Tuesday, December 6, 2016

Bettercap : MITM attack for sniffing traffic and passwords


  • Installation
  • Sniffing Traffic
  • Getting password
We will be installing Bettercap, doing a quick sniffing exercise, and then a more detailed section on grabbing the password. Will demonstrate the password grabbing on outlook.com, which seems to be particularly vulnerable to this attack.

Installing bettercap

Installation is simple-
apt-get update
apt-get dist-upgrade
apt-get install bettercap
The above three commands will leave you with latest versions of Kali and bettercap.

PS: I am writing this tutorial from a location with slow internet connection, and hence didn't perform the dist-upgrade step. However, bettercap seems to be running mostly fine. There may be a few difference in what you observe and what I show in this demo due to this difference in versions. For those who want to know the versions of various utilities that I'm using, take a look below. If you are unfamiliar with Linux, you're best off using the latest versions of everything, which can be obtained by running the three commands I mentioned earlier.

new@kali:~$ uname -a
Linux kali 4.7.0-kali1-amd64 #1 SMP Debian 4.7.6-1kali1 (2016-10-17) x86_64 GNU/Linux

new@kali:~$ bettercap -v
bettercap 1.5.8

new@kali:~$ ruby -v
ruby 2.3.1p112 (2016-04-26) [x86_64-linux-gnu]

Not on Kali?

The readme on github repository of bettercap is quite comprehensive, and would help you install bettercap on most linux distributions. After installation the process should be same for Kali or any other Linux distribution.

Sniffing Traffic

There's nothing special about the usual sniffing traffic functionailty of bettercap. Bettercap can easily performing sniffing on your local area network. It also lets you write the output to a pcap file and later analyze it with WireShark or some other tool of your choice. I'll just give a simple demo here. The real fun is in the capturing passwords section.

Run the command-
bettercap --sniffer
Sniffing traffic: Screenshot shows my lenovo smartphone's
requests to truecaller being sniffed

 You'll see all the websites being visited by all the devices on the network. Press ctrl+c to stop.

Take a look at the help manual for more commands, or read the wonderful documentation.

Internet stopped working

There are plenty of open issues on the github page of bettercap. The one problem I faced was that after bettercap had finished running, the internet connection on the attacker machine (Kali) would be killed. I fixed it by simply turning restarting the wlan0 interface (turn it off and on from the gui or use ifconfig commands). Some people reported that Bettercap killed internet connection for all hosts. If you face a different issue, take a look here and see if you can find a solution.

Capturing passwords

The fun part lies here. Bettercap uses sslstrip to change https webpages to simple http ones, which ensures that the passwords are transferred in clear text, and you can read them without any issues. I will be targeting my lenovo phone from my Kali machine. First, you must find the IP of your target. This can be done by simply running bettercap and waiting for all machines on your network to show up. Once they do, you can identify the one you're trying to attack, and note it's IP. Then use this IP as the target IP. Let's look at the steps first.
PS: I'm assuming you connected to the network you are attacking using the wlan0 interface. If not, specify your interface using the -I option.

  1. Run the command bettercap on the terminal
  2. Wait for bettercap to acquire targets.
  3. When bettercap discovers the target you're looking for, note down it's IP address. Let's call it TARGET_IP.
  4. Press ctrl+c to stop bettercap (if internet connectivity is lost, as was in my case, restart your wlan0 interface)
  5. Run this command - bettercap -T TARGET_IP --proxy -P POST (replace TARGET_IP with the appropriate IP)
In  my case, my target was my Lenovo smartphone. It was detected by bettercap,
and i noted down it's IP. is what I'll use as my TARGET_IP
Now your attacker machine is ready and listening for traffic on the network. Once your victim opens any login page, bettercap will use sslstrip to remove the https from the URL, and once the target enters his/her login credentials, you will see them in cleartext.

Let's look at a demo run of the above procedure.

