Bypassing HTTPS

Lecture Transcript - Bypassing HTTPS

Now, everything that we did so far will only work against HTTP pages.

The reason why it works against HTTP is because, as we saw, the data in HTTP is sent as plain text.

So it's text that humans like us can read and understand.

That's why when we're the man in the middle, we're able to read this text.

And if we wanted, we're able to modify this text as we wish.

Now, this is obviously a problem, and this problem was fixed in HTTPS.

So as you know, most websites use HTTPS.

The reason why, like I said, is because it's a more secure version of HTTP, and basically the way it works is it adds an extra layer over HTTP, which is where the S comes from.

So it's a secure HTTP protocol, and this extra layer will encrypt the plaintext data that HTTP sends.

So if a person manages to become the man in the middle, they will be able to read this data.

But the data will be gibberish.

It will not be readable to the person intercepting the connection.

Now, HTTPS relies on TLS or SSL to encrypt the data, and this is very difficult to break.

Therefore, in order to bypass this, the easiest method is to downgrade HTTPS connections to HTTP.

So since we're the man in the middle, we can check if the target is requesting an HTTPS website.

And instead of giving him the HTTPS version of that website, we will give him the HTTP version.

This way the data will be sent in plain text and we'll be able to read it exactly as I showed you in the previous lecture. To do this, we'll have to manually configure and use a tool called SSLstrip, and I show how to do this in my more advanced courses.

But luckily, bettercap has a caplet that does all of that for us.

I also modified this caplet myself to get it to work more reliably and on more websites.

So please make sure you use the custom Kali image that I made for this course, because it comes with this modified caplet by default.

If you want to use the original Kali, then you're going to have to manually download this caplet and put it in the right path.

I am using the custom image here, so I won't need to do any of that.

I can simply run bettercap and use it.

But before doing that, I just want to go to the home directory and modify the spoof caplet that we have been using in the previous lectures.

And I just want to modify one thing in this, so I'm going to right-click it and open it with Leafpad.

And what I want to modify is I want to add an option to the sniffer in here.

So, as you know, this line, net.sniff on, will turn on my sniffer, but before turning it on, I want to set net.sniff.local to true, and what this option will do is it will tell bettercap to sniff all data, even if it thinks this data is local data.

The reason why I set this option to true is because once we use the HTTPS bypass caplet, the data will seem as if it's being sent from our computer.

So bettercap will think these passwords belong to me, to my computer, and it will not display them to me on screen.

That's why we're setting it to true, so that we can see all the usernames and passwords sent on the websites that we will downgrade from HTTPS to HTTP.

So I'm going to save this with Ctrl+S and quit it with Ctrl+Q. And now we are actually ready to go and use this caplet and see how we can downgrade HTTPS to HTTP and steal passwords from login pages that use HTTPS by default.

So I'm going to go to my terminal and I'm going to use bettercap exactly as I've been using it before.

So we're typing bettercap, the name of the program.

We're giving it our interface after the -iface argument.

We're using the -caplet argument to specify a caplet to run as soon as we run the program, and we're running the spoof caplet, the one that we built in the previous lecture that runs the ARP spoofing command and runs the sniffer for us.

So I'm going to hit enter.

And as you can see, everything got executed as expected.

If we do help, we'll see all the running modules.

And we have the ARP spoof and the sniffer running with the recon and with the probe.

So this is exactly what we wanted from our caplet.

So first of all, the HTTPS bypass caplet is one of many caplets that bettercap comes with.

If you want to list all of these caplets, you can do caplets.show.

And as you can see, you'll get a list of all of the caplets that you have and their location on the system.

Now, the caplet that we want to run is the hstshijack caplet, this one right here.

And to run any of these caplets, all you have to do is literally just type its name.

And as usual, you can use tab to autocomplete.

So to run our caplet right here, all I have to do is literally type hsts and press tab.

And as you can see, it'll automatically autocomplete for me and type the caplet name.

Now if I hit enter, this will load the caplet with all of its options and it'll run it for me.

So as you can see, because we don't see any errors, this means everything got executed as expected.

So let's go to the Windows machine, browse some pages and see if we can sniff the data, usernames, passwords and URLs that they enter on their computer.

So I have my Windows machine here, I have Chrome installed, this is the latest version of Chrome at the time of recording this lecture. A really good idea before trying all of these things is to remove your browsing data, because the websites that we're going to try to access might be cached and they might be just loaded from your cache.

This will only happen if you're visiting the same website over and over again, mostly when testing.

Therefore, it's a really good idea to press Ctrl+Shift+Delete and click on Clear browsing data.

Make sure all of this is checked, make sure it's set to All time and click on Clear to remove all of it.

And let's go ahead and go to a website that uses HTTPS.

So a good example would be linkedin.com.

And perfect, if you look here at the top, you'll see the website is loading over HTTP, not over HTTPS, therefore we'll be able to see anything the user enters in these boxes.

So let's put a username, let's add zaid@zsecurity.org, and I'll put the password as 1234567890.

It doesn't really matter.

You can use any password, and I'm going to hit enter to log in.

This is wrong, so obviously we're getting an error message, but if we go back to Kali, as you can see, we're capturing all of this data because it's not being sent over HTTPS anymore.

It's being sent over HTTP.

And if you look in here, you can see we captured login information sent to linkedin.com, sent to this specific URL, with login in the URL, and you can see the username is zaid@zsecurity.org.

And the password is 1234567890.

So that's really, really good.

Let's go ahead and test another HTTPS website.

Let's go to stackoverflow.com.

Again, you can see on top it's loading over HTTP, not HTTPS, so I'm going to click on Log In.

And again, I'm going to put my email, zaid@zsecurity.org, and we'll put the password as 1234567890, hit enter and let's go to the Kali machine again.

Scroll down this time because we're at the top, and perfect.

You can see we have a POST request in here.

It's sent to this specific URL.

Again, you can see login in the URL.

You can see the website itself, stackoverflow.com.

And if we scroll down a little bit more, we can see that the username is zaid@zsecurity.org.

And the password again, 1234567890.

So that is really, really good.

Now we can downgrade any HTTPS connection to HTTP as long as the target website uses HTTPS, not HSTS.

So this method will work against pretty much all websites that use HTTPS, except for the really popular websites such as Facebook, Twitter and so on.

So let me show you a quick example.

If I go here and try to go to facebook.com, you'll see that the website got loaded over HTTPS, not over HTTP, even though we configured our caplet correctly, and even though we're able to downgrade HTTPS connections on a lot of websites such as LinkedIn and Stack Overflow. This is happening because Facebook is using HSTS, which is a little bit trickier to bypass.

In the next lecture, we'll talk more about what HSTS is, why it's tricky to bypass and how to partially bypass it and still get usernames and passwords from the websites that implement it, such as Facebook, Twitter and so on.
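The reason Facebook resists the downgrade shown above is the HSTS response header. As an added example, not part of the lecture or of bettercap, here is a small Python checker that parses a site's Strict-Transport-Security header the way a browser would and reports whether the HTTPS-to-HTTP downgrade would be refused; the sample headers are constructed, and the live fetch_hsts helper is an assumed convenience for checking a site you operate.

```python
import http.client
from typing import Optional

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = {
    "no_hsts":     {"Content-Type": "text/html"},
    "disabled":    {"Strict-Transport-Security": "max-age=0"},
    "basic":       {"Strict-Transport-Security": "max-age=31536000"},
    "preloadable": {"Strict-Transport-Security":
                    "max-age=63072000; includeSubDomains; preload"},
}

def parse_hsts(value: str) -> dict:
    """Split an HSTS header value into its RFC 6797 directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            policy["max_age"] = int(directive.split("=", 1)[1].strip('"'))
        elif directive == "includesubdomains":
            policy["include_subdomains"] = True
        elif directive == "preload":
            policy["preload"] = True
    return policy

def downgrade_verdict(headers: dict) -> str:
    """Say whether a browser would refuse the HTTPS->HTTP downgrade for this site."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "vulnerable: no HSTS, the browser follows a stripped http:// link"
    policy = parse_hsts(value)
    if not policy["max_age"]:
        return "vulnerable: max-age is 0 or missing, so the policy is disabled"
    if policy["preload"] and policy["include_subdomains"]:
        return "protected; preload-eligible, once listed even a first visit is forced to HTTPS"
    return "protected after first HTTPS visit: policy cached for %d seconds" % policy["max_age"]

def fetch_hsts(host: str) -> Optional[str]:
    """Assumed helper: read the HSTS header of a site you operate with a HEAD request."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", "/")
    value = conn.getresponse().getheader("Strict-Transport-Security")
    conn.close()
    return value

if __name__ == "__main__":
    for name, headers in SAMPLE_HEADERS.items():
        print(f"{name:12s} -> {downgrade_verdict(headers)}")
```

A site without the header, or with max-age=0, is exactly the case the lecture's LinkedIn and Stack Overflow demo relied on; the "protected after first visit" case still has the first-visit gap that the next lecture's partial bypass targets.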


