Sniffing on HTTPS

I want to do a MITM attack.
I want to sniff data which is sent over HTTPS with a Python script.

@GHOSTontheWire said:

I want to do a MITM attack.
I want to sniff data which is sent over HTTPS with a Python script.

Good luck.

If the data is encrypted between the endpoint and the remote server, you need to either crack the encryption or spoof the certificate and hope the endpoint doesn’t get an invalid cert notification.

Cracking encryption is a next-level thing, so how can I spoof the certificate?

@GHOSTontheWire said:

Cracking encryption is a next-level thing, so how can I spoof the certificate?

You need to install a TLS certificate on your interception platform and get clients to authenticate to it.

There are MiTM tools which will do this for you, and tools like Sslstrip might help. It might be worth looking into Ettercap/Bettercap, but it’s a while since I’ve touched either.

Just to reiterate though, TLS MiTM is super noisy (the clients will get a warning that the certificate is invalid) and it won’t work for sites where key pinning is being used. One of the primary reasons why TLS is used is to prevent MiTM…

@TazWake
Then how do I crack the encryption?

@GHOSTontheWire said:

@TazWake
Then how do I crack the encryption?

If you aren’t NSA, you are fighting a losing battle here. What is your objective?

If you aren’t NSA, you are fighting a losing battle here.

That was my first thought as well… but then I thought: who knows, if he doesn’t realize how hard it is, maybe he can pull it off. People did things based on the fact they didn’t know it was impossible.

I don’t have a lot of experience; all I know is that ‘removing the “s” from https’ ain’t what it used to be.
For just about any major site out there, any reasonable modern browser will literally tell your subject that he’s on a site that should be https but is now http, and refuse the connection, basically rendering your MITM useless.

There have been a few borderline cases where some guy managed to get an actual valid signed ‘google’ certificate. So whatever browser connected to that fake (but actually verified) certificate got the message ‘this is real’.
But that involved knowing someone in the company that hands out those certificates and having him do all the paperwork. There’s only a handful of companies over the world doing that.
So he could basically pretend to be Google and, for the time he wasn’t caught, listen to whatever traffic was trying to reach Google.

My bet is he didn’t get that certificate by baking a cake for the CEO’s wife of that certificate company… That smells like money and connections you just don’t want to be involved in.

Thanks to @TazWake @gnothiseauton
So what I am trying to do is a completely stupid thing.

@GHOSTontheWire said:

Thanks to @TazWake @gnothiseauton
So what I am trying to do is a completely stupid thing.

Potentially.

It might help to reframe your objective and see if there is a better solution.

@GHOSTontheWire said:

Thanks to @TazWake @gnothiseauton
So what I am trying to do is a completely stupid thing.

Don’t say that, man. Stupidity and genius are not far apart: if you consider trying stuff that other people think is hard or impossible, it’s always hard to say whether it’s genius at work or stupidity.

Anyway: if people say it’s impossible, always follow your own hunch. The best work in this world is just that: one man doing what everyone else thought was impossible.

You’ll see it’s not the easiest task out there to sniff on https, but I wouldn’t dare say it can’t be done. It’s just not straightforward or easy.

@gnothiseauton said:

@GHOSTontheWire said:

Thanks to @TazWake @gnothiseauton
So what I am trying to do is a completely stupid thing.

Don’t say that, man. Stupidity and genius are not far apart: if you consider trying stuff that other people think is hard or impossible, it’s always hard to say whether it’s genius at work or stupidity.

Super valid point and in hindsight I think “stupid” is a misleading term entirely here.

Anyway: if people say it’s impossible, always follow your own hunch. The best work in this world is just that: one man doing what everyone else thought was impossible.

Clarke’s first law relates to this:

When a distinguished but elderly scientist states that something is possible, he is almost certainly right. When he states that something is impossible, he is very probably wrong.

You’ll see it’s not the easiest task out there to sniff on https, but I wouldn’t dare say it can’t be done. It’s just not straightforward or easy.

So here is the conundrum. It is entirely possible that a new exploit can be discovered (or at least new to the public) which allows for HTTPS attacks. We’ve seen this with things like Heartbleed, POODLE, Logjam etc.

If one of these exploits is made public, there is a lot of fame attached (even if not a lot of fortune).

The only way you can really know if it was a bad plan or not is based on the end results. That means only you can decide how much time, effort and resource you want to throw at the problem.

For example, if you spend 5 years locked away from society trying to crack TLS1.3 and fail, would you look back and say it was a mistake? If you succeed, would you think it was a good idea?

Circling back: using myself as an example, I wouldn’t try this until I’d exhausted every other option to achieve my goal. If my goal was “crack TLS encryption”, I’d think about how good my crypto knowledge is and decide to find a new goal.

@TazWake @gnothiseauton
Yes, we should be straightforward about our goal.
From Black Hat Python, chapter 6, “Extending Burp Proxy”, using that Python script we can try…
Because Burp Suite works in all conditions.

Or the missing “HSTS” header is the main point.
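Following up on the HSTS point: a small stdlib-only evaluator, added here for the thread and not code from any poster, that checks whether a response carries a Strict-Transport-Security header a browser would actually honour (the header syntax and rules are from RFC 6797; the sample responses are constructed). A host that never sends it is exactly the case where the “remove the s” downgrade still works on a first visit.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example: minimal RFC 6797 (HSTS) evaluator deciding whether a browser would
# record a Strict-Transport-Security policy, which is what blocks a later HTTP downgrade.

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

# directive-name [ "=" ( token | quoted-string ) ]
_DIRECTIVE = re.compile(r"^\s*([A-Za-z0-9!#$%&'*+.^_`|~-]+)\s*(?:=\s*(\"?)([^\";]*)\2\s*)?$")

def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse one STS field value; return None where a UA MUST ignore the header."""
    seen = {}
    for part in value.split(";"):
        if not part.strip():
            continue                      # empty directives are allowed by the grammar
        m = _DIRECTIVE.match(part)
        if m is None or m.group(1).lower() in seen:
            return None                   # bad syntax or repeated directive: ignore header
        seen[m.group(1).lower()] = m.group(3)   # unknown directives are kept but ignored
    age = seen.get("max-age")
    if age is None or not re.fullmatch(r"[0-9]+", age):
        return None                       # max-age is required and must be delta-seconds
    return HstsPolicy(int(age), "includesubdomains" in seen, "preload" in seen)

def hsts_status(scheme: str, headers: dict) -> str:
    """Classify a response the way a browser does when deciding to cache an HSTS policy."""
    if scheme.lower() != "https":
        return "not_tls"                  # STS over plain HTTP is ignored (RFC 6797 s8.1)
    values = [v for k, v in headers.items() if k.lower() == "strict-transport-security"]
    if not values:
        return "missing"                  # nothing stops a downgrade on the next visit
    policy = parse_hsts(values[0])        # only the first STS field is processed
    if policy is None:
        return "malformed"
    return "cleared" if policy.max_age == 0 else "enforced"

if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    for scheme, hdrs in [("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
                         ("https", {}), ("http", {"Strict-Transport-Security": "max-age=600"}),
                         ("https", {"Strict-Transport-Security": "max-age=1; max-age=2"})]:
        print(scheme, hsts_status(scheme, hdrs))
```

Only “enforced” (with a max-age long enough to outlive the gap between visits) protects returning users; “missing”, “malformed” and “not_tls” all leave the next plain-HTTP request for an attacker to answer.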

You can use “Fiddler” from Telerik; it’s a powerful tool.

See an example here: - YouTube

@tlopasha thanks for video.

A resource to decrypt SSL/TLS traffic…
https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/