The HTTPS protocol (Hypertext Transfer Protocol Secure) allows us to browse the Internet safely, since the web browser establishes a secure communication that is encrypted and authenticated point to point, from our web browser to the web server where we are connecting. HTTPS is the secure version of HTTP, since in HTTP all the information is sent without any type of encryption, so if anyone intercepts the communications, they will be able to see absolutely everything that is being sent and / or received, including the passwords. Today in this article we are going to show you how to do a Man in the Middle attack to capture network traffic , and decrypt HTTPS traffic by configuring an HTTP / HTTPS proxy using the popular bettercap tool for Linux.
What is HTTPS and what is it for?
Currently, the vast majority of websites such as this article, bank websites, electronic commerce in general and a long etcetera, have the HTTPS protocol to provide security to customers. HTTPS is the secure version of HTTP , where all communications are encrypted and authenticated point-to-point, in addition, the integrity of all data is also checked. We must remember that encryption provides us with confidentiality , that is, even if someone captures the data traffic, they will not be able to decrypt it because everything is encrypted point to point, although there are techniques to put ourselves in the “middle” of the communication and proceed to decrypt said traffic . Authentication means that we are who we say we are, that is, we establish communication with the web server, and a third party will not be able to impersonate us so that the information is also sent to them. Finally, integrity is a very important characteristic of cryptography, this allows us to verify that all the data that leaves from an origin, reaches a destination without any type of modification. If someone is able to interfere with the communication of the data, and modifies it, the HTTPS protocol (and all the protocols that participate) will automatically detect it and will not accept said data.
HTTPS makes use of the TLS protocol to provide security for its communications, the vast majority of HTTPS connections make use of TLSv1.2 and TLSv1.3 , the latter protocol is much faster and also more secure than TLSv1.2, since only supports certain secure cipher suites, it does not allow the incorporation of less secure cipher suites as it does with TLSv1.2. Of course, when using TLS, below we make use of the popular transport layer protocol TCP on its port 443 by default. In the case of HTTP, TCP is used directly on its port 80 by default, this is very important for you to know for what we will explain soon.
Bettercap features and installation
Bettercap is a very powerful tool that is compatible with the main Linux-based distributions, some of its main features are the following:
- WiFi network scanner, allows deauthentication attacks, also allows attacks without clients to PMKID associations, allows capturing handshakes of clients that use WPA and WPA2 protocols.
- BLE (Bluetooth Low Energy) device scanner to read and write information.
- Scanner of wireless devices using the 2.4GHz band, such as wireless mice, also allows MouseJacking attacks with data injection.
- Allows passive and active attacks on IP networks
- It allows to carry out MitM attacks based on ARP, DNS and also DHCPv6, in order to capture all the information.
- It allows to create an HTTP / HTTPS proxy to lift secure HTTPS traffic, and greatly facilitates the use of scripts.
- Very powerful network sniffer for collecting user credentials.
- Very fast port scanner, although for this, better to use Nmap than the king of port scanners.
- It has a powerful REST API to make attacks easily.
- It incorporates a graphical user interface to facilitate attacks, although the command terminal is very powerful.
- We have a large number of modules of different categories to expand functionalities.
In Linux distributions oriented towards computer security, bettercap may be installed by default. Otherwise, we will have to install it ourselves with all the dependencies. The easiest way to use Bettercap is to use Docker (version 17.05 or higher), since it is in the Docker software repositories, and just do:
docker pull bettercap/bettercap
docker pull bettercap/dev
And we execute it with:
docker run -it --privileged --net=host bettercap/bettercap -h
In case we don’t have Docker, we will have to compile it from source code and we will need the following dependencies:
- build-essential
- libpcap-dev
- libusb-1.0-0-dev
- libnetfilter-queue-dev
For example, on Debian-based operating systems, it is installed as follows:
sudo apt update
sudo apt install golang git build-essential libpcap-dev libusb-1.0-0-dev libnetfilter-queue-dev
Later, we will have to download the source code and compile it:
git clone https://github.com/bettercap/bettercap
cd bettercap
make build
Once we have installed this Bettercap tool, we will be able to start using it, we will run via the «bettercap» console and we will see the version.
Before we start, we could also run Bettercap with the graphical user interface web UI, to do so we must execute the following command:
bettercap -eval "caplets.update; ui.update; q"
And to launch the graphical environment, we do the following:
sudo bettercap -caplet http-ui
If we open the web browser and put http://127.0.0.1 we can access the graphical user interface:
The bettercap web UI username is “user”, and the password is “pass”, as it appears in the configuration file:
Once we access the bettercap administration menu through the browser, we can see the following menus:
There are many attacks that can be executed directly from the graphical user interface, but we are going to put it for you by commands because it is almost as simple, however, we are also going to teach you how to make certain attacks through the graphical interface of user.
So you can decrypt HTTPS communications
The test scenario where we have performed all the tests are two VMs in VMware in a NAT environment, with the subnet 192.168.248.0/24, and default gateway 192.168.248.2.
