
I was wondering how I could sniff HTTPS credentials using the Bettercap proxy.

I am using the following command:

bettercap -I wlan0 -T 10.0.0.23 -X  --proxy-https

And when I set up the proxy on my Android (in the WiFi settings), with the address 10.0.0.1:8083, I can see when the phone authenticates with my WiFi.

HOWEVER, I can't see any credentials showing up when I log into Facebook, Instagram, etc. In fact, there isn't anything on the terminal except when my device connects to my WiFi.

Am I missing a command line argument?

Jacob Collins

1 Answer


The Bettercap tool uses an HSTS technique to bypass HTTPS sites, and this type of attack works only for sites not on the preload list.

You can check the list here.

If you are trying to sniff the traffic of Facebook or Google apps (such as Gmail, Instagram, ...), it won't work, whether the client uses the application or the browser, because of the preload list built into the browser and the certificate embedded in the applications.

Try opening Facebook in Internet Explorer; it will work fine because the IE browser does not use the preload list.

You can create an HTTPS proxy with an SSL root certificate and install this certificate on your phone; then you can decrypt HTTPS traffic.

https://www.trustwave.com/Resources/SpiderLabs-Blog/Intercepting-SSL-And-HTTPS-Traffic-With-mitmproxy-and-SSLsplit/

peterh
androux
  • Thanks for your answer! Your English makes this post hard to understand, though; particularly the first sentence. I assume you mean that HSTS prevents bettercap, not that bettercap uses HSTS? – Luc Jun 14 '18 at 05:31
  • @Luc yes, bettercap supports SSLstrip+, which partially bypasses HSTS – androux Jun 14 '18 at 08:11
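The preload-list logic that the answer and the comments turn on, written out as an added example (this is not code from the question, the answer, or bettercap). The host lookup walks from the full hostname up through its parent domains, honouring `include_subdomains` the way a browser does, so it shows why `www.facebook.com` is loaded over HTTPS before any plaintext request exists for a proxy to rewrite, while an unlisted host is still a downgrade candidate. The entry list is a constructed excerpt in the shape of Chromium's `transport_security_state_static.json` (`entries` with `name`, `mode`, `include_subdomains`); the entries and the `.test` names are illustrative assumptions, not a copy of the real list. The header parser covers the other way a host gets HSTS, a dynamically learned `Strict-Transport-Security` policy, which is what SSLstrip+ targets. This check says nothing about mobile apps with an embedded (pinned) certificate, which the answer separately rules out.

```python
import json

# Constructed excerpt in the shape of Chromium's transport_security_state_static.json
# ("entries" with "name", "mode", "include_subdomains"). Names and flags here are
# illustrative assumptions for this example, not a copy of the real preload list.
PRELOAD_EXCERPT = json.loads("""
{
  "entries": [
    {"name": "facebook.com",  "mode": "force-https", "include_subdomains": true},
    {"name": "instagram.com", "mode": "force-https", "include_subdomains": true},
    {"name": "google.com",    "mode": "force-https", "include_subdomains": true},
    {"name": "onlyapex.test", "mode": "force-https", "include_subdomains": false}
  ]
}
""")


def build_index(preload):
    """Map lowercase entry name -> entry, keeping only force-https entries."""
    return {
        e["name"].lower(): e
        for e in preload["entries"]
        if e.get("mode") == "force-https"
    }


def preload_entry_for(host, index):
    """Return the name of the preload entry that forces HTTPS for host, or None.

    Walk from the full host up through its parent domains. An exact match
    always applies; a parent match applies only if that entry carries
    include_subdomains. A parent without include_subdomains does not cover
    the child, so the walk continues to the next parent.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = index.get(candidate)
        if entry is None:
            continue
        if i == 0 or entry.get("include_subdomains", False):
            return candidate
    return None


def sslstrip_candidate(host, index):
    """True when the preload list does not rule out an SSLstrip-style downgrade.

    A preloaded host is upgraded to HTTPS inside the browser before the request
    is sent, so the proxy never sees a plaintext request to rewrite. A host that
    is not preloaded may still carry a dynamically learned HSTS policy; SSLstrip+
    works around that by rewriting hostnames so the browser does not match the
    stored policy, which is why the comment above calls the bypass partial.
    """
    return preload_entry_for(host, index) is None


def parse_hsts_header(value):
    """Parse a Strict-Transport-Security header value (RFC 6797).

    Directive names are case-insensitive; max-age may be quoted.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy["max_age"] = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


INDEX = build_index(PRELOAD_EXCERPT)

if __name__ == "__main__":
    for h in ["www.facebook.com", "m.instagram.com", "onlyapex.test",
              "sub.onlyapex.test", "shop.example.test"]:
        print(f"{h:20} preloaded via {str(preload_entry_for(h, INDEX)):14} "
              f"strippable={sslstrip_candidate(h, INDEX)}")
    print(parse_hsts_header("max-age=31536000; includeSubDomains; preload"))
```

To run it against the real list, replace `PRELOAD_EXCERPT` with the parsed contents of Chromium's `transport_security_state_static.json` (the file carries `//` comment lines that must be stripped before `json.loads`); the lookup logic does not change.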