Not working at once

Bettercap 2.7.0 is the latest release of the network attacks and monitoring tool. It is an alternative to Ettercap. My attempts to poison the ARP cache of my testing machines first failed, until I found out why.

A simple MITM-Scenario

Computers B and C communicate with each other and router A. An attacker positions himself in the middle and captures their data.

A Man-in-the-middle attack (MITM) is a scenario where an attacker sends network traffic on a detour through his own computer. This gives him the opportunity to listen into (sniff) and manipulate the data stream.

MITM vs. Sniffing

MITM and sniffing are not the same. While sniffing just means listening to the traffic on a network without actively interfering, a Man-in-the-middle attack means that all or specific traffic is directed through the attacker’s computer.

Sniffing can be done only on collision domains, like a wireless connection. But it does not work on switched networks.

One way to realize a MITM attack is to send out wrong ARP address information to the hosts involved. This is called ARP poisoning or ARP spoofing.

How to get started with Bettercap 2.7.0

Since the last version, Bettercap has changed a lot. Old command line parameters do not work anymore. Here is how you get started now:

Download Bettercap to your PC. On Kali Linux open a shell and type in:

apt-get install bettercap

Start Bettercap and specify the network interface you like to use. Replace eth1 with your network adaptor.

bettercap -iface eth1

The interface will come up and the program will start discovering devices on your network. Start spoofing your targets with this command:

set arp.spoof.targets x.x.x.x, y.y.y.y; arp.spoof on

And finally turn on sniffing on the data that is now redirected through your computer:

net.sniff on

You can also use Wireshark or any other sniffing tool at this point. Just let it monitor the interface you use for Bettercap.

When you want to end Bettercap, type in


to restore the ARP caches on the machines you attacked.


Bettercap gives you the option to start with the parameter “-debug”. This is what helped me finding out why my ARP poisoning attempts had failed.

bettercap -iface eth1 -debug

So I started ARP spoofing again for my two target machines…

set arp.spoof.targets x.x.x.x, y.y.y.y; arp.spoof on

…and immediately got this error message:

[sys.log] [dbg] Could not find hardware address for x.x.x.x

It seems that Bettercap relies on the local ARP cache of the machine it is running on. And since my Kali Linux had never communicated with both target hosts, they were unknown. Therefore, I opened another shell and pinged both hosts:

ping x.x.x.x
ping y.y.y.y

At once Bettercap started sending ARP packets to both machines, poisoning their cache with false hardware addresses of the other machines and the router. Finally, I was able to reroute network traffic through my attacker machine.

Update (15.9.2018) – make some noise

To avoid the arp-issue described above users can use the command:

net.probe on

Bettercap then sends arp requests to all addresses on the local subnet. Penetration testers should be aware that this makes a lot of noise on the network which might trigger a honeypot, IDS or IPS device even before the attack started.

bettercap command “net.probe on” probes every ip on the subnet

That bettercap does not try to resolve an IP address automatically does not seem to bother the developers. From my perspective this is not a good approach. 




Comments are closed.