https redirect to http

[sirsanta]

hiii i have make some fake pages for known pages like Facebook etc i have also install dnsmasq in Kali and setup Apache server and every thing is okay now when the victim visit Facebook in chrome for example it will told him that this is unsecured cuz of https is there any way or tools in Kali to avoid that or any other thing would be greet thanks :)

[Sildaekar]

Short Answer: No

Long Answer: Yes. Get a SSL cert signed by a CA and install it on your server. The only downside is that this will require you to pay for it ($50 - $100 / year) and it is highly unlikely that this would happen in a real world scenario as anyone that is up to anything malicious is not going to link their real name with the attack. Also the cert will be locked in to a domain so you would have to register the domain as well (about $10/yr).

Best course: Just stick with the setup you have, most users are just going to accept it anyways without even looking. Just generate a self-signed cert made out to Facebook Inc. or something (make it look professional) and they probably won't even care.

Edited June 7, 2015 by Sildaekar

[cooper]

Problem is facebook is one of those sites whose public key is included within the keystore of most browsers, so your site can't have a domain name like facebook.com because the browser itself will rat you out.

[digininja]

I think what you are seeing is probably because of the HSTS header that Facebook set:

$ curl -I https://www.facebook.com
HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Strict-Transport-Security: max-age=15552000; preload
X-Frame-Options: DENY
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com; httponly
Set-Cookie: reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com; httponly
Vary: Accept-Encoding
Content-Type: text/html
X-FB-Debug: Qg9TDj+nh4GBt5zuZ3StBlnvkk6PxBozYm/+pRjGM9GBRtTMFf2mgT6PQGyT82nt4j5pVCmQFk1lFtk8nuCL/w==
Date: Sun, 07 Jun 2015 19:17:57 GMT
Connection: keep-alive

In which case you would have to deliver the site over HTTPS and to do that would need a legit certificate which you aren't going to be able to get.

[sirsanta]

so sslstrip or sslsplit dnsspoof arpspoof all of these tools guys is no thing . there is must be some thing am sure even if we could make the user in local network click certificate to install it in the browser when it popup many would do this blind am sure there is sneaky way but we have to discover it .... any ideas

[digininja]

If, as Cooper says, the certificate is pinned in the browser then not much you can do, even if you had him trust your CA then the certificate wouldn't match the expected one so the user would get warnings.

Before we go any further on this, what networks are you running this on?

[digip]

I think some sites also do preloaded HSTS, but not sure how you look this up on browsers other than older Chromium since you could look at the source code.

Nice post by someone explaining a little bit about SSL Pinning and the pre-loaded HSTS stuff, which you can override in some browsers if you have access to the machines. This would be something you might find in a corporate lan that companies might use self signed certificates on the proxy, or for internal servers that touch a DMZ, but I could see this going the other way in helping attacks not only see the encrypted traffic, but keeping their actions within this ssl space on the network where others can't read what may be injected onto the wire.

​ https://www.imperialviolet.org/2011/05/04/pinning.html

The chrome trick works in latest opera as well, since it's based in part on chrome

opera://net-internals/#hsts

If I understand this correctly, here you could, theoretically, install your own over-riding HSTS certificates pins with certs you own so you can decrypt traffic, but, if you have that level of access to a victims machine, you should in fact be able to hook to other data to get at things you want more than just sniffing the login to facebook. I have no idea how you actually pull of the attack, but I have a feeling someone else could probably figure it out if they kept at it and tested it out.

​Preloades sites in Chromium based browsers:

https://code.google.com/p/chromium/codesearch#chromium/src/net/http/transport_security_state_static.json

I have a feeling older IE browsers don't yet implement the pre-loaded HSTS stuff and is why people still report SSL strip working against IE based browsers but not on other things like latest Chrome, FF and Opera

Edited June 8, 2015 by digip

[Sildaekar]

I have a feeling older IE browsers don't yet implement the pre-loaded HSTS stuff and is why people still report SSL strip working against IE based browsers but not on other things like latest Chrome, FF and Opera

Just to add a little bit more to your comment on IE, you are correct. Currently it seems as though IE does not support HSTS but it will in Windows 10, and if the victim is currently running a release client for Windows 10 it is working.

http://blogs.msdn.com/b/ie/archive/2015/02/16/http-strict-transport-security-comes-to-internet-explorer.aspx

[cooper]

Did people notice this little IE/Bing problem too?

As with everything, the next version will fix all the old problems and create a nice stack of new ones. We'll see what Edge brings to the table...