Jump to content

HSTS bypass and SSL stripping


cooper
 Share

Recommended Posts

Now all i need to do is find a tut on installing bettercap on to my pineapple-nano, then maybe portable mitm will actually be easy again

Been toying around with this for a while, cant get it to ssl strip any connections I give it. I hope someone makes a tut of some kind on how to just use the thing

Link to comment
Share on other sites

The first thing to confirm is if the nano can support ruby. The bettercap is written using ruby, my assumption is yes, but I have not confirmed it as I don't develop in ruby.

The next challenge would be to confirm if all the code is written by bettercap, or if they rely on any 3rd party libraries, which may not be supported by the nano.

I'd start there first.

Link to comment
Share on other sites

For this reason, Leonardo Nve Egea presented sslstrip+ ( or sslstrip2 ) during BlackHat Asia 2014.

2014? Is that right? I thought this was new... So it still works this method? Perhaps this one wouldn't be so easy for the browsers to just fix since it's technically changing the subdomain to a completely invalid one, but then you redirect it anyway since you're in control!

Wouldn't it be more noticeable though if you catch an extra w in that url! :) wwwW dot! (well it would only be if you looked at the link where it points to right?) Or it could be anything but probably that would blend in the most.

The first thing to confirm is if the nano can support ruby. The bettercap is written using ruby, my assumption is yes, but I have not confirmed it as I don't develop in ruby.

The next challenge would be to confirm if all the code is written by bettercap, or if they rely on any 3rd party libraries, which may not be supported by the nano.

I'd start there first.

Yea DataHead said he uses it on his pineapple, so definitely ruby can work on them!

Edited by AlfAlfa
Link to comment
Share on other sites

Salatrip+ was incorporated into MITMf a while ago, along with a dns server. When I tried using it to mitm my home network, hsts still prevailed. No logins, https at the top of all the pages.

Can someone explain how bettercap is different?

As far as i can tell, it has active support which i guess is supposed to raise its reliability. However, ive had similar results trying to mitm on my home network too. It properly sniffs all http-https connections, but fails to strip them and constantly drops my 'clients'. However i believe the last problem is my wireless cards fault.

Link to comment
Share on other sites

You should remember that HSTS isn't "broken". It's circumvented by having the user go to something that looks eerily similar, like wvvw.facebook.com or something.

Since what you're connecting to will be a new domain (from your browser's perspective) that you never visited before in, HSTS isn't a factor and thus allows the regular MitM process to occur.

Link to comment
Share on other sites

hello,use it today like this "bettercap -T 192.168.1.104 --proxy-https -P POST" NOT WORKING give me an errors "Your connection is not private" ...... can someone tell me is there possible to turn off hsts preload list with some js script or something like this?

one more thing can you tell me when i am sniffing on my main computer internet connection is crushing down ..... same thing with Ettercap sniffing ,and with Csploit on android device ...when i am sniffing with tis programs my internet connection is crushing down,can anyone tell me why or how to fix it?

Link to comment
Share on other sites

I've been working on this all day and I think I got my hopes up too high for Bettercap. It seems like a great tool and definitely has a lot of modularity but it still doesn't conquer HSTS. I'll lay out the testing environment I used today and what I experienced. If anyone else has better results please let me know how you accomplished them.

Method 1:
• Setup Backbox Linux with Bettercap on my home network containing multiple end user devices.

• Access websites with MBP and Windows 10 desktop which are connected to the same network.

Method 2:
• Using Backbox Linux, hostapd, dnsmasq, iptables, and the Alfa AWUS036NEH, I set up an AP on my laptop to become an actual MITM.
• Connected MBP to evil AP.

The following commands were used during both methods:

bettercap -X -I wlan0
bettercap -X -L wlan0
bettercap -X --proxy-https -I wlan0

The first command tells Bettercap to sniff all traffic in the subnet associated with wlan0 (in this case 192.168.1.0/24). Bettercap immediately found a bunch of targets (including my NAS, Domain Controller, Printer, laptops, phones, etc) and began displaying a bunch of traffic. I hopped on my MBP to see what would be captured when I browsed the internet but the network was brought to a halt. So I switched to my desktop and found the same issue. I pressed Ctrl+C in Bettercap and after a few seconds it stopped and my network came back up.

