Tuesday, December 6, 2016

Bettercap : MITM attack for sniffing traffic and passwords

Contents

  • Installation
  • Sniffing Traffic
  • Getting password
We will be installing Bettercap, doing a quick sniffing exercise, and then a more detailed section on grabbing the password. Will demonstrate the password grabbing on outlook.com, which seems to be particularly vulnerable to this attack.

Installing bettercap

Installation is simple-
apt-get update
apt-get dist-upgrade
apt-get install bettercap
The above three commands will leave you with latest versions of Kali and bettercap.

PS: I am writing this tutorial from a location with slow internet connection, and hence didn't perform the dist-upgrade step. However, bettercap seems to be running mostly fine. There may be a few difference in what you observe and what I show in this demo due to this difference in versions. For those who want to know the versions of various utilities that I'm using, take a look below. If you are unfamiliar with Linux, you're best off using the latest versions of everything, which can be obtained by running the three commands I mentioned earlier.

new@kali:~$ uname -a
Linux kali 4.7.0-kali1-amd64 #1 SMP Debian 4.7.6-1kali1 (2016-10-17) x86_64 GNU/Linux

new@kali:~$ bettercap -v
bettercap 1.5.8

new@kali:~$ ruby -v
ruby 2.3.1p112 (2016-04-26) [x86_64-linux-gnu]

Not on Kali?

The readme on github repository of bettercap is quite comprehensive, and would help you install bettercap on most linux distributions. After installation the process should be same for Kali or any other Linux distribution.


Sniffing Traffic

There's nothing special about the usual sniffing traffic functionailty of bettercap. Bettercap can easily performing sniffing on your local area network. It also lets you write the output to a pcap file and later analyze it with WireShark or some other tool of your choice. I'll just give a simple demo here. The real fun is in the capturing passwords section.

Run the command-
bettercap --sniffer
Sniffing traffic: Screenshot shows my lenovo smartphone's
requests to truecaller being sniffed

 You'll see all the websites being visited by all the devices on the network. Press ctrl+c to stop.

Take a look at the help manual for more commands, or read the wonderful documentation.


Internet stopped working

There are plenty of open issues on the github page of bettercap. The one problem I faced was that after bettercap had finished running, the internet connection on the attacker machine (Kali) would be killed. I fixed it by simply turning restarting the wlan0 interface (turn it off and on from the gui or use ifconfig commands). Some people reported that Bettercap killed internet connection for all hosts. If you face a different issue, take a look here and see if you can find a solution.



Capturing passwords

The fun part lies here. Bettercap uses sslstrip to change https webpages to simple http ones, which ensures that the passwords are transferred in clear text, and you can read them without any issues. I will be targeting my lenovo phone from my Kali machine. First, you must find the IP of your target. This can be done by simply running bettercap and waiting for all machines on your network to show up. Once they do, you can identify the one you're trying to attack, and note it's IP. Then use this IP as the target IP. Let's look at the steps first.
PS: I'm assuming you connected to the network you are attacking using the wlan0 interface. If not, specify your interface using the -I option.

  1. Run the command bettercap on the terminal
  2. Wait for bettercap to acquire targets.
  3. When bettercap discovers the target you're looking for, note down it's IP address. Let's call it TARGET_IP.
  4. Press ctrl+c to stop bettercap (if internet connectivity is lost, as was in my case, restart your wlan0 interface)
  5. Run this command - bettercap -T TARGET_IP --proxy -P POST (replace TARGET_IP with the appropriate IP)
In  my case, my target was my Lenovo smartphone. It was detected by bettercap,
and i noted down it's IP. 192.162.2.2 is what I'll use as my TARGET_IP
Now your attacker machine is ready and listening for traffic on the network. Once your victim opens any login page, bettercap will use sslstrip to remove the https from the URL, and once the target enters his/her login credentials, you will see them in cleartext.

Let's look at a demo run of the above procedure.

Capturing passwords entered on Outlook by smartphone user on same LAN/WLAN

This section is simply going to be a set of pictures with captions below them explaining stuff. It should be easy to follow I hope.

