Bettercap with SSLSTRIP attack - Does it still work ?

For a long time, performing a MITM attack with SSLSTRIP was relatively easy to carry out. This changed once websites started to use HSTS (HTTP Strict Transport Security).

Using SSLSTRIP alone is powerless against HTTPS websites that implement HSTS correctly.
On the other hand, many websites on the Internet DO NOT configure HSTS correctly. This misconfiguration still leaves them vulnerable to MITM attacks using SSLSTRIP, under particular conditions.

In this video we will test Bettercap and SSLSTRIP against different categories of websites. All the tested websites use HTTPS, but they differ in the way they implement HSTS:
- The first category of websites has HSTS correctly implemented, and the HSTS status of each website is also preloaded into the web browser (the browser knows the website is HTTPS-only before the first access). The test sites in the first category are: facebook.com, gmail.com and twitter.com
- The second category of websites has HSTS correctly implemented, but the HSTS status is not preloaded into the web browser. The test site in this category is: shopify.com
- The third category of websites sends the HSTS header, but the overall HSTS configuration is not done correctly. We will see that these websites are still vulnerable to SSLSTRIP attacks under particular conditions. The test sites in this category are: digicert.com and outlook.com
- The fourth category of websites does not use HSTS at all, even though they are configured to redirect traffic to HTTPS. The test site in this category is: webs.com

What is HSTS ?


HTTP Strict Transport Security (HSTS) is a policy that a web server announces through the Strict-Transport-Security response header. A browser that has seen the header for a host rewrites every http:// URL for that host to https:// before sending the request, for as long as the policy's max-age lasts, and refuses to let the user click through certificate errors on that host.

Use the following links to find out more information about HSTS:
https://www.troyhunt.com/understanding-http-strict-transport/
https://blog.stackpath.com/glossary/hsts/
https://www.globalsign.com/en/blog/what-is-hsts-and-how-do-i-use-it/
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

What is essential for HSTS to work correctly ?


1. The Web server should be configured to send the HSTS response header.

The HSTS header appears in the response as:
Strict-Transport-Security: max-age=<expire-time-in-seconds> [; includeSubDomains] [; preload]

2. The Web browser should understand the HSTS response header.

Older web browsers do not understand the HSTS header, but all the main current ones are HSTS aware.
The HSTS status of some websites is preloaded into the web browser (the preload list ships as part of the browser itself). In this way the browser knows that it must access that particular website only via HTTPS, even if it has never visited it before, which removes the unprotected first request that SSLSTRIP relies on.

The preload status for a particular website can be checked via the: https://hstspreload.org/ website.

3. The initial HTTP request to the root domain should be redirected straight to HTTPS on the same host (http://example.com to https://example.com), before any redirect to the "www" subdomain. A browser ignores a Strict-Transport-Security header received over plain HTTP, so the header must be delivered over HTTPS for the host name the user actually typed.

4. The HSTS response header on that first HTTPS response should satisfy the following conditions (these are also the requirements for submission to the hstspreload.org list):
- The "includeSubDomains" directive must be specified.
- The "preload" directive must be specified.
- The "max-age" must be at least 31536000 seconds (1 year).

How come SSLSTRIP can still be effective against sites using HSTS ?


This happens because many Internet websites don't implement HSTS correctly. Let's take "digicert.com" as an example.
When a user types "digicert.com" into the address bar, the browser performs the first access by default via HTTP, by browsing to: http://digicert.com (this was the default at the time of writing; newer browsers try https:// first for a bare host name, which closes this window unless the user explicitly types http://).
The web server hosting "digicert.com" responds with two successive redirections:
- the first one redirects http://digicert.com to http://www.digicert.com ("www" subdomain)
- the second one redirects http://www.digicert.com to https://www.digicert.com
The HSTS header is only sent in the HTTPS response of www.digicert.com, so the browser learns an HSTS entry for www.digicert.com alone. The root domain digicert.com never sends the header over HTTPS, and therefore never sets a policy with "includeSubDomains" that would cover the rest of the domain.
During a MITM attack, SSLSTRIP (Bettercap's SSLStrip+ variant) is effective because it rewrites the links in the intercepted pages to point at a different subdomain of "digicert.com" that has no HSTS entry in the browser, and answers the DNS lookup for that name itself. In this case, as shown in the video, SSLSTRIP forces the client to communicate via plain HTTP with the made-up "wwwww.digicert.com" subdomain.
A correct configuration would have:
- redirected http://digicert.com to https://digicert.com, with the HTTPS response carrying the HSTS header with the "preload" and "includeSubDomains" options
- performed a second redirection from https://digicert.com to https://www.digicert.com
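The following Python script is an example added to this post (it is not Bettercap code and not the author's own material) that models the two behaviours described in the HSTS requirements above and in the digicert.com walk-through: how a browser parses the Strict-Transport-Security header and fills its HSTS cache while following a redirect chain, and whether it would then force HTTPS for a substituted subdomain such as "wwwww.digicert.com". The two redirect chains are constructed by hand to mirror the misconfigured and the corrected digicert.com flows described in the text; they are not live responses. The HstsStore class and the hypothetical preload list argument are my simplification of real browser behaviour.

```python
"""Model of how a browser learns HSTS from a redirect chain, and why a
made-up subdomain slips through a misconfigured one.
Example added to this post; not Bettercap code. Redirect chains below
are constructed to mirror the digicert.com case discussed in the text."""
import time
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # minimum max-age accepted by hstspreload.org


def parse_sts(value):
    """Parse a Strict-Transport-Security header value into a dict.
    Directive names are case-insensitive (RFC 6797)."""
    out = {"max-age": None, "includeSubDomains": False, "preload": False}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            out["max-age"] = int(val.strip().strip('"'))
        elif name == "includesubdomains":
            out["includeSubDomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def meets_preload_requirements(sts):
    """The three header conditions listed in the text (point 4)."""
    return (sts["includeSubDomains"] and sts["preload"]
            and (sts["max-age"] or 0) >= ONE_YEAR)


class HstsStore:
    """Minimal model of a browser's HSTS cache plus its preload list."""

    def __init__(self, preload=()):
        self.entries = {}          # host -> (expiry_epoch, include_subdomains)
        self.preload = set(preload)  # hypothetical preload list (assumption)

    def learn(self, host, sts, now=None):
        now = time.time() if now is None else now
        if sts["max-age"] is None:
            return
        if sts["max-age"] == 0:    # max-age=0 removes an existing entry
            self.entries.pop(host, None)
            return
        self.entries[host] = (now + sts["max-age"], sts["includeSubDomains"])

    def should_upgrade(self, host, now=None):
        """True if the browser would rewrite http://host to https://host.
        An exact-host entry always applies; a parent-domain entry applies
        only if it was stored with includeSubDomains."""
        now = time.time() if now is None else now
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preload:   # preloaded entries cover subdomains
                return True
            if candidate in self.entries:
                expiry, subs = self.entries[candidate]
                if expiry > now and (i == 0 or subs):
                    return True
        return False


def walk_chain(start_url, responses, store, max_hops=10):
    """Follow a constructed redirect chain; `responses` maps URL -> (status,
    headers). HSTS is learned only from HTTPS responses, because a browser
    must ignore the header on plain HTTP (RFC 6797 section 8.1)."""
    url, visited = start_url, []
    for _ in range(max_hops):
        visited.append(url)
        status, headers = responses[url]
        sts = headers.get("Strict-Transport-Security")
        if sts and urlsplit(url).scheme == "https":
            store.learn(urlsplit(url).hostname, parse_sts(sts))
        if status not in (301, 302, 307, 308):
            return visited
        url = headers["Location"]
    raise RuntimeError("redirect loop")


# Constructed chains (not captured traffic). Hosts taken from the text.
MISCONFIGURED = {
    "http://digicert.com":      (301, {"Location": "http://www.digicert.com"}),
    "http://www.digicert.com":  (301, {"Location": "https://www.digicert.com"}),
    "https://www.digicert.com": (200, {"Strict-Transport-Security": "max-age=31536000"}),
}
CORRECT = {
    "http://digicert.com":      (301, {"Location": "https://digicert.com"}),
    "https://digicert.com":     (301, {"Location": "https://www.digicert.com",
                                        "Strict-Transport-Security":
                                        "max-age=31536000; includeSubDomains; preload"}),
    "https://www.digicert.com": (200, {"Strict-Transport-Security":
                                        "max-age=31536000; includeSubDomains; preload"}),
}


def host_is_protected(responses, host="wwwww.digicert.com"):
    """Browse the chain once, then ask whether the browser would force HTTPS
    for the subdomain that SSLStrip+ substitutes into the page."""
    store = HstsStore()
    walk_chain("http://digicert.com", responses, store)
    return store.should_upgrade(host)


if __name__ == "__main__":
    print("misconfigured chain, wwwww.digicert.com:", host_is_protected(MISCONFIGURED))
    print("correct chain,       wwwww.digicert.com:", host_is_protected(CORRECT))
```

With the misconfigured chain the cache holds an entry for www.digicert.com only, so any other label under digicert.com is still fetched over HTTP; with the corrected chain the entry for digicert.com carries includeSubDomains and every subdomain, including the invented one, is upgraded before the request leaves the browser.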

Bettercap


Bettercap was used during the demonstration to perform the MITM attack. The version used here is the Ruby-based Bettercap 1.x (the later Go rewrite, Bettercap 2.x, uses a different, module-based command syntax).
It is a good idea to update Kali Linux before installing Bettercap. The commands below were used to install Bettercap on Kali Linux:
apt-get update
apt-get dist-upgrade
apt-get install bettercap

In my case, after installing Bettercap, I got the following error when I tried to launch it:
bash: /usr/local/bin/bettercap: /usr/bin/ruby2.3: bad interpreter: No such file or directory

In order to fix the error, I had to reinstall the Bettercap Ruby Script (gem), then reboot the Kali machine:
cd /usr/local/bin 
gem install bettercap
reboot now

The following Bettercap command was used to perform the MITM attack (-T selects the target host to ARP-spoof, --proxy enables the transparent HTTP proxy, which performs SSL stripping in this version, and -P POST enables the parser that prints POST request bodies, such as submitted credentials):
bettercap -T 192.168.254.70 --proxy -P POST

Check the following link for explanations on Bettercap and its command options:
https://danielmiessler.com/study/bettercap/
