How to Bypass HTTPS

Zaid Sabih
A free video tutorial from Zaid Sabih
Ethical Hacker, Computer Scientist & CEO of zSecurity
4.6 instructor rating • 9 courses • 579,433 students

Lecture description

All the programs we built so far only work with HTTP pages; this is because data sent over HTTPS is encrypted.

This lecture will fix this issue and teach you how to downgrade HTTPS to HTTP.

Learn more from the full course

Learn Python & Ethical Hacking From Scratch

Start from 0 & learn both topics simultaneously from scratch by writing 20+ hacking programs

24:53:40 of on-demand video • Updated June 2021

  • 170+ videos on Python programming & ethical hacking
  • Install hacking lab & needed software (on Windows, OS X and Linux)
  • Learn 2 topics at the same time - Python programming & Ethical Hacking
  • Start from 0 up to a high-intermediate level
  • Write over 20 ethical hacking and security programs
  • Learn by example, by writing exciting programs
  • Model problems, design solutions & implement them using Python
  • Write programs in Python 2 and 3
  • Write cross-platform programs that work on Windows, OS X & Linux
  • Have a deep understanding of how computer systems work
  • Have a strong base & use the skills learned to write any program, even if it's not related to hacking
  • Understand what is Hacking, what is Programming, and why are they related
  • Design a testing lab to practice hacking & programming safely
  • Interact & use Linux terminal
  • Understand what MAC address is & how to change it
  • Write a Python program to change MAC address
  • Use Python modules and libraries
  • Understand Object Oriented Programming
  • Write object oriented programs
  • Model & design extendable programs
  • Write a program to discover devices connected to the same network
  • Read, analyse & manipulate network packets
  • Understand & interact with different network layers such as ARP, DNS, HTTP, etc.
  • Write a program to redirect the flow of packets in a network (arp spoofer)
  • Write a packet sniffer to filter interesting data such as usernames and passwords
  • Write a program to redirect DNS requests (DNS Spoofer)
  • Intercept and modify network packets on the fly
  • Write a program to replace downloads requested by any computer on the network
  • Analyse & modify HTTP requests and responses
  • Inject code in HTML pages loaded by any computer on the same network
  • Downgrade HTTPS to HTTP
  • Write a program to detect ARP Spoofing attacks
  • Write payloads to download a file, execute command, download & execute, download, execute & report, etc.
  • Use sockets to send data over TCP
  • Send data reliably over TCP
  • Write client-server programs
  • Write a backdoor that works on Windows, OS X and Linux
  • Implement cool features in the backdoor such as file system access, upload and download files and persistence
  • Write a remote keylogger that can register all keystrokes and send them by Email
  • Interact with files using Python (read, write & modify)
  • Convert Python programs to binary executables that work on Windows, OS X and Linux
  • Convert malware to trojans that work and function like other file types like an image or a PDF
  • Bypass Anti-Virus Programs
  • Understand how websites work, the technologies used and how to test them for weaknesses
  • Send requests to websites and analyse responses
  • Write a program that can discover hidden paths in a website
  • Write a program that can map a website and discover all links, subdomains, files and directories
  • Extract and submit forms from Python
  • Run dictionary attacks and guess login information on login pages
  • Analyse HTML using Python
  • Interact with websites using Python
  • Write a program that can discover vulnerabilities in websites
English [Auto]

Now, so far, we learned how to become the man in the middle, and once we are the man in the middle, we learned how we can read all the data that's being sent. So we were able to read usernames, passwords, URLs, images or anything that people browse; we were also able to modify this data. So we were able to inject JavaScript code or any type of code that we want in the target browser when the target browses websites. This also allowed us to replace downloads and do so many cool attacks. Now, everything that we did so far will only work against HTTP pages. The reason why it works against HTTP is because, as we see in the data, HTTP is sent as plain text. So it's text that humans like us can read and understand. That's why, when we're in the middle, we're able to read this text and, if we wanted, we're able to modify this text as we wish.

Now this is obviously a problem, and this problem was fixed in HTTPS. So as you know, most websites these days use HTTPS, and all good websites, famous websites, use HTTPS. The reason why, like I said, is because it's a more secure version of HTTP, and basically the way it works is it keeps the implementation of HTTP exactly the same. So all the headers, all the way that the data is sent, is kept the same. So HTTP is not modified, but it adds an extra layer over HTTP, which is where the S comes from. So it's a secure HTTP protocol, and this extra layer will encrypt the plaintext data that HTTP sends. So if a person manages to become the man in the middle, they will be able to read this data, but the data will be gibberish. It will not be readable to the person intercepting the connection. It's only going to make sense to the user and to the server, because they both have the key and are able to decrypt the encrypted data.

So let's have an example of what this would look like. Now, in general, when we become the man in the middle using ARP spoofing or any other method, as we know, the requests will flow through the hacker. The hacker will forward this to the Internet or to the access point, then the Internet, and then the responses will flow through the hacker computer and down to the victim. Now, usually if a person or a user tries to go to a website, and let's say they try to go to BBC.com, they will send the request. Now, this request, this initial request, will not be sent over HTTPS unless the user types https before the website. And we know most users, including myself, we don't really type https; we just type the name of the website. So if they want to go to BBC.com, they'll just type BBC.com. So the initial request is going to be sent over HTTP. The hacker, being the man in the middle, is going to receive this and forward it to the Internet. BBC.com, on the other hand, is going to respond by saying, hey, why don't you talk to me over HTTPS? It's more secure. Now that the target knows that BBC can communicate over HTTPS, they're going to communicate with the BBC using HTTPS from now on. So all the requests that will follow after the initial request will be sent over HTTPS. The hacker will receive this and forward it to the Internet again as HTTPS; the server will respond with HTTPS. And as you can see now, all the communication, all the requests and the responses, are sent over HTTPS.

Now, like I said, HTTPS adds an extra encryption layer to the HTTP protocol. This will mean that the plaintext data that we usually read in HTTP will be encrypted, and it will not be useful for us. So now that we are in the middle, we're able to see all this data, we're able to read it, but this data will be gibberish. It will not be readable, and therefore we won't be able to see the usernames and passwords, the URLs or the HTML code. So we won't be able to inject code or modify these packets, because we can't even read them in the first place.

Now, this is really bad for us as a hacker, because we did all the hard work of trying to become the man in the middle, and once we're the man in the middle we're not able to make use of this very good position. Luckily, there is a smart guy called Moxie who has been defeating SSL for a very long time. And one of the ways that this guy came up with allows us to bypass HTTPS and downgrade it to HTTP. Now, Moxie didn't only discover this attack; he also wrote a great tool that will do this for us. So the way this will work is, let's have a look again at the initial request. And like we said, usually people don't type https when they request a web page. So they'll type, for example, BBC.com. This will go through the hacker computer, who is already the man in the middle and is also running a tool called SSLstrip, which is the tool that implements Moxie's attack. Now, the tool is going to see that this is an HTTP request, so it's not going to play with it. This is good for us as a hacker, and it'll just forward it to the Internet. Next, BBC.com is going to respond by saying, hey, why don't you communicate with me over HTTPS? Now SSLstrip is going to detect this. And by the way, when I say BBC is going to say, hey, why don't you communicate with me over HTTPS, the process is actually a little bit more complicated than this, but I'm just trying to keep it as simple as possible. So SSLstrip is going to detect that the server is trying to tell the target to communicate over HTTPS, and it's going to remove or strip all the fields and all the data that's basically saying let's upgrade this connection to an HTTPS connection. So the response is going to come as an HTTPS response, but SSLstrip is going to strip that and only forward the parts that look like a normal HTTP response to the victim. Now, so far, the victim doesn't know that the server can communicate over HTTPS. Therefore, it'll send its next request as a normal HTTP request.

Now here is where SSLstrip is smart, because it's going to keep track of all the websites that have sent an HTTPS response. So even though the victim is going to send the request over HTTP when it's communicating with BBC.com, SSLstrip knows that BBC.com likes to communicate over HTTPS. So what it's going to do is, once it gets a request from the victim or the target, it will actually upgrade that connection to an HTTPS connection. So as far as BBC.com is concerned, it told the target that you should communicate with me over HTTPS, and the target responded by starting to communicate over HTTPS. So this is perfect for BBC.com, and for the victim, as far as they're concerned, they don't think BBC.com can communicate over HTTPS, because every time they send the request they are getting an HTTP response. So they don't think that BBC can communicate over HTTPS, because if it could, then it would respond to the victim saying communicate with me over HTTPS. Now, this configuration is perfect, because as a hacker, we're able to read the requests and the responses in plain text, and nobody knows that we are playing around with the connection. The target thinks that the website that they're trying to access only supports HTTP, and the web server is happy also because it's communicating over HTTPS with what they think is their client. But who they're connecting with is actually us. Now, in here, when we get responses from the Internet, we're actually able to read them, because we are the ones initiating the requests. So you can see the HTTPS cycle is actually only between us and the Internet or the web server, and it's not between the victim and the web server. Now, another thing that SSLstrip will do is, when it loads the web page, it will actually convert all the links in the page from HTTPS to normal HTTP. And this way, when SSLstrip is working, all the HTTPS connections will be downgraded to HTTP.

Now, since the connections are going to be downgraded to HTTP, that means the data is going to be sent in plaintext, which means that we'll be able to read and modify this data just like we usually do with HTTP. Now there is one exception to this whole rule, which is websites that use HSTS. Now HSTS is used by Facebook, PayPal and Gmail, for example. And basically the way this works is the browser at the victim, at the target, comes with a hard-coded list of websites that it should only load as HTTPS. So even if we try everything that we can and try to downgrade this connection to HTTP, the browser will just refuse to load this page, because it knows that this page has to load over HTTPS. Now, so far, there isn't a practical way of bypassing HSTS. There was a way, but that got fixed. But I will update you as soon as there is a new way to bypass it.
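The exchange the lecture walks through (the initial plaintext request, the server's upgrade to HTTPS, the proxy position that strips that upgrade, and the HSTS list that makes the browser refuse plaintext) modelled as an added Python example. It is not code from the lecture or from the SSLstrip tool: the origin, the proxy position, the browser and the hostname bbc.example are constructed, in-memory stand-ins with no networking, and the thresholds in hsts_findings are the HSTS preload list's published requirements (one-year max-age, includeSubDomains, preload).

```python
"""Simulation of the HTTP-to-HTTPS upgrade, the stripping proxy that removes
it, and the HSTS store that defeats the downgrade. Added example, not code
from the lecture or from SSLstrip; in-memory only, with constructed hostnames."""
import time
from collections import namedtuple

HSTS = "Strict-Transport-Security"
Response = namedtuple("Response", "status headers body", defaults=[""])

def origin_server(url: str) -> Response:
    """Constructed origin: redirects HTTP to HTTPS; over HTTPS it sets HSTS."""
    scheme, _, rest = url.partition("://")
    host = rest.split("/", 1)[0]
    if scheme == "http":
        return Response(301, {"Location": "https://" + rest})
    return Response(200, {HSTS: "max-age=31536000; includeSubDomains"},
                    f'<a href="https://{host}/login">login</a>')

def strip_upgrade(resp: Response) -> Response:
    """The rewrite the lecture describes: https:// links become http:// and
    the header that would teach the browser to insist on HTTPS is dropped."""
    headers = {k: v.replace("https://", "http://")
               for k, v in resp.headers.items() if k != HSTS}
    return Response(resp.status, headers, resp.body.replace("https://", "http://"))

def stripping_proxy(url: str) -> Response:
    """Man-in-the-middle position from the lecture: follow the server's
    upgrade to HTTPS itself, then hand the victim a plaintext version."""
    resp = origin_server(url)
    if resp.status == 301 and resp.headers.get("Location", "").startswith("https://"):
        resp = origin_server(resp.headers["Location"])
    return strip_upgrade(resp)

def parse_hsts(value: str) -> dict:
    """Parse an HSTS header value into {directive: value or True}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip() or True
    return directives

def hsts_findings(value: str) -> list:
    """Defender-side audit of an HSTS header against the preload list's requirements."""
    d = parse_hsts(value)
    findings = []
    if int(d.get("max-age", 0)) < 31536000:
        findings.append("max-age below one year")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing")
    if "preload" not in d:
        findings.append("preload missing: first visit is still plain HTTP")
    return findings

class Browser:
    """Minimal browser: per-host HSTS store plus preload list; mitm=True puts the proxy on the path."""
    def __init__(self, preload=(), mitm=False):
        self.hsts = {host: float("inf") for host in preload}  # host -> expiry
        self.mitm = mitm
        self.sent = []  # URLs actually put on the wire

    def fetch(self, url: str, max_hops: int = 5):
        for _ in range(max_hops):
            scheme, _, rest = url.partition("://")
            host = rest.split("/", 1)[0]
            if scheme == "http" and self.hsts.get(host, 0) > time.time():
                url = "https://" + rest  # HSTS: upgrade locally, send no HTTP
                continue
            self.sent.append(url)
            on_path = scheme == "http" and self.mitm  # proxy only sees plaintext
            resp = stripping_proxy(url) if on_path else origin_server(url)
            if scheme == "https" and HSTS in resp.headers:  # only trusted over TLS
                max_age = int(parse_hsts(resp.headers[HSTS]).get("max-age", 0))
                self.hsts[host] = time.time() + max_age
            if resp.status in (301, 302) and "Location" in resp.headers:
                url = resp.headers["Location"]
                continue
            return url, resp
        raise RuntimeError("redirect loop")

def run_scenarios() -> dict:
    """Final URL the victim lands on, and whether any plaintext left the host."""
    results = {}
    clean = Browser()
    clean.fetch("http://bbc.example/")  # first visit learns HSTS from the 200
    results["no_attacker_second_visit"] = clean.fetch("http://bbc.example/")[0]
    attacked = Browser(mitm=True)
    url, resp = attacked.fetch("http://bbc.example/")
    results["attacker_first_visit"] = url
    results["attacker_rewrote_links"] = "http://bbc.example/login" in resp.body
    preloaded = Browser(preload=("bbc.example",), mitm=True)
    results["attacker_vs_preload"] = preloaded.fetch("http://bbc.example/")[0]
    results["plaintext_sent_by_preloaded"] = [u for u in preloaded.sent
                                              if u.startswith("http:")]
    return results
```

run_scenarios() shows the three states the lecture describes: without HSTS the victim's browser finishes on http:// with rewritten links and never learns that the site wanted HTTPS; after one clean HTTPS visit the browser upgrades the next http:// request locally, so nothing plaintext is sent; and a preloaded host never emits plaintext even with the proxy on the path, which is the exception the lecture ends on. hsts_findings is the check a site owner runs on their own header: a short max-age or a missing preload directive leaves the first visit exposed to exactly this downgrade.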