Bettercap – Extensible MITM Framework

bettercap is a complete, modular, portable and easily extensible MITM tool and framework with every kind of diagnostic and offensive feature you could need in order to perform a man in the middle attack.

Does a complete, modular, portable and easy to extend MITM tool actually exist?

If your answer is “ettercap”, let me tell you something:

  • ettercap was a great tool, but it made its time.
  • ettercap filters do not work most of the times, are outdated and hard to implement due to the specific language they’re implemented in.
  • ettercap is freaking unstable on big networks … try to launch the host discovery on a bigger network rather than the usual /24
  • yeah you can see connections and raw pcap stuff, nice toy, but as a professional researcher you want to see only relevant stuff.
  • unless you’re a C/C++ developer, you can’t easily extend ettercap or make your own module.

Indeed you could use more than just one tool … maybe arpspoof to perform the actual poisoning, mitmproxy to intercept HTTP stuff and inject your payloads and so forth … I don’t know about you, but I hate when I need to use a dozen of tools just to perform one single attack, especially when I need to do some black magic in order to make all of them work on my distro or on OSX … what about the KISS principle?


Default sniffer mode, all parsers enabled:

sudo bettercap -X

Enable sniffer and load only specified parsers:

sudo bettercap -X -P "FTP,HTTPAUTH,MAIL,NTLMSS"

Enable sniffer + all parsers and parse local traffic as well:

sudo bettercap -X -L

Enable sniffer + all parsers and also dump everything to a pcap file:

sudo bettercap --sniffer --sniffer-pcap=output.pcap 

What about saving only HTTP traffic to that pcap file?

sudo bettercap --sniffer --sniffer-pcap=http.pcap --sniffer-filter "tcp and dst port 80"


Add Comment