Being the Man in the Middle can sometimes be a good thing!
Sniffing and performing MITM attacks on network traffic is one of a security engineer's foundational skills. In the past, ettercap was the standard tool for doing this, but it has served its time well and now has a successor: bettercap.
bettercap is like ettercap, but better.
BetterCAP is a modular, flexible, powerful and portable MITM attack framework created to perform various types of attacks against a network. It can manipulate HTTP, HTTPS and TCP traffic in real time, sniff for credentials, and more. It was completely rewritten in 2018, and besides MITM it now brings 802.11 and BLE network monitoring and more.
It definitely belongs in the toolbox of penetration testers, reverse engineers and cybersecurity researchers.
Bettercap switched from a Ruby application to a compiled Go application, which allows BetterCAP 2.7.0 to run on low-end hardware while proxying hundreds of connections per second and forwarding tens of hundreds of packets. Memory and CPU usage are now highly optimized, and you can run several instances of your favorite MITM attack framework at the same time.
You can install BetterCAP on Windows, macOS, Android, Linux (mips, mips64, arm, etc.) and iOS.
Full and half duplex ARP spoofing
Fully customizable sniffer
Modular HTTP/HTTPS proxies that allow injection of custom HTML, JS, CSS code or URLs
SSL stripping with HSTS bypass, etc.
Modular HTTP and HTTPS transparent proxies with support for user plugins
Real-time credentials harvesting for protocols such as HTTP(S) POSTed data, IRC, POP, IMAP, SMTP, Basic and Digest authentication, FTP, NTLM (HTTP, SMB, LDAP, etc.)
The HTTPS certificate and authority fields can be customized via dedicated module parameters (https.proxy, http.server and api.rest)
An any.proxy module that redirects traffic to custom proxy tools
Bettercap caplets, or .cap files, are a powerful way to script bettercap's interactive sessions; they are similar to Metasploit's .rc files. Check this repository for available caplets and modules.
pheniix_pc422$ sudo bettercap -caplet ./attackpheniix.cap
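As an added example (not code from the original post or from the bettercap project), here is a small script that writes a caplet which turns on full-duplex ARP spoofing against one host and sniffs its traffic, checks the file for obvious typos, and then hands it to bettercap. The target 192.168.1.10, the interface eth0 and the file name ./attackpheniix.cap are assumptions; every non-comment line in the caplet is exactly what you would otherwise type at the bettercap prompt.

```shell
#!/bin/sh
# Added example, not code from the original post or from the bettercap project:
# generate a caplet that ARP-spoofs one host (full duplex, as in the feature
# list above) and sniffs its traffic, then hand it to bettercap.
# Assumed values: target 192.168.1.10, interface eth0, file ./attackpheniix.cap.

# write_caplet TARGET OUTFILE
# Each non-comment line of a caplet is a bettercap session command:
# "set" assigns a module parameter, "<module> on" starts that module.
write_caplet() {
    cat > "$2" <<EOF
# caplet written by write_caplet (constructed example)
set arp.spoof.targets $1
set arp.spoof.fullduplex true
set net.sniff.verbose false
net.probe on
arp.spoof on
net.sniff on
EOF
}

# caplet_valid FILE: returns 0 when every command line has one of the shapes
# this caplet is expected to contain, 1 otherwise (a cheap typo check before
# you run the file as root).
caplet_valid() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) ;;                       # blank lines and comments
            'set '*' '*|*' on'|*' off') ;;    # "set key value", "module on/off"
            *) return 1 ;;
        esac
    done < "$1"
    return 0
}

# caplet_commands FILE: number of command (non-comment, non-blank) lines
caplet_commands() {
    grep -c -v -e '^#' -e '^[[:space:]]*$' "$1"
}

# Typical run (needs root for ARP spoofing; only executed when asked for):
if [ "${1:-}" = "run" ]; then
    write_caplet 192.168.1.10 ./attackpheniix.cap
    caplet_valid ./attackpheniix.cap && sudo bettercap -iface eth0 -caplet ./attackpheniix.cap
fi
```

Run it as `sh make-caplet.sh run` to generate the file and start bettercap on it; without the argument it only defines the functions. Keeping the target in a `set arp.spoof.targets` line rather than spoofing the whole subnet is the conservative default: poisoning every host on a busy network is how inexperienced users end up with the unexpected results mentioned at the end of this post.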
BetterCap vs. EtterCAP
Unlike BetterCAP, EtterCAP filters are very hard to implement, because they have to be written in EtterCAP's own filter language.
EtterCAP doesn't provide built-in HTTP, HTTPS and TCP transparent proxies, nor a fully customizable credentials sniffer.
EtterCAP worked well, but it is an old tool and unstable on large networks.
How to install it?
First of all, make sure that you have a correctly configured Go >= 1.8 environment, with $GOPATH/bin in $PATH. You also need libpcap-dev and libnetfilter-queue-dev installed on your system.
Install them like this:
pheniix_pc422$ sudo apt-get install libpcap-dev libnetfilter-queue-dev
Then download BetterCAP:
pheniix_pc422$ go get github.com/bettercap/bettercap
This command downloads bettercap, installs its dependencies, compiles it and moves the bettercap executable to $GOPATH/bin.
If you want to update to the latest (unstable) version from the repository, run:
pheniix_pc422$ go get -u github.com/bettercap/bettercap
Note: A precompiled binary is available for each release, but if you want to build your own, use the latest source code from the BetterCAP repository.
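The three prerequisites above (Go >= 1.8, $GOPATH/bin on the PATH, the two -dev packages) are the usual reasons a `go get` build of bettercap fails. The following added check script is not from the original post or the bettercap project; it verifies each of them before running the install command. The header paths it looks for are an assumption for Debian/Ubuntu and may differ on other distributions.

```shell
#!/bin/sh
# Added example, not from the original post: check the prerequisites the post
# lists (Go >= 1.8, $GOPATH/bin in $PATH, the libpcap and libnetfilter_queue
# development headers) before running "go get". The header paths are
# assumptions for Debian/Ubuntu; adjust them for other distributions.

# go_version_ok "go version go1.10.3 linux/amd64": 0 if the version is >= 1.8
go_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^go version go\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/p')
    [ -n "$ver" ] || return 1          # unparseable (e.g. a devel build or no go at all)
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 8 ]; }
}

# path_has_dir DIR PATHVALUE: 0 if DIR is one of the colon-separated entries
path_has_dir() {
    case ":$2:" in
        *":$1:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_prereqs: run the checks against the live system and say what is missing
check_prereqs() {
    go_version_ok "$(go version 2>/dev/null)" || { echo "need Go >= 1.8 in PATH"; return 1; }
    path_has_dir "${GOPATH:-$HOME/go}/bin" "$PATH" || { echo "add \$GOPATH/bin to PATH"; return 1; }
    [ -f /usr/include/pcap/pcap.h ] || { echo "install libpcap-dev"; return 1; }
    [ -f /usr/include/libnetfilter_queue/libnetfilter_queue.h ] || { echo "install libnetfilter-queue-dev"; return 1; }
    echo "prerequisites ok"
}

# Only fetch and build when explicitly asked, and only if the checks pass.
if [ "${1:-}" = "install" ]; then
    check_prereqs && go get github.com/bettercap/bettercap
fi
```

Run `sh check-bettercap.sh install` to perform the checks and then the `go get`; the PATH check matters because `go get` drops the binary into $GOPATH/bin and "bettercap: command not found" right after a successful build is almost always this.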
Run bettercap with its -h flag to show the basic command line options, like in the picture:
Note: You may face an error like “error while loading shared libraries: libpcap.so.1: cannot open shared object file: No such file or directory”, which means the binary was linked against a libpcap soname that your system does not provide.
Solve this issue as follows:
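Before changing anything, it helps to see exactly which library the binary expects and which versions the system actually has. The added script below (not from the original post or the bettercap project) extracts the "not found" entries from ldd output and, for each one, lists the installed files with the same base name from the loader cache. The ldd output embedded in it is constructed for the example; the real `diagnose` function runs ldd on a binary you pass in.

```shell
#!/bin/sh
# Added example, not from the original post: find out which shared libraries a
# bettercap binary cannot load, and which versions of them the system does
# have, so the "libpcap.so.1: cannot open shared object file" message can be
# traced to the soname mismatch behind it. The ldd output below is constructed.

# missing_libs LDD_OUTPUT: print the sonames ldd marks as "not found"
missing_libs() {
    printf '%s\n' "$1" | awk '/=> not found/ { print $1 }'
}

# soname_base NAME: libpcap.so.1 -> libpcap (what to look for in ldconfig -p)
soname_base() {
    printf '%s\n' "${1%%.so*}"
}

# Constructed sample of what `ldd $(command -v bettercap)` prints on a host
# that only ships libpcap as libpcap.so.0.8 (addresses are made up).
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd9b5f2000)
	libpcap.so.1 => not found
	libnetfilter_queue.so.1 => /usr/lib/x86_64-linux-gnu/libnetfilter_queue.so.1 (0x00007f3c1a2b0000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f3c1a090000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c19c9f000)'

# diagnose BINARY: run ldd for real and list the installed candidates for each
# missing library from the dynamic loader cache
diagnose() {
    out=$(ldd "$1") || return 1
    for lib in $(missing_libs "$out"); do
        base=$(soname_base "$lib")
        echo "missing: $lib"
        echo "installed $base.so* files known to the loader:"
        ldconfig -p | grep "$base\.so" || echo "  none; install the distribution's $base package"
    done
}

# Dry run on the constructed sample: prints "libpcap.so.1"
missing_libs "$SAMPLE_LDD"
```

Use it as `diagnose "$(command -v bettercap)"`. If the loader cache shows a libpcap.so.0.8 but no libpcap.so.1 (the Debian/Ubuntu situation behind this error with prebuilt binaries), the two usual remedies, neither of which is shown on this page, are to install the libpcap runtime package that provides the expected soname, or, as a widely used workaround for a prebuilt binary, to add a libpcap.so.1 symlink pointing at the existing libpcap.so.0.8 in the same directory.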
Here are some basic commands:
The net.show command shows the hosts discovered on the network.
To see which modules exist and which of them are running, use the help command.
To see more information about a specific module, use:
» help <module>
help on its own lists all the modules and their current status; help <module> shows all the parameters and commands of that one module.
You can also run commands directly from the terminal with -eval:
pheniix_pc422$ bettercap -eval "net.probe.on; ticker on"
To run a system command from within bettercap, prefix it with !, for example » ! ifconfig.
Bettercap is a versatile tool: redirection, phishing, sniffing, injection, you can do a lot with it. But there are some “problems”. It is a tool you should be aware of, whether you're in InfoSec or just interested in knowing what is technically possible. If you have any favorite use cases or configurations for it, let us know and we will add them here on Pheniix. Behaviour can vary with the network architecture, DNS caching and setup, and unexpected results can happen, especially for users new to Bettercap. It's going to take you some time to overcome these problems and get used to the new environment. All in all, a solid, robust tool that you should at least try.
TRADEMARK LEGAL NOTICE
All product names, logos, and brands are the property of their respective owners in Austria or other countries. All company, product and service names used in this website are for identification purposes only. Pheniix is not affiliated with or an official partner of Cisco, CompTIA, Dimension Data, VMware, Amazon, Microsoft, Certified Ethical Hacker, (ISC)², Juniper, Wireshark, Offensive Security, Google, GNS3, F5, Python, Linux, Java, OpenStack, Vagrant, Ansible, Docker, GIT, Blockchain or other companies. Use of these names, logos, and brands does not imply endorsement. The opinions expressed in Pheniix are personal perspectives and not those of Cisco, Dimension Data or any other company. Pheniix runs as an independent blog.