Past, Present and Future of Bettercap
Four months passed since my first blog post about bettercap, a lot of fixes have been released and a lot of new features have been implemented.
In this post I’d like to talk about some of these new features and describe them a little bit, this is basically a big changelog since the very first version, for a complete list of code changes you can read the releases github page.
Major Changes
Added --no-discovery argument to skip active host discovery. ( since v.1.1.0 )
Sometimes you already have the hosts you want to target in the arp cache of your computer, maybe because you already used bettercap against them or just because you already established some communication with them, you can now use the --no-discovery argument to use the static ARP cache instead of spawning the discovery agents and make the whole process faster.
Dynamic discovery, new hosts are added to the targets list while running. ( since v1.1.0 )
Once bettercap is started, it will keep searching for new hosts and add them to the targets list even if an attack is already running. You can basically just launch bettercap once and it will take care of new computers connecting to your internal network.
Implemented HTTP transparent proxy with modules support. ( since v1.1.0 )
No need for explanations here, you can find the complete documentation of the transparent proxy and its modules here.
Added builtin HTTP server. ( since v1.1.1 )
There’s now a simple builtin HTTP server available, you can use it to serve static assets such as images or js files that you might need in your custom proxy module.
New feature to save all packets to a pcap file ( --sniffer-pcap option ). ( since v1.1.2 )
You don’t have time to manually inspect everything you’re sniffing from the network? No problems! You can use the --sniffer-pcap argument to save every sniffed packet to a PCAP file and inspect it later.
New --sniffer-filter argument to pass custom BPF filters to the sniffer. ( since v1.1.2 )
Of course, you can use a custom BPF filter in order to save only the packets you’re really interested into :)
Added --no-spoofing argument ( alias for --spoofer NONE ). ( since v1.1.2 )
If you want to use bettercap as a local proxy/sniffer to debug or reverse engineer some application, you can easily disable the spoofing using the --no-spoofing argument.
New --check-updates option will check if a new version of bettercap is available. ( since v1.1.3 )
You can now check if a new version is available directly from bettercap.
First prototype of HTTPS transparent proxy with realtime crafted certificate and/or custom .pem file. ( since v1.1.4 )
Yep, since v1.1.4 bettercap is also able to intercept and proxy HTTPS traffic using certificate pinning, both using a realtime built certificate or a custom PEM file.
Added dynamic ARP agent/sniffer that will reply to ARP who-has requests when needed. ( since v1.1.4 )
As new legit ARP requests are intercepted on the network, the program will take care of generating a proper ( spoofed of course :P ) response.
Implemented half-duplex mode for weird routers that whenever receive an ARP_OPREPLY suddenly sends an ARP_OPREQUEST to the real ip, screwing up MITM ( since v1.1.4 )
This was a new feature I implemented in order to fix a weird behaviour me and some users experienced with particular routers, a full description of this new mode can be found here.
Now the user can target more than one address at once ( since v1.1.4, tnx to @mvrilo )
The --target argument now supports a comma separated list of targets.
Now the user can load more than one spoofer at once ( since v1.1.4, tnx to @minotaur-0 )
The --spoofer argument now supports a comma separated list of spoofing modules.
New argument to manually specify the gateway address ( since v1.1.5, tnx to @misterade )
The gateway address can now be manually specified on the command line, this is an optional argument which is needed only when you already know the gw address and don’t want bettercap to search for it.
New --sniffer-source argument to read a pcap file instead of sniffing from the network interface. ( since v1.1.5 )
If you’re running bettercap as a simple sniffer/cretendials harvester, you can “replay” an already captured pcap file and feed it to the program instead of capturing real time traffic.
Updated hw-prefixes file with latest version from nmap repository. ( since v1.1.6 )
This made the “mac-address to vendor” lookup more accurate.
Implemented custom upstream proxy options ( --custom-proxy, --custom-https-proxy ) both for HTTP and HTTPS. ( since v1.1.6 )
A new set of arguments is available in order to specify a custom HTTP/HTTPS upstream proxy address.
The Future
If you’re interested in upcoming features, there’s a “TODO” list available here, some of these items are done and the code has already been pushed to the dev branch, others are still to be done and I’m still not sure about some, these are the major upcoming features.
Implement --ignore ADDR,ADDR,ADDR option to filter out specific addresses from the targets list. ( READY in the developer branch )
If there’re one or multiple ip addresses that are causing a lot of traffic and that you’re not interested to, you can use this argument to completely ignore them.
Rewrite proxy class using em-proxy library.
I’m currently working on a complete rewriting of the Proxy class that will dramatically increase its performances thanks to the great em-proxy gem by Ilya Grigorik.
Active packet filtering/injection/etc
This still needs to be started, but in the future there will be a modular packet injector/filter ( pretty much like the modular HTTP(S) transparent proxy but for raw packets ^_^ ), probably powered by the nfqueue Ruby gem by Guillaume Delugré.
BSD Support. ( !!!Help wanted here!!! )
Bettercap is already compatible with Mac OS X and basically every distribution of GNU/Linux, I’d like some BSD guru to help me to make it compatible with *BSD systems as well.
HTTP/2 Support.
Self explanatory, still in TODO.