Showing results for tags 'ssl'.

Found 21 results

  1. I want to use Charles/Fiddler to capture HTTPS traffic from an application. After installing the trusted root certificate I've noticed that not every application will accept it. For example, I can intercept all requests made by Chrome, but on Firefox I need to add the trusted certificate. When capturing traffic for a Java application, the certificate needs to be added to the JVM TrustStore, and in case of using a Python script we need to add a line of code that uses the exported certificate. How can I analyze requests made by some software that supports a proxy (so a reverse proxy can be easily used), but after running it I cannot get plaintext as it needs a trusted certificate?
  2. Hello Group, I figured I'd ask this question here and see what kind of response is put forth. TIA. Security is always on my mind, and creating many embedded devices using Linux (custom builds) is some of the things I do, and I want to be security minded. Most small IoT devices have some sort of setup, monitoring and configuration via an HTTP server. I would like to use HTTPS (SSL or TLS). It seems that I'll need a cert for each device in order for HTTPS to function as needed. Q1: Do I really need a separate cert for each device? Q2: What happens with an HTTPS server in an air-gapped (isolated from the internet) network? Q3: Is the cert thing the reason why most IoT devices don't encrypt? Q4: Is there a group trying to tackle this problem? Again, thanks for the help, and Hak5, thanks for making me more security conscious. Cheers! Like in beer.
  3. Hi, I am looking at the TETRA module and thinking about buying it. I want to deploy it without connection to a computer, running on a battery pack. First I have a couple of questions: is there any way to get IMAP/POP SSL credentials if the target uses a client on a phone or desktop? Does it work to use a PineAP module or is it protected by HSTS? My idea is to use Karma to get targeted clients in and let them surf through my stick in the TETRA. If POP/IMAP is not protected with HSTS I would like to filter only IMAP/POP SSL traffic and strip that and let HTTPS calls pass unedited; any guides? I have searched a lot but found no clear info on the matter. Thanks, Best
  4. Hello everyone. I'm new here. I watch the YouTube channel from time to time and I decided to get an account with the forums due to how recent SSL threads were on this board. I'm still a bit new to this. Most of my knowledge comes from a series of tutorials but it's starting to come together. Anyways, Google isn't turning up answers for my concern, but then I remember that a lot of the threads I was reading were outdated. To my understanding, SSL strip used to work but the invention of HSTS prevented that. Yet things like "Bettercap and SSLStrip2 should work" - forum posters, 1 year ago. Keep in mind I do not own a Pineapple. What I do have is two computers hardwired to a Belkin N300 router. One of them is the attacker and the other is the target. Since a year has passed I'm not sure if these techniques still work. I have tried sslstrip2 and bettercap, but each time I try to strip my Windows 8.1 target machine, I keep getting the classic 404. It says http:// can not be found, so at least I know the attacker is actively TRYING to do its job. Are these outdated methods that no longer work or am I just doing it wrong? I feel that I can't be THAT far off since I'm getting the same results with both Bettercap and sslstrip2. My target computer is running an older Core 2 Quad and an older motherboard so it might just be too slow. But even then I doubt it since it's not THAT slow. Any suggestions? If I am doing it wrong, then here is what I am working with:

     Machine (Attacker) 192.168.2.6
     > Windows 10 (Latest)
     > VirtualBox Version: 5.1.0r108711 running Kali 2016.1
     > Hardwired ethernet to onboard port, set to Bridge mode in VirtualBox
     > Using dns2proxy
     > Using sslstrip2

     Machine (Target) 192.168.2.5
     > Windows 8.1
     > Logging into my personal Facebook with Internet Explorer
     > Logging into my personal Facebook with Google Chrome
     > Hardwired ethernet to onboard port.

     Router: Belkin N300 192.168.2.1
     > Generic setup. Only change I made was using Google's DNS.

     Steps Taken for sslstrip2
     > Wrote 1 to ip_forward. cat'd the file to ensure that it wrote.
     > Flushed iptables
     > Flushed iptables with -t nat
     > Redirected TCP traffic from port 80 to 8080
     > Redirected UDP traffic from port 53 to port 53
     > Ran iptables -t nat -L PREROUTING. TCP and UDP have the source and destination set to "anywhere" so it should work... right?
     > Have 5 terminal tabs open.
     > One for running dns2proxy.py
     > One for running sslstrip with -a
     > One for running arpspoof -i eth0 -t 192.168.2.5 192.168.2.1
     > One for running arpspoof -i eth0 -t 192.168.2.1 192.168.2.5
     > One for tailing the sslstrip.log file
     > Attempted to log into Facebook, Gmail, Xfinity, and Yahoo with IE, Chrome and Firefox. All of them return 404.

