hack_postconnect_bypasshttps
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| hack_postconnect_bypasshttps [2020/05/31 16:18] – [HTTPS] gman | hack_postconnect_bypasshttps [2020/05/31 18:09] (current) – [HSTS Hijack] gman | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== HTTPS ====== | + | ====== |
| Since TlS/SSL that encrypts https is so difficult to crack, the easiest solution to getting into an https connection is to downgrade https to http. | Since TlS/SSL that encrypts https is so difficult to crack, the easiest solution to getting into an https connection is to downgrade https to http. | ||
| Line 8: | Line 8: | ||
| - | ====== HSTS Hijack | + | ===== HTTPS Hijack ===== |
| - | MITM Attack using a BetterCap caplet: hstshijack | + | MITM Attack using a **BetterCap** caplet: hstshijack |
| * The one that comes with BetterCap is buggy. Zaid modified it to work... | * The one that comes with BetterCap is buggy. Zaid modified it to work... | ||
| * {{ : | * {{ : | ||
| + | |||
| + | **NOTE:** This will downgrade any https connection to http **as long as** the target web site uses https **not** [[https:// | ||
| + | * You'll see the site loads with https (lock visible) not http. | ||
| Suggestion: modify your spoof.cap: | Suggestion: modify your spoof.cap: | ||
| - | * Add option BEFORE to " | + | * Add option BEFORE to " |
| * This option tells Bettercap to sniff all data even if it thinks the data is local data. Once we use the https caplet, the data will seem to have been sent from your local computer. | * This option tells Bettercap to sniff all data even if it thinks the data is local data. Once we use the https caplet, the data will seem to have been sent from your local computer. | ||
| * Your spoof.cap should include the following lines (or create a new caplet): | * Your spoof.cap should include the following lines (or create a new caplet): | ||
| Line 27: | Line 30: | ||
| net.sniff on | net.sniff on | ||
| </ | </ | ||
| + | |||
| + | Run Bettercap with the custom spoof caplet: | ||
| + | |||
| + | < | ||
| + | |||
| + | Once you successfully run that (should have arp.spoof, net.probe/ | ||
| + | * From inside bettercap, run ``caplets.show`` to see all the available caplets. | ||
| + | * To run a caplet you simply type its name at the bettercap prompt. | ||
| + | * If you see no errors, it executed as expected. | ||
| + | |||
| + | ---- | ||
| + | |||
| + | ===== HSTS Hijack ===== | ||
| + | |||
| + | **HSTS: HTTP Strict Transport Security** | ||
| + | * Modern browsers are hard-coded to only load a list of HSTS websites over https (this is a local check done by the browser on the client/ | ||
| + | * Because this is a function of the browser on the client (target), the MITM hijack is defeated. | ||
| + | |||
| + | The only way around this is to make the browser think it is loading another web site. | ||
| + | * Replace all links for HSTS websites with similar links. | ||
| + | * facebook.com replaced with facebook.corn | ||
| + | * twitter.com replaced with twiter.com | ||
| + | * These are configured in hstshijack.cap | ||
| + | |||
| + | Even with this hack, if the client/ | ||
| + | * This is because the browser has a check list and will not load certain sites if they cannot be loaded over https. | ||
| + | |||
| + | This will only work if the client/ | ||
| + | * Example: google.ie | ||
| + | * On that search site, search for facebook... our MITM hijack will replace all facebook.com urls with facebook.corn | ||
| + | * This still might not work with updated browsers. | ||
| ---- | ---- | ||
hack_postconnect_bypasshttps.1590941923.txt.gz · Last modified: by gman