Sniffing & Spoofing | mitm, wifi, ble, arp, dns, recon, spoofing, network

bettercap

bettercap is a complete, modular, portable and easily extensible MITM framework serving as a Swiss Army knife for reconnaissance of and attacks on 802.11, BLE, IPv4 and IPv6 networks. It provides an all-in-one solution for security researchers, red teamers and reverse engineers.

Description

bettercap is a powerful, easily extensible and portable framework written in Go, designed to offer security researchers, red teamers, and reverse engineers an easy-to-use, all-in-one solution for reconnaissance and attacks on WiFi networks, Bluetooth Low Energy devices, wireless HID devices, and Ethernet networks. It supports a wide range of features including WiFi scanning, deauthentication attacks, PMKID association attacks, WPA/WPA2 handshake capture, BLE scanning and characteristics manipulation, 2.4GHz wireless device scanning with MouseJacking, IP network probing, and spoofing for MITM attacks on IPv4 and IPv6 networks.

Use cases include passive and active network reconnaissance, credential harvesting via network sniffing, port scanning, and orchestrating complex attacks through its REST API and web UI. Proxies operate at packet, TCP, and HTTP/HTTPS levels with scriptable JavaScript plugins, enabling advanced protocol fuzzing and traffic manipulation. The interactive session provides commands like net.show for displaying network endpoints with IP, MAC, vendor, and traffic details.

The tool features modules such as arp.spoof, dns.spoof, net.recon, and wifi, which can be started or monitored within the session. It is particularly useful for man-in-the-middle scenarios, wireless attacks, and comprehensive network analysis in penetration testing environments.

How It Works

bettercap operates as an interactive framework with a command-line interface for managing modules like net.recon (for endpoint detection), arp.spoof, dns.spoof, and wifi. It detects endpoints via network probing, displaying IP, MAC, vendor (e.g., VMware, Inc.), and traffic stats in tables via net.show. Spoofing modules enable MITM by ARP, DNS, NDP, or DHCPv6 manipulation on IPv4/IPv6 networks. WiFi features include scanning, deauth attacks, PMKID association, and handshake capture; BLE handles device enumeration and read/write; 2.4GHz supports HID injection with DuckyScript. Proxies filter at packet/TCP/HTTP levels with JS plugins; sniffer harvests credentials; REST API and websockets handle events for orchestration.
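From the defender's side, ARP-based MITM of the kind described above shows up as an IP address (typically the gateway) suddenly answering from a different MAC, and one MAC answering for several IPs. The following is an added example, not part of bettercap or the original page; the tcpdump-style log lines, MAC addresses and the function name find_arp_anomalies are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: tcpdump-style ARP replies ("is-at") seen on one LAN segment.
# All addresses and MACs are made up for illustration.
SAMPLE = """\
10:00:01 ARP, Reply 172.16.10.254 is-at 00:50:56:aa:bb:01, length 46
10:00:02 ARP, Reply 172.16.10.20 is-at 00:50:56:aa:bb:20, length 46
10:00:05 ARP, Reply 172.16.10.30 is-at 00:50:56:aa:bb:30, length 46
10:00:09 ARP, Reply 172.16.10.254 is-at 00:50:56:aa:bb:30, length 46
10:00:10 ARP, Reply 172.16.10.254 is-at 00:50:56:aa:bb:30, length 46
10:00:11 ARP, Reply 172.16.10.20 is-at 00:50:56:aa:bb:30, length 46
"""

REPLY = re.compile(
    r"^(\S+) ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})", re.I)

def find_arp_anomalies(text):
    """Return (rebinds, multi_claims).

    rebinds: list of (time, ip, old_mac, new_mac) where an IP moved to a new MAC.
    multi_claims: {mac: sorted ips} for MACs currently answering for more than one IP.
    """
    binding = {}   # ip -> last MAC seen answering for it
    rebinds = []
    for line in text.splitlines():
        m = REPLY.match(line)
        if not m:
            continue  # skip anything that is not an ARP reply
        ts, ip, mac = m.group(1), m.group(2), m.group(3).lower()
        old = binding.get(ip)
        if old is not None and old != mac:
            rebinds.append((ts, ip, old, mac))
        binding[ip] = mac
    claimed = defaultdict(set)
    for ip, mac in binding.items():
        claimed[mac].add(ip)
    multi = {mac: sorted(ips) for mac, ips in claimed.items() if len(ips) > 1}
    return rebinds, multi

if __name__ == "__main__":
    rebinds, multi = find_arp_anomalies(SAMPLE)
    for ts, ip, old, new in rebinds:
        print(f"{ts} {ip} moved {old} -> {new}")
    for mac, ips in multi.items():
        print(f"{mac} answers for {ips}")
```

Rebinding also happens legitimately (DHCP lease reuse, gateway failover), so treat a hit as a lead to correlate with switch port data rather than proof of spoofing.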

Installation

sudo apt install bettercap

Flags

-Q: Scan the system in quiet mode
-cronjob: Output in cronjob format
-autostart: Comma separated list of modules to auto start. (default "events.stream")
-caplet: Read commands from this file and execute them in the interactive session
-caplets-path: Specify an alternative base path for caplets
-cpu-profile: Write cpu profile file

Examples

Launch bettercap interactive session, showing network endpoints like 172.16.10.254 as detected with MAC and vendor
bettercap
Display usage information and available flags
bettercap -h
Scan the system in quiet mode and output in cronjob format
bettercap -Q --cronjob
Show network table with IP, MAC, Name, Vendor, Sent/Recvd traffic, and Last Seen for endpoints
net.show
List available commands or show module specific help
help
Set the VALUE of variable NAME
set NAME VALUE
Show information about active modules like net.recon and events.stream
active
Updated 2026-04-16 | kali.org