WEBVTT

0
00:01.590 --> 00:08.100
In the last two lectures we've seen how ARP works, what ARP Poisoning or Spoofing means and

1
00:08.100 --> 00:12.870
how to launch an ARP Poisoning attack using a tool called Ettercap.


2
00:13.200 --> 00:18.320
We’ll move on to another advanced hacking tool called Bettercap.


3
00:18.750 --> 00:25.790
For many years Ettercap was the standard tool for performing ARP Poisoning and MITM 

4
00:25.790 --> 00:29.380
attacks on wired or wireless networks.

5
00:29.460 --> 00:36.110
It's still a very useful tool and for a fast and reliable attack it could be the tool of your choice.

6
00:36.120 --> 00:42.240
You can install it in just a few seconds on any Linux distribution and launch the attack with only

7
00:42.240 --> 00:43.070
one command.

8
00:43.650 --> 00:50.660
However, things have evolved and another, more advanced tool called Bettercap was released.

9
00:51.780 --> 00:59.610
It was completely rewritten in Golang and this allows Bettercap to run on low-end hardware while

10
00:59.610 --> 01:02.980
processing hundreds of connections per second 

11
01:03.120 --> 01:12.570
and forwarding tens of hundreds of packets. Memory and CPU usage are now extremely optimized. Bettercap

12
01:12.570 --> 01:17.460
supports Linux, Windows, macOS and Android.

13
01:17.460 --> 01:25.740
Note that it requires a rooted phone.
Bettercap is a powerful, flexible and portable tool created

14
01:25.740 --> 01:29.160
to perform various types of Man-in-the-Middle

15
01:29.160 --> 01:36.000
attacks against protocols like ARP, DNS or DHCPv6.

16
01:36.150 --> 01:46.410
It manipulates HTTP, HTTPS and TCP traffic in real time, sniffs credentials for protocols like HTTP, HTTPS, 

17
01:46.480 --> 01:58.620
FTP, IMAP, POP or SMTP, bypasses HTTPS, performs SSL stripping with HSTS bypass and many more.

19
01:59.730 --> 02:04.950
It's the Swiss Army knife for network attacks and monitoring.

20
02:04.950 --> 02:07.380
Enough talking, let's go to work!

21
02:07.470 --> 02:14.070
I'm gonna use Kali because it has Bettercap in its default repositories and it's easier to install

22
02:14.070 --> 02:17.520
it; if you use another distribution of Linux

23
02:17.520 --> 02:21.850
you will need to install it. Depending on the distribution you are using,

24
02:21.870 --> 02:27.490
you can install it from binary packages using a package manager like apt,

25
02:27.600 --> 02:33.750
or you need to compile it. Let's install Bettercap on Kali.

26
02:33.810 --> 02:42.280
At the terminal I become root with sudo su - and enter the default password

27
02:42.520 --> 02:45.400
of the kali user, which is kali.

28
02:45.520 --> 02:47.360
Okay, I'm root!

29
02:47.560 --> 02:56.680
Let's install Bettercap using apt: apt update && apt install bettercap


30
02:59.800 --> 03:02.490
Okay, it's installing Bettercap!

31
03:07.070 --> 03:15.560
Bettercap has been successfully installed! To see a summary of its help, you execute bettercap -h

33
03:21.210 --> 03:28.680
To start it, you execute as root bettercap -iface and the name of the interface that's connected

34
03:28.710 --> 03:37.970
to the network you want to attack; just run ifconfig to see its name! In this example I'm starting

35
03:37.980 --> 03:47.270
bettercap on eth0, which is bridged to the wireless interface of my laptop. Kali is running

36
03:47.330 --> 03:47.870
in a VM

37
03:50.920 --> 03:56.200
so bettercap -iface eth0

38
04:00.690 --> 04:06.840
Once the command gets executed, you are in bettercap and you see a different prompt.

39
04:07.020 --> 04:17.140
This is the bettercap prompt! Bettercap uses modules for each available attack! To display all its modules

40
04:17.350 --> 04:22.730
we run help; these are the modules of bettercap.

41
04:26.230 --> 04:35.730
We see a list of commands, all available modules and which ones are running; the only module that is running

42
04:35.730 --> 04:38.880
by default is events.stream

43
04:38.880 --> 04:47.450
which prints out bettercap events as a continuous stream! If you want to see the help of a module you

44
04:47.450 --> 04:50.520
execute help and the name of the module.

45
04:50.570 --> 04:53.930
For example, help net.probe

46
04:57.360 --> 04:59.530
and we see the help of the module.

47
04:59.710 --> 05:03.720
It starts network host probing in the background,

48
05:03.820 --> 05:06.490
so in fact it scans the network.

49
05:07.540 --> 05:15.960
We see that it's not running and that we can start it by typing net.probe on.

50
05:15.970 --> 05:20.620
This is how we started the module and this is how we stop it.

51
05:20.620 --> 05:26.380
We also notice that this module has some parameters available.

52
05:26.380 --> 05:37.210
They can be used to fine-tune its behavior. Let's start the module! net.probe on. We notice that

53
05:37.270 --> 05:45.750
it has also started another module called net.recon as a requirement! net.probe is starting

54
05:45.900 --> 05:54.580
net.recon as a requirement for net.probe. If I execute the help command, I see that there are

55
05:54.580 --> 06:04.380
three modules running: events.stream, net.probe and net.recon. Now to see all discovered

56
06:04.380 --> 06:15.370
hosts on the network, I run net.show and I see a list of hosts, their IP and MAC addresses,

57
06:15.560 --> 06:19.430
name, vendor and so on.

58
06:19.430 --> 06:29.240
If I want to see a list of all running modules besides the help command, I can run active and it's

59
06:29.240 --> 06:33.290
showing all active modules with their options.