Sniffing & Spoofing

BetterCap – A complete, modular, portable and easily extensible MITM framework

BetterCap is an attempt to create a complete, modular, portable and easily extensible MITM framework with every kind of features could be needed while performing a man in the middle attack.
It’s currently able to sniff and print from the network the following informations:

  • URLs being visited.
  • HTTPS host being visited.
  • HTTP POSTed data.
  • FTP credentials.
  • IRC credentials.
  • POP, IMAP and SMTP credentials.
  • NTLMv1/v2 ( HTTP, SMB, LDAP, etc ) credentials.


Default sniffer mode, all parsers enabled:

Enable proxy and use a custom port:

Enable proxy and load the module example_proxy_module.rb:

Disable spoofer and enable proxy ( stand alone proxy mode ):

Modules – You can easily implement a module to inject data into pages or just inspect the requests/responses creating a ruby file and passing it to bettercap with the –proxy-module argument, the following is a sample module that injects some contents into the title tag of each html page.


  • colorize (gem install colorize)
  • packetfu (gem install packetfu)
  • pcaprub (gem install pcaprub) [sudo apt-get install ruby-dev libpcap-dev]

Download BetterCap at Github Repo: EvilSocket

I started blogging around 2011 at #Ubuntupirates, #ProjectX and #pir8geek, I’m currently working as Network/Linux SysAdmin.

I’m a Linux,opensource advocate and interested in network security and InfoSec.

Leave a Reply