Nytro Posted February 16, 2016 Report Share Posted February 16, 2016 SSL Stripping and HSTS Bypass with BetterCap Since version 1.3.0 BetterCap is able to perform SSL stripping and since version 1.3.8 it also performs HSTS bypass, but what are exactly these techniques and how can we use them? SSL Stripping SSL stripping is a technique introduced by Moxie Marlinspike during BlackHat DC 2009, the website description of this technique goes like: It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links. Long story short, this technique will replace every https link in webpages the target is browsing with http ones so, if a page would normally look like: ... <a href="https://www.facebook.com/">Login</a> ... During a SSL stripping attack its HTML code will be modified as: ... <a href="http://www.facebook.com/">Login</a> ... Being the man in the middle, this allow us to sniff and modify pages that normally we wouldn't be able to even see. HSTS Bypass SSL stripping worked quite well until 2010, when the HSTS specification was introduced, Wikipedia says: HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797. Moreover HSTS policies have been prebuilt into major browsers meaning that now, even with a SSL stripping attack running, the browser will connect to HTTPS anyway, even if the http:// schema is specified, making the attack itself useless. Picture credits to Scott Helme For this reason, Leonardo Nve Egea presented sslstrip+ ( or sslstrip2 ) during BlackHat Asia 2014. This tool was an improvement over the original Moxie's version, specifically created to bypass HSTS policies. Since HSTS rules most of the time are applied on a per-hostname basis, the trick is to downgrade HTTPS links to HTTP and to prepend some custom sub domain name to them. Every resulting link won't be valid for any DNS server, but since we're MITMing we can resolve these hostnames anyway. Let's take the previous example page: ... <a href="https://www.facebook.com/">Login</a> ... A HSTS bypass attack will change it to something like: ... <a href="http://wwww.facebook.com/">Login</a> ... Notice that https has been downgraded to http and www replaced with wwww ). When the "victim" will click on that link, no HSTS rule will be applied ( since there's no rule for such subdomain we just created ) and the MITM software ( BetterCap in our case ) will take care of the DNS resolution, allowing us to see and alter the traffic we weren't supposed to see. Using BetterCap Using BetterCap to perform such attack is very easy, there's no special command line argument for it since everything ( both SSL stripping and HSTS bypass ) was implemented as builtin features of the transparent proxy, you only need to enable it: sudo bettercap --proxy -P POST The following screenshot was taken during a test run, as you can see Facebook was succesfully SSL-stripped and I was able to sniff login credentials in cleartext. Sursa: https://www.bettercap.org/blog/sslstripping-and-hsts-bypass/#.VsHQflQ9TwA.twitter 2 Quote Link to comment Share on other sites More sharing options...
madur Posted March 3, 2016 Report Share Posted March 3, 2016 functioneaza si daca Kali e instalat pe Vmware cu conexiune bridged la Wifi host? Multumesc Quote Link to comment Share on other sites More sharing options...