Capturing passwords entered on Outlook by smartphone user on same LAN/WLAN

This section is simply going to be a set of pictures with captions below them explaining stuff. It should be easy to follow I hope.

Starting bettercap using the command I specified earlier.
Then I proceed to open outlook.com on my smartphone
SSLStrip detects that I'm trying to access outlook, removes the https from the page
This is the login page that my smartphone sees. Notice the address in the URL.
This is what the address should look like, with HTTPS. The URL on the smartphone lacks
HTTPS, and has extra Ws in www. I enter the username here. Meanwhile,
bettercap detected that username was entered and shows that to me. 

Bettercap shows me the username. In the smartphone, I am at the password stage after entering username.

I now enter the password. Let's see what happens on the attacker machine
I entered the password as "wrongpass" on my smartphone, and
bettercap is able to detect it.


From this test run, here are the limitations of the tool that I observed-
  1. The biggest problem - It does not work on all sites. Before trying outlook, I tried to see if I could carry out this MITM attack over Facebook, Gmail, Twitter, etc. Unfortunately, I wasn't able to. It only seems to work with some websites.
  2. The difference in the URL if easily visible. Anyone who knows what https is, will notice the lack of it. I, for one, would never enter my credentials on an http page.The extra Ws in the www don't help eitheir.
  3. The tool isn't perfect. There are a few bugs.
Update : Giorgio's comment on the tutorial addresses the first and the third issues. The reason why Facebook and Gmail don't give in to the attack is because they don't have an http version of their websites. Bettercap can't force Facebook to replace it's https page with an http one, simply because there is no http version of Facebook. Secondly, Yahoo looks buggy because it's CSS files (ones hostel by google) are served over https, and an attempt to get an http version would yield nothing, since http versions aren't available. Hence, the CSS files are missing, and while the parts of the page which operate over http load well, the ones which are exclusively https do not.

Facebook seems immune to the attack
Yahoo's response is buggy, but you'll notice
that sslstrip did it's job, the page is regular http now
The tutorial ends here, a few personal insights ahead, not very important.

How to be safe

This demo must scare you. I, for one, wasn't sure if this tool would work at all. However, it did work very well with outlook, and somewhat worked with yahoo as well (not shown in demo). Facebook and Gmail seem to be immune to it, but I didn't really try hard to get them, and after writing this post, I'll try to see if I can get the tool to grab Facebook and gmail logins as well. Regardless, we see how easy it can be for someone to grab your credentials if they are on the same network as you. So how can you be safe?

Here are some pointers-
  1. Never enter your credentials on a non-https page. Also, if there's some flaw with the https, your browser usually will point that out to you. 
  2. Be extra careful on public wireless networks.

By clicking on details, you can see exactly how your connection to
a website is encrypted.
Chrome provides detailed breakdown of the cipher used and the validity of certificate

Things to do

This tutorial is supposed to serve as an introduction to sniffing, MITM and bettercap. I have observed that posts with too much theory don't perform too well, so I just demonstrated the functionality of the tool. However, this was a very basic exercise, and for both me you, there are things to do-

  1. Try other functionalities offered by this tool.
  2. Try to get it to work with Facebook and Gmail. I'll have to approach facebook and Gmail in a different manner, read the comment by Giorgio below for more information.
If I am able to get it to work with Facebook/Gmail, I'll write another tutorial, showing you how you can do it too.


  1. Thank you for thia guide and for this blog: I hope that many people will read it and learn about the basics of IT security.
    I think what prevents this attack on Google, Facebook (not sure about twotter) and some other sites is that they only accept protected (https) connections. They simply don't have an http version, so you cannot connect to them via plain http.
    My guess about the Yahoo thing instead is that they make use of Google-hosted css/js (like Google fonts). Those files are served through https and in experience trying to access them via http will result in an error being thrown, therefore when you force yahoo to use http you prevent those files from loading.
    I don't know if this could be feasible, but depending on how Bettercap was implemented it could be possible to add a whitelist of sites which should be left with https.

