1
00:00:00,630  -->  00:00:03,010
<v Instructor>Now everything that we did so far</v>

2
00:00:03,010  -->  00:00:07,130
will only work against HTTP pages.

3
00:00:07,130  -->  00:00:09,610
The reason why it works against HTTP

4
00:00:09,610  -->  00:00:13,180
is because, as we've seen, the data in HTTP

5
00:00:13,180  -->  00:00:15,210
is sent as plain text.

6
00:00:15,210  -->  00:00:20,210
So it's text that humans like us can read and understand.

7
00:00:20,310  -->  00:00:22,300
That's why when we are the man in the middle

8
00:00:22,300  -->  00:00:23,880
we are able to read this text.

9
00:00:23,880  -->  00:00:24,930
And if we wanted

10
00:00:24,930  -->  00:00:28,490
we are able to modify this text as we wish.

11
00:00:28,490  -->  00:00:30,600
Now this is obviously a problem

12
00:00:30,600  -->  00:00:33,523
and this problem was fixed in HTTPS.

13
00:00:35,700  -->  00:00:39,410
So as you know, most websites use HTTPS

14
00:00:41,090  -->  00:00:42,410
and the reason why, like I said,

15
00:00:42,410  -->  00:00:45,910
is because it's a more secure version of HTTP

16
00:00:45,910  -->  00:00:48,430
and basically the way it works is

17
00:00:48,430  -->  00:00:51,830
it adds an extra layer over HTTP

18
00:00:51,830  -->  00:00:53,910
which is where the S comes from.

19
00:00:53,910  -->  00:00:56,850
So it's a secure HTTP protocol

20
00:00:56,850  -->  00:00:59,890
and this extra layer will encrypt

21
00:00:59,890  -->  00:01:03,690
the plain text data that HTTP sends.

22
00:01:03,690  -->  00:01:07,170
So if a person manages to become the man in the middle

23
00:01:07,170  -->  00:01:09,350
they will be able to read this data.

24
00:01:09,350  -->  00:01:11,110
But the data will be gibberish,

25
00:01:11,110  -->  00:01:13,310
it will not be readable

26
00:01:13,310  -->  00:01:16,053
to the person intercepting the connection.

27
00:01:18,260  -->  00:01:22,410
Now HTTPS relies on TLS or SSL

28
00:01:22,410  -->  00:01:24,200
to encrypt the data,

29
00:01:24,200  -->  00:01:27,380
and this is very difficult to break.

30
00:01:27,380  -->  00:01:30,210
Therefore, in order to bypass this,

31
00:01:30,210  -->  00:01:33,193
the easiest method is to downgrade

32
00:01:33,193  -->  00:01:37,210
HTTPS connections to HTTP.

33
00:01:37,210  -->  00:01:39,320
So since we are the man in the middle

34
00:01:39,320  -->  00:01:44,130
we can check if the target is requesting an HTTPS website.

35
00:01:44,130  -->  00:01:48,820
And instead of giving him the HTTPS version of that website

36
00:01:48,820  -->  00:01:52,220
we will give him the HTTP version.

37
00:01:52,220  -->  00:01:55,180
This way the data will be sent in plain text,

38
00:01:55,180  -->  00:01:58,710
and we will be able to read it exactly as I showed you

39
00:01:58,710  -->  00:02:00,780
in the previous lecture.

40
00:02:00,780  -->  00:02:03,500
To do this we'll have to manually configure

41
00:02:03,500  -->  00:02:06,490
and use a tool called SSL Strip.

42
00:02:06,490  -->  00:02:10,400
And I show how to do this in my more advanced courses.

43
00:02:10,400  -->  00:02:12,870
But luckily BetterCAP has a caplet

44
00:02:12,870  -->  00:02:16,230
that will do all of this for us.

45
00:02:16,230  -->  00:02:20,390
The only problem is this caplet does not replace

46
00:02:20,390  -->  00:02:23,800
all HTTPS links with HTTP

47
00:02:23,800  -->  00:02:25,810
in the loaded pages.

48
00:02:25,810  -->  00:02:28,730
So I modified this caplet for you

49
00:02:28,730  -->  00:02:31,630
to make sure that it's gonna work as expected.

50
00:02:31,630  -->  00:02:35,260
And I've included it in the resources of this lecture.

51
00:02:35,260  -->  00:02:37,930
So all we have to do is download the zip

52
00:02:37,930  -->  00:02:40,090
in the resources of this lecture

53
00:02:40,090  -->  00:02:43,700
and I have it downloaded in my Kali machine.

54
00:02:43,700  -->  00:02:48,700
So I'm gonna go to my files and to my downloads.

55
00:02:48,910  -->  00:02:50,010
And I have it right here.

56
00:02:50,010  -->  00:02:53,650
It's called hstshijacked.zip.

57
00:02:53,650  -->  00:02:57,960
I'm gonna right click it and extract it here.

