Tuesday, December 6, 2016

Bettercap : MITM attack for sniffing traffic and passwords


  • Installation
  • Sniffing Traffic
  • Getting password
We will be installing Bettercap, doing a quick sniffing exercise, and then a more detailed section on grabbing the password. Will demonstrate the password grabbing on outlook.com, which seems to be particularly vulnerable to this attack.

Installing bettercap

Installation is simple-
apt-get update
apt-get dist-upgrade
apt-get install bettercap
The above three commands will leave you with latest versions of Kali and bettercap.

PS: I am writing this tutorial from a location with slow internet connection, and hence didn't perform the dist-upgrade step. However, bettercap seems to be running mostly fine. There may be a few difference in what you observe and what I show in this demo due to this difference in versions. For those who want to know the versions of various utilities that I'm using, take a look below. If you are unfamiliar with Linux, you're best off using the latest versions of everything, which can be obtained by running the three commands I mentioned earlier.

new@kali:~$ uname -a
Linux kali 4.7.0-kali1-amd64 #1 SMP Debian 4.7.6-1kali1 (2016-10-17) x86_64 GNU/Linux

new@kali:~$ bettercap -v
bettercap 1.5.8

new@kali:~$ ruby -v
ruby 2.3.1p112 (2016-04-26) [x86_64-linux-gnu]

Not on Kali?

The readme on github repository of bettercap is quite comprehensive, and would help you install bettercap on most linux distributions. After installation the process should be same for Kali or any other Linux distribution.

Sniffing Traffic

There's nothing special about the usual sniffing traffic functionailty of bettercap. Bettercap can easily performing sniffing on your local area network. It also lets you write the output to a pcap file and later analyze it with WireShark or some other tool of your choice. I'll just give a simple demo here. The real fun is in the capturing passwords section.

Run the command-
bettercap --sniffer
Sniffing traffic: Screenshot shows my lenovo smartphone's
requests to truecaller being sniffed

 You'll see all the websites being visited by all the devices on the network. Press ctrl+c to stop.

Take a look at the help manual for more commands, or read the wonderful documentation.

Internet stopped working

There are plenty of open issues on the github page of bettercap. The one problem I faced was that after bettercap had finished running, the internet connection on the attacker machine (Kali) would be killed. I fixed it by simply turning restarting the wlan0 interface (turn it off and on from the gui or use ifconfig commands). Some people reported that Bettercap killed internet connection for all hosts. If you face a different issue, take a look here and see if you can find a solution.

Capturing passwords

The fun part lies here. Bettercap uses sslstrip to change https webpages to simple http ones, which ensures that the passwords are transferred in clear text, and you can read them without any issues. I will be targeting my lenovo phone from my Kali machine. First, you must find the IP of your target. This can be done by simply running bettercap and waiting for all machines on your network to show up. Once they do, you can identify the one you're trying to attack, and note it's IP. Then use this IP as the target IP. Let's look at the steps first.
PS: I'm assuming you connected to the network you are attacking using the wlan0 interface. If not, specify your interface using the -I option.

  1. Run the command bettercap on the terminal
  2. Wait for bettercap to acquire targets.
  3. When bettercap discovers the target you're looking for, note down it's IP address. Let's call it TARGET_IP.
  4. Press ctrl+c to stop bettercap (if internet connectivity is lost, as was in my case, restart your wlan0 interface)
  5. Run this command - bettercap -T TARGET_IP --proxy -P POST (replace TARGET_IP with the appropriate IP)
In  my case, my target was my Lenovo smartphone. It was detected by bettercap,
and i noted down it's IP. is what I'll use as my TARGET_IP
Now your attacker machine is ready and listening for traffic on the network. Once your victim opens any login page, bettercap will use sslstrip to remove the https from the URL, and once the target enters his/her login credentials, you will see them in cleartext.

Let's look at a demo run of the above procedure.

Capturing passwords entered on Outlook by smartphone user on same LAN/WLAN

This section is simply going to be a set of pictures with captions below them explaining stuff. It should be easy to follow I hope.

