Theory of bypassing HTTPS

Hello,

Just a thought, but I would really like to see a video from Alexis covering the theory behind SSL/TLS certificates and the theory on how to bypass them. I have seen certain tools people use for this like sslstrip and sslsniff, but I have never really come across any examples of these working well.

Thanks!

3 Likes

@Hubert I might as well link my question to this since I’m having the same doubts. I have used sslstrip and the other tools when MITM, but unless you got a really good signal going, the other person can easily detect something is up, as the webpages will show up as insecure and the user needs to accept them since you strip HTTPS from initial webpages.
My question for @HackerSploit is: can you demo how to decrypt 802.11 wifi packets where you can actually see the websites and possibly credentials of HTTPS traffic under TCP protocol? I’ve seen a lot of videos claiming to do this but it’s intrusive. How can this be done passively without detection of the remote user? Sure, we can use Wireshark and put in the PSK key for a network, but it doesn’t show much. When looking at the decryption tab, there is nothing of any use since it’s still somewhat binary. How to get the private key via a capture and then use it would be the ultimate hack and “ghost” hacker. And no phishing or MITM or social engineering… yes, they all can work, but it’s a waiting game to see if the user is stupid enough to click on a link these days, where they know it’s potentially not real.

Hello, yup. I’ll definitely make a video on this

2 Likes

@Hubert if I remember correctly there was an sslstrip 2 released which could bypass HSTS and SSL, BUT it was banned due to some reason, possibly because of the amount of web applications it would affect

It seems it was taken down due to gag law


BUT good people always exist 🤩

You will need dns2proxy to get it working:

@HackerSploit can you make a video on the process? Of course, assuming it’s still legal to do so

2 Likes

According to me the theory can be covered in a legal way but not the practical.

2 Likes

Would something like this trip an addon like HTTPS Everywhere and block the unencrypted connection?

@NuBz Yes it would, you can just set it to block all unencrypted connections and you are good to go

Whatever happened to the video on this thread? Was a demo ever created to show how this works?

It is possible to break HSTS but there are a few extra steps and tools involved. I’ll leave the explanation of the attack on here for anyone interested. Essentially HSTS has a set time on most current browsers that forces the browser to connect using https even if the site being visited doesn’t use https. This was the problem I was experiencing as the browsers automatically have this feature upon open box. I’ve seen some interesting ideas to deal with this, such as adding a header in the apache2 server and setting the preload time to “0”, but since the cert we created is self-signed the browser flags this and doesn’t listen to the command which should clear the HSTS time limit. Instead what must be done is an NTP (Network Time Protocol) attack. By forcing the computer to think it’s so far in the future the browser must fetch a new key, however in conjunction with a MITM attack, this is not possible. The tool to use is Delorean by PentesterSE from GitHub. Zaid has explained in the past how to perform a MITM attack so there’s no need to explain that here, and there are many tools to do this as well. Once this is performed, you must have your apache2 server on standby as well as already have dnsmasq configured and the static IP of the wireless adapter you wish to use already set, as well as a netmask of “255.255.255.0” set, and wait with the hostapd command on. When the victim computer has had the boost into the future, only then can they connect to your apache2 server and have it read in plain text from http since the HSTS will no longer be in play. In addition to this, you can have a redirect in <VirtualHost:* 443> to <VirtualHost:* 80> placed after the SSLEngine and cert/key so that the cert still shows when the victim searches items but redirects to HTTP after for plaintext read with Wireshark.
I’m not sure if this will work for anyone else, but it did work for me, and if you’re having trouble understanding what I’m talking about I’d turn you to (https://www.youtube.com/watch?v=hkw9tFnJk8k)

2 Likes
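
The HSTS lifetime discussed in this thread, seen from the site owner's side, as an added example that is not part of any post or of any tool named here: a small Python audit of a Strict-Transport-Security header (RFC 6797) that reports weak settings and whether a cached policy is still live at a given client clock. The function names, sample headers and timestamps are constructed for illustration; the one-year threshold is the minimum hstspreload.org accepts for preload submission.

```python
from datetime import datetime, timedelta, timezone

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the minimum hstspreload.org accepts

def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if not name:
            continue
        if name in seen:                     # a repeated directive invalidates the header
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')     # the value may be a quoted-string
            if not (arg.isascii() and arg.isdigit()):
                raise ValueError("max-age must be a non-negative integer")
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unknown directives are ignored, as a browser would ignore them
    if policy["max_age"] is None:
        raise ValueError("max-age is required")
    return policy

def audit_hsts(value, noted_at, client_now):
    """Report weak settings and whether the cached policy is live at client_now."""
    policy = parse_hsts(value)
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 deletes the cached policy")
    elif policy["max_age"] < PRELOAD_MIN_MAX_AGE:
        findings.append("max-age is under one year")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains is missing")
    if not policy["preload"]:
        findings.append("preload is missing")
    expires = noted_at + timedelta(seconds=policy["max_age"])
    return {"policy": policy, "findings": findings, "live": client_now < expires}

if __name__ == "__main__":
    noted = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed timestamps
    skewed = noted + timedelta(days=400)                # client clock far ahead
    for header in ("max-age=86400",                     # constructed sample headers
                   'Max-Age="63072000"; includeSubDomains; preload'):
        print(header, "->", audit_hsts(header, noted, skewed))
```

A policy that only lives in the browser's cache depends on the client clock; a long max-age together with includeSubDomains and preload list inclusion is what keeps the HTTPS requirement from lapsing when that clock is wrong.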