In this new tutorial, we will see together how to get started with the Bettercap utility tool in its current version (v2.x). As mentioned by the author of this tool, Bettercap is the Swiss Army knife for Wireless, Bluetooth, Ethernet network reconnaissance and MITM attacks.
Bettercap is a powerful, easily extensible and portable framework written in Go which aims to offer to security researchers, red teamers and reverse engineers an easy to use, all-in-one solution with all the features they might need for performing reconnaissance and attacking WiFi networks, Bluetooth Low Energy devices, Wireless HID devices and Ethernet networks.
BETTERCAP KEYS FEATURES
- WiFi networks scanning, deauthentication attack, clientless PMKID attack, and automatic WPA/WPA2 handshakes capture.
- Bluetooth Low Energy devices scanning, characteristics enumeration, reading, and writing.
- 2.4Ghz wireless devices scanning and MouseJacking attacks with over-the-air HID frames injection (with DuckyScript support).
- Passive and active IP network hosts probing and recon.
- ARP, DNS and DHCPv6 spoofers for MITM attacks on IP based networks.
- A powerful network sniffer for credentials harvesting which can also be used as a network protocol fuzzer.
- And much more.
You can find all the information about this amazing tool on the official website www.bettercap.org or directly on their Github repository. In this tutorial, we will mainly focus on the installation of Bettercap on Ubuntu or any derived distributions as well as the first steps to know for correct use of this tool.
INSTALLATION OF BETTERCAP 2 ON UBUNTU/DEBIAN AND OTHER DERIVED DISTRIBUTIONS
Method "1" ~ Install from Precompiled Binaries
There is a relatively simple method to install Bettercap on your machine using the precompiled binaries. But I would not spend a lot of time on this solution because it does not represent a real interest. To do it, simply use the below commands.
sudo apt update sudo apt install libpcap-dev libusb-1.0-0-dev libnetfilter-queue-dev # Go to https://github.com/bettercap/bettercap/releases # Grab the URL of the latest precompiled version and change it below if necessary cd ~/Downloads wget https://github.com/bettercap/bettercap/releases/download/v2.26.1/bettercap_linux_amd64_v2.26.1.zip unzip bettercap_linux_amd64_v2.26.1.zip sudo mv -v bettercap /usr/bin rm -rf bettercap_linux_amd64_v2.26.1.*
You can now launch bettercap with root privilege using the below command:
sudo bettercap -h
Method "2" ~ Install from Sources
The second method to install Bettercap is to compile everything from the sources. To do this, we will need also to install and configure properly all the needed dependencies. Are you ready?
sudo apt update sudo apt install build-essential libpcap-dev libusb-1.0-0-dev libnetfilter-queue-dev golang git
When you finished installing the above dependencies, you will need to edit your "
.profile" file to add the export path required by golang.
Add the following three lines at the bottom of the file without forgetting to save it before closing it.
# set Golang export PATH export GOPATH=$HOME/go export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
Once you are done reload your "
.profile" using the below command:
We can now start the installation process of Bettercap using the commands below:
go get github.com/bettercap/bettercap cd $GOPATH/src/github.com/bettercap/bettercap make build sudo make install
Believe it or not but you're done with the installation of Bettercap. You can now launch the tool with root privilege using the below command:
sudo bettercap -h
Installing Bettercap Web Interface
The easiest way to start playing with Bettercap is using its official web user interface. Once you have finished to install the tool using one of the above methods, open your terminal and process with the following commands:
sudo bettercap -eval "caplets.update; ui.update; q"
Only run "
caplets.update" the first time as every time the entire system caplets folder is replaced with the downloaded contents from Github, this will overwrite your changes, such as the credentials or other custom settings with default values. When the update is done, the last and final step is to edit the default credentials setting.
sudo nano /usr/local/share/bettercap/caplets/http-ui.cap
You can now start the web user interface using the below command. If you have an Apache server or any other application using the port 80 of your machine, it is strongly advised to stop it before starting Bettercap web user interface to avoid any conflict with port 80.
sudo bettercap -caplet http-ui
Open your browser to "
http://127.0.0.1/" and log in using the credentials you configured in the previous step.