     Steps Taken for Bettercap
     > Wrote 1 to ip_forward. cat'd the file to ensure that it wrote.
     > Flushed iptables
     > Flushed iptables with -t nat
     > Redirected TCP traffic from port 80 to 8080
     > Ran Bettercap. Same results as when I was running sslstrip2.
  5. Can we bypass HSTS by using this MITM technique? The attack works on the latest versions of iOS, including iOS 8.1.1, and on most Android devices. Source: https://blog.zimperium.com/doubledirect-zimperium-discovers-full-duplex-icmp-redirect-attacks-in-the-wild/
  6. I've created a payload in C# that appears as a legitimate application but grants an attacker admin remote shell access on a Windows system. My primary focus now is to encrypt the network traffic as best as I can, for obvious reasons. I haven't done this before, so I would like some guidance on how it should be done. I've done some research and come across two methods: AES using RSA to encrypt the key, and SSL. I'm worried that the SSL method could easily be attacked with SSL-Strip since there is no HSTS-like implementation to prevent it. I know how to start with AES in C# as the System.Security.Cryptography namespace makes that fairly simple. However, I have no idea how to use RSA to encrypt the AES key and send it over the network. A lot of my research led me to using AES-HMAC, but some of the recent posts I've seen hint toward that only being used for encryption of local information rather than network information. Can someone shed some light on these methods, which is the most secure, and how to use it?
  7. Hello all, I recently attempted upgrading my Mark V to SSL. I followed the (mubix) instructions here: https://github.com/hak5/wifipineapple-wiki/blob/gh-pages/add_ssl.md as well as the (4nzx) instructions here: http://4nzx.blogspot.com/2015/05/so-you-bought-new-wifi-pineapple-markv.html However, I am receiving "sec_error_bad_signature" whenever I try to access the Pineapple through HTTPS. I searched the forums and came across this: https://forums.hak5.org/index.php?/topic/33395-changing-pineapple-interface-to-ssl/ But it was no help. Any suggestions? Has anyone encountered this same issue and resolved it? Thanks, SK
  8. Hiii, I have made some fake pages for known pages like Facebook etc. I have also installed dnsmasq in Kali and set up an Apache server, and everything is okay. Now when the victim visits Facebook in Chrome, for example, it will tell him that this is unsecured cuz of HTTPS. Is there any way or tools in Kali to avoid that? Or any other thing would be great. Thanks :)
  9. Hi All, Proud new owner of a Pineapple Mk V here but fairly new user. I'm trying to test a network which is 'Open' and redirects any connected users to a captive portal (requiring AD logins). I'm wondering if it would be possible to perform an attack that does the following: wlan0 broadcasts 'TARGET_SSID' as Open with the same spoofed MAC address/ESSID etc. wlan1 connects to the 'legitimate' 'TARGET_SSID' and connects to the captive portal page. When a user connects to the fake TARGET_SSID on wlan0 they should see an SSL-stripped version of the captive portal. Ideally, once they log in, the login should pass through wlan1 to get internet/network access. If that's occurred successfully, the user should be allowed to browse as per usual while having an SSL-stripping attack performed. I'm not sure how to tie all these attacks together; from what I've been able to read so far, each of these attacks can happen but all happen individually. Could anyone point me in the direction of any guides etc. that will help me do this, or have any pointers? Many thanks,
  10. Hey guys, Just got my Mark V and I definitely have watched a ton of tutorials. My question is: does the SSL strip feature even work? When I connect a client to the Pineapple AP on Chrome and Mozilla it doesn't budge, every connection stays https://. On Internet Explorer some connections do change to http://, but Facebook won't even load and some connections take decades to load? If you guys can help me out, because in all the YouTube tutorials it seems that even Mozilla loads so seamlessly. Or is it that Chrome and Mozilla fight against SSL strip attacks? I was looking so forward to getting it, but if this is the case it really sucks. Thanks for the responses!!!
  11. Hi, I was always able to do a MITM attack targeting a specific IP and using sslstrip, ettercap, arpspoof, ... But today I tried (for the first time) to do the whole network at once and it was like sslstrip wasn't doing anything. No errors whatsoever, and yet all I could see was the usual "sslstrip 0.9 by Moxie Marlinspike" and then nothing. When I target one computer I usually do something like:

