SSLStrip not working in 2.11 #400

Closed
derekkddj opened this issue Nov 30, 2018 · 2 comments

derekkddj commented Nov 30, 2018

Sslstrip is not working in bettercap 2.11. When I go to http://yahoo.com, it responds with error 301, and Location: https://yahoo.com/. In this case, sslstrip is supposed to remove https://yahoo.com/, and replace it with http://yahoo.com/.
But bettercap is not doing this change. I can see this in the logs:

> 10.42.0.0/24 > 10.42.0.1  » [13:45:59] [net.sniff.http.request] http 10.42.0.87 GET yahoo.com/
> 10.42.0.0/24 > 10.42.0.1  » [13:45:59] [sys.log] [inf] [sslstrip] Got redirection from HTTPS to HTTP: http://yahoo.com -> https://yahoo.com
> 10.42.0.0/24 > 10.42.0.1  » [13:45:59] [net.sniff.http.response] http 98.138.219.231:80 301 Moved Permanently -> 10.42.0.87 (8 B text/html)
> 
> HTTP/1.1 301 Moved Permanently
> Access-Control-Allow-Methods: *
> Content-Type: text/html
> Location: https://yahoo.com/
> Via: http/1.1 media-router-fp1007.prod.media.ne1.yahoo.com (ApacheTrafficServer [c s f ])
> Access-Control-Allow-Headers: *
> Date: Fri, 30 Nov 2018 12:45:59 GMT
> Server: ATS
> Access-Control-Allow-Origin: *
> Cache-Control: no-store, no-cache
> Content-Language: en
> Set-Cookie: B=73tsq89e02c87&b=3&s=md; expires=Sat, 30-Nov-2019 12:45:59 GMT; path=/; domain=.yahoo.com
> Allow-Access-From-Same-Origin: *
> Connection: keep-alive
> Content-Length: 8

And the device gets redirected to https://yahoo.com, and I get a certificate error.

Environment

Please provide:

