Blog | G5 Cyber Security

Bettercap SSLStrip: Fix TLS Issues

TL;DR

Bettercap 2.x’s default SSLStrip setup often fails to intercept HTTPS traffic, even on sites without HTTP Strict Transport Security (HSTS). This is because modern browsers aggressively upgrade connections to TLS. We need to explicitly tell Bettercap to downgrade the connection *before* the browser upgrades it. This guide shows you how.

Solution

  1. Understand the Problem: Modern browsers will attempt to connect via HTTPS (TLS) even if a site allows HTTP. SSLStrip relies on intercepting the initial unencrypted request and downgrading it, but this doesn’t work if the browser immediately tries TLS.
  2. Enable Downgrade Attacks: Bettercap needs specific flags enabled for successful downgrading. Use these options when starting Bettercap:
    bettercap -iface eth0 --sslstrip --spoof --proxy
    • --sslstrip: Enables SSLStrip functionality.
    • --spoof: Essential for ARP spoofing, allowing you to intercept traffic.
    • --proxy: Runs a local proxy server to handle the intercepted traffic and perform the downgrade.
  3. Configure Bettercap’s Proxy (Important): The default Bettercap proxy configuration might not be aggressive enough for downgrading. Edit your Bettercap config file (usually ~/.bettercap/bettercap.conf) to force HTTP redirects.
    proxy.listen = true
    proxy.redirect = true
    proxy.force_http = true
    proxy.sslstrip = true
    proxy.https_port = 8080 # Or any available port
    

    The key setting here is proxy.force_http = true, which ensures that even if the server responds with HTTPS redirects, Bettercap will force them to HTTP.

  4. Set up ARP Spoofing: ARP spoofing directs traffic through your machine.
    net.spoof on eth0 192.168.1.1 192.168.1.100 # Replace with gateway and target IP
    • Replace eth0 with your network interface.
    • Replace 192.168.1.1 with the IP address of your default gateway (router).
    • Replace 192.168.1.100 with the IP address of the target machine you want to intercept traffic from.
  5. Run Bettercap: Start Bettercap with the configured options.
    bettercap -iface eth0 --sslstrip --spoof --proxy
  6. Verify Interception (Browser): Visit a website you expect to intercept. Check your Bettercap console for intercepted traffic and HTTP requests. Look for connections that were initially HTTPS but are now being handled over HTTP.
  7. Troubleshooting:
    • HSTS: If the site uses HSTS, SSLStrip won’t work without bypassing it (which is more complex). This guide focuses on non-HSTS sites.
    • Browser Caching: Clear your browser cache and cookies before testing.
    • Firewall/Antivirus: Ensure your firewall or antivirus isn’t blocking Bettercap or the proxy server.
    • Network Configuration: Double-check that ARP spoofing is working correctly (use tools like arp -a to verify).
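
Detection side of steps 4 and 7, as an added example that is not part of the original post: the same `arp -a` table shows a defender the side effect of ARP spoofing, because the gateway's IP and another host's IP resolve to one MAC address. The function names and the sample tables are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed samples of `arp -a` output (Linux and Windows layouts), not real captures.
SAMPLE_LINUX = """\
_gateway (192.168.1.1) at 08:00:27:aa:bb:cc [ether] on eth0
? (192.168.1.50) at 08:00:27:aa:bb:cc [ether] on eth0
? (192.168.1.100) at 52:54:00:12:34:56 [ether] on eth0
? (192.168.1.77) at <incomplete> on eth0
"""
SAMPLE_WINDOWS = """\
Interface: 192.168.1.100 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           08-00-27-aa-bb-cc     dynamic
  192.168.1.50          08-00-27-AA-BB-CC     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC = r"((?:[0-9A-Fa-f]{1,2}[:-]){5}[0-9A-Fa-f]{1,2})"
# Linux/macOS: "host (ip) at mac ..."   Windows: "  ip   mac   type"
ENTRY = re.compile(rf"\(?{IP}\)?\s+(?:at\s+)?{MAC}")

def normalize(mac):
    """Lower-case, colon-separated, zero-padded (macOS prints 8:0:27:...)."""
    return ":".join(p.zfill(2) for p in re.split("[:-]", mac.lower()))

def parse_arp_table(text):
    """Return {mac: set(ips)} for unicast entries in `arp -a` output."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # headers and <incomplete> entries carry no MAC
        ip, mac = m.group(1), normalize(m.group(2))
        if int(mac[:2], 16) & 1:
            continue  # broadcast/multicast group address, shared by design
        table[mac].add(ip)
    return table

def find_shared_macs(text, gateway_ip=None):
    """List (mac, sorted ips, involves_gateway) for MACs claimed by several IPs."""
    return [(mac, sorted(ips), gateway_ip in ips)
            for mac, ips in sorted(parse_arp_table(text).items()) if len(ips) > 1]

if __name__ == "__main__":
    for name, sample in (("linux", SAMPLE_LINUX), ("windows", SAMPLE_WINDOWS)):
        for mac, ips, gw in find_shared_macs(sample, "192.168.1.1"):
            print(f"{name}: {mac} answers for {ips}" + (" (includes gateway)" if gw else ""))
```

A shared MAC is a lead, not proof: proxy ARP and hosts with several addresses produce the same pattern, so confirm against the gateway's known hardware address.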