
Using bettercap, how can I intercept traffic which goes to a proxy server which is configured in browser?

With no proxy configured it is working fine. But as soon as a proxy is set in the browser connection settings, bettercap is unable to see traffic. I guess this is normal, since with a proxy, traffic is going to the proxy server rather than the gateway.

Is it possible in such a setup to intercept traffic with bettercap? Is there any other way to achieve the same without bettercap?

bettercap -T 192.168.1.5 --proxy -P POST 
  • User IP: 192.168.1.5/24, G/w 192.168.1.1
  • Proxy Server IP: 172.27.0.50
  • Kali Linux (running bettercap): 192.168.1.10/24, G/w 192.168.1.1

My question is more about the topological scenario and how to overcome that. Bettercap is working perfectly.

I'm using this command.

bettercap -T x.x.x.x --proxy -P

and getting this output

[E] You're using bettercap as a normal HTTP(S) proxy, it wasn't designed to handle CONNECT requests:

CONNECT sam.msn.com:443 HTTP/1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Connection: Keep-Alive
Content-Length: 0
Host: sam.msn.com
Pragma: no-cache

My target is using IE 11 on Windows 7 with a proxy configured.

Proxy is on y.y.y.y:80

The target machine is not multi-homed. All its traffic is passing through the gateway only.

I don't have any access to target machine.

1 Answer

You will have to ask yourself how bettercap can get a hold of traffic.

You mention three distinct machines in your scenario:

  • User IP: 192.168.1.5/24, G/w 192.168.1.1
  • Proxy Server IP: 172.27.0.50
  • Kali Linux (running bettercap): 192.168.1.10/24, G/w 192.168.1.1

But in order to better understand what's going on, you need to be clear that there is another machine here, so the list would be:

  • User IP: 192.168.1.5/24
  • Kali Linux (running bettercap): 192.168.1.10/24
  • Gateway-Machine: 192.168.1.1
  • Proxy Server IP: 172.27.0.50

Obviously, your proxy server sits on an entirely different network segment than your other three machines.

Question: Is that some in-house proxy or is the proxy possibly provided by your ISP?

In case it is an in-house proxy, it can be reached from the User machine 192.168.1.5 either through the default gateway 192.168.1.1 or there must be a separate route defined to that network.

You are not saying what OS your User machine is running, but try some commands along the lines of

traceroute 172.27.0.50

or

ip route show

to understand which way traffic to your proxy server takes. This will possibly help you understand how, or why not, you can eavesdrop on the traffic.

Another question:

Might it be the case that your User machine is multi-homed, i.e. it has multiple network interfaces, one connected to the 192.168.1.1/24 network and another one connected to the 172.x.x.x network? That would be a perfect explanation.

Otherwise if there are no special routes and all traffic passes through 192.168.1.1 either with or without proxy, there is no good reason why you would see the traffic in one case and not see it in the other. Unless you have any filters set you forgot to tell us about, so make sure you sniff all traffic originating from or going to 192.168.1.5 on all ports!

TorstenS
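An added example, not part of the original answer: a small Python check that reads `ip route show` output and reports which route traffic to the proxy 172.27.0.50 takes, for the two cases the answer distinguishes. Both routing tables are constructed samples; the `eth0`/`eth1` names, the 172.27.0.0/16 prefix and the 172.27.0.77 address are assumptions, and route metrics are ignored.

```python
import ipaddress

# Constructed `ip route show` output for the user machine 192.168.1.5.
SINGLE_HOMED = """\
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.5
"""
# Same machine with a hypothetical second interface on the proxy's network.
MULTI_HOMED = SINGLE_HOMED + """\
172.27.0.0/16 dev eth1 proto kernel scope link src 172.27.0.77
"""

SKIP = ("unreachable", "blackhole", "prohibit", "broadcast", "local")

def parse_routes(text):
    """Return (network, gateway_or_None, device) for each unicast route line."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] in SKIP:
            continue
        prefix = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        net = ipaddress.ip_network(prefix, strict=False)
        via = tok[tok.index("via") + 1] if "via" in tok else None
        dev = tok[tok.index("dev") + 1] if "dev" in tok else None
        routes.append((net, via, dev))
    return routes

def next_hop(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    net, via, dev = max(matches, key=lambda r: r[0].prefixlen)
    return {"route": str(net), "gateway": via, "dev": dev, "on_link": via is None}

def passes_gateway(route_text, dst, gateway):
    """True if packets to dst are handed to `gateway` as their next hop."""
    hop = next_hop(parse_routes(route_text), dst)
    return hop is not None and hop["gateway"] == gateway

if __name__ == "__main__":
    for name, table in (("single-homed", SINGLE_HOMED), ("multi-homed", MULTI_HOMED)):
        print(name, next_hop(parse_routes(table), "172.27.0.50"))
```

In the single-homed table the proxy is reached via 192.168.1.1, the same next hop as direct traffic; in the multi-homed table it leaves on the second interface and never crosses the 192.168.1.0/24 gateway.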