I tested this out a few more times throughout the day and at various points the network was either down completely or dragging very slowly, while at other times it seemed to work just fine. I did notice if I killed the connection to my VPN on Windows that I could get back out to the internet (didn't try on my MBP) but this only worked once or twice. Most of the time I couldn't browse to any sites at all.

Then I attempted to use Method 2 and the second command (with -L to sniff local traffic on my laptop) and it seemed when I connected my MBP to the evil AP it was able to get out to the internet just fine. All of the traffic was logged with the protocol being used but since everything was HTTPS I couldn't view any of the data.

The final command I used (this time using Method 1 again) enabled the HTTPS proxy server in Bettercap. This is a really cool builtin feature but it didn't work out as I had hoped. I hopped back on my MBP, and my desktop, and noticed the network was super slow again. I browsed to www[.]facebook[.]com, https://www[.]facebook[.]com,and https://wwww[.]facebook[.]com. The one with four w's seemed to work until I noticed on my MBP that Chrome had the "Your Connection is Not Secure" message. I clicked the "Advanced" link hoping it would let me bypass the invalid certificate but it said due to HSTS I wasn't allowed to continue. I tried to browse to a couple different sites, including these forums, on my desktop but nothing loaded as if I wasn't even connected to the internet.

Like I mentioned before I was able to see src, dst, proto, and url so I was able to tell that my wife was spending all day on Facebook on her phone but I got nothing beyond that. I probably missed a couple steps in this post but it's difficult for me to condense all of the setup, troubleshooting, and testing to a few lines. If I wasn't clear enough about my testing I'll be glad to answer any questions you may have. Overall it seems like a great tool but it certainly doesn't defeat HSTS and I'm kinda bummed it slows down the network so much.

Edited by sud0nick
Link to comment
Share on other sites

Somebody are following this topic with the new update of bettercap 1.4.4? https://www.bettercap.org/blog/server-name-indication/

I am stuck in the part i have to install the bettercap-ca.pem file on the target device (windows 10).


I follow the link with the instructions of windows but in the Certificate Manager when i import the file it seems that windows not allow .pem certificates and not find the way to convert .pem to a valid one.


Somebody can help me please!

Link to comment
Share on other sites

  • 4 weeks later...

I tried to run bettercap on the nano but it does indeed require native library such as eventmachine which are not working on the nano and have to be cross-compiled.

I'm working on it and hope to be have it running soon.

The first thing to confirm is if the nano can support ruby. The bettercap is written using ruby, my assumption is yes, but I have not confirmed it as I don't develop in ruby.

The next challenge would be to confirm if all the code is written by bettercap, or if they rely on any 3rd party libraries, which may not be supported by the nano.

I'd start there first.

Link to comment
Share on other sites

  • 3 weeks later...

I tried to run bettercap on the nano but it does indeed require native library such as eventmachine which are not working on the nano and have to be cross-compiled.

I'm working on it and hope to be have it running soon.

Do you have any update?

Link to comment
Share on other sites

  • 4 months later...
  • 2 weeks later...
On 9/9/2016 at 9:58 PM, CB99 said:

1 nano + pi3 running Bettercap = ssl stripping .

This set-up works quite well for me and is portable .

I'm currently setting this up, can you share some tips on your setup?

Does this work on mobile devices?

Link to comment
Share on other sites

  • 1 month later...
  • 2 months later...
On 2/20/2016 at 6:52 PM, sud0nick said:

I've been working on this all day and I think I got my hopes up too high for Bettercap. It seems like a great tool and definitely has a lot of modularity but it still doesn't conquer HSTS. I'll lay out the testing environment I used today and what I experienced. If anyone else has better results please let me know how you accomplished them.

Method 1:
• Setup Backbox Linux with Bettercap on my home network containing multiple end user devices.

• Access websites with MBP and Windows 10 desktop which are connected to the same network.

Method 2:
• Using Backbox Linux, hostapd, dnsmasq, iptables, and the Alfa AWUS036NEH, I set up an AP on my laptop to become an actual MITM.
• Connected MBP to evil AP.