58
00:02:57,960  -->  00:03:00,620
This is the folder of this caplet,

59
00:03:00,620  -->  00:03:02,260
and I'm gonna copy it

60
00:03:03,400  -->  00:03:06,520
and paste it in the correct location,

61
00:03:06,520  -->  00:03:10,610
where BetterCAP loads caplets from.

62
00:03:10,610  -->  00:03:12,810
So to go to that location,

63
00:03:12,810  -->  00:03:16,700
you can either press Control and L on your keyboard

64
00:03:16,700  -->  00:03:20,210
to open the Path Bar, or you can press here

65
00:03:20,210  -->  00:03:23,980
and press forward slash again to open the Path Bar.

66
00:03:23,980  -->  00:03:25,760
Once the Path Bar is open

67
00:03:25,760  -->  00:03:27,287
we wanna go to usr,

68
00:03:28,930  -->  00:03:30,510
share,

69
00:03:30,510  -->  00:03:33,293
bettercap, caplets.

70
00:03:34,360  -->  00:03:37,010
So like I said this is the default location

71
00:03:37,010  -->  00:03:40,330
where BetterCAP stores all of the caplets.

72
00:03:40,330  -->  00:03:42,240
I'm gonna hit Enter

73
00:03:42,240  -->  00:03:45,640
and as you can see we already have this caplet in here

74
00:03:45,640  -->  00:03:48,410
but like I said this caplet is buggy,

75
00:03:48,410  -->  00:03:50,540
it doesn't work as expected.

76
00:03:50,540  -->  00:03:52,023
So I'm gonna delete it.

77
00:03:52,860  -->  00:03:55,520
So right click, move to Trash.

78
00:03:55,520  -->  00:03:59,263
And I'm gonna paste the one I just copied in here.

79
00:04:00,930  -->  00:04:02,580
So that's it, we're good to go.

80
00:04:02,580  -->  00:04:06,490
We can go ahead and use this caplet from BetterCAP.

81
00:04:06,490  -->  00:04:08,230
But before we do that,

82
00:04:08,230  -->  00:04:12,300
I also want to go to my home directory,

83
00:04:12,300  -->  00:04:15,610
this is where I stored the caplet that we created

84
00:04:15,610  -->  00:04:17,000
in the previous lecture.

85
00:04:17,000  -->  00:04:18,290
The spoof caplet,

86
00:04:18,290  -->  00:04:21,930
the one that will run the ARP spoofing command.

87
00:04:21,930  -->  00:04:23,483
And then run the sniffer.

88
00:04:24,600  -->  00:04:26,810
I just wanna modify one thing in this.

89
00:04:26,810  -->  00:04:31,100
So I'm gonna right click it, and open it with Leafpad.

90
00:04:31,100  -->  00:04:33,100
And what I wanna modify is,

91
00:04:33,100  -->  00:04:36,713
I want to add an option to the sniff in here.

92
00:04:37,780  -->  00:04:40,830
So as you know the line net.sniff.on

93
00:04:40,830  -->  00:04:42,550
will turn on my sniffer,

94
00:04:42,550  -->  00:04:44,730
but before turning it on,

95
00:04:44,730  -->  00:04:49,730
I want to set the net.sniff.local to true

96
00:04:53,550  -->  00:04:55,610
and what this option will do

97
00:04:55,610  -->  00:04:59,150
is tell BetterCAP to sniff all data

98
00:04:59,150  -->  00:05:03,220
even if it thinks this data is local data.

99
00:05:03,220  -->  00:05:05,990
The reason why I set this option to true

100
00:05:05,990  -->  00:05:10,460
is because once we use the HTTPS bypass caplet

101
00:05:10,460  -->  00:05:15,130
the data will seem as if it is being sent from our computer.

102
00:05:15,130  -->  00:05:18,300
So BetterCAP will think these passwords belong to me,

103
00:05:18,300  -->  00:05:22,470
to my computer and it will not display it to me on screen.

104
00:05:22,470  -->  00:05:24,440
That's why we are setting it to true.

105
00:05:24,440  -->  00:05:28,170
So that we can see all of the usernames and the passwords

106
00:05:28,170  -->  00:05:30,840
sent on the websites that we will downgrade

107
00:05:30,840  -->  00:05:33,573
from HTTPS to HTTP.

108
00:05:34,920  -->  00:05:36,400
So I'm gonna save this.

109
00:05:36,400  -->  00:05:39,660
Control + S and quit it, Control + Q.

110
00:05:39,660  -->  00:05:44,393
And now we are actually ready to go and use this caplet.

111
00:05:45,830  -->  00:05:47,190
So in the next lecture,

112
00:05:47,190  -->  00:05:49,810
I'm gonna show you how to use this caplet

113
00:05:49,810  -->  00:05:53,890
to downgrade HTTPS connections to HTTP.

114
00:05:53,890  -->  00:05:57,380
And therefore be able to sniff the URLs,

115
00:05:57,380  -->  00:06:00,210
the login information and passwords

116
00:06:00,210  -->  00:06:02,730
that people enter on websites

117
00:06:02,730  -->  00:06:06,113
that use HTTPS by default.
