1
00:00:00,760 --> 00:00:03,240
<v Lecturer>Okay, so now that we understand the theory</v>

2
00:00:03,240 --> 00:00:08,240
behind bypassing HTTPS and we have the correct caplet

3
00:00:08,360 --> 00:00:10,540
placed in the correct path,

4
00:00:10,540 --> 00:00:14,060
let's go ahead and use this caplet with Bettercap

5
00:00:14,060 --> 00:00:18,330
and see how we can downgrade HTTPS to HTTP

6
00:00:18,330 --> 00:00:21,830
and steal passwords from login pages

7
00:00:21,830 --> 00:00:25,213
that use HTTPS by default.

8
00:00:26,320 --> 00:00:30,830
So I'm gonna go to my terminal and I'm gonna use Bettercap

9
00:00:30,830 --> 00:00:33,740
exactly as I've been using it before.

10
00:00:33,740 --> 00:00:36,500
So we're doing Bettercap, the name of the program.

11
00:00:36,500 --> 00:00:40,350
We're giving it our interface after the iface argument,

12
00:00:40,350 --> 00:00:44,280
we're using the caplet argument to specify a caplet to run

13
00:00:44,280 --> 00:00:46,630
as soon as we run the program

14
00:00:46,630 --> 00:00:48,380
and we're running the spoof caplet,

15
00:00:48,380 --> 00:00:50,970
the one that we built in the previous lecture

16
00:00:50,970 --> 00:00:53,370
that'll run the ARP spoofing command

17
00:00:53,370 --> 00:00:55,940
and run the sniffer for us.

18
00:00:55,940 --> 00:00:59,300
So I'm gonna hit enter and as you can see,

19
00:00:59,300 --> 00:01:02,310
everything got executed as expected.

20
00:01:02,310 --> 00:01:06,170
If we do help, we'll see all the running modules

21
00:01:06,170 --> 00:01:09,760
and we have the ARP spoof and the sniffer running

22
00:01:09,760 --> 00:01:12,360
with the recon and with the probe.

23
00:01:12,360 --> 00:01:15,333
So this is exactly what we wanted from our caplet.

24
00:01:16,410 --> 00:01:17,960
The next thing that we wanna do

25
00:01:17,960 --> 00:01:20,960
is run the HSTS bypass caplet,

26
00:01:20,960 --> 00:01:22,880
the one that we just downloaded

27
00:01:22,880 --> 00:01:26,690
and placed in our Bettercap directory.

28
00:01:26,690 --> 00:01:30,260
So first of all, the HSTS bypass caplet

29
00:01:30,260 --> 00:01:34,470
is one of many caplets that Bettercap comes with.

30
00:01:34,470 --> 00:01:36,950
If you want to list all of these caplets,

31
00:01:36,950 --> 00:01:41,950
you can do caplets.show and as you can see,

32
00:01:42,710 --> 00:01:46,490
you'll get a list of all of the caplets that you have

33
00:01:46,490 --> 00:01:49,133
and their location on the system.

34
00:01:49,990 --> 00:01:52,340
Now, the caplet that we want to run

35
00:01:52,340 --> 00:01:55,040
is the HSTS hijack caplet.

36
00:01:55,040 --> 00:01:56,560
This one right here.

37
00:01:56,560 --> 00:01:58,270
And you can see it's stored in here.

38
00:01:58,270 --> 00:02:00,950
This is the location where we actually replaced it

39
00:02:00,950 --> 00:02:03,430
with the one that we downloaded.

40
00:02:03,430 --> 00:02:06,170
And to run any of these caplets, all you have to do

41
00:02:06,170 --> 00:02:09,080
is literally just type its name.

42
00:02:09,080 --> 00:02:12,280
And as usual, you can use the tab to auto-complete.

43
00:02:12,280 --> 00:02:15,810
So to run our caplet right here, all I have to do

44
00:02:15,810 --> 00:02:19,560
is literally type HS and press tab.

