Hello All,
I was experimenting with MITM in my home lab. I am successfully able to capture all the traffic from victim PC. But SSL strip doesn't work for the websites like facebook, Gmail. Then I researched and found that these websites are using Extended validated certificates (Made by Digi-cert) which is specifically made to nullify the effect of SSLStrip.
Is this the end of road Or I am missing something. Kindly guide me in right direction.
Regards,
Abhishek
PS- I was able capture FTP passwords.
3 Responses
If they built a system to defend from SSLStrip, it is the end of the road for it.
You may try with this new concept, SSLStrip+, that usesDNS hijacking.
This gets bypassed by advanced browser security technology, anyway.
I haven't tried it, but another option might be to use Beef to create a facebook (or custom) logon screen to strip the l/p. What might work for some sites (but probably not facebook and other large sites) is using Beef to rewrite https:// to http://. I haven't tested but have to imagine facebook and others wouldn't allow http logins buut, worth testing and not hard to do in your home lab and would absolutely work for some sites.
Thanks guys. I will look in to these methods.
Share Your Thoughts