Sniffing & Credentials Harvesting

The builtin sniffer is currently able to dissect and print the following information from the network ( or from a previously captured PCAP file ):

  • URLs being visited.
  • HTTPS hosts being visited.
  • HTTP POSTed data.
  • HTTP Basic and Digest authentications.
  • HTTP Cookies.
  • FTP credentials.
  • IRC credentials.
  • POP, IMAP and SMTP credentials.
  • NTLMv1/v2 ( HTTP, SMB, LDAP, etc ) credentials.
  • DICT Protocol credentials.
  • MPD Credentials.
  • NNTP Credentials.
  • DHCP messages and authentication.
  • REDIS login credentials.
  • RLOGIN credentials.
  • SNPP credentials.
  • And more!

Note

New parsers are added in almost every release. For a full and up-to-date list, check the SNIFFING section in the “bettercap --help” menu.

Examples

Use bettercap as a simple local network sniffer:

sudo bettercap --local

or:

sudo bettercap -L

Use the capture.pcap file in your home directory as a packets source:

sudo bettercap --sniffer-source ~/capture.pcap

Spoof the whole network and save every packet to the capture.pcap file in your home directory:

sudo bettercap --sniffer-output ~/capture.pcap

Spoof the whole network but only sniff HTTP traffic:

sudo bettercap --sniffer-filter "tcp port http"

Spoof the whole network and extract data from packets containing the word “password”:

sudo bettercap --custom-parser ".*password.*"

Options

-X, --sniffer

Enable sniffer.

-L, --local

By default bettercap will only parse packets coming from/to other addresses on the network. If you also want to process packets sent or received by your own computer, use this option ( NOTE: will enable the sniffer ).

--sniffer-source FILE

Load packets from the specified PCAP file instead of the network interface ( NOTE: will enable the sniffer ).

--sniffer-output FILE

Save all packets to the specified PCAP file ( NOTE: will enable the sniffer ).

--sniffer-filter EXPRESSION

Configure the sniffer to use this BPF filter ( NOTE: will enable the sniffer ).

-P, --parsers PARSERS

Comma separated list of packet parsers to enable, * for all ( NOTE: will enable the sniffer ). Available: COOKIE, CREDITCARD, DHCP, DICT, FTP, HTTPAUTH, HTTPS, IRC, MAIL, MPD, MYSQL, NNTP, NTLMSS, PGSQL, POST, REDIS, RLOGIN, SNMP, SNPP, URL, WHATSAPP. Defaults to *.

--custom-parser EXPRESSION

Use a custom regular expression in order to capture and show sniffed data ( NOTE: will enable the sniffer ).
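
Several of the protocols listed at the top of this page (FTP, POP, IMAP, HTTP Basic) send credentials unencrypted, which is why a sniffer can read them. The following is an added example, not bettercap code: a stand-alone Ruby audit that reads a capture and reports which hosts and ports still authenticate in cleartext, without printing the secret. It assumes a classic little-endian PCAP with Ethernet/IPv4/TCP frames; the function names, patterns and sample capture are constructed for illustration.

```ruby
# Added example: flag cleartext authentication in a classic little-endian PCAP
# (Ethernet/IPv4/TCP only). The secret itself is never included in the report.
PATTERNS = {
  'HTTP Basic auth'   => /^Authorization: Basic /i,
  'FTP/POP USER/PASS' => /\A(?:USER|PASS) /i,
  'IMAP LOGIN'        => /\A\S+ LOGIN /i
}.freeze

def cleartext_auth_findings(pcap)
  pcap = pcap.b # index by bytes, not characters
  raise ArgumentError, 'not a classic PCAP' unless pcap.bytesize >= 24 && pcap.unpack1('V') == 0xa1b2c3d4
  raise ArgumentError, 'only Ethernet captures handled' unless pcap[20, 4].unpack1('V') == 1
  findings, off = [], 24
  while off + 16 <= pcap.bytesize
    caplen = pcap[off + 8, 4].unpack1('V')             # captured length of this record
    frame = pcap[off + 16, caplen]
    off += 16 + caplen
    next if frame.bytesize < 54 || frame[12, 2].unpack1('n') != 0x0800 # IPv4 only
    tcp = 14 + (frame.getbyte(14) & 0x0f) * 4          # TCP header starts after the IP header
    next if frame.getbyte(23) != 6 || frame.bytesize < tcp + 20        # TCP only
    src, dst = frame[26, 4].bytes.join('.'), frame[30, 4].bytes.join('.')
    dport = frame[tcp + 2, 2].unpack1('n')
    payload = frame[(tcp + (frame.getbyte(tcp + 12) >> 4) * 4)..-1] || ''
    PATTERNS.each { |label, re| findings << [src, dst, dport, label] if payload.match?(re) }
  end
  findings.uniq
end

# Constructed sample capture (documentation addresses), built in memory.
def sample_frame(src, dst, dport, payload)
  eth = ("\x00" * 12).b + [0x0800].pack('n')
  ip  = [0x45, 0, 40 + payload.bytesize, 0, 0, 64, 6, 0].pack('CCnnnCCn') +
        src.split('.').map(&:to_i).pack('C4') + dst.split('.').map(&:to_i).pack('C4')
  tcp = [40000, dport, 0, 0, 0x50, 0x18, 1024, 0, 0].pack('nnNNCCnnn')
  eth + ip + tcp + payload.b
end

def sample_pcap(frames)
  header = [0xa1b2c3d4, 2, 4, 0, 0, 65535, 1].pack('VvvVVVV')
  header + frames.map { |f| [0, 0, f.bytesize, f.bytesize].pack('V4') + f }.join
end

SAMPLE = sample_pcap([
  sample_frame('192.0.2.10', '192.0.2.21', 21, "PASS constructed-secret\r\n"),
  sample_frame('192.0.2.10', '192.0.2.80', 80,
               "GET / HTTP/1.1\r\nAuthorization: Basic Y29uc3RydWN0ZWQ=\r\n\r\n"),
  sample_frame('192.0.2.10', '192.0.2.44', 443, "\x16\x03\x01\x00\x05hello") # TLS-like, no match
])
cleartext_auth_findings(SAMPLE).each { |f| puts f.join(' ') }
```

Each reported destination is a service to move to its TLS-protected equivalent; the TLS-like frame in the sample produces no finding because its payload is not readable text.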