How to hack HTTP?
You may have seen all the HTTP sites migrating to HTTPS. Why and What’s wrong with HTTP? Well, you’ll understand once you know how simple it is to hack the plain HTTP. Have you seen a Hacker sitting in the corner of a public coffee shop and sniffing all the credit card details over the public WiFi? Let me guide you through how to do that. Wait, Don’t get excited. This technique works only with HTTP and almost all sites have been migrated to HTTPS. So, drop any dream of becoming a millionaire by stealing cards.
Basic knowledge on Networking is needed to understand what’s going on. Don’t worry even if you are not introduced to networking ; Simply follow the tutorial.
Let’s get some basics.
Before we begin let me introduce you some fundamentals of today’s web. In case you want to skip the boring theories click here.
Obviously, you won’t be reading till here without knowing HTTP. HTTP works by request and response mechanism. The client which needs data, sends HTTP request message and the server responds with a response message. Mainly HTTP requests are of GET and POST types (Other types are beyond the scope of this tutorial). GET request is sent to server to retrieve the specified object. POST request is used to send data such as form entries(even your card details) to server.
Address resolution protocol is used by your switch to translate IP address to MAC address. The arriving packet will have your IP address and the switch you are connected to will have the ARP tables mapping your IP address to MAC address. This much understanding of ARP is enough for the hack.
So, What we gonna do?
We are going to perform the Man in the Middle attack. Once we are connected in the same network as of the victim, we fool the switch that we are the victim and the victim that we are the switch. So, the switch will send all the victim’s packets to us and the victim will send all the outgoing packets to us thinking that we’re the switch and we simply keep forwarding the traffic.
Now all the victim’s traffic will be going through us. Next is to grab a packet sniffing tool and read the packets transferred via us to get the victim’s details.
Let’s get our hands dirty
I found this nice tool called Ettercap which does all the above work for us. It’s available for Linux and Mac. Get it installed through apt, yum or brew on corresponding platforms.
I had hard time finding a website that still uses HTTP for sensitive data. Finally found this one having login and still not using HTTPS. I chose my old laptop as the victim and connected both of my machines to the same network.
Step 1 — Find the local IP address of your victim
Run the below command to find all the hosts in your network. All the IP addresses and their corresponding MAC address in your network will be shown. If not your victim is found try pinging the broadcast address before the command. The output of the command on my network is on the image below. batman-pc is the victim and the IP address is 192.168.43.133
Step 2 — Get in the middle
Now it’s time to call ettercap for the dirty job. Follow this to get to know the ettercap command basics. The command to fool the ARP is
sudo ettercap -T -M ARP /192.168.43.133///
T is for Text GUI mode. -M is for Man in the middle and replace the IP address with that of your victim. Now ettercap will do all the magic and the victim’s packet will be moving through you. Ettercap will log all the packets in the terminal. It’s nasty and you cannot find your required data.
Step 3 — Call Wireshark for rescue
Install wireshark, the cool packet sniffer. open wireshark and select the interface you’re using. I’m on WiFi, selecting WiFi shows all the packets going through the interface. Still it would be difficult to find the needed data. Apply filter http.request.method==”POST” as shown in the image to view only POST data. Remember client sends data through POST to server. Login to that website from the other machine and you can see the packet getting captured in wireshark.
To inspect the packet right click and select Follow->HTTP stream. The HTTP message can be read and the credentials can be found there. Below is my screenshot attached.
The last line has the email and password. Well done, hacker.
That’s why HTTPs
HTTPS encrypts these data before sending, so that a hacker like this will end up reading unmeaningful ciphertext. HTTPS saves you from becoming bankrupt every time you transact online.