[Bartosz]

Hello there!
I’m sorry in case I’m repeating an already existing question… Couldn’t find anything by searching since searching for “https” returns all posts that contain any links in them 😉

I was wondering if you could recommend to me any resources on bypassing https that would be more up-to-date (if there are any?). This topic is briefly mentioned in the course, with the assumption, that downgrading connections with SSLstrip will do the trick. Now all browsers literally scream at you (if not just block the connection altogether) whenever you connect through http. Not to mention the growing implementation of HSTS. So from my understanding it’s no longer a matter of hoping that the user will overlook the lack of padlock in the url bar 😉

I think this is crucial, since right now all the steps of becoming the MITM seem irrelevant.
Please correct me if I’m wrong. From what I understand, there either must be new ways of bypassing https, or becoming MITM kinda lost it’s purpose nowadays(?)

[Diego Pérez]

Hi!
No, using sslstrip is still working, not for all the sites but many of them will be downgraded. The Ethical Hacking course shows how to do it with bettercap and the Network Advanced course shows how to do it with mitmproxy, so you can enroll in such courses and test that solutions as well. With bettercap there’s a workaround for hsts sites too. But yeah, some sites are implemeting some kind of protection like preventing logging in from an http connection. Another possible solution will be to get access to the target machine, via backdoor, trojan or similar, and then force the use of a proxy like Burp (I mean kali’s Burp) which can be used to sniff data, this has the advantage that the victim can still have it’s https connection but as we are a proxy server we can intercept https traffic and read it in plain text. This requires many steps and it’s not so staright forward, but it’s a cool attack. Maybe I’ll do some post about it in the futere, need to work more on it.

Greetings!
Diego

[Bartosz]

Hey, thanks for the comprehensive response!

What I mean concerns more the client (target) side, not the server side. If you’re ever so kind to donate even more of your time to my question, here it is more detailed:

// Let’s assume we want to become the MITM to gain access to the target. So no backdoors etc (if we already have access, we can pretty much do whatever anyways, right? :))

So regardless of what method we choose as MITM, the target still connects through http. We can use SSLstrip or any other method, and sure it will work with many (most?) websites. But “work” means we will establish a connection, and as far as the server is concerned, we’re the client, so for them it looks like a legitimate https connection.

But the client machine knows it’s connected through http. And that’s what concerns me. If the client is using any modern browser, it will surely let him know that this is not a private connection with flashy alerts and this pretty much raises a red flag. Even if the user has no knowledge of http(S) protocols, he or she will think twice before going further. If I remember right, on Chrome for example you need to click “advanced” and than “allow the connection anyways”, stating that you’re aware of how dangerous it might be.

So that’s what I meant in the original question. Is there a way to fool the target into thinking it is actually connecting through https? (without having access to the target machine).

[Bartosz]

Sorry, I rushed with my reply there! 🙂

I see mitmproxy attempts to do exactly that. I thought you just listed other similar ways of downgrading the connection. Thanks, I will look into that. And I’ll be on the lookout for your posts on the topic 🙂

Another thing, just a quick suggestion. Everyone is doing courses on “the cool stuff” like gaining access and hijacking webcams. But there is very little accessible knowledge on covering our tracks afterwards. Clearing logs etc. I’m not sure why, for me this concept is also fascinating, and regardless, it is very important. Maybe you guys would like to focus a little on that at some point 😉
I know it’s beside the scope of this thread, but it’s all connected, and I won’t be creating another post just to suggest this to you, you obviously know stuff 😉

Anyways, thanks again!

[Diego Pérez]

Hi!
Cool, thanks for the suggestion.

Yeah, it’s not possible to fool the browser into thinking it’s using an https connection, even sslstrip has an option to display a lock icon, I think it’s -f, you can run –help to get all the options sslstrip has, but you need the ico file, check the sslstrip github repo. Haven’t tried that option for a long time so don’t know if it works or not, may be give it a try.

Greetings!
Diego

[Author]

Posts