The gMan nixWiki

Because the mind is made of Teflon...

User Tools

Site Tools

You are here: start » hack_postconnect_bypasshttps
hack_postconnect_bypasshttps

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
hack_postconnect_bypasshttps [2020/05/31 16:52] – [HSTS Hijack] gmanhack_postconnect_bypasshttps [2020/05/31 18:09] (current) – [HSTS Hijack] gman
Line 1: Line 1:
-====== HTTPS ======+====== Bypass HTTPS ======
  
 Since TlS/SSL that encrypts https is so difficult to crack, the easiest solution to getting into an https connection is to downgrade https to http.  Since TlS/SSL that encrypts https is so difficult to crack, the easiest solution to getting into an https connection is to downgrade https to http. 
Line 8: Line 8:
  
  
-====== HTTPS Hijack ======+===== HTTPS Hijack =====
  
 MITM Attack using a **BetterCap** caplet: hstshijack MITM Attack using a **BetterCap** caplet: hstshijack
Line 15: Line 15:
  
 **NOTE:** This will downgrade any https connection to http **as long as** the target web site uses https **not** [[https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security|hsts]].  **NOTE:** This will downgrade any https connection to http **as long as** the target web site uses https **not** [[https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security|hsts]]. 
 +  * You'll see the site loads with https (lock visible) not http.
  
 Suggestion: modify your spoof.cap:  Suggestion: modify your spoof.cap: 
Line 29: Line 30:
 net.sniff on net.sniff on
 </code> </code>
 +
 +Run Bettercap with the custom spoof caplet: 
 +
 +<code>bettercap -iface [interface name] -caplet /path/to/caplet.cap</code>
 +
 +Once you successfully run that (should have arp.spoof, net.probe/recon/sniff), run the hsts caplet: 
 +  * From inside bettercap, run ``caplets.show`` to see all the available caplets.
 +  * To run a caplet you simply type its name at the bettercap prompt.
 +  * If you see no errors, it executed as expected. 
 +
 +----
 +
 +===== HSTS Hijack =====
 +
 +**HSTS: HTTP Strict Transport Security**
 +  * Modern browsers are hard-coded to only load a list of HSTS websites over https (this is a local check done by the browser on the client/target machine).
 +  * Because this is a function of the browser on the client (target), the MITM hijack is defeated. 
 +
 +The only way around this is to make the browser think it is loading another web site. 
 +  * Replace all links for HSTS websites with similar links. 
 +  * facebook.com replaced with facebook.corn 
 +  * twitter.com replaced with twiter.com
 +  * These are configured in hstshijack.cap 
 +
 +Even with this hack, if the client/target types in facebook.com, this will NOT work. 
 +  * This is because the browser has a check list and will not load certain sites if they cannot be loaded over https.
 +
 +This will only work if the client/target uses a search engine that does not use https first to search for the site to access. 
 +  * Example: google.ie
 +  * On that search site, search for facebook... our MITM hijack will replace all facebook.com urls with facebook.corn
 +  * This still might not work with updated browsers.
  
 ---- ----
  
hack_postconnect_bypasshttps.1590943979.txt.gz · Last modified: by gman