It’s with immense pleasure that I announce the release of the second generation of bettercap, a complete reimplementation of the most complete and advanced Man-in-the-Middle attack framework. This release not only brings MITM attacks to the next level, but it aims to be the reference framework for network monitoring (we <3 blueteams too), 802.11, BLE attacks and more! :D
The first thing I want to mention is the amazing team that helped me debug during endless sessions on Windows, or implemented new features that changed the tool radically, or tested, or gave ideas, or reported bugs (on GitHub, not on Twitter -.-) … you guys rock and I am so lucky, thank you.
Let’s get started :D
As anyone following either me or bettercap itself on Twitter probably knows, the biggest change has been in the underlying technology and framework that bettercap relies upon: we switched from a Ruby application to a compiled Go application, and this increased performance tremendously for several reasons.
First, we’re not victims of a GIL anymore; this, plus Go’s amazing concurrency mechanisms, allows bettercap 2.0 to run on low end hardware and still keep proxying hundreds of connections per second and forwarding tens of hundreds of packets, while the previous version averaged 5-6 connections/s due to how I/O requests were pooled by the interpreter while locking (aka the GIL sucks, a lot). Long story short, no more unwanted network DoS when performing a MITM attack!! F YEAH! - put cool ninja move here -
Also, memory and CPU usage are now extremely optimized: you can run several instances of bettercap on your Raspberry Pi (or laptop, or router, or whatever … quite literally) and your CPU cores won’t even get to 20% unless you’re attacking a huge subnet … you can monitor LAN events in real time, while scanning for WiFi access points, while attacking BLE devices nearby, all at the same time, super fast, on low end hardware … but more on this later.
TL;DR: FU Ruby, Go is amazing, fast and scales exceptionally well.
Needless to say, having a single binary with zero dependencies (or just libpcap.so on some platforms, which will be solved with a full static build soon) that you can just drop on a router/server/whatever and run is way better than the whole rubygems/rvm/rubyenv/whateverbs mess, while if you want to update to the bleeding edge, all you have to do is install Go and then run go get -u github.com/bettercap/bettercap … how freaking cool is that? :D
Oh … and this new version supports Windows, macOS, Android, Linux (arm, mips, mips64, etc) and soon iOS ^_^
The useful features of the old version have been ported to this new one and you will find them as session modules (really, RTFM, I spent hours writing that shit), so you’ll have net.recon searching for new hosts on your network while net.probe keeps probing for new ones; there’s our old friend arp.spoof with his buddies, dhcp6.spoof among them. You have the net.sniffer of course, a syn.scanner if you need one, and several other core modules you can use to script your interactive session while the events.stream flows in front of you :D
Talking about scripting, as I said, proxy modules are easily scriptable in JS:
Also, now we have “caplets”, which are basically like metasploit .rc files … enough ugly shell scripts because we don’t remember the command line for every attack scenario: now you can save your commands as .cap files and load them from your interactive session. Let’s see a couple of interesting examples :D
Execute an ARP spoofing attack on the whole network (by default) or on a single host (using -eval as described), intercept HTTP and HTTPS requests with the proxy modules (https.proxy included) and dump them using the http-req-dump.js proxy script.
An example of how to use the ticker module: use this caplet to monitor activities on your network.

This one is like netmon.cap but will monitor for WiFi access points and clients instead of network hosts.
Reroute IPv4 DNS requests by using DHCPv6 replies, start an HTTP server and a DNS spoofer for google.com (works against Windows 10 ^_^):
These are just a few basic examples, I strongly encourage you to check the caplets repository.
There’s a brand new wifi.recon module that will either stick to a channel or perform channel hopping, on both the 2.4GHz and 5.0GHz bands, reporting useful information on what’s going on at the 802.11 layer; the wifi.deauth module will deauth clients (doh!) while the net.sniffer will capture WPA2 handshakes (bye bye kismet, airodump, airmon, wifite, etc!). Meanwhile, ble.recon will discover every Bluetooth Low Energy device you might want to inspect with ble.enum or fuzz with ble.fuzz (still work in progress, as are the sdr.* modules and others).
Did I mention that this works on macOS and Windows too? :D Oh, and your macOS probably has a WiFi card capable of monitor mode and frame injection already :D This release is taking everything to the next level: we’re not just on the Ethernet anymore, we are everywhere.
I believe this is functionally the biggest change, or at least the one with the biggest potential: we finally have a REST API! Imagine having a mobile client for your bettercap instance running on your dropbox, or simply imagine developing a mobile application just by launching the Android executable, using the http.server module itself to serve a web UI and creating a WebView to render it … boom, easy mobile baby! :D
You can read every single bit of information, you can have per IP realtime network statistics, you can send commands, wait for events … the sky is the limit!!! -put evil laugh here-
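Since the post mentions the blue-team side of this, here is an added example (not from the post or from bettercap itself) of what a defender can do with the event feed: pull /api/events and alert on LAN hosts whose MAC is not on an allowlist. It assumes api.rest is on at https://127.0.0.1:8081 behind HTTP basic auth, that GET /api/events returns a JSON array of {"tag","time","data"} objects, and that endpoint.new events carry the host as data with "ipv4", "mac" and "hostname" fields.

```python
# Added example, not bettercap's own code. Assumed API shape: GET /api/events
# returns [{"tag": ..., "time": ..., "data": ...}, ...]; endpoint.new events
# carry a LAN host with "ipv4", "mac", "hostname" and "vendor" fields.
import base64
import json
import ssl
import urllib.request

# Constructed sample of the event feed (not captured traffic).
SAMPLE_EVENTS = json.dumps([
    {"tag": "mod.started", "time": "2018-02-27T21:00:00Z", "data": "net.recon"},
    {"tag": "endpoint.new", "time": "2018-02-27T21:00:02Z",
     "data": {"ipv4": "192.168.1.20", "mac": "AA:BB:CC:DD:EE:01",
              "hostname": "printer", "vendor": "Example Corp"}},
    {"tag": "endpoint.new", "time": "2018-02-27T21:00:05Z",
     "data": {"ipv4": "192.168.1.77", "mac": "aa:bb:cc:dd:ee:99",
              "hostname": "", "vendor": ""}},
])

# Devices expected on the LAN, keyed by lower-case MAC address.
KNOWN_MACS = {"aa:bb:cc:dd:ee:01"}


def fetch_events(base_url, user, password, verify_tls=True):
    """GET /api/events from a live instance (assumed endpoint and basic auth)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(base_url + "/api/events",
                                 headers={"Authorization": "Basic " + token})
    # bettercap's API certificate is self-signed by default; only pass
    # verify_tls=False when talking to your own instance over loopback.
    ctx = None if verify_tls else ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode()


def unknown_hosts(events_json, known_macs):
    """(ipv4, mac, hostname) for every endpoint.new whose MAC is not allowlisted.
    MACs are normalised to lower case; other event tags are skipped."""
    alerts = []
    for ev in json.loads(events_json):
        if ev.get("tag") != "endpoint.new":
            continue
        host = ev["data"]
        mac = host.get("mac", "").lower()
        if mac and mac not in known_macs:
            alerts.append((host.get("ipv4"), mac, host.get("hostname") or "?"))
    return alerts


if __name__ == "__main__":
    for ip, mac, name in unknown_hosts(SAMPLE_EVENTS, KNOWN_MACS):
        print(f"ALERT: unknown host {ip} ({mac}) hostname={name}")
```

Against a live instance, replace SAMPLE_EVENTS with fetch_events("https://127.0.0.1:8081", user, password) and run it from a cron job or loop to get a cheap rogue-device monitor.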
“There's power on that USB … kismet on a drone ftw” (@evilsocket, December 14, 2017, pic.twitter.com/CbeeyL0QtZ)
I’m so looking forward to seeing what users will create with this API: no more ugly Python wrappers, no more parsing complicated log files! F YEAH!!!