BYPASSING FACEBOOK/HSTS

Updated: Apr 22



Bettercap is a powerful, easily extensible and portable framework written in Go which aims to offer to security researchers, red teamers and reverse engineers an easy to use, all-in-one solution with all the features they might possibly need for performing reconnaissance and attacking WiFi networks, Bluetooth Low Energy devices, wireless HID devices and Ethernet networks.




In this article we will learn how to bypass HSTS on Facebook. To do that we have to downgrade HTTPS websites to HTTP, which will allow us to see basically anything a user does on these websites, because data in HTTP is sent in plain text.

Therefore we will be able to see the usernames, the passwords, the URLs and anything else they do on HTTPS websites. But the downgrade will not work against Facebook, Twitter and other websites that use HSTS. The reason it won't work against these websites is that modern web browsers come with a list of websites that should only ever be loaded over HTTPS. Normally, whenever a browser requests a website, we load that website (even if it uses HTTPS) but always hand the browser back the HTTP version. With HSTS, the browser knows that a website such as facebook.com must always be loaded over HTTPS, so even before sending the request to us it will send it over HTTPS,

and it will only accept the response if it comes back over HTTPS. So there is nothing we can really do once we become the man in the middle, because the browser is doing this check locally, against a list that is stored on the computer itself. Therefore the only practical way to bypass HSTS at the moment is to make the browser think it is loading a different website. To do this we are going to replace all HSTS links in the loaded pages with similar-looking links that are not the same links.

For example, we can replace facebook.com with facebook.corn.

Now I know this seems very suspicious, but trust me, when it goes into the URL bar

the "rn" in the middle looks very similar to the letter "m".

Another way of doing this is to replace twitter.com with twiter.com, with a single T instead of a double T. I know this sounds a little bit confusing right now,

but let me go and do it practically and we will see how this is going to work.



So right here I am working on my Kali machine, and we are actually going to use the caplet shown below. Basically we open leafpad, write these commands, enter the MAC addresses of the targets (yes, you can select more than one target) and, when done, give the caplet a name; here I have named it spoof.

Now we have to run bettercap:

# bettercap -iface X -caplet Y

  • X is your network interface; you can find it with #ifconfig

  • Y is the name of the caplet created above


Hit enter and you will start getting information from your target. At this point you are ready to intercept the non-secure (HTTP) websites, but for bypassing HSTS we definitely have to do more work.


Now the last step is to run one more caplet, named # hstshijack/hstshijack,

but first we have to open that caplet in a text editor and modify it according to our needs.

For example, I have twitter.com in here and I also have *.twitter.com. When you use a star it is a wildcard, meaning any subdomain of .twitter.com is a target as well. Under the replacements you tell the program what to replace each target with.

For example, whenever we see twitter.com we are going to replace it with twitter.corn.

The same goes for Facebook, Apple and a few other domains that I set.

When done with the modifications, save the file and run # hstshijack/hstshijack in the terminal.





Now the terminal is ready to listen for connections from your targets; it will simply redirect the users to the non-secure link, as shown below:

As you can see we get a normal Facebook page, but if you look at the top you will see there is no HTTPS, and if you look at the domain name you will see it says .corn, not .com.

When the target searches for Facebook, instead of getting results from facebook.com he will end up on facebook.corn, and once he starts filling in his information on that page you can see it from your terminal.

The only way for this to work is if the user gets to Facebook through another website that does not use HSTS. If they go to the URL bar and type facebook.com themselves,

we will not be able to do this. That's why this is considered a partial solution and not a full solution.
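Added example (not part of the original post): a Python check a defender could run over proxy or DNS logs to flag look-alike hostnames such as facebook.corn and twiter.com, the two substitutions described above, especially when they are requested over plain HTTP. The protected-domain list, the confusable table and the log lines are constructed assumptions, and the registrable-domain logic is a crude "last two labels" rule rather than a public-suffix lookup.

```python
# Domains the browser would pin to HTTPS via HSTS (the ones the post names).
PROTECTED = ["facebook.com", "twitter.com", "apple.com"]

# Character sequences that render almost identically in a URL bar;
# "rn" -> "m" is the facebook.corn trick from the post.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}

# Constructed sample proxy log, one "<client> <host> <scheme>" per line.
SAMPLE_LOG = """\
10.0.0.5 www.facebook.com https
10.0.0.5 facebook.corn http
10.0.0.7 twiter.com http
10.0.0.7 news.example.org http
10.0.0.9 apple.com https
"""

def normalize(host):
    """Lower-case, strip a trailing dot and fold confusable sequences."""
    h = host.lower().rstrip(".")
    for seq, rep in CONFUSABLES.items():
        h = h.replace(seq, rep)
    return h

def registrable(host):
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    return ".".join(host.split(".")[-2:])

def levenshtein(a, b):
    """Edit distance, used to catch dropped/extra letters like twiter.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host, protected=PROTECTED, max_distance=1):
    """Return (protected_domain, reason) if host imitates a protected one, else None."""
    base = registrable(host)
    if base in protected:
        return None                      # the real site or one of its subdomains
    for p in protected:
        if normalize(base) == normalize(p):
            return (p, "confusable")     # e.g. facebook.corn
        if levenshtein(normalize(base), normalize(p)) <= max_distance:
            return (p, "typo")           # e.g. twiter.com
    return None

def scan_log(text):
    """Return (client, host, scheme, protected, reason) for each suspicious host."""
    hits = []
    for line in text.splitlines():
        client, host, scheme = line.split()
        verdict = classify(host)
        if verdict:
            hits.append((client, host, scheme, *verdict))
    return hits
```

A hit with scheme `http` is the strongest signal, since the real HSTS domains are never fetched over plain HTTP by a browser that has them pinned.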




