
urlsnarf module simultaneously with sslstrip module?


BlackZero


Hi guys. I have Mark IV Pineapple with the latest firmware: 2.7.0 and the modules: sslstrip, urlsnarf installed in an external stick mounted in my pineapple.

I can run sslstrip and urlsnarf successfully but only separately. If I start both of them, urlsnarf is not showing any log output (Refresh is enabled, and Logging to usb is enabled). Is there a way to run them simultaneously? (because in a typical sslstrip mitm attack both of the tools can run). I don't know if it's a problem that only I face.

Thanks in advance


i have the similar issue.

i usually have urlsnarf working for couple of minutes and then it stops, and sslstrip takes over and only sslstrip works.

i think you cannot have both running simultaneously as sslstrip is forwarding everything to port 10000, and urlsnarf doesn't catch that

at least this was the explanation that i found on this forum a while ago.


Hmm thanks for your answer, but I think that generally sslstrip and urlsnarf can work together. I have tested them both in airssl script before and in custom mitm/sslstrip attacks in my test environment.

I think that WhistleMaster knows the reason for that "conflict".


  • 4 weeks later...

i have the similar issue.

i usually have urlsnarf working for couple of minutes and then it stops, and sslstrip takes over and only sslstrip works.

i think you cannot have both running simultaneously as sslstrip is forwarding everything to port 10000, and urlsnarf doesn't catch that

at least this was the explanation that i found on this forum a while ago.

urlsnarf should not interfere with sslstrip for a few reasons. first we gotta understand that sslstrip doesn't forward anything anywhere. The kernel forwards everything along except for traffic destined to port 80, that's why you'll normally have to enable forwarding mode, because iptables is doing all the forwarding in which it redirects all the http traffic to the sslstrip $LISTEN port which could be any port you choose, in this case it's 10000. sslstrip usually requires python-twisted-web module as well.

urlsnarf on the other hand doesn't listen on a port but on an interface. you can just tell it what and where to log, something like urlsnarf -i <iface> | grep http > /whichever/directory/you-like/whatever.txt

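Added example, not part of any post in this thread and not the module's own code: a small audit of `iptables-save` output that lists the nat PREROUTING REDIRECT rules of the kind described above and tells a port 80 redirect apart from a port 443 redirect. The sample ruleset, the interface name `br-lan` and the finding labels are constructed for illustration.

```python
import shlex

# Constructed sample in iptables-save format; not taken from any poster's device.
SAMPLE_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 10000
-A PREROUTING -i br-lan -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 10000
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
"""

WEB_PORTS = {"80": "http", "443": "https"}


def parse_redirects(ruleset):
    """Return one dict per (rule, destination port) for nat PREROUTING REDIRECTs."""
    found, table = [], None
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. *nat or *filter
            table = line[1:]
            continue
        if table != "nat" or not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        if tok[:2] != ["-A", "PREROUTING"]:
            continue
        # Map each option to the token that follows it (-j REDIRECT, --dport 80 ...).
        opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        if opts.get("-j") != "REDIRECT":
            continue
        # --dports is the multiport form and may carry a comma-separated list.
        dports = opts.get("--dport") or opts.get("--dports") or ""
        for dport in filter(None, dports.split(",")):
            found.append({"iface": opts.get("-i", "any"), "dport": dport,
                          "to_port": opts.get("--to-ports")})
    return found


def audit(ruleset):
    """Flag redirects of web ports; the labels are this example's own."""
    findings = []
    for r in parse_redirects(ruleset):
        proto = WEB_PORTS.get(r["dport"])
        if proto:
            label = "https-to-local-port" if proto == "https" else "http-to-local-port"
            findings.append((label, r["iface"], r["dport"], r["to_port"]))
    return findings
```

Run `audit()` on the text produced by `iptables-save -t nat` on the gateway to see which web ports are being diverted to a local listener.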

  • 4 weeks later...
Are you running sslstrip and urlsnarf both from the module gui or command line ?

In my case when I have this problem, I'm running both sslstrip and urlsnarf from the module gui. Haven't tried doing them from the command line.


Are you running sslstrip and urlsnarf both from the module gui or command line ?

I'm running them from the module gui. I first run urlsnarf and after that in another browser tab I run the sslstrip. When the sslstrip is enabled, urlsnarf cannot print any output..and I must set it to off.
I have the modules installed in USB.

In my case when I have this problem, I'm running both sslstrip and urlsnarf from the module gui. Haven't tried doing them from the command line.

How do you succeed to fix that issue when you have this problem?


I'm running them from the module gui. I first run urlsnarf and after that in another browser tab I run the sslstrip. When the sslstrip is enabled, urlsnarf cannot print any output..and I must set it to off.
I have the modules installed in USB.

How do you succeed to fix that issue when you have this problem?

I don't, haha. I still experience the issue, I was just stating that I've only tried it through the gui when I have the problem


I guess you both have the same issue ;)

Let me have a look at it, it may be an issue with some iptables stuff.

Thanks Whistle Master. I don't know if it helps but in a soft rogue AP (called AirSSL, airssl.sh) sslstrip and urlsnarf work like a charm.

Yes, maybe it's an iptables issue.

Edited by BlackZero

Why is iptables setup for port 80 and 443? Moxie's instructions say to just do port 80...so...??? And, if I leave it as such with both port 80 and 443, https traffic stops working for clients.

Also, Moxie's sslstrip is up to 0.9. Why are we still on 0.6? ... it doesn't seem to be stripping all SSL POSTS, e.g., Gmail logons produce nothing. [EDIT: ah, HSTS sites, that's why]

Edited by comatose603

0.9 runs on the pineapple actually :) May be a good idea to include it in the next version of sslstrip module :P In the meantime, you can download v0.9 here and copy it on your pineapple, then:

tar zxvf sslstrip-0.9.tar.gz
cd sslstrip-0.9
python ./setup.py install

Regarding port 80 and 443 redirection, this comes from this discussion with telot. I agree that according to some users and Moxie documentation, port 443 redirection should not be necessary.

Edited by Whistle Master

I will add the option to select the interface where urlsnarf is running, which may allow using both at the same time. urlsnarf v2.6 is out with interface selection :)

Someone also suggested to get sslstrip to run on port 8080, which could allow urlsnarf to pick up the traffic.

Edited by Whistle Master

Great! ... I'm not sure why Telot wanted port 443, he doesn't seem to say in that thread...no? If I have it in the PREROUTING table, as it is by default in the module, all https just grinds to a halt for clients. So something should be done.

Also, SSLstrip logs should state the source/client IP address. It's super confusing as to what POST is coming from what client.


Another issue I noticed is that not all SSL POSTs (say to Facebook) get logged. The initial logon attempt works, but for some reason it's not picking up retries. Any thoughts?

Edited by comatose603