  • Bettercap version you are using. 2.11
  • OS version and architecture you are using. Kali Linux Rolling 2018
  • Go version if building from sources.
  • Command line arguments you are using. sudo bettercap -i wlan0
  • Caplet code you are using or the interactive session commands.
  • Full debug output while reproducing the issue ( bettercap -debug ... ).
> bettercap v2.11 (type 'help' for a list of commands)
> 
> 10.42.0.0/24 > 10.42.0.1  » [13:49:03] [sys.log] [dbg] FindGateway(wlan0) [cmd=ip opts=[route] parser=^(default|[0-9\.]+)\svia\s([0-9\.]+)\sdev\s(\w+)(?:\s.*|)$]
> 10.42.0.0/24 > 10.42.0.1  » [13:49:03] [sys.log] [dbg] FindGateway(wlan0) output:
> default via 192.168.1.1 dev eth0 proto dhcp metric 100 
> 10.42.0.0/24 dev wlan0 proto kernel scope link src 10.42.0.1 metric 600 
> 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.115 metric 100
> 10.42.0.0/24 > 10.42.0.1  » [13:49:03] [sys.log] [dbg] FindGateway(wlan0): nothing found :/
> 10.42.0.0/24 > 10.42.0.1  » [13:49:03] [sys.log] [war] Could not detect gateway.
> 10.42.0.0/24 > 10.42.0.1  » [13:49:03] [session.started] {session.started 2018-11-30 13:49:03.909608559 +0100 CET m=+0.071027294 <nil>}
> 10.42.0.0/24 > 10.42.0.1  » [13:49:03] [mod.started] events.stream
> 10.42.0.0/24 > 10.42.0.1  » [13:49:03] [mod.started] net.recon
> 10.42.0.0/24 > 10.42.0.1  » [13:49:03] [endpoint.new] endpoint 10.42.0.87 detected as c4:9a:02:6b:db:b3 (LG Electronics (Mobile Communications)).
> 10.42.0.0/24 > 10.42.0.1  » set http.proxy.sslstrip true
> 10.42.0.0/24 > 10.42.0.1  » set https.proxy.sslstrip true
> 10.42.0.0/24 > 10.42.0.1  » net.sniff on
> [13:49:43] [mod.started] net.sniff
> 10.42.0.0/24 > 10.42.0.1  » http.proxy on
> [13:49:46] [sys.log] [dbg] Applied redirection [wlan0] (TCP) :80 -> 10.42.0.1:8080
> [13:49:46] [mod.started] http.proxy
> 10.42.0.0/24 > 10.42.0.1  » [13:49:46] [sys.log] [inf] http.proxy started on 10.42.0.1:8080 (sslstrip enabled)
> 10.42.0.0/24 > 10.42.0.1  » https.proxy on
> [13:49:50] [sys.log] [inf] loading proxy certification authority TLS key from /root/.bettercap-ca.key.pem
> [13:49:50] [sys.log] [inf] loading proxy certification authority TLS certificate from /root/.bettercap-ca.cert.pem
> [13:49:50] [sys.log] [dbg] Applied redirection [wlan0] (TCP) :443 -> 10.42.0.1:8083
> [13:49:50] [mod.started] https.proxy
> 10.42.0.0/24 > 10.42.0.1  » [13:49:50] [sys.log] [inf] https.proxy started on 10.42.0.1:8083 (sslstrip enabled)
> 10.42.0.0/24 > 10.42.0.1  » [13:50:07] [sys.log] [dbg] (http.proxy) < 10.42.0.87:56010 GET yahoo.com/
> 10.42.0.0/24 > 10.42.0.1  » [13:50:07] [net.sniff.http.request] http 10.42.0.87 GET yahoo.com/
> 10.42.0.0/24 > 10.42.0.1  » [13:50:07] [sys.log] [dbg] (http.proxy) > 10.42.0.87:56010 GET yahoo.com/
> 10.42.0.0/24 > 10.42.0.1  » [13:50:07] [sys.log] [inf] [sslstrip] Got redirection from HTTPS to HTTP: http://yahoo.com -> https://yahoo.com
> 10.42.0.0/24 > 10.42.0.1  » [13:50:07] [net.sniff.http.response] http 98.138.219.231:80 301 Moved Permanently -> 10.42.0.87 (8 B text/html)
> 
> HTTP/1.1 301 Moved Permanently
> Access-Control-Allow-Headers: *
> Content-Language: en
> Content-Type: text/html
> Allow-Access-From-Same-Origin: *
> Date: Fri, 30 Nov 2018 12:50:07 GMT
> Cache-Control: no-store, no-cache
> Connection: keep-alive
> Location: https://yahoo.com/
> Set-Cookie: B=8iq4ba5e02cfv&b=3&s=av; expires=Sat, 30-Nov-2019 12:50:07 GMT; path=/; domain=.yahoo.com
> Via: http/1.1 media-router-fp1017.prod.media.ne1.yahoo.com (ApacheTrafficServer [c s f ])
> Access-Control-Allow-Methods: *
> Access-Control-Allow-Origin: *
> Server: ATS
> Content-Length: 8
> 
> 10.42.0.0/24 > 10.42.0.1  » [13:50:07] [sys.log] [dbg] [https.proxy] proxying connection from 10.42.0.87 to yahoo.com
> 10.42.0.0/24 > 10.42.0.1  » [13:50:07] [sys.log] [dbg] Creating spoofed certificate for yahoo.com:443
> 10.42.0.0/24 > 10.42.0.1  » [13:50:07] [sys.log] [dbg] Fetching TLS certificate from yahoo.com:443 ...
> [13:50:07] [net.sniff.https] sni 10.42.0.87 > https://yahoo.com
> 10.42.0.0/24 > 10.42.0.1  »  
> 

Steps to Reproduce

  1. Create an AP with my Kali Linux, on the wlan0 interface. I have IP 10.42.0.1 and I am the gateway for other devices
  2. Connect a smartphone to this network, it has IP 10.42.0.87
  3. Open browser in smartphone, with incognito mode on, try to access http://yahoo.com

Expected behavior: Smartphone gets redirected to http://yahoo.com

Actual behavior: Smartphone gets redirected to https://yahoo.com


AJRiley commented Dec 15, 2018

Same problem, however after leaving it for a few minutes it started to work for me then went off, not sure if it will for you.
bettercap 1.6.2 SSLstrip still works.
Strange.

@derekkddj
Author

I did more tests, and it seems that bettercap changes the domains and links in the HTML, but after the change... they didn't work as expected. I will do more tests next week.

Regards.

@evilsocket evilsocket self-assigned this Jan 12, 2019
@evilsocket evilsocket added the bug Something isn't working label Jan 12, 2019