.
- Ettercap does not provide a builtin and modular HTTP(S) and TCP transparent proxies, we do.
- Ettercap does not provide a smart and fully customizable credentials sniffer, we do.
Homepage: https://www.bettercap.org/
Author: Simone 'evilsocket' Margaritelli*
License: GPL3
Bettercap Help
Usage: bettercap [options]
MAIN:
-I, --interface IFACE Network interface name - default: eth0
-G, --gateway ADDRESS Manually specify the gateway address, if not specified the current gateway will be retrieved and used.
-T, --target ADDRESS1,ADDRESS2 Target IP addresses, if not specified the whole subnet will be targeted.
--ignore ADDRESS1,ADDRESS2 Ignore these addresses if found while searching for targets.
--no-discovery Do not actively search for hosts, just use the current ARP cache, default to false.
--no-target-nbns Disable target NBNS hostname resolution.
--packet-throttle NUMBER Number of seconds ( can be a decimal number ) to wait between each packet to be sent.
--check-updates Will check if any update is available and then exit.
-h, --help Display the available options.
LOGGING:
-O, --log LOG_FILE Log all messages into a file, if not specified the log messages will be only print into the shell.
--log-timestamp Enable logging with timestamps for each line, disabled by default.
-D, --debug Enable debug logging.
--silent Suppress every message which is not an error or a warning, default to false.
SPOOFING:
-S, --spoofer NAME Spoofer module to use, available: ARP, ICMP, NONE - default: ARP.
--no-spoofing Disable spoofing, alias for --spoofer NONE.
--half-duplex Enable half-duplex MITM, this will make bettercap work in those cases when the router is not vulnerable.
--kill Instead of forwarding packets, this switch will make targets connections to be killed.
SNIFFING:
-X, --sniffer Enable sniffer.
-L, --local Parse packets coming from/to the address of this computer ( NOTE: Will set -X to true ), default to false.
--sniffer-source FILE Load packets from the specified PCAP file instead of the interface ( will enable sniffer ).
--sniffer-output FILE Save all packets to the specified PCAP file ( will enable sniffer ).
--sniffer-filter EXPRESSION Configure the sniffer to use this BPF filter ( will enable sniffer ).
-P, --parsers PARSERS Comma separated list of packet parsers to enable, '*' for all ( NOTE: Will set -X to true ), available:
MAIL, FTP, DHCP, IRC, MYSQL, HTTPAUTH, COOKIE, REDIS, HTTPS, URL, POST, PGSQL, SNMP, SNPP, RLOGIN, MPD,
DICT, NNTP, NTLMSS, WHATSAPP, CREDITCARD - default: *
--custom-parser EXPRESSION Use a custom regular expression in order to capture and show sniffed data ( NOTE: Will set -X to true ).
PROXYING:
TCP:
--tcp-proxy Enable TCP proxy ( requires other --tcp-proxy-* options to be specified ).
--tcp-proxy-module MODULE Ruby TCP proxy module to load.
--tcp-proxy-port PORT Set local TCP proxy port, default to 2222 .
--tcp-proxy-upstream ADDRESS:PORT
Set TCP proxy upstream server address and port.
--tcp-proxy-upstream-address ADDRESS
Set TCP proxy upstream server address.
--tcp-proxy-upstream-port PORT
Set TCP proxy upstream server port.
HTTP:
--proxy Enable HTTP proxy and redirects all HTTP requests to it, default to false.
--proxy-port PORT Set HTTP proxy port, default to 8080.
--allow-local-connections Allow direct connections to the proxy instance, default to false.
--no-sslstrip Disable SSLStrip.
--proxy-module MODULE Ruby proxy module to load, either a custom file or one of the following: injectcss, injecthtml, injectjs.
--http-ports PORT1,PORT2 Comma separated list of HTTP ports to redirect to the proxy, default to 80.
--proxy-upstream-address ADDRESS
If set, only requests coming from this server address will be redirected to the HTTP/HTTPS proxies.
HTTPS:
--proxy-https Enable HTTPS proxy and redirects all HTTPS requests to it, default to false.
--proxy-https-port PORT Set HTTPS proxy port, default to 8083.
--proxy-pem FILE Use a custom PEM CA certificate file for the HTTPS proxy, default to /home/mial/.bettercap/bettercap-ca.pem .