Starting bettercap using the command I specified earlier.
Then I proceed to open outlook.com on my smartphone
SSLStrip detects that I'm trying to access outlook, removes the https from the page
This is the login page that my smartphone sees. Notice the address in the URL.
This is what the address should look like, with HTTPS. The URL on the smartphone lacks
HTTPS, and has extra Ws in www. I enter the username here. Meanwhile,
bettercap detected that username was entered and shows that to me. 

Bettercap shows me the username. In the smartphone, I am at the password stage after entering username.

I now enter the password. Let's see what happens on the attacker machine
I entered the password as "wrongpass" on my smartphone, and
bettercap is able to detect it.

Limitations

From this test run, here are the limitations of the tool that I observed-
  1. The biggest problem - It does not work on all sites. Before trying outlook, I tried to see if I could carry out this MITM attack over Facebook, Gmail, Twitter, etc. Unfortunately, I wasn't able to. It only seems to work with some websites.
  2. The difference in the URL if easily visible. Anyone who knows what https is, will notice the lack of it. I, for one, would never enter my credentials on an http page.The extra Ws in the www don't help eitheir.
  3. The tool isn't perfect. There are a few bugs.
Update : Giorgio's comment on the tutorial addresses the first and the third issues. The reason why Facebook and Gmail don't give in to the attack is because they don't have an http version of their websites. Bettercap can't force Facebook to replace it's https page with an http one, simply because there is no http version of Facebook. Secondly, Yahoo looks buggy because it's CSS files (ones hostel by google) are served over https, and an attempt to get an http version would yield nothing, since http versions aren't available. Hence, the CSS files are missing, and while the parts of the page which operate over http load well, the ones which are exclusively https do not.

Facebook seems immune to the attack
Yahoo's response is buggy, but you'll notice
that sslstrip did it's job, the page is regular http now
The tutorial ends here, a few personal insights ahead, not very important.

How to be safe

This demo must scare you. I, for one, wasn't sure if this tool would work at all. However, it did work very well with outlook, and somewhat worked with yahoo as well (not shown in demo). Facebook and Gmail seem to be immune to it, but I didn't really try hard to get them, and after writing this post, I'll try to see if I can get the tool to grab Facebook and gmail logins as well. Regardless, we see how easy it can be for someone to grab your credentials if they are on the same network as you. So how can you be safe?

Here are some pointers-
  1. Never enter your credentials on a non-https page. Also, if there's some flaw with the https, your browser usually will point that out to you. 
  2. Be extra careful on public wireless networks.

By clicking on details, you can see exactly how your connection to
a website is encrypted.
Chrome provides detailed breakdown of the cipher used and the validity of certificate

Things to do

This tutorial is supposed to serve as an introduction to sniffing, MITM and bettercap. I have observed that posts with too much theory don't perform too well, so I just demonstrated the functionality of the tool. However, this was a very basic exercise, and for both me you, there are things to do-

  1. Try other functionalities offered by this tool.
  2. Try to get it to work with Facebook and Gmail. I'll have to approach facebook and Gmail in a different manner, read the comment by Giorgio below for more information.
If I am able to get it to work with Facebook/Gmail, I'll write another tutorial, showing you how you can do it too.

86 comments:

  1. Thank you for thia guide and for this blog: I hope that many people will read it and learn about the basics of IT security.
    I think what prevents this attack on Google, Facebook (not sure about twotter) and some other sites is that they only accept protected (https) connections. They simply don't have an http version, so you cannot connect to them via plain http.
    My guess about the Yahoo thing instead is that they make use of Google-hosted css/js (like Google fonts). Those files are served through https and in experience trying to access them via http will result in an error being thrown, therefore when you force yahoo to use http you prevent those files from loading.
    I don't know if this could be feasible, but depending on how Bettercap was implemented it could be possible to add a whitelist of sites which should be left with https.

    ReplyDelete
    Replies
    1. Thank you for the valuable insights.

      I was able to realize from Yahoo's appearance that it's CSS file(s) failed to loaded, and suspected something along the lines of what you said.

      However, I had no clue why Facebook and Gmail wouldn't bulge. Your answer makes perfect sense. If they don't have an http version, there's nothing that bettercap/sslstrip can do to make them serve one. A simple yet elegant solution.

