The next release of bettercap will include a new spoofer module as an alternative to the default ARP spoofer.
The new module performs a fully automated, full-duplex ICMP Redirect MITM attack, the technique my colleagues at Zimperium discovered and named the DoubleDirect attack.
bettercap will be the very first MITM framework to have this feature 100% working without any additional spoofers.
If you're thinking of ettercap's ICMP spoofer, which was released (I think) years ago, let me remind you what its documentation says about it:
Obviously you have to be able to sniff all the traffic. If you are on a switch you have to use a different mitm attack such as arp poisoning.
So yeah, unless you're already able to sniff network traffic (in which case, why would you even need to do a MITM attack?!?!?!), ettercap's ICMP module is completely useless.

```python
from scapy.all import IP, ICMP, UDP

def build_icmp(self):
    # ICMP Redirect (type 5, code 1 = redirect for host) spoofed from the gateway,
    # carrying a quoted target -> gateway UDP header so the target rewrites only
    # its route to the gateway.
    pkt = IP(src=self.gateway, dst=self.target) / ICMP(type=5, code=1, gw=self.ip_address) / \
          IP(src=self.target, dst=self.gateway) / UDP()
    return pkt
```
Which basically will only reroute traffic to the gateway.
In order to have a real, full-duplex MITM using ICMP Redirect packets, you have to reroute the gateway and every other address that the target/victim is requesting, which is why I used a DNS watcher thread, just as described in Zimperium's blog post.
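From the defender's side, that "redirect the gateway and every requested address" behaviour is also the signature to look for. The following added example (not bettercap's code, and not the scapy snippet above) parses raw IPv4 ICMP Redirect frames and flags one claimed sender steering many destinations to a single host that is not a known router; the frames, addresses and threshold are constructed for the example.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

def parse_icmp_redirect(frame):
    """Return (claimed sender, new gateway, redirected destination) for an
    IPv4 ICMP Redirect frame, or None for anything else."""
    if len(frame) < 20 or frame[9] != 1:            # IP protocol 1 = ICMP
        return None
    icmp = frame[(frame[0] & 0x0F) * 4:]            # skip the IP header (IHL words)
    if len(icmp) < 28 or icmp[0] != 5:              # ICMP type 5 = Redirect
        return None
    src = str(IPv4Address(frame[12:16]))
    new_gw = str(IPv4Address(icmp[4:8]))            # gateway field of the redirect
    redirected_dst = str(IPv4Address(icmp[24:28]))  # dst of the quoted original header
    return src, new_gw, redirected_dst

def find_doubledirect(frames, trusted_routers, threshold=3):
    """Group redirects by (claimed sender, new gateway) and return those that steer
    at least `threshold` distinct destinations to a host that is not a known router."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_icmp_redirect(frame)
        if parsed is None:
            continue
        src, new_gw, dst = parsed
        if new_gw in trusted_routers:               # a real router hand-off is benign
            continue
        seen[(src, new_gw)].add(dst)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}

def build_redirect(src, dst, new_gw, orig_dst):
    """Constructed sample frame (checksums left zero): IP + ICMP Redirect type 5/code 1
    + quoted IP/UDP header of the packet that supposedly triggered it."""
    quoted = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                         IPv4Address(dst).packed, IPv4Address(orig_dst).packed) + bytes(8)
    icmp = struct.pack("!BBH4s", 5, 1, 0, IPv4Address(new_gw).packed) + quoted
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + icmp

# Constructed capture (assumed addresses): one benign hand-off to a second router,
# then the DoubleDirect pattern: redirects claiming to come from the gateway that
# steer the gateway itself and every resolved destination to one other host.
GATEWAY, VICTIM, ATTACKER = "192.168.1.1", "192.168.1.20", "192.168.1.66"
SAMPLE = [build_redirect(GATEWAY, VICTIM, "192.168.1.2", "198.51.100.7")] + [
    build_redirect(GATEWAY, VICTIM, ATTACKER, d)
    for d in (GATEWAY, "198.51.100.7", "203.0.113.10", "203.0.113.44")]
```

On a real capture, feed `find_doubledirect` the IPv4 payloads of every ICMP frame seen on the segment; a host that never accepts redirects (`net.ipv4.conf.all.accept_redirects=0`) is not rerouted even when the pattern is present.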
So stay tuned, guys: the next release is close!
Let's stay in touch!