
Thread: Nethunter + Pineapple Nano + bettercap

  1. #1

    Nethunter + Pineapple Nano + bettercap

    Hi Security Folks,

    I have some problems with my setup: Nethunter + Pineapple Nano + Bettercap. I want to use bettercap or mitmf on the Nethunter - but had no luck so far.

    Bettercap isn't proxying HTTP and HTTPS, only some sites. DNS requests are coming through bettercap but nothing happens.
    In this example I opened "web.de" and "google.com" - but get no output on the client -> time out.
    Code:
    | |__   ___| |_| |_ ___ _ __ ___ __ _ _ __
    | '_ \ / _ \ __| __/ _ \ '__/ __/ _` | '_ \
    | |_) |  __/ |_| ||  __/ | | (_| (_| | |_) |
    |_.__/ \___|\__|\__\___|_|  \___\__,_| .__/
                                         |_| v1.5.8
    http://bettercap.org/
    
    
    
    [I] Starting [ spoofing:✘ discovery:✘ sniffer:✔ tcp-proxy:✘ http-proxy:✔ https-proxy:✔ sslstrip:✔ http-server:✘ dns-server:true ] ...
    
    [D] NETSTAT:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         172.16.17.254   0.0.0.0         UG        0 0          0 wlan0
    172.16.17.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan0
    172.16.42.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
    
    [D] ifconfig eth0
    [D] Using ifconfig
    [D] Linux ifconfig eth0:
    ["eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500", "inet 172.16.42.42  netmask 255.255.255.0  broadcast 0.0.0.0", "ether 00:c0:ca:90:d3:65  txqueuelen 1000  (Ethernet)", "RX packets 466  bytes 29203 (28.5 KiB)", "RX errors 0  dropped 0  overruns 0  frame 0", "TX packets 0  bytes 32162 (31.4 KiB)", "TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0"]
    [D] Preloading hardware vendor prefixes ...
    [I] [eth0] 172.16.42.42 : 00:C0:CA:90:D3:65 / eth0 ( ALFA )
    [D] ----- NETWORK INFORMATIONS -----
    [D]   network  = 172.16.42.0 ( 172.16.42.0 -> 172.16.42.255 )
    [D]   gateway  = 172.16.17.254
    [D]   local_ip = 172.16.42.42
    [D] --------------------------------
    
    [D] Spoofing disabled.
    [D] PacketQueue worker started.
    [D] PacketQueue worker started.
    [D] PacketQueue worker started.
    [D] PacketQueue worker started.
    [D] Probing 172.16.17.254 ...
    [D] Probing 172.16.17.254 ...
    [I] [GATEWAY] 172.16.17.254 :  ( ??? )
    [W] WARNING: Both HTTP transparent proxy and URL parser are enabled, you're gonna see duplicated logs.
    [D]   RESPONSE LINE: 'HTTP/1.1 200 OK'
    [D]   RESPONSE LINE: 'Connection: close'
    [D]   RESPONSE LINE: 'Content-Length: 558'
    [D]   RESPONSE LINE: 'Content-Type: image/x-icon'
    [D]   RESPONSE LINE: ''
    [I] [DNS] Starting on 172.16.42.42:5300 ...
    [I] [SSL] Loading HTTPS Certification Authority from '/root/.bettercap/bettercap-ca.pem' ...
    [D] Redirecting TCP traffic from *:53 to 172.16.42.42:5300
    [I] [HTTPS] Proxy starting on 172.16.42.42:8083 ...
    [I] [HTTP] Proxy starting on 172.16.42.42:8080 ...
    [D] Redirecting UDP traffic from *:53 to 172.16.42.42:5300
    [D] Redirecting TCP traffic from *:80 to 172.16.42.42:8080
    [D] Redirecting TCP traffic from *:443 to 172.16.42.42:8083
    [D] Starting sniffer ...
    [D] Loading parser SNMP ( BetterCap::Parsers::SNMP ) ...
    [D] Loading parser SNPP ( BetterCap::Parsers::Snpp ) ...
    [D] Loading parser WHATSAPP ( BetterCap::Parsers::Whatsapp ) ...
    [D] Loading parser DHCP ( BetterCap::Parsers::DHCP ) ...
    [D] Loading parser COOKIE ( BetterCap::Parsers::Cookie ) ...
    [D] Loading parser NNTP ( BetterCap::Parsers::Nntp ) ...
    [D] Loading parser RLOGIN ( BetterCap::Parsers::Rlogin ) ...
    [D] Loading parser NTLMSS ( BetterCap::Parsers::NTLMSS ) ...
    [D] Loading parser CREDITCARD ( BetterCap::Parsers::CreditCard ) ...
    [D] Loading parser PGSQL ( BetterCap::Parsers::PgSQL ) ...
    [D] Loading parser URL ( BetterCap::Parsers::Url ) ...
    [D] Loading parser DICT ( BetterCap::Parsers::Dict ) ...
    [D] Loading parser MYSQL ( BetterCap::Parsers::MySQL ) ...
    [D] Loading parser HTTPAUTH ( BetterCap::Parsers::Httpauth ) ...
    [D] Loading parser IRC ( BetterCap::Parsers::Irc ) ...
    [D] Loading parser MAIL ( BetterCap::Parsers::Mail ) ...
    [D] Loading parser POST ( BetterCap::Parsers::Post ) ...
    [D] Loading parser FTP ( BetterCap::Parsers::Ftp ) ...
    [D] Loading parser REDIS ( BetterCap::Parsers::Redis ) ...
    [D] Loading parser HTTPS ( BetterCap::Parsers::Https ) ...
    [D] Loading parser MPD ( BetterCap::Parsers::Mpd ) ...
    [D] Loading parser TEAMVIEWER ( BetterCap::Parsers::TeamViewer ) ...
    [D] Spoofing 2 targets ...
    [D] Spoofing 2 targets ...
    [D] Spoofing 2 targets ...
    [D] Spoofing 2 targets ...
    [D] Spoofing 2 targets ...
    [D] Spoofing 2 targets ...
    [D] Spoofing 2 targets ...
    [D] Spoofing 2 targets ...
    [D] Spoofing 2 targets ...
    [D] [DNS] Received Resolv::DNS::Resource::IN::A request for easylist-downloads.adblockplus.org ...
    [D] [172.16.42.1 > DNS] Received request for 'easylist-downloads.adblockplus.org' -> upstream DNS
    [D] [DNS] Received Resolv::DNS::Resource::IN::AAAA request for easylist-downloads.adblockplus.org ...
    [D] [172.16.42.1 > DNS] Received request for 'easylist-downloads.adblockplus.org' -> upstream DNS
    [172.16.42.167 > 78.46.27.186:https] [HTTPS] https://filter22.adblockplus.org./
    [D] Spoofing 2 targets ...
    [172.16.42.167 > 148.251.12.230:https] [HTTPS] https://filter49.adblockplus.org./
    [172.16.42.167 > 78.46.27.186:https] [HTTPS] https://filter22.adblockplus.org./
    [172.16.42.167 > 148.251.12.230:https] [HTTPS] https://filter49.adblockplus.org./
    [D] Spoofing 2 targets ...
    [D] Spoofing 2 targets ...
    [172.16.42.167 > 78.46.27.186:https] [HTTPS] https://filter22.adblockplus.org./
    [172.16.42.167 > 148.251.12.230:https] [HTTPS] https://filter49.adblockplus.org./
    [D] Spoofing 2 targets ...
    [D] Spoofing 2 targets ...
    [172.16.42.167 > 52.24.123.95:https] [HTTPS] https://ec2-52-24-123-95.us-west-2.compute.amazonaws.com./
    [D] Spoofing 2 targets ...
    [D] Spoofing 2 targets ...
    [172.16.42.167 > 78.46.27.186:https] [HTTPS] https://filter22.adblockplus.org./
    [172.16.42.167 > 148.251.12.230:https] [HTTPS] https://filter49.adblockplus.org./
    [D] Spoofing 2 targets ...
    [172.16.42.167 > 69.195.158.195:https] [HTTPS] https://w2.hackademix.net./
    [D] Spoofing 2 targets ...
    [D] Spoofing 2 targets ...
    [D] [DNS] Received Resolv::DNS::Resource::IN::A request for web.de ...
    [D] [172.16.42.1 > DNS] Received request for 'web.de' -> upstream DNS
    [D] [DNS] Received Resolv::DNS::Resource::IN::AAAA request for web.de ...
    [D] [172.16.42.1 > DNS] Received request for 'web.de' -> upstream DNS
    [D] Spoofing 2 targets ...
    [172.16.42.167 > 216.58.213.46:https] [HTTPS] https://ber01s15-in-f46.1e100.net./
    [D] Spoofing 2 targets ...
    [D] Spoofing 2 targets ...
    [D] [DNS] Received Resolv::DNS::Resource::IN::A request for update.eset.com ...
    [D] [172.16.42.1 > DNS] Received request for 'update.eset.com' -> upstream DNS
    [D] Spoofing 2 targets ...
    [D] Spoofing 2 targets ...
    [172.16.42.167 > 78.46.27.186:https] [HTTPS] https://filter22.adblockplus.org./
    [172.16.42.167 > 148.251.12.230:https] [HTTPS] https://filter49.adblockplus.org./
    [D] Spoofing 2 targets ...
    [D] Spoofing 2 targets ...
    [D] [DNS] Received Resolv::DNS::Resource::IN::A request for google.de ...
    [D] [172.16.42.1 > DNS] Received request for 'google.de' -> upstream DNS
    [D] [DNS] Received Resolv::DNS::Resource::IN::AAAA request for google.de ...
    [D] [172.16.42.1 > DNS] Received request for 'google.de' -> upstream DNS
    [172.16.42.167 > 52.26.2.199:https] [HTTPS] https://ec2-52-26-2-199.us-west-2.compute.amazonaws.com./
    [D] Spoofing 2 targets ...
    [D] Spoofing 2 targets ...
    [D] Spoofing 2 targets ...
    [D] Spoofing 2 targets ...
    [D] Spoofing 2 targets ...
    [D] Spoofing 2 targets ...
    ^C
    
    Shutting down, hang on ...
    Here is my Setup:


    Nethunter 3.15.2
    OnePlusOne


    network.JPG
    Last edited by BeNe; 2016-10-02 at 17:49.

  2. #2
    Here are the needed interfaces and routes shown in the graphic:

    Point 1 (Nethunter built in WiFi)
    Interface wlan0

    Code:
    wlan0     Link encap:Ethernet  HWaddr c0:ee:fb:27:35:cc
              inet addr:172.16.17.112  Bcast:172.16.17.255  Mask:255.255.255.0
              inet6 addr: 2003:85:ae45:60f1:54b5:4805:88ea:f458/64 Scope: Global
              inet6 addr: 2003:85:ae45:60f1:c2ee:fbff:fe27:35cc/64 Scope: Global
              inet6 addr: fe80::c2ee:fbff:fe27:35cc/64 Scope: Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:13344 errors:0 dropped:3383 overruns:0 frame:0
              TX packets:5908 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:2336945 TX bytes:1047648
    		  
    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         172.16.17.254   0.0.0.0         UG    0      0        0 wlan0
    172.16.17.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0
    172.16.42.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

    Point 2 (Pineapple/Nethunter eth0)
    Interface eth0

    Code:
    eth0      Link encap:Ethernet  HWaddr 00:c0:ca:90:d3:65
              inet addr:172.16.42.42  Bcast:0.0.0.0  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:981 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:47306 TX bytes:34478
    		  
    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         172.16.17.254   0.0.0.0         UG    0      0        0 wlan0
    172.16.17.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0
    172.16.42.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

    Point 3 (Pineapple)
    Interface br-lan

    Code:
    br-lan    Link encap:Ethernet  HWaddr 00:C0:CA:90:BD:9C
              inet addr:172.16.42.1  Bcast:172.16.42.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1279 errors:0 dropped:0 overruns:0 frame:0
              TX packets:3944 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:132027 (128.9 KiB)  TX bytes:193882 (189.3 KiB)
    
    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         172.16.42.42    0.0.0.0         UG    0      0        0 br-lan
    172.16.42.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan

    Point 4 (Client)
    Interface wlan0

    Code:
    wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 172.16.42.167  netmask 255.255.255.0  broadcast 172.16.42.255
            inet6 fe80::dc5c:d1e7:a60f:19cd  prefixlen 64  scopeid 0x20<link>
            ether 00:25:d3:5a:d4:7f  txqueuelen 1000  (Ethernet)
            RX packets 1220  bytes 108079 (105.5 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 118  bytes 21822 (21.3 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    		
    # route -n
    Kernel-IP-Routentabelle
    Ziel            Router          Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         172.16.42.1     0.0.0.0         UG    600    0        0 wlan0
    172.16.42.0     0.0.0.0         255.255.255.0   U     600    0        0 wlan0
    
    
    traceroute google.com
    traceroute to google.com (172.217.21.206), 30 hops max, 60 byte packets
     1  Pineapple.lan (172.16.42.1)  1.373 ms  1.717 ms  2.084 ms
     2  172.16.42.42 (172.16.42.42)  5.044 ms  5.542 ms  5.519 ms
     3  172.16.17.254 (172.16.17.254)  6.803 ms  7.683 ms  7.665 ms
     4  192.168.217.1 (192.168.217.1)  7.642 ms  8.338 ms  8.319 ms
     5  217.0.119.62 (217.0.119.62)  24.563 ms  27.663 ms  27.603 ms
     6  87.190.164.162 (87.190.164.162)  32.795 ms  24.875 ms  21.212 ms
     7  217.239.41.222 (217.239.41.222)  23.999 ms 217.239.49.142 (217.239.49.142)  23.987 ms 217.239.41.102 (217.239.41.102)  25.673 ms
     8  74.125.50.149 (74.125.50.149)  26.854 ms  29.469 ms  30.530 ms
     9  66.249.94.88 (66.249.94.88)  80.414 ms 66.249.94.86 (66.249.94.86)  30.485 ms  30.416 ms
    10  209.85.142.17 (209.85.142.17)  31.286 ms  24.597 ms  23.724 ms
    11  216.239.40.6 (216.239.40.6)  32.221 ms  32.199 ms  32.121 ms
    12  209.85.247.100 (209.85.247.100)  33.281 ms 209.85.247.82 (209.85.247.82)  33.936 ms 216.239.57.191 (216.239.57.191)  33.919 ms
    13  72.14.232.177 (72.14.232.177)  33.850 ms 216.239.47.59 (216.239.47.59)  33.829 ms  34.791 ms
    14  108.170.235.247 (108.170.235.247)  35.872 ms  35.853 ms 108.170.235.245 (108.170.235.245)  35.785 ms
    15  fra16s12-in-f14.1e100.net (172.217.21.206)  37.422 ms  37.405 ms  37.339 ms
    I want to build the same setup as Simone Margaritelli (evilsocket) but with the Nethunter device instead of the Mac --> https://www.evilsocket.net/2016/09/1...tterCap-setup/
    It seems to me that I'm missing a point, or that I need to NAT on another interface instead of only eth0 on the Nethunter device?

    Simone did the NAT rules on the Pineapple itself - which I already tested without luck. Same behaviour.
    Here are the rules I used:
    Code:
    root@Pineapple:~# uci get network.lan.gateway
    172.16.42.42
    root@Pineapple:~#  iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $(uci get network.lan.gateway):8080
    root@Pineapple:~#  iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination $(uci get network.lan.gateway):8083
    root@Pineapple:~# iptables -t nat -A POSTROUTING -j MASQUERADE
    root@Pineapple:~#

    What have I done so far?

    1.) Open an ANDROIDSU shell on the Nethunter device. I start the Nethunter Pineapple Connector manually because the GUI has a small bug (https://github.com/offensive-securit...ter/issues/598)
    2.) # cd /data/data/com.offsec.nethunter/files/scripts
    3.) # ./pine-nano start 172.16.42.42/24 172.16.42.0/24 172.16.42.1 1471 start_proxy
    Code:
    This is the table: wlan0
    Starting: Intent { act=android.intent.action.VIEW dat=http://172.16.42.1:1471/... }
    root@MSM8974:/data/data/com.offsec.nethunter/files/scripts #
    4.) Check iptables for the port redirection:
    Code:
    # iptables -vnL -t nat
    Chain PREROUTING (policy ACCEPT 9 packets, 1086 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
        0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 8083
    
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain OUTPUT (policy ACCEPT 2 packets, 143 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
     pkts bytes target     prot opt in     out     source               destination
       16  1167 MASQUERADE  all  --  *      wlan0   0.0.0.0/0            0.0.0.0/0
    
    Chain natctrl_nat_POSTROUTING (0 references)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain oem_nat_pre (0 references)
     pkts bytes target     prot opt in     out     source               destination
    How can I get bettercap working correctly?
    I've tested it with NAT on the Pineapple as Simone did, and I tested the pine-nano script with and without the "start_proxy" option that sets these rules:
    Code:
    f_transproxy(){
        # For Bettercap/mitmproxy which acts as a transparent proxy
        iptables -t nat -A PREROUTING -i eth0 -p tcp --destination-port 80 -j REDIRECT --to-port 8080
        iptables -t nat -A PREROUTING -i eth0 -p tcp --destination-port 443 -j REDIRECT --to-port 8083
    }
    In any case - bettercap doesn't work correctly and I can't find my error in the setup.

    Thanks for any hint/help!

    Greez
    BeNe
    Last edited by maiki; 2016-10-03 at 11:03. Reason: Merge posts
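
Added example, not part of the original posts or of the Nethunter scripts: a small audit of `iptables -vnL -t nat` output that lists every rule diverting TCP port 80/443 into a proxy and shows from its packet counter whether it has ever matched (in the step 4 listing above, both REDIRECT rows show 0 packets). The function names and the sample counters are constructed for illustration; the column layout follows the listings in the post.

```shell
#!/bin/sh
# Audit a NAT table listing for rules that divert web traffic into a proxy.

# Constructed sample in the column layout of `iptables -vnL -t nat`
# (counter values are made up for illustration).
sample_nat_table() {
cat <<'EOF'
Chain PREROUTING (policy ACCEPT 9 packets, 1086 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
   12   720 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 8083
    3   180 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.16.42.42:8080

Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination
   16  1167 MASQUERADE  all  --  *      wlan0   0.0.0.0/0            0.0.0.0/0
EOF
}

# Reads the listing on stdin and prints one line per diverting rule:
#   <chain> <target> in=<iface> dport=<port> to=<dest> pkts=<n> <HIT|NEVER-MATCHED>
nat_redirect_audit() {
    awk '
    $1 == "Chain" { chain = $2; next }          # remember the current chain
    $3 == "REDIRECT" || $3 == "DNAT" {
        dport = ""; dest = ""
        for (i = 10; i <= NF; i++) {            # match options follow the 9 fixed columns
            if ($i ~ /^dpt:/)  dport = substr($i, 5)
            if ($i ~ /^to:/)   dest  = substr($i, 4)      # DNAT target
            if ($i == "ports") dest  = "local:" $(i + 1)  # REDIRECT target port
        }
        if (dport != "80" && dport != "443") next         # only web traffic
        state = ($1 + 0 > 0) ? "HIT" : "NEVER-MATCHED"
        printf "%s %s in=%s dport=%s to=%s pkts=%s %s\n", chain, $3, $6, dport, dest, $1, state
    }'
}

# Stand-alone run on the constructed sample; on a live host pipe in
# the output of: iptables -vnL -t nat
sample_nat_table | nat_redirect_audit
```

A rule reported as NEVER-MATCHED is installed but has seen no traffic, which usually means packets arrive on a different interface or are rewritten by an earlier rule.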
