4

I did all the configuration right: iptables, port forwarding, arpspoof, everything.
However, in the browser, websites like Facebook and Twitter are still HTTPS.
What am I doing wrong?

voices
Antonio

2 Answers

4

Pick a softer target.

Update 1

So: Pick a target that doesn't use HSTS and/or pick a browser that doesn't care about HSTS.

StackzOfZtuff
  • I don't want to hack someone. I want to learn. How can I bypass this HSTS? – Antonio Oct 31 '15 at 13:22
  • @Antonio: HSTS is intended as protection against sslstrip etc, so no bypass of HSTS with sslstrip, especially not HSTS preload. – Steffen Ullrich Oct 31 '15 at 13:25
  • @SteffenUllrich Oh... alright. So all the websites here https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json#1401 will not be HTTP ever? And there is a way to bypass HSTS? Not with SSLSTRIP. – Antonio Oct 31 '15 at 13:27
  • @SteffenUllrich what about mitmf? – Antonio Oct 31 '15 at 13:42
  • @Antonio: MITM works only if the CA is already trusted by the browser. If HSTS is used the certificate warnings do not allow override by the user. – Steffen Ullrich Oct 31 '15 at 13:53
  • @Antonio: Answer updated. – StackzOfZtuff Oct 31 '15 at 14:09
  • @StackzOfZtuff I even tried Internet Explorer. Doesn't work on Facebook/Twitter. – Antonio Oct 31 '15 at 14:17
  • IE11 and IE-Edge [both use the Preload lists](http://blogs.windows.com/msedgedev/2015/06/09/http-strict-transport-security-comes-to-internet-explorer-11-on-windows-8-1-and-windows-7/). – StackzOfZtuff Oct 31 '15 at 14:22
  • @SteffenUllrich Worked for me just a couple of weeks ago, maybe I was using a different tool or something. – voices Nov 01 '15 at 00:57
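
Why the browser keeps using HTTPS for these sites, as an added example that is not part of the original thread: a simplified model of the HSTS decision a browser makes before it sends any request (RFC 6797 plus a preload list). The hostnames and `PRELOAD` entries are constructed, and `HstsStore` and its methods are hypothetical names.

```python
import time

# Constructed entries; field names follow this example's simplified model of a preload list.
PRELOAD = [
    {"name": "example-bank.test", "include_subdomains": True},
    {"name": "login.example-shop.test", "include_subdomains": False},
]

class HstsStore:
    """Hypothetical, simplified model of a browser's HSTS state (RFC 6797)."""

    def __init__(self, preload=()):
        self.preload = {e["name"]: e["include_subdomains"] for e in preload}
        self.dynamic = {}  # host -> (expiry timestamp, include_subdomains)

    def note_header(self, host, scheme, header, now=None):
        """Record a Strict-Transport-Security header; return True if honoured."""
        now = time.time() if now is None else now
        if scheme != "https":
            return False  # headers seen over plaintext are ignored
        directives = {}
        for part in header.split(";"):
            name, _, value = part.strip().partition("=")
            directives[name.strip().lower()] = value.strip().strip('"')
        max_age = directives.get("max-age", "")
        if not (max_age.isascii() and max_age.isdigit()):
            return False  # max-age is mandatory
        host = host.lower().rstrip(".")
        if int(max_age) == 0:
            self.dynamic.pop(host, None)  # max-age=0 clears the entry
        else:
            self.dynamic[host] = (now + int(max_age), "includesubdomains" in directives)
        return True

    def must_upgrade(self, host, now=None):
        """True if the browser rewrites http:// to https:// before connecting."""
        now = time.time() if now is None else now
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            name, exact = ".".join(labels[i:]), i == 0
            if name in self.preload and (exact or self.preload[name]):
                return True
            expiry, subs = self.dynamic.get(name, (0, False))
            if expiry > now and (exact or subs):
                return True
        return False

if __name__ == "__main__":
    store = HstsStore(PRELOAD)
    for h in ("www.example-bank.test", "forum.test"):
        print(h, "->", "https only" if store.must_upgrade(h) else "http allowed")
```

A preloaded host is upgraded even on the very first visit, while a host without a preload entry is only protected after one successful HTTPS response carrying the header.
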
0

I'm pretty sure it's worked for me in the past. If I recall correctly, you may need to de-authenticate your victim and wait for them to re-connect. On account of EAP/EAPOL, I do believe.

voices