The Better Ettercap... Bettercap!

What is an Ettercap and how can it be better?  To explain I will speak briefly about what Ettercap is, and why it's useful.  Taken directly from the Ettercap home page: "Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis."

Ettercap is a free and open source network security tool that helps penetration testers or attackers perform passive analysis of network protocols, or active dissection of those same protocols.  Ettercap was originally released on March 14, 2015 and is written in the C language.  Unfortunately, Ettercap has not advanced enough to stay relevant with some of the newer protocols.  There are also quite a few stability problems, and the worst issue is that extending it is very difficult.  More about the pitfalls of Ettercap can be found here.

Therefore, it would be nice to have a "better" Ettercap, and thus the project Bettercap by @evilsocket was born.  Bettercap is a fully extensible and portable framework written in Go which aims to be a direct replacement, giving penetration testers and attackers an all-in-one solution.  Bettercap also aims to support additional protocols and media such as WiFi, Bluetooth Low Energy, HID devices, and Ethernet networks.

Bettercap has more features than could be discussed in a single blog post, so today I will mostly focus on using Bettercap to perform different wireless attacks.  To be consistent I will be using version 2.4 as a pre-compiled binary downloaded from GitHub.  Source install instructions are also available, but using the binary keeps this post somewhat shorter.

In order to follow along with this blog post you will need a wireless card that is able to inject packets.  The following snippet is a quick and easy way to grab a pre-compiled binary of Bettercap.

root@kali: wget
root@kali: unzip -d /opt/bettercap/
root@kali: cd /opt/bettercap

The screenshot below shows the wireless interface that will be used for the remainder of this blog post.

One way to test your card for wireless injection, if you are using Kali Linux, is the pre-installed Aircrack-ng suite: the command aireplay-ng wlan0 --test checks for packet injection.  If your wireless card is able to inject packets you will see output like the one below.

Now we can begin looking further into Bettercap and its abilities.  Of course, one of the first things to do with any new tool is to run --help or read the man page to learn the different flags that are available.

To start Bettercap I will simply run ./bettercap -iface wlan0, which tells Bettercap to use our wireless interface.  If you do not specify an interface Bettercap will attempt to find the primary one; however, in our case we do not want the Ethernet interface but the wireless one.

Bettercap has auto-complete on its command line, which means that if you are not sure of the command you need, or want to see the available options, you can simply hit the tab key twice and it will list them.  As you can see from the screenshot below, I ran the auto-complete for the WiFi module built into Bettercap.  The first command we are going to run is wifi.recon on.  This starts Bettercap in a reconnaissance mode where it listens for all beacons and probes while hopping through the different channels.

The screenshot below shows the output; as you can see, wifi access points become visible to the wireless interface almost immediately.  These access points are found by sniffing for beacons.

If you are performing a wireless engagement or already know the access point you want to attack, you can set the channel so that Bettercap stops hopping from channel to channel and stays on a static channel by running <number>.

The screenshot below shows Bettercap's ability to produce a nicely organized table of the different wifi access points along with the information gathered about them so far: the BSSID, SSID, encryption method, whether WPS is supported and if so which version, the current channel of the access point, the amount of data sent and received, and the time of the last beacon received.

Now that we have information on the nearby wifi access points we can use Bettercap to go on the offensive.  I should take the time at this point to note that attacking a wireless network that is not yours is illegal in many countries.  The wireless access point being used for demonstration in this blog post is owned and operated by me. The screenshot below shows the next command we will use: wifi.deauth <mac address>.  This tells Bettercap to begin sending deauthentication packets to the MAC address specified.  You might notice in the screenshot below that Bettercap returns an error message saying it has not detected any clients.  That is because at the time of the attack I had not waited long enough for a client to appear.  If you are having the same issue it might help to set the wireless interface to listen only on the channel of the access point you are attacking.  This will help it listen for client beacons as well.

If all goes well, as in the screenshot above, Bettercap should capture a .pcap file containing the four-way handshake with the wifi access point.  The next type of attack that Bettercap can perform is known as an association attack.  It is also known as a clientless attack: in 2018 a user on the Hashcat forums discovered that many modern routers append an optional field to the end of the first EAPOL frame, sent by the AP itself, when someone is associating.  This optional field is the Robust Security Network (RSN) information element, which includes the PMKID.  Using this PMKID, together with data we already have, we can generate a four-way handshake that Hashcat can crack.  Luckily for us, Bettercap allows wildcard commands that will look for any access point beacons and try to associate with them, looking specifically for the PMKID.  The command output is shown in the screenshot below.
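To make concrete why a PMKID alone is enough for an offline attack, here is an added example (mine, not part of the original post or of Bettercap) that derives the PMKID as IEEE 802.11 defines it for WPA2-PSK with the SHA1-based AKM: the PMK comes from the passphrase and SSID only, and the PMKID is an HMAC over the AP and station MAC addresses, so no client traffic is needed and the passphrase's strength is the only protection. The SSID, passphrase and MAC addresses are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (not from any real network): a made-up SSID and
# passphrase plus locally administered MAC addresses for the AP and station.
SSID = "DemoLab"
PASSPHRASE = "correct horse battery staple"
AP_MAC = "02:00:00:00:00:01"   # AA: the access point's BSSID
STA_MAC = "02:00:00:00:00:02"  # SPA: the associating card's own MAC


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    # Only the passphrase and SSID go in, so the PMK is fixed for a given network.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_pmkid(pmk: bytes, ap_mac: str, sta_mac: str) -> bytes:
    # PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): first 16 bytes of the HMAC.
    # Both MACs are visible on the air, which is why the AP's reply alone suffices.
    aa = bytes.fromhex(ap_mac.replace(":", ""))
    spa = bytes.fromhex(sta_mac.replace(":", ""))
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def pmkid_matches(pmkid_hex: str, passphrase: str, ssid: str, ap_mac: str, sta_mac: str) -> bool:
    # Check whether a PMKID taken from EAPOL message 1 was derived from this
    # passphrase and SSID, e.g. to confirm a capture of your own AP is usable.
    expected = derive_pmkid(derive_pmk(passphrase, ssid), ap_mac, sta_mac)
    return hmac.compare_digest(expected, bytes.fromhex(pmkid_hex))


if __name__ == "__main__":
    pmk = derive_pmk(PASSPHRASE, SSID)
    pmkid = derive_pmkid(pmk, AP_MAC, STA_MAC)
    print("PMK   :", pmk.hex())
    print("PMKID :", pmkid.hex())
    print("matches own passphrase  :", pmkid_matches(pmkid.hex(), PASSPHRASE, SSID, AP_MAC, STA_MAC))
    print("matches wrong passphrase:", pmkid_matches(pmkid.hex(), "not-the-passphrase", SSID, AP_MAC, STA_MAC))
```

Access points using the SHA256-based AKMs (WPA2 802.11r/PMF variants) compute the HMAC with SHA256 instead, and WPA3-SAE derives the PMK from the handshake rather than the passphrase, so this offline check does not apply to them.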

Once an access point responds with a valid RSN PMKID, Bettercap will save the four-way handshake to a .pcap file.  As you can see in the screenshot below, the four-way handshake is highlighted in red text.

Up to this point we have demonstrated two attack types that Bettercap can perform over wireless alone.  Additionally, Bettercap can automate start-up and attack vectors using what are known as caplets.  Running caplets.paths inside Bettercap shows the user where caplets are stored and the order in which it searches those locations for import.

The command caplets.update will update all the caplets from the GitHub repo.  Another pro-tip: keep in mind that if you have a custom caplet in that directory, updating will remove it.  Keep your caplets in a separate location as a backup.

Once inside the Bettercap shell you can run to see what caplets have been loaded as well as their paths.

Next I will show a brief example of creating a custom caplet.  First we run vim test.cap and enter wifi.recon on.  The screenshot below shows the basic layout of the caplet.

You can even call the caplet straight from the command line with the flag -caplet <filename>.  As you can see from the screenshot below, it automatically starts the WiFi recon.

As a final note, you can also run a command directly from the command line using -eval "<command>".  This can be helpful if you want to start Bettercap with a list of commands at device boot.

In coming posts I will work on a single-board computer solution that leverages Bettercap's caplets to automate wireless pentesting from a covert position during physical or red-team exercises.  Until next time, keep on injecting packets!