Starting bettercap using the command I specified earlier.
Then I proceed to open outlook.com on my smartphone
SSLStrip detects that I'm trying to access outlook, removes the https from the page
This is the login page that my smartphone sees. Notice the address in the URL.
This is what the address should look like, with HTTPS. The URL on the smartphone lacks
HTTPS, and has extra Ws in www. I enter the username here. Meanwhile,
bettercap detected that username was entered and shows that to me. 

Bettercap shows me the username. In the smartphone, I am at the password stage after entering username.

I now enter the password. Let's see what happens on the attacker machine
I entered the password as "wrongpass" on my smartphone, and
bettercap is able to detect it.


From this test run, here are the limitations of the tool that I observed-
  1. The biggest problem - It does not work on all sites. Before trying outlook, I tried to see if I could carry out this MITM attack over Facebook, Gmail, Twitter, etc. Unfortunately, I wasn't able to. It only seems to work with some websites.
  2. The difference in the URL if easily visible. Anyone who knows what https is, will notice the lack of it. I, for one, would never enter my credentials on an http page.The extra Ws in the www don't help eitheir.
  3. The tool isn't perfect. There are a few bugs.
Update : Giorgio's comment on the tutorial addresses the first and the third issues. The reason why Facebook and Gmail don't give in to the attack is because they don't have an http version of their websites. Bettercap can't force Facebook to replace it's https page with an http one, simply because there is no http version of Facebook. Secondly, Yahoo looks buggy because it's CSS files (ones hostel by google) are served over https, and an attempt to get an http version would yield nothing, since http versions aren't available. Hence, the CSS files are missing, and while the parts of the page which operate over http load well, the ones which are exclusively https do not.

Facebook seems immune to the attack
Yahoo's response is buggy, but you'll notice
that sslstrip did it's job, the page is regular http now
The tutorial ends here, a few personal insights ahead, not very important.

How to be safe

This demo must scare you. I, for one, wasn't sure if this tool would work at all. However, it did work very well with outlook, and somewhat worked with yahoo as well (not shown in demo). Facebook and Gmail seem to be immune to it, but I didn't really try hard to get them, and after writing this post, I'll try to see if I can get the tool to grab Facebook and gmail logins as well. Regardless, we see how easy it can be for someone to grab your credentials if they are on the same network as you. So how can you be safe?

Here are some pointers-
  1. Never enter your credentials on a non-https page. Also, if there's some flaw with the https, your browser usually will point that out to you. 
  2. Be extra careful on public wireless networks.

By clicking on details, you can see exactly how your connection to
a website is encrypted.
Chrome provides detailed breakdown of the cipher used and the validity of certificate

Things to do

This tutorial is supposed to serve as an introduction to sniffing, MITM and bettercap. I have observed that posts with too much theory don't perform too well, so I just demonstrated the functionality of the tool. However, this was a very basic exercise, and for both me you, there are things to do-

  1. Try other functionalities offered by this tool.
  2. Try to get it to work with Facebook and Gmail. I'll have to approach facebook and Gmail in a different manner, read the comment by Giorgio below for more information.
If I am able to get it to work with Facebook/Gmail, I'll write another tutorial, showing you how you can do it too.


  1. Thank you for thia guide and for this blog: I hope that many people will read it and learn about the basics of IT security.
    I think what prevents this attack on Google, Facebook (not sure about twotter) and some other sites is that they only accept protected (https) connections. They simply don't have an http version, so you cannot connect to them via plain http.
    My guess about the Yahoo thing instead is that they make use of Google-hosted css/js (like Google fonts). Those files are served through https and in experience trying to access them via http will result in an error being thrown, therefore when you force yahoo to use http you prevent those files from loading.
    I don't know if this could be feasible, but depending on how Bettercap was implemented it could be possible to add a whitelist of sites which should be left with https.

    1. Thank you for the valuable insights.

      I was able to realize from Yahoo's appearance that it's CSS file(s) failed to loaded, and suspected something along the lines of what you said.