      echo 1 > /proc/sys/net/ipv4/ip_forward
      iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
      sslstrip -a -k -f
      arpspoof -i wlan0 -t <targetIP> -r <gatewayIP>
      ettercap -Tq -L etterlogs -i wlan0
      urlsnarf -v -i wlan0

      and it works. To do the whole network I tried the same, only replacing the <targetIP> by the Bcast (i.e. 192.168.1.255). I think one time it said "couldn't arp for ..." So then I tried method 2:

      echo 1 > /proc/sys/net/ipv4/ip_forward
      iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 10000
      ettercap -T -q -i wlan0 -M ARP:REMOTE // //
      sslstrip -a -l 10000
      urlsnarf -i wlan0

      It ran, I think, but nothing happened and I couldn't see the traffic. What am I doing wrong? I'm not very experienced at this, and if anyone knows a better way to do an sslstrip on the whole network I'd be grateful. I have the latest version of Kali btw. Cheers
  12. Hi guys, On my blog I wrote a post about a MitM attack using SSLStrip + arpspoof. It's in Italian so I don't know if you can understand: http://www.gianlucaghettini.net/intercettazione-traffico-https-e-recupero-dati-sensibili/ Other than the actual attack (which is very well known) I focused on the HSTS policy and how it is useful to prevent such attacks. Do you know any successful attempt to break such a security policy? Poisoning the DNS cache of the target host could lead to a scenario in which the target browser goes to a fake domain, receives a forged HTTP header with a max-age value of zero: Strict-Transport-Security: max-age=0; includeSubDomains and then gets redirected to the real site. The HSTS RFC says that browsers SHOULD ignore the HSTS header when in HTTP mode, but maybe this very specific check was not implemented on all browsers.
  13. Hey guys, Cloudflare has made a challenge!!! So you can legally try and steal the SSL key from their challenge server. More info: https://www.cloudflarechallenge.com/heartbleed
  14. Hey guys, Sorry if I put this in the wrong category. I'm trying to use SSL strip + ARP spoofing. I do exactly the same as in every tutorial. But once everything is done, my victim has no internet. He can't load the page! If I just ARP spoof my target and use something like urlsnarf, everything works fine... Can someone please help me? I've been searching a while for a solution. By the way, sorry for my bad English. :(
  15. Hey guys, Just working with sslstrip on my Pineapple and just got a resource error. Makes sense since the Pineapple does not have a whole lot of internal storage. I uninstalled it and then reinstalled on the SD card and that seemed to fix it. Just curious if this was the only way of doing it, or is there a way of selecting where to store the dump file? Should I reinstall tcpdump on the SD card to avoid running out of room too? Just curious if this is the only way.
  16. Hey guys! I am having a problem with running SSL strip. I am currently running the 3.0 firmware for the Mark IV. I installed SSL strip onto an external USB storage and I am able to run it, but it does not show any output. I have the infusion too, same thing. SOMETIMES it outputs information, I guess when it decides to run. It's not from the infusion, I am sure; SSH-ing in and running SSL strip doesn't give any results either. Just a few hours ago it ran just fine for 5 minutes, I went to 3 different websites, logged in etc. (one of them is Facebook) and it was alright. And suddenly, it just stopped working. The infusion reported that it's not working and that's that. I am not running anything else except for Karma. Any help would be appreciated because I am out of ideas. Cheers! :)
  17. Hey guys, I've just covered HTTP Strict Transport Security (HSTS) and how it helps to improve web security. Any feedback on the blog or input anyone has would be much welcomed. Check it out here: http://scotthel.me/hsts Scott.
  18. Hello! Does anyone know how the NSA can spy on HTTPS traffic? As far as I know (please correct me if I'm wrong), an SSL certificate has a public key, a private key, and the issuer has a MASTER key? And that key is used by the NSA to listen to HTTPS traffic? What about an HTTPS connection without a 'certified' SSL certificate? When my server generates it, it only has a pair of keys, no MASTER key..... Does this mean that this type of HTTPS connection is safer than one with a Verisign-issued certificate? Why does Darren keep saying that HTTPS is not that secure, and a VPN is more secure.. only because the data can be compromised at the receiving end? Looking forward to an enlightening discussion.
  19. Hi All, Scenario/Background: I'm on a boat. We use VSAT + a two year old Cisco router. The router has been locked down. The only ports open are 80 (http), 443 (https), 25 (mail), 3389 (RDP). When travelling I used to be able to use OpenVPN (udp), PPTP VPN (tcp), or a socksified (-D) SSH connection to tunnel my traffic. That's no longer the case. I borked my VPS server trying to get around the above stated issue. It's left me in a bit of a pickle. I can use TOR to get to my VPS's CPANEL (control panel). I have to use a service like TOR, because the CPANEL is on a non-standard web port (5454). I can't reinstall the server though. To do that I need to VNC to the VPS. I use 'Chicken of the VNC' which doesn't support proxying, like a web browser. I've looked at a few options, like NoVNC, etc. which are browser based HTML5 implementations of a VNC client but they rely on a companion server which my VPS is not running. Any ideas? (1A) Help! *I'm asking a friend to remotely reconfigure my server, and to run SSH on port 443 so I'll have SSH access and web proxying ability, but it has led me to even more questions. I hope that the firewall doesn't filter to the Layer 7 networking stack, otherwise I might need a better solution. What are some ways to accomplish this? (2A) Below is what I've found so far. Please help me add to the list of possibilities. Is there a software solution (Mac OS X or Ubuntu) that allows a user to specify which application uses the socksified SSH connection (ex. ssh -D 8080 username@y.y.y.y) on the local machine? (3A) It would be ideal if an application could force traffic over the SSH connection. Example: tell 'Chicken of the VNC', Adium, etc. to route through SSH without having to set a proxy in their individual preferences (most don't even have the option/ability).

