WEBVTT

0
00:01.020 --> 00:07.380
In the last two lectures I have shown you how to use Bettercap to launch various attacks of type Man

1
00:07.380 --> 00:09.660
in the Middle or Denial of Service

2
00:09.660 --> 00:16.170
exploiting the ARP protocol. Each time you want to launch an ARP spoofing attack you have to start the

3
00:16.170 --> 00:22.700
Bettercap, specify the targets, set different options and start the required modules.

4
00:22.710 --> 00:29.370
This is time-consuming and prone to errors, and to be honest it's no pleasure for anyone to memorize

5
00:29.420 --> 00:32.020
tens of parameters and commands.

6
00:32.040 --> 00:40.290
Fortunately Bettercap has a feature called caplets that allows you to script and automate all supported

7
00:40.380 --> 00:41.320
attacks.

8
00:41.340 --> 00:49.770
What is a caplet? It's a text file that contains the options and commands that you would execute in a bettercap

9
00:49.770 --> 00:51.770
interactive session.

10
00:51.840 --> 00:54.780
A caplet is similar to a shell script:

11
00:54.780 --> 01:02.060
instead of writing command after command in a bettercap interactive session you just write the commands

12
01:02.070 --> 01:10.230
in a text file with a .cap extension and then start bettercap using the -caplet option and that

13
01:10.230 --> 01:10.980
file.


14
01:11.020 --> 01:14.540
Let's see an example! Back to Kali

15
01:14.540 --> 01:16.020
I'm opening bettercap

16
01:16.040 --> 01:20.340
just like before and launching an ARP spoofing attack.

17
01:21.380 --> 01:27.820
I'm becoming root and bettercap -iface

18
01:27.840 --> 01:29.190
eth0

19
01:29.220 --> 01:36.410
the name of the interface. Bettercap has started and I'll write the first

20
01:36.410 --> 01:46.550
commands in this interactive session.
net.recon on, set arp.spoof.targets

21
01:46.790 --> 01:51.580
and the name of the target, the Windows machine.

22
01:51.580 --> 01:51.970
OK.

23
01:51.970 --> 01:52.510
This one!

24
01:57.490 --> 02:01.240
set arp.spoof.fullduplex true

25
02:04.050 --> 02:13.880
and I'm starting the module: arp.spoof on and net.sniff on

26
02:17.160 --> 02:18.080
perfect.

27
02:18.090 --> 02:21.480
This is the way you've already seen in the last lectures.

28
02:21.690 --> 02:29.620
I wanted to execute the commands in bettercap just to be sure that there are no mistakes; now using

29
02:29.620 --> 02:33.470
my preferred text editor, which is in my case vim,

30
02:33.520 --> 02:42.460
I'm gonna create a text file called arp_spoof.cap; I need another terminal, I'm becoming


31
02:42.460 --> 02:53.320
root, I'm moving to the /root/ directory and here I'm creating the file arp_spoof.cap

32
02:55.900 --> 03:03.310
Inside this file I'm gonna copy-paste all the options and commands executed in the bettercap interactive

33
03:03.310 --> 03:07.030
session; the first option,

34
03:11.530 --> 03:19.960
the second option, the third option and the last two options

35
03:26.300 --> 03:35.000
and I'm saving the file; I'm closing this instance of bettercap and then starting it again, this time using

36
03:35.000 --> 03:35.710
the caplet.

37
03:35.870 --> 03:39.070
First I'm moving to the /root/ directory.

38
03:39.080 --> 03:41.630
This is the directory that contains the caplet.

39
03:45.180 --> 03:45.890
This is the file.

40
03:48.670 --> 03:52.160
Be sure that the caplet is in the current working directory.

41
03:52.330 --> 04:02.900
If it's not, use the correct absolute or relative path to the caplet file: bettercap -iface

42
04:02.910 --> 04:12.540
eth0 -caplet and the name of the file. I'm closing this terminal just to have more space

43
04:13.020 --> 04:22.070
and I'm hitting enter and bettercap started and has launched the ARP spoofing attack just as we would

44
04:22.070 --> 04:29.270
have written all the commands directly in a bettercap session. Let's test that the attack is working!

45
04:32.070 --> 04:42.520
This is the victim's machine and I'm executing arp -a; this is its ARP table and we notice that

46
04:42.520 --> 04:52.050
both the default gateway and the hacker have the same MAC address in the ARP table; now using the browser

47
04:52.460 --> 05:01.710
I'm going to log in to the same website we've tested in the ARP spoofing attack: demo.testfire.net

48
05:03.110 --> 05:11.790
and I'll click on online banking log in; user name Kali and password test

49
05:11.880 --> 05:13.400
1 2 3 4

50
05:13.550 --> 05:14.300
and log in

51
05:17.280 --> 05:25.630
We notice how the attacker has captured the credentials so the attack is working. Now if you want to

52
05:25.630 --> 05:31.740
add a new target, change an option or launch a second attack you just modify the caplet and

53
05:31.750 --> 05:39.380
start bettercap again. It's much simpler this way! Note that bettercap already comes

54
05:39.440 --> 05:50.030
with some caplets and you may find them in /usr/share/bettercap/caplets. These are the caplets

55
05:50.090 --> 05:51.740
bettercap comes with.

56
05:55.090 --> 06:02.320
In a bettercap interactive session you can see all caplets by executing caplets.show

57
06:05.350 --> 06:14.420
We see the name of the caplet and the caplet file and the path to the caplet, caplet.path

58
06:15.590 --> 06:23.630
it will search for the caplets in these directories and there is also caplet.update available,

59
06:24.170 --> 06:30.320
it will update the caplets from the official GitHub repository.

60
06:30.340 --> 06:35.020
Note that this command is inactive in Kali by default.

61
06:35.020 --> 06:42.340
If you want to activate the command you must install the bettercap-caplets package.

62
06:42.370 --> 06:43.680
Also take care that

63
06:43.690 --> 06:50.020
this command will overwrite any changes you have made to the caplets in the official directory.