Nytro

SSL Stripping and HSTS Bypass with BetterCap



Since version 1.3.0 BetterCap is able to perform SSL stripping, and since version 1.3.8 it also performs HSTS bypass, but what exactly are these techniques and how can we use them?

SSL Stripping

SSL stripping is a technique introduced by Moxie Marlinspike during BlackHat DC 2009; the description of this technique on its website goes like:

It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links.

Long story short, this technique will replace every https link in the web pages the target is browsing with an http one, so if a page would normally look like:

... <a href="https://www.facebook.com/">Login</a> ...

During an SSL stripping attack its HTML code will be modified as:

... <a href="http://www.facebook.com/">Login</a> ...

Being the man in the middle, this allows us to sniff and modify pages that normally we wouldn't even be able to see.

HSTS Bypass

SSL stripping worked quite well until 2010, when the HSTS specification was introduced. Wikipedia says:

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.

Moreover, HSTS policies have been prebuilt into major browsers, meaning that now, even with an SSL stripping attack running, the browser will connect to HTTPS anyway, even if the http:// scheme is specified, making the attack itself useless.

with-hsts.png
Picture credits to Scott Helme

For this reason, Leonardo Nve Egea presented sslstrip+ (or sslstrip2) during BlackHat Asia 2014.

This tool was an improvement over Moxie's original version, specifically created to bypass HSTS policies.

Since HSTS rules are most of the time applied on a per-hostname basis, the trick is to downgrade HTTPS links to HTTP and to prepend a custom subdomain name to them. None of the resulting links will be valid for any DNS server, but since we're MITMing we can resolve these hostnames anyway.

Let's take the previous example page:

... <a href="https://www.facebook.com/">Login</a> ...

An HSTS bypass attack will change it to something like:

... <a href="http://wwww.facebook.com/">Login</a> ...

Notice that https has been downgraded to http and www replaced with wwww.

When the "victim" clicks on that link, no HSTS rule will be applied (since there's no rule for the subdomain we just created) and the MITM software (BetterCap in our case ^_^) will take care of the DNS resolution, allowing us to see and alter the traffic we weren't supposed to see.

sslstrip-2.png
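How a browser decides whether a stored HSTS policy applies to a host, which is exactly what the per-hostname remark and the wwww subdomain trick above depend on, as an added Python example (not BetterCap or sslstrip+ code). The matching rules follow RFC 6797 (exact host match, or a parent-domain match only when includeSubDomains is set); the Strict-Transport-Security header values, the hostnames and the http://wwww.facebook.com/ link are constructed for illustration:

```python
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class HstsPolicy:
    """One stored HSTS entry: the host that sent the header and its directives."""
    host: str
    max_age: int
    include_subdomains: bool


def parse_hsts(host: str, header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value received from `host`.

    Returns None when the header carries no valid max-age directive, since a
    browser ignores such a header (RFC 6797 section 8.1).
    """
    max_age = None
    include_subdomains = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return HstsPolicy(host.lower().rstrip("."), max_age, include_subdomains)


def policy_covers(policy: HstsPolicy, host: str) -> bool:
    """True if `policy` applies to `host` under RFC 6797 domain matching."""
    host = host.lower().rstrip(".")
    if policy.max_age == 0:          # max-age=0 tells the browser to drop the entry
        return False
    if host == policy.host:          # congruent match
        return True
    # superdomain match: only when the issuing host opted in with includeSubDomains
    return policy.include_subdomains and host.endswith("." + policy.host)


def would_upgrade(policies: Iterable[HstsPolicy], url: str) -> bool:
    """Would a browser holding `policies` rewrite this http:// URL to https://?"""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return False                 # already https (or another scheme): nothing to upgrade
    host = parts.hostname or ""
    return any(policy_covers(p, host) for p in policies)


def demo() -> dict:
    # Constructed sample: two ways the same site could have set HSTS.
    per_host = parse_hsts("www.facebook.com", "max-age=31536000")
    apex = parse_hsts("facebook.com", "max-age=31536000; includeSubDomains; preload")
    stripped_link = "http://wwww.facebook.com/"       # the rewritten link from the post
    return {
        # policy only for www.facebook.com: the invented host is not covered, bypass works
        "per_host_policy_upgrades": would_upgrade([per_host], stripped_link),
        # policy on the apex with includeSubDomains: every *.facebook.com is covered
        "apex_policy_upgrades": would_upgrade([apex], stripped_link),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two results show where the bypass lives: a policy stored only for www.facebook.com does not cover wwww.facebook.com, because that host is neither equal to nor a subdomain of www.facebook.com, so the browser sends plain HTTP; a policy set on the apex domain with includeSubDomains covers it and the link is upgraded before any request leaves the machine. Note that a browser only stores such a policy after it has seen the header over HTTPS once, which is the window the preload list closes.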

Using BetterCap

Using BetterCap to perform such an attack is very easy; there's no special command line argument for it, since everything (both SSL stripping and HSTS bypass) was implemented as a builtin feature of the transparent proxy, so you only need to enable it:

sudo bettercap --proxy -P POST

The following screenshot was taken during a test run; as you can see, Facebook was successfully SSL-stripped and I was able to sniff login credentials in cleartext.

HSTS bypassed


Source: https://www.bettercap.org/blog/sslstripping-and-hsts-bypass/#.VsHQflQ9TwA.twitter