      However, I had no clue why Facebook and Gmail wouldn't bulge. Your answer makes perfect sense. If they don't have an http version, there's nothing that bettercap/sslstrip can do to make them serve one. A simple yet elegant solution.

      Next step for me would be to replace the Facebook login page with my phishing page. I did something along those lines in an earlier tutorial (2 years ago - http://www.kalitutorials.net/2014/05/social-engineering-toolkit-kali.html), but let me see if I can get my phishing page to open if one types in facebook.com in the URL bar (instead of the IP of my attacker machine, as was the case in the aforementioned tutorial).

      I do not yet code in Ruby, but will try to look at Bettercap's source code on Github and see if I can understand how it works, maybe even contribute to it.

    2. Phishing is a really strong weapon, however if you redirect the victim to your fake page then there is no need to run bettercap nor sslstrip anymore as he would be sending data directly to you anyway.
      As far as Facebook.com instead of the IP address you should look into DNS spoofing, it'quite messy to make it work, but extremely effective if you manage to do it.

    3. I'll look into DNS spoofing, that seems to be quite an interesting topic at first glance.

      However, I was thinking about using ARP spoofing/ ARP poisoning (what bettercap does). That seems to be quite straightforward and works without many issues.

      Let me elaborate on what I intent to do.

      What I (or bettercap :) ) did in this tutorial puts us in a position where the victim machine thinks that the attacker machine is the router and hence sends requests to the attacker machine for fetching web pages from the internet. The attacker then forwards the request to the router, get the response and returns the response back to the victim. In this way, we have sniffed all the traffic, by ensuring it passes through us.

      But, rather than harmless sniffing, we could modify things as well. Instead of forwarding the request to the router, we could return whatever web page we please (a local phishing page for example). I think the browser on the victim will complain about untrusted certificates, but apart from that, this seems to be doable.

    4. sslstrip can maintain upstream HTTPS connections between attacker > real service, then relay the data onto the victim/test machine via HTTP; in this way, content only available upstream via HTTPS (be it CSS or an entire site) can still be represented as HTTP on the victim/test machine.

      The only issue you will face here is the 'On Ramp' so to speak. SSLStrip needs to see a cleartext page with a link to a HTTPS page (or a login form etc) that it can re-write to HTTP (even though SSLStrip with keep the attacker>service connection HTTPS). It may not do this out of the box, but www.facebook.com DOES provide a response, a simple redirect to HTTPS://www.facebook.com, so in theory you could have your MITM proxy simply return the 200OK + Content it's pulled from the https upstream facebook, direct to the user as HTTP, rather than the redirect.

  2. Giorgio, I found your insight and knowledge on this matter to be most enlightening. I followed your instructions to the tee and I was very impressed by the results. I'm a simple script kiddy; but in my defense the best way to learn is to do. I also read up on some of the basics you linked in this thread, thank you again for that.

    Shashwat Chaudhary, I'd really like to learn more about phishing and other forms of social hacking. Any response would be greatly appreciated.

    1. My winter semester has started but I'll try to post more on social engineering soon. Also, sorry for the late response, your comment was wrongly marked as spam.

  3. i cant install bettercap i have vm ware player in which i use kali but when i enter the commands you gave it just says nable to locate package

    1. IEEE Project Domain management in software engineering is distinct from traditional project deveopment in that software projects have a unique lifecycle process that requires multiple rounds of testing, updating, and faculty feedback. A IEEE Domain project Final Year Projects for CSE system development life cycle is essentially a phased project model that defines the organizational constraints of a large-scale systems project. The methods used in a IEEE DOmain Project systems development life cycle strategy Project Centers in India provide clearly defined phases of work to plan, design, test, deploy, and maintain information systems.

      This is enough for me. I want to write software that anyone can use, and virtually everyone who has an internet connected device with a screen can use apps written in JavaScript. JavaScript Training in Chennai JavaScript was used for little more than mouse hover animations and little calculations to make static websites feel more interactive. Let’s assume 90% of all websites using JavaScript use it in a trivial way. That still leaves 150 million substantial JavaScript Training in Chennai JavaScript applications.