HOW TO USE THE MODULES
Before starting to see the different attacks, you should know that we are going to use the "modules" function of Bettercap, and these can be configured using the "
» set dns.spoof.domain victim.com
To enable or disable the module, you simply need to call the module and add the argument "on" or "off" in your command:
» dns.spoof on
ARP POISONING ATTACK
The Address Resolution Protocol (ARP) is a widely used communications protocol for resolving Internet layer addresses into link-layer addresses. This type of attack consists of poisoning the ARP cache of the target machine to route the packets to the hacker machine. Basically, in a local network, all communications take place via the MAC addresses of the machines.
The ARP attack will modify the victim's MAC address table. It is required to change the victim's default gateway MAC address so that you can retrieve all the packets transmitted by the victim.
Important: If you attack the victim without configuring your machine properly as a "router", the attack will be considered as a DOS (Denial Of Service). The requests made by the victim will not be forwarded to the real recipient and will, therefore, be dropped. To avoid this, we will need to enable the router mode of our machine using the below command.
» net.probe on
net.probe module is enabled, to find the target we want to attack, we use the following command:
To process further with this example, our victim will be the machine with the IP address 192.168.1.104, which is a computer connected to the network and running on Windows 10.
» arp.spoof off » set http.proxy.sslstrip true » set arp.spoof.internal true » set arp.spoof.targets 192.168.1.104 » set net.sniff.verbose false » net.sniff on » http.proxy on » arp.spoof on
All traffic from/to 192.168.1.104 will be redirected to you. By default, the target is the network where the attacker is located. In our case, if I hadn't modified "
arp.spoof.target", the ARP attack would have been propagated on the 192.168.1.0/24 network.
We have carried out a MITM (Man-In-The-Middle) attack. We can "sniff" the network and grab the packets transmitted by the victim machine.
DNS SPOOFING ATTACK
A "DNS Spoofing" attack consists in modifying the DNS table of a machine or an entire network. When the victim wishes to connect for example to the website "
http://apache.org", his machine will then be redirected to another IP address (private or public) keeping the same domain name.
We need first to set up properly the DNS Spoofing:
» set dns.spoof.domains apache.org » set dns.spoof.all true » dns.spoof on
The command "
set dns.spoof.all true" allows taking into account external incoming requests. We keep the ARP spoof attack in place to target the user we are attacking.
» set arp.spoof.targets 192.168.1.104 » arp.spoof on
Since we are redirecting flows from "apache.org" to the attacker's ip, we are going to create a web server using Bettercap. Please remember, to switch off your Apache webserver or any application using the port 80 of your machine to avoid any port conflicts. Otherwise, you must modify the port in the server configuration of Bettercap using the command "
» set http.server.path /var/www/html » http.server on
Before modifying the victim's ARP table, if the victim had visited the apache.org site, he would then have reached the official page.
After poisoning the ARP cache, the apache.org page redirects directly to the local server of the attacker.
The DNS attack is now over, I let you imagine what a malicious hacker could do with this type of attack.
A proxy attack is a fact of being able to recover the logs of all web requests. It is interesting to set up a proxy when you want to block certain websites in a company or a local network. In our case, we will use the proxy to retrieve the pages that the victim consults. To do it, we will need to configure the verbosity level of the sniffer.
» set net.sniff.verbose false » net.sniff on
Then we configure the proxy:
» set http.proxy.sslstrip true » http.proxy on
Using the "
sslstrip" parameter allows us to enable the https proxy, and to offer the client a certificate generated by Bettercap. Again we keep the ARP attack configuration in place to target the victim. As per the below screenshot, we can see the victim machine is currently visiting Github.com website.
Important: Some of HTTPS sites can be configured to use HSTS protection which can make the attack more complex.
We’ve finished with getting started with the Bettercap tool. I hope you enjoyed it. All manipulations are obviously to be carried out in a local network, of which you are the owner.