BRANDEFENSE BRANDEFENSE
  • Platform
    How It Works?
    Platform Overview
    Cyber Intelligence
    Brand & Reputation Protection
    Exposure Management
    By Use Case
    Preventing Data Leakage
    Phishing Monitoring
    Account Takeover Detection
    Stolen Credit Cards
    Dark Web Monitoring
    Remediation and Takedown
    Q1 | 2023
    Explore the Ransomware Attacks
  • Solutions
    Threat Intelligence Service
    Brand Protection
    Vulnerability Management
    Attack Surface Management
    Fraud Protection
    VIP Security
    Vulnerability Intelligence
  • Resources
    Blog
    Infographics
    Datasheets
    Security News
    Threat Intelligence Researches
    Digital Risk Protection – FAQ
    Cybersecurity Glossary
    Events
  • Partners
    About the Partner Program
    Become a Partner
    Partner Portal
  • Company
    About Us
    Join Us!
    We in the Press
    Privacy Policy
    Terms of Use
    Contact Us
Request a Demo
Login

BRANDEFENSE

  • Platform
    How It Works?
    Platform Overview
    Cyber Intelligence
    Brand & Reputation Protection
    Exposure Management
    By Use Case
    Preventing Data Leakage
    Phishing Monitoring
    Account Takeover Detection
    Stolen Credit Cards
    Dark Web Monitoring
    Remediation and Takedown
    Q1 | 2023
    Explore the Ransomware Attacks
  • Solutions
    Threat Intelligence Service
    Brand Protection
    Vulnerability Management
    Attack Surface Management
    Fraud Protection
    VIP Security
    Vulnerability Intelligence
  • Resources
    Blog
    Infographics
    Datasheets
    Security News
    Threat Intelligence Researches
    Digital Risk Protection – FAQ
    Cybersecurity Glossary
    Events
  • Partners
    About the Partner Program
    Become a Partner
    Partner Portal
  • Company
    About Us
    Join Us!
    We in the Press
    Privacy Policy
    Terms of Use
    Contact Us
Using Bettercap in Penetration Testing

Using Bettercap in Penetration Testing

BRANDEFENSE
Blog
10/04/2020

Last updated on November 14th, 2022 at 02:03 pm

Bettercap is a man-in-the-middle (MITM) attack tool developed to for users who are likely to be penetration testers to test and improve the security of networks or some devices connected to these networks. There’s a lot of material online, especially from the official bettercap website, which document how the tool is used and some of the improvements that have been done to it over the years. This post will majorly focus on version 2.1, which is the current stable version. One can also clone the bettercap repository on github.com to use the development release.

Betterrcap website: www.bettercap.org

Let’s quickly start with the installation process before we can go ahead and explore the numerous functionalities that come with it.

For Kali Linux users, the following commands will be sufficient to have the tool up and running on your machine:

apt-get update
apt-get install bettercap

The installation for other flavors of Linux and the Mac OS X may, however require a little bit more steps as one has to download and install all the necessary dependencies before they are able to run bettercap. Execute this command to get your machine ready to install bettercap.

sudo apt-get install build-essential ruby-dev libpcap-dev

Proceed to install bettercap using the gem install GEMNAME command:

gem install bettercap

And perform an update with:

gem update bettercap

You are now all set to run bettercap and perform whichever recon operations or attacks on your network of choice. It is, however, advisable to use bettercap on your own or authorized network to avoid legal actions against you incase a breach is detected.

The first action is to try to find out what modules or commands are available for your use.

bettercap –help

bettercap help command

This lists the basic command line options. Now to start a fully interactive session then use:

sudo bettercap

To begin straight with the caplets:

sudo bettercap -eval “caplets.update; q”

Even though caplets can be used in both an interactive session and from the command line, we are going to perform most of our actions here from the interactive session.

Let’s start by first exploring how to monitor a local network with bettercap:

We can view all the devices connected to our network by typing:

net.show

bettercamp net command

This command allows bettercap to read the ARP (Adress Resolution Protocol) cache and discover hosts on the network. It is a passive method so a device cached a few minutes earlier then disconnected can still be detected as connected to the network by a bettercap net.show command probe.
To actively search for devices on the network use:

net.probe on
net.show

bettercap net command

We can now see that additional devices are discovered on the network. This is because bettercap was able to send dummy UDP packets to every possible IP address in the subnet and discover additional hosts.

