Bettercap ARP Spoof and DNS Spoof

Disclaimer: Only perform pentests on your own network or networks you are authorized to test.

Bettercap is a great pentesting tool for performing ARP spoof and DNS spoof attacks, also known as Man-in-the-Middle (MITM) attacks. It also has many other features, such as HID (human interface devices such as mice and keyboards) hijacking, Bluetooth Low Energy device hacking, CAN bus hacking, etc.

This article will focus on ARP and DNS Spoofing and the commands you need to get started.

Step 1: Scan for devices

Start Bettercap by running the command below, giving it the network interface to use. To list your interfaces, run ifconfig:

sudo bettercap -iface <interface here>

Once Bettercap is open, run this command to scan for devices on the network:

net.probe on
net.show

net.probe actively probes the network for hosts and stores the devices it finds internally for you to view. The net.show command lists all the discovered devices. Leave net.probe running, or run net.probe off once you are done.

(Screenshot: net.show output before starting ARP and DNS spoofing)

I found that, should a device have both an IPv4 and an IPv6 address, net.show will only display the IPv6 address. You can also run a simple nmap scan to get a list of devices using the command below. It performs a ping scan and shows both IPs and MACs.

nmap -sn 192.168.1.0/24 

Step 2: ARP spoof

Before starting the ARP spoofing attack, it will be useful to run “arp -a” on the target machine, or just “arp” if the target is Linux.

Take note of the MAC address of your router, i.e. the gateway, so you can compare it after the attack.

(Screenshot: arp output showing the router MAC before the ARP spoofing attack)

Now run these commands in Bettercap:

  • Fullduplex means it will attack the router and the target. This is the only option that worked for me.
  • In Targets the first IP is my router and the second IP is my target.

set arp.spoof.fullduplex true
set arp.spoof.targets 192.168.1.1,192.168.1.106
arp.spoof on

Now run the same arp command on your target again. The MAC address listed for your router is now the MAC of the Kali machine.

(Screenshot: arp output showing the router MAC changed to the Kali MAC; the ARP spoof worked)
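A defender-side check for the symptom just shown, as an added example that is not from the original post: it parses `arp -a` output (the constructed sample below is in Linux format; Windows-style rows are also accepted) and alerts when the gateway MAC differs from a recorded baseline or when one MAC answers for several IPs, which is what the router and the Kali machine sharing a MAC looks like. The gateway IP and baseline MAC are assumed values.

```python
import re
from collections import defaultdict

# Constructed sample of `arp -a` output on a Linux host (not captured from the post).
SAMPLE_ARP_A = """\
_gateway (192.168.1.1) at 02:aa:bb:cc:dd:ee [ether] on eth0
kali (192.168.1.50) at 02:aa:bb:cc:dd:ee [ether] on eth0
printer (192.168.1.20) at 3c:11:22:33:44:55 [ether] on eth0
"""

# Linux `arp -a` rows look like "host (ip) at mac ..."; Windows rows look like "ip  mac  type".
LINUX_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]{17})")
WINDOWS_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})")


def parse_arp_table(text):
    """Return {ip: mac} (lowercase, colon-separated) from Linux or Windows `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = LINUX_RE.search(line) or WINDOWS_RE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table


def check_arp_table(table, gateway_ip, known_gateway_mac):
    """Flag a gateway MAC that differs from the recorded baseline, and any MAC
    that claims more than one IP (the router plus the spoofing host)."""
    findings = []
    seen = table.get(gateway_ip)
    if seen is None:
        findings.append(f"gateway {gateway_ip} missing from ARP table")
    elif seen != known_gateway_mac.lower():
        findings.append(f"gateway MAC changed: expected {known_gateway_mac.lower()}, saw {seen}")
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} answers for multiple IPs: {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    # Assumed baseline: the router MAC recorded before the attack.
    for finding in check_arp_table(parse_arp_table(SAMPLE_ARP_A), "192.168.1.1", "d4:6e:0e:11:22:33"):
        print("ALERT:", finding)
```

Run it periodically on a client (or feed it a saved `arp -a` capture) and compare against the MAC you noted before starting the exercise.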

Step 3: Monitor traffic

set net.sniff.local true
net.sniff on

Set net.sniff.local to true: because the spoofed traffic is now being forwarded through the Kali machine, some modules may otherwise treat it as traffic originating from Kali and skip it, so it is a good idea to turn this on.

(Screenshot: net.sniff output showing the intercepted traffic)

You can stop the sniffer while ARP is running by issuing this command:

net.sniff off

Now check out the stats for net.sniff. This gives some useful information such as the number of sniffed packets, the net.sniff config, etc.

net.sniff stats

You can also write the net.sniff packets to a pcap file for viewing in Wireshark. net.sniff.output takes a file path, and the folder must already exist:

set net.sniff.output /path/to/existing/folder/capture.pcap

Step 4: DNS Spoof

This does not always work, especially if you have DNS set manually or if you are using something like pihole. This could be because of DNSSEC.

This also won't work against sites that implement HSTS.

So at this point I switched routers that run on the 192.168.165.0/24 IP range to get it to work.

Replace “neverssl.com” with your desired domain, then enable the module:

set dns.spoof.domains *.neverssl.com
set dns.spoof.all true
dns.spoof on

You will see output like this while net.sniff is running. This tells us that Bettercap did in fact see the DNS request and responded to it.

(Screenshot: dns.spoof output showing Bettercap responding to the DNS request)

Step 5: Local Webserver

Kali will now be responding to the domains you are DNS spoofing, so in order for Kali to serve websites you need to start up a webserver. I just used Python as I mainly wanted to see whenever a request came in, I wasn’t too concerned with responding with a website.

In a new terminal run this command:

sudo python3 -m http.server 80

(Screenshot: the Python HTTP server logging requests that arrived via the spoofed DNS answers)

Here we can see that we got requests for /online, favicon.ico, etc.

Cleanup

You can type the help command to see which modules are running. For our exercise we will stop the modules we started:

net.sniff off
dns.spoof off
arp.spoof off
net.probe off

It will take about a minute or so for your target device to show the original MAC address in its ARP table.

necrolingus

Tech enthusiast and home labber