Bettercap
Official Documentation
Get Module Help
Recon & Monitoring
show list of host details
turn passive host discovery on/off
The net.recon module performs passive scanning and is on by default, but it may not discover active devices that are not sending ARP messages while Bettercap is running. Bettercap also includes an active scanning feature in the net.probe module. The net.probe module continually sends UDP packets to all hosts on the network, using four common discovery protocols: NetBIOS Name Service (NBNS), Multicast DNS (mDNS), Universal Plug and Play (UPnP), and Web Services Discovery (WSD).
turn active host discovery on/off
Running the net.probe module for several seconds will typically reveal many more hosts than the net.recon module discovers on its own. During the active discovery, or after stopping it, you can examine information about discovered hosts using the net.show command.
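From the defender's side, the active sweep described above is noisy: one source unicasts discovery-protocol UDP to many distinct hosts in a short window. The following detector is an added example (not part of this page or of Bettercap) that flags such sources from flow records; the flow tuple layout, thresholds and sample traffic are constructed assumptions.

```python
from collections import defaultdict
import ipaddress

# UDP ports of the four discovery protocols net.probe speaks
DISCOVERY_PORTS = {137: "NBNS", 5353: "mDNS", 1900: "UPnP/SSDP", 3702: "WSD"}


def _is_unicast(dst):
    # Simplification (assumption): treat multicast and x.x.x.255 as non-unicast,
    # since multicast mDNS/SSDP from ordinary hosts is normal and must not alert.
    return not ipaddress.ip_address(dst).is_multicast and not dst.endswith(".255")


def find_probe_sweeps(flows, window=10.0, min_targets=20):
    """flows: iterable of (ts, src_ip, dst_ip, dst_port) for UDP datagrams.
    Returns {src_ip: (max_distinct_targets, [protocols])} for every source that
    unicast discovery traffic to >= min_targets distinct hosts within `window` s."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in DISCOVERY_PORTS and _is_unicast(dst):
            per_src[src].append((ts, dst, DISCOVERY_PORTS[dport]))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        best, j = 0, 0
        for i in range(len(events)):           # sliding time window [j, i]
            while events[i][0] - events[j][0] > window:
                j += 1
            best = max(best, len({d for _, d, _ in events[j:i + 1]}))
        if best >= min_targets:
            hits[src] = (best, sorted({p for _, _, p in events}))
    return hits


def sample_flows():
    """Constructed sample: 192.168.1.50 sweeps the /24 with unicast NBNS,
    while 192.168.1.20 only does ordinary multicast mDNS plus one DNS query."""
    flows = [(i * 0.1, "192.168.1.50", f"192.168.1.{i}", 137) for i in range(1, 41)]
    flows += [(i * 1.0, "192.168.1.20", "224.0.0.251", 5353) for i in range(5)]
    flows.append((2.0, "192.168.1.20", "192.168.1.1", 53))
    return flows


if __name__ == "__main__":
    for src, (n, protos) in find_probe_sweeps(sample_flows()).items():
        print(f"active discovery sweep from {src}: {n} hosts via {', '.join(protos)}")
```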
Sniffing
turn packet sniffing on/off
set verbose
If true it will consider packets from/to this computer, otherwise it will skip them.
save packets to a file
examine packet sniffer status
add source pcap file to read
extract matching regex from packet payloads
set a protocol filter for sniffer output
Password Sniffing
You could use the predefined caplet http-req-dump.cap:
Proxy JS Injection (XSS)
We use the beef-xss caplet.
When a user opens an HTTP website, for instance time.com, the hook will be executed.
Bettercap + BeEF Hook
Fuzzing
In addition to its packet-sniffing capabilities, Bettercap can also mutate packets for network protocol fuzzing using the net.fuzz module. By default, the net.fuzz module mutates 100% of the packets forwarded by Bettercap, changing 40% of each packet's payload bytes. You can adjust these values by changing the net.fuzz.rate and net.fuzz.ratio parameters.
mutate (fuzz) packets as they are forwarded
choose which application layers are fuzzed
change the percentage of packet and byte mutation
SYN Scan
start scan
stop scan
show progress
show results
Ticker Commands
The Bettercap ticker allows you to specify a collection of commands to run at a fixed frequency, which is great for monitoring the network or periodically scanning for new network targets.
ARP Spoof
start ARP spoof
run ARP spoof in ban mode (the target's connections won't work)
run full duplex ARP spoof (both target and gateway will be attacked)
if the gateway has ARP spoof protection, the attack will fail
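Both ARP spoof variants above leave a visible trace: the gateway IP is suddenly claimed by a second MAC, and in full duplex mode one MAC claims the gateway and a victim at the same time. The monitor below is an added example (not from this page or Bettercap) that detects both from ARP reply records; the record layout, the baseline mapping and the sample replies are constructed assumptions.

```python
from collections import defaultdict


def detect_arp_spoof(arp_replies, gateway_ip, baseline=None):
    """arp_replies: iterable of (ts, sender_ip, sender_mac) taken from ARP replies.
    baseline: optional trusted {ip: mac} map (e.g. the gateway's real MAC).
    Returns {"conflicts": {ip: [macs...]} for IPs claimed by more than one MAC,
             "full_duplex": {mac: [ips...]} for MACs claiming the gateway plus others}."""
    claims = defaultdict(set)            # ip  -> every MAC that has claimed it
    ips_per_mac = defaultdict(set)       # mac -> every IP it has claimed
    for ip, mac in (baseline or {}).items():
        claims[ip].add(mac.lower())
    for _ts, ip, mac in arp_replies:
        mac = mac.lower()
        claims[ip].add(mac)
        ips_per_mac[mac].add(ip)
    conflicts = {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}
    full_duplex = {mac: sorted(ips) for mac, ips in ips_per_mac.items()
                   if gateway_ip in ips and len(ips) > 1}
    return {"conflicts": conflicts, "full_duplex": full_duplex}


GATEWAY = "192.168.1.1"
BASELINE = {GATEWAY: "aa:bb:cc:00:00:01"}   # constructed: real gateway MAC


def sample_arp_replies():
    """Constructed sample: de:ad:be:ef:00:01 claims both the gateway and the
    victim 192.168.1.10 (full duplex), while the real hosts keep answering."""
    return [
        (1.0, GATEWAY, "DE:AD:BE:EF:00:01"),
        (1.1, "192.168.1.10", "de:ad:be:ef:00:01"),
        (2.0, GATEWAY, "aa:bb:cc:00:00:01"),
        (2.5, "192.168.1.10", "aa:bb:cc:00:00:10"),
        (3.0, GATEWAY, "de:ad:be:ef:00:01"),
    ]


if __name__ == "__main__":
    result = detect_arp_spoof(sample_arp_replies(), GATEWAY, BASELINE)
    for ip, macs in result["conflicts"].items():
        print(f"{ip} claimed by several MACs: {', '.join(macs)}")
    for mac, ips in result["full_duplex"].items():
        print(f"{mac} claims gateway and {len(ips) - 1} other host(s): {', '.join(ips)}")
```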
Ban Target From Network
DNS Spoof
Set dns.spoof.address to the host that you want to receive the client activity stemming from spoofed responses. Set dns.spoof.domains to a comma-separated list of all the domains you want to target for DNS spoofing, or set dns.spoof.all to true to spoof all DNS responses. Alternatively, you can target your attack by setting dns.spoof.hosts to a hosts file that contains specific hostname-to-IP-address pairings (using the same format as the standard /etc/hosts file on UNIX systems).
Set the IP address to return for spoofed DNS answers
Set a comma-separated list of domain targets for DNS spoofing
Perform DNS spoofing for all requests regardless of domain or hosts file
Perform DNS spoofing only for the entries mapped in the specified hosts file
DHCPv6 Spoof
NDP Spoof
Custom Proxy
turn any proxy on/off
TCP Proxy
HTTP Proxy
enable SSL strip attack
URL, path or js code to inject into every HTML page
HTTPS Proxy
A full-featured HTTPS transparent proxy that can be scripted using JavaScript modules. If used together with a spoofer, all HTTPS traffic will be redirected to it and it will automatically handle port redirections as needed.
When a new TLS connection is being proxied, bettercap fetches the original certificate from the target host and re-signs the full chain on the fly using its own CA.
enable SSL strip attack
inject js code
Wifi Network Monitoring
wifi.recon covers both the 2.4 GHz and 5 GHz bands. It does everything you need: deauth, sniffing, handshake captures. To start, add the -iface option:
In case of the error "Can't restore interface wlan0 wireless mode (SIOCSIWMODE failed: Bad file descriptor). Please adjust manually.", quit bettercap and manually set the wireless interface to monitor mode. For example, as follows:
Turn on recon:
You can manage channels with:
To clear them:
Results can be seen with:
To capture handshakes, we should define a sniffer, filter the specific frames (EAPOL, ethertype 0x888e), set the output file for processing later on, and optionally select the channel and/or target:
Then we should hit it with a deauth. You can deauth all clients with:
or just a specific one:
When you have captured the handshake, you can start cracking it. We'll not cover that here.
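The deauth step above is also the easiest part to detect from a monitor-mode capture: a burst of management frames with subtype deauthentication (Frame Control 0xC0) for one BSSID, often addressed to the broadcast MAC. The detector below is an added example (not from this page or Bettercap) that works on decoded frame records; the record layout, thresholds and sample frames are constructed assumptions.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_deauth(fc0):
    """True when the first Frame Control byte is a management frame (type 0)
    with subtype 12 (deauthentication), i.e. 0xC0 for protocol version 0."""
    return (fc0 & 0x03) == 0 and ((fc0 >> 2) & 0x03) == 0 and (fc0 >> 4) == 0xC


def detect_deauth_flood(frames, window=5.0, threshold=10):
    """frames: iterable of (ts, fc0, addr1_dst, addr2_src, addr3_bssid).
    Returns {bssid: {"count": n, "broadcast": bool, "targets": [...]}} for each
    BSSID that saw more than `threshold` deauth frames within any `window` seconds."""
    per_bssid = defaultdict(list)
    for ts, fc0, a1, _a2, a3 in frames:
        if is_deauth(fc0):
            per_bssid[a3.lower()].append((ts, a1.lower()))
    alerts = {}
    for bssid, ev in per_bssid.items():
        ev.sort()
        best, j = 0, 0
        for i in range(len(ev)):               # sliding time window [j, i]
            while ev[i][0] - ev[j][0] > window:
                j += 1
            best = max(best, i - j + 1)
        if best > threshold:
            targets = sorted({a for _, a in ev})
            alerts[bssid] = {"count": best, "broadcast": BROADCAST in targets,
                             "targets": targets}
    return alerts


def sample_frames():
    """Constructed sample: 30 broadcast deauths for AP aa:bb:cc:dd:ee:ff in 1.5 s,
    beacons from the same AP, and one ordinary targeted deauth from another AP."""
    ap = "aa:bb:cc:dd:ee:ff"
    frames = [(i * 0.05, 0xC0, BROADCAST, ap, ap) for i in range(30)]
    frames += [(i * 0.1, 0x80, BROADCAST, ap, ap) for i in range(15)]
    frames.append((3.0, 0xC0, "de:ad:be:ef:00:01", "11:22:33:44:55:66", "11:22:33:44:55:66"))
    return frames


if __name__ == "__main__":
    for bssid, info in detect_deauth_flood(sample_frames()).items():
        kind = "broadcast" if info["broadcast"] else "targeted"
        print(f"deauth flood on {bssid}: {info['count']} frames ({kind})")
```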
BLE (Bluetooth Low Energy device discovery)
The ble.recon module will discover every BLE device, which you can then inspect with ble.enum or play around with using ble.write.
To connect, enumerate and read characteristics from the BLE device 04:ff:de:ff:be:ff:
Write the bytes ff ff ff ff ff ff ff ff to the BLE device 04:ff:de:ff:be:ff on its characteristic with UUID 234afbd5e3b34536a3fe72f630d4278d:
ble.enum only works one time per execution
incomplete support for macOS
not supported on Windows