Quantify Cyber Risk Now

header ads

Performing Man in the Middle Attack on HTTPS Powered Environments | Lucideus Research

Hypertext Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted. HTTPS is often used to protect highly confidential online transactions like online banking and online shopping order forms.
  • HTTPS is a combination of HTTP and SSL/TLS protocols.
  • HTTPS uses PKI (Public Key Infrastructure) to authenticate the Web server.
  • HTTPS uses one-time encryption key to encrypt data send to and receive from the server.
What does HTTPS do?
When properly configured, an HTTPS connection guarantees three things:
  • Confidentiality. The visitor’s connection is encrypted, obscuring URLs, cookies, and other sensitive metadata.
  • Authenticity. The visitor is talking to the “real” website, and not to an impersonator or through a “man-in-the-middle”.
  • Integrity. The data sent between the visitor and the website has not been tampered with or modified.
A plain HTTP connection can be easily monitored, modified, and impersonated.

How Does HTTPS Work?
HTTPS pages typically use one of two secure protocols to encrypt communications - SSL (Secure Sockets Layer) or TLS (Transport Layer Security). Both the TLS and SSL protocols use what is known as an 'asymmetric' Public Key Infrastructure (PKI) system. An asymmetric system uses two 'keys' to encrypt communications, a 'public' key and a 'private' key. Anything encrypted with the public key can only be decrypted by the private key and vice-versa.

What is a HTTPS certificate?
When you request a HTTPS connection to a webpage, the website will initially send its SSL certificate to your browser. This certificate contains the public key needed to begin the secure session. Based on this initial exchange, your browser and the website then initiate the 'SSL handshake'. The SSL handshake involves the generation of shared secrets to establish a uniquely secure connection between yourself and the website. When a trusted SSL Digital Certificate is used during a HTTPS connection, users will see a padlock icon in the browser address bar. When an Extended Validation Certificate is installed on a web site, the address bar will turn green

What is SSL?
SSL (Secure Sockets Layer) is a standard security protocol for establishing encrypted links between a web server and a browser in an online communication. The usage of SSL technology ensures that all data transmitted between the web server and browser remains encrypted.

What is SSL/TLS Certificate?
SSL or TLS (Transport Layer Security) certificates are data files that bind a cryptographic key to the details of an organization. When SSL/TLS certificate is installed on a web server, it enables a secure connection between the web server and the browser that connects to it. The website's URL is prefixed with "https" instead of "http" and a padlock is shown on the address bar. If the website uses an extended validation (EV) certificate, then the browser may also show a green address bar.

Why Is an SSL Certificate Required?
All communications sent over regular HTTP connections are in 'plain text' and can be read by any hacker that manages to break into the connection between your browser and the website. This presents a clear danger if the 'communication' is on an order form and includes your credit card details or social security number. With a HTTPS connection, all communications are securely encrypted. This means that even if somebody managed to break into the connection, they would not be able decrypt any of the data, which passes between you and the website.

What is MITM (Man-In-The-Middle) attack?
The man-in-the middle attack intercepts a communication between two systems. For example, in an http transaction the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into two new connections, one between the client and the attacker and the other between the attacker and the server, as shown in figure 1.
Once the TCP connection is intercepted, the attacker acts as a proxy, being able to read, insert and modify the data in the intercepted communication. The MITM attack is very effective because of the nature of the http protocol and data transfer which are all ASCII based. In this way, it is possible to view and interview within the http protocol and in the data transferred.
The MITM attack could also be done over an https connection by using the same technique; the only difference consists in the establishment of two independent SSL sessions, one over each TCP connection. The browser sets a SSL connection with the attacker, and the attacker establishes another SSL connection with the web server.

MITM Attack Tools
There are several tools to realize a MITM attack. These tools are particularly efficient in LAN network environments, because they implement extra functionalities, like the arp-spoof capabilities that permit the interception of communication between hosts.
1.       PacketCreator
2.       Ettercap / Bettercap
3.       Dsniff
4.       Cain n Abel

We are  using Bettercap for MITM attack on HTTP.
Bettercap is a powerful, flexible and portable tool created to perform various types of MITM attacks against a network, manipulate HTTP, HTTPS and TCP traffic in real-time, sniff for credentials and much more.

Installation Process
Bettercap comes packaged as a Ruby gem, meaning you will need a Ruby interpreter (>= 1.9) and a Ruby Gems environment installed.

All dependencies will be automatically installed through the Ruby Gems system
·         On Linux: $ Sudo apt-get install build-essential ruby-dev libpcap-dev net-tools
·         On OSX: $ brew install libpcap

From Source: $ git clone https://github.com/evilsocket/bettercap
·         $ cd bettercap
·         $ gem build bettercap.gemspec
·         $ sudo gem install bettercap*.gem

·         $ apt-get update
·         $ apt-get dist-upgrade
·         $ apt-get install bettercap

Bettercap already includes an ARP spoofer (working both in full duplex and half-duplex mode, which is the default), a DNS spoofer and the first, working and completely automatized ICMP Double Direct spoofer.

Sniffing is different from spoofing. The basic Difference is that sniffing is passive and spoofing is active. Sniffing is what gives you the protocol dissection in order to see credentials and such. It is obviously most powerful when combined with spoofing

Bettercap is shipped with a HTTP/HTTPS and raw TCP transparent proxies that you can use to manipulate HTTP/HTTPS or low level TCP traffic at runtime, for instance, you could use the HTTP/HTTPS proxy to inject java scripts into the targets visited pages.

Capturing Credentials with Bettercap
Using bettercap, we can analyze the traffic of entire network and find suspicious activity in the network.
1.    Run the command bettercap on the terminal
2.    Wait for bettercap to acquire targets.
3.    When bettercap discovers the target you are looking for, note down its IP address. Let us call it TARGET_IP.
4.    Run this command : $ bettercap -T TARGET_IP --proxy -P POST (replace TARGET_IP with the appropriate IP)
·         -T : specify MITM targets (IP or MAC)
·         --Proxy : specify the Proxy

5. On the other side I open a victim machine and login to HTTPS websites www.paytm.com , www.snapdeal.com on Mozilla Firefox Quantum (57.0.3 V)

6.    Its starts the url manipulation ( DNS Spoofing) on and canceling the SSL certification, its redirect the HTTPS to HTTP

7.    On the attacker machine, Bettercap is also capturing request header and request body show in figure.

Here showing the DNS spoofing logs in request header http://wwww.snapdeal.com


8.   Finally, when the victim enters something on any login page, you can see his/her username and password.

Conclusion : Its better to have strong HTTP Strict Transport Security (HSTS) implementing , this will help to downgrade the protocol from https to http  . Mozilla and Chrome are pretty much quipped with this security mechanism but still as you can see in above POC we are able to intercept the credentials in plain text . On the other side Edge and IE all versions also unable to give any hope in terms of securing the transmission content.

Post a comment


  1. Its awesome!! Hope to see more awesome blogs :-)

  2. now a days malware is also started to using https so how can we detect malware in https (in encrypted form)??