bettercap 1.1.0

data/example_proxy_module.rb

@@ -0,0 +1,21 @@
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+class HackTitle < Proxy::Module
+  def on_request( request, response )
+    # is it a html page?
+    if response.content_type == 'text/html'
+      Logger.info "Hacking http://#{request.host}#{request.url} title tag"
+      # make sure to use sub! or gsub! to update the instance
+      response.body.sub!( '<title>', '<title> !!! HACKED !!! ' )
+    end
+  end
+end

data/lib/bettercap/base/ifirewall.rb

@@ -0,0 +1,28 @@
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+class IFirewall
+  def enable_forwarding(enabled)
+    raise 'IFirewall: Unimplemented method!'
+  end
+
+  def forwarding_enabled?()
+    raise 'IFirewall: Unimplemented method!'
+  end
+
+  def add_port_redirection( iface, proto, from, addr, to )
+    raise 'IFirewall: Unimplemented method!'
+  end
+
+  def del_port_redirection( iface, proto, from, addr, to )
+    raise 'IFirewall: Unimplemented method!'
+  end
+end

data/lib/bettercap/base/ispoofer.rb

@@ -0,0 +1,24 @@
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+class ISpoofer
+  def initialize
+    raise 'ISpoofer: Unimplemented method!'
+  end
+
+  def start
+    raise 'ISpoofer: Unimplemented method!'
+  end
+
+  def stop
+    raise 'ISpoofer: Unimplemented method!'
+  end
+end

data/lib/bettercap/context.rb

@@ -0,0 +1,124 @@
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+# this class holds global states & data
+require 'bettercap/error'
+
+class Context
+  attr_accessor :options, :iface, :ifconfig, :network, :firewall, :gateway,
+                :targets, :spoofer, :proxy
+
+  @@instance = nil
+
+  def self.get
+    if @@instance.nil?
+      @@instance = self.new
+    end
+    @@instance
+  end
+
+  def initialize
+    @options = {
+        :iface => Pcap.lookupdev,
+        :spoofer => 'ARP',
+        :target => nil,
+        :logfile => nil,
+        :sniffer => false,
+        :parsers => ['*'],
+        :local => false,
+        :debug => false,
+        :arpcache => false,
+        :proxy => false,
+        :proxy_port => 8080,
+        :proxy_module => nil
+    }
+
+    @iface = nil
+    @ifconfig = nil
+    @network = nil
+    @firewall = FirewallFactory.get_firewall
+    @gateway = nil
+    @targets = []
+    @proxy = nil
+    @spoofer = nil
+
+    @discovery_running = false
+    @discovery_thread = nil
+  end
+
+  def update_network
+    @iface    = PacketFu::Utils.whoami? :iface => @options[:iface]
+    @ifconfig = PacketFu::Utils.ifconfig @options[:iface]
+    @network  = @ifconfig[:ip4_obj]
+    @gateway  = Network.get_gateway
+
+    raise BetterCap::Error, "Could not determine IPv4 address of '#{@options[:iface]}' interface." unless !@network.nil?
+
+    Logger.debug "network=#{@network} gateway=#{@gateway} local_ip=#{@iface[:ip_saddr]}"
+    Logger.debug "IFCONFIG: #{@ifconfig.inspect}"
+    Logger.debug "IFACE: #{@iface.inspect}"
+  end
+
+  def start_discovery_thread
+    @discovery_running = true
+    @discovery_thread = Thread.new {
+      Logger.info 'Network discovery thread started.'
+
+      while @discovery_running
+        empty_list = false
+
+        if @targets.size == 0 and !@options[:arpcache]
+          empty_list = true
+          Logger.info 'Searching for alive targets ...'
+        end
+
+        @targets = Network.get_alive_targets self
+
+        if empty_list and !@options[:arpcache]
+          Logger.info "Collected #{@targets.size} total targets."
+          @targets.each do |target|
+            Logger.info "  #{target}"
+          end
+        end
+      end
+    }
+  end
+
+  def stop_discovery_thread
+    @discovery_running = false
+    if @discovery_thread != nil
+      Logger.info 'Stopping network discovery thread ...'
+
+      begin
+        @discovery_thread.join
+      rescue
+      end
+    end
+  end
+
+  def finalize
+    stop_discovery_thread
+
+    if !@spoofer.nil?
+      @spoofer.stop
+    end
+
+    if !@proxy.nil?
+      @proxy.stop
+      @firewall.del_port_redirection( @options[:iface], 'TCP', 80, @iface[:ip_saddr], @options[:proxy_port] )
+    end
+
+    if !@firewall.nil?
+      @firewall.enable_forwarding(false)
+    end
+  end
+end

data/lib/bettercap/discovery/arp.rb

@@ -0,0 +1,37 @@
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+require 'bettercap/logger'
+require 'bettercap/shell'
+require 'bettercap/target'
+
+# Parse the ARP table searching for new hosts.
+class ArpAgent
+  def self.parse( ctx )
+    arp     = Shell.arp
+    targets = []
+
+    Logger.debug "ARP:\n#{arp}"
+
+    arp.split("\n").each do |line|
+      m = /[^\s]+\s+\(([0-9\.]+)\)\s+at\s+([a-f0-9:]+).+#{ctx.ifconfig[:iface]}.*/i.match(line)
+      if !m.nil?
+        if m[1] != ctx.gateway and m[1] != ctx.iface[:ip_saddr] and m[2] != 'ff:ff:ff:ff:ff:ff'
+          target = Target.new( m[1], m[2] )
+          targets << target
+          Logger.debug "FOUND  #{target}"
+        end
+      end
+    end
+
+    targets
+  end
+end

