Install MITM Attack Framework BetterCAP

Last Release: 07/03/2020    

Install MITM Attack Framework BetterCAP

Powerful, Modular, Portable MITM Attack Framework

BetterCAP is a powerful, modular/flexible and portable MITM attack framework created to perform various types of attacks against a network. It is able to manipulate HTTP, HTTPS and TCP traffic in realtime, sniff for credentials, etc. It was completely reimplemented in 2018, and aside MITM it brings network monitoring 802.11, BLE and more. Penetration testers, reverse engineers and cybersecurity researchers may find this tool very useful.

The release of the second generation of BetterCAP, which has a complete re-implementation of the most complete and advanced Man-in-the-Middle attack framework, raises the MITM attacks to a whole new level. Also, BetterCAP aims to become a reference framework for network monitoring, 802.11, BLE attacks, etc.

Bettercap switched from a Ruby application to a compiled Go application, which allow BetterCAP 2.7.0 to run on low end hardware while proxying hundreds of connections per second and forwarding tens of hundred of packets. Memory and CPU usage are now extremely optimized and you can run several instances of your favorite MITM attack framework. BetterCAP supports Windows, macOS, Android, Linux (arm, mips, mips64, etc) and iOS.


MITM attack framework BetterCAP


  • Full and half duplex ARP spoofing
  • ICMP/DNS/NDP spoofing
  • Modular HTTP and HTTPS transparent proxies with support for user plugins
  • Realtime credentials harvesting for protocols such as HTTP(S) POSTed data, Basic and Digest Authentications, FTP, IRC, POP, IMAP, SMTP, NTLM ( HTTP, SMB, LDAP, etc.)
  • Fully customizable sniffer
  • Modular HTTP/HTTPS proxies to allow for injection of custom HTML, JS, CSS code or urls
  • SSLStripping with HSTS bypass. etc.

New Features:

  • single https certificate / authority fields can now be customized via dedicated module parameters ( http.server, https.proxy and )
  • implemented any.proxy module to redirect traffic to custom proxy tools
  • implemented http.proxy.injectjs and https.proxy.injectjs parameters to inject javascript code, files or URLs without a proxy module

Bettercap Caplets

Bettercap caplets, or .cap files are a powerful way to script bettercap’s interactive sessions, think about them as the .rc files of Metasploit. Check this repository for available caplets and modules. To execute:

$ sudo bettercap -caplet ./example.cap

BetterCap vs. EtterCAP

  • EtterCAP worked good, but it’s very old tool and unstable on big networks
  • Unlike BetterCAP, EtterCAP filters are very hard to implement (specific language implementation)
  • EtterCAP doesn’t provide a builtin HTTP(S) and TCP transparent proxies, neither fully customizable credentials sniffer, etc.

Install BetterCAP

First, you need to make sure that you have a correctly configured Go >= 1.8 environment. $GOPATH/bin needs to be in $PATH . You also need to check if the libpcap-dev and libnetfilter-queue-dev are installed on your system. Install if missing:

$ sudo apt-get install libpcap-dev libnetfilter-queue-dev

Then download BetterCAP as follows:

$ go get

After installation, install its dependencies, compile it and move the bettercap executable to $GOPATH/bin.

If you want to update to unstable release from repository, run:

$ go get -u
Info: A precompiled version is available for each release, but if you want to make your own binary, you can use the latest version of the source code from BetterCAP repository.

Use sudo bettercap -h to show the basic command line options.

$ bettercap --help

Usage of ./bettercap_:
  -autostart string
        Comma separated list of modules to auto start. (default ", net.recon")
  -caplet string
        Read commands from this file and execute them in the interactive session.
  -cpu-profile file
        Write cpu profile file.
        Print debug messages.
  -env-file string
        Load environment variables from this file if found, set to empty to disable environment persistence.
  -eval string
        Run one or more commands separated by ; in the interactive session, used to set variables via command line.
  -iface string
        Network interface to bind to, if empty the default interface will be auto selected.
  -mem-profile file
        Write memory profile to file.
        Disable output color effects.
        Disable interactive session history file.
        Suppress all logs which are not errors.

For legacy options check here.

Note: You might encounter issue like “error while loading shared libraries: cannot open shared object file: No such file or directory“, recommended solution:

$ sudo ln -s /usr/lib/x86_64-linux-gnu/ /usr/lib/

Basic commands:

          help MODULE : List available commands or show module specific help if no module name is provided. 
               active : Show information about active modules. 
                 quit : Close the session and exit. 
        sleep SECONDS : Sleep for the given amount of seconds. 
             get NAME : Get the value of variable NAME, use * alone for all, or NAME* as a wildcard. 
       set NAME VALUE : Set the VALUE of variable NAME. 
 read VARIABLE PROMPT : Show a PROMPT to ask the user for input that will be saved inside VARIABLE. 
                clear : Clear the screen. 
       include CAPLET : Load and run this caplet in the current session. 
            ! COMMAND : Execute a shell command and print its output. 
       alias MAC NAME : Assign an alias to a given endpoint given its MAC address.

