Since TlS/SSL that encrypts https is so difficult to crack, the easiest solution to getting into an https connection is to downgrade https to http.

We set up MITM and when the client requests the https version of the desired web site, we give him the https version.

MITM Attack using a BetterCap caplet: hstshijack

• The one that comes with BetterCap is buggy. Zaid modified it to work…
• Download , copy, and paste to: /usr/share/bettercap/caplets/

NOTE: This will downgrade any https connection to http as long as the target web site uses https not hsts.

• You'll see the site loads with https (lock visible) not http.

Suggestion: modify your spoof.cap:

• Add option BEFORE to “net.sniff on”: set net.sniff.local true
• This option tells Bettercap to sniff all data even if it thinks the data is local data. Once we use the https caplet, the data will seem to have been sent from your local computer.
• Your spoof.cap should include the following lines (or create a new caplet):

net.probe on
set arp.spoof.fullduplex true
set arp.spoof.targets 10.0.0.142  # change IP to target, use comma for multiple [REMOVE THIS COMMENT BEFORE USING]
arp.spooof on
set net.sniff.local true
net.sniff on

Run Bettercap with the custom spoof caplet:

bettercap -iface [interface name] -caplet /path/to/caplet.cap

Once you successfully run that (should have arp.spoof, net.probe/recon/sniff), run the hsts caplet:

• From inside bettercap, run ``caplets.show`` to see all the available caplets.
• To run a caplet you simply type its name at the bettercap prompt.
• If you see no errors, it executed as expected.

HSTS: HTTP Strict Transport Security

• Modern browsers are hard-coded to only load a list of HSTS websites over https (this is a local check done by the browser on the client/target machine).
• Because this is a function of the browser on the client (target), the MITM hijack is defeated.

The only way around this is to make the browser think it is loading another web site.

• Replace all links for HSTS websites with similar links.
• facebook.com replaced with facebook.corn
• twitter.com replaced with twiter.com
• These are configured in hstshijack.cap

Even with this hack, if the client/target types in facebook.com, this will NOT work.

• This is because the browser has a check list and will not load certain sites if they cannot be loaded over https.

This will only work if the client/target uses a search engine that does not use https first to search for the site to access.

• Example: google.ie
• On that search site, search for facebook… our MITM hijack will replace all facebook.com urls with facebook.corn
• This still might not work with updated browsers.