Bettercap hstshijack not working

I downloaded this script from Learn Ethical Hacking From Scratch by Zaid Al Quraishi. When I run the caplet in bettercap, it is supposed to downgrade HTTPS to HTTP. But, my target Win 10 computer does not degrade the websites. Furthermore, my DNS spoofing attacks also don’t work. I have verified that the ARP Spoof worked using “arp -a” command on my target computer and by simply creating traffic and viewing it on my Kali VM. Apache2 also works.

Please help me.

Also, the target and replacement is also not working.

facebook.com is not becoming facebook.corn

Hi Arinudh,

Please show us the following to better debug the issue:

  • ifconfig in Kali
  • ipconfig in the target machine
  • The caplet file contents “spoof.cap”
  • Kali’s network settings, so just right Kali machine from Virtual box >> Settings >> Network, take a screenshot and post it here.
  • Results of bettercap --version

Are you also using the custom image provided in the resources of lecture 5?

Thank you.

1 Like

image

(This is before ARP spoofing)

The contents of spoof.cap are :-
net.probe on
set arp.spoof.fullduplex true
set arp.spoof.target 192.168.0.217
arp.spoof on
set net.sniff.local true
set net.sniff.output stored_output.cap
net.sniff on
hstshijack/hstshijack
set dns.spoof.all true
set dns.spoof.domains zsecurity.org,.zsecurity.org,stackoverflow.com,.stackoverflow.com

[The wild card stars are not shown in the post for some reason.]

The version I get is :- bettercap v2.26.1 (built for linux amd64 with go1.13.8)

Yes, I am using the Image from the link in the resources of the lecture. But, the website I got when I visited the link was a little different than as shown in the lecture. At that time, I thought the website just updated over time. It has been one year, after all. But maybe that is the cause??

Also, the target is not a VM. It is a real computer. I have tried the attacks against a mobile phone, another computer and the host machine itself. None of them showed any signs of the attack working. The only thing that did work was the ARP spoof. The HTTPS to HTTP and the DNS Spoof didn’t work.

I tried using the spoof.cap caplet and by manually typing the commands

Is the problem in the image or the code or my commands?

You’re using the wrong version of bettercap (V2.26), if you downloaded and imported the custom ova image provided in the resources of lecture 5, then you should have bettercap V2.23 with the custom hstshijack caplet file already pre-installed.

If you still don’t have them, then download bettercap 2.23

You can install it as shown in the following link:

Make sure that you’re using the custom hstshijack caplet file provided in the resources of lecture 41.

In addition, please try the following if you want to test bettercap in general:

  • Try it first within the nat network as shown in the lecture if you can setup the virtual environment.
  • If it works, then go ahead and test against the real machine connected to the same LAN as Kali.

After I did what you suggested :

Normal http websites are sniffed out fine now, like before. I’m able to see the username and passwords.

But, when I go to https websites like stackoverflow.com, I get 206 Partial Content -> MSEDGEWIN10.local

The packages are http packets, which is an improvement.

This is from the Win 10 VM on the same NAT network.


Yes, I see, but you didn’t tell me if you already tried the above suggestions?

I installed 2.23 of bettercap and got the above results

See, bettercap custom hstshijack will fail to downgrade the connection due to one or more of the following reasons:

  1. You missed a tiny step, so please revise the lectures and make sure you do everything as shown.

  2. You manually typed https:// in the URL bar.

  3. You manually configured the DNS server in the target machine to 8.8.8.8 or 1.1.1.1 or anything else.

  4. You have a browser extension that is stopping this such as https-everywhere or no-javascript.

  5. You did not fully remove browsing data.

  6. Try also to execute the commands manually inside bettercap instead of using the spoof.cap, and try it against different browsers and see if you can downgrade the connection.

I tried without manually typing https://, I erased all browsing data, I tried Chrome, Edge and Firefox.

I did not ever manually tamper with the DNS settings. I only recently installed the Win 10 VM anyway.

I have no extensions installed in any of the browsers.

I have already both manually done the commands and done it using the spoof.cap file.

I am currently reviewing the lecture again, but up till now, I did not find any mistake. I shall keep trying.

image
image

Okay, please try again, just reboot both Kali and Windows for the purpose of testing and let us know if you face the same issue. Try it also within the nat network as shown in the course. If it works, then try to proceed with testing against the real machine. Make sure also that you don’t connect Windows VM to a bridged adapter.

I have rebooted it multiple times, but the same result always occurs. The above result is in the nat network. And yes, the windows VM is not connected to the wireless adapter.

If you are unable to debug this issue, could you send some alternatives and links to their documentation and/or tutorials?? It would be really helpful.

Thanks

Here are the docs:
https://www.bettercap.org/legacy/

Actually, I meant the documentation of the alternatives

1 Like

I 've encountered the same issue.
Spoofing worked but the https downgrade failed.

At the moment I got everything to work, except for login and password capture in https-websites.

I set my spoof.cap to:
net.probe on
set arp.spoof.fullduplex true
set arp.spoof.target 192.168.0.217
arp.spoof on
set net.sniff.local true
set net.sniff.output stored_output.cap
net.sniff on

I ran the spoof:
sudo bettercap iface eth0 -caplet /root/spoof.cap

Checked if it worked, using command help.
Then I already checked the connection by generation traffic on the Windows VM.
And after that traffic was captured in kali.
Then I entered the command:
hstshijack/hstshijack

And then suddenly it did work…

at first the hsts-downgrade failed, because f.i. Facebook.corm gave an error message, so I downgraded to Bettercap 2.23 as shown by AJS.
Then I restarted both Linux VM and Windows VM (target).
And after that also hsts-downgraded website loaded.
And I can capture login and password input.

Only problem is I can’t get the key capture to work for downgraded https websites.
I m gonna try putting some websites in the hstshijack file.

I found an error in the hstshijack.cap as well for linkedin, I think.

hstshijack.targets: www.linkedin.com
hstshijack.replacements: linkedin.com

that should be different I thought.

So I changede it to *.linkedin.com for targets
and *.linkedin.corn for replacements and dns spoof domains.

The downgrade only works when used in http://google.com
https://google.com doesn’t do the trick.

And on bing almost no websites are downgraded.
Luckily google.com does get downgraded on bing.

I don’t get key stroke registration on Linkedin though
But I do so on Facebook and most of the times on Twitter.corn.

The system works but is not entirely stable…

update. I do get https downgrade to work.

But the examples Zaid uses in the course are currently HSTS instead of “regular” https.
Linkedin, Twitter are hsts at the moment.