Fuylo

Posts posted by Fuylo

  1. On 2/20/2016 at 6:52 PM, sud0nick said:

    I've been working on this all day and I think I got my hopes up too high for Bettercap. It seems like a great tool and definitely has a lot of modularity but it still doesn't conquer HSTS. I'll lay out the testing environment I used today and what I experienced. If anyone else has better results please let me know how you accomplished them.

    Method 1:
    • Set up BackBox Linux with Bettercap on my home network containing multiple end user devices.

    • Access websites with MBP and Windows 10 desktop which are connected to the same network.

    Method 2:
    • Using Backbox Linux, hostapd, dnsmasq, iptables, and the Alfa AWUS036NEH, I set up an AP on my laptop to become an actual MITM.
    • Connected MBP to evil AP.

    The following commands were used during both methods:

    bettercap -X -I wlan0
    bettercap -X -L wlan0
    bettercap -X --proxy-https -I wlan0

    The first command tells Bettercap to sniff all traffic in the subnet associated with wlan0 (in this case 192.168.1.0/24). Bettercap immediately found a bunch of targets (including my NAS, Domain Controller, Printer, laptops, phones, etc) and began displaying a bunch of traffic. I hopped on my MBP to see what would be captured when I browsed the internet but the network was brought to a halt. So I switched to my desktop and found the same issue. I pressed Ctrl+C in Bettercap and after a few seconds it stopped and my network came back up.

    I tested this out a few more times throughout the day and at various points the network was either down completely or dragging very slowly, while at other times it seemed to work just fine. I did notice if I killed the connection to my VPN on Windows that I could get back out to the internet (didn't try on my MBP) but this only worked once or twice. Most of the time I couldn't browse to any sites at all.

    Then I attempted to use Method 2 and the second command (with -L to sniff local traffic on my laptop) and it seemed when I connected my MBP to the evil AP it was able to get out to the internet just fine. All of the traffic was logged with the protocol being used but since everything was HTTPS I couldn't view any of the data.

    The final command I used (this time using Method 1 again) enabled the HTTPS proxy server in Bettercap. This is a really cool built-in feature but it didn't work out as I had hoped. I hopped back on my MBP, and my desktop, and noticed the network was super slow again. I browsed to www[.]facebook[.]com, https://www[.]facebook[.]com, and https://wwww[.]facebook[.]com. The one with four w's seemed to work until I noticed on my MBP that Chrome had the "Your Connection is Not Secure" message. I clicked the "Advanced" link hoping it would let me bypass the invalid certificate but it said due to HSTS I wasn't allowed to continue. I tried to browse to a couple different sites, including these forums, on my desktop but nothing loaded as if I wasn't even connected to the internet.

    Like I mentioned before I was able to see src, dst, proto, and url so I was able to tell that my wife was spending all day on Facebook on her phone but I got nothing beyond that. I probably missed a couple steps in this post but it's difficult for me to condense all of the setup, troubleshooting, and testing to a few lines. If I wasn't clear enough about my testing I'll be glad to answer any questions you may have. Overall it seems like a great tool but it certainly doesn't defeat HSTS and I'm kinda bummed it slows down the network so much.

    A couple of things:

    Have you tried using -T to specify a target? I don't believe I've ever been able to get anything more than wireshark-style packet sniffing without specifying a target along with the HTTP proxy command. Look at the bettercap website for details.

    Is there a reason you're using BackBox? Not that there's really anything wrong with it, but I'm pretty sure you're going to get better support, better compatibility with Ruby, and more up-to-date libraries with newer Kali and Debian distros. Don't expect newer tools (especially pen-testing tools) that are updated frequently to work with a distro that hasn't updated its downloadable image in over 6 months. That's a pretty long time in the world of infosec.

    Also, try testing against different browsers, and try getting creative with JavaScript and BeEF. This tool was built IMO to make it easier for session hijacking; not script-kiddy-ing through SSL stripping (though you can in certain situations). I've tested it against the newest version of Mozilla Firefox (as of Jan 2017) and SSL stripping worked well. It didn't work against Safari or Chrome.

    As for those wondering about getting it to work on the pineapple: save yourself finding out that the pineapple doesn't run it well and just get a RasPi 3 with Kali. My mobile setup is a Nano with an Alfa AWUS036NH added to it, RasPi 3 Model B configured to auto-connect to the MGMT AP on the Pineapple on boot, running Kali with Bettercap. I control the Nano via web UI on my iPhone, and the RasPi 3 via vSSH lite (free SSH), all battery powered. The Alfa card is used for the mgmt AP, and the range is fantastic. With some practice you can do a ton of really cool stuff with it.
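The thread's central observation (Chrome refusing to let sud0nick click past the proxy's certificate, and the four-w host being covered too) is exactly what RFC 6797 HSTS processing prescribes. The following Python model, written as an added illustration for this thread and not code from either poster or from bettercap, shows the browser-side logic: a header parser, the per-host policy cache, the in-browser http-to-https rewrite that happens before any packet reaches the network, and the rule that certificate errors on a known HSTS host are non-bypassable. The facebook.com policy, the header values and the clock value are constructed stand-ins (facebook.com is really covered by Chrome's preload list, which the model approximates with a cached entry); an audit helper at the end is the check a site operator would run against their own header.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Toy model of a browser's HSTS (RFC 6797) behaviour, added as an illustration
# for this thread. It is not bettercap or browser code and does no network I/O.

@dataclass
class HstsPolicy:
    expires_at: float         # absolute time in seconds when the policy lapses
    include_subdomains: bool

def parse_sts_header(value: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    None means malformed or missing max-age, which a browser silently ignores."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r"\d+", arg):
                return None                   # duplicate or non-numeric max-age
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub, "preload": preload}

class HstsStore:
    """The per-host policy cache a browser keeps across visits."""
    def __init__(self) -> None:
        self._policies: Dict[str, HstsPolicy] = {}

    def observe(self, host: str, header_value: str, now: float) -> bool:
        """Record the header a valid, error-free HTTPS response carried. A forged
        certificate never gets this far, so a proxy cannot plant or extend policies.
        Returns True when the cache changed."""
        parsed = parse_sts_header(header_value)
        if parsed is None:
            return False
        host = host.lower()
        if parsed["max_age"] == 0:            # max-age=0 revokes an existing policy
            return self._policies.pop(host, None) is not None
        self._policies[host] = HstsPolicy(now + parsed["max_age"],
                                          parsed["include_subdomains"])
        return True

    def is_known(self, host: str, now: float) -> bool:
        """True if host, or a parent flagged includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None or policy.expires_at <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

def process_navigation(store: HstsStore, url: str, now: float) -> dict:
    """Apply RFC 6797 section 8.3 to a navigation before any packet is sent."""
    m = re.fullmatch(r"(https?)://([^/:]+)(?::(\d+))?(/.*)?", url)
    if m is None:
        raise ValueError(f"unsupported URL: {url!r}")
    scheme, host, port, path = m.groups()
    known = store.is_known(host, now)
    if scheme == "http" and known:
        scheme = "https"                      # upgrade happens inside the browser
        port = "443" if port == "80" else port
    rebuilt = f"{scheme}://{host}" + (f":{port}" if port else "") + (path or "/")
    # On a known HSTS host any certificate error is fatal: there is no
    # "Advanced -> proceed" link, which is the wall sud0nick hit in Chrome.
    return {"url": rebuilt, "hsts_host": known, "cert_errors_bypassable": not known}

def audit_sts_header(value: Optional[str]) -> List[str]:
    """Site-operator check: list weaknesses in the header your server sends."""
    if value is None:
        return ["no Strict-Transport-Security header: every first visit is strippable"]
    parsed = parse_sts_header(value)
    if parsed is None:
        return ["malformed header: browsers ignore it"]
    findings = []
    if parsed["max_age"] < 31536000:          # one year, the preload-list minimum
        findings.append(f"max-age={parsed['max_age']} is below one year")
    if not parsed["include_subdomains"]:
        findings.append("includeSubDomains missing: sibling hosts stay strippable")
    return findings

if __name__ == "__main__":
    store, t0 = HstsStore(), 1_455_000_000.0   # constructed clock value
    # Constructed stand-in for the policy a browser already holds for facebook.com.
    store.observe("facebook.com", "max-age=15552000; includeSubDomains; preload", t0)
    for target in ("http://www.facebook.com/", "http://wwww.facebook.com/",
                   "http://example.org/login"):
        print(target, "->", process_navigation(store, target, t0 + 60))
    print(audit_sts_header("max-age=300"))
```

Two points the model makes concrete: the upgrade and the non-bypassable error page both come from state the browser already holds, so nothing an on-path proxy sends on the first hop changes the outcome for a host the browser knows; and `audit_sts_header` shows what leaves your own site exposed, namely a missing header, a short max-age, or no includeSubDomains.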
