15

I am trying to understand how to bypass HSTS protection. I've read about tools by LeonardoNve ( https://github.com/LeonardoNve/sslstrip2 and https://github.com/LeonardoNve/dns2proxy ). But I don't quite get it.

  • If the client is requesting the server for the first time, it will work anytime, because sslstrip will simply strip the Strict-Transport-Security: header field. So that's OK.
  • If not? What happens? Will the client automatically try to connect to the server with HTTPS? In that case, MITM is useless, isn't it?

Looking at the code, I kinda get that SSLstrip2 will change the domain name of the resources needed by the client, so the client will not have to use HSTS since these resources are not on the same domain (is that true?). The client will send a DNS request that the DNS2proxy tool will intercept and send back the IP address for the real domain name. In the end, the client will just HTTP the resources it should have fetched in an HTTPS manner.

Example: From the server response, the client will have to download mail.google.com. The attacker changes that to gmail.google.com, so it's not the same (sub)domain. Then the client will send a DNS request for this domain, and DNS2proxy will answer with the real IP of mail.google.com. The client will then simply ask for this resource over HTTP.

What I don't get is what happens before that: how can the attacker HTML-strip while the connection should be HTTPS from the client to the server?

Deer Hunter
Nikkolasg
  • Do note that many browsers use built-in HSTS lists to get around this exact problem of the very first connection getting MITMed. – Jul 06 '15 at 11:17

2 Answers

3

To answer the original question - most people never type https://example.com directly. They rely either on links (click here to access our secure login server) or on redirects (type "gmail.com" in the browser, and you will be automatically redirected to a secure site).

This is where SSLStrip comes in: it intercepts the original, unsecured HTTP reply, and replaces <a href="https"> links with HTTP (insecure) versions. Also, it changes redirects ("Location:" headers) that point to HTTPS URLs.

With SSLStrip2, this goes a bit further (intercept, redirect to an invalid subdomain, use DNS interception to actually provide a valid IP for that subdomain).

StackzOfZtuff
Bogd
  • Unfortunately, my reputation does not yet allow me to comment on the original question. @user2064000: SSLStrip2 is designed to get around HSTS lists, by using the methods mentioned above. – Bogd Apr 26 '16 at 17:19
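The answer above hinges on a browser rule rather than on the tools: a browser only upgrades a hostname to HTTPS if it holds an HSTS policy that covers that exact host, or a policy for a parent domain that was sent with includeSubDomains. The following is an added example (not code from this thread, nor from the sslstrip2 or dns2proxy projects): a small Python model of RFC 6797 policy storage and host matching. It shows why a policy learned for one hostname leaves a sibling hostname uncovered, why a header seen on a plain-HTTP response creates no policy (the first-connection gap), and how a pre-seeded entry, standing in for the built-in preload list mentioned in the comments, covers even the first visit. The hostnames, header values and clock are constructed for the demo.

```python
"""Model of RFC 6797 HSTS policy storage and host matching (added example)."""
import re
import time
from typing import Dict, Optional, Tuple

# One directive: name [= [quoted] value], surrounding whitespace tolerated.
_DIRECTIVE_RE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*("?)([^";]*)\2)?\s*')


def parse_hsts(header: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security value; None means 'invalid, ignore it'
    (missing or non-numeric max-age, duplicate directive: RFC 6797 s6.1)."""
    max_age, include_sub, preload, seen = None, False, False, set()
    for part in header.split(";"):
        if not part.strip():
            continue
        m = _DIRECTIVE_RE.fullmatch(part)
        if m is None:
            return None
        name = m.group(1).lower()
        if name in seen:
            return None
        seen.add(name)
        value = m.group(3).strip() if m.group(3) is not None else None
        if name == "max-age":
            if value is None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub, "preload": preload}


class HstsStore:
    """Per-host policy cache: host -> (expiry timestamp, includeSubDomains)."""

    def __init__(self, preloaded=(), now=time.time):
        self.now = now
        self.entries: Dict[str, Tuple[float, bool]] = {}
        # Pre-seeded entries stand in for a browser's built-in preload list:
        # they never expire and need no prior visit to the site.
        for host, include_sub in preloaded:
            self.entries[host.lower()] = (float("inf"), include_sub)

    def process_response(self, host: str, header: str, secure: bool = True) -> bool:
        """Record the policy from a response; True if the store changed.
        RFC 6797 s8.1: the header counts only over a secure transport, so a
        plain-HTTP first contact (where the header can be stripped) sets nothing."""
        if not secure:
            return False
        policy = parse_hsts(header)
        if policy is None:
            return False
        host = host.lower()
        if policy["max_age"] == 0:  # max-age=0 deletes the policy
            return self.entries.pop(host, None) is not None
        self.entries[host] = (self.now() + policy["max_age"], policy["include_subdomains"])
        return True

    def must_use_https(self, host: str) -> bool:
        """RFC 6797 s8.2-8.3: exact host match, or a superdomain match whose
        entry carries includeSubDomains; any other hostname is not covered."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry[0] <= self.now():
                continue  # absent or expired entry
            if i == 0 or entry[1]:
                return True
        return False


def demo(now: float = 1_000_000.0) -> Dict[str, bool]:
    """Constructed walk-through; every hostname and header here is illustrative."""
    store = HstsStore(preloaded=[("preloaded.example", True)], now=lambda: now)
    r = {}
    store.process_response("mail.example.com", "max-age=31536000")      # learned over HTTPS
    r["exact_host"] = store.must_use_https("mail.example.com")          # True
    r["sibling_host"] = store.must_use_https("gmail.example.com")       # False: no policy for it
    store.process_response("example.com", "max-age=31536000; includeSubDomains")
    r["sibling_after_includeSubDomains"] = store.must_use_https("gmail.example.com")  # True
    store.process_response("bank.example", "max-age=600", secure=False)  # plain HTTP: ignored
    r["plain_http_ignored"] = store.must_use_https("bank.example")       # False
    r["preloaded_first_visit"] = store.must_use_https("www.preloaded.example")  # True
    return r


if __name__ == "__main__":
    print(demo())
```

The two knobs that close the gaps modelled here are on the server side and in the browser vendor's list: send the header with includeSubDomains from the registrable domain so that no sibling hostname falls outside the policy, and submit the domain for preloading so that the policy is present before the first connection ever happens.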
1

There is a walkthrough of the entire process here: http://sign0f4.blogspot.com/2014/10/mitmf-v07-released-sslstrip-integration.html

In summary, the author of the blog post demonstrates using sslstrip2 and dns2proxy to capture credentials. While the author is using his own MITMf tool, the tool encapsulates sslstrip2 and dns2proxy, as well as the HSTS configuration file associated with them. He provides screenshots of the commands, browsers, and the tool outputs. There are two case studies demonstrated: Google and Facebook.

NULL
atdre
  • Broken link...here it is in Wayback: https://web.archive.org/web/20150921195009/http://sign0f4.blogspot.com/2014/10/mitmf-v07-released-sslstrip-integration.html – NULL Aug 12 '17 at 21:01