1
00:00:00,400 --> 00:00:01,990
<v Instructor>In the previous lecture</v>

2
00:00:01,990 --> 00:00:06,567
we saw how to downgrade HTTPS websites to HTTP

3
00:00:07,470 --> 00:00:12,060
and this allowed us to basically see anything a user does

4
00:00:12,060 --> 00:00:14,930
on these websites because data in HTTP

5
00:00:14,930 --> 00:00:16,940
is sent in plain text.

6
00:00:16,940 --> 00:00:20,040
Therefore we were able to see the usernames, the passwords,

7
00:00:20,040 --> 00:00:24,993
the URLs, and anything they do on HTTPS websites.

8
00:00:26,110 --> 00:00:27,200
At the end of the lecture,

9
00:00:27,200 --> 00:00:29,400
I also showed you that the method

10
00:00:29,400 --> 00:00:32,530
will not work against Facebook, Twitter,

11
00:00:32,530 --> 00:00:36,393
and other websites that use HSTS.

12
00:00:37,340 --> 00:00:40,610
The reason why it won't work against these websites

13
00:00:40,610 --> 00:00:45,610
is because modern web browsers come with a list of websites

14
00:00:45,960 --> 00:00:50,463
that they should only load over HTTPS.

15
00:00:51,490 --> 00:00:54,330
See, what we were doing in the previous lecture,

16
00:00:54,330 --> 00:00:58,050
whenever a browser requests a website,

17
00:00:58,050 --> 00:01:01,557
we load that website even if it uses HTTPS,

18
00:01:01,557 --> 00:01:05,700
but we always give it back the HTTP version.

19
00:01:05,700 --> 00:01:10,520
In HSTS, the browser knows that this website, for example,

20
00:01:10,520 --> 00:01:15,500
facebook.com, should always be loaded over HTTPS.

21
00:01:15,500 --> 00:01:18,660
So even before sending this request to us,

22
00:01:18,660 --> 00:01:21,640
it will always send it in HTTPS

23
00:01:21,640 --> 00:01:24,240
and it'll always only accept it

24
00:01:24,240 --> 00:01:26,123
if it comes back as HTTPS.

25
00:01:27,050 --> 00:01:31,230
So there is nothing we can do really once we become the man

26
00:01:31,230 --> 00:01:33,490
in the middle because the browser

27
00:01:33,490 --> 00:01:35,630
is doing this check locally,

28
00:01:35,630 --> 00:01:37,760
it's checking this against a list

29
00:01:37,760 --> 00:01:41,063
that is stored on the computer itself.

30
00:01:42,160 --> 00:01:45,050
Therefore, the only practical solution

31
00:01:45,050 --> 00:01:50,050
at the moment to bypass HSTS is to make the browser think

32
00:01:51,450 --> 00:01:54,253
that it is loading another website.

33
00:01:55,620 --> 00:01:59,540
To do this, we're gonna replace all HSTS links

34
00:01:59,540 --> 00:02:02,370
in loaded pages with similar links,

35
00:02:02,370 --> 00:02:04,890
but they're not the same links.

36
00:02:04,890 --> 00:02:09,890
For example, we can replace facebook.com with facebook.corn.

37
00:02:10,350 --> 00:02:13,710
Now I know this seems very suspicious,

38
00:02:13,710 --> 00:02:17,070
but trust me, when it goes into the URL bar,

39
00:02:17,070 --> 00:02:19,210
the RN here in the middle,

40
00:02:19,210 --> 00:02:22,103
it'll seem very similar to the letter M.

41
00:02:23,020 --> 00:02:24,240
Another way of doing this,

42
00:02:24,240 --> 00:02:28,000
you can replace twitter.com with twiter.com,

43
00:02:28,000 --> 00:02:31,323
but with a single T here instead of a double T.

44
00:02:32,530 --> 00:02:35,340
I know this sounds a little bit confusing right now,

45
00:02:35,340 --> 00:02:37,920
but let me go and do it practically

46
00:02:37,920 --> 00:02:40,493
and you will see how this is gonna work.

47
00:02:41,470 --> 00:02:44,090
So right here I have my Kali machine

48
00:02:45,250 --> 00:02:49,400
and we're actually gonna use the HSTS caplet

49
00:02:49,400 --> 00:02:51,610
that we used in the previous lecture.

