Getting better – spoofing with BetterCAP
Any good pen tester has a variety of tools at his or her disposal. Often, there are different tools that are comparable to each other in functionality, but one does something better than the other and vice versa. A common pain point for the pen tester is the wonderfully powerful tool that is no longer supported, so you make do with what was last updated a decade ago. Hey, if it ain't broke, don't fix it – some attacks, like ARP spoofing, don't change over the years at their core. However, any bugs that were present are there for life. Ettercap has proven itself to security practitioners, and we've seen its power here, but I'm going to wrap up the sniffing and spoofing discussion with the new kid on the block (relatively speaking): BetterCAP.
First, we can grab BetterCAP on Kali very easily as it's in the repository:
# apt-get install bettercap
Fire up bettercap -h for an introduction to this tool's abilities. If I simply run bettercap, I see it gets to work immediately!
For this reason, BetterCAP is not for beginners: it is designed to get you straight to work with as little fuss as possible. By looking at the startup line alone, we can see this is no ordinary sniffer: note the TCP/UDP/HTTP/HTTPS proxy, SSL stripper, and HTTP and DNS servers. We'll revisit this handy tool for other attacks elsewhere in this book. For now, let's take a look at a special kind of spoofing that BetterCAP makes simple for us: the ICMP redirection attack.