      Next step for me would be to replace the Facebook login page with my phishing page. I did something along those lines in an earlier tutorial (2 years ago - http://www.kalitutorials.net/2014/05/social-engineering-toolkit-kali.html), but let me see if I can get my phishing page to open if one types in facebook.com in the URL bar (instead of the IP of my attacker machine, as was the case in the aforementioned tutorial).

      I do not yet code in Ruby, but will try to look at Bettercap's source code on Github and see if I can understand how it works, maybe even contribute to it.

      Delete
    2. Phishing is a really strong weapon, however if you redirect the victim to your fake page then there is no need to run bettercap nor sslstrip anymore as he would be sending data directly to you anyway.
      As far as Facebook.com instead of the IP address you should look into DNS spoofing, it'quite messy to make it work, but extremely effective if you manage to do it.

      Delete
    3. I'll look into DNS spoofing, that seems to be quite an interesting topic at first glance.

      However, I was thinking about using ARP spoofing/ ARP poisoning (what bettercap does). That seems to be quite straightforward and works without many issues.

      Let me elaborate on what I intent to do.

      What I (or bettercap :) ) did in this tutorial puts us in a position where the victim machine thinks that the attacker machine is the router and hence sends requests to the attacker machine for fetching web pages from the internet. The attacker then forwards the request to the router, get the response and returns the response back to the victim. In this way, we have sniffed all the traffic, by ensuring it passes through us.

      But, rather than harmless sniffing, we could modify things as well. Instead of forwarding the request to the router, we could return whatever web page we please (a local phishing page for example). I think the browser on the victim will complain about untrusted certificates, but apart from that, this seems to be doable.

      Delete
    4. sslstrip can maintain upstream HTTPS connections between attacker > real service, then relay the data onto the victim/test machine via HTTP; in this way, content only available upstream via HTTPS (be it CSS or an entire site) can still be represented as HTTP on the victim/test machine.

      The only issue you will face here is the 'On Ramp' so to speak. SSLStrip needs to see a cleartext page with a link to a HTTPS page (or a login form etc) that it can re-write to HTTP (even though SSLStrip with keep the attacker>service connection HTTPS). It may not do this out of the box, but www.facebook.com DOES provide a response, a simple redirect to HTTPS://www.facebook.com, so in theory you could have your MITM proxy simply return the 200OK + Content it's pulled from the https upstream facebook, direct to the user as HTTP, rather than the redirect.

      Delete
  2. Giorgio, I found your insight and knowledge on this matter to be most enlightening. I followed your instructions to the tee and I was very impressed by the results. I'm a simple script kiddy; but in my defense the best way to learn is to do. I also read up on some of the basics you linked in this thread, thank you again for that.

    Shashwat Chaudhary, I'd really like to learn more about phishing and other forms of social hacking. Any response would be greatly appreciated.

    ReplyDelete
    Replies
    1. My winter semester has started but I'll try to post more on social engineering soon. Also, sorry for the late response, your comment was wrongly marked as spam.

      Delete
  3. i cant install bettercap i have vm ware player in which i use kali but when i enter the commands you gave it just says nable to locate package

    ReplyDelete
    Replies
    1. IEEE Project Domain management in software engineering is distinct from traditional project deveopment in that software projects have a unique lifecycle process that requires multiple rounds of testing, updating, and faculty feedback. A IEEE Domain project Final Year Projects for CSE system development life cycle is essentially a phased project model that defines the organizational constraints of a large-scale systems project. The methods used in a IEEE DOmain Project systems development life cycle strategy Project Centers in India provide clearly defined phases of work to plan, design, test, deploy, and maintain information systems.


      This is enough for me. I want to write software that anyone can use, and virtually everyone who has an internet connected device with a screen can use apps written in JavaScript. JavaScript Training in Chennai JavaScript was used for little more than mouse hover animations and little calculations to make static websites feel more interactive. Let’s assume 90% of all websites using JavaScript use it in a trivial way. That still leaves 150 million substantial JavaScript Training in Chennai JavaScript applications.

      Delete
  4. sir please lecture in Backtrack 5
    what is Backtrack 5 ?
    sir you have facebook account if you have please add me

    ReplyDelete
    Replies
    1. Backtrack is the version before kali linux. And Backtrack 5 is the last one of backtrack series. Kali Linux is the latest one

      Delete
  5. is it possible to get encrypted password from facebook? It would be okay for me to crack that...

