Bettercap ( Part 1 )

 

Being Man In The Middle can be sometimes good! 

 

 

Sniffing and performing MiTM on network traffic is one of the security engineers' foundational skills. In the past, ettercap was the standard for doing this, but it’s served its time well and now has a successor: bettercap.

bettercap is like ettercap, but better. 

 

BetterCAP is a modular/flexible, powerful and portable MITM attack framework created to perform various types of attacks against a network. It is able to manipulate HTTP, HTTPS and TCP traffic in realtime, sniff for credentials, etc. It was completely redeployed in 2018, and aside MITM it brings network monitoring 802.11, BLE and more.
It belongs definitely to a Penetration testers, reverse engineers and/or cybersecurity researchers toolbox.

 

Bettercap switched from a Ruby application to a compiled Go application, which allow BetterCAP 2.7.0 to run on low end hardware while proxying hundreds of connections per second and forwarding tens of hundred of packets. Memory and CPU usage are now extremely optimized and you can run several instances of your favorite MITM attack framework.

 

You can install BetterCAP on Windows, macOS, Android, Linux (mips, mips64,arm, etc) and iOS.

 

 

Legacy features:

  • Full and half duplex ARP spoofing

  • Fully customizable sniffer

  • Modular HTTP/HTTPS proxies to allow for injection of custom HTML, JS, CSS code or urls

  • SSLStripping with HSTS bypass. etc.

  • ICMP/DNS/NDP spoofing

  • Modular HTTP and HTTPS transparent proxies with support for user plugins

  • Realtime credentials harvesting for protocols such as HTTP(S) POSTed data, IRC, POP, IMAP, SMTP,Basic and Digest Authentications, FTP, NTLM ( HTTP, SMB, LDAP, etc.)

 

New Features:
  • single https certificate / authority fields can now be customized via dedicated module parameters (https.proxy, http.server, and api.rest)

  • implemented any.proxy module to redirect traffic to custom proxy tools

  • implemented http.proxy.injectjs and https.proxy.injectjs parameters to inject javascript code, files or URLs without a proxy module

Great Caplets
 

Bettercap caplets, or .cap files are a powerful way to script bettercap’s interactive sessions, they are similar to .rc files of Metasploit. Check this repository for available caplets and modules. 

For example:

 

pheniix_pc422$ sudo bettercap -caplet ./attackpheniix.cap

 

BetterCap vs. EtterCAP
  • Unlike BetterCAP, EtterCAP filters are very hard to implement (specific language implementation)

  • EtterCAP doesn’t provide a builtin HTTP,HTTPS and TCP transparent proxies, neither fully customizable credentials sniffer.

  • EtterCAP worked good, but it is an old tool and unstable on big networks.

 

How to install it ?

 

 

First of all, you have to make sure that you have a correctly configured Go >= 1.8 environment. $GOPATH/bin needs to be in $PATH . You also need to install libpcap-dev and libnetfilter-queue-dev on your system.

Follow me to install them like this:

 

pheniix_pc422$ sudo apt-get install libpcap-dev libnetfilter-queue-dev

 

Then download BetterCAP:

 

pheniix_pc422$ go get github.com/bettercap/bettercap

 

After installation, install its dependencies, compile it and move the bettercap executable to $GOPATH/bin.

If you want to update to unstable release from repository, run:

 

pheniix_pc422$ go get -u github.com/bettercap/bettercap

 

Note: A precompiled version is available for each release, but if you want to make your own binary, you can use the latest version of the source code from BetterCAP repository.

 

Use this command to show the basic command line options like in the picture:

 

 

Note: You can face some issues like “error while loading shared libraries: libpcap.so.1: cannot open shared object file: No such file or directory“

solve this issue like the following:

 

 

Here are some basic commands:

 

 

 

net.show commands shows the information about the networks.

 

In order to see which modules are runninng you can use "help" command.

 

 



If you want to see more information about an specific module you can use:

 

 

» help <module>

 

 

You can also see all information about ALL the modules go with this command:

 

 

 

 

 

To get all info on specific m