From Embedded Lab Vienna for IoT & Security
Jump to: navigation, search


This documentation is about bettercap, more specifically the functionality related to Arp Spoofing and Bluetooth conncetions. The bettercap tool is described on it’s website as "the Swiss Army knife for WiFi, Bluetooth Low Energy, wireless HID hijacking and Ethernet networks reconnaissance and MITM attacks".[1] In this Wiki entry, bettercap installed on a Raspberry Pi Model 4 B.


  • Raspberry Pi Model 4 B
  • Operating system: Raspbian Buster
  • Packages: build-essential, libpcap-dev, libusb-1.0-0-dev, libnetfilter-queue-dev
  • BLE device (MiPow Playbulb Candle)


Step 1 Install the prerequisites

sudo apt install golang git build-essential libpcap-dev libusb -1.0-0-dev libnetfilter-queue-dev 

Step 2 Install bettercap

go get 
cd go/src/ 
make build 
sudo make install 

Step 3 Run bettercap

sudo bettercap

If there is are any problems or you want to install the newest Bettercap version follow this documentation.

Show the available commands and modules

The following shows the output after starting bettercap. Note the subnet and the IP address of the Raspberry Pi are shown.

Sudo bettercap.png

After bettercap is running, a list of available commands and modules can be displayed using the command


Bettercap help.png

ARP Spoofing with Bettercap

Step 1: Start bettercap & update caplets


ARP Spoofing with Bettercap picture 03.png

Step 2: Scan local Network

Passive: List already detected hosts on the network (own arp cache): 

ARP Spoofing with Bettercap picture 01.png

Active: Search active hosts on the network

net.probe on

ARP Spoofing with Bettercap picture 02.png

Stop detection:

net.probe off
net.recon off

List available hosts again:

Step 3: ARP Poisoning

By default, the arp poisoning attack is performed on the whole subnet which is pretty conspicuous. If you want to target single hosts on the network you can define a target variable like this:

set arp.spoof.targets 'IP'

Enable/Disable ARP poisoning:

arp.spoof on
arp.spoof off

Sniff client actions:

net.sniff on

BLE with Bettercap

Enter the module name to gain further help

help ble.recon

Bettercap help ble.recon.png

Turn on ble.recon and list the available BLE devices

ble.recon on

Bettercap ble recon on show.png

Various information is available from these commands such as the RSSI, the MAC address (BD_ADDR), the vendor, the flags that show which version of Bluetooth is supported, whether it is possible to connect to the device and time discovered. The Playbulb Candle has been discovered and from the output it possible to see that it only supports BLE as BR/EDR is not supported.

To list the services and characteristics of the a device use the command

ble.enum MAC

In this case for the Playbulb Candle

 ble.enum DC:48:4B:0F:AC:E6

Bettercap ble enum.png

Attempts to change the values of characteristics can be made with


Results can be seen in the following screenshot.

Bettercap ble write.png

To end BLE scanning using bettercap, use the command

ble.recon off

Used Hardware

Raspberry Pi 3 Model B+ Raspberry Pi 3, Model B+, WLAN, BT Raspberry Pi® 3 Model B, 1GB LPDDR2 RAM MiPow Playbulb Candle