http - HSTS bypass with sslstrip+ & dns2proxy


I am trying to understand how to bypass HSTS protection. I've read about the tools from leonardonve (https://github.com/leonardonve/sslstrip2, https://github.com/leonardonve/dns2proxy), but I quite don't get it.

  • If the client is requesting the server for the first time, it works anytime, because sslstrip strips the Strict-Transport-Security: header field. We're in the old case of the original sslstrip.

  • If not ... ? What happens? The client knows it should interact with the server using HTTPS, so it will automatically try to connect to the server over HTTPS, no? In that case, the MITM is useless ... ><

Looking at the code, it kinda looks like sslstrip2 changes the domain name of the resources needed by the client, so the client does not have to use HSTS since these resources are not on the same domain (is that true?). The client sends a DNS request, the dns2proxy tool intercepts it and sends back the IP address of the real domain name. At the end, the client gets over HTTP resources that should have been fetched in an HTTPS manner.

Example: in the server response, the client has to download from mail.google.com. The attacker changes it to gmail.google.com, which is not the same (sub)domain. The client makes a DNS request for this domain, and dns2proxy answers with the real IP of mail.google.com. The client then asks for the resource over HTTP.

What I don't get is the part before that... how can the attacker html-strip while the connection should be HTTPS between the client and the server ... ?

A piece is missing ... :s

Thank you

OK, after watching the video, I have a better understanding of the scope of action possible with the dns2proxy tool. As I understood it:

  • Most users get to an HTTPS page either by clicking a link, or by a redirection. If the user directly fetches the HTTPS version, the attack fails because we are unable to decrypt the traffic without the server certificate.
  • In case of a redirection or a link, with sslstrip+ and dns2proxy enabled and being in the middle of the connection .. MITM! ==>
    • The user goes on google.com.
    • The attacker intercepts the traffic from the server to the client and changes the sign-in link "https://account.google.com" to "http://compte.google.com".
    • The user's browser makes a DNS request for "compte.google.com".
    • The attacker intercepts the request, makes a real DNS request for the real name "account.google.com", and sends the response "fake domain name + real IP" to the user.
    • When the browser receives the DNS answer, it checks whether the domain should be accessed over HTTPS, by checking the preloaded HSTS list of domains, or by seeing if the domain was visited in the cache or session, dunno. Since the domain is not the real one, the browser makes an HTTP connection to the real IP address. ==> HTTP traffic at the end ;)

So the real limitation is that we still need indirect HTTPS links for this to work. Sometimes the browser directly "re-types" the entered URL as an HTTPS link.

Cheers!
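The whole trick above rests on one condition: the browser has no HSTS policy for the attacker-chosen name, so nothing forces the upgrade. As an added example (not code from the post or from the sslstrip2/dns2proxy projects), the following evaluates a Strict-Transport-Security header the way a browser does per RFC 6797 and shows that a policy learned from `google.com` only protects `compte.google.com` (a constructed name) when it carries `includeSubDomains`; the hostnames and header values are assumptions made up for the check.

```python
"""HSTS policy check: does a policy learned from one host cover another host?"""


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Returns max_age (None if absent), include_subdomains and preload flags.
    Directive names are case-insensitive; unknown directives are ignored.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            # Only meaningful for preload-list submission; browsers do not
            # evaluate it at runtime, but it closes the first-visit gap
            # the question asks about once the domain is on the list.
            policy["preload"] = True
    return policy


def hsts_covers(policy_host: str, header: str, target_host: str) -> bool:
    """True if a browser that learned `header` over HTTPS from `policy_host`
    must upgrade a request for `target_host` to HTTPS."""
    policy = parse_hsts(header)
    if not policy["max_age"]:
        return False  # no policy, or max-age=0 (policy revoked)
    policy_host = policy_host.lower().rstrip(".")
    target_host = target_host.lower().rstrip(".")
    if target_host == policy_host:
        return True
    # Label-aligned suffix match: "evilgoogle.com" is not a subdomain of
    # "google.com", but "compte.google.com" is.
    is_subdomain = target_host.endswith("." + policy_host)
    return is_subdomain and policy["include_subdomains"]


if __name__ == "__main__":
    # Constructed scenario from the post: the rewritten sign-in link points at
    # "compte.google.com"; the browser only knows a policy for "google.com".
    weak = "max-age=31536000"
    strong = "max-age=31536000; includeSubDomains; preload"
    print("weak policy covers fake subdomain:", hsts_covers("google.com", weak, "compte.google.com"))
    print("strong policy covers fake subdomain:", hsts_covers("google.com", strong, "compte.google.com"))
```

With `includeSubDomains` set (and ideally the domain preloaded), the rewritten `http://compte.google.com` link is upgraded before any request leaves the browser, which is why the attack in the answer depends on sites that omit it.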

