Showing results for tags 'https'.

Found 18 results

  1. I want to use Charles/Fiddler to capture HTTPS traffic from an application. After installing the trusted root certificate I've noticed that not every application will accept it. For example, I can intercept all requests made by Chrome, but in Firefox I need to add the trusted certificate separately. When capturing traffic from a Java application, the certificate needs to be added to the JVM TrustStore, and in the case of a Python script we need to add a line of code that uses the exported certificate. How can I analyze requests made by some software that supports a proxy (so a reverse proxy can easily be used) but, after running it, I cannot get plaintext because it needs a trusted certificate?
  2. Is it possible to make a man-in-the-middle attack in our proxy? I mean, I want to make a proxy server on a Raspberry Pi 3 and get all data (like Wireshark does when it sniffs), including HTTPS requests. My second question is: how do I make the data reach my server (the RPi) without configuring the modem and the DMZ, something like redirecting the requests via an external server and a client on the Pi? My internet company changed my modem recently, and even when I configure the DMZ and port forwarding on it, external connections don't get in. I'm looking for an alternative. (Again, sorry for my bad English.)
  3. Hello Group, I figured I'd ask this question here and see what kind of response is put forth. TIA. Security is always on my mind, and creating many embedded devices using Linux (custom builds) is one of the things I do, and I want to be security minded. Most small IoT devices have some sort of setup, monitoring and configuration via an HTTP server. I would like to use HTTPS (SSL or TLS). It seems that I'll need a cert for each device for HTTPS in order for it to function as needed. Q1: Do I really need a separate cert for each device? Q2: What happens with an HTTPS server in an air-gapped (isolated from the internet) network? Q3: Is the cert thing the reason why most IoT devices don't encrypt? Q4: Is there a group trying to tackle this problem? Again, thanks for the help, and Hak5, thanks for making me more security conscious. Cheers! Like in beer.
  4. Hi, I'm new to pentesting. I got my Pineapple NANO last month. I have been learning by watching tutorials available on the internet since then. Most of the material available is related to the NANO's predecessors, and I have found that some of them don't work anymore, or I'm not being guided appropriately. Modules like SSLsplit, DNSspoof, DNSMasq Spoof, Evil Portal etc. don't seem to work anymore. SSLsplit and DNSMasq don't seem to work in the case of HTTPS sites. On browsers like Chrome, Firefox etc. sites like Facebook, Gmail etc. don't even open when I try to DNS-spoof, and secondly the data is still encrypted after using SSLsplit. In fact we just can't open the site without HTTPS. So I needed to know: after the implementation of HSTS, have these modules become completely useless? Or is there some way around it using them? P.S. I'm a newbie so please guide me thoroughly.. :)
  5. Hello community, I have an Alfa Hornet AP121-U access point, the hardware basis of the WiFi Pineapple MK4, and I have successfully flashed firmware V3.0.0 on the device. But the connection functions/options back to cloud.wifipineapple.com to get updates, infusions, or even to show the Internet IP do not work. I think this is because the backend was migrated to HTTPS-based connections, and the wget software, part of busybox 1.19.4 (as it comes with FW 3.0.0), does not support HTTPS-encrypted connections; only HTTP or FTP connections are supported. Idea: Since wget is provided by busybox, would it be possible to recompile busybox and replace it on the Pineapple? The latest version of busybox can be found here: https://busybox.net/downloads/ For cross-compiling busybox for an ARM target, I followed this description: http://wiki.beyondlogic.org/index.php?title=Cross_Compiling_BusyBox_for_ARM I get a binary busybox file of 964KB using all the default options for busybox version 1.24.2. The busybox binary on my Pineapple has a size of 417.6KB. I doubt that my new busybox fits in the memory of the AP-121U based Pineapple. libopenssl seems to be installed on FW 3.0.0; check:
     opkg status | grep -A 7 Package:\ libopenssl
     gets me this:
     Package: libopenssl
     Version: 1.0.1.e-1
     Depends: libc, zlib
     Providers:
     Status: install ok installed
     Architecture: ar71xx
     Installed-Time: some_number
     So my understanding of this is that openssl is available on the Pineapple, so wget could make use of it. I believe that wget not supporting HTTPS connections is the main problem working with MK4-based hardware.
This is my insight after studying these posts: https://forums.hak5.org/index.php?/topic/37829-cant-download-infusion-and-use-opkg-update-command/ https://forums.hak5.org/index.php?/topic/37775-some-mk4-problems/ https://forums.hak5.org/index.php?/topic/37783-markiv-infusions-wanted/ Quote by Sebkinne: "We'll ensure the mk4 services are back up soon - the issue is that the mk4 doesn't use ssl." Help needed: So, does anyone have recommendations on how to configure the build of busybox so that I have the same functionality as the one on FW 3.0.0 of the Pineapple and also get a similar size? Further input would be helpful. Regards, tomscrat
  6. I am experiencing a slight problem. I used to use Kali Linux 1.1.0 and it was running very well. So I chose to update to Kali Linux 2.0.0. Since my update to Kali 2.0.0, my Metasploit cannot establish a connection through the HTTPS payload. The connection will be accepted and will open, but my PC will say "Session is not valid and will be closed". If the connection gets established and stays open (it sometimes works..), then my commands will not be executed. I have already created a new payload with msfvenom and it doesn't solve my problem. Do you have any suggestions or experiences with this problem, and if yes, can you please help me fix it?
  7. Anyone seen this or have any thoughts on it? HTTPS Bicycle Attack: https://guidovranken.files.wordpress.com/2015/12/https-bicycle-attack.pdf Sounds good, especially if you have some HTTPS data you've been wanting to decrypt lying around. Also seems like it's going to be up to webmasters to implement changes to prevent it, and not something end users can do on their own to get around it being a problem.
  8. Can we bypass HSTS by using this MITM technique? The attack works on the latest versions of iOS including iOS 8.1.1 and on most Android devices. Source: https://blog.zimperium.com/doubledirect-zimperium-discovers-full-duplex-icmp-redirect-attacks-in-the-wild/
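The arithmetic behind the Bicycle attack linked in post 7, as an added example that is neither the paper's code nor anything from the original post. With a cipher that adds a fixed per-record overhead (RC4+MAC, AES-GCM, ChaCha20-Poly1305) the TLS record length equals the plaintext length plus a constant, so an observer who knows the shape of a login POST and the lengths of its other fields can solve for the password length; random padding makes the answer ambiguous. The request template, cookie, host name, username and overhead values below are constructed for the demonstration.

```python
"""Length leak behind the "HTTPS Bicycle" attack, worked on a constructed login POST."""

TLS_HEADER = 5          # content type + version + length
GCM_OVERHEAD = 8 + 16   # TLS 1.2 AES-GCM: explicit nonce + auth tag per record (assumed cipher)


def record_length(plaintext: bytes, overhead: int = GCM_OVERHEAD) -> int:
    """What a passive observer sees for one record: header + ciphertext + fixed overhead."""
    return TLS_HEADER + len(plaintext) + overhead


def build_login_post(host: str, cookie: str, username: str, password: str) -> bytes:
    """Constructed request template; the only unknown to the attacker is the password."""
    body = f"username={username}&password={password}".encode()
    headers = (
        f"POST /login HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: {cookie}\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode()
    return headers + body


def possible_password_lengths(observed: int, host: str, cookie_len: int, username: str,
                              pad_max: int = 0, overhead: int = GCM_OVERHEAD) -> list:
    """Every password length consistent with one observed record length.

    cookie_len and username are things the attacker learned from earlier,
    similarly shaped requests. pad_max is the largest padding the server may
    add (0 for stream ciphers and unpadded AEAD). The attack succeeds when
    exactly one length fits; Content-Length's digit count changes with the
    body size, which is why candidates are enumerated instead of subtracted."""
    fits = []
    for pw_len in range(0, 1024):
        probe = build_login_post(host, "c" * cookie_len, username, "p" * pw_len)
        base = record_length(probe, overhead)
        if base <= observed <= base + pad_max:
            fits.append(pw_len)
    return fits


if __name__ == "__main__":
    cookie = "sid=abcdef0123456789"
    seen = record_length(build_login_post("example.test", cookie, "alice", "correct horse battery"))
    print("unpadded:", possible_password_lengths(seen, "example.test", len(cookie), "alice"))
    print("padded  :", possible_password_lengths(seen, "example.test", len(cookie), "alice", pad_max=255))
```

The webmaster-side fix the post alludes to is exactly the `pad_max` branch: once records carry variable padding, the observed length no longer pins down a single password length.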
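The DoubleDirect write-up linked in post 8 is built on ICMP Redirect (RFC 792, type 5). As an added example, not taken from the post or from Zimperium's article, this builds such a message, parses it back with checksum verification, and applies the detection rule a defender would run over captured ICMP: a redirect is only legitimate when it is sent by the router you are using and names another router on the link. All addresses and the "trusted routers" set are constructed.

```python
"""Build, parse and flag ICMP Redirect (type 5) messages. Constructed addresses throughout."""
import ipaddress
import struct

ICMP_REDIRECT = 5
REDIRECT_CODES = {0: "network", 1: "host", 2: "tos+network", 3: "tos+host"}


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; verifies to 0 over a packet that includes its checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header; a redirect quotes the victim's header plus 8 payload bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_redirect(new_gateway: str, victim_src: str, victim_dst: str, code: int = 1) -> bytes:
    """ICMP Redirect telling victim_src to reach victim_dst via new_gateway."""
    quoted = build_ipv4_header(victim_src, victim_dst, 8) + b"\x00" * 8
    body = ipaddress.IPv4Address(new_gateway).packed + quoted
    csum = checksum(struct.pack("!BBH", ICMP_REDIRECT, code, 0) + body)
    return struct.pack("!BBH", ICMP_REDIRECT, code, csum) + body


def parse_redirect(packet: bytes):
    """Return the redirect's fields, or None if this is not a checksum-valid redirect."""
    if len(packet) < 8 + 20 + 8:
        return None
    icmp_type, code, _ = struct.unpack("!BBH", packet[:4])
    if icmp_type != ICMP_REDIRECT or checksum(packet) != 0:
        return None
    ip = packet[8:28]                                   # quoted IPv4 header
    return {
        "code": REDIRECT_CODES.get(code, "unknown"),
        "gateway": str(ipaddress.IPv4Address(packet[4:8])),
        "orig_src": str(ipaddress.IPv4Address(ip[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(ip[16:20])),
        "orig_proto": ip[9],
    }


def is_suspicious(packet: bytes, icmp_src: str, trusted_routers) -> bool:
    """DoubleDirect pattern: a redirect not sent by a known router, or pointing at a non-router."""
    info = parse_redirect(packet)
    if info is None:
        return False
    return icmp_src not in trusted_routers or info["gateway"] not in trusted_routers
```

On a Linux host the endpoint-side mitigation is to stop honouring redirects at all (`net.ipv4.conf.all.accept_redirects = 0`, and the same for `send_redirects` on routers you control); the detector above is for spotting the attempt on the wire, which matters on the phones the post mentions where you cannot change that setting.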
  9. After reading countless threads about SSLSTRIP not working on systems such as Safari, Firefox, and Chrome, I wanted to inquire about something that was released at Defcon Asia... SSLSTRIP 2 and DNS2PROXY https://github.com/LeonardoNve/sslstrip2 "This is a new version of Moxie's SSLstrip with the new feature to avoid HTTP Strict Transport Security (HSTS) protection mechanism. This version changes HTTPS to HTTP as the original one plus the hostname at html code to avoid HSTS. Check my slides at BlackHat ASIA 2014 OFFENSIVE: EXPLOITING DNS SERVERS CHANGES for more information. For this to work you also need a DNS server that reverse the changes made by the proxy, you can find it at https://github.com/LeonardoNve/dns2proxy. Demo video at: http://www.youtube.com/watch?v=uGBjxfizy48" The DNS Proxy: I am having a really hard time following the instructions. I've tried to contact the developer for clarification but no luck. Anyone else care to chime in on how to set up dns2proxy? Also, is there anyone willing to take on the challenge of adding this as an infusion to the Pineapple? My understanding is this would allow you to compromise all browsers such as Safari, Chrome, and Firefox? The demo video interestingly enough shows quite vividly a proof of concept -- just trying to figure out how to do this. I'm running a few Kali Linux machines; can someone clarify how I'm supposed to set up the DNS proxy? To the ENTIRE Hak5 Team: Thank you for working on a device that is truly amazing and endless with opportunity. We are only limited by our creativity when it comes to deployment with this awesome device. I took it upon myself to invest in all the bells and whistles that came with the Mark V. Let's talk about build quality - FIRST CLASS! This thing is scary - to the untrained eye you wouldn't have ANY idea what it is... To the trained eye, the only term that comes to mind is pwned and operated. PineAP: ...
So that's what Dogma does -- and that's why Karma doesn't work as expected anymore :D -- Soooo many questions on this forum could be answered by watching this regarding Karma. Chris Haralson https://www.youtube.com/channel/UCK15ED34btB3NZznGIXQuwA This guy's videos and guides are first class, aimed at people with my skill set; I really couldn't ask for anything to be clearer. I am anxiously awaiting your future guides and videos. (*I check back every day.*) My office :D And a snazzy little pic of some pineapples....
  10. Hi, I have made some fake pages for known sites like Facebook etc. I have also installed dnsmasq in Kali and set up an Apache server, and everything is okay. Now when the victim visits Facebook in Chrome, for example, it will tell him that this is unsecured because of HTTPS. Is there any way or tool in Kali to avoid that, or anything else? Would be great, thanks :)
  11. Hi guys, on my blog I wrote a post about a MitM attack using SSLStrip + arpspoof. It's in Italian so I don't know if you can understand it: http://www.gianlucaghettini.net/intercettazione-traffico-https-e-recupero-dati-sensibili/ Other than the actual attack (which is very well known) I focused on the HSTS policy and how it is useful to prevent such attacks. Do you know of any successful attempt to break such a security policy? Poisoning the DNS cache of the target host could lead to a scenario in which the target browser goes to a fake domain, receives a forged HTTP header with a max-age value of zero: Strict-Transport-Security: max-age=0; includeSubDomains and then gets redirected to the real site. The HSTS RFC says that browsers SHOULD ignore the HSTS header when in HTTP mode, but maybe this very specific check was not implemented on all browsers.
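Posts 4, 9 and 11 all turn on what a browser's HSTS store does and does not do. The model below is an added example, not code from any post, browser or from sslstrip2/dns2proxy; it implements the three rules from RFC 6797 that decide those questions: a Strict-Transport-Security header is only honoured on a response received over TLS (section 8.1 says the UA MUST ignore it on insecure transport, which is the check post 11 asks about), `max-age=0` removes an existing policy, and `includeSubDomains` decides whether a host name rewritten the way sslstrip2 does (post 9) is still covered. Host names, the preload entries and the clock are constructed.

```python
"""Model of a browser's HSTS policy store (RFC 6797). Constructed hosts; no network."""
import re
import time

MAX_AGE_RE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


def parse_sts(header: str):
    """Return (max_age, include_subdomains), or None for an invalid header.

    max-age is mandatory, directive names are case-insensitive, and a repeated
    directive invalidates the whole header (RFC 6797 section 6.1)."""
    max_age, include_sub, seen = None, False, set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name = directive.split("=", 1)[0].strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            m = MAX_AGE_RE.fullmatch(directive)
            if not m:
                return None
            max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    def __init__(self, preload=None, clock=time.time):
        self.clock = clock
        self.policies = {}                      # host -> (expiry, include_subdomains)
        for host, include_sub in (preload or {}).items():
            self.policies[host.lower()] = (float("inf"), include_sub)

    def process_response(self, host: str, scheme: str, sts_header) -> bool:
        """Apply a response's STS header; True if the store changed."""
        host = host.lower()
        if scheme != "https" or sts_header is None:
            return False                        # plain-HTTP responses can neither set nor clear HSTS
        parsed = parse_sts(sts_header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self.policies.pop(host, None)       # only the site itself, over TLS, can withdraw a policy
            return True
        self.policies[host] = (self.clock() + max_age, include_sub)
        return True

    def is_known(self, host: str) -> bool:
        """True if host, or a superdomain whose policy has includeSubDomains, is unexpired."""
        labels = host.lower().split(".")
        now = self.clock()
        for i in range(len(labels)):
            entry = self.policies.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue
            if i == 0 or entry[1]:
                return True
        return False

    def navigate(self, url: str) -> str:
        """Return the URL the browser actually fetches: http:// is upgraded when HSTS applies."""
        scheme, rest = url.split("://", 1)
        host = rest.split("/", 1)[0].split(":")[0]
        if scheme == "http" and self.is_known(host):
            return "https://" + rest
        return url
```

Two lookups are the interesting ones. `navigate("http://wwww.example.com/")` after only `www.example.com` has set a policy is the sslstrip2 rename: it is not upgraded, because no policy covers that name; once `example.com` sets `includeSubDomains` (or is preloaded) the rename stops working. And `process_response(..., "http", "max-age=0; ...")` is the DNS-poisoning idea from post 11: a conforming store returns False and keeps the policy, because the header arrived over plain HTTP.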
  12. Hi everyone, I'm using a Mark V and I want HTTPS on uhttpd, so I tried installing uhttpd-mod-tls and luci-ssl and then restarted uhttpd:
     root@Pineapple:~# /etc/init.d/uhttpd restart
     Generating RSA private key, 1024 bit long modulus
     Generating selfsigned certificate with subject 'C=DE;ST=Berlin;L=Berlin;CN=OpenWrt;' and validity 2014-03-24 12:03:50-2016-03-23 12:03:50
     Then I tried to access https://172.16.42.1 via web browser but I got the message (Error code: ssl_error_rx_record_too_long). This is my uhttpd config file:

     # Server configuration
     config uhttpd main
         option 'index_page' 'index.php'
         option 'error_page' '/index.php'

         # HTTP listen addresses, multiple allowed
         list listen_http 0.0.0.0:80
         # list listen_http [::]:80

         # HTTPS listen addresses, multiple allowed
         list listen_https 0.0.0.0:443
         # list listen_https [::]:443

         # Server document root
         option home /www

         # Reject requests from RFC1918 IP addresses
         # directed to the servers public IP(s).
         # This is a DNS rebinding countermeasure.
         option rfc1918_filter 1

         # Certificate and private key for HTTPS.
         # If no listen_https addresses are given,
         # the key options are ignored.
         option cert /etc/uhttpd.crt
         option key /etc/uhttpd.key

         # CGI url prefix, will be searched in docroot.
         # Default is /cgi-bin
         option cgi_prefix /cgi-bin

         # List of extension->interpreter mappings.
         # Files with an associated interpreter can
         # be called outside of the CGI prefix and do
         # not need to be executable.
         list interpreter ".php=/usr/bin/php-cgi"
         # list interpreter ".cgi=/usr/bin/perl"

         # Lua url prefix and handler script.
         # Lua support is disabled if no prefix given.
         # option lua_prefix /luci
         # option lua_handler /usr/lib/lua/luci/sgi/uhttpd.lua

         # CGI/Lua timeout, if the called script does not
         # write data within the given amount of seconds,
         # the server will terminate the request with
         # 504 Gateway Timeout response.
         option script_timeout 60

         # Network timeout, if the current connection is
         # blocked for the specified amount of seconds,
         # the server will terminate the associated
         # request process.
         option network_timeout 30

         # TCP Keep-Alive, send periodic keep-alive probes
         # over established connections to detect dead peers.
         # The value is given in seconds to specify the
         # interval between subsequent probes.
         # Setting this to 0 will disable TCP keep-alive.
         option tcp_keepalive 1

         # Basic auth realm, defaults to local hostname
         # option realm OpenWrt

     # Certificate defaults for px5g key generator
     config cert px5g
         # Validity time
         option days 730
         # RSA key size
         option bits 1024
         # Location
         option country DE
         option state Berlin
         option location Berlin
         # Common name
         option commonname OpenWrt

     config uhttpd pineapple
         list listen_http 0.0.0.0:1471
         option home /pineapple
         option index_page index.php
         option 'error_page' '/index.php'
         option no_dirlists 1

         # Configuration file in busybox httpd format
         option config /etc/config/httpd.conf
         option rfc1918_filter 1

         # Certificate and private key for HTTPS.
         # If no listen_https addresses are given,
         # the key options are ignored.
         option cert /etc/uhttpd.crt
         option key /etc/uhttpd.key

         # CGI url prefix, will be searched in docroot.
         # Default is /cgi-bin
         option cgi_prefix /cgi-bin

         # List of extension->interpreter mappings.
         # Files with an associated interpreter can
         # be called outside of the CGI prefix and do
         # not need to be executable.
         list interpreter ".php=/usr/bin/php-cgi"

         # CGI/Lua timeout, if the called script does not
         # write data within the given amount of seconds,
         # the server will terminate the request with
         # 504 Gateway Timeout response.
         option script_timeout 60

         # Network timeout, if the current connection is
         # blocked for the specified amount of seconds,
         # the server will terminate the associated
         # request process.
         option network_timeout 30

         # TCP Keep-Alive, send periodic keep-alive probes
         # over established connections to detect dead peers.
         # The value is given in seconds to specify the
         # interval between subsequent probes.
         # Setting this to 0 will disable TCP keep-alive.
         option tcp_keepalive 1

     Has anyone had the same problem? How can I fix it? Thanks for helping. P.S.: I see the two files uhttpd.crt and uhttpd.key have been created.
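The error quoted in post 12, ssl_error_rx_record_too_long, is the NSS (Firefox) name for a received TLS record whose length field exceeds the maximum allowed. A client sees it when the server answers its ClientHello with bytes that are not TLS at all, most commonly a plaintext HTTP response on the TLS port. The following added example, not part of the post or of uhttpd, parses the 5-byte TLS record header (RFC 5246 section 6.2.1) from the first bytes a server sends back and shows why an ASCII status line trips that exact check. Both sample replies are constructed.

```python
"""Parse a TLS record header and explain ssl_error_rx_record_too_long. Constructed sample replies."""
import struct

TLS_MAX_PLAINTEXT = 2 ** 14          # 16384 bytes of plaintext per record (RFC 5246 6.2.1)
TLS_MAX_CIPHERTEXT = 2 ** 14 + 2048  # largest ciphertext record a TLS 1.2 receiver must accept
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def parse_record_header(data: bytes) -> dict:
    """Split the first five bytes into content type, protocol version and record length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {
        "content_type": content_type,
        "type_name": CONTENT_TYPES.get(content_type, "unknown"),
        "version": (major, minor),
        "length": length,
    }


def diagnose(reply: bytes) -> str:
    """Classify what a server sent back after our ClientHello."""
    hdr = parse_record_header(reply)
    if reply.startswith(b"HTTP/"):
        # 'H','T','T','P','/' read as type 0x48, version 0x5454, length 0x502f = 20527
        return ("plaintext HTTP on a TLS port: 'HTTP/' parses as record type "
                f"0x{hdr['content_type']:02x} with length {hdr['length']} > "
                f"{TLS_MAX_CIPHERTEXT}, which is what 'record too long' reports")
    if hdr["type_name"] == "unknown":
        return f"not TLS: unknown content type 0x{hdr['content_type']:02x}"
    if hdr["length"] > TLS_MAX_CIPHERTEXT:
        return f"TLS-looking header but oversized record ({hdr['length']} bytes)"
    return f"TLS {hdr['type_name']} record, {hdr['length']} bytes"


# Constructed: what a web server without TLS returns on :443, and the start of a ServerHello.
PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
SERVER_HELLO = b"\x16\x03\x03\x00\x55\x02\x00\x00\x51\x03\x03"

if __name__ == "__main__":
    for sample in (PLAINTEXT_REPLY, SERVER_HELLO):
        print(diagnose(sample))
```

The practical check is the same from a shell: connect to the port with `openssl s_client` and see whether the first bytes back are a TLS handshake record (0x16 0x03 ...) or readable HTTP; the latter means the listener on 443 is serving without TLS, whatever the config file says about `listen_https`.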
  13. Hey guys, sorry if I put this in the wrong category. I'm trying to use SSLstrip + ARP spoofing. I do exactly the same as in every tutorial. But once everything is done, my victim has no internet. He can't load the page! If I just ARP spoof my target and use something like urlsnarf, everything works fine... Can someone please help me? I've been searching for a solution for a while. By the way, sorry for my bad English. :(
  14. Hey guys, I've just covered HTTP Strict Transport Security (HSTS) and how it helps to improve web security. Any feedback on the blog or input anyone has would be much welcomed. Check it out here: http://scotthel.me/hsts Scott.
  15. Hello! Does anyone know how the NSA can spy on HTTPS traffic? As far as I know (please correct me if I'm wrong), an SSL certificate has a public key, a private key, and the issuer has a MASTER key? And that key is used by the NSA to listen to HTTPS traffic? What about an HTTPS connection without a 'certified' SSL certificate? When my server generates it, it only has a pair of keys, no MASTER key..... Does this mean that this type of HTTPS connection is safer than one with a Verisign-issued certificate? Why does Darren keep saying that HTTPS is not that secure, and a VPN is more secure.. only because the data can be compromised at the receiving end? Looking forward to an enlightening discussion.
  16. Hi All, Scenario/Background: I'm on a boat. We use VSAT + a two-year-old Cisco router. The router has been locked down. The only ports open are 80 (http), 443 (https), 25 (mail), 3389 (RDP). When travelling I used to be able to use OpenVPN (udp), PPTP VPN (tcp), or a socksified (-D) SSH connection to tunnel my traffic. That's no longer the case. I borked my VPS server trying to get around the above-stated issue. It's left me in a bit of a pickle. I can use TOR to get to my VPS's CPANEL (control panel). I have to use a service like TOR because the CPANEL is on a non-standard web port (5454). I can't reinstall the server though. To do that I need to VNC to the VPS. I use 'Chicken of the VNC', which doesn't support proxying like a web browser does. I've looked at a few options, like NoVNC etc., which are browser-based HTML5 implementations of a VNC client, but they rely on a companion server which my VPS is not running. Any ideas? (1A) Help! *I'm asking a friend to remotely reconfigure my server and to run SSH on port 443 so I'll have SSH access and web proxying ability, but it has led me to even more questions. I hope that the firewall doesn't filter at Layer 7 of the networking stack; otherwise I might need a better solution. What are some ways to accomplish this? (2A) Below is what I've found so far. Please help me add to the list of possibilities. Is there a software solution (Mac OS X or Ubuntu) that allows a user to specify which application uses the socksified SSH connection (ex. ssh -D 8080 username@y.y.y.y) on the local machine? (3A) It would be ideal if an application could force traffic over the SSH connection. For example, tell 'Chicken of the VNC', Adium, etc. to route through SSH without having to set a proxy in their individual preferences (most don't even have the option/ability). Future Solutions
     1B.
     # Ubuntu wiki says this might be a problem on some VPS's - https://help.ubuntu....y/IptablesHowTo
     # execute on remote server
     iptables -t nat -I PREROUTING -p tcp -m conntrack --ctstate NEW -s x.x.x.x -d y.y.y.y --dport 443 -j REDIRECT --to-port 22
     or
     # execute on remote server
     iptables -t nat -I PREROUTING --src x.x.x.x --dst y.y.y.y -p tcp --dport 443 -j REDIRECT --to-ports 22
     sudo iptables -t nat -L -n -v
     # execute on local machine in Terminal
     ssh -p 443 -D 8080 username@y.y.y.y
     2B. http://www.thoughtcr...tware/firemole/
     3B. http://dag.wieers.co...http-tunneling/ *Anyone know of a more current way to do this? (4A) The software doesn't look like it's been updated since 2009.
     4B.
     sudo nano /etc/ssh/sshd_config
     change the line "Port 22" to "Port 443"
     to save --> hit ctrl+o, then ctrl+x
     sudo restart ssh
     *How does encrypted web traffic (https 443) still work if SSH is now using port 443 on the VPS? (5A)
  17. I've just ordered my Pineapple ... all excited. My application is not security oriented -- it's just to be an access point that will serve internal web pages & PDFs to connected client devices, as in a classroom for example, or for advertising. In this application, the Pineapple will not be connected to the Internet. All Wi-Fi connections to the Pineapple SSID will need to be redirected to the internal webserver. If I understand correctly, this should be easy. Could anyone answer a few questions? 1. Will https attempts be redirected, or go nowhere? For example, some user browsers default to an https site such as for E-mail. They'll need to be redirected automatically to the internal web. 2. How much storage space is there internally for the webserver? Can it get files from external USB storage if needed? 3. What actual webserver is it? Apache? Nginx ... etc.? Got PHP? 4. It may be necessary to use WPA. This is not for security reasons; it's because some user browsers, like on my Kindle Fire, throw up their own "login" screen when the user attempts to connect to a truly unsecured access point. And it confuses the user because if my AP is open, it isn't asking for a login. Don't even get me started on iOS devices with their "success.html" thing that has to be simulated in order to avoid their Log In browser. So I may have to use WPA and give out a password. I understand that the Pineapple AP doesn't do WPA. So can the Pineapple bypass its internal AP and be hardwire connected to an external AP that is set up with WPA? I sure hope so. Thanks.
  18. Hello, I created a bunch of phishing pages for Facebook, Twitter, and Gmail to test out the dns-spoof function on the Mark IV Pineapple. The pages work fine and the Pineapple will redirect the traffic to the fake login pages that I created; however, when the victims type in an HTTPS address like https://twitter.com the redirect won't work, and a connection error message shows up in the browser, or sometimes they will see the real site's HTTPS version. Is there any way around this? Can I redirect HTTPS links to a landing page as well? Thanks
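Question 5A in post 16 is the right one to ask: once sshd itself listens on 443 (4B), nothing else can, whereas the 1B rule only redirects connections arriving from the single source `-s x.x.x.x`, so other clients still reach the web server. The way to keep both on one port for everyone is a protocol demultiplexer in the style of sslh: it reads the first bytes of each connection, decides whether the client is speaking SSH (the `SSH-` banner), TLS (a handshake record carrying a ClientHello) or plain HTTP, and hands the connection, peeked bytes included, to the matching backend. The code below is an added example written for this page; it is not sslh, and the backend addresses, the peek timeout and the listen port are assumptions.

```python
"""sslh-style demultiplexer: SSH, TLS and HTTP on one port. Backend addresses are assumed."""
import asyncio

BACKENDS = {                       # assumed local listeners behind the demuxer
    "ssh": ("127.0.0.1", 22),
    "tls": ("127.0.0.1", 8443),
    "http": ("127.0.0.1", 8080),
}
PEEK_TIMEOUT = 2.0                 # seconds; some SSH clients wait for the server banner first
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify(first_bytes: bytes) -> str:
    """Decide the protocol from what the client sends first."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # TLS record: type 0x16 (handshake), major version 3, then handshake type 0x01 (ClientHello)
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    if first_bytes == b"":
        return "ssh"                # silent client: assume SSH waiting for our banner (sslh's default)
    return "unknown"


async def pipe(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Copy bytes one way until EOF, then close the far side."""
    try:
        while True:
            chunk = await reader.read(65536)
            if not chunk:
                break
            writer.write(chunk)
            await writer.drain()
    finally:
        writer.close()


async def handle(client_reader: asyncio.StreamReader, client_writer: asyncio.StreamWriter) -> None:
    try:
        head = await asyncio.wait_for(client_reader.read(16), PEEK_TIMEOUT)
    except asyncio.TimeoutError:
        head = b""
    kind = classify(head)
    if kind == "unknown":
        client_writer.close()
        return
    host, port = BACKENDS[kind]
    backend_reader, backend_writer = await asyncio.open_connection(host, port)
    backend_writer.write(head)      # replay the peeked bytes so the backend sees a full stream
    await backend_writer.drain()
    await asyncio.gather(
        pipe(client_reader, backend_writer),
        pipe(backend_reader, client_writer),
    )


async def main(listen_port: int = 443) -> None:
    server = await asyncio.start_server(handle, "0.0.0.0", listen_port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

Run it as root (or with the capability to bind 443) in front of sshd on 22 and the web server moved to 8443/8080; from the boat, `ssh -p 443 -D 8080 username@y.y.y.y` then works while `https://y.y.y.y/` still serves pages. The caveat from 2A applies unchanged: a Layer 7 firewall that inspects 443 for a TLS handshake will still drop the SSH banner, because this only multiplexes, it does not disguise.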