The built-in sslstripping feature (http.proxy.sslstrip) in bettercap is not working against HTTPS websites. In this issue I will be using cygwin.com and winzip.com as an example; as we can see, they are not HSTS preloaded (HSTS Preload List Submission).
I am using bettercap v2.32.0 (built for linux amd64 with go1.21.0).
My OS is:
Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: 2024.1
Codename: kali-rolling
x86_64
I am using --caplet script.cap as a command line argument.
script.cap contains:
net.probe on
set http.proxy.sslstrip true
http.proxy on
set arp.spoof.fullduplex true
set arp.spoof.targets 192.168.0.100
set net.sniff.local true
arp.spoof on
net.sniff on
Full Debug output: ┌──(root㉿kali)-[~]└─# bettercap --caplet script.cap --debug - Pastebin.com
Steps to Reproduce
- Run the script.cap provided above; make sure to change the IP address accordingly
- Go into an HTTPS website on the victim machine
Expected behavior:
- Successfully ARP spoof the victim
- Successfully sniff data from http websites
- Successfully downgrade HTTPS into HTTP
- When downgraded, successfully sniff data from HTTPS websites
Actual behavior:
- Successfully ARP spoofed the victim
- Successfully sniffed data from http websites
- Couldn’t downgrade HTTPS into HTTP (loads as HTTPS)
- Since I could not downgrade HTTPS I was not able to sniff any data from HTTPS websites
–
Now, as a final note, I want to add my own interpretation of this: generally, when bettercap detects HTTPS websites while running SSLstrip, it logs something like "spoofing the domain" or "HTTPS detected, downgrading", etc., but in this instance it does not, so maybe this is a bug where it is not correctly detecting HTTPS pages and therefore not even trying to downgrade them?
BTW, of course I cleared all the web browser cache, I tried both Chrome and Edge, and I also disabled secure DNS on both.
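
For the site-operator side of the condition the post relies on (a domain that is not HSTS preloaded), the following added example, which is not part of the original post or of bettercap, parses a Strict-Transport-Security header value and classifies the downgrade protection it gives a browser. The function names and sample header values are constructed for illustration; the thresholds are the preload list's published submission requirements.

```python
import re

PRELOAD_MIN_AGE = 31536000  # one year: minimum max-age the preload list accepts

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797); None if invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:                    # empty directives are permitted
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()     # directive names are case-insensitive
        if name in directives:          # a repeated directive voids the header
            return None
        directives[name] = arg.strip().strip('"')
    age = directives.get("max-age", "")
    if not re.fullmatch(r"\d+", age):   # max-age is required, digits only
        return None
    return {
        "max_age": int(age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }

def assess(value):
    """Classify the protection a header value gives against HTTPS downgrade."""
    policy = parse_hsts(value) if value else None
    if policy is None or policy["max_age"] == 0:
        return "none"               # plain-HTTP requests stay open to downgrade
    if (policy["preload"] and policy["include_subdomains"]
            and policy["max_age"] >= PRELOAD_MIN_AGE):
        return "preload-eligible"   # meets the header rules for submission
    return "after-first-visit"      # enforced only once seen over HTTPS

# Constructed sample values, not captured from the sites named in the post.
SAMPLES = [
    None,
    "max-age=0",
    "max-age=31536000",
    "max-age=63072000; includeSubDomains; preload",
    "max-age=300; max-age=600",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{header!r:50} -> {assess(header)}")
```

A "preload-eligible" result only means the header satisfies the submission rules; the domain is protected on a browser's first visit only after it has actually been added to the preload list.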