    1. Thank you for the valuable insights.

      I was able to realize from Yahoo's appearance that it's CSS file(s) failed to loaded, and suspected something along the lines of what you said.

      However, I had no clue why Facebook and Gmail wouldn't bulge. Your answer makes perfect sense. If they don't have an http version, there's nothing that bettercap/sslstrip can do to make them serve one. A simple yet elegant solution.

      Next step for me would be to replace the Facebook login page with my phishing page. I did something along those lines in an earlier tutorial (2 years ago - http://www.kalitutorials.net/2014/05/social-engineering-toolkit-kali.html), but let me see if I can get my phishing page to open if one types in facebook.com in the URL bar (instead of the IP of my attacker machine, as was the case in the aforementioned tutorial).

      I do not yet code in Ruby, but will try to look at Bettercap's source code on Github and see if I can understand how it works, maybe even contribute to it.

    2. Phishing is a really strong weapon, however if you redirect the victim to your fake page then there is no need to run bettercap nor sslstrip anymore as he would be sending data directly to you anyway.
      As far as Facebook.com instead of the IP address you should look into DNS spoofing, it'quite messy to make it work, but extremely effective if you manage to do it.

    3. I'll look into DNS spoofing, that seems to be quite an interesting topic at first glance.

      However, I was thinking about using ARP spoofing/ ARP poisoning (what bettercap does). That seems to be quite straightforward and works without many issues.

      Let me elaborate on what I intent to do.

      What I (or bettercap :) ) did in this tutorial puts us in a position where the victim machine thinks that the attacker machine is the router and hence sends requests to the attacker machine for fetching web pages from the internet. The attacker then forwards the request to the router, get the response and returns the response back to the victim. In this way, we have sniffed all the traffic, by ensuring it passes through us.

      But, rather than harmless sniffing, we could modify things as well. Instead of forwarding the request to the router, we could return whatever web page we please (a local phishing page for example). I think the browser on the victim will complain about untrusted certificates, but apart from that, this seems to be doable.

    4. sslstrip can maintain upstream HTTPS connections between attacker > real service, then relay the data onto the victim/test machine via HTTP; in this way, content only available upstream via HTTPS (be it CSS or an entire site) can still be represented as HTTP on the victim/test machine.

      The only issue you will face here is the 'On Ramp' so to speak. SSLStrip needs to see a cleartext page with a link to a HTTPS page (or a login form etc) that it can re-write to HTTP (even though SSLStrip with keep the attacker>service connection HTTPS). It may not do this out of the box, but www.facebook.com DOES provide a response, a simple redirect to HTTPS://www.facebook.com, so in theory you could have your MITM proxy simply return the 200OK + Content it's pulled from the https upstream facebook, direct to the user as HTTP, rather than the redirect.

  2. Giorgio, I found your insight and knowledge on this matter to be most enlightening. I followed your instructions to the tee and I was very impressed by the results. I'm a simple script kiddy; but in my defense the best way to learn is to do. I also read up on some of the basics you linked in this thread, thank you again for that.

    Shashwat Chaudhary, I'd really like to learn more about phishing and other forms of social hacking. Any response would be greatly appreciated.

    1. My winter semester has started but I'll try to post more on social engineering soon. Also, sorry for the late response, your comment was wrongly marked as spam.

  3. i cant install bettercap i have vm ware player in which i use kali but when i enter the commands you gave it just says nable to locate package

    1. IEEE Project Domain management in software engineering is distinct from traditional project deveopment in that software projects have a unique lifecycle process that requires multiple rounds of testing, updating, and faculty feedback. A IEEE Domain project Final Year Projects for CSE system development life cycle is essentially a phased project model that defines the organizational constraints of a large-scale systems project. The methods used in a IEEE DOmain Project systems development life cycle strategy Project Centers in India provide clearly defined phases of work to plan, design, test, deploy, and maintain information systems.