50
00:02:51,610 --> 00:02:53,900
So I've already shown you where to download it

51
00:02:53,900 --> 00:02:55,320
and where to place it.

52
00:02:55,320 --> 00:02:58,180
Please make sure you use the caplet that I gave you

53
00:02:58,180 --> 00:03:00,030
in the resources of this lecture,

54
00:03:00,030 --> 00:03:02,540
not the one that comes with BetterCAP,

55
00:03:02,540 --> 00:03:05,050
because the one that I gave you in the resources

56
00:03:05,050 --> 00:03:08,940
of this lecture is modified and it contains code

57
00:03:08,940 --> 00:03:10,710
that will actually replace

58
00:03:10,710 --> 00:03:13,370
the domain names as shown in here.

59
00:03:13,370 --> 00:03:15,920
The original one does not contain that code,

60
00:03:15,920 --> 00:03:18,893
so it won't work as I'm gonna show you right now.

61
00:03:20,630 --> 00:03:22,700
So as shown in the previous lecture,

62
00:03:22,700 --> 00:03:24,750
I already have my caplet in here

63
00:03:24,750 --> 00:03:28,047
in /usr/share/bettercap/caplets

64
00:03:28,047 --> 00:03:30,010
and this is the name of the caplet.

65
00:03:30,010 --> 00:03:35,010
If we go inside it, we have a file called hstshijack.cap.

66
00:03:35,700 --> 00:03:39,570
This is the configuration file of the caplet,

67
00:03:39,570 --> 00:03:41,350
so I'm gonna right-click it,

68
00:03:41,350 --> 00:03:44,200
I'm gonna open it with another application.

69
00:03:44,200 --> 00:03:47,030
I'm gonna click on View All Applications

70
00:03:47,030 --> 00:03:50,550
and you wanna pick any text editor that you have.

71
00:03:50,550 --> 00:03:53,190
So I'm gonna pick Leafpad; you might have

72
00:03:53,190 --> 00:03:56,400
to scroll down to find it, but I have it here.

73
00:03:56,400 --> 00:03:57,450
I'm gonna select it

74
00:03:58,480 --> 00:04:01,160
and as you can see we have a normal text file

75
00:04:01,160 --> 00:04:04,070
with all the configurations that we can set

76
00:04:04,070 --> 00:04:07,030
and I've already pre-configured this for you.

77
00:04:07,030 --> 00:04:09,690
The main things that you wanna understand

78
00:04:09,690 --> 00:04:14,550
and maybe change are the targets and the replacements.

79
00:04:14,550 --> 00:04:18,440
So the targets are the domains that use HSTS

80
00:04:18,440 --> 00:04:20,240
that you want to replace.

81
00:04:20,240 --> 00:04:22,787
For example, I have twitter.com in here

82
00:04:22,787 --> 00:04:26,360
and I also have *.twitter.com.

83
00:04:26,360 --> 00:04:28,060
Basically, when you use a star,

84
00:04:28,060 --> 00:04:30,510
this is a wildcard and it basically means

85
00:04:30,510 --> 00:04:35,193
any subdomain of twitter.com is a target as well.

86
00:04:36,310 --> 00:04:37,410
In the replacements,

87
00:04:37,410 --> 00:04:41,780
you wanna tell the program what to replace this target with.

88
00:04:41,780 --> 00:04:44,320
For example, whenever we see twitter.com

89
00:04:44,320 --> 00:04:47,160
we're gonna replace it with twitter.corn.

90
00:04:47,160 --> 00:04:50,070
The same goes for Facebook and Apple

91
00:04:50,070 --> 00:04:52,267
and a few other domains that I set.

92
00:04:53,300 --> 00:04:55,880
You can also play around with the obfuscate

93
00:04:55,880 --> 00:04:57,780
and encode options.

94
00:04:57,780 --> 00:05:01,130
I've set both of these to false because basically

95
00:05:01,130 --> 00:05:02,050
what these will do,

96
00:05:02,050 --> 00:05:05,410
they'll obfuscate the code and encode it,

97
00:05:05,410 --> 00:05:08,490
but I noticed some browsers like Firefox

98
00:05:08,490 --> 00:05:11,690
will block obfuscated or encoded code.

99
00:05:11,690 --> 00:05:14,080
That's why I set both of these to false

100
00:05:14,080 --> 00:05:16,363
so that the code is left as is.