- Attacking machine: Kali Linux with IP 192.168.248.131
- Victim machine: Debian with IP 192.168.248.129
The first thing we are going to do is execute the typical ARP Spoofing attack to capture all the traffic, the HTTPS traffic will be encrypted and we will not be able to decrypt it. We will also capture ICMP traffic, TCP and UDP traffic, and HTTP traffic. To be able to do this, we simply have to execute the following commands:
sudo bettercap
Once inside bettercap, we must execute several commands to configure the software. The first thing we must do is define the target, in our case the Debian machine with IP 192.168.248.129. It is not necessary to also put the default gateway.
set arp.spoof.targets 192.168.248.129
arp.spoof on
If we execute the “help” command, bettercap will tell us everything that is working:
An interesting part is if we execute “help arp.spoof”, since all the options available in this module will appear. One of the most interesting options is “arp.spoof.fullduplex”, this option allows ARP Spoofing both to the target and to the default gateway (gateway), but if the router has protection against ARP Spoofing attacks, the attack will fail . Our recommendation is that you always activate it, therefore, the list of commands would be as follows:
set arp.spoof.targets 192.168.248.129
arp.spoof.fullduplex true
arp.spoof on
Once this is done, if in Kali Linux we run Wireshark to capture all the packets from the eth0 interface, we will be able to see all the traffic coming and going to and from the victim. If you look, we have the ICMP traffic of 192.168.248.129, that is, the Debian team that we are attacking.
We will also capture all DNS, TCP, UDP and all protocol traffic, including encrypted traffic, but we will not be able to decrypt it with ARP Spoofing alone.
If we get into bettercap through the graphical environment, we can do the same, and we can even select to do an ARP Spoofing to the default gateway.
To carry out this attack through the graphical interface, we go to LAN, select the target or targets, add them to “arp.spoof.targets” and click on “Full-Duplex spoofing”. We will see the list of equipment available on the local network, if they do not appear, click on the «Play» icon in recon module.
Once we know how to do the typical ARP Spoofing attack, now we are going to do the same, but enabling the HTTP proxy with ssltrip activated, to lift all HTTPS communications.
We run bettercap on Kali Linux as usual:
bettercap
Once inside, we must configure bettercap in the following way:
set http.proxy.sslstrip true
set net.sniff.verbose false
set arp.spoof.targets 192.168.248.129
arp.spoof.fullduplex true
arp.spoof on
http.proxy on
net.sniff on
When we have done this, if the victim visits a site with HTTPS, it will automatically convert to HTTP, and we can capture the user credentials. Below, you can see perfectly how I have tried to log into pccomponentes, and it has captured both the username (email) and also the password. Logically, we have introduced false credentials so as not to show ours, for this reason it returns a 401 error.
If we browse other websites, we can also see all the traffic.
If the web has HSTS (HTTP Strict Transport Security) enabled, we will not be able to “lift” HTTPS traffic, therefore, all traffic will be encrypted.
What is HSTS and what is it for?
As you have seen, decrypting HTTPS communications is very simple, but it is not always possible. Currently many websites make use of the HSTS protocol to further protect their users’ communications. HSTS, or also known as HTTP Strict Transport Security, is a web security policy that prevents this same attack that we have just taught you, thanks to the use of cookies, the web server “tells” to the web browser, that whenever it returns to Access your website, use the HTTPS protocol, so communication will be encrypted point to point, and even if we intercept communication by sniffing traffic, we will not be able to see the exchanged traffic because we cannot use bettercap to “lift” the TLS encryption . These cookies have an expiration date, but a good configuration policy (for the web server) is to set a very high value, for example, one year (max-age = 31536000).
The operation of HSTS is very simple, there are some web browsers that incorporate certain HSTS cookies by default, especially the “big ones” on the Internet such as Google and many others have their domains in the HSTS “preload” list, therefore, we can never access these domains through the HTTP protocol. If the browser detects that this domain cannot be accessed via HTTPS, it rejects the connection and we will not be able to connect. If the browser detects that the server’s digital certificate is self-signed, it will also deny the connection and we will not be able to connect. In fact, even if we access incognito mode we will not be able to connect. All current browsers usually incorporate this list to protect users.
In the case of “the rest of the Internet” such as e-commerce websites, banks, media and many others, we will have to enter at least once, so that the HSTS cookie is downloaded in our web browser and we obtain this protection . In this case, if from the second time, the browser detects that that domain cannot be accessed via HTTPS, it will reject the connection and give us an error when connecting. Furthermore, if the browser detects that the server’s digital certificate is self-signed, the connection will also be denied and we will not be able to connect. If you want to access this website (for whatever reason), you should use another web browser with which you have never accessed before, but this is not recommended because they could be attacking you, it is better not to connect to the web.
If we want to carry out an attack on a user and they enter a website with HSTS, the only time the connection could be decrypted is before the user’s first historical connection (because it is a new browser, a newly formatted computer, it is never has entered that website etc.) Let’s imagine that the victim user has bought a new laptop, goes to a hotel and connects for the first time to the bank with his newly installed browser, in this case we could attack him because he still does not have the HSTS cookie in your web browser. To avoid this, we have the “preload” directive on web servers, but we have to use it carefully because we have to sign up for the HSTS Preload list, otherwise users will have problems connecting.
As you have seen, the HSTS policy helps to protect website users from passive and active attacks, this security measure is one of the most important that must be configured on a web server, because a MitM attacker will have a minimal capacity to intercept requests and responses between the victim and the web server.
Bettercap incorporates a “caplet” that allows us to carry out an HSTS Hijack attack and bypass this protection, it is based on doing DNS Spoofing and forwarding the victim to another domain under our control, to later capture all the information. The caplets are Bettercap scripts that come preconfigured, but that we can easily modify, to download them we have to execute the following commands in the Linux terminal:
git clone https://github.com/bettercap/caplets.git
cd caplets
sudo make install
Once done, we execute it by putting:
bettercap -caplet RUTA
In the following screenshot you can see the execution of the default caplet:
And here is the record of the attack carried out:
We recommend you visit the official Bettercap website where you will find all the information about this great tool.