45
00:02:19,560 --> 00:02:23,530
And as you can see, it'll automatically auto-complete for me

46
00:02:23,530 --> 00:02:26,040
and type the caplet name.

47
00:02:26,040 --> 00:02:28,710
Now if I hit enter, this will load the caplet

48
00:02:28,710 --> 00:02:32,630
with all of its options and it'll run it for me.

49
00:02:32,630 --> 00:02:35,380
So as you can see, because we don't see any errors,

50
00:02:35,380 --> 00:02:39,130
this means everything got executed as expected.

51
00:02:39,130 --> 00:02:43,500
So let's go to the Windows machine, browse some HTTPS pages

52
00:02:43,500 --> 00:02:48,390
and see if we can sniff data, usernames, passwords, and URLs

53
00:02:48,390 --> 00:02:50,643
that they enter on their computer.

54
00:02:51,870 --> 00:02:54,270
So I have my Windows machine here.

55
00:02:54,270 --> 00:02:56,010
I have Chrome installed.

56
00:02:56,010 --> 00:02:58,170
This is the latest version of Chrome

57
00:02:58,170 --> 00:03:00,420
at the time of recording this lecture,

58
00:03:00,420 --> 00:03:03,620
which is in April 2019.

59
00:03:03,620 --> 00:03:06,860
Now, a really good idea before trying all of these things

60
00:03:06,860 --> 00:03:09,000
is to remove your browsing data

61
00:03:09,000 --> 00:03:12,130
because the websites that we're gonna try to access

62
00:03:12,130 --> 00:03:13,320
might be cached

63
00:03:13,320 --> 00:03:16,130
and they might be just loaded from your cache.

64
00:03:16,130 --> 00:03:18,930
This will only happen if you're visiting the same website

65
00:03:18,930 --> 00:03:21,750
over and over again, mostly when testing.

66
00:03:21,750 --> 00:03:25,910
Therefore, it's a really good idea to hit Control+Shift+Delete

67
00:03:25,910 --> 00:03:29,510
and click on clear browsing data.

68
00:03:29,510 --> 00:03:31,260
Make sure all of this is clicked,

69
00:03:31,260 --> 00:03:34,890
make sure it's set to all time and click on clear

70
00:03:34,890 --> 00:03:36,690
to remove all of it.

71
00:03:36,690 --> 00:03:40,623
And let's go ahead and go to a website that uses HTTPS.

72
00:03:41,610 --> 00:03:45,233
So a good example would be linkedin.com.

73
00:03:48,120 --> 00:03:50,980
And perfect, if you look here at the top,

74
00:03:50,980 --> 00:03:55,673
you'll see the website is loading over HTTP, not over HTTPS.

75
00:03:56,580 --> 00:04:00,690
Therefore, we'll be able to see anything the user enters

76
00:04:00,690 --> 00:04:01,863
in these boxes.

77
00:04:02,850 --> 00:04:04,320
So let's put a username.

78
00:04:04,320 --> 00:04:07,167
Let's set it to zaid@zsecurity.org

79
00:04:10,460 --> 00:04:15,190
and I'll put our password as 1234567890.

80
00:04:15,190 --> 00:04:17,900
It doesn't really matter, you can use any password.

81
00:04:17,900 --> 00:04:20,423
And I'm gonna hit enter to log in.

82
00:04:21,810 --> 00:04:25,000
This is wrong, so obviously we're getting an error message,

83
00:04:25,000 --> 00:04:27,900
but if we go back to Kali, as you can see

84
00:04:27,900 --> 00:04:29,720
we're capturing all of this data

85
00:04:29,720 --> 00:04:33,460
because it's not being sent over HTTPS anymore.

86
00:04:33,460 --> 00:04:35,703
It's being sent over HTTP.

87
00:04:37,130 --> 00:04:38,780
And if you look in here,

88
00:04:38,780 --> 00:04:41,940
you can see we captured login information.

