Bypassing HTTPS

In the previous section, we saw how to sniff and capture anything sent over HTTP. Most well-known websites use HTTPS instead of HTTP, so when we become the MITM and the target browses to such a site, the browser displays a warning saying that the site's certificate is invalid: we can intercept the connection, but we cannot present a certificate that is valid for that site. The target will become suspicious and probably won't log in. So, we are going to use a tool called SSLstrip. It sits in the middle, keeps a real HTTPS connection to the server, and serves the target a plain HTTP copy in which every HTTPS link and redirect has been rewritten to HTTP; whenever the target tries to go to https://hotmail.com, for example, they end up on the HTTP version of hotmail.com instead. Let's go to the browser on the target and try to go to hotmail.com. As we can see in the following screenshot, the address bar shows that the website uses HTTPS, so if we try to become the MITM, this website will display a warning:

To avoid the warning, we're going to use SSLstrip to downgrade the connection: any HTTPS link or redirect the server sends back is rewritten so that the target is kept on the HTTP version of the website. Once the target is on the HTTP version, sniffing the data is trivial, exactly as in the previous section. Note that this only works because the target's first request goes out as plain HTTP (typing hotmail.com without a scheme, or following an http:// link); a request that starts out as HTTPS cannot be intercepted without triggering the certificate warning.

We can run SSLstrip manually, but luckily MITMf starts it automatically for us, so we are going to run exactly the same MITMf command that we used in the previous section, without changing anything.

If we look at the following screenshot, once we run the command, the output tells us that SSLstrip has been started and is online:

So, we go back to the target and try to go to hotmail.com again. As we can see in the following screenshot, instead of the HTTPS version we got before, we land on an HTTP version of hotmail.com. Notice the address bar: there is no HTTPS, so we are on the HTTP version of the website. We also see no warning, because the browser is simply loading a plain HTTP page; it looks exactly like hotmail.com.

So, we enter our email and, again, a false password; we just use 123456 and sign in. Now, if we go to the Kali machine, we can see that we captured the email [email protected] and the password, 123456:

Websites such as Facebook and Google use something called HSTS (HTTP Strict Transport Security). A site that uses HSTS sends a Strict-Transport-Security header over HTTPS telling the browser to use only HTTPS for that domain for a set period, and the major sites are additionally on a preload list that is hardcoded into the browser. So, even if we try to downgrade the connection to HTTP, the browser refuses to send the request over HTTP: without connecting to anything, it consults the list stored on the local computer, sees that Facebook, Gmail and similar sites must not be opened over HTTP, and rewrites the request to HTTPS itself (on an HSTS site, a certificate error also cannot be clicked through). So, whatever we try, the website will refuse to open over HTTP.

Now, MITMf actually has an HSTS plugin that attempts to bypass HSTS, but it only works against old browsers; it relied on a weakness that is patched in current browsers. With a current browser, there is no way of downgrading the HTTPS connection to Gmail or Facebook at the moment, because they use HSTS and are on the preload list, so the browser refuses to open these websites over HTTP.
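The following Python model is an added example, not code from the book and not the source of SSLstrip or MITMf. It shows both halves of this section: what an SSLstrip-style proxy rewrites in the responses it relays to the target (the downgrade described at the start of the section), and the HSTS check a browser performs before a request leaves the machine, which is why the same rewrite fails against a preloaded site. The hosts (login.example-mail.test and friends), the response headers and bodies, and the preload entries are all constructed for the demonstration; dropping the Secure flag from cookies is a choice made in this model so the session keeps working over plaintext.

```python
"""Model of an SSLstrip-style downgrade and of the browser-side HSTS check
that defeats it. Example code, not the book's and not SSLstrip/MITMf source.
All hosts, headers and bodies below are constructed for the demonstration."""
import re
import time
from urllib.parse import urlsplit


class Stripper:
    """What the proxy does to server responses before relaying them to the victim.

    The proxy keeps a real HTTPS session with the server; the victim only sees
    plaintext. `stripped` remembers which hosts were downgraded so that later
    plaintext requests from the victim are forwarded upstream over HTTPS.
    """

    def __init__(self):
        self.stripped = set()

    def rewrite_response(self, status, headers, body):
        headers = dict(headers)
        # 1. A redirect to https:// becomes a redirect to http://.
        loc = headers.get("Location", "")
        if loc.lower().startswith("https://"):
            self.stripped.add(urlsplit(loc).hostname)
            headers["Location"] = "http://" + loc[len("https://"):]
        # 2. Drop the HSTS header so the victim's browser never learns the policy
        #    (only helps for hosts the browser has not already pinned).
        headers.pop("Strict-Transport-Security", None)
        # 3. Drop the Secure flag (model's choice): otherwise the browser would
        #    refuse to send the session cookie back over the plaintext connection.
        if "Set-Cookie" in headers:
            headers["Set-Cookie"] = re.sub(r";\s*secure(?=\s*;|\s*$)", "",
                                           headers["Set-Cookie"], flags=re.I)
        # 4. Every https:// URL in the body (links, forms, scripts) becomes http://.
        def downgrade(match):
            self.stripped.add(match.group(1).lower())
            return "http://" + match.group(1)
        body = re.sub(r"https://([A-Za-z0-9.-]+)", downgrade, body, flags=re.I)
        return status, headers, body

    def upstream_scheme(self, host):
        """Scheme the proxy uses toward the real server for a victim request."""
        return "https" if host.lower() in self.stripped else "http"


class Browser:
    """Minimal HSTS state: a preload list plus policies learned from headers."""

    def __init__(self, preload, now=time.time):
        # Preloaded entries are required to cover subdomains, so no flag is kept.
        self.preload = {h.lower() for h in preload}
        self.learned = {}  # host -> (expiry timestamp, includeSubDomains)
        self.now = now

    def observe_header(self, host, value):
        """Record a Strict-Transport-Security header received over HTTPS."""
        max_age, include_subdomains = None, False
        for directive in value.split(";"):
            directive = directive.strip().lower()
            if directive.startswith("max-age="):
                max_age = int(directive.split("=", 1)[1].strip('"'))
            elif directive == "includesubdomains":
                include_subdomains = True
        if max_age is None:
            return
        if max_age == 0:  # max-age=0 clears the policy
            self.learned.pop(host.lower(), None)
            return
        self.learned[host.lower()] = (self.now() + max_age, include_subdomains)

    def is_hsts_host(self, host):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate, exact = ".".join(labels[i:]), i == 0
            if candidate in self.preload:
                return True
            if candidate in self.learned:
                expiry, include_subdomains = self.learned[candidate]
                if self.now() < expiry and (exact or include_subdomains):
                    return True
        return False

    def navigate(self, url):
        """URL the browser actually requests: http:// is upgraded to https://
        locally for HSTS hosts, before any packet leaves the machine, so the
        stripped link never reaches the proxy in plaintext."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_hsts_host(parts.hostname):
            return "https://" + url[len("http://"):]
        return url


if __name__ == "__main__":
    proxy, victim = Stripper(), Browser(preload={"facebook.com", "google.com"})
    # Constructed server response: a redirect-to-HTTPS carrying an HSTS header.
    _, hdrs, _ = proxy.rewrite_response(302, {"Location": "https://login.example-mail.test/signin",
                                              "Strict-Transport-Security": "max-age=31536000"}, "")
    print("victim is redirected to:", hdrs["Location"])
    print("victim requests:", victim.navigate(hdrs["Location"]))  # stays http, sniffable
    print("same trick on a preloaded host:", victim.navigate("http://www.facebook.com/login"))
```

Running it shows the asymmetry the section describes: the constructed mail host is never seen over HTTPS by the victim, so the browser happily requests the rewritten http:// URL and the proxy relays it upstream over HTTPS; the preloaded host is upgraded back to https:// inside the browser before any request is sent, so the stripping never takes effect.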

 
