- This topic has 51 replies, 3 voices, and was last updated 8 months, 3 weeks ago by Diego Pérez.
June 3, 2023 at 7:49 pm #72804 noura (Participant)
Well, I downloaded the custom Kali again just to make sure everything is new, and I didn’t upgrade bettercap, and the resources is just a file; I didn’t find instructions on how to do it. Do you have a video?
June 5, 2023 at 1:58 am #72818 noura (Participant)
Did you mean I should add the hstshijack caplet in the same spoof caplet? You can find a screenshot of what I mean here https://drive.google.com/drive/folders/1-_XQpmx4CRNhPnuA1y-MHGeFYv_sXTqB the picture is named “hstshijack caplet in the spoof caplet”. I would appreciate it if you provided step-by-step instructions, I am such a beginner in this.
June 5, 2023 at 9:31 pm #72829 Diego Pérez (Moderator)
Hi!
No, you don’t need to add it to the spoof caplet. Which lecture are you on currently? Because in lecture 12.8 Zaid shows how to place the caplet in the correct folder.
Greetings!
Diego
June 9, 2023 at 3:48 pm #72862 noura (Participant)
Hey, so I saw lecture 12.8 and Zaid in this lecture talks about bypassing HSTS not HTTP, and I noticed that his hstshijack caplet is different from what I have, maybe this is why it’s not working for me. You can see a screenshot of it here https://drive.google.com/drive/folders/1-_XQpmx4CRNhPnuA1y-MHGeFYv_sXTqB the name of the picture is hstshijack.cap.png, and this is the file that was already in the Kali image, I didn’t make any changes to it.
June 9, 2023 at 4:00 pm #72863 noura (Participant)
Please help me with this, it is such a distracting problem, I can’t continue with things if I can’t fix this.
June 9, 2023 at 9:43 pm #72865 Diego Pérez (Moderator)
Hi!
That is the original caplet, use the custom one. You can download it from the resources of lecture 12.7, it’s a whole folder. And in lecture 12.8 Zaid showed where to place that folder.
Greetings!
Diego
June 9, 2023 at 11:42 pm #72868 noura (Participant)
Well, I downloaded the custom caplet from lecture 12.7, but the problem here is that in lecture 12.8 Zaid talks about bypassing HSTS not HTTPS. Or do you at least know at which minute of the video he starts talking about where to place the folder?
June 11, 2023 at 11:36 am #72880 noura (Participant)
Hey, I think I fixed it and placed the files in the right path, but there’s a small problem here: after running the hstshijack caplet I tried visiting LinkedIn on the target machine, and the LinkedIn link appears in bettercap showing that the target machine has visited it, but what appears on the target machine itself is ( http://www.linkedin.com refused to connect ). You can see new screenshots here, “hstshijack worked” and “LinkedIn refusing to connect”: https://drive.google.com/drive/folders/1-_XQpmx4CRNhPnuA1y-MHGeFYv_sXTqB
June 13, 2023 at 9:42 am #72925 noura (Participant)
Can you answer me? Because I fixed everything, only the problem above remains.
June 14, 2023 at 7:12 am #72939 Diego Pérez (Moderator)
Hi!
Basically there are 2 challenges:
- Websites that use normal HTTPS like zsecurity.org, stackoverflow.com, etc. You should be able to bypass all of these even if accessed directly.
- Websites that use HSTS like Facebook and Twitter. These websites will only load over HTTPS if accessed directly because the browser has a list of famous websites that use HSTS, therefore it will only load them over HTTPS. The only way around this is to use the custom hstshijack caplet that Zaid provided. This will only work if the user searches for the website using a search engine that does not use HSTS, for example if they use the local Google domain such as google.ie to search for Facebook, Twitter, etc. In this case the script will replace the .com at the end with .corn, bypassing the list of famous websites that the browser has and allowing us to downgrade these websites to HTTP.
So clear the browser’s cache for All Times or Everything on the victim’s machine, then run the attack and enter linkedin.com in the browser’s address bar, just like that, without prepending https://
Let me know how it goes!
Diego
June 14, 2023 at 4:08 pm #72944 noura (Participant)
I am using the custom hstshijack caplet:
1: the only website that worked now is linkedin.com
2: zsecurity.org AND stackoverflow.com are now working whether I access them directly or not
3: I tried going to Facebook.com through the local Google domain (google.ie) and it did not work
4: I cleared the browser’s cache for All Times on the victim’s machine and LinkedIn worked, but whenever I try to sign in the username and password don’t show up in bettercap
I have done everything in the right way as you said, but nothing is working except for LinkedIn, and not all of it is working. Should I show you the contents of the hstshijack file?
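Diego's distinction earlier in the thread, between sites on plain HTTPS and sites the browser already knows must use HTTPS, can be checked from the defender's side by reading a site's `Strict-Transport-Security` header. The sketch below is an added example, not part of any post or of the course material; the function names, hosts and sample headers are constructed, and the one-year threshold is the published minimum for browser preload lists.

```python
PRELOAD_MIN_AGE = 31536000  # one year: minimum max-age accepted for browser preload lists

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains, preload)."""
    max_age, subdomains, preload = None, False, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            subdomains = True
        elif name == "preload":
            preload = True
    return max_age, subdomains, preload

def downgrade_exposure(header):
    """Classify when a plain-HTTP request to the site can still be intercepted and stripped."""
    if header is None:
        return "every-visit"               # no HSTS: any http:// request is exposed
    max_age, subdomains, preload = parse_hsts(header)
    if not max_age:
        return "every-visit"               # missing or zero max-age switches HSTS off
    if preload and subdomains and max_age >= PRELOAD_MIN_AGE:
        return "protected-once-preloaded"  # eligible for the browser's built-in list
    # Policy is only learned after one clean HTTPS load, and is forgotten
    # again when the browser's stored site data is cleared.
    return "first-visit"

# Constructed sample headers for hypothetical hosts (not measured from real sites).
SAMPLES = {
    "no-header.example": None,
    "short-policy.example": "max-age=15552000",
    "preload-ready.example": "max-age=63072000; includeSubDomains; preload",
    "disabled.example": "max-age=0; includeSubDomains",
}

def report(samples=SAMPLES):
    """Return {host: exposure class} for a mapping of host to header value."""
    return {host: downgrade_exposure(h) for host, h in samples.items()}

if __name__ == "__main__":
    for host, verdict in report().items():
        print(f"{host:24} {verdict}")
```

A header that is merely eligible does not put the site on the list; the site still has to be submitted and shipped in a browser release.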
June 14, 2023 at 9:53 pm #72951 Diego Pérez (Moderator)
Hi!
If the website has been downgraded then the credentials should be captured as well, just look among all the packets displayed in bettercap.
You also said that zsecurity.org AND stackoverflow.com are now working but at the end you said that only LinkedIn is, so can you explain?
Which browser are you using for testing?
Greetings!
Diego
June 15, 2023 at 6:30 am #72956 noura (Participant)
Sorry, I made a mistake in point 2. I meant to say that zsecurity and stackoverflow are not working whether I try to access them directly or indirectly,
and LinkedIn is the only website that states “not secure” when I run the hstshijack caplet, so it’s working, but when I try to sign in to see if a password and username appear in bettercap, the page can’t load and it says “Hmmm… can’t reach this page”. This is on the target machine. Also, I tried going to Facebook.com through the local Google domain (google.ie) and in the search bar it says “Facebook.com”, not Facebook.corn. Last but not least, I just started the course and these were the first few lectures I’ve seen about cybersecurity and hacking, so I would appreciate it if you told me what I should look for in the packets of bettercap.
June 15, 2023 at 9:18 pm #72969 Diego Pérez (Moderator)
Hi!
Ok, then let’s go step by step.
Launch a simple ARP spoof attack (without using the hstshijack caplet) and visit vulnweb.com on the victim machine, check if you can get the credentials.
Also share a screenshot of arp -a in Windows before and during the attack.
And in any case you don’t have to enter facebook.com in the search bar, nor will the text in it change to facebook.corn. I suggest watching the lecture again, paying attention to the things Zaid does and taking notes, it will be very helpful.
Greetings!
Diego
- This reply was modified 1 year, 5 months ago by Diego Pérez.
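The `arp -a` comparison Diego asks for can also be done programmatically: the check below parses two Windows `arp -a` captures and reports the two usual signs of ARP spoofing, a gateway whose MAC changed and one MAC claimed by several IPs. It is an added example, not part of the thread; the sample outputs and addresses are constructed and the function names are hypothetical.

```python
import re

# Constructed Windows `arp -a` output (not taken from the thread's screenshots).
BEFORE = """
Interface: 10.0.2.15 --- 0x4
  Internet Address      Physical Address      Type
  10.0.2.1              52-54-00-12-35-00     dynamic
  10.0.2.7              08-00-27-aa-bb-cc     dynamic
  10.0.2.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
DURING = BEFORE.replace("52-54-00-12-35-00", "08-00-27-aa-bb-cc")

ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+\w+\s*$", re.I)

def parse_arp(text):
    """Return {ip: mac} for the unicast rows of Windows `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # interface banner, column header, blank line
        ip, mac = m.group(1), m.group(2).lower()
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue  # broadcast and IPv4 multicast rows are expected to repeat
        table[ip] = mac
    return table

def spoof_indicators(before, during, gateway):
    """Compare two captures; return a list of (kind, subject, detail) findings."""
    b, d = parse_arp(before), parse_arp(during)
    findings = []
    if gateway in b and gateway in d and b[gateway] != d[gateway]:
        findings.append(("gateway_mac_changed", gateway, (b[gateway], d[gateway])))
    owners = {}
    for ip, mac in d.items():
        owners.setdefault(mac, []).append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:  # one NIC answering for several IPs
            findings.append(("mac_shared", mac, tuple(sorted(ips))))
    return findings

if __name__ == "__main__":
    for finding in spoof_indicators(BEFORE, DURING, "10.0.2.1"):
        print(finding)
```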
June 18, 2023 at 8:46 pm #73016 noura (Participant)
Hello, sorry for the late reply, I was busy with school but cybersecurity is my real passion.
So, I did everything as you said, but I wasn’t sure if I should have net.sniff on so I did it anyway: a simple ARP spoof attack without the hstshijack caplet, and then I visited vulnweb.com, but the surprise here is that it’s not loading on the victim machine. I also shared a screenshot of arp -a before and during the attack, you can find the 3 screenshots here https://drive.google.com/drive/folders/1-_XQpmx4CRNhPnuA1y-MHGeFYv_sXTqB the pictures are called ( vulnweb.com) (kali machine) (arp -a before and after).
Also, I paid too much attention and tried everything. I couldn’t get past the problems in lecture 12.7 to even go to lecture 12.8, but I did so because you said that Zaid explains where to place the folder of the caplet, which I’ve placed right. I’m just saying maybe LinkedIn is not working like it did for Zaid in lecture 12.7, and Facebook.corn in lecture 12.8, because of bettercap’s version?