All language subtitles for 8. Bypassing HTTPS

1  00:00:00,760 --> 00:00:03,240  Okay, so now that we understand the theory
2  00:00:03,240 --> 00:00:08,240  behind bypassing HTTPS and we have the correct caplet
3  00:00:08,360 --> 00:00:10,540  placed in the correct path,
4  00:00:10,540 --> 00:00:14,060  let's go ahead and use this caplet with Bettercap
5  00:00:14,060 --> 00:00:18,330  and see how we can downgrade HTTPS to HTTP
6  00:00:18,330 --> 00:00:21,830  and steal passwords from login pages
7  00:00:21,830 --> 00:00:25,213  that use HTTPS by default.
8  00:00:26,320 --> 00:00:30,830  So I'm gonna go to my terminal and I'm gonna use Bettercap
9  00:00:30,830 --> 00:00:33,740  exactly as I've been using it before.
10  00:00:33,740 --> 00:00:36,500  So we're doing Bettercap, the name of the program.
11  00:00:36,500 --> 00:00:40,350  We're giving it our interface after the iface argument,
12  00:00:40,350 --> 00:00:44,280  we're using the caplet argument to specify a caplet to run
13  00:00:44,280 --> 00:00:46,630  as soon as we run the program
14  00:00:46,630 --> 00:00:48,380  and we're running the spoof caplet,
15  00:00:48,380 --> 00:00:50,970  the one that we built in the previous lecture
16  00:00:50,970 --> 00:00:53,370  that'll run the ARP spoofing command
17  00:00:53,370 --> 00:00:55,940  and run the sniffer for us.
18  00:00:55,940 --> 00:00:59,300  So I'm gonna hit enter and as you can see,
19  00:00:59,300 --> 00:01:02,310  everything got executed as expected.
20  00:01:02,310 --> 00:01:06,170  If we do help, we'll see all the running modules
21  00:01:06,170 --> 00:01:09,760  and we have the ARP spoof and the sniffer running
22  00:01:09,760 --> 00:01:12,360  with the recon and with the probe.
23  00:01:12,360 --> 00:01:15,333  So this is exactly what we wanted from our caplet.
24  00:01:16,410 --> 00:01:17,960  The next thing that we wanna do
25  00:01:17,960 --> 00:01:20,960  is run the HSTS bypass caplet,
26  00:01:20,960 --> 00:01:22,880  the one that we just downloaded
27  00:01:22,880 --> 00:01:26,690  and placed in our Bettercap directory.
28  00:01:26,690 --> 00:01:30,260  So first of all, the HSTS bypass caplet
29  00:01:30,260 --> 00:01:34,470  is one of many caplets that Bettercap comes with.
30  00:01:34,470 --> 00:01:36,950  If you want to list all of these caplets,
31  00:01:36,950 --> 00:01:41,950  you can do caplets.show and as you can see,
32  00:01:42,710 --> 00:01:46,490  you'll get a list of all of the caplets that you have
33  00:01:46,490 --> 00:01:49,133  and their location on the system.
34  00:01:49,990 --> 00:01:52,340  Now, the caplet that we want to run
35  00:01:52,340 --> 00:01:55,040  is the HSTS hijack caplet.
36  00:01:55,040 --> 00:01:56,560  This one right here.
37  00:01:56,560 --> 00:01:58,270  And you can see it's stored in here.
38  00:01:58,270 --> 00:02:00,950  This is the location where we actually replaced it
39  00:02:00,950 --> 00:02:03,430  with the one that we downloaded.
40  00:02:03,430 --> 00:02:06,170  And to run any of these caplets, all you have to do
41  00:02:06,170 --> 00:02:09,080  is literally just type its name.
42  00:02:09,080 --> 00:02:12,280  And as usual, you can use the tab to auto-complete.
43  00:02:12,280 --> 00:02:15,810  So to run our caplet right here, all I have to do
44  00:02:15,810 --> 00:02:19,560  is literally type HS and press tab.
45  00:02:19,560 --> 00:02:23,530  And as you can see, it'll automatically auto-complete for me
46  00:02:23,530 --> 00:02:26,040  and type the caplet name.
47  00:02:26,040 --> 00:02:28,710  Now if I hit enter, this will load the caplet
48  00:02:28,710 --> 00:02:32,630  with all of its options and it'll run it for me.
49  00:02:32,630 --> 00:02:35,380  So as you can see, because we don't see any errors,
50  00:02:35,380 --> 00:02:39,130  this means everything got executed as expected.
51  00:02:39,130 --> 00:02:43,500  So let's go to the Windows machine, browse some HTTPS pages
52  00:02:43,500 --> 00:02:48,390  and see if we can sniff data, usernames, passwords, and URLs
53  00:02:48,390 --> 00:02:50,643  that they enter on their computer.
54  00:02:51,870 --> 00:02:54,270  So I have my Windows machine here.
55  00:02:54,270 --> 00:02:56,010  I have Chrome installed.
56  00:02:56,010 --> 00:02:58,170  This is the latest version of Chrome
57  00:02:58,170 --> 00:03:00,420  at the time of recording this lecture,
58  00:03:00,420 --> 00:03:03,620  which is in April 2019.
59  00:03:03,620 --> 00:03:06,860  Now, a really good idea before trying all of these things
60  00:03:06,860 --> 00:03:09,000  is to remove your browsing data
61  00:03:09,000 --> 00:03:12,130  because the websites that we're gonna try to access
62  00:03:12,130 --> 00:03:13,320  might be cached
63  00:03:13,320 --> 00:03:16,130  and they might be just loaded from your cache.
64  00:03:16,130 --> 00:03:18,930  This will only happen if you're visiting the same website
65  00:03:18,930 --> 00:03:21,750  over and over again, mostly when testing.
66  00:03:21,750 --> 00:03:25,910  Therefore, it's a really good idea to Ctrl+Shift+Delete
67  00:03:25,910 --> 00:03:29,510  and click on clear browsing data.
68  00:03:29,510 --> 00:03:31,260  Make sure all of this is clicked,
69  00:03:31,260 --> 00:03:34,890  make sure it's set to all time and click on clear
70  00:03:34,890 --> 00:03:36,690  to remove all of it.
71  00:03:36,690 --> 00:03:40,623  And let's go ahead and go to a website that uses HTTPS.
72  00:03:41,610 --> 00:03:45,233  So a good example would be linkedin.com.
73  00:03:48,120 --> 00:03:50,980  And perfect, if you look here at the top,
74  00:03:50,980 --> 00:03:55,673  you'll see the website is loading over HTTP, not over HTTPS.
75  00:03:56,580 --> 00:04:00,690  Therefore, we'll be able to see anything the user enters
76  00:04:00,690 --> 00:04:01,863  in these boxes.
77  00:04:02,850 --> 00:04:04,320  So let's put a username.
78  00:04:04,320 --> 00:04:07,167  Let's set it to zaid@zsecurity.org
79  00:04:10,460 --> 00:04:15,190  and I'll put our password as 1234567890.
80  00:04:15,190 --> 00:04:17,900  It doesn't really matter, you can use any password.
81  00:04:17,900 --> 00:04:20,423  And I'm gonna hit enter to log in.
82  00:04:21,810 --> 00:04:25,000  This is wrong, so obviously we're getting an error message,
83  00:04:25,000 --> 00:04:27,900  but if we go back to Kali, as you can see
84  00:04:27,900 --> 00:04:29,720  we're capturing all of this data
85  00:04:29,720 --> 00:04:33,460  because it's not being sent over HTTPS anymore.
86  00:04:33,460 --> 00:04:35,703  It's being sent over HTTP.
87  00:04:37,130 --> 00:04:38,780  And if you look in here,
88  00:04:38,780 --> 00:04:41,940  you can see we captured login information.
89  00:04:41,940 --> 00:04:44,960  It's sent to linkedin.com,
90  00:04:44,960 --> 00:04:49,200  sent to this specific URL, a login URL,
91  00:04:49,200 --> 00:04:53,730  and you can see the username is zaid@zsecurity.org
92  00:04:53,730 --> 00:04:55,730  and the password is one, two, three
93  00:04:55,730 --> 00:04:58,163  all the way up to nine zero.
94  00:04:59,150 --> 00:05:01,040  So that's really, really good.
95  00:05:01,040 --> 00:05:04,320  Let's go ahead and test another HTTPS website.
96  00:05:04,320 --> 00:05:07,353  Let's go to stackoverflow.com.
97  00:05:09,570 --> 00:05:13,793  Again, you can see on top it's loading over HTTP, not HTTPS.
98  00:05:15,030 --> 00:05:16,973  So I'm gonna click on log in.
99  00:05:18,060 --> 00:05:22,150  And again I'm gonna put my email zaid@zsecurity.org
100  00:05:22,150 --> 00:05:24,950  and we'll put our password as 1234567890, hit enter.
101  00:05:29,500 --> 00:05:32,850  And let's go to the Kali machine again,
102  00:05:32,850 --> 00:05:35,483  scroll down this time 'cause we're stuck on top.
103  00:05:36,550 --> 00:05:40,270  And perfect, you can see we have a POST request in here.
104  00:05:40,270 --> 00:05:42,210  It's sent to this specific URL.
105  00:05:42,210 --> 00:05:44,590  Again, you can see login in the URL.
106  00:05:44,590 --> 00:05:48,500  You can see the website itself, stackoverflow.com,
107  00:05:48,500 --> 00:05:51,620  and if we scroll down a little bit more
108  00:05:51,620 --> 00:05:56,620  we can see that the username is zaid@zsecurity.org
109  00:05:57,830 --> 00:05:59,220  and the password, again,
110  00:05:59,220 --> 00:06:02,033  one, two, three all the way up to nine zero.
111  00:06:03,290 --> 00:06:05,450  So that is really, really good.
112  00:06:05,450 --> 00:06:10,450  Now we can downgrade any HTTPS connection to HTTP
113  00:06:11,460 --> 00:06:16,460  as long as the target website uses HTTPS, not HSTS.
114  00:06:18,500 --> 00:06:22,140  So this method will work against pretty much all websites
115  00:06:22,140 --> 00:06:27,010  that use HTTPS except for the really popular websites
116  00:06:27,010 --> 00:06:30,740  such as Facebook, Twitter, and so on.
117  00:06:30,740 --> 00:06:32,800  So let me show you a quick example.
118  00:06:32,800 --> 00:06:36,800  If I go here and try to go to facebook.com
119  00:06:38,850 --> 00:06:42,343  you'll see that the website got loaded over HTTPS,
120  00:06:43,660 --> 00:06:45,900  not over HTTP,
121  00:06:45,900 --> 00:06:50,300  even though we configured our caplet correctly,
122  00:06:50,300 --> 00:06:54,670  and even though we're able to downgrade HTTPS connections
123  00:06:54,670 --> 00:06:59,363  on a lot of websites such as LinkedIn and Stack Overflow.
124  00:07:00,460 --> 00:07:04,750  This is happening because Facebook is using HSTS,
125  00:07:04,750 --> 00:07:07,703  which is a little bit trickier to bypass.
126  00:07:08,600 --> 00:07:12,780  In the next lecture we'll talk more about what HSTS is,
127  00:07:12,780 --> 00:07:17,410  why it's tricky to bypass and how to partially bypass it
128  00:07:17,410 --> 00:07:20,000  and still get usernames and passwords
129  00:07:20,000 --> 00:07:22,170  from the websites that implement it
130  00:07:22,170 --> 00:07:25,213  such as Facebook, Twitter, and so on.
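The lecture's point, from the defending side: the HTTP downgrade only succeeds against sites whose HTTPS responses carry no Strict-Transport-Security header, which is why it failed against Facebook. This added Python example (not part of the lecture or of Bettercap) parses that header out of a response's header dict and reports how much downgrade resistance a browser gets from it; the two sample header dicts are constructed, not captured from any real site.

```python
import re

# Constructed sample responses. The first mirrors what the lecture shows for
# sites that were downgraded (no HSTS header); the second mirrors a site the
# downgrade failed against.
DOWNGRADEABLE = {"Content-Type": "text/html"}
PROTECTED = {"content-type": "text/html",
             "strict-transport-security":
                 "max-age=63072000; includeSubDomains; preload"}

ONE_YEAR = 31536000  # the minimum max-age browsers require for preloading


def parse_hsts(value):
    """Split a Strict-Transport-Security value into its directives."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', val.strip())  # value may be quoted
            if m:
                out["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def assess(headers):
    """Classify an HTTPS response's resistance to an HTTPS->HTTP downgrade.

    Returns (verdict, directives). Verdicts: 'none' (a plain-HTTP request
    is followed without complaint), 'weak-max-age' (policy expires early),
    'after-first-visit' (protected once the header has been seen), 'full'
    (eligible for the browser preload list, so even the first visit is
    covered once the domain is actually on that list).
    """
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        return "none", None
    d = parse_hsts(hsts)
    if not d["max_age"]:            # missing or max-age=0 clears any pinned policy
        return "none", d
    if d["max_age"] < ONE_YEAR:
        return "weak-max-age", d
    if d["preload"] and d["include_subdomains"]:
        return "full", d
    return "after-first-visit", d
```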
