In this post, learn how to use the different modules available in Bettercap to obtain user credentials, and how to spoof DNS to redirect the victim to a target of your choosing. Let's start without further ado.
Attacker Machine: Kali Linux
Victim Machine: Windows 8.1
What is Bettercap?
Bettercap is an efficient, easily extensible and portable platform written in Go. It aims to provide an easy-to-use, all-in-one solution for security researchers, red teams and reverse engineers, with all the features they might need to conduct reconnaissance and attacks against WiFi networks, Bluetooth Low Energy devices, wireless HID devices and Ethernet networks.
It can be described as a Swiss Army knife for 802.11, BLE and Ethernet network reconnaissance and MITM attacks.
First, start the net.probe module with the command net.probe on. You will see the list of hosts available on the network and can get the IP address of the victim machine.
After you get the IP address, let's start ARP spoofing to get the packets.
There are various parameters available for the arp.spoof module. Use them as per your requirements. Use the command help <module name> to get help on a module's parameters.
Here I am targeting a single machine, therefore I am using the arp.spoof.targets option. If you want to cover the entire network instead, you can use the arp.spoof.internal option. Use the command set arp.spoof.targets with the target IP, and you are now ready to start ARP spoofing.
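From the defender's side, the ARP spoofing just described leaves a visible trace on the victim: the gateway's MAC address changes in the ARP cache, and one MAC ends up answering for several IPs. The following is an added example (not code from the post or from Bettercap) that compares two constructed `arp -a` style snapshots and flags both symptoms; the addresses, MACs and function names are all assumptions.

```python
# Added example: detect the ARP-cache symptoms of ARP spoofing from two
# constructed Windows-style `arp -a` snapshots. Not part of Bettercap.
import re
from collections import defaultdict

# Matches "<ip>  <mac>" with either '-' or ':' separated MACs.
ARP_LINE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})", re.I)
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Constructed snapshot taken before the attack (gateway is 192.168.1.1).
BEFORE = """Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-00-00-01     dynamic
  192.168.1.30          aa-bb-cc-00-00-30     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Constructed snapshot taken during the attack: the gateway entry now
# carries the MAC of 192.168.1.40, i.e. one MAC claims two IPs.
AFTER = """Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-00-00-99     dynamic
  192.168.1.30          aa-bb-cc-00-00-30     dynamic
  192.168.1.40          aa-bb-cc-00-00-99     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""


def parse_arp_table(text):
    """Return {ip: mac} with MACs normalised to lowercase colon form."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table


def detect_arp_spoof(before, after, gateway_ip):
    """Compare two snapshots; return a list of (kind, detail) alerts."""
    alerts = []
    # Symptom 1: the gateway's MAC changed between the two snapshots.
    if gateway_ip in before and gateway_ip in after \
            and before[gateway_ip] != after[gateway_ip]:
        alerts.append(("gateway-mac-changed",
                       f"{gateway_ip}: {before[gateway_ip]} -> {after[gateway_ip]}"))
    # Symptom 2: a single MAC now answers for more than one IP.
    by_mac = defaultdict(list)
    for ip, mac in after.items():
        if mac != BROADCAST_MAC:
            by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(("duplicate-mac", f"{mac} claimed by {sorted(ips)}"))
    return alerts
```

Running detect_arp_spoof on live snapshots taken a few seconds apart (or on arpwatch-style logs) gives the same two alerts whenever a host's gateway entry is overwritten.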
Now let's check the net.sniff parameters. Using the help command you can take a look at the parameters available in this module. Use them as per your requirements.
Here I am using net.sniff.output to create an output file named pentest.pcap, together with the net.sniff.verbose parameter. If you want to search for a particular term in the packets, you can use the regexp option.
After starting net.sniff, go to the victim machine and search for anything in the browser. Here I am searching google.com, and you can see that traffic is being generated.
But as you can see, no HTTP traffic was captured. You need to start the HTTP proxy to intercept the HTTP traffic and inject malicious code. Enable http.proxy.sslstrip by setting its value to true; you will then be able to intercept the HTTP traffic.
Here I am using an HTTP login page. Run the query inurl: http login page in Google; on the first result you will get testphp.vulnweb.com. Here I am using test as the username and thisisdummypassword as the password.
Now open the generated file pentest.pcap in Wireshark and take a look at the traffic.
Now let's search for the credentials in the traffic. You will find the POST request that contains the credentials.
DNS spoofing is used to send spoofed DNS responses. There are various parameters available that can be used on different occasions. Here I am using dns.spoof.domains to give the list of domains that I want to spoof. Use help dns.spoof to get more information on the parameters.
Use the command set dns.spoof.domains and give the names of the domains you want to spoof. Here I am using vulnhub.com, and I am diverting the traffic to my default Apache page.
Let's take a look at vulnhub.com in the browser and at the terminal: you can see that the response is spoofed.
Bettercap is a Swiss Army knife for pen-testers and security auditors, who can perform various types of attacks in one place. Here the arp.spoof, net.sniff, http.proxy and dns.spoof modules were used. I hope you found this article interesting and learned something new.