cooper, posted February 15, 2016:
Nice article that explains the process and execution: https://www.bettercap.org/blog/sslstripping-and-hsts-bypass
Maddog1929, posted February 15, 2016:
Now all I need to do is find a tut on installing bettercap on to my Pineapple Nano, then maybe portable MITM will actually be easy again.
Maddog1929, posted February 16, 2016:
Maddog1929 said: Now all I need to do is find a tut on installing bettercap on to my Pineapple Nano, then maybe portable MITM will actually be easy again.
Been toying around with this for a while, can't get it to SSL strip any connections I give it. I hope someone makes a tut of some kind on how to just use the thing.
xrad, posted February 16, 2016:
Can bettercap even run on the Nano or Tetra?
InfiniteDevelopment, posted February 16, 2016:
This bettercap ish looks like it's what everyone has been looking for. I have long wondered if cred stealing using SSL degrade was going the way of kerosene... Glad to see the community feels the need for it just like I do. Is bettercap ported over to MK6 yet...?
dustbyter, posted February 16, 2016:
The first thing to confirm is whether the Nano can support Ruby. Bettercap is written in Ruby; my assumption is yes, but I have not confirmed it as I don't develop in Ruby. The next challenge would be to confirm whether all the code is written by bettercap, or whether they rely on any 3rd-party libraries, which may not be supported by the Nano. I'd start there first.
AlfAlfa, posted February 16, 2016 (edited February 16, 2016 by AlfAlfa):
Quoting the article: "For this reason, Leonardo Nve Egea presented sslstrip+ (or sslstrip2) during BlackHat Asia 2014."
2014? Is that right? I thought this was new... So this method still works? Perhaps this one wouldn't be so easy for the browsers to just fix, since it's technically changing the subdomain to a completely invalid one, but then you redirect it anyway since you're in control! Wouldn't it be more noticeable though if you catch an extra w in that URL! :) wwwW dot! (Well, it would only be noticeable if you looked at where the link points to, right?) Or it could be anything, but probably that would blend in the most.
dustbyter said: The first thing to confirm is whether the Nano can support Ruby. Bettercap is written in Ruby; my assumption is yes, but I have not confirmed it as I don't develop in Ruby. The next challenge would be to confirm whether all the code is written by bettercap, or whether they rely on any 3rd-party libraries, which may not be supported by the Nano. I'd start there first.
Yea, DataHead said he uses it on his Pineapple, so definitely Ruby can work on them!
jermzz, posted February 17, 2016:
sslstrip+ was incorporated into MITMf a while ago, along with a DNS server. When I tried using it to MITM my home network, HSTS still prevailed. No logins, https at the top of all the pages. Can someone explain how bettercap is different?
Maddog1929, posted February 17, 2016:
jermzz said: sslstrip+ was incorporated into MITMf a while ago, along with a DNS server. When I tried using it to MITM my home network, HSTS still prevailed. No logins, https at the top of all the pages. Can someone explain how bettercap is different?
As far as I can tell, it has active support, which I guess is supposed to raise its reliability. However, I've had similar results trying to MITM on my home network too. It properly sniffs all HTTP/HTTPS connections, but fails to strip them and constantly drops my 'clients'. However, I believe the last problem is my wireless card's fault.
cooper (thread author), posted February 19, 2016:
You should remember that HSTS isn't "broken". It's circumvented by having the user go to something that looks eerily similar, like wvvw.facebook.com or something. Since what you're connecting to will be a new domain (from your browser's perspective) that you never visited before, HSTS isn't a factor and thus allows the regular MitM process to occur.
karencho, posted February 20, 2016:
Hello, I used it today like this: "bettercap -T 192.168.1.104 --proxy-https -P POST". NOT WORKING, it gives me an error, "Your connection is not private"...... Can someone tell me whether it is possible to turn off the HSTS preload list with some JS script or something like this? One more thing: can you tell me why, when I am sniffing on my main computer, the internet connection is crashing down...... Same thing with Ettercap sniffing, and with cSploit on an Android device... when I am sniffing with these programs my internet connection is crashing down. Can anyone tell me why, or how to fix it?
sud0nick, posted February 20, 2016 (edited February 20, 2016 by sud0nick):
I've been working on this all day and I think I got my hopes up too high for Bettercap. It seems like a great tool and definitely has a lot of modularity, but it still doesn't conquer HSTS. I'll lay out the testing environment I used today and what I experienced. If anyone else has better results, please let me know how you accomplished them.

Method 1:
• Set up BackBox Linux with Bettercap on my home network containing multiple end-user devices.
• Access websites with the MBP and a Windows 10 desktop which are connected to the same network.

Method 2:
• Using BackBox Linux, hostapd, dnsmasq, iptables, and the Alfa AWUS036NEH, I set up an AP on my laptop to become an actual MITM.
• Connected the MBP to the evil AP.

The following commands were used during both methods:
bettercap -X -I wlan0
bettercap -X -L wlan0
bettercap -X --proxy-https -I wlan0

The first command tells Bettercap to sniff all traffic in the subnet associated with wlan0 (in this case 192.168.1.0/24). Bettercap immediately found a bunch of targets (including my NAS, Domain Controller, printer, laptops, phones, etc.) and began displaying a bunch of traffic. I hopped on my MBP to see what would be captured when I browsed the internet, but the network was brought to a halt. So I switched to my desktop and found the same issue. I pressed Ctrl+C in Bettercap and after a few seconds it stopped and my network came back up. I tested this out a few more times throughout the day, and at various points the network was either down completely or dragging very slowly, while at other times it seemed to work just fine. I did notice that if I killed the connection to my VPN on Windows I could get back out to the internet (didn't try on my MBP), but this only worked once or twice. Most of the time I couldn't browse to any sites at all.

Then I attempted to use Method 2 and the second command (with -L to sniff local traffic on my laptop), and it seemed that when I connected my MBP to the evil AP it was able to get out to the internet just fine. All of the traffic was logged with the protocol being used, but since everything was HTTPS I couldn't view any of the data.

The final command I used (this time using Method 1 again) enabled the HTTPS proxy server in Bettercap. This is a really cool built-in feature, but it didn't work out as I had hoped. I hopped back on my MBP, and my desktop, and noticed the network was super slow again. I browsed to www[.]facebook[.]com, https://www[.]facebook[.]com, and https://wwww[.]facebook[.]com. The one with four w's seemed to work until I noticed on my MBP that Chrome had the "Your Connection is Not Secure" message. I clicked the "Advanced" link hoping it would let me bypass the invalid certificate, but it said that due to HSTS I wasn't allowed to continue. I tried to browse to a couple of different sites, including these forums, on my desktop, but nothing loaded, as if I wasn't even connected to the internet. Like I mentioned before, I was able to see src, dst, proto, and url, so I was able to tell that my wife was spending all day on Facebook on her phone, but I got nothing beyond that.

I probably missed a couple of steps in this post, but it's difficult for me to condense all of the setup, troubleshooting, and testing to a few lines. If I wasn't clear enough about my testing, I'll be glad to answer any questions you may have. Overall it seems like a great tool, but it certainly doesn't defeat HSTS and I'm kinda bummed it slows down the network so much.
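Cooper's point above (HSTS only matters for hosts the browser already holds a policy for) and sud0nick's observation (the four-w variant still hit the HSTS wall) both follow from how a browser's HSTS store is consulted. The following Python model is an added example written for this thread, not bettercap code; the preload entry for facebook.com and the shop.example header are assumptions constructed for the demonstration.

```python
import re
import time

# Constructed example: a tiny model of a browser's HSTS policy store.
# Assumption for the example: facebook.com is preloaded with includeSubDomains,
# so the browser has a policy for it before any request is ever sent.
PRELOAD = {"facebook.com": True}   # host -> includeSubDomains


class HstsStore:
    def __init__(self, preload=PRELOAD):
        # host -> (expiry as epoch seconds, includeSubDomains flag)
        self.entries = {}
        for host, include_sub in preload.items():
            self.entries[host.lower()] = (float("inf"), include_sub)

    def observe_header(self, host, header, now=None):
        """Record a Strict-Transport-Security response header.

        Browsers only honour this header on a response received over HTTPS
        with a valid certificate; the caller is responsible for that rule.
        Returns True if the store changed.
        """
        now = time.time() if now is None else now
        m = re.search(r'max-age\s*=\s*"?(\d+)', header, re.I)
        if not m:
            return False                      # malformed header is ignored
        host = host.lower()
        if int(m.group(1)) == 0:
            # max-age=0 tells the browser to forget the policy for this host
            return self.entries.pop(host, None) is not None
        include_sub = re.search(r"includeSubDomains", header, re.I) is not None
        self.entries[host] = (now + int(m.group(1)), include_sub)
        return True

    def must_upgrade(self, host, now=None):
        """True if the browser rewrites http:// to https:// for this host
        and refuses to click through a certificate error."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry[0] < now:
                continue                      # unknown or expired policy
            if i == 0 or entry[1]:            # exact host, or parent w/ includeSubDomains
                return True
        return False


def walkthrough(now=1_000_000):
    """Replays the thread's scenarios against a fresh store."""
    store = HstsStore()
    # Constructed: shop.example sends a one-year policy without includeSubDomains.
    store.observe_header("shop.example", "max-age=31536000", now=now)
    return {
        "www.facebook.com": store.must_upgrade("www.facebook.com", now),
        "wwww.facebook.com": store.must_upgrade("wwww.facebook.com", now),  # four w's
        "shop.example": store.must_upgrade("shop.example", now),
        "login.shop.example": store.must_upgrade("login.shop.example", now),
        "never-visited.example": store.must_upgrade("never-visited.example", now),
    }
```

The walkthrough shows why a lookalike under a preloaded includeSubDomains domain is still forced to HTTPS, while only a host the browser has no policy for at all (a different registrable domain, or one whose policy expired) is treated as plain HTTP.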
513RR4, posted February 26, 2016:
Is anybody following this topic with the new update of bettercap 1.4.4? https://www.bettercap.org/blog/server-name-indication/ I am stuck at the part where I have to install the bettercap-ca.pem file on the target device (Windows 10). I followed the link with the instructions for Windows, but in the Certificate Manager, when I import the file, it seems that Windows does not allow .pem certificates, and I can't find a way to convert the .pem to a valid one. Can somebody help me please!
jermzz, posted March 1, 2016:
Seems kinda pointless if you have to physically access the computer you're trying to compromise. If I could do that, there are other ways to get this done. This is supposed to be a remote network sniff scenario.
Whistle Master, posted March 27, 2016:
I tried to run bettercap on the Nano, but it does indeed require native libraries such as eventmachine which are not working on the Nano and have to be cross-compiled. I'm working on it and hope to have it running soon.
dustbyter said: The first thing to confirm is whether the Nano can support Ruby. Bettercap is written in Ruby; my assumption is yes, but I have not confirmed it as I don't develop in Ruby. The next challenge would be to confirm whether all the code is written by bettercap, or whether they rely on any 3rd-party libraries, which may not be supported by the Nano. I'd start there first.
513RR4, posted April 17, 2016:
Whistle Master said: I tried to run bettercap on the Nano, but it does indeed require native libraries such as eventmachine which are not working on the Nano and have to be cross-compiled. I'm working on it and hope to have it running soon.
Do you have any update?
CB99, posted September 10, 2016:
1 Nano + Pi3 running Bettercap = SSL stripping. This setup works quite well for me and is portable.
kleo, posted September 21, 2016:
On 9/9/2016 at 9:58 PM, CB99 said: 1 Nano + Pi3 running Bettercap = SSL stripping. This setup works quite well for me and is portable.
I'm currently setting this up, can you share some tips on your setup? Does this work on mobile devices?
papasan, posted September 21, 2016:
On 10 September 2016 at 3:58 AM, CB99 said: 1 Nano + Pi3 running Bettercap = SSL stripping. This setup works quite well for me and is portable.
Nice, it should be possible to use an Alfa USB stick and a Pi3 as well, right? What distro do you use on the Pi3?
Rainman_34, posted September 21, 2016:
What about running Kali with bettercap on a BeagleBone Black?
yonomas, posted October 25, 2016:
On 9/9/2016 at 9:58 PM, CB99 said: 1 Nano + Pi3 running Bettercap = SSL stripping. This setup works quite well for me and is portable.
Could you explain more about it?
Fuylo, posted January 17, 2017:
On 2/20/2016 at 6:52 PM, sud0nick said: [quotes sud0nick's full test report above]
A couple of things:

Have you tried using -T to specify a target? I don't believe I've ever been able to get anything more than Wireshark-style packet sniffing without specifying a target along with the HTTP proxy command. Look at the bettercap website for details.

Is there a reason you're using BackBox? Not that there's really anything wrong with it, but I'm pretty sure you're going to get better support, better compatibility with Ruby, and more up-to-date libraries with newer Kali and Debian distros. Don't expect newer tools (especially pen-testing tools) that are updated frequently to work with a distro that hasn't updated its downloadable image in over 6 months. That's a pretty long time in the world of infosec.

Also, try testing against different browsers, and try getting creative with JavaScript and BeEF. This tool was built, IMO, to make it easier for session hijacking, not script-kiddying through SSL stripping (though you can in certain situations). I've tested it against the newest version of Mozilla Firefox (as of Jan 2017) and SSL stripping worked well. It didn't work against Safari or Chrome.

As for those wondering about getting it to work on the Pineapple: save yourself finding out that the Pineapple doesn't run it well and just get a RasPi 3 with Kali. My mobile setup is a Nano with an Alfa AWUS036NH added to it, and a RasPi 3 Model B configured to auto-connect to the MGMT AP on the Pineapple on boot, running Kali with Bettercap. I control the Nano via the web UI on my iPhone, and the RasPi 3 via vSSH Lite (free SSH), all battery powered. The Alfa card is used for the MGMT AP, and the range is fantastic. With some practice you can do a ton of really cool stuff with it.
Fuylo, posted January 17, 2017:
Also, I forgot to mention that a USB hub with a burner Android with USB tethering/prepaid data is used for the internet connection (when applicable).
sud0nick, posted January 18, 2017:
8 hours ago, Fuylo said: Is there a reason you're using BackBox? Not that there's really anything wrong with it, but I'm pretty sure you're going to get better support, better compatibility with Ruby, and more up-to-date libraries with newer Kali and Debian distros. Don't expect newer tools (especially pen-testing tools) that are updated frequently to work with a distro that hasn't updated its downloadable image in over 6 months. That's a pretty long time in the world of infosec.
I posted that almost a year ago... I doubt any of it is relevant anymore.
Fuylo, posted January 18, 2017:
17 hours ago, sud0nick said: I posted that almost a year ago... I doubt any of it is relevant anymore.
True... Good grief, I need to look at the post dates, sorry about that M8!