How to Bypass HTTPS

Zaid Sabih
A free video tutorial from Zaid Sabih
Ethical Hacker, Computer Scientist & CEO of zSecurity
4.6 instructor rating • 9 courses • 674,709 students

Lecture description

All the programs we built so far only work with HTTP pages, because data sent over HTTPS is encrypted.

This lecture will fix this issue and teach you how to downgrade HTTPS to HTTP.

Learn more from the full course

Learn Python & Ethical Hacking From Scratch

Start from 0 & learn both topics simultaneously from scratch by writing 20+ hacking programs

24:59:17 of on-demand video • Updated June 2022

  • 170+ videos on Python programming & ethical hacking
  • Install hacking lab & needed software (on Windows, OS X and Linux)
  • Learn 2 topics at the same time - Python programming & Ethical Hacking
  • Start from 0 up to a high-intermediate level
  • Write over 20 ethical hacking and security programs
  • Learn by example, by writing exciting programs
  • Model problems, design solutions & implement them using Python
  • Write programs in Python 2 and 3
  • Write cross platform programs that work on Windows, OS X & Linux
  • Have a deep understanding of how computer systems work
  • Have a strong base & use the skills learned to write any program, even if it's not related to hacking
  • Understand what hacking is, what programming is, and why they are related
  • Design a testing lab to practice hacking & programming safely
  • Interact & use Linux terminal
  • Understand what MAC address is & how to change it
  • Write a python program to change MAC address
  • Use Python modules and libraries
  • Understand Object Oriented Programming
  • Write object oriented programs
  • Model & design extendable programs
  • Write a program to discover devices connected to the same network
  • Read, analyse & manipulate network packets
  • Understand & interact with different network layers such as ARP, DNS, HTTP, etc.
  • Write a program to redirect the flow of packets in a network (arp spoofer)
  • Write a packet sniffer to filter interesting data such as usernames and passwords
  • Write a program to redirect DNS requests (DNS Spoofer)
  • Intercept and modify network packets on the fly
  • Write a program to replace downloads requested by any computer on the network
  • Analyse & modify HTTP requests and responses
  • Inject code in HTML pages loaded by any computer on the same network
  • Downgrade HTTPS to HTTP
  • Write a program to detect ARP Spoofing attacks
  • Write payloads to download a file, execute a command, download & execute, download, execute & report, etc.
  • Use sockets to send data over TCP
  • Send data reliably over TCP
  • Write client-server programs
  • Write a backdoor that works on Windows, OS X and Linux
  • Implement cool features in the backdoor such as file system access, upload and download files and persistence
  • Write a remote keylogger that can register all keystrokes and send them by email
  • Interact with files using python (read, write & modify)
  • Convert python programs to binary executables that work on Windows, OS X and Linux
  • Convert malware to trojans that work and function like other file types such as an image or a PDF
  • Bypass Anti-Virus Programs
  • Understand how websites work, the technologies used and how to test them for weaknesses
  • Send requests to websites and analyse responses
  • Write a program that can discover hidden paths in a website
  • Write a program that can map a website and discover all links, subdomains, files and directories
  • Extract and submit forms from python
  • Run dictionary attacks and guess login information on login pages
  • Analyse HTML using Python
  • Interact with websites using Python
  • Write a program that can discover vulnerabilities in websites
Now, so far we have learned how to become the man in the middle. Once we are the man in the middle, we learned how to read all the data that is being sent, so we were able to read usernames, passwords, URLs, images or anything else the person browses. We were also able to modify this data, so we could inject JavaScript or any other code we want into the target's browser when the target browses websites. This also allowed us to replace downloads and carry out many other attacks.

Now, everything we did so far only works against HTTP pages. The reason it works against HTTP is that, as we saw in the data, HTTP is sent as plain text: text that humans like us can read and understand. That is why, when we are the man in the middle, we are able to read this text and, if we want, modify it as we wish.

This is obviously a problem, and it was fixed in HTTPS. As you know, most websites these days use HTTPS, and all well-known websites use it, because it is a more secure version of HTTP. The way it works is that it keeps the implementation of HTTP exactly the same: all the headers and the way the data is sent stay the same, so HTTP itself is not modified. It adds an extra layer over HTTP, which is where the S (for secure) comes from, and this extra layer encrypts the plaintext data that HTTP sends. So if a person manages to become the man in the middle, they will still see this data, but it will be gibberish; it will not be readable to the person intercepting the connection. It only makes sense to the user and to the server, because they both have the key and are able to decrypt the encrypted data. So let's have an example of what this looks like.
In general, when we become the man in the middle using ARP spoofing or any other method, the requests flow through the hacker. The hacker forwards them to the access point and then to the internet, and the responses flow back through the hacker's computer and down to the victim. Usually, if a user tries to go to a website, let's say BBC.com, they send a request. This initial request will not be sent over HTTPS unless the user types https before the website name, and most users, including myself, don't really type https; we just type the name of the website. So if they want to go to BBC.com, they just type BBC.com, and the initial request is sent over HTTP. The hacker, being the man in the middle, receives this and forwards it to the internet. BBC.com, on the other hand, responds by saying: hey, why don't you talk to me over HTTPS? It's more secure. Now that the target knows BBC can communicate over HTTPS, it communicates with BBC using HTTPS from then on, so all the requests that follow the initial request are sent over HTTPS. The hacker receives these and forwards them to the internet, again as HTTPS, and the server responds over HTTPS. As you can see, now all the communication, all the requests and the responses, is sent over HTTPS.

Like I said, HTTPS adds an extra encryption layer to the HTTP protocol. This means that the plaintext data we usually read in HTTP is encrypted and is of no use to us. So now that we are in the middle, we can see all this data, but it is gibberish. It is not readable, and therefore we can't see the usernames, the passwords, the URLs or the HTML code, so we can't inject code or modify these packets, because we can't even read them in the first place.
This is really bad for us as hackers, because we did all the hard work of becoming the man in the middle, and once we are there we can't make use of this very good position. Luckily, there is a smart guy called Moxie (Moxie Marlinspike) who has been defeating SSL for a very long time, and one of the methods he came up with allows us to bypass HTTPS and downgrade it to HTTP. Moxie didn't only discover this attack; he also wrote a great tool, SSLstrip, that does it for us.

So let's look at the initial request again. As we said, people usually don't type https when they request a web page; they type, for example, BBC.com. This goes through the hacker's computer, which is already the man in the middle and is also running SSLstrip, the tool that implements Moxie's attack. The tool sees that this is an HTTP request, so it doesn't touch it. This is good for us as hackers, and it just forwards the request to the internet. Next, BBC.com responds by saying: hey, why don't you communicate with me over HTTPS? SSLstrip detects this. (By the way, when I say BBC says "why don't you communicate with me over HTTPS", the process is actually a little more complicated than that, but I'm trying to keep it as simple as possible.) So SSLstrip detects that the server is trying to tell the target to communicate over HTTPS, and it removes, or strips, all the fields and all the data that say "let's upgrade this connection to HTTPS". The response that comes back is an instruction to switch to HTTPS, but SSLstrip strips that and forwards to the victim only the parts that look like a normal HTTP response. So far, the victim doesn't know that the server can communicate over HTTPS, therefore it sends its next request as a normal HTTP request.
Here is where SSLstrip is smart: it keeps track of all the websites that have asked to be talked to over HTTPS. So even though the victim sends an HTTP request when communicating with BBC.com, SSLstrip knows that BBC.com likes to communicate over HTTPS. So once it gets the HTTP request from the victim, it upgrades that connection to an HTTPS connection on the way upstream. As far as BBC.com is concerned, it told the target to communicate over HTTPS, and the target responded by starting to communicate over HTTPS. This is perfect for BBC.com, and for the victim as well: as far as they are concerned, BBC.com cannot communicate over HTTPS, because every time they send an HTTP request they get an HTTP response. If BBC could, it would respond to the victim saying "communicate with me over HTTPS".

This configuration is perfect, because we as hackers can read the requests and the responses in plaintext, and nobody knows that we are playing with the connection. The target thinks that the website they are trying to access only supports HTTP, and the web server is happy too, because it is communicating over HTTPS with what it thinks is its client, but who it is actually connecting with is us. When we get HTTPS responses from the internet, we are able to read them, because we are the ones initiating the HTTPS requests. So as you can see, the HTTPS leg is only between us and the web server, not between the victim and the web server. Another thing SSLstrip does is that when it loads a web page, it converts all the links in the page from HTTPS to normal HTTP. This way, while SSLstrip is working, all the HTTPS connections are downgraded to HTTP.
Since the connections are downgraded to HTTP, the data is sent in plaintext, which means we can read and modify it just like we usually do with HTTP. There is one exception to this whole rule, which is websites that use HSTS. HSTS is now used by Facebook, PayPal and Gmail, for example. The way it works is that the browser on the victim's, the target's, machine comes with a hardcoded list of websites (the HSTS preload list) that it should only ever load over HTTPS, and it also remembers any site that has sent it a Strict-Transport-Security header over HTTPS. So even if we try everything we can to downgrade this connection to HTTP, the browser simply refuses to load the page, because it knows that this page has to load over HTTPS. So far, there isn't a practical way of bypassing HSTS. There was, but that got fixed. But I will update you as soon as there is a new way to bypass it.
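The exchange the lecture walks through, written out as an added example that is not part of the lecture and not SSLstrip's own code. The origin server, the victim browser and the network between them are simulated in plain Python, and the hostnames bbc.example and hsts.example are constructed. The Stripper class does the four things the lecture attributes to SSLstrip: it leaves the victim's HTTP request alone, swallows the server's "talk HTTPS" redirect and follows it itself, remembers which hosts asked for HTTPS so later requests are upgraded on the upstream leg only, and rewrites https:// links in the page to http://. It also drops the Strict-Transport-Security header, which is what a real stripper must do to keep the victim from learning the policy. The Browser class models the HSTS exception from the last paragraph: a host that is preloaded (or was learned on an earlier genuine HTTPS visit) is upgraded inside the browser before any request leaves the machine, so there is no plaintext request for the stripper to touch. A real implementation additionally has to rewrite Location headers, handle Secure cookies and keep this state per client; those parts are left out here.

```python
"""Toy model of the SSLstrip-style downgrade described in the lecture.
Added example, not SSLstrip's own code: origin server, victim browser and
network are simulated; bbc.example and hsts.example are constructed."""
import re
from dataclasses import dataclass, field

REDIRECTS = (301, 302, 307, 308)


@dataclass
class Response:
    status: int
    headers: dict           # lower-cased header name -> value
    body: str = ""


def origin(scheme, host, path):
    """Constructed origin: redirects plain HTTP to HTTPS and, for
    hsts.example, also sends Strict-Transport-Security over HTTPS."""
    if scheme == "http":
        return Response(301, {"location": f"https://{host}{path}"})
    headers = {"content-type": "text/html"}
    if host == "hsts.example":
        headers["strict-transport-security"] = "max-age=31536000"
    body = (f'<a href="https://{host}/login">login</a>'
            f'<form action="https://{host}/login" method="post"></form>')
    return Response(200, headers, body)


class Stripper:
    """Minimal SSLstrip logic on the attacker's MITM box. It only ever sees
    plain HTTP from the victim; upstream it speaks HTTPS to any host that
    asked for it, and it removes every trace of the upgrade."""
    HTTPS_URL = re.compile(r"https://", re.IGNORECASE)

    def __init__(self, fetch):
        self.fetch = fetch          # fetch(scheme, host, path) -> Response
        self.https_hosts = set()    # hosts that told us to use HTTPS
        self.upstream_log = []      # (scheme, host, path) sent upstream

    def _fetch(self, scheme, host, path):
        self.upstream_log.append((scheme, host, path))
        return self.fetch(scheme, host, path)

    def handle(self, host, path):
        # Use HTTPS upstream for a host known to want it, so the server never
        # notices that its "client" is really talking plaintext to us.
        scheme = "https" if host in self.https_hosts else "http"
        resp = self._fetch(scheme, host, path)
        location = resp.headers.get("location", "")
        if resp.status in REDIRECTS and location.lower().startswith("https://"):
            # "Talk to me over HTTPS": remember the host and follow the
            # redirect ourselves, so the victim only ever sees a 200.
            self.https_hosts.add(host)
            target_host, _, target_path = location[len("https://"):].partition("/")
            resp = self._fetch("https", target_host, "/" + target_path)
        # Drop HSTS so a browser that has not cached the policy cannot learn
        # it, and rewrite https:// links so later clicks stay on plaintext.
        headers = {k: v for k, v in resp.headers.items()
                   if k != "strict-transport-security"}
        return Response(resp.status, headers, self.HTTPS_URL.sub("http://", resp.body))


@dataclass
class Browser:
    """Victim browser with an HSTS store: preloaded hosts plus any host that
    delivered Strict-Transport-Security over a genuine HTTPS connection."""
    hsts_hosts: set = field(default_factory=set)

    def navigate(self, url, send):
        scheme, _, rest = url.partition("://")
        host, _, path = rest.partition("/")
        path = "/" + path
        if host in self.hsts_hosts:
            scheme = "https"    # upgraded locally: no HTTP request exists to strip
        resp = send(scheme, host, path)
        if resp.status in REDIRECTS:
            return self.navigate(resp.headers["location"], send)
        if scheme == "https" and "strict-transport-security" in resp.headers:
            self.hsts_hosts.add(host)
        return scheme, resp


def run_attack(url, preloaded=()):
    """Victim navigates to url with the attacker in the middle. Returns the
    scheme the victim ended on, the response it saw, and both parties' state."""
    stripper = Stripper(origin)
    browser = Browser(set(preloaded))

    def network(scheme, host, path):
        # Plain HTTP is readable and goes through the stripper; HTTPS is an
        # opaque tunnel the attacker can only forward.
        if scheme == "http":
            return stripper.handle(host, path)
        return origin("https", host, path)

    return (*browser.navigate(url, network), stripper, browser)
```

Running `run_attack("http://bbc.example/")` ends with the victim on plain HTTP, a page whose links all point at http://, and the stripper holding bbc.example in its HTTPS list, so the victim's next request to that host goes upstream over HTTPS straight away. Running it against hsts.example with the host preloaded ends on HTTPS with the stripper's upstream log empty: it never saw a request. The same host without preload on a first visit is still stripped, because the Strict-Transport-Security header the browser would have learned from is removed before it arrives; that first plaintext visit is exactly the gap the preload list closes.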