bettercap

bettercap [options]

Common Usage Examples:
sudo bettercap -iface
sudo bettercap -caplet
sudo bettercap -eval "; "

-iface
    Specify the network interface to use (e.g., eth0, wlan0).

-caplet
    Load and execute a caplet script file on startup.

-eval ""
    Execute one or more commands directly on startup, separated by semicolons.

-debug
    Enable verbose debugging output for diagnostics.

-no-colors
    Disable colored output in the console.

-no-session
    Do not save the session data to disk (useful for ephemeral operations).

-gateway
    Automatically detect and use the network gateway for spoofing/proxying.

-target
    Specify one or more target IP addresses or CIDR ranges (e.g., 192.168.1.10, 192.168.1.0/24).

-http.addr
    Set the address and port for the built-in HTTP/HTTPS web UI server (default: 127.0.0.1:8081).

-proxy.port
    Set the port for the HTTP/HTTPS proxy module (default: 8080).

-arp.spoof
    Enable or disable ARP spoofing (default: false). Required for MITM attacks.

-dns.spoof
    Enable or disable DNS spoofing (default: false).

-mac.changer.interface
    Specify an interface to automatically change its MAC address upon startup.

-wifi.recon
    Enable or disable WiFi reconnaissance mode for discovering nearby networks and clients.

-wifi.deauth
    Enable or disable WiFi deauthentication attacks (default: false).

bettercap is a powerful, modular, and portable framework designed for various network-related tasks, including man-in-the-middle (MITM) attacks, network discovery, host reconnaissance, and WiFi auditing. It offers a comprehensive set of capabilities such as ARP spoofing, DNS spoofing, HTTP/HTTPS proxying, packet sniffing, credential harvesting, and WiFi deauthentication attacks.

Developed with modern security challenges in mind, bettercap aims to be easily extensible through modules and caplets (scriptable attack flows). It provides a powerful interactive console and a built-in web UI for ease of use, making it an essential tool for penetration testers, security researchers, and anyone involved in network security assessments. Its modular design allows users to combine different functionalities to create complex attack scenarios, while its portability ensures it can run on various operating systems, including Linux, macOS, and Windows.

bettercap requires root privileges (sudo) for most of its functionalities, especially for network manipulation, raw packet operations, and interface management.

Due to its powerful capabilities, it can be used for malicious purposes. Always ensure you have explicit permission and are operating within legal and ethical boundaries before using it on any network or system you do not own or manage. Improper or irresponsible use can lead to network instability, data loss, or severe legal consequences. It is primarily a penetration testing and security research tool; use it responsibly.

bettercap provides a powerful interactive console environment where users can dynamically load and unload modules, set parameters, start and stop attacks, and view real-time logs and statistics. This allows for flexible and on-the-fly adjustments to the attack strategy, making it highly adaptable during live engagements.

Caplets are executable scripts, written in a JavaScript-like syntax, that allow users to automate complex sequences of commands and module configurations. They enable the creation of custom attack workflows and provide a high degree of extensibility, simplifying repetitive tasks or intricate attack scenarios. Caplets enhance the framework's versatility, allowing for rapid deployment of sophisticated attacks.

A built-in web UI provides a graphical interface to control and monitor bettercap. This offers a more visual and intuitive way to manage network attacks, view discovered hosts, inspect captured data, and configure various modules without relying solely on the command-line console. The web UI enhances usability, especially for those who prefer a visual dashboard for network security operations.

bettercap was originally developed by Simone Margaritelli (evilsocket). Its initial versions, released around 2016, were written in Ruby and aimed to be a more modern and interactive alternative to tools like ettercap. However, to address performance limitations, improve portability, and enhance its overall architecture, the project underwent a significant rewrite in Go, starting with version 2.x. This rewrite transformed it into a more robust, faster, and cross-platform tool, solidifying its position as a leading open-source network attack framework. Development is active, with continuous updates and new features being added by its maintainers and community.

arpspoof(8), nmap(1), wireshark(1), aircrack-ng(8), ettercap(8), tcpdump(1)