
Thread: Browser automatically chooses HTTPS depending upon past usage

  1. #1 Virchanza (Join Date: Jan 2010, Posts: 863)

    Browser automatically chooses HTTPS depending upon past usage

    For sniffing decrypted SSL traffic, SSLstrip works very well in conjunction with Ettercap.

    This only works however when the user's web browser requests the web page over port 80 (i.e. as normal HTTP), and then SSLstrip deals with encryption keys and changing the destination port to 443.

    What doesn't work, however, is when the user's web browser requests HTTPS (for example if the user were to type in "https://facebook.com").

    The other alternative of doing a MITM attack with a forged certificate would result in the user seeing an "Untrusted Website" dialogue, which may be too noisy depending on the pentester's client's naivety.

    Humour me for a second. Try something.

    Clear your web browser history/cache/etc. Now type "facebook.com" into the address bar. You'll see that it uses normal HTTP over port 80. No surprises there because you didn't explicitly specify port 443 by typing https://facebook.com (and also http://facebook.com doesn't send back a message demanding HTTPS).

    Now close that tab in your browser and this time type in "https://facebook.com" and hit return. Of course this time it uses HTTPS over port 443 as expected. No surprises there.

    Now close that tab. Without deleting any cache/history, open up a new tab and simply type in "facebook.com". All browsers I've tested this on will immediately choose HTTPS over HTTP because that's what's been used in the past.

    So my question is, from the pentester's point of view, is there any way of redirecting the user's web browser calls from HTTPS (port 443) to HTTP (port 80)? The most the user would get would be "You are now leaving an unencrypted connection" which isn't an uncommon message when dealing with sites like online banking, nowhere near as alarming as the Untrusted Connection dialogue you get with doing MITM and forged SSL certs.

    To achieve what I'm trying to achieve, I foresee that it would work something like:
    (1) The user types "https://facebook.com" into their web browser.
    (2) This HTTP request to port 443 gets redirected (possibly by iptables) to some sort of program which will redirect the request to "http://facebook" (i.e. HTTP over port 80). The user might be presented with a not-too-intrusive dialogue saying "You're now leaving an encrypted connection", nothing major.
    (3) The user's web browser then makes a normal HTTP request over port 80 to "facebook.com".
    (4) From here, the usual SSLstrip and Ettercap does its job.

    Has this been achieved? If so, please advise me how to go about it. I presume iptables would be used in conjunction with another program to perform a redirect from HTTPS to HTTP? If someone could write out a line-by-line explanation of how this would be achieved, I'd be greatly appreciative.

    So far, here's what I've got for Steps 3 and 4:

    Code:
    echo 1 > /proc/sys/net/ipv4/ip_forward 
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
    sslstrip -a -k -f &
    [hit the return key]
    ettercap -Tqi wlan0

    I presume the code you'd have to execute for redirecting HTTPS to HTTP would be something like:

    Code:
    iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 666
    ./my_program_that_redirects_https_to_http --port 666

    This would allow a full SSL workaround even when the destination website doesn't allow insecure connections (because SSLstrip deals with that). The most warning the pentesting client would get would be something simple like "You're now leaving an encrypted connection".

    Any input appreciated on how to achieve this. Thanks for reading this far.
    Last edited by Virchanza; 10-21-2012 at 03:11 PM.
    Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".

  2. #2 Virchanza (Join Date: Jan 2010, Posts: 863)

    Re: Browser automatically chooses HTTPS depending upon past usage

    Just thinking there... maybe an Ettercap filter could be used to do a redirect from "https://*" to "http://*" and then Ettercap could listen on port 666? The filter would send back the redirect message to the web browser, and the web browser would then go over port 80 to the website and then SSLstrip would work from there.

    Yes, no, maybe?

  3. #3 Virchanza (Join Date: Jan 2010, Posts: 863)

    Re: Browser automatically chooses HTTPS depending upon past usage

    Quote Originally Posted by Virchanza:
        Just thinking there... maybe an Ettercap filter could be used to do a redirect from "https://*" to "http://*" and then Ettercap could listen on port 666? The filter would send back the redirect message to the web browser, and the web browser would then go over port 80 to the website and then SSLstrip would work from there.

        Yes, no, maybe?

    Or maybe I could just refuse "https://facebook.com" altogether and so the user would figure that the SSL side of things is down and so they have to connect by http temporarily.

    Any thoughts?
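The downgrade the thread is after (a host the browser remembers as HTTPS being pushed back to plain HTTP, either by a redirect or by refusing port 443) leaves the same footprint from the defender's side. Added example, not code from the thread: a small Python detector run over constructed proxy records that flags HTTPS-to-HTTP redirects and hosts seen over HTTPS and later over plain HTTP; the hostnames, record format and status codes are assumptions made up for the example.

```python
"""Flag HTTPS-to-HTTP downgrade signals in constructed proxy/access records.

Added example for the thread above, not code from the forum. Mirrors the
"past usage" idea from the defender's side: remember which hosts were seen
over HTTPS and alert when one of them is later served over plain HTTP, or
when an HTTPS request is answered with a redirect whose Location is http://.
"""
from urllib.parse import urlsplit

# Constructed sample records (hypothetical hosts): (request_url, status, Location header or None)
SAMPLE_RECORDS = [
    ("https://example.test/login", 200, None),
    ("https://example.test/account", 302, "http://example.test/account"),  # downgrade redirect
    ("http://example.test/account", 200, None),  # plaintext after HTTPS was seen
    ("http://shop.test/", 301, "https://shop.test/"),  # upgrade redirect: benign
    ("https://bank.test/", 200, None),
    ("http://bank.test/", 200, None),  # plaintext after HTTPS was seen
]


def is_downgrade_redirect(request_url, status, location):
    """True when an HTTPS request is answered with a 3xx whose Location is plain HTTP."""
    if location is None or not 300 <= status < 400:
        return False
    return urlsplit(request_url).scheme == "https" and urlsplit(location).scheme == "http"


def find_downgrades(records):
    """Return (alert_type, host, detail) tuples in the order the records are processed."""
    alerts = []
    seen_https = set()  # hosts this session has already reached over HTTPS
    for url, status, location in records:
        parts = urlsplit(url)
        host = parts.hostname
        if parts.scheme == "https":
            seen_https.add(host)
        elif host in seen_https:
            # the browser "knew" this host as HTTPS, yet it is now on port 80
            alerts.append(("plaintext-after-https", host, url))
        if is_downgrade_redirect(url, status, location):
            alerts.append(("downgrade-redirect", host, location))
    return alerts


if __name__ == "__main__":
    for alert in find_downgrades(SAMPLE_RECORDS):
        print(*alert)
```

Real records would come from a proxy or web-server access log with the Location header included; hosts that publish HSTS should never legitimately trigger either alert.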