      Future Solutions

      1B. #Ubuntu wiki says this might be a problem on some VPS's - https://help.ubuntu....y/IptablesHowTo
          #execute on remote server
          iptables -t nat -I PREROUTING -p tcp -m conntrack --ctstate NEW -s x.x.x.x -d y.y.y.y --dport 443 -j REDIRECT --to-port 22
          or
          #execute on remote server
          iptables -t nat -I PREROUTING --src x.x.x.x --dst y.y.y.y -p tcp --dport 443 -j REDIRECT --to-ports 22
          sudo iptables -t nat -L -n -v
          #execute on local machine in Terminal
          ssh -p 443 -D 8080 username@y.y.y.y
      2B. http://www.thoughtcr...tware/firemole/
      3B. http://dag.wieers.co...http-tunneling/ *anyone know of a more current way to do this? (4A) The software doesn't look like it's been updated since 2009.
      4B. sudo nano /etc/ssh/sshd_config
          change the line "Port 22" to "Port 443"
          to save --> hit ctrl+o, then ctrl+x
          sudo restart ssh
          *how does encrypted web traffic (https 443) still work if SSH is now using port 443 on the VPS? (5A)
  20. Ok, so I had this idea a few months ago but don't know how hard it might be to actually do. Maybe someone that knows could point me in the right direction. What I want to do is make a MITM module or program for the Pineapple that inserts the HSTS header into all HTTP requests, http://en.wikipedia....y#Applicability Once I have figured out how to slip HSTS into headers I want to make one page that populates/connects to 10s or 100s of popular websites that don't use SSL; basically the victim can no longer browse to those pages because their browser believes it should be encrypted. What do you think, would this work, and what tools could I use to insert the HSTS header? ettercap?
  21. Hello, I created a bunch of phishing pages for Facebook, Twitter, and Gmail to test out the dns-spoof function on the Mark IV Pineapple. The pages work fine and the Pineapple will redirect the traffic to the fake login pages that I created. However, when the victims type in an HTTPS address like https://twitter.com the redirect won't work and a connection error message shows up in the browser, or sometimes they will see the real site's HTTPS version. Is there any way around this? Can I redirect HTTPS links to a landing page as well? Thanks