Possible to break HSTS

It is possible to break HSTS, but there are a few extra steps and tools involved. I'll leave the explanation of the attack here for anyone interested. Essentially, HSTS has a set time on most current browsers that forces the browser to connect using HTTPS even if the site being visited doesn't use HTTPS. This was the problem I was experiencing, as the browsers automatically have this feature out of the box. I've seen some interesting ideas to deal with this, such as adding a header in the apache2 server and setting the preload time to "0", but since the cert we created is self-signed, the browser flags this and doesn't listen to the command which should clear the HSTS time limit.

Instead, what must be done is an NTP (Network Time Protocol) attack. By forcing the computer to think it's so far in the future, the browser must fetch a new key; however, in conjunction with a MITM attack, this is not possible. The tool to use is Delorean by PentesterSE from GitHub. Zaid has explained in the past how to perform a MITM attack, so there's no need to explain that here, and there are many tools to do this as well. Once this is performed, you must have your apache2 server on standby, already have dnsmasq configured, and have the static IP of the wireless adapter you wish to use already set, as well as a netmask of "255.255.255.0", and wait with the hostapd command running.

When the victim computer has had the boost into the future, only then can they connect to your apache2 server and have it read in plain text over HTTP, since the HSTS will no longer be in play. In addition to this, you can have a redirect in <VirtualHost *:443> to <VirtualHost *:80> placed after the SSLEngine and cert/key, so that the cert still shows when the victim searches items but redirects to HTTP afterwards for a plaintext read with Wireshark. I'm not sure if this will work for anyone else, but it did work for me.

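The post relies on two browser behaviours: an HSTS header received over a connection with a certificate warning (the self-signed cert) is ignored, so `max-age=0` never clears the policy, while a cached policy that has passed its `max-age` on the client's own clock stops being enforced, which is what the NTP time shift exploits. As an added example that is not the poster's code and not part of Delorean, here is a small Python model of a browser's HSTS cache following RFC 6797 that replays those steps. The host names (`secure.example`, `preloaded.example`), the preload set, the header values and the clock values are all constructed for the walkthrough; treating preloaded hosts as clock-independent is a deliberate simplification of this model, not a statement about any particular browser.

```python
"""
Toy model of a browser's HSTS cache, after RFC 6797, to show why the
"max-age=0 over a self-signed cert" idea fails and why shifting the client's
clock with an NTP attack works.  Added example, not the poster's code and
not part of Delorean.  Host names, the preload set and the clock values are
constructed for the walkthrough.
"""
import copy
import re
from dataclasses import dataclass, field

ONE_DAY = 86400


@dataclass
class HstsEntry:
    expires_at: float          # absolute time on the *client's* clock (seconds)
    include_subdomains: bool


def parse_sts(header_value: str) -> dict:
    """Parse a Strict-Transport-Security value into {directive: value}.

    Directive names are case-insensitive and max-age may be quoted; a
    directive appearing twice makes the whole header invalid (RFC 6797 6.1).
    """
    directives = {}
    for token in header_value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")
        directives[name] = value.strip().strip('"')
    if "max-age" in directives:
        if not re.fullmatch(r"\d+", directives["max-age"]):
            raise ValueError("max-age must be a non-negative integer")
        directives["max-age"] = int(directives["max-age"])
    return directives


@dataclass
class HstsCache:
    preloaded: set = field(default_factory=set)   # hosts shipped in the browser's preload list
    entries: dict = field(default_factory=dict)   # host -> HstsEntry learned from headers

    def process_header(self, host: str, header_value: str, now: float, tls_ok: bool) -> bool:
        """Apply an STS header received from `host` at client-clock time `now`.

        Returns True if the cache changed.  RFC 6797 8.1 only lets the header
        be processed on a connection with no TLS errors or warnings, so a
        self-signed certificate means the header is dropped, max-age=0 included.
        """
        if not tls_ok:
            return False
        try:
            d = parse_sts(header_value)
        except ValueError:
            return False
        if "max-age" not in d:
            return False                      # max-age is mandatory; ignore the header
        if d["max-age"] == 0:
            return self.entries.pop(host, None) is not None   # max-age=0 forgets the host
        self.entries[host] = HstsEntry(now + d["max-age"], "includesubdomains" in d)
        return True

    def is_enforced(self, host: str, now: float) -> bool:
        """Would the browser upgrade http://host to https at client-clock time `now`?"""
        if host in self.preloaded:
            return True   # simplification: preload entries are treated as clock-independent
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            if now >= entry.expires_at:
                del self.entries[candidate]   # expired: no longer a Known HSTS Host
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False


def demo() -> dict:
    """Replay the post's scenario and return what the browser would enforce at each step."""
    cache = HstsCache(preloaded={"preloaded.example"})
    t0 = 1_700_000_000                       # constructed client clock (epoch seconds)
    results = {}

    # 1. Victim visited the real site earlier over valid TLS; it set a one-year policy.
    cache.process_header("secure.example", "max-age=31536000; includeSubDomains", t0, tls_ok=True)
    results["after_first_visit"] = cache.is_enforced("secure.example", t0)
    results["subdomain_covered"] = cache.is_enforced("www.secure.example", t0)

    # 2. Attacker's apache2 with a self-signed cert sends max-age=0 to clear the policy.
    results["selfsigned_header_applied"] = cache.process_header(
        "secure.example", "max-age=0", t0 + 60, tls_ok=False)
    results["after_selfsigned_clear"] = cache.is_enforced("secure.example", t0 + 60)

    # 2b. Same header over a trusted connection, for contrast (on a copy of the cache).
    trusted = copy.deepcopy(cache)
    trusted.process_header("secure.example", "max-age=0", t0 + 60, tls_ok=True)
    results["max_age_zero_over_trusted_tls"] = trusted.is_enforced("secure.example", t0 + 60)

    # 3. NTP attack moves the client clock ~400 days ahead; the one-year policy lapses.
    future = t0 + 400 * ONE_DAY
    results["after_clock_shift"] = cache.is_enforced("secure.example", future)
    results["preloaded_after_clock_shift"] = cache.is_enforced("preloaded.example", future)
    return results


if __name__ == "__main__":
    for step, enforced in demo().items():
        print(f"{step:32s} {enforced}")
```

Running it prints one line per step: the policy survives the self-signed `max-age=0` (the header is never applied), the same header over a trusted connection does clear it, and once the client clock passes the cached expiry the host drops out of the cache so `http://` is no longer upgraded. The preloaded host stays enforced under this model no matter how far the clock moves, which is the case the clock-shift approach should be expected not to cover.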