      This is enough for me. I want to write software that anyone can use, and virtually everyone who has an internet connected device with a screen can use apps written in JavaScript. JavaScript Training in Chennai JavaScript was used for little more than mouse hover animations and little calculations to make static websites feel more interactive. Let’s assume 90% of all websites using JavaScript use it in a trivial way. That still leaves 150 million substantial JavaScript Training in Chennai JavaScript applications.

  4. sir please lecture in Backtrack 5
    what is Backtrack 5 ?
    sir you have facebook account if you have please add me

    1. Backtrack is the version before kali linux. And Backtrack 5 is the last one of backtrack series. Kali Linux is the latest one

  5. is it possible to get encrypted password from facebook? It would be okay for me to crack that...

    1. Are you sure you would decrypt fb password? That's not possible i think.

  6. Wow great article,Any undetectable method you have which bypaas the webhosting security.

  7. I got this error, any ideas?

    [I] [ > DNS] Received request for 'wwwww.outlook.live.com.home', sending spoofed reply 2620:1ec:21::11 ...
    [W] [DNS] cannot interpret as IPv4 address: "2620:1ec:21::11"

  8. how to use this techinque in wan

  9. I havent any word to appreciate this post.....Really i am impressed from this post....the person who create this post it was a great human..thanks for shared this with us.
    raleigh traffic ticket attorney

  10. Hey man.. you should consider to delete hexadecimal values too
    chaueharyshashwat@gmail.com, right?

  11. thanks love you a hero hacker

  12. This is a really decent site post. Not very numerous individuals would really, the way you simply did. I am truly awed that there is such a great amount of data about this subject have been revealed and you've given a valiant effort, with so much class. In the event that needed to know more about green smoke audits, than by all methods come in and check our stuff. Easy Traffic School Online California for Traffic Tickets

  13. A debt of gratitude is in order for sharing us. best backlinks

  14. Courses for moral hacking have turned out to be broadly famous and many are taking it up as a genuine calling.Try this

  15. Hi, nice and useful tutorial but I have Bettercap version v2.26.1 and the command
    - bettercap -T TARGET_IP --proxy -P POST
    does not work, this is the error I am getting
    flag provided but not defined: -target
    Usage of bettercap:
    -autostart string
    Comma separated list of modules to auto start. (default "events.stream")

    It seems ,a ccording to the github site project that "those flags from the legacy version which is no longer supported."
    So what is the replacement for this command? Thanks in advance

  16. I’ve been surfing online more than 5 hours today, yet I never found any interesting article like yours without a doubt. It’s pretty worth enough for me. Thanks... Traffic secrets

  17. For a large portion of us, our first prologue to driving came from our secondary school driver's schooling courses - those week by week classes instructed in stodgy study halls where the risks of the street were penetrated into our psyches. traffic school

  18. This is my first time i visit here. I found so many interesting stuff in your blog especially its discussion. From the tons of comments on your articles, I guess I am not the only one having all the enjoyment here keep up the good work Traffic ticket attorney

  19. Took me time to read all the comments, but I really enjoyed the article. It proved to be Very helpful to me and I am 온라인카지노 sure to all the commenters here! It’s always nice when you can not only be informed, but also entertained!

  20. 바카라사이트 Nice post! This is a very nice blog that I will definitively come back to more times this year! Thanks for informative post

  21. 스포츠토토 I constantly spent my half an hour to read this web site’s content daily along with a cup
    of coffee.

  22. 토토사이트 Having read this I believed it was extremely enlightening. I appreciate
    you spending some time and effort to put this short article together.
    I once again find myself personally spending a significant amount of
    time both reading and posting comments. But so what, it was still worth it!


© Kali Tutorials, 2016. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Shashwat Chaudhary and Kali Tutorials with appropriate and specific direction to the original content.
Bitcoin: 1B5aLqJcMW7zznffTxQwta8JTZsxBDPguC