    ReplyDelete
    Replies
    1. Are you sure you would decrypt fb password? That's not possible i think.

      Delete
  6. Wow great article,Any undetectable method you have which bypaas the webhosting security.

    ReplyDelete
  7. I got this error, any ideas?

    [I] [192.168.1.7 > DNS] Received request for 'wwwww.outlook.live.com.home', sending spoofed reply 2620:1ec:21::11 ...
    [W] [DNS] cannot interpret as IPv4 address: "2620:1ec:21::11"

    ReplyDelete
  8. how to use this techinque in wan

    ReplyDelete
  9. I havent any word to appreciate this post.....Really i am impressed from this post....the person who create this post it was a great human..thanks for shared this with us.
    raleigh traffic ticket attorney

    ReplyDelete
  10. Hey man.. you should consider to delete hexadecimal values too
    chaueharyshashwat@gmail.com, right?

    ReplyDelete
  11. thanks love you a hero hacker

    ReplyDelete
  12. This is a really decent site post. Not very numerous individuals would really, the way you simply did. I am truly awed that there is such a great amount of data about this subject have been revealed and you've given a valiant effort, with so much class. In the event that needed to know more about green smoke audits, than by all methods come in and check our stuff. Easy Traffic School Online California for Traffic Tickets

    ReplyDelete
  13. A debt of gratitude is in order for sharing us. best backlinks

    ReplyDelete
  14. Courses for moral hacking have turned out to be broadly famous and many are taking it up as a genuine calling.Try this

    ReplyDelete
  15. Hi, nice and useful tutorial but I have Bettercap version v2.26.1 and the command
    - bettercap -T TARGET_IP --proxy -P POST
    does not work, this is the error I am getting
    flag provided but not defined: -target
    Usage of bettercap:
    -autostart string
    Comma separated list of modules to auto start. (default "events.stream")

    It seems ,a ccording to the github site project that "those flags from the legacy version which is no longer supported."
    So what is the replacement for this command? Thanks in advance

    ReplyDelete
  16. I’ve been surfing online more than 5 hours today, yet I never found any interesting article like yours without a doubt. It’s pretty worth enough for me. Thanks... Traffic secrets

    ReplyDelete
  17. For a large portion of us, our first prologue to driving came from our secondary school driver's schooling courses - those week by week classes instructed in stodgy study halls where the risks of the street were penetrated into our psyches. traffic school

    ReplyDelete
  18. This is my first time i visit here. I found so many interesting stuff in your blog especially its discussion. From the tons of comments on your articles, I guess I am not the only one having all the enjoyment here keep up the good work Traffic ticket attorney

    ReplyDelete
  19. Took me time to read all the comments, but I really enjoyed the article. It proved to be Very helpful to me and I am 온라인카지노 sure to all the commenters here! It’s always nice when you can not only be informed, but also entertained!

    ReplyDelete
  20. 바카라사이트 Nice post! This is a very nice blog that I will definitively come back to more times this year! Thanks for informative post

    ReplyDelete
  21. 스포츠토토 I constantly spent my half an hour to read this web site’s content daily along with a cup
    of coffee.

    ReplyDelete
  22. 토토사이트 Having read this I believed it was extremely enlightening. I appreciate
    you spending some time and effort to put this short article together.
    I once again find myself personally spending a significant amount of
    time both reading and posting comments. But so what, it was still worth it!

    ReplyDelete
  23. I like what you guys are usually up too. This kind of clever work and coverage! Keep up the very good works guys I’ve incorporated you guys to blogroll.
    토토사이트

    ReplyDelete
  24. I am so happy to read this. This is the kind of manual that needs to be given and not the random misinformation that’s at the other blogs. Appreciate your sharing this greatest doc. 메이저토토

    ReplyDelete
  25. Hello, I am one of the most impressed people in your article. sòng bạc I'm very curious about how you write such a good article. Are you an expert on this subject? I think so. Thank you again for allowing me to read these posts, and have a nice day today. Thank you.


    ReplyDelete
  26. My Instagram account got hacked and I was looking for a way to restore it but couldn’t find much from this post as well. I especially took the PhD Qualitative Data Analysis Help because I couldn’t focus on writing my project and decided to take help from professional writers instead.

