SSLStrip still HTTPS

Question

I did all the configuration right. IPtables, port forwarding, ARPspoof, everything.
However, in the browser websites like Facebook and Twitter are still HTTPS.
What am I doing wrong?

score 4 · Answer 1 · edited Jun 16 '20 at 09:49

4

Pick a softer target.

Update 1

So: Pick a target that doesn't use HSTS and/or pick a browser that doesn't care about HSTS.

edited Jun 16 '20 at 09:49

Community

1

answered Oct 31 '15 at 12:58

StackzOfZtuff

18,093
1
52
86

I don't want to hack someone. i want to learn. how can i bypass this HSTS? – Antonio Oct 31 '15 at 13:22
1

@Antonio: HSTS is intended as protection against sslstrip etc, so no bypass of HSTS with sslstip, especially not HSTS preload. – Steffen Ullrich Oct 31 '15 at 13:25
@SteffenUllrichs Oh .. alright. so all the websites here https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json#1401 will not be http ever ?
And there is a way to bypass HSTS? not with SSLSTRIP.
– Antonio Oct 31 '15 at 13:27
@SteffenUllrich what about mitmf? – Antonio Oct 31 '15 at 13:42
@Antonio: MITM works only if the CA is already trusted by the browser. If HSTS is used the certificate warnings does not allow override by the user. – Steffen Ullrich Oct 31 '15 at 13:53
@Antonio: Answer updated. – StackzOfZtuff Oct 31 '15 at 14:09
@StackzOfZtuff I even tried internet explorer. doesn't work on facebook/Twitter . – Antonio Oct 31 '15 at 14:17
IE11 and IE-Edge both use the Preload lists. – StackzOfZtuff Oct 31 '15 at 14:22
@SteffenUllrich Worked for me just a couple of weeks ago, maybe I used was using a different tool or something. – voices Nov 01 '15 at 00:57

score 0 · Answer 2 · answered Nov 01 '15 at 00:51

0

I'm pretty sure it's worked for me in the past. If I recall correctly; you may need to de-authenticate your victim and wait for them to re-connect. On account of EAP/EAPOL, I do believe.

answered Nov 01 '15 at 00:51

voices

1,779
8
23
36

SSLStrip still HTTPS

2 Answers2

Update 1