Basic info & Commands


|      IP        |        MAC         |      Name       |          Vendor           |  Sent   | Recvd   | Last Seen  | 
| 192.168.xx.xx  | a0:4e:xx:xx:xx:xx  | eth0            |                           | 0 B     | 0 B     | 15:12:48   | 
| 192.168.xx.xx  | ac:28:xx:xx:xx:xx  | gateway         |                           | 197 kB  | 0 B     | 15:12:49   | 
|                |                    |                 |                           |         |         |            | 
| 192.168.xx.xx  | a8:20:xx:xx:xx:xx  | 192.168.xx.xx   | xx.                       | 29 MB   | 18 MB   | 19:29:11   | 
| 192.168.xx.xx  | a0:37:xx:xx:xx:xx  | unknown.        | xx.                       | 1.4 MB  | 383 kB  | 19:27:50   | 
| 192.168.xx.xx  | a0:49:xx:xx:xx:xx  | workgroup.      | xx.                       | 290 kB  | 9.5 kB  | 19:28:43   | 
| 192.168.xx.xx  | a4:56:xx:xx:xx:xx  | 192.168.xx.xx   |                           | 4.6 kB  | 0 B     | 19:28:14   | 
| 192.168.xx.xx  | a8:72:xx:xx:xx:xx  | 192.168.xx.xx   | xx.                       | 626 kB  | 0 B     | 19:28:23   | 
| 192.168.xx.xx  | a8:62:xx:xx:xx:xx  | 192.168.xx.xx   | xx.                       | 69 kB   | 11 kB   | 19:28:29   | 
| 192.168.xx.xx  | ac:18:xx:xx:xx:xx  | 192.168.xx.xx   | xx.                       | 0 B     | 0 B     | 15:12:49   | 
| 192.168.xx.xx  | a4:2c:xx:xx:xx:xx  | 192.168.xx.xx   | xx.                       | 4.1 kB  | 0 B     | 18:39:24   | 
| 192.168.xx.xx  | a8:37:xx:xx:xx:xx  | 192.168.xx.xx   |                           | 9.5 kB  | 6.9 kB  | 19:05:36   | 
| 192.168.xx.xx  | a0:42:xx:xx:xx:xx  | 192.168.xx.xx   | xx.                       | 0 B     | 0 B     | 15:12:49   | 
| 192.168.xx.xx  | a0:33:xx:xx:xx:xx  | 192.168.xx.xx   | xx.                       | 133 kB  | 0 B     | 19:28:22   | 
*xx - redacted info

Use help to see which module is running:

» help

     any.proxy > not running       (firewall redirection to any custom proxy) > not running       (Expose a RESTful API)
     arp.spoof > running           (Keep spoofing selected hosts on the network)
     ble.recon > not running       (Bluetooth Low Energy devices discovery)
   dhcp6.spoof > running           (Replies to DHCPv6 messages, providing victims with a link-local IPv6 address and setting the attackers host as default DNS server)
     dns.spoof > running           (Replies to DNS messages with spoofed responses) > running           (Print events as a continuous stream)
           gps > not running       (talking with GPS hardware on a serial interface)
    http.proxy > not running       (full featured HTTP proxy that can be used to inject malicious contents into webpages, all HTTP traffic will be redirected to it)
   http.server > not running       (simple HTTP server, to be used to serve files and scripts accross the network)
   https.proxy > not running       (full featured HTTPS proxy that can be used to inject malicious contents into webpages, all HTTPS traffic will be redirected to it)
   mac.changer > not running       (change active interface mac address)
  mysql.server > not running       (simple Rogue MySQL server, to be used to exploit LOCAL INFILE and read arbitrary files from the client)
     net.probe > running           (actively search for hosts by sending UDP packets to every IP in the subnet)
     net.recon > not running       (read ARP cache in order to monitor hosts on the network)
     net.sniff > not running       (Sniff packets from the network)
  packet.proxy > not running       (Linux only module that relies on NFQUEUEs to filter packets)
      syn.scan > not running       (perform a syn prot scanning against an IP address within the provided ports range)
     tcp.proxy > not running       (full featured TCP proxy and tunnel, all TCP traffic to a given remote address and port will be redir. to it)
        ticker > not running       (execute one ore more commands every given amount of time)
        update > not running       (check bettercap updates)
          wifi > not running       (monitor and perform wireless attacks on 802.11)
           wol > not running       (send Wake On Lan packets in breadcast or to specific MAC)

For specific module, run:

» help <module>

To get all info on all modules:

» get *

                       any.proxy.dst_address: '<interface address>'
                          any.proxy.dst_port: '8080'
                             any.proxy.iface: '<interface name>'
                             wifi.hop.period: '250'
                            wifi.skip-broken: 'true'
                            wifi.source.file: ''

To get all info on specific module:

» get dns.spoof.* 

                          dns.spoof.address: '<interface address>' 
                              dns.spoof.all: 'false' 

If you want to run commands right away (from the terminal):

$ bettercap -eval "net.probe.on; ticker on"

To run system commands within bettercap, add ! :

» !pwd


Things to work on:

  • Experiment with different options, HTTPS, proxy

Bettercap is a versatile tool. Redirection, Phishing, Sniffing, Injections, .. you can do a lot with it. But there are some “problems”. Behaviour can vary because of the network architecture, DNS cache, setup.. Unexpected results can happen, especially to inexperienced users. It’s going to take you some time to overcome the problems and get use to the new environment. All in all, a solid tool that you should at least try. Check some examples on:

Documentation Box
Download Box