From charlesreid1

Revision as of 01:02, 22 August 2016 by Admin

Project page: https://www.bettercap.org/

What is bettercap?

Bettercap is a better version of Ettercap. The intention was to create a new tool that worked the same, but better.

But what is it, really? It has two objectives: first, it is a tool for sniffing traffic, and second, it is a tool for carrying out man-in-the-middle attacks (so that you can sniff the traffic of your network neighbors).

Like Ettercap, Bettercap has several nice features:

  • half and full duplex ARP spoofing
  • ICMP/DNS/NDP spoofing
  • Host discovery
  • Credentials harvesting for multiple protocols (POST, HTTPS, FTP, IRC, POP, SMTP, etc.)
  • Customizable sniffer
  • Modular HTTP/HTTPS proxies to allow for injection of custom HTML, JS, CSS code or URLs
  • SSLStripping with HSTS bypass

Dependencies

To install bettercap, you need a C build toolchain, Ruby (with its development headers) and libpcap:

$ apt-get install build-essential ruby-dev libpcap-dev

Install

Now install the bettercap gem:

$ gem install bettercap
$ gem update bettercap

Help

Let's take a look at some of the important flags. Here's the help:

$ bettercap --help
 _          _   _
| |__   ___| |_| |_ ___ _ __ ___ __ _ _ __
| '_ \ / _ \ __| __/ _ \ '__/ __/ _` | '_ \
| |_) |  __/ |_| ||  __/ | | (_| (_| | |_) |
|_.__/ \___|\__|\__\___|_|  \___\__,_| .__/
                                     |_| v1.5.7
http://bettercap.org/



Usage: bettercap [options]

MAIN:

    -I, --interface IFACE            Network interface name - default: wlan1
        --use-mac ADDRESS            Change the interface MAC address to this value before performing the attack.
        --random-mac                 Change the interface MAC address to a random one before performing the attack.
    -G, --gateway ADDRESS            Manually specify the gateway address, if not specified the current gateway will be retrieved and used.
    -T, --target ADDRESS1,ADDRESS2   Target IP addresses, if not specified the whole subnet will be targeted.
        --ignore ADDRESS1,ADDRESS2   Ignore these addresses if found while searching for targets.
        --no-discovery               Do not actively search for hosts, just use the current ARP cache, default to false.
        --no-target-nbns             Disable target NBNS hostname resolution.
        --packet-throttle NUMBER     Number of seconds ( can be a decimal number ) to wait between each packet to be sent.
        --check-updates              Will check if any update is available and then exit.
    -h, --help                       Display the available options.

LOGGING:

    -O, --log LOG_FILE               Log all messages into a file, if not specified the log messages will be only print into the shell.
        --log-timestamp              Enable logging with timestamps for each line, disabled by default.
    -D, --debug                      Enable debug logging.
        --silent                     Suppress every message which is not an error or a warning, default to false.

SPOOFING:

    -S, --spoofer NAME               Spoofer module to use, available: NONE, ICMP, ARP - default: ARP.
        --no-spoofing                Disable spoofing, alias for --spoofer NONE.
        --half-duplex                Enable half-duplex MITM, this will make bettercap work in those cases when the router is not vulnerable.
        --kill                       Instead of forwarding packets, this switch will make targets connections to be killed.

SNIFFING:

    -X, --sniffer                    Enable sniffer.
    -L, --local                      Parse packets coming from/to the address of this computer ( NOTE: Will set -X to true ), default to false.
        --sniffer-source FILE        Load packets from the specified PCAP file instead of the interface ( will enable sniffer ).
        --sniffer-output FILE        Save all packets to the specified PCAP file ( will enable sniffer ).
        --sniffer-filter EXPRESSION  Configure the sniffer to use this BPF filter ( will enable sniffer ).
    -P, --parsers PARSERS            Comma separated list of packet parsers to enable, '*' for all ( NOTE: Will set -X to true ), available: FTP, REDIS, TEAMVIEWER, MAIL, SNPP, NTLMSS, WHATSAPP, DHCP, URL, PGSQL, CREDITCARD, IRC, DICT, COOKIE, RLOGIN, NNTP, MYSQL, HTTPS, POST, SNMP, MPD, HTTPAUTH - default: *
        --custom-parser EXPRESSION   Use a custom regular expression in order to capture and show sniffed data ( NOTE: Will set -X to true ).

PROXYING:


  TCP:

        --tcp-proxy                  Enable TCP proxy ( requires other --tcp-proxy-* options to be specified ).
        --tcp-proxy-module MODULE    Ruby TCP proxy module to load.
        --tcp-proxy-port PORT        Set local TCP proxy port, default to 2222 .
        --tcp-proxy-upstream ADDRESS:PORT
                                     Set TCP proxy upstream server address and port.
        --tcp-proxy-upstream-address ADDRESS
                                     Set TCP proxy upstream server address.
        --tcp-proxy-upstream-port PORT
                                     Set TCP proxy upstream server port.
  HTTP:

        --proxy                      Enable HTTP proxy and redirects all HTTP requests to it, default to false.
        --proxy-port PORT            Set HTTP proxy port, default to 8080.
        --allow-local-connections    Allow direct connections to the proxy instance, default to false.
        --no-sslstrip                Disable SSLStrip.
        --proxy-module MODULE        Ruby proxy module to load, either a custom file or one of the following: injecthtml, injectcss, injectjs.
        --http-ports PORT1,PORT2     Comma separated list of HTTP ports to redirect to the proxy, default to 80.
        --proxy-upstream-address ADDRESS
                                     If set, only requests coming from this server address will be redirected to the HTTP/HTTPS proxies.

  HTTPS:

        --proxy-https                Enable HTTPS proxy and redirects all HTTPS requests to it, default to false.
        --proxy-https-port PORT      Set HTTPS proxy port, default to 8083.
        --proxy-pem FILE             Use a custom PEM CA certificate file for the HTTPS proxy, default to /root/.bettercap/bettercap-ca.pem .
        --https-ports PORT1,PORT2    Comma separated list of HTTPS ports to redirect to the proxy, default to 443.

  CUSTOM:

        --custom-proxy ADDRESS       Use a custom HTTP upstream proxy instead of the builtin one.
        --custom-proxy-port PORT     Specify a port for the custom HTTP upstream proxy, default to 8080.
        --custom-https-proxy ADDRESS Use a custom HTTPS upstream proxy instead of the builtin one.
        --custom-https-proxy-port PORT
                                     Specify a port for the custom HTTPS upstream proxy, default to 8083.
        --custom-redirection RULE    Apply a custom port redirection, the format of the rule is PROTOCOL ORIGINAL_PORT NEW_PORT. For instance TCP 21 2100 will redirect all TCP traffic going to port 21, to port 2100.

SERVERS:

        --httpd                      Enable HTTP server, default to false.
        --httpd-port PORT            Set HTTP server port, default to 8081.
        --httpd-path PATH            Set HTTP server path, default to ./ .
        --dns FILE                   Enable DNS server and use this file as a hosts resolution table.
        --dns-port PORT              Set DNS server port, default to 5300.

For examples & docs please visit http://bettercap.org/docs/

Important flags are as follows:

    -T: specify MITM targets (IP or MAC)
    -I: interface to use
    -G: specify gateway address (usually automatic)
    --no-discovery: don’t search for hosts (use ARP cache)
    --ignore: ignore ADDRESS1,ADDRESS2
    --check-updates: you guessed it
    -h: get your options

Sniffing vs Spoofing

Like Ettercap, Bettercap has two functions:

  • Sniff traffic
  • Spoof traffic from other computers on the network through various attacks

The simplest sniffing scenario is if you're sitting on a network hub (on which all traffic is broadcast to all ports) and sniffing all of the traffic that comes through your port. In this scenario, you have perfect visibility of all the traffic on the network. Normally you cannot see that traffic, because the network card drops frames that are not addressed to it and does not pass them up to the operating system. Sniffing tools fix that.

If you're on a network switch or a wifi network, you will not have visibility of all packets on the network. If you are on a network switch, your port physically does not receive packets not intended for your device. If you are on a wifi network, your wifi card will drop frames not intended for your computer, and even if you kept the frames, you would be missing data, and would have an imperfect picture of the traffic.

The problem is resolved through spoofing. With spoofing, you can carry out attacks at Layer 3, the packet level, by spoofing packets from different computers. For example, ARP spoofing sends out fake ARP reply packets, confusing network neighbors.

Using

Spoofing with bettercap

Let's run through your basic ARP poisoning attack.

-S specifies your spoofing method - either ARP or ICMP

--kill kills connections for any clients

--half-duplex is useful when you can't MITM the router - that is, when the router has protective mechanisms in place to prevent its ARP table from being corrupted. This type of attack gives you control over traffic leaving the sheep, but not over traffic coming back to it.

$ bettercap -I wlan1 -O bettercap.log -S ARP

or add the -X flag (sniffer mode, covered in the next section).
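What an ARP poisoning run like the one above looks like to a passive monitor on the same segment, as an added example (not part of this page and not bettercap's own code): a small Python 3 parser for raw Ethernet/ARP reply frames feeding a detector that pins the gateway's IP-to-MAC binding and flags conflicts. A reply for the gateway IP from a foreign MAC is the half-duplex signature (only the sheep's ARP table is poisoned); one MAC answering for both the gateway and another host is the full-duplex pattern. The gateway baseline is assumed to be known out of band (DHCP lease, documented config); all frames, IPs and MACs below are constructed sample values.

```python
"""Passive ARP-spoof detector over raw ARP reply frames.

Added example, not from the page or the bettercap project. All addresses
and frames are constructed sample data; nothing is sent on the network.
"""
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType (14 bytes)
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def parse_arp_frame(frame):
    """Return (sender_mac, sender_ip, opcode) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None  # only Ethernet/IPv4 ARP is handled here
    return mac_str(sha), ip_str(spa), op


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Assemble an ARP reply frame in memory; used only to construct test input."""
    eth = ETH_HDR.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


class ArpMonitor:
    """Tracks IP->MAC bindings seen in ARP replies; the gateway binding is pinned."""

    def __init__(self, gateway_ip, gateway_mac):
        self.gateway_ip = gateway_ip
        self.bindings = {gateway_ip: gateway_mac}   # IP -> first MAC seen (gateway from baseline)
        self.ips_by_mac = defaultdict(set)          # MAC -> set of IPs it has claimed
        self.ips_by_mac[gateway_mac].add(gateway_ip)
        self.alerts = []

    def observe(self, frame):
        """Feed one frame; returns an alert tuple (kind, ip, mac) or None."""
        parsed = parse_arp_frame(frame)
        if parsed is None or parsed[2] != ARP_REPLY:
            return None
        mac, ip, _op = parsed
        alert = None
        known = self.bindings.setdefault(ip, mac)
        if known != mac:
            kind = "gateway-impersonation" if ip == self.gateway_ip else "binding-change"
            alert = (kind, ip, mac)
        self.ips_by_mac[mac].add(ip)
        claimed = self.ips_by_mac[mac]
        if alert and self.gateway_ip in claimed and len(claimed) > 1:
            # One MAC now answers for the gateway and for at least one host:
            # both directions of a conversation are being poisoned.
            alert = ("full-duplex-pattern", ip, mac)
        if alert:
            self.alerts.append(alert)
        return alert


def run_sample_scenario():
    """Constructed sequence: two genuine replies, then a rogue MAC claiming gateway and host."""
    mon = ArpMonitor("192.168.1.1", "aa:aa:aa:aa:aa:01")
    frames = [
        build_arp_reply("aa:aa:aa:aa:aa:01", "192.168.1.1", "aa:aa:aa:aa:aa:50", "192.168.1.50"),
        build_arp_reply("aa:aa:aa:aa:aa:50", "192.168.1.50", "aa:aa:aa:aa:aa:01", "192.168.1.1"),
        build_arp_reply("aa:aa:aa:aa:aa:99", "192.168.1.1", "aa:aa:aa:aa:aa:50", "192.168.1.50"),
        build_arp_reply("aa:aa:aa:aa:aa:99", "192.168.1.50", "aa:aa:aa:aa:aa:01", "192.168.1.1"),
    ]
    for frame in frames:
        mon.observe(frame)
    return mon.alerts


if __name__ == "__main__":
    for kind, ip, mac in run_sample_scenario():
        print(f"ALERT {kind}: {ip} claimed by {mac}")
```

In production the frames would come from a capture socket or a pcap file rather than `build_arp_reply`; the detector deliberately never updates the pinned gateway binding, so a legitimate gateway hardware swap needs the baseline to be changed explicitly rather than learned from the wire.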

Sniffing with bettercap

By default, bettercap is not in sniffing mode; it is in MITM mode. You can run in sniffing mode only, in MITM mode only, or in combination - bettercap is flexible.

-X turns on sniffer mode.

$ bettercap -I wlan1 -O bettercap.log -S ARP -X

Links

Project page: https://www.bettercap.org/

Basics: http://www.darknet.org.uk/2016/03/bettercap-modular-portable-mitm-framework/

Bettercap tutorial: https://danielmiessler.com/study/bettercap/

To Explore

Using proxy to replace web content

SSL

Flags