ECCouncil CEH Certification Practice Test Questions, ECCouncil CEH Exam Dumps


ExamSnap provides ECCouncil CEH Certification Practice Test Questions and Answers, Video Training Course, Study Guide and 100% Latest Exam Dumps to help you Pass. The ECCouncil CEH Certification Exam Dumps & Practice Test Questions in the VCE format are verified by IT Trainers who have more than 15 years of experience in their field. Additional materials include a study guide and a video training course designed by the ExamSnap experts. So if you want trusted ECCouncil CEH Exam Dumps & Practice Test Questions, then you have come to the right place.

Network Hacking - Post-Connection Attacks - MITM Attacks

3. Bettercap Basics

Previously, we learned what ARP spoofing is and how to use it to intercept connections in our network using a tool called arpspoof. I covered this tool because it is simple, reliable, and available for a number of operating systems. Therefore, learning how to use this tool can be useful in so many scenarios. However, in this lecture and in the next two lectures, we're going to be using a tool called Bettercap. Bettercap can be used to do exactly what we did with arpspoof. So we can use it to run an ARP spoofing attack to intercept connections, and it can be used to do so much more. So we can use it to capture data, analyse it and see usernames and passwords. We can use it to bypass HTTPS and potentially bypass HSTS.

We can use it to do DNS spoofing, inject code into the loaded pages, and so much more. For now, though, I'm going to show you how to install the tool and give you a quick overview of how to use it. And we'll go over all of that in the next few lectures. So I'm going to go to my Kali machine and run Bettercap. All I have to do now is just type its name, bettercap. Now, as usual, if you want to get more information on this command and how to use it, you can do --help, and this will give you a complete help menu. But you don't really need to worry about this now because we will be using the tool a lot throughout the course and you will learn a lot as you use it. So I'm going to clear the screen again and run the tool now. I'm going to type bettercap, the name of the tool, followed by -iface to specify the interface that is connected to the network that I want to run the attacks against. And as you know, to get my interface, we can just do ifconfig, and I'm going to be running this against my NAT network, which is what eth0 is connected to.

So I'm going to set my interface to eth0. I'm going to close this and I'm going to hit Enter to run the tool. And as you can see now, we're inside the tool. We have a different prompt now in which we can use the commands of Bettercap. Now, as you can see here, it's telling us that we can type help to get a list of all of the commands that we can use with Bettercap. And since we don't know how to use it, I'm actually going to type help, and perfect. As you can see, we get a full list of all of the commands that we can use. I'm going to use them with you as we go through the course, so you can have a quick look at them, but don't worry too much about them. What's really important and you need to pay attention to right now is the modules. So these are all of the modules that we can use for all of the things that we can get Bettercap to do. And as you can see right now, none of them are running except for events.stream, which is basically the module that runs in the background to handle all the events. Now you can type help followed by the name of any module you want. And this will show you a help menu that shows you how to use this specific module. For example, I want to show you in this lecture the net.probe and the net.recon modules. So since I don't know how to use them, I've typed help and I'm going to follow it by the name of the module, which is net.probe. I'm going to hit Enter and, as you can see, you'll get a description of what this module does. So basically, it keeps sending UDP packets to discover devices on the same network. And we can do net.probe on to turn on the module and net.probe off to turn it off. You can also see all the options that you can modify for this module. And I'm going to talk about options and how to modify them in the next lecture.

So for now, I'm going to keep all these options at their default values and I'm just going to do net.probe on to turn it on. And as you can see, this will automatically start discovering clients connected to the same network. So 10.0.2.7 right here is actually my Windows target machine. So if I go to the target Windows machine right here and do ipconfig, you'll see its IP address is 10.0.2.7. So this is just another way of discovering connected clients quickly using Bettercap. And what you didn't notice right now is that when we started net.probe, it automatically started net.recon. To confirm this, if we go up right here, you can see the only module that was running is events.stream. And now if I do help, you'll see I actually have two modules running: net.probe, which we just saw and we turned on manually, and net.recon, which got turned on automatically by Bettercap. The reason for this is that net.probe sends probe requests to all possible IPs. And then if we get a response, net.recon would be the one detecting this response by monitoring my ARP cache and then adding all of these IPs into a nice list so we can target them. So now, because net.recon is actually running, we can do net.show to see all of the connected clients. And as you can see, we get a nice list of all of the connected clients.

We can see their IPs, we can see the corresponding MAC addresses for these clients, and it can also show you information right here about each one of these IPs. For example, it's telling us that this right here is the IP for eth0. So this is the IP of this computer. It's also telling us that this right here is the gateway. This is the IP of the router. And, as you can see, the vendor column is attempting to identify the manufacturer of the hardware used in each of these clients. So, as you can see for the gateway, it thinks that it uses a Realtek chipset. Now, you can also see the 10.0.2.7 device here. Like I said, this is my target Windows device right here. So that's it for this lecture. I just wanted to give you a quick overview of how to get help with a specific module, how to run a specific module, and how to analyse the results. And in the next lecture, I'm going to show you how we can run an attack using Bettercap to intercept the data and read usernames and passwords that flow through the network once we become the man in the middle. Once we intercept the connection

4. ARP Spoofing Using Bettercap

Now in this lecture, I want to show you how to run an ARP spoofing attack using Bettercap. This will allow us to place our computer in the middle of the connection and intercept data. Not only that, but we're also going to see how we can read this data. So we can see all the URLs of all the websites that the target visits, and we'll see everything that they post. So we'll be able to capture and view anything they send to any website, including usernames and passwords. So first we need to become the man in the middle. And we're going to do this using a module called arp.spoof. So if I scroll up to the help menu, you can see we have a module here called arp.spoof. So as usual, if we don't know how to use this module, we're going to do help arp.spoof because we want to see how to use this module and all the options that we can set for it. So as you can see, as usual, we can do arp.spoof on to turn this module on. We can do arp.ban on and this will literally just cut the connection to the target. This is very simple.

You can try it on your own time. I'm not going to do it here. You can do arp.spoof off to turn it off and arp.ban off to turn the ban off. Now, in the previous lecture, I also said that anything you see under the parameters are the options that we can set for this specific module, but I didn't show you how to modify them. So in this lecture we're actually going to be modifying some of these options. Now, as you can see, the tool is actually very helpful because, first of all, it gives us the option name in yellow here. So these are the options that we can set, that we can change. And then it's also giving us a description of what this option does and the default value. So, for example, we can see we have an option called arp.spoof.fullduplex. You can see the description for this option and basically what this option will do. If you set it to true, it will spoof both the router and the target. So it's similar to what we did with arpspoof when we executed the command twice to spoof both the router and the target. If you set this to true, both the router and the target will be spoofed, putting you in the middle of the connection. If you leave it at the default, which is false, you will only spoof the target machine. Now, this can be useful if the router has some sort of protection against ARP spoofing attacks because you won't be interacting with the router at all. But it's also limiting because we won't be able to do what I'm going to do in the next lectures. Because the router will communicate with the target device directly, we won't be able to inject stuff into the responses that the router sends to the target device. Now, I actually want to change this to true. The method I'm going to use to do this can be used to change any option in any module in Bettercap, so not only in arp.spoof. If you're using any module, you can do help followed by the module name.

Once you get help for that module, you can see all of the options that you can set here. And then if you want to modify the value of any of these options, all you have to do is copy the option name, which is what I have right here, and type set followed by the option that you want to modify. And in my case, it's called arp.spoof.fullduplex. And I want to set this to true. So very, very simple. And like I said, you can use this command to change any option in any module in Bettercap. All you have to do is type set followed by the option name, followed by the value that you want to set. So I'm going to hit Enter and that's done. If you don't see errors, it means it was executed properly. The next option that I want to change is the targets.

So again, in the description, it's clear that these are the targets that I want to run the attack against. And I can use a comma if I want to target more than one IP at the same time. So again, just like what I did before, I'm going to do set followed by the option name, which is arp.spoof.targets. And you can actually use Tab to autocomplete. So if I just press Tab, it will autocomplete the targets for me. And after this, I'm going to put the value that I want to set this option to, which is the IP of my target. And we can get this using netdiscover, using Zenmap or using the result that I got here after I ran the recon module. I did net.show, and we got all of this, which is the list of all of the computers connected to the same network. And my target right now is this particular device, 10.0.2.7. This is my Windows virtual machine right here. So I'm going to put the IP, 10.0.2.7. And again, we don't see any errors, which means that everything was executed as expected. Now we're ready to run the tool. And again, based on the help menu that we got, we can do arp.spoof on to turn this module on.

So we're going to do arp.spoof on, and perfect. As you can see, we see no errors. It's telling us that the module is running. And if I do help, again, we're going to get a list of all of the modules that are running right now. And as you can see, arp.spoof is on. Also, it is very important that you make sure net.probe and net.recon are running. We did this in the previous lecture. That's why I didn't do it now. So, as shown here, Bettercap should be doing what arpspoof was doing, spoofing both the router and the target device and putting me in the middle of the connection. So let's go to the Windows machine right here. And I'm going to do arp -a. And as you can see, the router's MAC address right here is the same as the MAC address for this device, which is 10.0.2.15. And if I go back here to the Kali machine and do ifconfig, you'll see this is the same MAC address as the MAC address of the Kali eth0 interface. So basically, what this means is that this Windows machine, every time it wants to send something to the router, will send it to the Kali machine. And because we set the full duplex option in Bettercap, the router also thinks that this Kali machine is the target machine. Therefore, any time it needs to send a response to the Windows machine, it'll actually send it to Bettercap right here. And like I said before, this means every username, password, URL, anything the target computer sends or receives will have to go through the Kali machine, where we're going to be able to read it, modify it, or drop it. And I'm going to walk you through that in the

5. Spying on Network Devices (Capturing Passwords, Visited Websites...etc)

In the previous lecture, we learned how to use Bettercap to run an ARP spoofing attack and place ourselves in the middle of the connection between a computer and the access point. And every time I do this, I keep saying this means that all the requests and all the responses will flow through our computer, which means that we'll be able to see anything a user does on the Internet. So we should be able to see the URLs, the images, the videos, the passwords they log in with, or anything they send or receive. So right now we are already in the middle of the connection and the data is already flowing through our computer. So all we have to do is just use a programme to capture this data and analyse it. Now, we can use Wireshark to do that, and I will cover this later on in the course, but for now, I'm going to use a really nice module that comes with Bettercap that will automatically capture all of the data, analyse it, and show me the interesting stuff.

So all we have to do now is to tell Bettercap to capture all of the data that is flowing through this computer and analyse it for me. And to do this, we can use the net.sniff module. You can do help followed by net.sniff to see all of the options that you can set for this module. But I showed you how to read options and change them. So for now, I actually want to run it without modifying any of the options. So I'm just going to do net.sniff on. So now everything that's going to flow through this computer will be captured and analysed by the net.sniff module. So I'm going to close this terminal window and let's go to the target Windows computer. I'm going to open my web browser and we're going to generate some traffic and see if that's going to be captured by Bettercap. What we're doing right now will not work against HTTPS. But don't worry, we'll talk about how to bypass HTTPS later on and why this won't work. But for now, for testing, I'm just going to go to a website called vulnweb, and I'm going to include its link in the resources of this lecture. So as you can see, this is a normal website that doesn't use HTTPS. It also has a number of links here. So if I click, for example, on this link, everything loads fine, as you can see here. But if we go to the Kali machine, you'll see that every request that we sent was actually captured by this computer. So you can do this to any computer that is connected to the same network as you, whether it's a wired or a wireless network. So you can see there were requests sent to Google.

If we scroll down, you'll see we made a request for this website, vulnweb.com. You can also see all of the other files that this website loaded for you. So you can see we have a logo loaded here. You can see we have a styles file being loaded here. Again, if there were more images, you'd actually see links to all of the images that are being loaded. You can see here that this is the second link that we clicked on, testphp.vulnweb.com. So this is what we have right here, here at the top. Now also, let me just go back and maybe click on the first one. And as you can see, this is another website. It has a login functionality here. And let's try, for example, logging in with a username. Let's set the user name to my name, Zaid. And let's set the password as 123-456-7890. I'm going to click on "log in." Again, as you can see, we got logged in with no issues at all. But if I go back to the Kali computer and scroll up, as you can see, we captured a login that was sent to this website, testhtml5.vulnweb.com. Again, this is exactly the website that we have here. And if you look in here, you can see that the user name was Zaytesavi and the password was one, two, three, all the way up to 90. So basically the idea that I'm trying to get across right now is that anything that the target computer sends or receives right now will be captured by the Kali machine. And like I said, we can do this to any computer or any phone that is connected to the same network as us, whether it's a WiFi or a wired network.

6. Creating Custom Spoofing Script

In the previous lectures, we learned how to use Bettercap to discover all clients on the same network, run an ARP spoofing attack to intercept the data, and then sniff data to see the usernames, passwords, and everything that's getting sent over the network. Now, in order to actually do this, we have to run a number of commands. So first of all, we had to do net.probe on to turn on the probe module. We had to set the settings for the arp.spoof module, turn that on, and then turn the sniffing module on. Now, every time you want to do this, every time you want to intercept data and see it on screen, you're going to have to do all of these steps that I showed you in the previous lecture. Or if you're lazy like myself, you can use a caplet to do all of that automatically, which is exactly what I want to show you in this lecture. So what do I mean by a caplet? Well, basically a caplet is just a text file that contains all of the commands that you want to run. So I'm going to resize this menu, I'm going to open a text file, and I'm just going to rearrange this a little bit to make it easier to follow. And I'm going to close this window here and I'm going to go to the first command that we had to run in order to do this. So again, scrolling up, the first thing we did was net.probe on. So in my text file here, I'm going to literally type this command, net.probe on, and, as we saw, this will automatically start the net.recon module.

Again, we enable both of these modules in order to discover the connected clients and keep track of any new clients that connect to the network. The next thing that we did was modify the settings for the arp.spoof module. So we did set arp.spoof.fullduplex true. I'm going to actually copy this and paste it here. Then we set the target IP. So again, I'm just going to copy this and paste it here. And keep in mind, this is very important. You want to make sure that you change the IP address to the IP of your target all the time. And if you are targeting multiple computers, you can just use the comma and type the next IP after the comma. Next, we turned on the arp.spoof module. So again, this is what I'm going to do here. I'm going to do arp.spoof on and finally run the sniffer by doing net.sniff on. So again, I'm just going to type this in here, net.sniff on. So this is actually a nice summary of what we did in the previous lectures. Again, like I said, every time you want to intercept the connections, you're going to have to start Bettercap and run all of these commands manually. You want to start the probe module. You want to enable the full duplex so you fool or spoof the target and the router. You want to set your target IP, and you want to turn on the spoof and turn on the sniff.

So to make this very easy, instead of having to type this every time we want to run an ARP spoofing attack and intercept data, I put all of this in a text file. I'm going to save this text file. I'm going to put it in my root directory and I'm going to call it spoof.cap. So I'm going to save this now, and I can close it because we're done with it, and we can go back here. And what I'm actually going to do is exit out of this. So I'm going to quit Bettercap and I'm going to clear the screen. And if I do ls to list all the files and directories in the current working directory, because right now I am in root, you can see we have a new file called spoof.cap. And just to confirm, if I go down to my file manager right here, you can see we have a new file again in the root called spoof.cap. And all we want to do is feed this file to Bettercap when we start Bettercap. We don't know how to do this, so we're going to use Bettercap's help to see all of the options that we can set with Bettercap. And what we want to do is use the -caplet option right here. So we're going to run Bettercap like we used to do. First of all, we do bettercap, followed by -iface to specify the interface that is connected to the target network. And in my case, this is eth0. So so far, this is identical to what I've been doing in the previous lectures. The only difference now is that we're going to use the -caplet option to specify my caplet file that I just created. So I'm going to do -caplet, followed by the file that I just created, which is called spoof.cap. And that's it. Now, before I hit Enter, just to confirm with you, I'm going to go back to my Windows machine and I'm going to do arp -a, just to show you. And as you can see right now, the router IP right here has this MAC address. So after I run this, it should automatically start all of the modules that I just typed, and it should run an ARP spoofing attack. Therefore, the router's MAC address should be changed to the MAC address of eth0, which is connected to Kali right here.

So I'm going to hit Enter. And as you can see, we actually got an error, and the error was saying that spoof could not be found. So I'm suspecting I made a spelling mistake. And I did. As you can see, I actually misspelled the caplet's file name. So I actually make a lot of mistakes like this. So I'm just going to rename this to spoof and we're going to go back here. I'm going to exit and run the same command again, and perfect. As you can see, we got no errors at all. If I do help, as you can see, automatically we have arp.spoof running. We have the probe, the recon, and the sniffer all running as soon as we run Bettercap. If you remember, the first time we ran it, we only had events.stream running and had to do everything manually and set the options manually. So this is a really, really nice way of doing it. Now let's confirm that everything is working as expected. So I'm going to go to the Windows machine and we're going to do arp -a again, and perfect. As you can see, the router's MAC address has changed to the same MAC address as the Kali machine. And the original router's MAC address, the correct one, was this.

So this means that this Windows machine is now spoofed, thinking that the Kali machine is the router, and the router now thinks that the Kali machine is this machine. This will place Kali in the middle of the connection. And just to confirm this real quick, I'm already on vulnweb. This is the website that we tested login on before. I'm actually still logged in. So I'm going to log out, log in again, and I'm going to leave the username as admin. And I'm just going to put in a password again, 123-4290, Enter. Let's go back, and perfect. As you can see, we wouldn't be able to get this if we were not in the middle of the connection. So the fact that we're getting all of this means that we managed to intercept the data and see everything the target user sends or receives. And again, we have the username and the password right here. Like I said, this will only work with HTTP. We will discuss HTTPS in the next lectures. But in this lecture, I just wanted to show you an easy way of scripting commands that you often run with Bettercap, because in the future, we're going to be doing a number of things that rely on us being the man in the middle, and I don't want to waste time enabling all of the modules that we're running here. So again, if I right click this and open it with a normal text editor, all you have to do is just put your commands in a file, give the file a specific name, and then when you run Bettercap, all you have to do is just use the -caplet argument followed by the name of your cap file.
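The arp -a comparison in lectures 4 and 6 (the gateway entry taking on the MAC address of another host) is also what a defender checks for. The following is an added example, not part of the course material: it parses Windows arp -a output and reports a changed gateway MAC and any MAC shared by several IPs. The addresses and both sample tables are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# One data row of Windows `arp -a` output: IP, MAC, entry type.
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+(\w+)\s*$"
)

# Constructed sample output (not captured from the lecture's machines).
ARP_BEFORE = """
Interface: 10.0.2.7 --- 0x4
  Internet Address      Physical Address      Type
  10.0.2.1              52-54-00-12-35-00     dynamic
  10.0.2.15             08-00-27-aa-bb-cc     dynamic
  10.0.2.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
# Same table after the gateway entry has been poisoned.
ARP_AFTER = ARP_BEFORE.replace("52-54-00-12-35-00", "08-00-27-aa-bb-cc")


def parse_arp_table(text):
    """Return {ip: mac} for unicast entries; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        ip, mac, _entry_type = m.groups()
        mac = mac.lower().replace("-", ":")
        # Broadcast and multicast MACs have the low bit of the first octet
        # set; many IPs legitimately share them, so they are not evidence.
        if int(mac[:2], 16) & 1:
            continue
        table[ip] = mac
    return table


def find_spoofing(baseline, current, gateway_ip):
    """Compare a trusted baseline table with the current one."""
    findings = []
    old, new = baseline.get(gateway_ip), current.get(gateway_ip)
    if old and new and old != new:
        findings.append(("gateway-mac-changed", gateway_ip, old, new))
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            ordered = tuple(sorted(ips, key=ipaddress.ip_address))
            findings.append(("duplicate-mac", mac, ordered))
    return findings


if __name__ == "__main__":
    before = parse_arp_table(ARP_BEFORE)
    after = parse_arp_table(ARP_AFTER)
    for finding in find_spoofing(before, after, "10.0.2.1"):
        print(finding)
```

With full duplex spoofing the router's table is poisoned as well, so the same duplicate-MAC check applies to the gateway's own ARP cache.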

7. Bypassing HTTPS

Everything we've done so far will only work with HTTP pages. The reason why it works against HTTP is that, as we saw, the data in HTTP is sent as plain text. So it's text that humans like us can read and understand. That's why when we're the man in the middle, we're able to read this text, and if we wanted, we're able to modify this text as we wish. This is obviously a problem, and this problem was fixed in HTTPS. So, as you know, most websites use HTTPS. The reason why, like I said, is that it's a more secure version of HTTP. And basically, the way it works is it adds an extra layer over HTTP, which is where the S comes from. So it's a secure HTTP protocol. And this extra layer will encrypt the plaintext data that HTTP sends. So, if a person manages to become the man in the middle, they will be able to read this data, but the data will be gibberish. It will not be readable by the person intercepting the connection. Now, HTTPS relies on TLS or SSL to encrypt data, and this is very difficult to break. Therefore, in order to bypass this, the easiest method is to downgrade HTTPS connections to HTTP.

So, since we're the man in the middle, we can check if the target is requesting an HTTPS website. We will give him the HTTP version of the website rather than the HTTPS version. This way, the data will be sent in plaintext and we'll be able to read it exactly as I showed you in the previous lecture. To do this manually, we'd have to configure and use a tool called SSLstrip. And I show how to do this in my more advanced courses. But luckily, Bettercap has a caplet that does all of that for us. I also modified this caplet myself to get it to work more reliably and on more websites. So please make sure you use the custom Kali image that I made for this course because it comes with this modified caplet by default. If you want to use the original Kali, then you're going to have to manually download this caplet and put it in the right path. I am using the custom Kali in here, so I won't need to do any of that. I can simply run Bettercap and use it. But before doing that, I just want to go to the home directory and modify this spoof caplet we have been using in the previous lectures. And I just want to modify one thing in this. So I'm going to right-click it and open it with Leafpad. And what I want to modify is that I want to add an option to the sniffer in here. So, as you know, this line, net.sniff on, will turn on my sniffer. But before turning it on, I want to set net.sniff.local to true. And what this option will do is it'll tell Bettercap to sniff all data even if it thinks this data is local data.

The reason why I set this option to true is because once we use the HTTPS bypass caplet, the data will seem as if it's being sent from our computer. So Bettercap will think these passwords belong to me, to my computer, and it will not display them to me on screen. That's why we're setting it to true so that we can see all the usernames and the passwords sent on the websites that we will downgrade from HTTPS to HTTP. So I'm going to save this with Ctrl+S and quit it with Ctrl+Q. And now we are actually ready to go and use this caplet and see how we can downgrade HTTPS to HTTP and steal passwords from login pages that use HTTPS by default. So I'm going to go to my terminal and I'm going to use Bettercap exactly as I've been using it before. So we're doing bettercap, the name of the program. We're giving it our interface after the -iface argument. We're using the -caplet argument to specify a caplet to run as soon as we run the program. And we're running the spoof caplet, the one that we built in the previous lecture, that will run the ARP spoofing command and run the sniffer for us. So I'm going to hit Enter and, as you can see, everything got executed as expected. If we do help, we'll see all the running modules, and we'll have arp.spoof and the sniffer running with the recon and with the probe. So this is exactly what we wanted from our caplet. So first of all, the HSTS bypass caplet is one of many caplets that Bettercap comes with. If you want to list all of these caplets, you can do caplets.show, and as you can see, you'll get a list of all of the caplets that you have and their location on the system. Now the caplet that we want to run is hstshijack/hstshijack, this one right here. And to run any of these caplets, all you have to do is literally just type their name, and as usual, you can use Tab to autocomplete.

So to run our caplet right here, all I have to do is literally type hs and press Tab, and as you can see, it will automatically autocomplete for me and type the name. Now, if I hit Enter, this will load the caplet with all of its options and it'll run it for me. So as you can see, because we don't see any errors, this means everything got executed as expected. So let's go to the Windows machine, browse some HTTPS pages, and see if we can sniff data, usernames, passwords, and URLs that they enter on their computer. So I have my Windows machine here. I have Chrome installed. This is the latest version of Chrome at the time of recording this lecture. A really good idea before trying all of these things is to remove your browsing data, because the websites that we're going to try to access might be cached, and they might be just loaded from your cache. This will only happen if you're visiting the same website over and over again, mostly when testing. Therefore, it's a really good idea to press Ctrl+Shift+Delete and click on Clear browsing data. Make sure all of this is ticked, make sure it's set to all time, and click on Clear to remove all of it. And let's go ahead and go to a website that uses HTTPS. So a good example would be LinkedIn.com, and perfect. If you look here at the top, you'll see the website is loading over HTTP, not over HTTPS. Therefore, we will be able to see anything the user enters in these boxes. So let's put a username. Let's set it to zaid@zsecurity.org. And I'll set the password as 123-456-7890. It doesn't really matter. You can use any password. And I'm going to hit Enter to log in. This is wrong, so obviously we're getting an error message. But if we go back to Kali, as you can see, we're capturing all of this data because it's not being sent over HTTPS anymore, it's being sent over HTTP. And if you look in here, you can see we captured login information. It's sent to LinkedIn.com, sent to this specific URL, a login URL, and you can see the username is zaid@zsecurity.org, and the password is one, two, three, all the way up to 90. So that's really, really good.

Let's go ahead and test another HTTPS website. Let's go to stackoverflow.com. Again, you can see on top it's loading over HTTP, not HTTPS. So I'm going to click on Login and again, I'm going to put my email, Zayed@zsecurity.org, and we'll put a password as 123-456-7890, hit Enter, and let's go to the Kali machine again. Scroll down this time, because we're stuck on top, and perfect. You can see we have a POST request here. It's sent to this specific URL. Again, you can see "login" in the URL. You can see the website itself, stackoverflow.com. And if we scroll down a little bit more, we can see that the username is Zayed@zsecurity.org. And the password again, one, two, three, all the way up to 90. So that is really, really good.

Now we can downgrade any HTTPS connection to HTTP as long as the target website uses HTTPS, not HSTS. So this method will work against pretty much all websites that use HTTPS, except for the really popular websites such as Facebook, Twitter, and so on. So let me show you a quick example. If I go here and try to go to Facebook.com, you'll see that the website got loaded over HTTPS, not over HTTP, even though we configured our caplet correctly, and even though we're able to downgrade HTTPS connections on a lot of websites, such as LinkedIn and Stack Overflow. This is happening because Facebook is using HSTS, which is a little bit trickier to bypass. In the next lecture, we'll talk more about what HSTS is, why it's tricky to bypass, and how to partially bypass it and still get usernames and passwords from the websites that implemented it, such as Facebook, Twitter, and so on.
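The difference the lecture draws between a site that only serves HTTPS and one that also sends HSTS can be audited from the server side. The following is an added example, not part of the lecture: it checks a response's Strict-Transport-Security header against RFC 6797 and the one-year max-age that the browser preload list asks for. The host names and header values in SAMPLES are constructed.

```python
import re

PRELOAD_MIN_AGE = 31536000  # one year: minimum max-age for the browser preload list

# Constructed sample responses (not captured from real sites).
SAMPLES = {
    "no-hsts.example": {"Content-Type": "text/html"},
    "short.example": {"Strict-Transport-Security": "max-age=300"},
    "strong.example": {"strict-transport-security":
                       "max-age=63072000; includeSubDomains; preload"},
}

def parse_hsts(value):
    """Return (max_age, include_subdomains, preload); max_age is None if unusable."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in directives:               # RFC 6797: each directive only once
            return None, False, False
        if name:
            directives[name] = arg.strip().strip('"')   # value may be a quoted-string
    age = directives.get("max-age", "")
    max_age = int(age) if re.fullmatch(r"[0-9]+", age) else None
    return max_age, "includesubdomains" in directives, "preload" in directives

def assess(headers, over_https=True):
    """List weaknesses in one response's HSTS policy; empty list means none found."""
    value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if value is None:
        return ["no HSTS header: browser may keep using plain HTTP"]
    if not over_https:
        return ["HSTS header on an HTTP response is ignored by browsers"]
    max_age, include_sub, preload = parse_hsts(value)
    findings = []
    if max_age is None:
        findings.append("missing or malformed max-age: header is ignored")
    elif max_age == 0:
        findings.append("max-age=0 tells the browser to drop the policy")
    elif max_age < PRELOAD_MIN_AGE:
        findings.append("max-age shorter than one year")
    if not include_sub:
        findings.append("includeSubDomains missing: subdomains not covered")
    if not preload:
        findings.append("no preload directive: first visit is not protected")
    return findings

if __name__ == "__main__":
    for host, hdrs in SAMPLES.items():
        print(host, assess(hdrs) or "ok")
```

An empty result means the policy covers subdomains, lasts at least a year and is eligible for preloading, which is the configuration that leaves no plain-HTTP first request to intercept.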


Comments (8)


  • Ajala maroof
  • Nigeria
  • Jan 13, 2023

I need exam dump for CEH VS11

  • Andrew
  • Mexico
  • Jan 02, 2023

Looking for valid ceh study guide. When was the last update?

  • Loma
  • New Zealand
  • Dec 25, 2022

Passed your CEH practice exam, so hopefully I can make it on the real exam tomorrow! ;)

  • Hene
  • Puerto Rico
  • Dec 11, 2022

Relevant ceh exam questions!!! Passed yaaay

  • David
  • United States
  • Dec 02, 2022

Useful CEH training! Passed 312-50 and 80% of the questions were there! Thanks

  • Ali
  • Netherlands
  • Nov 24, 2022

Please, provide the latest ceh v10 material!

  • Momo
  • France
  • Nov 11, 2022

Yaay, thank you examsnap!!! Passed ceh exam!

  • Mor
  • United Kingdom
  • Nov 03, 2022

Passed ceh certification! this material is the way to success! do not doubt