--https-ports PORT1,PORT2 Comma separated list of HTTPS ports to redirect to the proxy, default to 443.
CUSTOM:
--custom-proxy ADDRESS Use a custom HTTP upstream proxy instead of the builtin one.
--custom-proxy-port PORT Specify a port for the custom HTTP upstream proxy, default to 8080.
--custom-https-proxy ADDRESS Use a custom HTTPS upstream proxy instead of the builtin one.
--custom-https-proxy-port PORT
Specify a port for the custom HTTPS upstream proxy, default to 8083.
--custom-redirection RULE Apply a custom port redirection, the format of the rule is PROTOCOL ORIGINAL_PORT NEW_PORT. For instance
TCP 21 2100 will redirect all TCP traffic going to port 21, to port 2100.
SERVERS:
--httpd Enable HTTP server, default to false.
--httpd-port PORT Set HTTP server port, default to 8081.
--httpd-path PATH Set HTTP server path, default to ./ .
--dns FILE Enable DNS server and use this file as a hosts resolution table.
--dns-port PORT Set DNS server port, default to 5300.
Bettercap Usage Example
General Options
The following are the main options that determine the general behaviour of BetterCap, these options are not mandatory, in fact bettercap will automatically detect everything it needs in order to work, you just might need to use one or more of the following options to specify some custom behaviour in specific cases.
Examples
Attack specific targets:
sudo bettercap -T 192.168.1.10,192.168.1.11
Attack a specific target by its MAC address:
sudo bettercap -T 01:23:45:67:89:10
Attack a range of IP addresses:
sudo bettercap -T 192.168.1.1-30
Attack a specific subnet:
sudo bettercap -T 192.168.1.1/24
Options
-I, --interface IFACE
BetterCAP will automatically detect your default network interface and use it, if you want to make it use another interface ( when you have more than one, let’s say eth0 and wlan0 ) you can use this option.
-G, --gateway ADDRESS
The same goes for the gateway, either let bettercap automatically detect it or manually specify its address.
-T, --target ADDRESS1,ADDRESS2
If no specific target is given on the command line, bettercap will spoof every single address on the network. There are cases when you already know the IP or MAC address of your target(s), in such cases you can use this option.
--ignore ADDRESS1,ADDRESS2
Ignore these IP addresses if found while searching for targets.
--no-discovery
Do not actively search for hosts, just use the current ARP cache, default to false.
--no-target-nbns
Disable target NBNS hostname resolution.
--packet-throttle NUMBER
Number of seconds ( can be a decimal number ) to wait between each packet to be sent.
--check-updates
Will check if any update is available and then exit.
-h, --help
Display the available options.
Logging
These options determine how bettercap console logger is going to behave.
Examples
Save log output to the out.log file:
sudo bettercap --log out.log
Save log output to the out.log file and suppress terminal output:
sudo bettercap --log out.log --silent
Save log output to the out-ts.log file and enable timestamps for each line:
sudo bettercap --log-timestamp --log out-ts.log
Options
-O, --log LOG_FILE
Log all messages into a file, if not specified the log messages will be only print into the shell.
--log-timestamp
Enable logging with timestamps for each line, disabled by default.
-D, --debug
Enable debug logging, it is good practice to use this option while reporting a bug in order to have the full debug log of the program.
--silent
Suppress every message which is not an error or a warning, default to false.
Spoofing
As previously described in the introduction section, spoofing is the very hearth of every MITM attack. These options will determine which spoofing technique to use and how to use it.
BetterCap already includes an ARP spoofer ( working both in full duplex and half duplex mode ), aDNS spoofer and the first, fully working and completely automatized ICMP DoubleDirect spooferin the world
Examples
Use the good old ARP spoofing:
sudo bettercap or sudo bettercap -S ARP or sudo bettercap --spoofer ARP
Use a full duplex ICMP redirect spoofing attack:
sudo bettercap -S ICMP or sudo bettercap --spoofer ICMP
Disable spoofing:
sudo bettercap -S NONE or sudo bettercap --spoofer NONE or sudo bettercap --no-spoofing
No dear 192.168.1.2, you won’t connect to anything anymore 😀
sudo bettercap -T 192.168.1.2 --kill
Options
-S, --spoofer NAME
Spoofer module to use, available: ARP, ICMP, NONE - default: ARP.