data/lib/bettercap/discovery/icmp.rb

@@ -0,0 +1,37 @@
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+require 'bettercap/logger'
+require 'bettercap/shell'
+require 'bettercap/factories/firewall_factory'
+
+# Send a broadcast ping trying to filling the ARP table.
+class IcmpAgent
+  def initialize( timeout = 5 )
+    @thread = Thread.new do
+      FirewallFactory.get_firewall.enable_icmp_bcast(true)
+
+      if RUBY_PLATFORM =~ /darwin/
+        ping = Shell.execute("ping -i #{timeout} -c 2 255.255.255.255")
+      elsif RUBY_PLATFORM =~ /linux/      
+        ping = Shell.execute("ping -i #{timeout} -c 2 -b 255.255.255.255")
+      end
+    end
+  end
+
+  def wait
+    begin
+      @thread.join
+    rescue Exception => e
+      Logger.debug "IcmpAgent.wait: #{e.message}"
+    end
+  end
+end

data/lib/bettercap/discovery/syn.rb

@@ -0,0 +1,88 @@
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+require 'bettercap/logger'
+
+# Send SYN probes trying to filling the ARP table.
+class SynAgent
+  def initialize( ifconfig, gw_ip, local_ip )
+    @local_ip = local_ip
+    @ifconfig = ifconfig
+    @queue    = Queue.new
+
+    net = ip = @ifconfig[:ip4_obj]
+
+    # loop each ip in our subnet and push it to the queue    
+    while net.include?ip
+      # rescanning the gateway could cause an issue when the 
+      # gateway itself has multiple interfaces ( LAN, WAN ... )
+      if ip != gw_ip and ip != local_ip
+        @queue.push ip
+      end
+
+      ip = ip.succ
+    end
+
+    # spawn the workers! ( tnx to https://blog.engineyard.com/2014/ruby-thread-pool )
+    @workers = (0...4).map do
+      Thread.new do
+        begin
+          while ip = @queue.pop(true)
+            Logger.debug "SYN Probing #{ip} ..."
+
+            pkt = get_packet ip.to_s
+
+            pkt.to_w( @ifconfig[:iface] )
+          end
+        rescue Exception => e
+          Logger.debug "#{ip} -> #{e.message}"
+        end
+      end
+    end
+  end
+
+  def wait
+    begin
+      @workers.map(&:join)
+    rescue Exception => e
+      Logger.debug "SynAgent.wait: #{e.message}"
+    end
+  end
+
+  private
+
+  def get_packet( destination )
+    pkt = PacketFu::TCPPacket.new
+    pkt.ip_v      = 4
+    pkt.ip_hl     = 5
+    pkt.ip_tos	  = 0
+    pkt.ip_len	  = 20
+    pkt.ip_frag   = 0
+    pkt.ip_ttl    = 115
+    pkt.ip_proto  = 6	# TCP
+    pkt.ip_saddr  = @local_ip
+    pkt.ip_daddr  = destination
+    pkt.payload   = "\xC\x0\xF\xF\xE\xE"
+    pkt.tcp_flags.ack  = 0
+    pkt.tcp_flags.fin  = 0
+    pkt.tcp_flags.psh  = 0
+    pkt.tcp_flags.rst  = 0
+    pkt.tcp_flags.syn  = 1
+    pkt.tcp_flags.urg  = 0
+    pkt.tcp_ecn        = 0
+    pkt.tcp_win	       = 8192
+    pkt.tcp_hlen       = 5
+    pkt.tcp_dst        = rand(1024..65535)
+    pkt.recalc
+    pkt
+  end
+end
+

data/lib/bettercap/discovery/udp.rb

@@ -0,0 +1,74 @@
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+require 'bettercap/logger'
+
+# Send UDP probes trying to filling the ARP table.
+class UdpAgent
+  def initialize( ifconfig, gw_ip, local_ip )
+    @ifconfig = ifconfig
+    @port = 137
+    @message =
+      "\x82\x28\x00\x00\x00" +
+      "\x01\x00\x00\x00\x00" +
+      "\x00\x00\x20\x43\x4B" +
+      "\x41\x41\x41\x41\x41" +
+      "\x41\x41\x41\x41\x41" +
+      "\x41\x41\x41\x41\x41" +
+      "\x41\x41\x41\x41\x41" +
+      "\x41\x41\x41\x41\x41" +
+      "\x41\x41\x41\x41\x41" +
+      "\x00\x00\x21\x00\x01"
+
+    @queue = Queue.new
+
+    net = ip = @ifconfig[:ip4_obj]
+
+    # loop each ip in our subnet and push it to the queue    
+    while net.include?ip
+      # rescanning the gateway could cause an issue when the 
+      # gateway itself has multiple interfaces ( LAN, WAN ... )
+      if ip != gw_ip and ip != local_ip
+        @queue.push ip
+      end
+
+      ip = ip.succ
+    end
+
+    # spawn the workers! ( tnx to https://blog.engineyard.com/2014/ruby-thread-pool )
+    @workers = (0...4).map do
+      Thread.new do
+        begin
+          while ip = @queue.pop(true)
+            Logger.debug "Probing #{ip} ..."
+
+            # send netbios udp packet, just to fill ARP table            
+            sd = UDPSocket.new
+            sd.send( @message, 0, ip.to_s, @port )
+            sd = nil
+            # TODO: Parse response for hostname?
+          end
+        rescue Exception => e
+          Logger.debug "#{ip} -> #{e.message}"
+        end
+      end
+    end
+  end
+
+  def wait
+    begin
+      @workers.map(&:join) 
+    rescue Exception => e
+      Logger.debug "UdpAgent.wait: #{e.message}"
+    end
+  end
+end
+

data/lib/bettercap/error.rb

@@ -0,0 +1,16 @@
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+# class used to distinghuish between handled and unhandled exceptions
+module BetterCap
+  class Error < StandardError; end
+end