  4. sir please lecture in Backtrack 5
    what is Backtrack 5 ?
    sir you have facebook account if you have please add me

    1. Backtrack is the version before kali linux. And Backtrack 5 is the last one of backtrack series. Kali Linux is the latest one

  5. is it possible to get encrypted password from facebook? It would be okay for me to crack that...

    1. Are you sure you would decrypt fb password? That's not possible i think.

  6. Wow great article,Any undetectable method you have which bypaas the webhosting security.

  7. I got this error, any ideas?

    [I] [ > DNS] Received request for 'wwwww.outlook.live.com.home', sending spoofed reply 2620:1ec:21::11 ...
    [W] [DNS] cannot interpret as IPv4 address: "2620:1ec:21::11"

  8. how to use this techinque in wan

  9. I havent any word to appreciate this post.....Really i am impressed from this post....the person who create this post it was a great human..thanks for shared this with us.
    raleigh traffic ticket attorney

  10. Hey man.. you should consider to delete hexadecimal values too
    chaueharyshashwat@gmail.com, right?

  11. thanks love you a hero hacker

  12. This is a really decent site post. Not very numerous individuals would really, the way you simply did. I am truly awed that there is such a great amount of data about this subject have been revealed and you've given a valiant effort, with so much class. In the event that needed to know more about green smoke audits, than by all methods come in and check our stuff. Easy Traffic School Online California for Traffic Tickets

  13. A debt of gratitude is in order for sharing us. best backlinks

  14. Courses for moral hacking have turned out to be broadly famous and many are taking it up as a genuine calling.Try this

  15. Hi, nice and useful tutorial but I have Bettercap version v2.26.1 and the command
    - bettercap -T TARGET_IP --proxy -P POST
    does not work, this is the error I am getting
    flag provided but not defined: -target
    Usage of bettercap:
    -autostart string
    Comma separated list of modules to auto start. (default "events.stream")

    It seems ,a ccording to the github site project that "those flags from the legacy version which is no longer supported."
    So what is the replacement for this command? Thanks in advance

  16. I’ve been surfing online more than 5 hours today, yet I never found any interesting article like yours without a doubt. It’s pretty worth enough for me. Thanks... Traffic secrets

  17. For a large portion of us, our first prologue to driving came from our secondary school driver's schooling courses - those week by week classes instructed in stodgy study halls where the risks of the street were penetrated into our psyches. traffic school

  18. This is my first time i visit here. I found so many interesting stuff in your blog especially its discussion. From the tons of comments on your articles, I guess I am not the only one having all the enjoyment here keep up the good work Traffic ticket attorney

  19. Took me time to read all the comments, but I really enjoyed the article. It proved to be Very helpful to me and I am 온라인카지노 sure to all the commenters here! It’s always nice when you can not only be informed, but also entertained!

  20. 바카라사이트 Nice post! This is a very nice blog that I will definitively come back to more times this year! Thanks for informative post

  21. 스포츠토토 I constantly spent my half an hour to read this web site’s content daily along with a cup
    of coffee.

  22. 토토사이트 Having read this I believed it was extremely enlightening. I appreciate
    you spending some time and effort to put this short article together.
    I once again find myself personally spending a significant amount of
    time both reading and posting comments. But so what, it was still worth it!

  23. I like what you guys are usually up too. This kind of clever work and coverage! Keep up the very good works guys I’ve incorporated you guys to blogroll.

  24. I am so happy to read this. This is the kind of manual that needs to be given and not the random misinformation that’s at the other blogs. Appreciate your sharing this greatest doc. 메이저토토

  25. Hello, I am one of the most impressed people in your article. sòng bạc I'm very curious about how you write such a good article. Are you an expert on this subject? I think so. Thank you again for allowing me to read these posts, and have a nice day today. Thank you.

