# **Using Bettercap for ARP Spoofing** ---  --- ## **Description** In this lab, I will use a Linux virtual machine to analyze the possibility of ARP Spoofing attack on a Windows machine accessing an HTTP web and stealing passwords. --- Bettercap is a versatile and powerful tool commonly used in penetration testing and network security. It offers a wide range of features, including: * ARP Spoofing Attack: Intercepts, modifies, or forwards network traffic between devices on the same local network. * Network Scanning: Lists connected devices with information such as IP addresses, MAC addresses, operating systems, and running services. * MITM (Man-In-The-Middle) Attack: Intercepts and modifies traffic between two parties without detection. * DNS Spoofing Attack: Alters DNS requests to redirect victims to malicious websites. To perform ARP spoofing attack using Bettercap, you can follow these steps: **1. Install Bettercap:** If you don't have it, you can install Bettercap on Kali Linux using the command: `sudo apt-get install bettercap` **2. Enable IP Forwarding on the Attacker Machine:** Before launching the attack, enable IP forwarding on your Linux machine to ensure packets are forwarded correctly: `echo 1 > /proc/sys/net/ipv4/ip_forward`  Identify the network interface you will use with `ifconfig`:  Start Bettercap with the identified network interface: `bettercap -iface <network interface>`  If you run the "**help**", you can see all the available comments and also the modules here as well.  Bettercap has many modules and you can see.Each module has its own purpose in performing cyber attacks, for example: > any.proxy: Intercept and modify web traffic. > > api.rest: Provides a REST API to control Bettercap remotely. > > arp.spoof: Performs ARP spoofing to redirect traffic. > > c2: Provides a framework for managing compromised machines (botnets). > > caplets: Small modules that can be used to extend Bettercap's functionality. > > dhcp6.spoof: Performs DHCPv6 spoofing. > > dns.spoof: Performs DNS spoofing to redirect web traffic. > > events.stream: Streams Bettercap events to a remote server. > > gps: Spoofs GPS location. > > hid: Performs HID (Human Interface Device) attacks to simulate a keyboard and mouse. > > http.proxy: Intercepts and modifies HTTP traffic. > > http.server: Serves files over HTTP. > > https.proxy: Intercept and modify HTTPS traffic. > > https.server: Serve files over HTTPS. > > mac.changer: Change the MAC address of a network interface. > > mdns.server: Spoof an mDNS (Bonjour) service. > > mysql.server: Spoof a MySQL server. > > ndp.spoof: Perform an NDP spoofing attack (similar to ARP spoofing but for IPv6). > > net.probe: Scan the network for devices and services. **3. Scan the Network to Identify Targets** To discover devices on the network, use Bettercap's probing module: `net.probe on`  As you can see, I already found the Windows' IP. This IP is the victim's machine. When you run help again you will see net.recon and net.probe are running  So if you run net.show, you will see a net discover like table where you will find the IP and make pairings and also the name of the computers or name of the devices as well.  **4. Start ARP Spoofing attack:**  So that arp.spoof.fullduplex is very important. I'am going to have to make sure that we change full duplex from false to true.  After that i use `set arp.spoof.targets <target IP>` This command in Bettercap is used to specify a target for an ARP spoofing attack. This command tells Bettercap that you want to attack the device with the IP address you provide. Once the target is set, Bettercap will start sending spoofed ARP packets to the target and gateway (usually a router), causing the target's network traffic to pass through your computer. My target IP is **192.168.1.5**, this is my window's IP. Before performing ARP spoofing. I will open CMD on the windows machine to check arp with the command. `arp -a`  Looking at this table we can see the router's IP address is **192.168.1.1**. and MAC address is **c0–9f-e1-f4–10–9c** So I can just run `arp.spoof on` Rerun the arp -a command  We can easily see that MAC address has changed. MAC address now is **00–0c-29–42–10–7f**. That is the MAC address of the Linux machine. So I have successfully performed ARP spoofing. Now I will show you the dangers of ARP spoofing. **5. Sniff the Network Traffic** With ARP spoofing active, you can begin capturing data packets using Bettercap's sniffer: `net.sniff on` This command in Bettercap is used to start the "sniffing" mode of network traffic. When this mode is enabled, Bettercap will start capturing all data packets that pass through the network interface it is listening on. I'm going to go ahead to [unicornitems.com](http://unicornitems.com/), which is an HTTP site. **6. HTTP Packet Analysis** As users interact with unsecured HTTP websites, Bettercap will display the captured packets in real-time, highlighting sensitive information such as: * Request Line: HTTP request type and URL. * Header Fields: Information like User-Agent and Cookies. * Data: Sensitive details, including usernames and passwords in POST requests. *  Looking at this we can see how easily a website using HTTP can be exposed. Username and Password can be easily stolen. --- # **Conclusion** Bettercap's ARP spoofing demonstrates how easily attackers can exploit network vulnerabilities, especially when dealing with unsecured HTTP traffic. This attack underscores the importance of robust security practices, such as using HTTPS, implementing strong network defenses, and regularly monitoring for suspicious activities. By understanding these techniques, security professionals can better protect networks and educate users on the risks of insecure connections, highlighting the ongoing need for vigilance in today's digital landscape.