Nethunter + Pineapple Nano + bettercap



BeNe
2016-10-02, 17:41
Hi Security Folks,

I have some problems with my setup: Nethunter + Pineapple Nano + Bettercap. I want to use bettercap or mitmf on the Nethunter, but have had no luck so far.

Bettercap isn't proxying HTTP and HTTPS, only some sites. DNS requests are coming through bettercap but nothing happens.
In this example I opened "web.de" and "google.com" - but got no output on the client -> timeout.



| |__ ___| |_| |_ ___ _ __ ___ __ _ _ __
| '_ \ / _ \ __| __/ _ \ '__/ __/ _` | '_ \
| |_) | __/ |_| || __/ | | (_| (_| | |_) |
|_.__/ \___|\__|\__\___|_| \___\__,_| .__/
|_| v1.5.8
http://bettercap.org/



[I] Starting [ spoofing:✘ discovery:✘ sniffer:✔ tcp-proxy:✘ http-proxy:✔ https-proxy:✔ sslstrip:✔ http-server:✘ dns-server:true ] ...

[D] NETSTAT:
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 172.16.17.254 0.0.0.0 UG 0 0 0 wlan0
172.16.17.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
172.16.42.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

[D] ifconfig eth0
[D] Using ifconfig
[D] Linux ifconfig eth0:
["eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500", "inet 172.16.42.42 netmask 255.255.255.0 broadcast 0.0.0.0", "ether 00:c0:ca:90:d3:65 txqueuelen 1000 (Ethernet)", "RX packets 466 bytes 29203 (28.5 KiB)", "RX errors 0 dropped 0 overruns 0 frame 0", "TX packets 0 bytes 32162 (31.4 KiB)", "TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0"]
[D] Preloading hardware vendor prefixes ...
[I] [eth0] 172.16.42.42 : 00:C0:CA:90:D3:65 / eth0 ( ALFA )
[D] ----- NETWORK INFORMATIONS -----
[D] network = 172.16.42.0 ( 172.16.42.0 -> 172.16.42.255 )
[D] gateway = 172.16.17.254
[D] local_ip = 172.16.42.42
[D] --------------------------------

[D] Spoofing disabled.
[D] PacketQueue worker started.
[D] PacketQueue worker started.
[D] PacketQueue worker started.
[D] PacketQueue worker started.
[D] Probing 172.16.17.254 ...
[D] Probing 172.16.17.254 ...
[I] [GATEWAY] 172.16.17.254 : ( ??? )
[W] WARNING: Both HTTP transparent proxy and URL parser are enabled, you're gonna see duplicated logs.
[D] RESPONSE LINE: 'HTTP/1.1 200 OK'
[D] RESPONSE LINE: 'Connection: close'
[D] RESPONSE LINE: 'Content-Length: 558'
[D] RESPONSE LINE: 'Content-Type: image/x-icon'
[D] RESPONSE LINE: ''
[I] [DNS] Starting on 172.16.42.42:5300 ...
[I] [SSL] Loading HTTPS Certification Authority from '/root/.bettercap/bettercap-ca.pem' ...
[D] Redirecting TCP traffic from *:53 to 172.16.42.42:5300
[I] [HTTPS] Proxy starting on 172.16.42.42:8083 ...
[I] [HTTP] Proxy starting on 172.16.42.42:8080 ...
[D] Redirecting UDP traffic from *:53 to 172.16.42.42:5300
[D] Redirecting TCP traffic from *:80 to 172.16.42.42:8080
[D] Redirecting TCP traffic from *:443 to 172.16.42.42:8083
[D] Starting sniffer ...
[D] Loading parser SNMP ( BetterCap::Parsers::SNMP ) ...
[D] Loading parser SNPP ( BetterCap::Parsers::Snpp ) ...
[D] Loading parser WHATSAPP ( BetterCap::Parsers::Whatsapp ) ...
[D] Loading parser DHCP ( BetterCap::Parsers::DHCP ) ...
[D] Loading parser COOKIE ( BetterCap::Parsers::Cookie ) ...
[D] Loading parser NNTP ( BetterCap::Parsers::Nntp ) ...
[D] Loading parser RLOGIN ( BetterCap::Parsers::Rlogin ) ...
[D] Loading parser NTLMSS ( BetterCap::Parsers::NTLMSS ) ...
[D] Loading parser CREDITCARD ( BetterCap::Parsers::CreditCard ) ...
[D] Loading parser PGSQL ( BetterCap::Parsers::PgSQL ) ...
[D] Loading parser URL ( BetterCap::Parsers::Url ) ...
[D] Loading parser DICT ( BetterCap::Parsers::Dict ) ...
[D] Loading parser MYSQL ( BetterCap::Parsers::MySQL ) ...
[D] Loading parser HTTPAUTH ( BetterCap::Parsers::Httpauth ) ...
[D] Loading parser IRC ( BetterCap::Parsers::Irc ) ...
[D] Loading parser MAIL ( BetterCap::Parsers::Mail ) ...
[D] Loading parser POST ( BetterCap::Parsers::Post ) ...
[D] Loading parser FTP ( BetterCap::Parsers::Ftp ) ...
[D] Loading parser REDIS ( BetterCap::Parsers::Redis ) ...
[D] Loading parser HTTPS ( BetterCap::Parsers::Https ) ...
[D] Loading parser MPD ( BetterCap::Parsers::Mpd ) ...
[D] Loading parser TEAMVIEWER ( BetterCap::Parsers::TeamViewer ) ...
[D] Spoofing 2 targets ...
[D] Spoofing 2 targets ...
[D] Spoofing 2 targets ...
[D] Spoofing 2 targets ...
[D] Spoofing 2 targets ...
[D] Spoofing 2 targets ...
[D] Spoofing 2 targets ...
[D] Spoofing 2 targets ...
[D] Spoofing 2 targets ...
[D] [DNS] Received Resolv::DNS::Resource::IN::A request for easylist-downloads.adblockplus.org ...
[D] [172.16.42.1 > DNS] Received request for 'easylist-downloads.adblockplus.org' -> upstream DNS
[D] [DNS] Received Resolv::DNS::Resource::IN::AAAA request for easylist-downloads.adblockplus.org ...
[D] [172.16.42.1 > DNS] Received request for 'easylist-downloads.adblockplus.org' -> upstream DNS
[172.16.42.167 > 78.46.27.186:https] [HTTPS] https://filter22.adblockplus.org./
[D] Spoofing 2 targets ...
[172.16.42.167 > 148.251.12.230:https] [HTTPS] https://filter49.adblockplus.org./
[172.16.42.167 > 78.46.27.186:https] [HTTPS] https://filter22.adblockplus.org./
[172.16.42.167 > 148.251.12.230:https] [HTTPS] https://filter49.adblockplus.org./
[D] Spoofing 2 targets ...
[D] Spoofing 2 targets ...
[172.16.42.167 > 78.46.27.186:https] [HTTPS] https://filter22.adblockplus.org./
[172.16.42.167 > 148.251.12.230:https] [HTTPS] https://filter49.adblockplus.org./
[D] Spoofing 2 targets ...
[D] Spoofing 2 targets ...
[172.16.42.167 > 52.24.123.95:https] [HTTPS] https://ec2-52-24-123-95.us-west-2.compute.amazonaws.com./
[D] Spoofing 2 targets ...
[D] Spoofing 2 targets ...
[172.16.42.167 > 78.46.27.186:https] [HTTPS] https://filter22.adblockplus.org./
[172.16.42.167 > 148.251.12.230:https] [HTTPS] https://filter49.adblockplus.org./
[D] Spoofing 2 targets ...
[172.16.42.167 > 69.195.158.195:https] [HTTPS] https://w2.hackademix.net./
[D] Spoofing 2 targets ...
[D] Spoofing 2 targets ...
[D] [DNS] Received Resolv::DNS::Resource::IN::A request for web.de ...
[D] [172.16.42.1 > DNS] Received request for 'web.de' -> upstream DNS
[D] [DNS] Received Resolv::DNS::Resource::IN::AAAA request for web.de ...
[D] [172.16.42.1 > DNS] Received request for 'web.de' -> upstream DNS
[D] Spoofing 2 targets ...
[172.16.42.167 > 216.58.213.46:https] [HTTPS] https://ber01s15-in-f46.1e100.net./
[D] Spoofing 2 targets ...
[D] Spoofing 2 targets ...
[D] [DNS] Received Resolv::DNS::Resource::IN::A request for update.eset.com ...
[D] [172.16.42.1 > DNS] Received request for 'update.eset.com' -> upstream DNS
[D] Spoofing 2 targets ...
[D] Spoofing 2 targets ...
[172.16.42.167 > 78.46.27.186:https] [HTTPS] https://filter22.adblockplus.org./
[172.16.42.167 > 148.251.12.230:https] [HTTPS] https://filter49.adblockplus.org./
[D] Spoofing 2 targets ...
[D] Spoofing 2 targets ...
[D] [DNS] Received Resolv::DNS::Resource::IN::A request for google.de ...
[D] [172.16.42.1 > DNS] Received request for 'google.de' -> upstream DNS
[D] [DNS] Received Resolv::DNS::Resource::IN::AAAA request for google.de ...
[D] [172.16.42.1 > DNS] Received request for 'google.de' -> upstream DNS
[172.16.42.167 > 52.26.2.199:https] [HTTPS] https://ec2-52-26-2-199.us-west-2.compute.amazonaws.com./
[D] Spoofing 2 targets ...
[D] Spoofing 2 targets ...
[D] Spoofing 2 targets ...
[D] Spoofing 2 targets ...
[D] Spoofing 2 targets ...
[D] Spoofing 2 targets ...
^C

Shutting down, hang on ...


Here is my setup:
http://fs5.directupload.net/images/161002/rexdx5q3.jpg

Nethunter 3.15.2
OnePlusOne

BeNe
2016-10-02, 17:45
Here are the needed interfaces and routes shown in the graphic:

Point 1 (Nethunter built in WiFi)
Interface wlan0

wlan0 Link encap:Ethernet HWaddr c0:ee:fb:27:35:cc
inet addr:172.16.17.112 Bcast:172.16.17.255 Mask:255.255.255.0
inet6 addr: 2003:85:ae45:60f1:54b5:4805:88ea:f458/64 Scope: Global
inet6 addr: 2003:85:ae45:60f1:c2ee:fbff:fe27:35cc/64 Scope: Global
inet6 addr: fe80::c2ee:fbff:fe27:35cc/64 Scope: Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:13344 errors:0 dropped:3383 overruns:0 frame:0
TX packets:5908 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2336945 TX bytes:1047648

# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.16.17.254 0.0.0.0 UG 0 0 0 wlan0
172.16.17.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
172.16.42.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0


Point 2 (Pineapple/Nethunter eth0)
Interface eth0

eth0 Link encap:Ethernet HWaddr 00:c0:ca:90:d3:65
inet addr:172.16.42.42 Bcast:0.0.0.0 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:981 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:47306 TX bytes:34478

# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.16.17.254 0.0.0.0 UG 0 0 0 wlan0
172.16.17.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
172.16.42.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0


Point 3 (Pineapple)
Interface br-lan

br-lan Link encap:Ethernet HWaddr 00:C0:CA:90:BD:9C
inet addr:172.16.42.1 Bcast:172.16.42.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1279 errors:0 dropped:0 overruns:0 frame:0
TX packets:3944 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:132027 (128.9 KiB) TX bytes:193882 (189.3 KiB)

# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.16.42.42 0.0.0.0 UG 0 0 0 br-lan
172.16.42.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan


Point 4 (Client)
Interface wlan0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.42.167 netmask 255.255.255.0 broadcast 172.16.42.255
inet6 fe80::dc5c:d1e7:a60f:19cd prefixlen 64 scopeid 0x20<link>
ether 00:25:d3:5a:d4:7f txqueuelen 1000 (Ethernet)
RX packets 1220 bytes 108079 (105.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 118 bytes 21822 (21.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

# route -n
Kernel-IP-Routentabelle
Ziel Router Genmask Flags Metric Ref Use Iface
0.0.0.0 172.16.42.1 0.0.0.0 UG 600 0 0 wlan0
172.16.42.0 0.0.0.0 255.255.255.0 U 600 0 0 wlan0


traceroute google.com
traceroute to google.com (172.217.21.206), 30 hops max, 60 byte packets
1 Pineapple.lan (172.16.42.1) 1.373 ms 1.717 ms 2.084 ms
2 172.16.42.42 (172.16.42.42) 5.044 ms 5.542 ms 5.519 ms
3 172.16.17.254 (172.16.17.254) 6.803 ms 7.683 ms 7.665 ms
4 192.168.217.1 (192.168.217.1) 7.642 ms 8.338 ms 8.319 ms
5 217.0.119.62 (217.0.119.62) 24.563 ms 27.663 ms 27.603 ms
6 87.190.164.162 (87.190.164.162) 32.795 ms 24.875 ms 21.212 ms
7 217.239.41.222 (217.239.41.222) 23.999 ms 217.239.49.142 (217.239.49.142) 23.987 ms 217.239.41.102 (217.239.41.102) 25.673 ms
8 74.125.50.149 (74.125.50.149) 26.854 ms 29.469 ms 30.530 ms
9 66.249.94.88 (66.249.94.88) 80.414 ms 66.249.94.86 (66.249.94.86) 30.485 ms 30.416 ms
10 209.85.142.17 (209.85.142.17) 31.286 ms 24.597 ms 23.724 ms
11 216.239.40.6 (216.239.40.6) 32.221 ms 32.199 ms 32.121 ms
12 209.85.247.100 (209.85.247.100) 33.281 ms 209.85.247.82 (209.85.247.82) 33.936 ms 216.239.57.191 (216.239.57.191) 33.919 ms
13 72.14.232.177 (72.14.232.177) 33.850 ms 216.239.47.59 (216.239.47.59) 33.829 ms 34.791 ms
14 108.170.235.247 (108.170.235.247) 35.872 ms 35.853 ms 108.170.235.245 (108.170.235.245) 35.785 ms
15 fra16s12-in-f14.1e100.net (172.217.21.206) 37.422 ms 37.405 ms 37.339 ms

I want to build the same setup as Simone Margaritelli (evilsocket) but with the Nethunter device instead of the Mac --> https://www.evilsocket.net/2016/09/15/WiFi-Pineapple-NANO-OS-X-and-BetterCap-setup/
It seems to me that I'm missing a point, or that I need to NAT on another interface instead of only eth0 on the Nethunter device?

Simone did the NAT rules on the Pineapple itself, which I already tested without luck. Same behaviour.
Here are the rules I used:


root@Pineapple:~# uci get network.lan.gateway
172.16.42.42
root@Pineapple:~# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $(uci get network.lan.gateway):8080
root@Pineapple:~# iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination $(uci get network.lan.gateway):8083
root@Pineapple:~# iptables -t nat -A POSTROUTING -j MASQUERADE
root@Pineapple:~#



What have I done so far?

1.) Open an ANDROIDSU shell on the Nethunter device. I start the Nethunter Pineapple Connector manually because the GUI has a small bug (https://github.com/offensive-security/kali-nethunter/issues/598)
2.) # cd /data/data/com.offsec.nethunter/files/scripts
3.) # ./pine-nano start 172.16.42.42/24 172.16.42.0/24 172.16.42.1 1471 start_proxy

This is the table: wlan0
Starting: Intent { act=android.intent.action.VIEW dat=http://172.16.42.1:1471/... }
root@MSM8974:/data/data/com.offsec.nethunter/files/scripts #

4.) Check iptables for the port redirection:

# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 9 packets, 1086 bytes)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
0 0 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 redir ports 8083

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 2 packets, 143 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
pkts bytes target prot opt in out source destination
16 1167 MASQUERADE all -- * wlan0 0.0.0.0/0 0.0.0.0/0

Chain natctrl_nat_POSTROUTING (0 references)
pkts bytes target prot opt in out source destination

Chain oem_nat_pre (0 references)
pkts bytes target prot opt in out source destination

How can I get bettercap working correctly?
I've tested it with NAT on the Pineapple as Simone did, and I tested the pine-nano script with and without the "start_proxy" option that sets these rules:


f_transproxy(){
# For Bettercap/mitmproxy which acts as a transparent proxy
iptables -t nat -A PREROUTING -i eth0 -p tcp --destination-port 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --destination-port 443 -j REDIRECT --to-port 8083
}

In any case, bettercap doesn't work correctly and I can't find my error in the setup.

Thanks for any hint/help!

Greez
BeNe
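
The pkts column of an `iptables -vnL -t nat` listing shows whether a NAT rule has ever matched a packet, which is the first thing to read when auditing redirect rules like the ones listed above. The following is an added example, not part of the original post or of the pine-nano script; `nat_rule_hits` and `sample_listing` are hypothetical helper names, and the sample input reuses the rule lines from the listing in the post.

```shell
#!/bin/sh
# Added example: summarise per-rule hit counters from `iptables -vnL -t nat` text.
# nat_rule_hits and sample_listing are hypothetical names used for illustration.

# Reads a listing on stdin and prints one line per rule:
#   <chain> <target> pkts=<n> in=<iface> out=<iface> <HIT|NO-HITS> [match details]
# Assumes every rule has a target (a rule without -j would shift the columns).
nat_rule_hits() {
    awk '
        $1 == "Chain" { chain = $2; next }     # chain header line
        $1 == "pkts" || NF == 0 { next }       # column header or blank line
        $1 ~ /^[0-9]+[KMG]?$/ && NF >= 9 {     # counters may carry a K/M/G suffix
            status = ($1 == "0") ? "NO-HITS" : "HIT"
            detail = ""
            for (i = 10; i <= NF; i++) detail = detail (i > 10 ? " " : "") $i
            line = sprintf("%s %s pkts=%s in=%s out=%s %s", chain, $3, $1, $6, $7, status)
            if (detail != "") line = line " " detail
            print line
        }
    '
}

# Sample input: the PREROUTING and POSTROUTING chains as shown in the post.
sample_listing() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT 9 packets, 1086 bytes)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
0 0 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 redir ports 8083

Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
pkts bytes target prot opt in out source destination
16 1167 MASQUERADE all -- * wlan0 0.0.0.0/0 0.0.0.0/0
EOF
}

sample_listing | nat_rule_hits
```

On a live host, pipe the real listing in instead: `iptables -vnL -t nat | nat_rule_hits`.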