Forum Replies Created
- AuthorPosts
Diego Pérez
Participant
Hi!
Did you clear the entire browser’s cache? Because by default it will only clear the last hour.
LinkedIn and Facebook can be downgraded successfully, I tested it. Are you using an Apple M1/M2 computer?
Greetings!
Diego

Diego Pérez
Participant
Glad to help!
Greetings!
Diego

Diego Pérez
Participant
Hi!
No, it’s not the adapter, the one that assigns the IPs is the router. Yes, this is related to static IPs. But each router is very different from each other so you’ll need to find that out yourself, use Google to look for possible solutions with the exact router brand and model you have. Also, you can call the ISP and ask them about it.
Greetings!
Diego

Diego Pérez
Participant
Hi!
Ok, then let’s go step by step.
Launch a simple arp spoof attack (without using the hstshijack caplet) and visit vulnweb.com on the victim machine, check if you can get the credentials.
Also share a screenshot of arp -a in Windows before and during the attack.
And in any case you don’t have to enter facebook.com in the search bar, nor will the text in it change to facebook.corn. I suggest watching the lecture again and paying attention to the things Zaid does and taking notes, it will be very helpful.
Greetings!
Diego
This reply was modified 2 years, 2 months ago by Diego Pérez.

Diego Pérez
Participant
Hi!
If the website has been downgraded then the credentials should be captured as well, just look among all the packets displayed in bettercap.
You also said that zsecurity.org AND stackoverflow.com are now working but at the end you said that only LinkedIn, so can you explain?
Which browser are you using for testing?
Greetings!
Diego

Diego Pérez
Participant
Hi!
I have already answered you there.
Greetings!
Diego

Diego Pérez
Participant
Hi!
It seems like the website is loading. What’s the exact error? Can you elaborate?
Thanks!
Diego

Diego Pérez
Participant
Hi!
Sorry for the late response.
About the constant IP change, that might be something related to your router, so check it out.
You have to kill the backdoor and then you should be able to stop Script Editor.
Greetings!
Diego

Diego Pérez
Participant
Hi!
Basically there are 2 challenges:
- Websites that use normal HTTPS like zsecurity.org, stackoverflow.com, etc. You should be able to bypass all of these even if accessed directly.
- Websites that use HSTS like Facebook and Twitter. These websites will only load over HTTPS if accessed directly because the browser has a list of famous websites that use HSTS, therefore it will only load them over HTTPS. The only way around this is to use the custom hstshijack caplet that Zaid provided. This will only work if the user searches for the website using a search engine that does not use HSTS, for example if they use the local Google domain such as google.ie to search for Facebook, Twitter, etc. In this case the script will replace the .com at the end with .corn, bypassing the list of famous websites that the browser has and allowing us to downgrade these websites to HTTP.
So clear the browser’s cache for All Times or Everything on the victim’s machine, then run the attack and enter linkedin.com in the browser’s address bar, just like that, without prepending https://
Let me know how it goes!
Diego

Diego Pérez
Participant
Hi!
That is the original caplet, use the custom one. You can download it from the resources of lecture 12.7, it’s a whole folder. And in lecture 12.8 Zaid showed where to place that folder.
Greetings!
Diego

Diego Pérez
Participant
Hi!
Just right click it and select Delete. From the command line use the command rm "path/to/file" and it will be deleted.
Greetings!
Diego
This reply was modified 2 years, 3 months ago by Diego Pérez.

Diego Pérez
Participant
Hi!
Glad you got it!
I’ll drink that beer! haha
Diego

Diego Pérez
Participant
Hi!
You can also try to run the portable executable. Once you’ve downloaded the .zip file from the resources, unzip it and you’ll find a directory named Portable. cd into that directory, it contains 2 executables. Use wine to run any of the executables. I just tested it and it worked fine.
Greetings!
Diego

Diego Pérez
Participant
Hi!
No, you don’t need to add it to the spoof caplet. Which lecture are you on currently? Because in lecture 12.8 Zaid shows how to place the caplet in the correct folder.
Greetings!
Diego

Diego Pérez
Participant
Hi!
I mentioned where you can find the executable in the above comment, I don’t remember the exact path but search around the mentioned path. Once you find it just run:
wine
Greetings!
Diego
This reply was modified 2 years, 2 months ago by