Taking over HTTPS traffic with BETTERCAP using SSLSTRIP and explaining HSTSHijack - testing MiTM

Hello everyone and welcome back.

NOTE: In the video there is a tiny mistake: I've said that wwww is caused by hstshijack, according to one of the viewers this isn't correct, it's just .corn from .com -kinda actions. Thanks for mentioning this in the comments.

Github link for the correct version (if you have DIAL TCP error) :
Also thank you so much for 200 subs :)

This video is for educational purposes only!! Do not do anything illegal with this information. It should be only used for testing in isolated environments - I am NOT responsible for your actions.
Comments

IMPORTANT!

Yarwin mentioned that later in the video, when showing an example of HSTSHijack, I've said an incorrect thing: I've said that wwww is hstshijack's action, but according to Yarwin it wasn't. I apologize about that. Everything else in the video is legit, just know that when you see (for example) .corn instead of .com then you are sure that you are using hstshijack.

Big thanks to @Yarwin for correcting this

HoxFramework

This was very interesting and educational, thank you for sharing your knowledge. I learned a lot!

guidomedina

One of you asked if they can redirect traffic to their own website - YouTube removed the comment for some reason.

Of course. It's basic cybersecurity - DNS Spoof.
But then again I see no specific point in doing this ... If you are gonna use DNSSpoof then you don't need this tutorial - I have one specifically on DNSSpoof so check that out.

*ALSO*
Big thanks to you all for 400 subs !

HoxFramework

your videos are really cool and awesome.

syedalizainnaqvi

Hello, I recently subbed bc I like all of ur hacking tutorials and the fact you reply to ppl's requests and comments. Thank you very much

awex

Awesome video, one point: can just the HSTS module bypass modern browsers, or is the problem still the same? (and the target needs to be using old browsers)

hugosantiago

One of you asked "Hey, is it necessary to use version 2.23 in bettercap in order to downgrade https to http... Cause I'm using 2.3 version and when I try to downgrade my Target machine its not working. It either l..."
Again - version 2.23 worked for me, maybe the latest version works as well but I don't know, I didn't try it

Your version might not work because it doesn't, or because something is blocking your MITM like your router

HoxFramework

Haha, funny to actually see you're not alone having troubles..
I've found an easy way to bypass some HTTPS requests encryptions, using MITM redirecting to a javascript on custom server, no need to do much, the script is human error based, it timed out https requests, and asked to refresh using http, no warning message from Firefox nor Google Chrome, but a custom message ID'ed as "warning message".
This worked, as I'm typing this and trying same thing, Firefox displays the usual warning message, after the custom message.
So the last update doesn't allow to change ID's in simple CSS changes it seems, this was the case before but never worked well..
It was too easy, can't think this worked so long.
Maybe have a look at the displaying of those windows :).
If you control usual error messages displayed, you fool anyone.
It's always obvious.
For educational purpose.

magnificblue

Got it running but no luck with any browser :/. Does this do it to all the computers on the network?

_marcobaez

Hey, I am having problems downgrading to bettercap 2.23. I did as you said:
- Downloaded and extracted the bettercap file
- Removed the old bettercap file from /usr/bin
- Copied the extracted bettercap file to /usr/bin

However, now when I run `sudo bettercap --version` I get command not found.

Any help with that?

giuliodizio

Hi, I'm using bettercap version 2.29. But having a problem with downgrading http to https, should I use 2.23 ??

abinashburman

I did what you have told for installing the last, whenever I try to run the program it says
zsh: exec format error: bettercap


any help? :(

jolimoigtd

So I DID it from wlan0 and I'm getting sniff from all of the devices, but the thing is that SSLStrip is not working. I tried on a couple of devices but it's not changing https to httpblabla like on your screen. Did the same thing.

MateuszMichalak-mnlc

Hey! I did exactly like in the video. Downgraded version to 2.23, exactly the same set up. But the page won’t load. And I test it with different browsers. I successfully make it downgrade to http but the problem is that the site will not load. Test it out with iPhone. What’s the problem?

filipberlin

Github link for the correct version (if you have DIAL TCP error) :
Also thank you so much for 200 subs :)

HoxFramework

One of you asked why don't I put the used commands in the description - but I did, as I said in the video it's on my website (not all commands since that's really not necessary, there are like a few of them) but some explanation along with the github link for the version I'm using. (even tho github link is in the description as well)

HoxFramework

Hey Hox! Nice work explaining things! Your work is much appreciated! I've got a successful mitm attack against facebook recently! It's a complex method that requires the combination of several attack vectors! But it remains basically mitm! I've set a captive portal to install mitmproxy certificate into browser trusted certs! And then everything is basically done! Hope someone comes up with a way for breaking hsts anytime soon xD! Till then we need to get creative! Hit me up if you have any other ideas to work around hsts! Greetings mate!

alamechken

Basically you can set it up to exclude sites that only use https now, that way they don't get that warning about some attacker that Google Chrome gives out. Do that instead. I have not used this network but do you know how to set rules to not do SSLstrip and HSTShijack on websites you don't want? I mean to be able to add a rule to exclude certain websites and/or network protocols?

andretarvok

when I run "hstshijack/hstshijack" it says [err] open no such file or directory

parthrusia

Hey, I used every command but my hstshijack isn't working, it isn't able to convert https into http. Please help!!!

rishidutt