
I have the latest version of bettercap. I have the latest version of Kali Linux using the latest version of VirtualBox on the latest version of Windows 10. My target machine is the latest version of Windows 10 with Chrome version 70.0.3538.110. I have all the extensions removed. I will first start by going over what I think I know and troubleshooting I have done. Bettercap appears to be functioning in the sense that it can grab passwords from normal HTTP websites but not HTTPS websites.

What I THINK I know.

  • SSLStrip will NOT convert an HTTPS connection to HTTP.
  • SSLStrip WILL, however, rewrite HTTPS URLs to HTTP.
  • SSLStrip will not work on anything that has HSTS preloaded.
  • SSLStrip will only work against non-preloaded HSTS websites if and only if the user is visiting it for the "first" time.
  • SSLStrip will work against TLS and SSL if HSTS is not used.
  • If HSTS is not implemented, a victim doesn't need to do anything specific or be tricked into installing any certs.

What I Want To Do

  • Monitor the victim's computer's traffic
  • Verify that weibo is vulnerable (it is https://hstspreload.org/?domain=weibo.com )
  • Get the victim user to go to http://mediaroom.scholastic.com/socialmedia , scroll to the bottom and click the link to the Weibo website.
  • Receive an HTTP version of weibo.com
  • Alternatively, I would accept clicking a Facebook link and receiving a "Connection is not private" alert. This is also acceptable.

What I have done

  • Cleared my victim's chrome cache and deleted the domain security policies for weibo.com

  • Restarted Chrome

  • Used a typical install method

    apt-get install bettercap

I have been following this website

I have used these commands once I activate bettercap

    set http.proxy.sslstrip true
    set net.sniff.verbose false
    set arp.spoof.targets 192.168.1.3
    arp.spoof on
    http.proxy on
    net.sniff on

What IS working

  • Can successfully redirect victim traffic to the attacking device
  • Can successfully grab headers
  • Can successfully display the password when I enter it in non-HTTP websites
  • When the victim navigates from mediaroom.scholastic.com to weibo.com, the weibo.com link is correctly converted to http in html. Woohoo, progress!!

What is NOT working

  • When I actually click the link I still get the HTTPS version.

So, I still feel like I'm missing something essential. This sounds too straightforward of a process to fail. So what is it? What am I missing?

Note for mods. The original link is here. I updated this one with the corrections made by the one answer.

  • *"SSLStrip will work on anything that has HSTS preloaded"* - it doesn't since the site is never visited with HTTP in the first place. *"SSLStrip will work against TLS and SSL if HSTS is not used"* - not sure what you mean by this but it will not work if the user explicitly visits the site with HTTPS instead of HTTP. – Steffen Ullrich Dec 11 '18 at 04:15
  • Sorry. I forgot to put a NOT in there – user21303 Dec 11 '18 at 04:16
  • At any rate, do you know why my http link isn’t loading the new site in http? – user21303 Dec 11 '18 at 04:17
  • I don't get a link to weibo on this site. Please provide the exact link you get and follow and then one might see what's going on. Ideally also provide a packet capture (wireshark) so that one can see what happens in your environment. – Steffen Ullrich Dec 11 '18 at 04:20
  • http://mediaroom.scholastic.com/socialmedia – user21303 Dec 11 '18 at 04:21
  • I would suggest that there is Javascript constructing links within the browser. sslstrip is not able to interfere with this but only with static links visible in the transferred data. – Steffen Ullrich Dec 11 '18 at 04:28
  • I don’t think you understand. The links on the scholastic webpage do become http. I can hover over the link and it will say http:// the problem is that when I actually click on the link, it brings me to the https version of the site. – user21303 Dec 11 '18 at 04:31
  • If you make a packet capture or look into the browsers developer tools you will likely see that it will not bring you immediately to the `https://` site but that first a `http://` request will be done and later it will switch to `https://`. And my assumption is that there is some javascript (loaded via http) which rewrites `window.location` and thus causes a javascript based change of the URL which sslstrip cannot deal with. – Steffen Ullrich Dec 11 '18 at 04:55
  • I don't think that is the case. I clicked the Facebook link and it's not giving me an "unsecured connection" alert. EDIT: wait, I think I get what you are saying. It won't work if it opens a new tab right? Because that is what happens when you click any link. – user21303 Dec 11 '18 at 05:18
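The "first visit" rules listed in the question (preloaded hosts are never requested over HTTP; non-preloaded hosts are only exposed until the browser has seen a Strict-Transport-Security header over HTTPS) can be checked against a small model of the browser's HSTS cache. This is an added example, not code from the question or from bettercap; the host names, header values and preload list are constructed for illustration.

```python
# Added example: a model of the browser-side HSTS logic (RFC 6797) that decides
# whether a clicked http:// link ever leaves the browser in cleartext.
# Hosts, headers and the preload list below are constructed, not real data.
ONE_YEAR = 31_536_000  # hstspreload.org requires max-age of at least one year


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy["max_age"] = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def preload_eligible(header):
    """Header-level preload requirements only (the list also requires the
    site to redirect HTTP to HTTPS and serve the header over HTTPS)."""
    p = parse_hsts(header)
    return (p["max_age"] is not None and p["max_age"] >= ONE_YEAR
            and p["include_subdomains"] and p["preload"])


class Browser:
    """Tracks the dynamic HSTS cache plus a constructed preload list."""

    def __init__(self, preload_list=()):
        self.preloaded = {h.lower() for h in preload_list}
        self.cache = {}  # host -> absolute expiry time in seconds

    def navigate(self, url, now, hsts_header=None):
        """Return the scheme the request actually leaves the browser with.

        hsts_header is the Strict-Transport-Security value of the response,
        if any; per RFC 6797 it is ignored unless received over HTTPS."""
        scheme, _, rest = url.partition("://")
        host = rest.split("/", 1)[0].lower()
        if host in self.preloaded or self.cache.get(host, 0) > now:
            scheme = "https"  # upgraded internally; no cleartext request
        if scheme == "https" and hsts_header:
            p = parse_hsts(hsts_header)
            if p["max_age"] is not None:
                self.cache[host] = now + p["max_age"]  # max-age=0 clears it
        return scheme
```

The model shows why the answer below sees mixed results: a host that is neither preloaded nor already in the cache sends its first http:// request in the clear, and an HSTS header received over that cleartext response is ignored, so only an HTTPS response can close the window.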

1 Answer

When I go to the Scholastics page, then click the Tumblr link (specifically the Goosebumps one) I get redirected to HTTP. Many of the other links on the site are HTTP and others are HTTPS. This is the desired result and I did not get the same results with weibo.com. So I guess that means it works right? From this, we can conclude that the absence of HSTS does not guarantee an attacker's success. To further prove this, I went to time.com and noticed none of the links were converted to HTTP like they were on the Scholastic site. I guess it depends on how the site is built? I don't know honestly.

  • I think it is not working as expected, I still use dns2proxy and sslstrip+ because they work as expected. bettercap still does not work. – David Herrero Dec 14 '18 at 11:19