Bettercap with Mitmproxy
As I covered in a previous article Bettercap is an excellent tool for messing around with networks but it can do much more when combined with other tools. In this article, I’ll be going over how to use Bettercap and Mitmproxy to capture HTTP data being sent from other devices.
⚠️Disclaimer⚠️ I’m not responsible for what you do with this information
Quick Overview
In case you don’t know how to use Bettercap you can look at my previous article. In this tutorial, we will use Bettercap’s arp spoofing capabilities and its proxy abilities with Mitmproxy. Mitmproxy will then capture and let us sift through the HTTP data to find what we want.
Prerequisites
Computer — Should run Linux or macOS
Bettercap — installation and usage instructions here
Mitmproxy — installation instructions here
Step 1: Startup Mitmproxy
In this tutorial, we will be using the web version of Mitmproxy (comes with it). To start the web UI run in the terminal:
sudo mitmweb
and it should start. Depending on your configuration it may start your web browser and open its page. If that does not happen go to http://127.0.0.1:8081 in your preferred browser.
Step 2: Startup Bettercap
Getting Bettercap ready will be more challenging depending on your circumstances. Warning: Change Bettercap’s API port if you are planning to use it as Mitmproxy takes up port 8081. In this article, I will only be using Bettercap’s terminal interface. Once you have your target or target range selected type:
set arp.spoof.targets [targets here]
and then:
arp.spoof on
To get the HTTP data sent to Mitmproxy we will use Bettercaps any proxy. By default any proxy is already setup correctly so run:
any.proxy on
If you are unsure if the options are correct then just set any.proxy.dst_port to 8080, any.proxy.src_port to 80, and any.proxy.protocol to TCP.
Step 3: Profit!
If everything works out you should see a bunch of things popping up on Mitmproxy’s web UI. These should all be HTTP and you can look through each one by clicking on it. If you are looking for something specific the web UI comes with a convenient search bar at the top. You can also save the data to a file for viewing later. To view the file simply type:
sudo mitmweb -r [path to file here]
in the terminal.
Conclusion
Both Bettercap and Mitmproxy are great for remotely capturing insecure HTTP data from a target. However, this combo can be easily countered by HTTPS (yes I know both Bettercap and Mitmproxy have HTTPS options but those are a pain to set up and don’t always work) or a VPN. Unencrypted HTTP data is still common though, whether it's router login panels or Hulu captions (yes, as of the writing of this article Hulu still sends captions in HTTP). So next time you are in a coffee shop, be the reason VPN companies can still say people need them (Don’t actually do that it’s illegal).
Happy Hacking!~