  26. My Instagram account got hacked and I was looking for a way to restore it but couldn’t find much from this post as well. I especially took the PhD Qualitative Data Analysis Help because I couldn’t focus on writing my project and decided to take help from professional writers instead.

  27. MetàMask Lògin is a cryptocurrency handbag which can be used on the Chrome, Firefox as well as Brave browsers. It’s likewise a browser extension. metamask login | metamask wallet | metamask extension

  28. Except for public lawyers, every lawyer practicing self-employment must be registered with the bar association in the province where they are located. Ankara avukat

  29. I have looked couple of days and discovered some spellbinding formed work on it. In any case, it is the best of all. How to start a credit card processing ISO

  30. I had a lot of fun at this Olympics, but something was missing. I hope there's an audience next time.안전토토사이트

  31. If any hacker tries to attack any business website, it will be very dangerous because all the keywords of this site will come down from google ranking. I am worried about this news, and I don't understand what I want to comment on. dissertation writing services

  32. Very detailed information about man in the middle attack. now i know how to protect myself even more. Special thanks to the author who put this much effort into writing this blog.
    I usually use Content Writing Services UK for all my content writing needs.

  33. Hey friend, it is very well written article, thank you for the valuable and useful information you provide in this post. Keep up the good work! FYI, shih tzu hair products , axis bank magnus credit card, a thousand splendid suns pdf,10 Lines on Myself In English

  34. By telling us how to learn these tactics, we can greatly improve our knowledge. Buy Law essay writing to know about legal service and many assignments related to your needs.

  35. Awesome blog. I enjoyed reading your articles. This is truly a great read for me. I have bookmarked it and I am looking forward to reading new articles. Keep up the good work!

  36. Very fascinating story, it is difficult to find interesting and relevant content among blogs now
    Site : Johnny Red Cobra Kai Jacket

  37. Thank you for sharing this article also check out Nursing Essay Writing Service Australia contact us for more information.

  38. I really enjoyed this blog post, thank you for sharing it. I’ll return for more. See you soon! 먹튀검증

  39. This paragraph will help the internet visitors for building up new web site or even a weblog from start to end. 온라인경마

  40. This is very interesting, You are a very skilled blogger. 토토

  41. If you're in need of Edmonton foundation repair , look no further than Rammafoundation! Our experienced staff will work diligently to restore your skin to its former glory, no matter what the cause. From mild to severe cases of foundation failure, we have the expertise and equipment to get the job done right. Contact us today to schedule a consultation!

  42. Skills are becoming very important with each passing day in this world. The parents should concentrate on development of several skills in their children. Toy games like building blocks offer learning of such skills. Kids can polish their problem solving and puzzle solving skills through this. It is a great learning opportunity.

  43. Looking for soil modification services in Houston, TX? Hastencontracting is here to serve! We provide a wide range of soil SOIL MODIFICATION in houston, texasmodification services that are designed to improve the growth and health of plants, trees, and other plants in your garden. We also offer a variety of consultation services that can help you determine the best soil modification techniques for your specific situation. Contact us today to learn more about our soil modification services in Houston, TX.

  44. Then we will be really going for it and using a Rainbow Table attack to crack the password. This is one of my favorite exercises, as every piece of malware/exploit ever has been cracked with rainbow tables [7]! We can see that Bettercap only runs on Windows XP (Vista not supported yet), so you will have no problem setting up your lab environmentWindows systems the Bettercap options dialog looks like this: [image] Now looking through our captured network data by examining.

  45. It's very interesting. And it's fun. This is a timeless article. I also write articles related to , and I run a community related to 메이저사이트. For more information, please feel free to visit !!

  46. A natural aphrodisiac performance honey that gives you energy and relief from erectile dysfunction and enhances both female arousal and male performance

  47. Hasten Chemical is a team of professionals who work to maximize the bottom line results of its clients. As a wholesaler of chemical products, Hasten provides unconditional commitment to excellence in quality, that will provide consistent results, and make us the partner of choice to help produce and maintain growth of Products and Service Companies.
    Fly Ash in Huston

  48. I like reading through an article that can make people think. Also, thank you for permitting me to comment!

  49. This is the perfect web site for anybody who really wants to find out about this topic. You understand a whole lot its almost tough to argue with you (not that I really would want to?HaHa). You definitely put a new spin on a topic that's been discussed for many years. Excellent stuff, just excellent!