    ReplyDelete
  27. MetàMask Lògin is a cryptocurrency handbag which can be used on the Chrome, Firefox as well as Brave browsers. It’s likewise a browser extension. metamask login | metamask wallet | metamask extension

    ReplyDelete
  28. Except for public lawyers, every lawyer practicing self-employment must be registered with the bar association in the province where they are located. Ankara avukat

    ReplyDelete
  29. I have looked couple of days and discovered some spellbinding formed work on it. In any case, it is the best of all. How to start a credit card processing ISO

    ReplyDelete
  30. I had a lot of fun at this Olympics, but something was missing. I hope there's an audience next time.안전토토사이트

    ReplyDelete
  31. If any hacker tries to attack any business website, it will be very dangerous because all the keywords of this site will come down from google ranking. I am worried about this news, and I don't understand what I want to comment on. dissertation writing services

    ReplyDelete
  32. Very detailed information about man in the middle attack. now i know how to protect myself even more. Special thanks to the author who put this much effort into writing this blog.
    I usually use Content Writing Services UK for all my content writing needs.

    ReplyDelete
  33. Hey friend, it is very well written article, thank you for the valuable and useful information you provide in this post. Keep up the good work! FYI, shih tzu hair products , axis bank magnus credit card, a thousand splendid suns pdf,10 Lines on Myself In English

    ReplyDelete
  34. Youre so right. Im there with you. Your weblog is definitely worth a read if anyone comes throughout it. Im lucky I did because now Ive received a whole new view of this. 먹튀검증사이트

    ReplyDelete
  35. By telling us how to learn these tactics, we can greatly improve our knowledge. Buy Law essay writing to know about legal service and many assignments related to your needs.

    ReplyDelete
  36. Awesome blog. I enjoyed reading your articles. This is truly a great read for me. I have bookmarked it and I am looking forward to reading new articles. Keep up the good work!

    ReplyDelete
  37. My curiosity was solved by looking at your writing. Your writing was helpful to me. 룰렛사이트 I want to help you too.

    ReplyDelete
  38. I just wanted to say that I love every time visiting your wonderful post! Very powerful and have true and fresh information about psychology . Thanks for the post and effort! Please keep sharing more such a blog
    Site: Yellowstone John Dutton Quilted Jacket

    ReplyDelete
  39. Very fascinating story, it is difficult to find interesting and relevant content among blogs now
    Site : Johnny Red Cobra Kai Jacket

    ReplyDelete
  40. Thank you for sharing this article also check out Nursing Essay Writing Service Australia contact us for more information.

    ReplyDelete
  41. I really enjoyed this blog post, thank you for sharing it. I’ll return for more. See you soon! 먹튀검증

    ReplyDelete
  42. This paragraph will help the internet visitors for building up new web site or even a weblog from start to end. 온라인경마

    ReplyDelete
  43. This is very interesting, You are a very skilled blogger. 토토

    ReplyDelete
  44. If you're in need of Edmonton foundation repair , look no further than Rammafoundation! Our experienced staff will work diligently to restore your skin to its former glory, no matter what the cause. From mild to severe cases of foundation failure, we have the expertise and equipment to get the job done right. Contact us today to schedule a consultation!

    ReplyDelete
  45. Skills are becoming very important with each passing day in this world. The parents should concentrate on development of several skills in their children. Toy games like building blocks offer learning of such skills. Kids can polish their problem solving and puzzle solving skills through this. It is a great learning opportunity.

    ReplyDelete
  46. Looking for soil modification services in Houston, TX? Hastencontracting is here to serve! We provide a wide range of soil SOIL MODIFICATION in houston, texasmodification services that are designed to improve the growth and health of plants, trees, and other plants in your garden. We also offer a variety of consultation services that can help you determine the best soil modification techniques for your specific situation. Contact us today to learn more about our soil modification services in Houston, TX.

    ReplyDelete
  47. Then we will be really going for it and using a Rainbow Table attack to crack the password. This is one of my favorite exercises, as every piece of malware/exploit ever has been cracked with rainbow tables [7]! We can see that Bettercap only runs on Windows XP (Vista not supported yet), so you will have no problem setting up your lab environmentWindows systems the Bettercap options dialog looks like this: [image] Now looking through our captured network data by examining.