89
00:04:41,940 --> 00:04:44,960
It's sent to linkedin.com,

90
00:04:44,960 --> 00:04:49,200
sent to this specific URL, a login URL

91
00:04:49,200 --> 00:04:53,730
and you can see the username is zaid@zsecurity.org

92
00:04:53,730 --> 00:04:55,730
and the password is one, two, three

93
00:04:55,730 --> 00:04:58,163
all the way up to nine zero.

94
00:04:59,150 --> 00:05:01,040
So that's really, really good.

95
00:05:01,040 --> 00:05:04,320
Let's go ahead and test another HTTPS website.

96
00:05:04,320 --> 00:05:07,353
Let's go to stackoverflow.com.

97
00:05:09,570 --> 00:05:13,793
Again, you can see on top it's loading over HTTP, not HTTPS.

98
00:05:15,030 --> 00:05:16,973
So I'm gonna click on login.

99
00:05:18,060 --> 00:05:22,150
And again I'm gonna put my email zaid@zsecurity.org

100
00:05:22,150 --> 00:05:24,950
and we'll put our password as 1234567890, hit enter.

101
00:05:29,500 --> 00:05:32,850
And let's go to the Kali machine again,

102
00:05:32,850 --> 00:05:35,483
scroll down this time 'cause we're stuck on top.

103
00:05:36,550 --> 00:05:40,270
And perfect, you can see we have a POST request in here.

104
00:05:40,270 --> 00:05:42,210
It's sent to this specific URL.

105
00:05:42,210 --> 00:05:44,590
Again, you can see login in the URL.

106
00:05:44,590 --> 00:05:48,500
You can see the website itself, stackoverflow.com

107
00:05:48,500 --> 00:05:51,620
and if we scroll down a little bit more

108
00:05:51,620 --> 00:05:56,620
we can see that the username is zaid@zsecurity.org

109
00:05:57,830 --> 00:05:59,220
and the password, again,

110
00:05:59,220 --> 00:06:02,033
one, two, three all the way up to nine zero.

111
00:06:03,290 --> 00:06:05,450
So that is really, really good.

112
00:06:05,450 --> 00:06:10,450
Now we can downgrade any HTTPS connection to HTTP

113
00:06:11,460 --> 00:06:16,460
as long as the target website uses HTTPS, not HSTS.

114
00:06:18,500 --> 00:06:22,140
So this method will work against pretty much all websites

115
00:06:22,140 --> 00:06:27,010
that use HTTPS except for the really popular websites

116
00:06:27,010 --> 00:06:30,740
such as Facebook, Twitter, and so on.

117
00:06:30,740 --> 00:06:32,800
So let me show you a quick example.

118
00:06:32,800 --> 00:06:36,800
If I go here and try to go to facebook.com

119
00:06:38,850 --> 00:06:42,343
you'll see that the website got loaded over HTTPS,

120
00:06:43,660 --> 00:06:45,900
not over HTTP,

121
00:06:45,900 --> 00:06:50,300
even though we configured our caplet correctly,

122
00:06:50,300 --> 00:06:54,670
and even though we're able to downgrade HTTPS connections

123
00:06:54,670 --> 00:06:59,363
on a lot of websites such as LinkedIn and Stack Overflow.

124
00:07:00,460 --> 00:07:04,750
This is happening because Facebook is using HSTS

125
00:07:04,750 --> 00:07:07,703
which is a little bit trickier to bypass.

126
00:07:08,600 --> 00:07:12,780
In the next lecture we'll talk more about what HSTS is,

127
00:07:12,780 --> 00:07:17,410
why it's tricky to bypass and how to partially bypass it

128
00:07:17,410 --> 00:07:20,000
and still get usernames and passwords

129
00:07:20,000 --> 00:07:22,170
from the websites that implement it

130
00:07:22,170 --> 00:07:25,213
such as Facebook, Twitter, and so on.