Jump to content

MitM HTTPS in 2022?


drcall2
 Share

Go to solution Solved by PanicAcid,

Recommended Posts

  • 2 weeks later...
  • Solution
On 1/16/2022 at 10:52 AM, drcall2 said:

Hello is it possbile do sniff passwords and usernames etc using MITM on HTTPS in 2020?

Sorry newb here

Will you be able to do SSL stripp without the browser blocking the request even if the have the cookie that protects them

Only if you can install your own certificate on the device beforehand which unless you have complete control of the device, is basically a no.

Edited by PanicAcid
  • Upvote 1
Link to comment
Share on other sites

  • 1 month later...
  • 10 months later...

In order to not just answer "no", I want to provide why the answer is "no" and where we coming from. Although, I will not go into the details of HTTPS

  • SSL Strip: this is - possible - the most famous method for Mitm-Attacks. This is just a downgrade from HTTPS to HTTP. There shouldn't be interesting Sites online, which have HTTP-only connections. SSL-Strip is just done.
  • Proxy-Connections. You take the request and send it further. Everything goes through your device. What is the problem here? You need the private key to decrypt the traffic. Two ways possible: 1.) You have the server and just want to fiddle around, then you have the private, load it up in wireshark, sip your coffe and go for it. 2.) You need a new certificate where you also own the private key. Problem here: you just can't get a signed certificate for a foreign domain. So you need to install a self-signed certificate and force trust it on the target. This is what Fiddler 4 does. But of course it is highly visible to do so. You need access to the target and if you have: you don't don't mitm-attacks anymore, you just grep data before it is encrypted. 

I hope, this answer helps to spare your and our time to search into dead ends.

Greetings,
Salacryl

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...