    ReplyDelete
  48. It's very interesting. And it's fun. This is a timeless article. I also write articles related to , and I run a community related to 메이저사이트. For more information, please feel free to visit !!

    ReplyDelete
  49. A natural aphrodisiac performance honey that gives you energy and relief from erectile dysfunction and enhances both female arousal and male performance

    ReplyDelete
  50. Hasten Chemical is a team of professionals who work to maximize the bottom line results of its clients. As a wholesaler of chemical products, Hasten provides unconditional commitment to excellence in quality, that will provide consistent results, and make us the partner of choice to help produce and maintain growth of Products and Service Companies.
    Fly Ash in Huston

    ReplyDelete
  51. I like reading through an article that can make people think. Also, thank you for permitting me to comment!

    ReplyDelete
  52. This is the perfect web site for anybody who really wants to find out about this topic. You understand a whole lot its almost tough to argue with you (not that I really would want to?HaHa). You definitely put a new spin on a topic that's been discussed for many years. Excellent stuff, just excellent!

    ReplyDelete
  53. After checking out a number of the blog articles on your site, I really appreciate your way of blogging. I saved as a favorite it to my bookmark site list and will be checking back soon. Please check out my website too and tell me how you feel.

    ReplyDelete
  54. Nice post. I learn something totally new and challenging on websites I stumbleupon every day. It's always exciting to read content from other authors and use a little something from their web sites.

    ReplyDelete
  55. kali linus is the best ever hacking tool, i consider kali llinux along with the best car towing near me service which is available at cheap value.

    ReplyDelete
  56. It?s hard to find educated people about this topic, but you sound like you know what you?re talking about! Thanks

    ReplyDelete
  57. The very next time I read a blog, I hope that it does not fail me as much as this particular one. I mean, I know it was my choice to read through, nonetheless I truly thought you'd have something helpful to talk about. All I hear is a bunch of whining about something that you could fix if you were not too busy looking for attention.

    ReplyDelete
  58. I'm extremely pleased to uncover this site. I wanted to thank you for your time for this wonderful read!! I definitely liked every little bit of it and i also have you book-marked to check out new information in your website.

    ReplyDelete
  59. I must thank you for the efforts you have put in writing this blog. I'm hoping to view the same high-grade blog posts from you later on as well. In truth, your creative writing abilities has inspired me to get my very own website now ;)

    ReplyDelete

  60. This website was... how do you say it? Relevant!! Finally I have found something which helped me. Cheers!

    ReplyDelete
  61. Great information. Lucky me I ran across your site by accident (stumbleupon). I have book marked it for later!

    ReplyDelete
  62. Everyone loves it when people come together and share opinions. Great blog, continue the good work!

    ReplyDelete
  63. I absolutely love your blog.. Excellent colors & theme. Did you build this amazing site yourself? Please reply back as I?m attempting to create my own site and would like to learn where you got this from or what the theme is named. Thanks!

    ReplyDelete
  64. This is a topic which is near to my heart... Many thanks! Exactly where are your contact details though?

    ReplyDelete

  65. Can I simply just say what a relief to discover an individual who really knows what they're talking about over the internet. You certainly know how to bring a problem to light and make it important. A lot more people really need to check this out and understand this side of your story. It's surprising you aren't more popular since you certainly possess the gift.

    ReplyDelete
  66. A fascinating discussion is worth comment. I do believe that you should publish more about this subject, it might not be a taboo matter but typically people don't speak about these topics. To the next! All the best!!

    ReplyDelete
  67. Hello there! I just would like to offer you a big thumbs up for the excellent information you've got right here on this post. I'll be returning to your site for more soon.

    ReplyDelete
  68. After I originally commented I appear to have clicked on the -Notify me when new comments are added- checkbox and from now on every time a comment is added I get 4 emails with the same comment. There has to be an easy method you are able to remove me from that service? Kudos!

    ReplyDelete
  69. Besides having the countless websites offering online assignments for students, here are the reasons why you should choose us.

    ReplyDelete

© Kali Tutorials, 2016. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Shashwat Chaudhary and Kali Tutorials with appropriate and specific direction to the original content.
Bitcoin: 1B5aLqJcMW7zznffTxQwta8JTZsxBDPguC