101
00:05:18,000 --> 00:05:19,370
Here in the payloads

102
00:05:19,370 --> 00:05:21,410
you can set any other JavaScript code

103
00:05:21,410 --> 00:05:23,710
that you want to inject. Leave this the same;

104
00:05:23,710 --> 00:05:27,740
we'll talk about JavaScript injection in a future lecture.

105
00:05:27,740 --> 00:05:31,440
Finally, you wanna make sure that the DNS spoof domains

106
00:05:31,440 --> 00:05:36,070
are set exactly the same as the replacements in here.

107
00:05:36,070 --> 00:05:39,303
So I literally copy this line and paste it here.

108
00:05:40,230 --> 00:05:42,310
Now I'm actually gonna keep all of this the same.

109
00:05:42,310 --> 00:05:44,830
I don't need to modify any of it, but like I said,

110
00:05:44,830 --> 00:05:46,950
if you are targeting different websites

111
00:05:46,950 --> 00:05:49,430
or if you want to use different replacements,

112
00:05:49,430 --> 00:05:52,710
for example, if you wanted to use a Twitter with a single T

113
00:05:52,710 --> 00:05:55,230
and keep this .com, you can do that here.

114
00:05:55,230 --> 00:05:58,360
If you wanted to use a Facebook with a single O

115
00:05:58,360 --> 00:06:01,430
and keep this .com again instead of .corn,

116
00:06:01,430 --> 00:06:02,970
you can do it here.

117
00:06:02,970 --> 00:06:05,900
Once done, make sure you save and quit this file

118
00:06:06,948 --> 00:06:08,910
and we're ready to run the attack.

119
00:06:08,910 --> 00:06:12,110
So running this attack is actually gonna be identical

120
00:06:12,110 --> 00:06:14,230
to what we did in the previous lecture.

121
00:06:14,230 --> 00:06:18,460
You just wanna make sure you modify this file properly.

122
00:06:18,460 --> 00:06:21,980
So going back to BetterCAP, I'm gonna clear the screen,

123
00:06:21,980 --> 00:06:24,170
run BetterCAP with the same command,

124
00:06:24,170 --> 00:06:27,160
loading the spoof caplet so we can do

125
00:06:27,160 --> 00:06:29,440
all of the ARP spoofing commands

126
00:06:29,440 --> 00:06:33,000
and run the sniffer all automatically.

127
00:06:33,000 --> 00:06:33,833
And perfect.

128
00:06:33,833 --> 00:06:35,570
As you can see, everything is running

129
00:06:35,570 --> 00:06:37,770
as expected with no errors.

130
00:06:37,770 --> 00:06:39,820
If you run this and you get an error,

131
00:06:39,820 --> 00:06:42,693
just do exit and run BetterCAP again.

132
00:06:43,700 --> 00:06:45,620
Next we wanna run the caplet,

133
00:06:45,620 --> 00:06:49,020
the HSTS hijack caplet, exactly as shown

134
00:06:49,020 --> 00:06:50,100
in the previous lecture.

135
00:06:50,100 --> 00:06:52,720
All we have to do is type hs, then Tab,

136
00:06:52,720 --> 00:06:56,343
it'll autocomplete for us, and hit Enter to run it.

137
00:06:57,250 --> 00:06:59,210
Again, as you can see, no errors,

138
00:06:59,210 --> 00:07:01,493
so everything is working as expected.

139
00:07:02,410 --> 00:07:04,110
Let's go to the target machine

140
00:07:04,110 --> 00:07:06,563
and see how this is going to work.

141
00:07:07,890 --> 00:07:10,310
So I have my Windows machine right here.

142
00:07:10,310 --> 00:07:14,840
This is Chrome, the latest version in April 2019,

143
00:07:14,840 --> 00:07:16,710
and before I do anything, like I said,

144
00:07:16,710 --> 00:07:19,870
it's a good idea to always just remove the browsing data.

145
00:07:21,840 --> 00:07:24,530
And before I actually load any websites,

146
00:07:24,530 --> 00:07:28,100
it is very important to understand that even

147
00:07:28,100 --> 00:07:30,560
with everything that we're doing right now,

148
00:07:30,560 --> 00:07:35,510
if you try to go to Facebook and type .com at the end here,

149
00:07:35,510 --> 00:07:36,580
it will not work.

