Being Man In The Middle can sometimes be good!

Sniffing and performing MiTM on network traffic is one of a security engineer's foundational skills. In the past, ettercap was the standard tool for doing this, but it has served its time well and now has a successor: bettercap.

bettercap is like ettercap, but better.

BetterCAP is a modular, flexible, powerful and portable MITM attack framework created to perform various types of attacks against a network. It is able to manipulate HTTP, HTTPS and TCP traffic in real time, sniff for credentials, etc. It was completely rewritten in 2018, and aside from MITM it brings network monitoring for 802.11, BLE and more. It definitely belongs in the toolbox of penetration testers, reverse engineers and cybersecurity researchers.

Bettercap switched from a Ruby application to a compiled Go application, which allows BetterCAP 2.7.0 to run on low-end hardware while proxying hundreds of connections per second and forwarding tens of hundreds of packets. Memory and CPU usage are now extremely optimized, and you can run several instances of your favorite MITM attack framework.

You can install BetterCAP on Windows, macOS, Android, Linux (mips, mips64, arm, etc.) and iOS.

Legacy features:

  • Full and half duplex ARP spoofing

  • Fully customizable sniffer

  • Modular HTTP/HTTPS proxies to allow for injection of custom HTML, JS, CSS code or URLs

  • SSL stripping with HSTS bypass, etc.

  • ICMP/DNS/NDP spoofing

  • Modular HTTP and HTTPS transparent proxies with support for user plugins

  • Real-time credentials harvesting for protocols such as HTTP(S) POSTed data, IRC, POP, IMAP, SMTP, Basic and Digest Authentications, FTP, NTLM (HTTP, SMB, LDAP, etc.)

New Features:
  • single https certificate / authority fields can now be customized via dedicated module parameters (https.proxy, http.server, and

  • implemented any.proxy module to redirect traffic to custom proxy tools

  • implemented http.proxy.injectjs and https.proxy.injectjs parameters to inject JavaScript code, files or URLs without a proxy module

Great Caplets

Bettercap caplets, or .cap files, are a powerful way to script bettercap’s interactive sessions. They are similar to the .rc files of Metasploit. Check this repository for available caplets and modules.

For example:

pheniix_pc422$ sudo bettercap -caplet ./attackpheniix.cap

BetterCap vs. EtterCAP
  • Unlike BetterCAP filters, EtterCAP filters are very hard to implement (they require a specific language).

  • EtterCAP doesn’t provide built-in HTTP, HTTPS and TCP transparent proxies, nor a fully customizable credentials sniffer.

  • EtterCAP worked well, but it is an old tool and unstable on big networks.

How to install it?

First of all, make sure that you have a correctly configured Go >= 1.8 environment. $GOPATH/bin needs to be in $PATH. You also need to install libpcap-dev and libnetfilter-queue-dev on your system.

Install them like this:

pheniix_pc422$ sudo apt-get install libpcap-dev libnetfilter-queue-dev

Then download BetterCAP:

pheniix_pc422$ go get

After installation, install its dependencies, compile it and move the bettercap executable to $GOPATH/bin.

If you want to update to the unstable release from the repository, run:

pheniix_pc422$ go get -u

Note: A precompiled version is available for each release, but if you want to build your own binary, you can use the latest version of the source code from the BetterCAP repository.

Use this command to show the basic command line options like in the picture:

Note: You may run into issues such as “error while loading shared libraries: cannot open shared object file: No such file or directory”.

Solve this issue as follows:

Here are some basic commands: commands shows the information about the networks.

To see which modules are running, you can use the "help" command.

If you want to see more information about a specific module, you can use:

» help <module>

To see all information about ALL the modules, use this command:

To get all info on a specific module, type this:

You can also run commands directly from the terminal:

pheniix_pc422$ bettercap -eval "net.probe on; ticker on"

To run system commands within bettercap, prefix them with !:

» !ifconfig

Bettercap is a versatile tool: redirection, phishing, sniffing, injections. You can do a lot with it. It is a tool that you should be aware of whether you’re in InfoSec or are just interested in being technically aware of what’s possible. If you have any favorite use cases or configurations for it, let us know and we will add them here on Pheniix.

But there are some “problems”. Behaviour can vary because of the network architecture, DNS cache and setup. Unexpected results can happen, especially for users who are inexperienced with Bettercap. It’s going to take you some time to overcome the problems and get used to the new environment. All in all, it is a solid, robust tool that you should at least try.
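A defender-side view of the ARP spoofing feature listed above, as an added example that is not part of the original post or of the bettercap project: it scans ARP replies for the two signs that spoofing leaves on a LAN, an IP whose MAC binding changes and one MAC answering for several IPs. The log lines are constructed in the style of `tcpdump -n arp` output, and the function name and alert labels are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -n arp` (not a real capture).
# 192.0.2.1 plays the gateway, 192.0.2.20 a workstation.
SAMPLE = """\
10:00:01.000000 ARP, Reply 192.0.2.1 is-at 02:00:00:00:00:01, length 28
10:00:02.000000 ARP, Reply 192.0.2.20 is-at 02:00:00:00:00:20, length 28
10:00:05.000000 ARP, Reply 192.0.2.1 is-at 02:00:00:00:00:66, length 28
10:00:05.100000 ARP, Reply 192.0.2.20 is-at 02:00:00:00:00:66, length 28
10:00:06.000000 ARP, Reply 192.0.2.30 is-at 02:00:00:00:00:30, length 28
"""

REPLY = re.compile(
    r"ARP, Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def find_arp_anomalies(text):
    """Return alert tuples for suspicious IP-to-MAC bindings in ARP replies."""
    first_seen = {}                 # ip -> first MAC observed for it
    ips_by_mac = defaultdict(set)   # mac -> every IP it has claimed
    alerts = []
    for line in text.splitlines():
        match = REPLY.search(line)
        if not match:
            continue                # ignore requests and unrelated lines
        ip, mac = match.group(1), match.group(2).lower()
        known = first_seen.setdefault(ip, mac)
        if known != mac:
            # The same IP is now advertised by a different hardware address.
            alerts.append(("binding-changed", ip, known, mac))
        ips_by_mac[mac].add(ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            # One host answering for several IPs is typical of full-duplex spoofing.
            alerts.append(("mac-claims-many-ips", mac, tuple(sorted(ips))))
    return alerts


if __name__ == "__main__":
    for alert in find_arp_anomalies(SAMPLE):
        print(alert)
```

Both signals also occur legitimately (DHCP reassignment, gateway failover, proxy ARP), so treat a hit as a lead to verify against your known gateway MAC rather than as proof. Switch-level controls such as Dynamic ARP Inspection remove the problem at the source where they are available.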