--no-spoofing
Disable spoofing, alias for --spoofer NONE / -S NONE.
--kill
Instead of forwarding packets, this switch will make targets connections to be killed.
--half-duplex
If your router has some builtin protection against spoofing do not worry, you can go half duplex.
During a MITM, full duplex means that you’re poisoning both the target machine and the router, namely if T is the target, R is the router and A is the attacker, you’ll do this:
Make T believe that A is the router.
Make R believe that A is the target.
So you need to send two ARP replies in order to do this.
Sniffing & Credentials Harvesting
The builtin sniffer is currently able to dissect and print from the network ( or from a previously captured PCAP file ) the following informations:
- URLs being visited.
- HTTPS hosts being visited.
- HTTP POSTed data.
- HTTP Basic and Digest authentications.
- HTTP Cookies.
- FTP credentials.
- IRC credentials.
- POP, IMAP and SMTP credentials.
- NTLMv1/v2 ( HTTP, SMB, LDAP, etc ) credentials.
- DICT Protocol credentials.
- MPD Credentials.
- NNTP Credentials.
- DHCP messages and authentication.
- REDIS login credentials.
- RLOGIN credentials.
- SNPP credentials.
- And more!
Examples
Use bettercap as a simple local network sniffer:
sudo bettercap --local or sudo bettercap -L
Use the capture.pcap file in your home directory as a packets source:
sudo bettercap --sniffer-source ~/capture.pcap
Spoof the whole network and save every packet to the capture.pcap file in your home directory:
sudo bettercap --sniffer-output ~/capture.pcap
Spoof the whole network but only sniff HTTP traffic:
sudo bettercap --sniffer-filter "tcp port http"
Spoof the whole network and extract data from packets containing the “password” word:
sudo bettercap --custom-parser ".*password.*"
Options
-X, --sniffer
Enable sniffer.
-L, --local
By default bettercap will only parse packets coming from/to other addresses on the network, if you also want to process packets being sent or received from your own computer you can use this option ( NOTE: will enable the sniffer ).
--sniffer-source FILE
Load packets from the specified PCAP file instead of the network interface ( NOTE: will enable the sniffer ).
--sniffer-output FILE
Save all packets to the specified PCAP file ( NOTE: will enable the sniffer ).
--sniffer-filter EXPRESSION
Configure the sniffer to use this BPF filter ( NOTE: will enable the sniffer ).
-P, --parsers PARSERS
Comma separated list of packet parsers to enable, * for all ( NOTE: will enable the sniffer ), available: COOKIE, CREDITCARD, DHCP, DICT, FTP, HTTPAUTH, HTTPS, IRC, MAIL, MPD, MYSQL, NNTP,NTLMSS, PGSQL, POST, REDIS, RLOGIN, SNMP, SNPP, URL, WHATSAPP, default to *.
--custom-parser EXPRESSION
Use a custom regular expression in order to capture and show sniffed data ( NOTE: will enable the sniffer ).
HTTP
You want to serve your custom javascript files on the network? Maybe you wanna inject some custom script or image into HTTP responses using a transparent proxy module but you got no public server to use? no worries dude :DA builtin HTTP server comes with bettercap, allowing you to serve custom contents from your own machine without installing and configuring other softwares such as Apache, nginx or lighttpd.
--httpd
Enable HTTP server, default to false.
--httpd-port PORT
Set HTTP server port, default to 8081.
--httpd-path PATH
Set HTTP server path, default to ./.
DNS
If you want to perform DNS spoofing, you must specify the --dns FILE command line argument, where the FILE value is the name of a file composed by entries like the following:
# Empty lines or lines starting with # will be ignored. # redirect *.google.com to the attacker ip address local .*google\.com # redirect *.microsoft.com to 10.10.10.10 10.10.10.10 .*microsoft\.com
Then all you’ve left to do is execute:
sudo bettercap --dns dns.conf
--dns FILE
Enable DNS server and use this file as a hosts resolution table.
--dns-port PORT
Set DNS server port, default to 5300.
How to install Bettercap
Installation on Kali Linux
sudo apt install bettercap
Installation on Linux (Debian, Mint, Ubuntu)
sudo apt-get install build-essential ruby-dev libpcap-dev sudo apt-get install ruby gem install bettercap
Bettercap Screenshots
Comments are Closed