SSLStrip not working

[infektiv]

Hey guys,

SSLStrip is not working and I cant find any existing threads to troubleshoot this issue.

I've tried installing on SSLStrip on the USB & Internal, Rebooting the wifi pineapple but these didnt help.

I tried different settings within SSLStrip GUI - turning on Verbose, turning on Auto Refresh but still no luck.

The workstation is definitely connected to the pineapple because DNSSpoof Random Roll works.

When I navigate to facebook.com on the victim's workstation the URL still says 'https://facebook.com/?_rdr'

Version:

Wifi Pineapple Firmware version: 2.8.1

Sslstrip v2.9

Thanks in advance for any help you can provide.

[cooper]

Did the victim visit facebook before? If so, HSTS would make the browser default to the https URL resulting in SSLStrip being able to perform its magic.

[infektiv]

Did the victim visit facebook before? If so, HSTS would make the browser default to the https URL resulting in SSLStrip being able to perform its magic.

Yes the victim did visit facebook but i had logged off prior to SSLStrip.

Is there any way around HSTS?

[cooper]

Logging off doesn't matter. Because the browser saw the HSTS tag in the server response it will from that point on always default to https, probably even when the user explicitly puts "http://www.facebook.com" in the URL.

There is no way around HSTS that I know of. You're going to have to completely remove/reinstall the browser on this test machine. Either that, or simply use another browser.

Also note that you should be using ssl-strip-hsts instead of regular ssl-strip. The former also strips the HSTS header from the server response meaning that so long as you're MITM-ing this victim you're golden but once the victim accesses Facebook directly, you're screwed.

[Guest]

SSLstrip is 4 years old so other people have been working on ways to improve it such is this which claims it can avoid HSTS.

[cooper]

It's worth noting that nowadays browsers like Chrome and Firefox are installed with a pre-populated list of hosts for which hsts is on.

Forcing a browser to use https (which is what HSTS enables for a specific timespan relative to the timestamp of the last request to that host) means ssl stripping is impossible, no matter which version/variation of sslstrip you use.

You could try to MITM using an sslbump-enabled proxy but it requires the client to trust your server cert (which I think you needed to have achieved before you can MITM the user) and will probably still fail for DNSSEC certs (the ones where the URL bar in firefox doesn't contain the lock, but also an insert with the name of the company in question).

[infektiv]

Do you guys know if sslstrip2 and dns2proxy will work?

It's worth noting that nowadays browsers like Chrome and Firefox are installed with a pre-populated list of hosts for which hsts is on.

Forcing a browser to use https (which is what HSTS enables for a specific timespan relative to the timestamp of the last request to that host) means ssl stripping is impossible, no matter which version/variation of sslstrip you use.

You could try to MITM using an sslbump-enabled proxy but it requires the client to trust your server cert (which I think you needed to have achieved before you can MITM the user) and will probably still fail for DNSSEC certs (the ones where the URL bar in firefox doesn't contain the lock, but also an insert with the name of the company in question).

[cooper]

Work for what, specifically?

QFE:

[using HSTS] means ssl stripping is impossible

[shamwow]

Sslstrip2 bypasses HSTS.

[overl0ad3r]

I'm doing some pentests on a HTTPS (443) server that DOES NOT have HSTS implemented (no HSTS headers on response and the address is not on chrome HSTS pre loaded list).

The problem is that in my scenario the user has visited the web site before, so it has the first http (80) request response cached on the browser.

So when the user types in "targetaddress.com" the browser automatically gets the cached redirect (301 - http to https) also making the first sslstrip useless.

My workaround for this was to block 443 requests so the user, not being able to connect to the target, goes and manually clear the browser cache/history in a attempt to restore connection. Then sslstrip will be effective as it now will intercept/tamper http request (301 redirect) response.

Are there any other better ways to do this, other than blocking port 443 and without using sslstrip2/dns2proxy ?

[Karit]

If site has HSTS the only way to SSL Strip a user is on the user's very first visit in that browser. As they may got to the HTTP site first.

If they have visited a site with HSTS the browser will never go to the HTTP version.

If the site is in the preload list (https://code.google.com/p/chromium/codesearch#chromium/src/net/http/transport_security_state_static.json) the browser will never go the HTTP regardless. To add a site to the preload need hsts headers then to be added to https://hstspreload.appspot.com/

Given how HSTS use is growing and the preload list is also growing SSL Strip is going to become less effective. As HSTS and preload is designed to stop this. Almost got to look rolling out custom browser or some other totally new class of attack. With sites like https://www.ssllabs.com/ssltest/it is much easier for owners to valid the setup of their site.

Then to help stop rouge certs there is Host Key Pinning that pins on the public or the CA. Google has that set up in the Preload list and other sites are doing it through the headers. https://en.wikipedia.org/wiki/HTTP_Public_Key_PinningWith this if you are trying a MitM the user won't even get a self signed warning to click through the browser just want even let them in.

One attack that may work is actually going after the cipher weaknesses and decrypting the traffic. Use BEAST, POODLE, etc to attack the sites.

[Rainman_34]

I stopped doing testing on my stuff and for my friends about a year and a half ago and as I am back to trying to get my Information Systems Security degree I am back on learning how all of this works again. My oh my how things have changed in what for most things is a short time but for this stuff is a long time.