Differences

This shows you the differences between two versions of the page.

--- hack_postconnect_bypasshttps [2020/05/31 15:55] – created gman
+++ hack_postconnect_bypasshttps [2020/05/31 18:09] (current) – [HSTS Hijack] gman
@@ Line 1: / Line 1: @@
-====== HTTPS ======
+====== Bypass HTTPS ======
 Since TlS/SSL that encrypts https is so difficult to crack, the easiest solution to getting into an https connection is to downgrade https to http.
-We set up MITM and when the client requests the https version of the desired web site, we give him the https version.
+We set up **MITM** and when the client requests the https version of the desired web site, we give him the https version.
-====== Bettercap ======
+----
-BetterCap has a caplet to perform this: hstshijack
+===== HTTPS Hijack =====
+MITM Attack using a **BetterCap** caplet: hstshijack
   * The one that comes with BetterCap is buggy. Zaid modified it to work...
   * {{ :zaid_hacking:hstshijack.zip | Download }}, copy, and paste to: /usr/share/bettercap/caplets/
+**NOTE:** This will downgrade any https connection to http **as long as** the target web site uses https **not** [[https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security|hsts]].
+  * You'll see the site loads with https (lock visible) not http.
 Suggestion: modify your spoof.cap:
-  * Add option BEFORE to "net.sniff on": set net.sniff.local true
+  * Add option BEFORE to "net.sniff on": ''set net.sniff.local true''
   * This option tells Bettercap to sniff all data even if it thinks the data is local data. Once we use the https caplet, the data will seem to have been sent from your local computer.
   * Your spoof.cap should include the following lines (or create a new caplet):
@@ Line 18: / Line 24: @@
 <code>
 net.probe on
-net.recon on
 set arp.spoof.fullduplex true
-set arp.spoof.targets 10.0.0.142  # change IP to target, use comma for multiple
+set arp.spoof.targets 10.0.0.142  # change IP to target, use comma for multiple [REMOVE THIS COMMENT BEFORE USING]
 arp.spooof on
 set net.sniff.local true
 net.sniff on
 </code>
+Run Bettercap with the custom spoof caplet:
+<code>bettercap -iface [interface name] -caplet /path/to/caplet.cap</code>
+Once you successfully run that (should have arp.spoof, net.probe/recon/sniff), run the hsts caplet:
+  * From inside bettercap, run ``caplets.show`` to see all the available caplets.
+  * To run a caplet you simply type its name at the bettercap prompt.
+  * If you see no errors, it executed as expected.
+----
+===== HSTS Hijack =====
+**HSTS: HTTP Strict Transport Security**
+  * Modern browsers are hard-coded to only load a list of HSTS websites over https (this is a local check done by the browser on the client/target machine).
+  * Because this is a function of the browser on the client (target), the MITM hijack is defeated.
+The only way around this is to make the browser think it is loading another web site.
+  * Replace all links for HSTS websites with similar links.
+  * facebook.com replaced with facebook.corn
+  * twitter.com replaced with twiter.com
+  * These are configured in hstshijack.cap
+Even with this hack, if the client/target types in facebook.com, this will NOT work.
+  * This is because the browser has a check list and will not load certain sites if they cannot be loaded over https.
+This will only work if the client/target uses a search engine that does not use https first to search for the site to access.
+  * Example: google.ie
+  * On that search site, search for facebook... our MITM hijack will replace all facebook.com urls with facebook.corn
+  * This still might not work with updated browsers.
 ----