MITM List website

[flammeur]

Hello Folks,

 

I am actually facing the problem with HSTS when i perform MITM ,

i would like to know if i could filter the website i want to track during the attack , example : don't redirect www.facebook.com to my MITM

 

Thanks in advance !

[digininja]

It would all depend on what tool you are using to do the MITM.

[flammeur]

Well i am familiar with sslstrip and ethercap but i am open to any tool to do so , have you got some idea ?

[digip]

I've been using straight up arpspoof and dnsspoof with hosts file changes, but HSTS will block that quickly. I tried mitmf(man in the middle framework), which claims it can do SSl strip and HSTS blocking, but sadly, I couldn't even get it to hook my test box for any site, at all. getting it to work would be nice though since it has a host of things it can do from injecting keylogger via javascript injection to various types of MITM attacks with the SSL/HSTS being the one I wanted to test. Google seems to block with HSTS while something like AOL.com, was hit or miss for me with the arp and dns spoof alone. Sometimes I got my default apache page for local web server, other times it loaded the https site, so if that HSTS header is seen, it's pretty hard to block as browsers know not to load the page. My Opera browser testing for google put up an error about possible security issue, so browsers are also getting smarter to some extent, and I think certain sites like Google for one, have some hard coded/saved data for known HSTS sites(but don't quote me on that).

[digininja]

Think you are talking about HSTS preloading

https://scotthelme.co.uk/hsts-preloading/

[digip]

11 minutes ago, digininja said:

Think you are talking about HSTS preloading

https://scotthelme.co.uk/hsts-preloading/

That's great info. I knew Chrome did something like this, but I use Opera(which is based on chrome in parts) and shares a lot of functions of Chrome and interface. This confirms my suspicions though that browsers have loaded site lists. Thank you!