  50. After checking out a number of the blog articles on your site, I really appreciate your way of blogging. I saved as a favorite it to my bookmark site list and will be checking back soon. Please check out my website too and tell me how you feel.

  51. Nice post. I learn something totally new and challenging on websites I stumbleupon every day. It's always exciting to read content from other authors and use a little something from their web sites.

  52. kali linus is the best ever hacking tool, i consider kali llinux along with the best car towing near me service which is available at cheap value.

  53. It?s hard to find educated people about this topic, but you sound like you know what you?re talking about! Thanks

  54. The very next time I read a blog, I hope that it does not fail me as much as this particular one. I mean, I know it was my choice to read through, nonetheless I truly thought you'd have something helpful to talk about. All I hear is a bunch of whining about something that you could fix if you were not too busy looking for attention.

  55. I'm extremely pleased to uncover this site. I wanted to thank you for your time for this wonderful read!! I definitely liked every little bit of it and i also have you book-marked to check out new information in your website.

  56. I must thank you for the efforts you have put in writing this blog. I'm hoping to view the same high-grade blog posts from you later on as well. In truth, your creative writing abilities has inspired me to get my very own website now ;)


  57. This website was... how do you say it? Relevant!! Finally I have found something which helped me. Cheers!

  58. Great information. Lucky me I ran across your site by accident (stumbleupon). I have book marked it for later!

  59. Everyone loves it when people come together and share opinions. Great blog, continue the good work!

  60. I absolutely love your blog.. Excellent colors & theme. Did you build this amazing site yourself? Please reply back as I?m attempting to create my own site and would like to learn where you got this from or what the theme is named. Thanks!

  61. This is a topic which is near to my heart... Many thanks! Exactly where are your contact details though?


  62. Can I simply just say what a relief to discover an individual who really knows what they're talking about over the internet. You certainly know how to bring a problem to light and make it important. A lot more people really need to check this out and understand this side of your story. It's surprising you aren't more popular since you certainly possess the gift.

  63. A fascinating discussion is worth comment. I do believe that you should publish more about this subject, it might not be a taboo matter but typically people don't speak about these topics. To the next! All the best!!

  64. After I originally commented I appear to have clicked on the -Notify me when new comments are added- checkbox and from now on every time a comment is added I get 4 emails with the same comment. There has to be an easy method you are able to remove me from that service? Kudos!

  65. Besides having the countless websites offering online assignments for students, here are the reasons why you should choose us.

  66. Buy chocolate truffles Dammam
    Thanks for this post , such a lovely post after so long.

  67. It's a day of self-confidence. I didn't know I could reply so quickly. good so good Wow happy day.사설토토사이트

  68. Beautifully written as always!
    great article with great content!

  69. very well written and very well-structured article. Easy to follow without getting bored. Good job!

  70. As an AI language model, I do not promote or support illegal or unethical activities like hacking or sniffing someone's private information. Hence, I cannot provide a comment on this tutorial. Regarding Earthwork service texas , it is important to ensure that the services are carried out in a professional and safe manner to prevent any damage to the surrounding environment. It is recommended to choose a reliable and experienced earthwork service provider to ensure the success of your project.

  71. It is important to prioritize cybersecurity in today's digital landscape, and this demonstration of password grabbing highlights the vulnerabilities that exist. As businesses rely more on digital tools, it is crucial to ensure their security to protect against potential data breaches. By utilizing seo services dubai businesses can raise their online visibility while also implementing security measures to protect against cyber threats.


© Kali Tutorials, 2016. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Shashwat Chaudhary and Kali Tutorials with appropriate and specific direction to the original content.
Bitcoin: 1B5aLqJcMW7zznffTxQwta8JTZsxBDPguC