The following commands were used during both methods:


bettercap -X -I wlan0

bettercap -X -L wlan0

bettercap -X --proxy-https -I wlan0

The first command tells Bettercap to sniff all traffic in the subnet associated with wlan0 (in this case 192.168.1.0/24). Bettercap immediately found a bunch of targets (including my NAS, Domain Controller, Printer, laptops, phones, etc) and began displaying a bunch of traffic. I hopped on my MBP to see what would be captured when I browsed the internet but the network was brought to a halt. So I switched to my desktop and found the same issue. I pressed Ctrl+C in Bettercap and after a few seconds it stopped and my network came back up.

I tested this out a few more times throughout the day and at various points the network was either down completely or dragging very slowly, while at other times it seemed to work just fine. I did notice if I killed the connection to my VPN on Windows that I could get back out to the internet (didn't try on my MBP) but this only worked once or twice. Most of the time I couldn't browse to any sites at all.

Then I attempted to use Method 2 and the second command (with -L to sniff local traffic on my laptop) and it seemed when I connected my MBP to the evil AP it was able to get out to the internet just fine. All of the traffic was logged with the protocol being used but since everything was HTTPS I couldn't view any of the data.

The final command I used (this time using Method 1 again) enabled the HTTPS proxy server in Bettercap. This is a really cool builtin feature but it didn't work out as I had hoped. I hopped back on my MBP, and my desktop, and noticed the network was super slow again. I browsed to www[.]facebook[.]com, https://www[.]facebook[.]com,and https://wwww[.]facebook[.]com. The one with four w's seemed to work until I noticed on my MBP that Chrome had the "Your Connection is Not Secure" message. I clicked the "Advanced" link hoping it would let me bypass the invalid certificate but it said due to HSTS I wasn't allowed to continue. I tried to browse to a couple different sites, including these forums, on my desktop but nothing loaded as if I wasn't even connected to the internet.

Like I mentioned before I was able to see src, dst, proto, and url so I was able to tell that my wife was spending all day on Facebook on her phone but I got nothing beyond that. I probably missed a couple steps in this post but it's difficult for me to condense all of the setup, troubleshooting, and testing to a few lines. If I wasn't clear enough about my testing I'll be glad to answer any questions you may have. Overall it seems like a great tool but it certainly doesn't defeat HSTS and I'm kinda bummed it slows down the network so much.

A couple of things:

Have you tried using -T to specify a target?  I don't believe I've ever been able to get anything more than wireshark-style packet sniffing without specifying a target along with the HTTP proxy command.  Look at the bettercap website for details.

Is there a reason you're using BackBox?  Not that there's really anything wrong with it, but I'm pretty sure you're going to get better support, better compatibility with ruby, and more up-to-date libraries with newer Kali and Debian distros.  Don't expect newer tools (especially pen-testing tools) that are updated frequently to work with a distro that hasn't updated their downloadable image in over 6 months.  That's a pretty long time in the world of infosec.

Also, try testing against different browsers, and try getting creative with JavaScript and BeEF.  This tool was built IMO to make it easier for session highjacking; not script-kiddy-ing through ssl-stripping (though you can in certain situations).  I've tested it against the newest version of Mozilla Firefox (as of Jan 2017) and ssl stripping worked well.  It didn't work against Safari or Chrome.

As for those wondering about getting it to work on the pineapple:  save yourself finding out that the pineapple doesn't run it well and just get a RasPi 3 with Kali.  My mobile setup is a Nano with a AWUS Alfa 036NH added to it, RasPi 3 model B configured to auto-connect to the MGMT AP on the Pineapple on boot, running Kali with Bettercap.  I control the Nano via webui on my iPhone, and the RasPi 3 via vSSH lite (free SSH), all battery powered.  The alfa card is used for the mgmt AP, and the range is fantastic. With some practice you can do a ton of really cool stuff with it.

Link to comment
Share on other sites

8 hours ago, Fuylo said:

Is there a reason you're using BackBox?  Not that there's really anything wrong with it, but I'm pretty sure you're going to get better support, better compatibility with ruby, and more up-to-date libraries with newer Kali and Debian distros.  Don't expect newer tools (especially pen-testing tools) that are updated frequently to work with a distro that hasn't updated their downloadable image in over 6 months.  That's a pretty long time in the world of infosec.

I posted that almost a year ago...  I doubt any of it is relevant anymore.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...