bettercap is a complete, modular, portable and easily extensible MITM tool and framework with every kind of diagnostic and offensive feature you could need in order to perform a man in the middle attack.
Does a complete, modular, portable and easy to extend MITM tool actually exist?
If your answer is “ettercap”, let me tell you something:
- ettercap was a great tool, but it made its time.
- ettercap filters do not work most of the times, are outdated and hard to implement due to the specific language they’re implemented in.
- ettercap is freaking unstable on big networks … try to launch the host discovery on a bigger network rather than the usual /24
- yeah you can see connections and raw pcap stuff, nice toy, but as a professional researcher you want to see only relevant stuff.
- unless you’re a C/C++ developer, you can’t easily extend ettercap or make your own module.
Indeed you could use more than just one tool … maybe arpspoof to perform the actual poisoning, mitmproxy to intercept HTTP stuff and inject your payloads and so forth … I don’t know about you, but I hate when I need to use a dozen of tools just to perform one single attack, especially when I need to do some black magic in order to make all of them work on my distro or on OSX … what about the KISS principle?
Default sniffer mode, all parsers enabled:
sudo bettercap -X
Enable sniffer and load only specified parsers:
sudo bettercap -X -P "FTP,HTTPAUTH,MAIL,NTLMSS"
Enable sniffer + all parsers and parse local traffic as well:
sudo bettercap -X -L
Enable sniffer + all parsers and also dump everything to a pcap file:
sudo bettercap --sniffer --sniffer-pcap=output.pcap
What about saving only HTTP traffic to that pcap file?
sudo bettercap --sniffer --sniffer-pcap=http.pcap --sniffer-filter "tcp and dst port 80"