PDFs and exam guides are not so efficient, right? Prepare for your ECCouncil examination with our training course. The 312-50v11 course contains a complete batch of videos that will provide you with profound and thorough knowledge related to the ECCouncil certification exam. Pass the ECCouncil 312-50v11 test with flying colors.
Curriculum for 312-50v11 Certification Video Course

Name of Video | Time |
---|---|
1. What Is Hacking & Why Learn It? | 3:00 |

Name of Video | Time |
---|---|
1. Lab Overview | 6:00 |
2. Initial Preparation | 9:00 |
3. Installing Kali Linux as a VM on Windows | 9:00 |
4. Installing Kali Linux as a VM on Apple Mac OS | 10:00 |
5. Installing Kali Linux as a VM on M1 Apple Computers | 9:00 |
6. Installing Kali Linux as a VM on Linux | 11:00 |

Name of Video | Time |
---|---|
1. Basic Overview of Kali Linux | 5:00 |
2. The Terminal & Linux Commands | 13:00 |

Name of Video | Time |
---|---|
1. Introduction to Network Penetration Testing / Hacking | 2:00 |
2. Networks Basics | 4:00 |
3. Connecting a Wireless Adapter To Kali | 7:00 |
4. What is MAC Address & How To Change It | 8:00 |
5. Wireless Modes (Managed & Monitor) | 7:00 |

Name of Video | Time |
---|---|
1. Packet Sniffing Basics | 7:00 |
2. WiFi Bands - 2.4GHz & 5GHz Frequencies | 8:00 |
3. Targeted Packet Sniffing | 11:00 |
4. Deauthentication Attack (Disconnecting Any Device From The Network) | 8:00 |

Name of Video | Time |
---|---|
1. Gaining Access Introduction | 1:00 |
2. Theory Behind Cracking WEP Encryption | 6:00 |
3. WEP Cracking Basics | 6:00 |
4. Fake Authentication Attack | 7:00 |
5. ARP Request Replay Attack | 6:00 |

Name of Video | Time |
---|---|
1. Introduction to WPA and WPA2 Cracking | 4:00 |
2. Hacking WPA & WPA2 Without a Wordlist | 10:00 |
3. Capturing The Handshake | 7:00 |
4. Creating a Wordlist | 8:00 |
5. Cracking WPA & WPA2 Using a Wordlist Attack | 6:00 |

Name of Video | Time |
---|---|
1. Configuring Wireless Settings for Maximum Security | 8:00 |

Name of Video | Time |
---|---|
1. Introduction to Post-Connection Attacks | 2:00 |

Name of Video | Time |
---|---|
1. Installing Windows As a Virtual Machine | 6:00 |
2. Discovering Devices Connected to the Same Network | 8:00 |
3. Gathering Sensitive Info About Connected Devices (Device Name, Ports, etc.) | 7:00 |
4. Gathering More Sensitive Info (Running Services, Operating System, etc.) | 8:00 |

Name of Video | Time |
---|---|
1. What is ARP Poisoning? | 9:00 |
2. Intercepting Network Traffic | 7:00 |
3. Bettercap Basics | 8:00 |
4. ARP Spoofing Using Bettercap | 8:00 |
5. Spying on Network Devices (Capturing Passwords, Visited Websites, etc.) | 5:00 |
6. Creating Custom Spoofing Script | 10:00 |
7. Bypassing HTTPS | 11:00 |
8. Bypassing HSTS | 10:00 |
9. DNS Spoofing - Controlling DNS Requests on The Network | 11:00 |
10. Injecting Javascript Code | 10:00 |
11. Doing All of The Above Using a Graphical Interface | 10:00 |
12. Wireshark - Basic Overview & How To Use It With MITM Attacks | 8:00 |
13. Wireshark - Sniffing & Analysing Data | 6:00 |
14. Wireshark - Using Filters, Tracing & Dissecting Packets | 6:00 |
15. Wireshark - Capturing Passwords & Anything Sent By Any Device In The Network | 8:00 |
16. Creating a Fake Access Point (Honeypot) - Theory | 7:00 |
17. Creating a Fake Access Point (Honeypot) - Practical | 10:00 |

Name of Video | Time |
---|---|
1. Detecting ARP Poisoning Attacks | 5:00 |
2. Detecting Suspicious Activities In The Network | 6:00 |
3. Preventing MITM Attacks - Method 1 | 9:00 |
4. Preventing MITM Attacks - Method 2 | 11:00 |

Name of Video | Time |
---|---|
1. Installing Metasploitable As a Virtual Machine | 5:00 |
2. Introduction to Server-Side Attacks | 3:00 |
3. Basic Information Gathering & Exploitation | 9:00 |
4. Hacking a Remote Server Using a Basic Metasploit Exploit | 8:00 |
5. Exploiting a Code Execution Vulnerability to Hack into a Remote Server | 10:00 |
6. Nexpose - Installing Nexpose | 9:00 |
7. Nexpose - Scanning a Target Server For Vulnerabilities | 6:00 |
8. Nexpose - Analysing Scan Results & Generating Reports | 8:00 |
9. Server-Side Attacks Conclusion | 4:00 |

Name of Video | Time |
---|---|
1. Installing Veil Framework | 4:00 |
2. Veil Overview & Payloads Basics | 7:00 |
3. Generating An Undetectable Backdoor | 10:00 |
4. Listening For Incoming Connections | 7:00 |
5. Using A Basic Delivery Method To Test The Backdoor & Hack Windows 10 | 7:00 |
6. Hacking Windows 10 Using Fake Update | 12:00 |
7. Backdooring Downloads on The Fly to Hack Windows 10 | 11:00 |
8. How to Protect Yourself From The Discussed Delivery Methods | 4:00 |

Name of Video | Time |
---|---|
1. Maltego Basics | 7:00 |
2. Discovering Websites, Links & Social Accounts Associated With Target | 8:00 |
3. Discovering Twitter Friends & Associated Accounts | 5:00 |
4. Discovering Emails Of The Target's Friends | 4:00 |
5. Analysing The Gathered Info & Building An Attack Strategy | 9:00 |
6. Backdooring Any File Type (images, pdf's, etc.) | 5:00 |
7. Compiling & Changing Trojan's Icon | 6:00 |
8. Spoofing .exe Extension To Any Extension (jpg, pdf, etc.) | 8:00 |
9. Spoofing Emails - Setting Up an SMTP Server | 7:00 |
10. Email Spoofing - Sending Emails as Any Email Account | 12:00 |
11. Email Spoofing - Method 2 | 10:00 |
12. BeEF Overview & Basic Hook Method | 11:00 |
13. BeEF - Hooking Targets Using Bettercap | 7:00 |
14. BeEF - Running Basic Commands On Target | 4:00 |
15. BeEF - Stealing Passwords Using A Fake Login Prompt | 2:00 |
16. BeEF - Hacking Windows 10 Using a Fake Update Prompt | 4:00 |
17. Detecting Trojans Manually | 6:00 |
18. Detecting Trojans Using a Sandbox | 3:00 |

Name of Video | Time |
---|---|
1. Ex1 - Generating a Backdoor That Works Outside The Network | 5:00 |
2. Configuring The Router To Forward Connections To Kali | 7:00 |
3. Ex2 - Using BeEF Outside The Network | 6:00 |

Name of Video | Time |
---|---|
1. Meterpreter Basics | 6:00 |
2. File System Commands | 5:00 |
3. Maintaining Access - Basic Methods | 5:00 |
4. Maintaining Access - Using a Reliable & Undetectable Method | 7:00 |
5. Spying - Capturing Key Strikes & Taking Screen Shots | 3:00 |
6. Pivoting - Theory (What is Pivoting?) | 6:00 |
7. Pivoting - Using a Hacked System to Hack Into Other Systems | 8:00 |

Name of Video | Time |
---|---|
1. Introduction - What Is A Website? | 4:00 |
2. How To Hack a Website? | 4:00 |

Name of Video | Time |
---|---|
1. Gathering Basic Information Using Whois Lookup | 6:00 |
2. Discovering Technologies Used On The Website | 6:00 |
3. Gathering Comprehensive DNS Information | 10:00 |
4. Discovering Websites On The Same Server | 4:00 |
5. Discovering Subdomains | 4:00 |
6. Discovering Sensitive Files | 7:00 |
7. Analysing Discovered Files | 4:00 |

Name of Video | Time |
---|---|
1. Discovering & Exploiting File Upload Vulnerabilities To Hack Websites | 7:00 |
2. Discovering & Exploiting Code Execution Vulnerabilities To Hack Websites | 7:00 |
3. Discovering & Exploiting Local File Inclusion Vulnerabilities | 5:00 |
4. Remote File Inclusion Vulnerabilities - Configuring PHP Settings | 4:00 |
5. Remote File Inclusion Vulnerabilities - Discovery & Exploitation | 6:00 |
6. Preventing The Above Vulnerabilities | 7:00 |

Name of Video | Time |
---|---|
1. What is SQL? | 6:00 |
2. Dangers of SQL Injection Vulnerabilities | 3:00 |
3. Discovering SQL Injections In POST | 8:00 |
4. Bypassing Logins Using SQL Injection | 5:00 |
5. Discovering SQL Injections in GET | 7:00 |
6. Reading Database Information | 5:00 |
7. Discovering Database Tables | 4:00 |
8. Extracting Sensitive Data From The Database (Such As Passwords, User Info, etc.) | 4:00 |
9. Reading & Writing Files On The Server Using SQL Injection Vulnerability | 6:00 |
10. Discovering SQL Injections & Extracting Data Using SQLmap | 7:00 |
11. The Right Way To Prevent SQL Injection Vulnerabilities | 5:00 |

Name of Video | Time |
---|---|
1. Introduction to Cross Site Scripting | 3:00 |
2. Discovering Reflected XSS | 4:00 |
3. Discovering Stored XSS | 3:00 |
4. Exploiting XSS - Hooking Vulnerable Page Visitors To BeEF | 6:00 |
5. Preventing XSS Vulnerabilities | 5:00 |

Name of Video | Time |
---|---|
1. Automatically Scanning Target Website For Vulnerabilities | 4:00 |
2. Analysing Scan Results | 4:00 |
3. Website Hacking / Penetration Testing Conclusion | 5:00 |
4. Writing a Pentest Report | 14:00 |
100% Latest & Updated ECCouncil CEH 312-50v11 Practice Test Questions, Exam Dumps & Verified Answers!
30 Days Free Updates, Instant Download!
312-50v11 Premium Bundle
Free 312-50v11 Exam Questions & 312-50v11 Dumps
File Name | Size | Votes |
---|---|---|
eccouncil.braindumps.312-50v11.v2023-04-26.by.henry.217q.vce | 1.08 MB | 1 |
eccouncil.certkiller.312-50v11.v2021-09-08.by.matthew.238q.vce | 302.45 KB | 1 |
eccouncil.examcollection.312-50v11.v2021-08-10.by.bence.129q.vce | 164.64 KB | 1 |
eccouncil.passcertification.312-50v11.v2021-04-30.by.elizabeth.181q.vce | 222.02 KB | 2 |
eccouncil.braindumps.312-50v11.v2021-03-22.by.thomas.129q.vce | 163.1 KB | 2 |
ECCouncil 312-50v11 Training Course
Want verified and proven knowledge for the Certified Ethical Hacker v11 exam? It's easy when you have ExamSnap's Certified Ethical Hacker v11 certification video training course by your side, which, along with our ECCouncil 312-50v11 exam dumps and practice test questions, provides a complete solution to pass your exam.
In the previous lecture, we saw how to downgrade HTTPS websites to HTTP, and this allowed us to basically see anything a user does on these websites, because data in HTTP is sent in plain text. Therefore, we were able to see the usernames, the passwords, the URLs, and anything else they do on HTTPS websites. At the end of the lecture, I also showed you that the method will not work against Facebook, Twitter, and other websites that use HSTS. The reason why it won't work against these websites is that modern web browsers come with a list of websites that they should only load over HTTPS. So, what we were doing in the previous lecture: whenever a browser requests a website, we load it, even if it uses HTTPS, but we always give it back the HTTP version. With HSTS, the browser knows that this website, for example Facebook.com, should always be loaded over HTTPS. So, even before sending this request to us, it will always send it over HTTPS and accept it if it returns over HTTPS. So there is nothing we can do, really, once we become the man in the middle, because the browser is doing this check locally; it's checking this against a list that is stored on the computer itself. Therefore, the only practical solution at the moment to bypass HSTS is to make the browser think that it is loading another website. To do this, we're going to replace all the links in loaded pages with similar links, but they're not the same links. For example, we could replace Facebook.com with Facebook.corn.
Now, I know this seems very suspicious, but trust me, when it goes into the URL bar, the "rn" here in the middle will seem very similar to the letter "m". Another way of doing this is by replacing Twitter.com with Twiter.com, with a single "t" here instead of a double "t". I know this sounds a little bit confusing right now, but let me go and do it practically and you will see how this is going to work. So right here I have my Kali machine, and we're actually going to use the HSTS caplet that we used in the previous lecture. As mentioned in the previous lecture, this caplet is already installed in the custom Kali. If you want to use it with the original Kali, you'll have to manually download it and place it in the right path, in /usr/local/share/bettercap/caplets. I have the template right here. Like I said, this is already in the correct path because I am using the custom Kali. If we go inside it, we have a file called hstshijack.cap. This is the configuration file of the caplet. So I'm going to right-click it, I'm going to open it with other applications, I'm going to click on "View all applications", and you'll want to pick any text editor that you have. So I'm going to keep this at Leafpad; you might have to scroll down to find it, but I have it here. I'm going to select it and, as you can see, we have a normal text file with all the configurations that we can set. And I've already preconfigured this for you. The main things that you want to understand and maybe change are the targets and the replacements.
So the targets are the domains that use HSTS that you want to replace. For example, I have Twitter.com in here and I also have *.Twitter.com. Basically, when you use a star, this is a wildcard, and it basically means any subdomain of Twitter.com is a target as well. In the replacements, you want to tell the program what to replace this target with. For example, whenever we see Twitter.com, we're going to replace it with Twiter.com. The same is true for Facebook, Apple, and a few other domains I registered. You can also play around with the obfuscate and encode options. I've set both of these to false, because basically what they'll do is obfuscate the code and encode it. But I noticed some browsers, like Firefox, will block obfuscated or encoded code. That's why I set both of these to false, so the code is left as is. Here in the payloads, you can set any other JavaScript code that you want to inject. Leave this the same; we'll talk about JavaScript injection in a future lecture. Finally, you want to make sure that the DNS records are set exactly the same as the replacements in here. So I literally copied this line and pasted it here. Now, I'm actually going to keep all of this the same; I don't need to modify any of it. But like I said, if you are targeting different websites or if you want to use different replacements, for example if you wanted to use Twitter with a single "t" and keep the .com, you can do that here. If you wanted to use Facebook with a single "o" and keep the .com again instead of .corn, you can do it here.
Once done, make sure you save and quit this file, and we're ready to run the attack. So, running this attack is actually going to be similar to what we did in the previous lecture; you just want to make sure you modify this file properly. So, going back to Bettercap, I'm going to clear the screen, run Bettercap with the same command, and load the spoof caplet so it runs all of the ARP spoofing commands and the sniffer automatically. As you can see, everything is running as expected with no errors. If you run this and you get an error, just exit and run Bettercap again. Next, we want to run the HSTS caplet exactly as shown in the previous lecture. All we have to do is type "hs" and press Tab, it will autocomplete for us, and hit Enter to run it again. As you can see, no errors, so everything is working as expected. Let's go to the target machine and see how this is going to work. So I have my Windows machine right here. This is Chrome, the latest version released in April 2019. And before I do anything, like I said, it's always a good idea to just remove the browsing data before I actually load any websites. It is very important to understand that even with everything that we're doing right now, if you try to go to Facebook and type .com at the end here, it will not work. What we're doing right now will not work because Chrome right here has a list that is stored on this computer that says "do not load facebook.com unless it is loaded over HTTPS".
So if you type Facebook right here, it will not work. The only way we can do this is if the user first goes to a search engine, for example Google, i.e. google.ie for Ireland. And in Google, as you can see, Google doesn't use HSTS, so we bypass this using the normal HTTPS bypass. And then if the user here searches for their target website, for example Facebook, our script is going to run in the background and it's going to replace all links on this page for Facebook.com with Facebook.corn. So if I actually hover over this, you'll see in the status bar that the website that will be loaded is Facebook.corn, not Facebook.com. This is fine here; it still says Facebook.com, but only in the visible text. In the code of the HTML page, Facebook.com was replaced by Facebook.corn. So if I click on this link again, as you can see, we get a normal Facebook page. But if you look here on top, you'll see there is no HTTPS. And if you look at the domain name, you'll see it says ".corn", not ".com". Again, like I said, you can actually keep the .com and use Facebook with a single "o", or you can add an extra letter. You can be as creative as you want with this; this is just an example that I'm giving you. Once we're here, we can log in normally with my username, zaid@zsecurity.org, and put in my password, 1234567890, hit Enter, and if we go back and scroll up, perfect. As you can see, we have the username zaid@zsecurity.org and the password all the way up to 90. Now, like I said, the only way for this to work is if the user gets to Facebook through another website that does not use HSTS. If they go to the URL bar and type Facebook.com, we will not be able to do this. That's why this is considered a partial solution and not a full one.
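The look-alike domain trick described in this lecture (Facebook.corn, Twiter.com) works because the browser's HSTS list matches exact hostnames, so the defender's counterpart is to look for hosts that are confusable with, or one edit away from, a domain known to be HTTPS-only. The Python script below is an added example and is not part of the course or of Bettercap: it scans a set of hyperlinks, as a proxy log or a page's anchor tags would supply them, and flags look-alike hosts as well as plain-HTTP links to a protected domain itself (the downgrade the previous lecture describes). The protected-domain set, the confusable table and the sample links are all constructed for this example.

```python
"""Flag hyperlinks whose host is a look-alike of an HSTS-protected domain.

Added example (not the course's code). Sample data is constructed.
"""
from urllib.parse import urlparse

# Constructed list of domains that should only ever be reached over HTTPS.
PROTECTED_DOMAINS = {"facebook.com", "twitter.com", "apple.com"}

# Character sequences that look alike in a typical URL-bar font
# ("rn" reads as "m", which is why facebook.corn passes a quick glance).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def normalize(host: str) -> str:
    """Collapse visually confusable sequences so facebook.corn -> facebook.com."""
    host = host.lower().rstrip(".")
    for seq, canonical in CONFUSABLES:
        host = host.replace(seq, canonical)
    return host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches dropped or added letters such as twiter.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels), sufficient for the .com/.org samples here."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify_link(url: str):
    """Return (verdict, protected_domain_or_None).

    verdicts: ok, downgrade (protected domain over plain http),
              lookalike (confusable or one edit away), invalid.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "invalid", None
    base = registrable(host)
    if base in PROTECTED_DOMAINS:
        return ("downgrade" if parsed.scheme == "http" else "ok"), base
    norm = normalize(base)
    for target in sorted(PROTECTED_DOMAINS):
        if norm == normalize(target) or edit_distance(base, target) == 1:
            return "lookalike", target
    return "ok", None


def scan_links(links):
    """Return [(url, verdict, protected_domain)] for every link that is not ok."""
    findings = []
    for url in links:
        verdict, target = classify_link(url)
        if verdict != "ok":
            findings.append((url, verdict, target))
    return findings


# Constructed sample: links as they might appear in a rewritten search-results page.
SAMPLE_LINKS = [
    "https://www.facebook.com/",
    "http://www.facebook.corn/",
    "http://twiter.com/home",
    "http://www.facebook.com/login",
    "https://www.google.ie/search?q=facebook",
]

if __name__ == "__main__":
    for url, verdict, target in scan_links(SAMPLE_LINKS):
        print(f"{verdict:10} {url}  (protected domain: {target})")
```

A browser extension or an intercepting proxy on the defender's side would feed real anchor hrefs into scan_links; the confusable table is deliberately short and should be extended from a Unicode confusables list for production use.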
Now in this lecture, we're going to learn what DNS spoofing is and how to perform it. A DNS server is a server that converts domain names, such as Google.com, to the IP address of the server that is hosting this website. So when you type Google.com in your browser, the request goes to a DNS server. The server responds with the IP where Google.com's files are stored, and the browser will load the website from this IP. Now, when we are the man in the middle, the request for Google.com will be passed to us first before it goes to the DNS server. Therefore, instead of giving the IP address of the server that is hosting Google.com, we can actually give any IP address we want. So we can redirect them to a fake website with a backdoor or with evil code, hijack software updates, and so much more. We'll actually have examples of this in future lectures, but for now, let's see how we can run a basic DNS spoofing attack in which we redirect requests from a specific website to our own website or our own web server.
Now, before we run Bettercap, let's decide where to redirect our target to, because we can redirect them to any website we want. For example, when someone requests Google.com, we can redirect them to Yahoo. But what I want to do is to redirect them to my own website, to a local website that I'm going to start on Kali. Kali comes with its own web server, so we can actually use it as a website. And to do this, all we have to do is just start the web server. So we're going to do service apache2 start. So apache2 is the name of the web server, and we're saying that we want to start the service. If I hit Enter, we see no errors, which means that the server is working now, and to access this website, to access this server, we have to go to Kali's IP. So as you know, to get our IP, we can do ifconfig, and we can see our IP is 10.0.2.15.
So if I just go to a web browser and go to 10.0.2.15, you'll see I'll get the default page of this website. Now the pages for this default website are stored in /var/www/html, so I'm going to open my file manager, click here on the title bar, press forward slash to open the location bar, and we're going to go to /var/www/html, and as you can see, these are the files for this website. So if you want to install a fake website or any type of website, all you have to do is just put its files here. Now index.html is the file that gets loaded here by default, so this is what you see here. So I'm actually going to right-click it, I'm going to open it with another application, I'm going to select my text editor, and this will open the HTML code for me. And I'm actually just going to remove this and I'll just put a smiley face. Like I said, we're just doing this for testing.
So I'm just showing you which files get loaded by default and where you can actually put a website if you want to host a proper website here. So I'm going to go back here, and if I refresh the page, you can see we get this smiley face in here. Now, that's perfect. Right now, we still haven't executed our DNS spoofing attack. But what I want to do is, when my target tries to go to a specific website, I'm going to redirect them to this page that shows this smiley face. So let's go to the target machine first, and then let's go to our target website. I'm going to do this against my own website, zsecurity.org. So if you load this website, you'll see you get an actual security website with a number of topics and all that kind of stuff. Basically, the website is working as expected. Let's go ahead and run this attack. So I'm going to go to Bettercap and run it using the exact same command that we've been using so far. So we're just doing Bettercap with the interface and spoof.cap so we can intercept data and modify it as it's flowing through our computer. And as you can see, it's running with no errors, so that's all good. Now, the module that we want to use is called dns.spoof. So if I do help right now, you can see it right here; it's called dns.spoof and it's not running. And as usual, if we don't know how to use a module, all we have to do is type help followed by the module name, and in this case it's dns.spoof. And as you can see, we get all the options that we can set for this module. The first option is dns.spoof.address.
This is the address that the user will be redirected to. So if you want to redirect them to another website, you have to put the IP of this other website here. In my case, I want to redirect them to my local website, to the website that we have here, which is running at 10.0.2.15. Therefore, I'm not going to have to modify this because, by default, this is set to the IP of my interface. The next thing that we want to modify is dns.spoof.all. We want to set this to true so that Bettercap responds to any DNS request. So just like any other option in Bettercap, to change its value we have to do set followed by the option name that we want to modify, and in this case it's dns.spoof.all, and we want to set this to true. Sorry, this has all been produced by the sniffer. The next option that we want to set is dns.spoof.domains. This specifies the domains that we want to target and which we want to spoof. And as mentioned, we can use a comma to separate more than one domain. And as you know, we want to target zsecurity.org and we want to redirect that to our own website running on Kali. So we need to change this option right here, dns.spoof.domains. And again, we're going to do this by setting the option name, which is dns.spoof.domains, and we're going to set this to zsecurity.org. As mentioned in the options, we can use the comma to specify more than one domain.
And the other domain that I want to specify is *.zsecurity.org. So the star right here is a wildcard, and it basically means that I want to target any subdomain of zsecurity.org. So I'm going to hit Enter, and we don't see any errors, so everything is set as expected. And all we need to do now is start the DNS spoof. And to do this, we just need to run dns.spoof on, exactly the same way that we start any other module. I'm going to hit Enter, and this should be running right now. And as you can see, it's telling us that it's going to spoof zsecurity.org to this IP, which is, again, our IP; we verified this using the ifconfig command. And keep in mind, we actually did not have to give Bettercap this IP; it got it automatically. It's also telling us that the other target is *.zsecurity.org, and it will be spoofed to the same IP. Now let's go to the target machine and test this. And before you test this, please keep in mind that you might need to wait for a minute or two for the changes to propagate. Also, if you just loaded this website just like I did right now, it's a good idea to remove all your browsing data. You won't have to do this in real-life scenarios unless the target person is constantly loading the same page, which doesn't happen a lot.
But if the target person goes ahead and browses a few websites, comes back to zsecurity.org, then everything is perfect. As you can see, we get redirected to the smiley face instead of loading zsecurity.org. Now, this will work against all websites, even if they use HTTPS. As you saw earlier, zsecurity.org uses HTTPS and it loads over HTTPS by default. The only websites that this will not work against are websites that use HSTS, because, again, as I mentioned before, the browser has a list of these websites. The list is stored locally on the target computer, so it doesn't send any requests, and it will only load these websites over HTTPS. So even though the attack will work, the browser will refuse to load the website that we are spoofing them to. Now, as you can see, what we have done so far is not very useful; all we did is just show a smiley face. But DNS spoofing is very, very useful in so many scenarios. You can use it, for example, when someone is trying to go to a login page and show them a fake page, or if they're trying to go to zsecurity.org, for example, and then just show them another zsecurity.org website with some malware embedded into it. You can also use it to serve fake updates. So whenever they have software that's going to check for updates, we can DNS spoof that request and send them a fake update with a backdoor. We'll see that later on in the course. So it's a really, really handy skill that can be used in so many scenarios.
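The lecture above leaves two detectable traces: a public name (zsecurity.org and, with the wildcard, every subdomain) suddenly resolves to a LAN address, and with dns.spoof.all many unrelated names collapse onto that one address. The Python detector below is an added example, not part of the course or of Bettercap, and it runs offline: it compares observed answers from the resolver the DHCP server handed out against a trusted baseline (what a resolver reached over an authenticated channel such as DoH previously returned) and applies those two checks. The baseline, the observations and the 10.0.2.15 attacker address are constructed sample data; the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges stand in for public addresses.

```python
"""Spot DNS answers that look like on-path spoofing.

Added example (not the course's code). All records below are constructed.
"""
import ipaddress
from collections import defaultdict

# Address ranges a public hostname should never resolve to on a normal network.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed baseline from a trusted resolver (documentation ranges stand in
# for public addresses).
TRUSTED_BASELINE = {
    "zsecurity.org": {"198.51.100.10"},
    "www.zsecurity.org": {"198.51.100.10"},
    "example.com": {"203.0.113.7"},
}

# Constructed observations from the resolver handed out by DHCP, after an
# attacker on the LAN has started answering for zsecurity.org and *.zsecurity.org.
OBSERVED = [
    ("zsecurity.org", "10.0.2.15"),
    ("www.zsecurity.org", "10.0.2.15"),
    ("mail.zsecurity.org", "10.0.2.15"),
    ("example.com", "203.0.113.7"),
    ("printer.lan", "10.0.2.40"),
]

LOCAL_SUFFIXES = (".lan", ".local", ".home", ".internal")


def is_public_name(name: str) -> bool:
    """Names under local-only suffixes are expected to resolve to LAN addresses."""
    return not name.lower().endswith(LOCAL_SUFFIXES)


def is_lan_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_RANGES)


def check_answer(name: str, addr: str, baseline=TRUSTED_BASELINE):
    """Return a list of reasons the answer looks spoofed; empty means it looks fine."""
    reasons = []
    if is_public_name(name) and is_lan_address(addr):
        reasons.append("public name resolved to a LAN address")
    expected = baseline.get(name)
    if expected is not None and addr not in expected:
        reasons.append(f"answer differs from trusted baseline {sorted(expected)}")
    return reasons


def detect_spoofing(observed, baseline=TRUSTED_BASELINE, sinkhole_threshold=2):
    """Map each suspicious name to its reasons.

    Besides per-answer checks, flags the dns.spoof.all signature: several
    distinct public names all answered with the same address.
    """
    findings = {}
    names_by_addr = defaultdict(set)
    for name, addr in observed:
        reasons = check_answer(name, addr, baseline)
        if reasons:
            findings[name] = reasons
        names_by_addr[addr].add(name)
    for addr, names in names_by_addr.items():
        public = {n for n in names if is_public_name(n)}
        if len(public) >= sinkhole_threshold:
            for n in sorted(public):
                findings.setdefault(n, []).append(
                    f"shares {addr} with {len(public) - 1} other public name(s)")
    return findings


if __name__ == "__main__":
    for name, reasons in sorted(detect_spoofing(OBSERVED).items()):
        print(name)
        for r in reasons:
            print("   -", r)
```

On a real host the observations would come from the stub resolver's log or a packet capture of UDP/53 answers, and the baseline would be refreshed over DNS-over-HTTPS or DNS-over-TLS, which an ARP-spoofing attacker cannot rewrite without a valid certificate.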
So far, we have seen a number of things that we can do once we become the man in the middle. We saw how we can see anything a target computer does on the network: we were able to see the websites, the usernames, the passwords, the images, and anything else they loaded in their browser. We also saw that, since we're the man in the middle, we're able to redirect them to other websites; whenever they request a domain, we can redirect them somewhere else by doing a DNS spoofing attack. Another really cool thing that we can do is modify the HTML and modify the pages as they load in the target browser. Obviously, this is all possible because we're the man in the middle, because we're able to intercept all this data. So we can wait for the HTML code, which is the code that's responsible for loading web pages, and as it flows through our computer, we can insert any piece of code that we want, and the browser will execute this code. Now, HTML is only responsible for rendering the elements that you see on the web page; it's responsible for the buttons, for the forms, for the text. It doesn't really allow us to do much, but modern browsers can execute JavaScript code. JavaScript is a powerful programming language that we can use to do so many things.
We can actually modify the whole page, removing elements or adding elements into the page; we can replace links. And this is actually what I did when I modified the HSTS plugin. So I added code that will replace the HTTPS with HTTP, and I also added code that will replace the actual link, the actual domain name, with the spoofed domain name, the one with the ".corn", or whatever you set it to in the script. You can even use it to hook the browser to other browser exploitation frameworks, which you can use to further exploit the target and even gain full control over their computer, and we'll see that later on in the course. But for now, I'm going to show you how to inject a very simple JavaScript code into the loaded pages. And then we'll build up on that in future lectures and see how powerful and useful this can be. So right here I have my Kali machine, and before I run Bettercap and show you how to inject JavaScript, first of all we need to have some JavaScript code to inject into the target browser. So I'm going to open a text editor and I'm going to write some very simple JavaScript code. Like I said, we will see how we can use this to run more useful code. But for now, we're keeping this simple to just see how we can actually run JavaScript code. So all I'm going to do is type alert, open a bracket and a quotation mark, and I'm going to say "JavaScript test". I'm going to close the quotation mark, close the bracket, and add a semicolon.
So right here, this code, all it's going to do is display an alert message saying "JavaScript test". So since we're going to try to inject this code into all pages, every time we load a web page, we should see a message saying "JavaScript test". Now, I'm going to save this. So I'm going to go to File, Save, and I'm going to put this in my root directory and I'm just going to call it alert.js. I'm going to hit Enter, and that will be saved now in my root. So if I quit it, we can see we have the file right here. So this is the file that contains the code that we want to inject into any web page that loads on the target computer. The next step is to go to our HSTS Hijack plugin. So as I showed you before, this was in /usr/local/share/bettercap/caplets/hstshijack. Make sure you use the one that I included in the sources, not the one that comes built in with Bettercap, because the built-in one will not work as you want it to. So here we have the hstshijack.cap file. This is the configuration file for the plugin. So I'm going to right-click this and open it with my text editor. And here, what we want to modify is the payloads right here. So, as you can see here, it's already injecting a JavaScript file called keylogger.js. But we also want to inject our own code. So I'm going to add a comma here and I'm going to add a star followed by a colon. We added the star right here to say that I want to inject my script into any page that the target loads.
If you want to inject your code into specific domains, then you can remove the star and just list the domains that you want to inject this code into right here. But like I said, we want to inject this into all pages, so I'm going to put this as a star. And after the colon, I'm going to put the location of the JavaScript file that I want to inject into the browser. So if we look back here, this is the file that we just created, which is in root, my home, and it's called alert.js. So I'm going to put it in here: I'm just going to say forward slash root followed by alert.js. And that's it. I'm going to save this with Ctrl+S and quit with Ctrl+Q, and we are ready to go. So I'm going to go to my terminal and run Bettercap using the exact same command that we've been using. So we're just giving it the interface, eth0, and we're giving it our spoof file to automatically run the ARP spoofing attack, putting us in the middle of the connection. And as you can see, this is working with no errors, so everything is perfect. What I also want to do right now is run my HSTS Hijack plugin. And as you know, all we have to do is just type "hs" and press Tab.
This will autocomplete. I'm going to hit Enter, and everything will run with no errors at all. So everything is perfect. And as you can see here, it's saying that the payloads are loaded; the JavaScript payloads are the keylogger, which is the default one that the file already loaded, and the one that we just specified, which is /root/alert.js. So now, any time our target loads any web page, whatever code we put in alert.js should be injected into the loaded page and it should get executed. The result of that should show us a simple message saying "JavaScript test". So let's go to the target. And as usual, a good idea is just to remove the browsing data, just to make sure that nothing is cached. And I always start with the simplest case and work my way up to more complex scenarios. So first of all, I'm going to test it against a normal HTTP page, so there is nothing to bypass, no encryption whatsoever. So we're just going to go to vulnweb.com, and perfect, as you can see, we have an alert message in here showing "JavaScript test". So basically, this means the JavaScript code in my alert.js file got injected into this page. So now that we've verified it works against normal HTTP pages, let's go ahead and test it against a page that uses HTTPS, such as StackOverflow.com. Perfect, it's working as expected. Another example would be LinkedIn.com. Keep in mind, these websites use HTTPS, and as you can see, we're able to load them with no HTTPS here, so over HTTP only.
So even if you log in right here, you'll be able to get the username and the password as shown before. Finally, let's go and test it against an HSTS website using the partial HSTS bypass method that I showed you. So for that to work, we'll need to go to Google first of all. And we need to go to a Google domain that does not use HSTS, such as google.ie; this is actually the local Google website for Ireland. And as you can see, the code works. This is fine, Google only uses HTTPS, but let's look at Facebook. Now we know Facebook uses HSTS, and because HSTS is used, we should not be able to inject anything on the website because the browser will only load it over HTTPS. But using our partial bypass method, if you click on Facebook from here, as you can see, the code gets executed because what we're loading right now is facebook.corn, not facebook.com. And as you can see, we get the normal Facebook page again, which looks identical. And if you log in, you'll be able to get the username and password. So, as you can see, this will work against HTTP and HTTPS pages and even HSTS if the target searches for that website, not if they put the domain name in here. So if the target comes in and literally types facebook.com into the address bar and hits Enter, the browser will force the HTTPS connection, as you can see here. Because, like I said, it has a preloaded list of websites that it can only load over HTTPS. And because the browser is establishing an HTTPS connection, the data will be encrypted, therefore we won't be able to inject.
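The lecture above ends on the defender-relevant point: an HSTS policy, including the browser's preload list, binds only to the exact host it was set for (and, with includeSubDomains, that host's subdomains), so a typed facebook.com is forced to HTTPS while a look-alike domain reached through a link is not. The following is an added example, not code from the course or from Bettercap, that a site operator can use to parse a Strict-Transport-Security header and see which hostnames the policy actually covers. The header values and hostnames (including "facebook.corn") are constructed for the demonstration; the preload-eligibility thresholds it checks (max-age of at least one year, includeSubDomains and preload present) are the ones published by the hstspreload.org submission form.

```python
"""Parse Strict-Transport-Security (HSTS) header values and check which hosts
a policy covers.

Added example, not course or Bettercap code. The header is defined by
RFC 6797; the preload thresholds below are those of hstspreload.org.
Hostnames and header values used here are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

ONE_YEAR_SECONDS = 31_536_000  # minimum max-age accepted by the preload list


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse an HSTS header value.

    Returns None when the header is malformed (missing, duplicate or
    non-numeric max-age); browsers ignore such a header entirely, so a
    typo here silently leaves the site without HSTS protection.
    """
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # Unknown directives are ignored, as RFC 6797 requires.
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_eligible(policy: HstsPolicy) -> bool:
    """True when the policy meets the preload list's minimum requirements."""
    return (policy.max_age >= ONE_YEAR_SECONDS
            and policy.include_subdomains
            and policy.preload)


def policy_covers(policy_host: str, policy: HstsPolicy, host: str) -> bool:
    """Does a policy set by policy_host apply to a request for host?

    HSTS binds to the exact host, plus its subdomains when includeSubDomains
    is set. A different registrable domain, however similar it looks, is
    never covered, which is the gap the lecture's partial bypass relies on.
    """
    policy_host = policy_host.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if host == policy_host:
        return True
    return policy.include_subdomains and host.endswith("." + policy_host)


def audit(policy_host: str, header: str, hosts: Iterable[str]) -> Dict[str, bool]:
    """Return {host: covered?} for a header observed on policy_host."""
    policy = parse_hsts(header)
    if policy is None:
        return {h: False for h in hosts}
    return {h: policy_covers(policy_host, policy, h) for h in hosts}


if __name__ == "__main__":
    header = "max-age=31536000; includeSubDomains; preload"  # constructed
    print("preload eligible:", preload_eligible(parse_hsts(header)))
    print(audit("facebook.com", header,
                ["facebook.com", "www.facebook.com", "facebook.corn"]))
```

Running the block reports that the constructed header is preload-eligible and that it covers facebook.com and www.facebook.com but not facebook.corn, which is why the lecture's technique stops working as soon as the victim types the real domain.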
In previous lectures, we learned how to use Bettercap to do a number of cool things. But everything we did, we did it through a text or a terminal interface. There is also a web interface or a graphical interface for Bettercap that we can use to do everything that I showed you so far. The reason why I started with the text interface is that, first of all, I actually prefer using it and use it instead of the graphical interface all the time. I think it's faster. You can use it to achieve your goal and launch attacks much faster. It also requires fewer resources and fewer modules, so it's less likely to fail and less buggy. Not only that, but by learning how to use the text interface, I also showed you how to manually modify the templates and the scripts, where they are stored and how to use them properly without the need for an extra plugin, which is the plugin that runs the web interface. With that being said, some people still think the web interface is more user-friendly and that's why I'm going to cover it in this lecture. So I'm going to start Bettercap by typing bettercap and I'm going to use -iface to select my interface, which is eth0. And I'm not going to specify a caplet this time because I simply just want to start Bettercap on the interface that is connected to the target network.
So we're going to hit Enter and that will run with no issues as usual. Now, if you're using the custom Kali image that I made for this course, then you can simply start the web interface by typing http-ui. But if you're using the original version of Kali or if you're using Bettercap on a different distribution, then you're going to have to install the web interface. So you're going to have to run ui.update to install it. And then, once it's installed, you can simply run http-ui. Now, like I said, because I am using the latest custom Kali that is made for this course, I can simply run it by typing http-ui without having to install anything. And if I hit Enter, you'll see that it's going to run with no issues on this URL. So I'm going to copy this and we're going to open it in my web browser and perfect. As you can see, we get a login page for the web interface. So the default username is user and the default password is pass. I'm going to click on Login to log in, and as you can see, we have a very simple and easy to use interface. There are no more commands that we have to run, though we can run commands here through the command line. Right here we have the event log. So this is similar to what you see in the terminal, but it's in a much nicer interface. You can use the search bar here to filter if you're looking for a specific log or for a specific event. And you can actually click on any event type to mute it, so you won't see any of that event on screen. All of this is happening right here in the Events menu.
The next useful page would be the LAN page right here, which will show you all the devices connected to the network. So this is similar to when we used to run net.show. As you can see, right now we only have the router, which is at ten 00:21, and my current computer, which is at ten 00:21. This is Kali. Previously, we had to launch net.recon and net.probe to discover all of the devices on the same network. So here, instead of writing the commands, all you have to do is click on this play button to start net.recon. You'll get nice notifications here, and as you can see, we managed to discover all of the connected devices. You can also see that we have a nice tag to tell us that this is the gateway and a nice tag telling us that this is our computer. The devices that we discovered are these two devices. And you can see this is my MSH device, the Windows machine that we have always been targeting. Again, because this is a very simple interface, you won't have to type anything. You can click on this little arrow right here beside the machine, beside the IP. You can either scan this machine for ports or add it to your spoofing targets. So you won't have to set arp.spoof.targets for this IP. All you have to do is literally click here and it's automatically added to the ARP spoof. Not only that, but we'll see a nice little window in here to configure our ARP spoofer. And remember, we used to set this option to true for the full duplex. So all I have to do now is just click here to check it and to start the spoofer, all I have to do is click on Start Spoofing and done.
Now we should be spoofing the target. As you can see, we also see a nice icon beside this IP to tell us that at the moment we are spoofing this IP, telling it that we are the gateway. So now if I go to my target and just run arp -a, you can see that the router's MAC address has changed to the MAC address of the Kali machine, which is this one. So that means that we are properly spoofing this device, telling it that we are the router and that we managed to become the man in the middle. Now, I've actually shown you how to do all of this before in detail. So if you don't remember any of this or if any of this feels strange, then please go back and revise the lectures where I covered these things. Now, I also showed you how to bypass HTTPS and partially bypass HSTS using a caplet. Again, we have a nice menu here for caplets and, as you can see, we have all the caplets currently available with Bettercap. And all you have to do is just click on the caplet that you want to run, and in my case, it's the hstshijack caplet. Also, if you remember when we were modifying this caplet, we used to have to open the location where the caplets are installed and then open the caplet in a text editor and modify its options, whereas here you can literally change any option.
Within this menu, click on the disk icon right here to save and then click on Play to run this template. And as you can see, you get nice notifications telling you that everything was executed as expected. And right now, we can go ahead and test this. So if I go here and just clear the browsing data as usual, and then if I just go to a normal HTTPS page such as stackoverflow.com, you'll see that this will load over HTTP, so we can log in and we should be able to get the username and password as I showed you before, and we can test the partial HSTS bypass. So if I go to Google and search for Facebook, I click on the first result and everything is perfect. As you can see, it's loading over normal HTTP here. Again, if I log in, the information will be captured by my sniffer. So, as you can see, it is very, very easy to edit templates and even run them through this web interface. You can also run all of the other modules through the Advanced menu here. So for example, if you wanted to start the sniffer, all you have to do is just scroll down here looking for the sniffer and we have it right here, net.sniff. If I click on that, as you can see on top, it's telling us it's not running. And right here, instead of running the commands, all you have to do is just click on the command that you want to run. Not only that, but if you want to modify any of the options again, all you have to do is just type whatever you want to modify in here, click on the save in here, and then run the command that you want to run. So if I wanted to start the sniffer now, all I have to do is just click on net.sniff on and this will start the sniffer for me. Now the sniffer, combined with the nice events that we can get in here, makes it easier to filter through the data that we capture.
But it's still not the best way to filter through the captured data. I will cover how to properly sniff data and filter it using Wireshark, which is the best tool for sniffing and filtering data. But again, this web interface right here provides an easier way of interacting with and using Bettercap. I didn't show you how to use the WiFi, the BLE, the HID, or the Poison menus because we actually did not use any of these modules previously. So I just wanted to focus on showing you how to do everything we've done so far using this interface. Like I said, it is easier to use, I agree, but once you get used to the terminal interface, it will be just as easy as this one. To me, it's more organized, it can be used to achieve my goals much more quickly, it uses fewer resources and it's faster. That's why I prefer using it over the web interface. And if it wasn't for showing you how to use the web interface, I wouldn't even install it. But at the end of the day, I wanted to show you both options, and obviously, you're free to use whatever is easier for you.
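The two lectures above both verify the ARP spoof from the Windows target with arp -a: the router's entry now carries the Kali machine's MAC address, so one MAC shows up for two IPs. That is exactly the signal a defender can watch for on an endpoint. The following is an added example, not code from the course or from Bettercap: it parses two constructed arp -a snapshots (IP and MAC addresses are made up) and reports a gateway MAC change and any MAC address that claims more than one IP. Static entries (broadcast and multicast) are skipped because they legitimately share or fix MACs.

```python
"""Detect ARP cache poisoning from arp -a snapshots taken on a Windows host.

Added example, not course or Bettercap code. The snapshots, IPs and MAC
addresses below are constructed for the demonstration.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed `arp -a` output on the target before spoofing starts.
BEFORE = """
Interface: 10.20.14.204 --- 0xb
  Internet Address      Physical Address      Type
  10.20.14.1            00-50-56-aa-bb-01     dynamic
  10.20.14.213          08-00-27-cc-dd-02     dynamic
  10.20.14.255          ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed `arp -a` output while another host on the LAN (10.20.14.213)
# is claiming to be the gateway: the gateway row now shows that host's MAC.
DURING = """
Interface: 10.20.14.204 --- 0xb
  Internet Address      Physical Address      Type
  10.20.14.1            08-00-27-cc-dd-02     dynamic
  10.20.14.213          08-00-27-cc-dd-02     dynamic
  10.20.14.255          ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One table row: IPv4 address, MAC (Windows uses '-', Linux ':'), entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)


def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IP -> normalised MAC for dynamic entries only.

    Static entries (broadcast, multicast, manually pinned) are ignored so
    they do not trigger the duplicate-MAC check.
    """
    table: Dict[str, str] = {}
    for line in text.splitlines():
        match = ARP_LINE.match(line)
        if not match:
            continue
        ip, mac, entry_type = match.groups()
        if entry_type.lower() != "dynamic":
            continue
        table[ip] = mac.lower().replace(":", "-")
    return table


def detect_spoofing(before: Dict[str, str], after: Dict[str, str],
                    gateway_ip: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious.

    Two indicators are checked: the gateway's MAC differing from the
    baseline, and one MAC appearing for several IPs (the poisoner's own
    address plus every IP it impersonates).
    """
    findings: List[str] = []
    old, new = before.get(gateway_ip), after.get(gateway_ip)
    if old and new and old != new:
        findings.append(f"gateway {gateway_ip} MAC changed {old} -> {new}")

    ips_by_mac: Dict[str, List[str]] = defaultdict(list)
    for ip, mac in after.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            findings.append(
                f"MAC {mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    baseline = parse_arp_table(BEFORE)
    for finding in detect_spoofing(baseline, parse_arp_table(DURING), "10.20.14.1"):
        print("ALERT:", finding)
```

On a real host the baseline would be recorded when the network is known to be clean (or taken from the DHCP server's knowledge of the gateway's MAC) and the check run periodically; the same two indicators are what switch-side protections such as dynamic ARP inspection enforce centrally.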