To stay constantly updated on the devices connected to the network without having to repeatedly type in the commands, use these commands:

set ticker.commands ‘net.show’
ticker on

bettercap ticker command

By default bettercap probes for devices connected to the network every second. We can change this setting with

ticker.period <desired_time_in_seconds>

To turn it off just run:

ticker off

Bettercap also allows us to spoof other hosts and sniff their activities on the network.

set arp.spoof.targets <device_ip_address>
arp.spoof on

This spoofs the specified device whose IP address we can learn from

net.show

To turn this off use:

arp.spoof off

Well, just spoofing another host is not useful if we can’t learn of what activities this device is performing on the network. Once more as a reminder it is better to do this on a private network as spoofing a device or sniffing are illegal actions if done without consent.
Now to sniff and monitor a device’s activities we can run the bettercap sniffer.

set net.sniff.verbose true
net.sniff on

bettercap sniff command
bettercap sniff on command
bettercap net sniff

Here, we can see a process tree that would nominally include any processes spawned by the malware and options to download a sample and access a report. Also available are tags assigned to this sample by the community – in this case, the community has correctly identified this sample as Formbook.

From the screenshots, we can see how much one can learn about a device’s activities, like the visited websites and sometimes even installed applications. This can give a footing to a motivated hacker or penetration tester and enable them to evaluate exploits that can be used against their target(s).

Bettercap has many more functionalities that can be used in a network attack, monitoring, or testing process. These include:

  1. Password sniffer
  2. Fake access point creation
  3. Handshake capture
  4. Wi-Fi networks monitoring
  5. Bettercap webserver
  6. DNS spoofer
  7. Transparent HTTP proxy
  8. TCP proxy
  9. Logging

Discussing all these modules in this post is impractical. However, if you have any questions about any of the modules that bettercap offers, we will be more than happy to share helpful material with you.
I hope this served well in introducing you to this powerful tool that is vital to any penetration tester looking to evaluate a network’s security.

If you have a question about the blog post, you can contact us.

Ian King

Share on Facebook Share on X
Search
Categories
APT GroupsBlogDark WebDRPSFraudRansomwareSector AnalysisSecurity NewsVIP SecurityWe in the PressWeekly Newsletter
Recent Posts
  • The Impact of Machine Learning on Enhancing Threat Detection
    The Impact of Machine Learning on Enhancing Threat Detection
  • The Future of AI in Cybersecurity: Benefits and Risks
    The Future of AI in Cybersecurity: Benefits and Risks
  • Brandefense Shares Bridge Partner Program and Brandefense 2.0 with Its Business Partners
    Brandefense Shares Bridge Partner Program and Brandefense 2.0 with Its Business Partners
  • What is Supply Chain Security?
    What is Supply Chain Security?
Ransomware Trends Report | Q2 2023
Ransomware Attack Trends in the Second Quarter of 2023
Report

Ransomware Attack Trends in the Second Quarter of 2023

Download Report
Follow us!

Continue Reading

osint recon-ng metasploit
Next post

OSINT with Recon-ng

We know what hackers know about you

Our cyber threat intelligence and security research team is ready to help you.
image link

Brandefense is solving SOC’s complex challenges. We are here to help Brandefense customers to protect their brands and reputations against cyber threats.

United States:

300 Delaware Ave. Ste 210 #328 Wilmington, DE 19801 / USA

Republic of Turkey:

Üniversiteler, 1605 Cd. Cyberpark Vakıf Binası Kat: -1 No: B25, 06800 Çankaya/Ankara

© 2022 Brandefense. All rights reserved.

Solutions
Threat IntelligenceBrand ProtectionVulnerability ManagementFraud ProtectionVIP SecurityAttack Surface ManagementVulnerability Intelligence
Use Case
Data LeakagePhishing MonitoringAccount Takeover DetectionStolen Credit CardsDark Web MonitoringRemediation / Takedown
Partners
About the Partner ProgramBecome a Partner
Company
AboutCareerPrivacy PolicyTerms Of UseContact
Close
Search

Hit enter to search or ESC to close

cookie By using this website, you agree to our cookie policy. Close