2

I have the latest version of bettercap. I have the latest version of Kali Linux using the latest version of VirtualBox on the latest version of Windows 10. My target machine is the lowest possible version of Windows XP with the default IE and Chrome installed. I will first start by going over what I think I know and the troubleshooting I have done. Bettercap appears to be functioning in the sense that it can grab passwords from normal HTTP websites but not HTTPS websites.

What I THINK I know.

- SSLStrip converts HTTPS to HTTP

- SSLStrip will not work on anything that has HSTS preloaded

- SSLStrip will only work on non-preloaded HSTS websites if and only if the user is visiting it for the "first" time.

- SSLStrip will work against TLS and SSL if HSTS is not used

- If HSTS is not implemented, a victim doesn't need to do anything specific or be tricked into installing any certs.

- SSLStrip will attempt to redirect ALL HTTPS websites the victim visits to their HTTP counterpart.

What I Want To Do

- Monitor the victim's computer's traffic

- Get the victim user to go to my personal LAMP server, click the login page I wrote myself and receive an HTTP version of my domain. (more accurately http://accounts.shopify.com)

- Get the victim user to go to a real non-HSTS website like shopify.com, click the login page and receive an HTTP version of http://shopify.com (more accurately http://accounts.shopify.com)

What I have done

I used a typical install method

apt-get install bettercap

I have been following this website

https://www.peerlyst.com/posts/bettercap-2-x-mitm-framework-general-info-examples-cyberpunk-1

I have used these commands once I activate bettercap

» set http.proxy.sslstrip true
» set net.sniff.verbose false
» set arp.spoof.targets 192.168.1.6
» arp.spoof on
» http.proxy on
» net.sniff on

What is working

- Can successfully redirect victim traffic to the attacking device

- Can successfully grab headers

- Can successfully display the password when I enter it in non-HTTP websites

What is NOT

- The part where HTTPS is supposed to automatically be converted into HTTP

So guys, I feel like I'm missing something essential. This sounds like too straightforward a process to fail. So what is it? What am I missing?

user21303
  • 151
  • 2
  • 4
  • 11

3 Answers

2

After a lot of searching I just found out that Bettercap 2.x apparently just does not do the HSTS bypass thing. The sslstrip from the http.proxy module works just fine; I've tested it on my network, and all the HTTPS websites were now HTTP. However Chrome, Firefox and so on block them because you visited them once with HTTPS. Some websites are still visitable by clicking the "Proceed (unsafe)" button, but for https://google.com and/or https://facebook.com the button just won't show up.

With Bettercap 1.x HSTS bypass was basically working because it was changing the URL in order to make the browser think that this is the first time you visit that page, and so https://www.google.com becomes http://wwww.google.com

And well... that HSTS feature is just missing apparently, or it's well hidden, because I've not found any answer or article using it in Bettercap 2.x.

(Sorry, I would have commented instead of posting an answer, but I did not have enough reputation. Also, sorry for any stupid grammatical errors in my English; it's not my main language.

Any help in the comments on that is really appreciated. Bettercap 2.x is supposed to be better than 1.x, but if it does not have HSTS bypass it's pretty much useless...)

UPDATE:

After some testing, I managed to make Bettercap use the HSTS bypass. By running ARP spoof, DNS spoof and the sniffer module it works fine (enabling ssl strip in the modules). This way, I got the URL modified into http://wwww.google.com. Unluckily though, the latest Firefox blocked all the web pages; still trying to get it right.

1
  • SSLStrip converts HTTPS to HTTP

Not exactly; you cannot "convert HTTPS to HTTP" once an SSL/TLS connection has been established (unless the server sends the client such a redirect, but you cannot impersonate the server without its private key). It only does this in the sense that URLs are rewritten from https:// to http://.

  • SSLStrip will work against TLS and SSL if HSTS is not used

  • SSLStrip will not work on anything that does not have HSTS preloaded

  • SSLStrip will only work on non-preloaded HSTS websites if and only if the user is visiting it for the "first" time.

Similarly, the attack here is not against SSL/TLS itself. SSLStrip works by intercepting insecure, plaintext HTTP requests and rewriting the contents such that the client never tries to use HTTPS. See this related question/answer. HSTS is effectively designed to defeat attacks like SSLStrip by forcing the client to initiate HTTPS connections from the beginning (in the case of preload) or once it has been sent the correct header.

  • SSLStrip will attempt to redirect ALL HTTPS websites the victim visits to their HTTP counterpart.

Well, we can't redirect HTTPS to HTTP if the client is already trying to connect via HTTPS, for reasons mentioned above.

  • Get the victim user to go to a real non HSTS website like shopify.com, click the login page and receive an HTTP version of http://shopify.com (more accurately http://accounts.shopify.com)

According to hstspreload.org, shopify.com is preloaded, so any tests against this domain are going to fail since the browser will automatically try to connect with HTTPS.

So, in order to test SSLStrip correctly, you need the "victim" to enter an HTTP (not HTTPS) URL with a domain that is not preloaded.

multithr3at3d
  • 12,355
  • 3
  • 29
  • 42
  • I attempted to manually type in my own website into Chrome on my victim's machine and with my Windows 10 main. I used http:// but it still redirects to https. I tried to do an "inspect element" on an http website and make one of the links go to the http:// version. Once I clicked the link, the same thing happened. I set my LAMP server to automatically use https but it doesn't have strict transport security enabled so it should not matter. If what you say is accurate, then I can only infer that I am doing something wrong in bettercap... right? – user21303 Dec 10 '18 at 03:19
  • Does the server have a 301 redirect to the HTTPS version? If so, the browser will cache this unless cleared. – multithr3at3d Dec 10 '18 at 03:35
  • Not sure. I used certbot from the Let's Encrypt campaign. I think they asked if I wanted to have it redirect and I said yes. Not sure how to check. – user21303 Dec 10 '18 at 03:37
  • I cleaned my browser too. No luck. – user21303 Dec 10 '18 at 03:59
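The answer above (and the "What I THINK I know" list in the question) comes down to one rule from RFC 6797: a browser upgrades a typed http:// navigation to https:// only when the host is on the preload list or when it has previously received a Strict-Transport-Security header over HTTPS, and a plaintext response can never set that policy. The following toy model of a browser's HSTS cache makes that rule concrete, so a site owner can see why serving the header on the HTTPS side closes the "first visit" window that SSLStrip-style URL rewriting depends on. This is an added example written for this page; it is not code from bettercap, from any browser, or from the answer's author. The `PRELOADED` set is a constructed stand-in for the real preload list, and the hosts and timestamps are made up.

```python
"""
Toy model of a browser's HSTS cache (RFC 6797), used to reason about when
a typed http:// navigation is sent in plaintext and when the browser
upgrades it to https:// on its own.  Added example for this page; not code
from bettercap, from any browser, or from the answer's author.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed stand-in for the browser's built-in preload list.  Real browsers
# ship the list published at hstspreload.org; this set exists only for the example.
PRELOADED: Set[str] = {"preloaded.example"}


@dataclass
class HstsEntry:
    expires: float            # absolute time (seconds) after which the policy lapses
    include_subdomains: bool  # set when the header carried includeSubDomains


def parse_hsts(header: str, now: float) -> Optional[HstsEntry]:
    """Parse a Strict-Transport-Security header value.
    Returns None for a malformed header or one without a max-age directive."""
    max_age: Optional[int] = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return HstsEntry(expires=now + max_age, include_subdomains=include_sub)


@dataclass
class BrowserHstsCache:
    entries: Dict[str, HstsEntry] = field(default_factory=dict)

    def observe_response(self, host: str, over_https: bool,
                         headers: Dict[str, str], now: float) -> None:
        """Record the HSTS policy from a response.  Per RFC 6797 section 8.1 the
        header is honoured only on a response received over HTTPS, so a response
        that arrived over plaintext HTTP never sets (or extends) the policy."""
        header = headers.get("Strict-Transport-Security")
        if not over_https or header is None:
            return
        entry = parse_hsts(header, now)
        if entry is None:
            return
        if entry.expires <= now:          # max-age=0 tells the browser to forget the host
            self.entries.pop(host, None)
        else:
            self.entries[host] = entry

    def is_hsts_host(self, host: str, now: float) -> bool:
        """True if host (or a parent with includeSubDomains) has an unexpired
        policy, or is covered by the simplified preload list."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in PRELOADED:    # simplification: preloaded entries cover subdomains
                return True
            entry = self.entries.get(candidate)
            if entry is None or entry.expires <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def request_scheme(self, host: str, typed_scheme: str, now: float) -> str:
        """Scheme the browser actually uses for a navigation the user typed."""
        if typed_scheme == "https" or self.is_hsts_host(host, now):
            return "https"
        return "http"   # plaintext: the only request a URL rewrite can reach


def first_visit_then_cached(host: str) -> tuple:
    """Walk one host through: a first visit typed as http://, the same
    navigation after an HTTPS response carried a one-year HSTS header with
    includeSubDomains, a subdomain of it, and the host again after expiry."""
    cache = BrowserHstsCache()
    t0 = 1_700_000_000.0                      # constructed timestamp
    first = cache.request_scheme(host, "http", t0)
    cache.observe_response(host, over_https=True, now=t0,
                           headers={"Strict-Transport-Security":
                                    "max-age=31536000; includeSubDomains"})
    second = cache.request_scheme(host, "http", t0 + 60)
    sub = cache.request_scheme("login." + host, "http", t0 + 60)
    after_expiry = cache.request_scheme(host, "http", t0 + 31536000 + 1)
    return first, second, sub, after_expiry


if __name__ == "__main__":
    print("ordinary host :", first_visit_then_cached("shop.example"))
    print("preloaded host:", first_visit_then_cached("preloaded.example"))
```

For an ordinary host the walk returns `('http', 'https', 'https', 'http')`: only the very first typed http:// navigation goes out in plaintext, the header then protects the host and its subdomains for a year, and the policy lapses when max-age runs out. For the preloaded host every step is `https`, which is the point made above about shopify.com. The same model also shows why the header must come from the HTTPS origin: feed a plaintext response carrying the header to `observe_response` and the cache stays empty.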
1

Try using the same tools and strategy but with one modification. Before you do all that, first try to set up a fake hotspot. You will need an additional wireless adapter which supports monitor mode. No matter if you use a framework or set up the hotspot manually. I think that SSLStrip is much more effective when all the traffic is literally flying through you. You can also create your own redirect pages so you can bypass HSTS.

Nervus
  • 11
  • 2