I'm using MITMf for replacing images over HTTP, and everything works fine. But how can I replace images on sites like Google or Facebook that uses HTTPS?
My actual command:
sudo python mitmf.py -i wlan0 --spoof --arp --hsts --gateway 192.168.1.254 --target 192.168.1.43 --imgrand --img-dir /home/pi/spof/better/MITMf/img/
For sites like google and facebook several browser have preloaded HSTS (enforce HTTPS) and HPKP (certificate/public key pinning) settings. This means that the browser knows that these sites should be reachable by https only and how the certificate should look like. And this means that stripping SSL and the HSTS header (i.e. your --hsts option) will not work against these sites. It will only work against sites where the browser does not know (yet) that HTTPS is mandatory.
What you would need is to do real SSL man in the middle where you have a HTTPS connection from browser to your man in the middle proxy and from the proxy to the real server. In this case the HTTPS connection to the client is signed by certificates created by the proxy and the relevant proxy CA needs to be explicitly setup as trusted inside the browser/OS.
But from a look at mitmf I don't see that it offers an option for doing real SSL man in the middle, it can only do SSL stripping (i.e. downgrade to plain HTTP) which does not help in case of preloaded HSTS/HPKP. Thus you would need to use other tools like mitmproxy.
The whole point of using HTTPS is that it prevents such attacks that break the integrity of the connection. You would need to do an SSL MiTM and break the SSL. However breaking SSL will mean that the user's browser will prompt the user about this break in SSL, and you would need to be dependent on the user ignoring such errors. Also keep in mind that it is becoming more and more difficult to break SSL due to mechanisms like HSTS, Certificate Pre Loading, and Pinning
