Using MITMF with SSLSTRIP and Captive Portal options
In this video we will try out a variation of the man-in-the-middle with SSLSTRIP attack that we performed previously. In MITMF, in addition to ARP spoofing and SSLSTRIP, we will also be using the Captive Portal option.

Please review the videos listed below, if needed:
Bettercap with SSLSTRIP attack - Does it still work ?
SSLSTRIP attacks with Bettercap and MITMF - HSTS and Web browsers

We saw in the previous videos that websites correctly configured for HSTS can't be attacked using SSLSTRIP. On the other hand, at this moment, a lot of websites still don't use HSTS or have HSTS incorrectly configured, which leaves those websites vulnerable to man-in-the-middle and SSLSTRIP attacks.

Because it is unlikely for a user to browse ONLY correctly configured HSTS websites, an attacker can redirect the SSLSTRIP-vulnerable websites to a Captive Portal and trick the user into giving up credentials belonging to websites that can't be attacked directly (for example: social media