150
00:07:36,580 --> 00:07:39,460
What we're doing right now will not work

151
00:07:39,460 --> 00:07:43,730
because Chrome right here has a list that is stored

152
00:07:43,730 --> 00:07:48,300
on this computer that says do not load facebook.com

153
00:07:48,300 --> 00:07:50,633
unless it is loaded over HTTPS.

154
00:07:51,630 --> 00:07:54,740
So if you type Facebook right here like this,

155
00:07:54,740 --> 00:07:56,370
it will not work.

156
00:07:56,370 --> 00:07:58,310
The only way we can do this

157
00:07:58,310 --> 00:08:02,920
is if the user first goes to a search engine.

158
00:08:02,920 --> 00:08:07,920
For example, google.ie for Ireland, and then in Google,

159
00:08:08,280 --> 00:08:10,980
as you can see, Google doesn't use HSTS,

160
00:08:10,980 --> 00:08:15,340
so we bypass this using the normal HTTPS bypass,

161
00:08:15,340 --> 00:08:18,130
and then if the user in here searches

162
00:08:18,130 --> 00:08:21,763
for their target website, for example, Facebook,

163
00:08:24,340 --> 00:08:28,020
then our script is gonna run in the background

164
00:08:28,020 --> 00:08:30,350
and it's going to replace all links

165
00:08:30,350 --> 00:08:35,350
in this page for facebook.com with facebook.corn.

166
00:08:35,850 --> 00:08:38,680
So if I actually hover over this,

167
00:08:38,680 --> 00:08:40,940
you'll see in the status bar

168
00:08:40,940 --> 00:08:44,740
the website that will be loaded is facebook.corn,

169
00:08:44,740 --> 00:08:46,840
not facebook.com.

170
00:08:46,840 --> 00:08:49,840
This is fine; here it still says facebook.com,

171
00:08:49,840 --> 00:08:53,320
but only in the code of the HTML page

172
00:08:53,320 --> 00:08:57,910
facebook.com got replaced with facebook.corn.

173
00:08:57,910 --> 00:08:59,653
So if I click on this link,

174
00:09:01,070 --> 00:09:05,100
again, as you can see, we get a normal Facebook page,

175
00:09:05,100 --> 00:09:10,050
but if you look here on top, you'll see there is no HTTPS.

176
00:09:10,050 --> 00:09:12,370
And if you look at the domain name,

177
00:09:12,370 --> 00:09:15,723
you'll see it says .corn, not .com.

178
00:09:16,600 --> 00:09:19,500
Again, like I said, you can actually keep this .com

179
00:09:19,500 --> 00:09:23,450
and use Facebook with one O, or you can add an extra O,

180
00:09:23,450 --> 00:09:26,740
you can be as creative as you want with this.

181
00:09:26,740 --> 00:09:29,003
This is just an example that I'm giving you.

182
00:09:30,060 --> 00:09:31,510
Now, once we're here,

183
00:09:31,510 --> 00:09:34,300
we can log in normally with my username,

184
00:09:34,300 --> 00:09:38,900
so zaid@zsecurity.org, and put my password,

185
00:09:38,900 --> 00:09:41,850
one, two, three, four, five, six, seven, eight, nine, zero,

186
00:09:42,770 --> 00:09:44,230
hit Enter.

187
00:09:44,230 --> 00:09:48,113
And if we go back, scroll up.

188
00:09:50,370 --> 00:09:51,203
Perfect.

189
00:09:51,203 --> 00:09:52,036
As you can see,

190
00:09:52,036 --> 00:09:54,950
we have the username zaid@zsecurity.org

191
00:09:54,950 --> 00:09:58,023
and the password all the way up to nine zero.

192
00:09:59,550 --> 00:10:03,240
Now, like I said, the only way for this to work

193
00:10:03,240 --> 00:10:07,680
is if the user gets to Facebook through another website

194
00:10:07,680 --> 00:10:10,430
that does not use HSTS.

195
00:10:10,430 --> 00:10:15,430
If they go on the URL bar and type facebook.com themselves,

196
00:10:15,450 --> 00:10:17,880
we will not be able to do this.

197
00:10:17,880 --> 00:10:21,730
That's why this is considered a partial solution

198
00:10:21,730 --> 00:10:23,353
and not a full solution.