Jump to content

Search the Community

Showing results for tags 'https'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Talk
    • Everything Else
    • Gaming
    • Questions
    • Business and Enterprise IT
    • Security
    • Hacks & Mods
    • Applications & Coding
    • Trading Post
  • Hak5 Gear
    • Hak5 Cloud C²
    • WiFi Pineapple Mark VII
    • USB Rubber Ducky
    • Bash Bunny
    • Key Croc
    • Packet Squirrel
    • Shark Jack
    • Signal Owl
    • LAN Turtle
    • Screen Crab
    • Plunder Bug
  • O.MG (Mischief Gadgets)
    • O.MG Cable
    • O.MG DemonSeed EDU
  • WiFi Pineapple (previous generations)
    • WiFi Pineapple TETRA
    • WiFi Pineapple NANO
    • WiFi Pineapple Mark V
    • WiFi Pineapple Mark IV
    • Pineapple Modules
    • WiFi Pineapples Mark I, II, III
  • Hak5 Shows
  • Community
    • Forums and Wiki
    • #Hak5
  • Projects
    • SDR - Software Defined Radio
    • Community Projects
    • Interceptor
    • USB Hacks
    • USB Multipass
    • Pandora Timeshifting

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...


  • Start





Website URL







Enter a five letter word.

Found 19 results

  1. I want to use Charles/Fiddler to capture HTTPS traffic from application. After installing trusted root certificate I've noticed that not every application will accept it. For example, I can intercept all requests made by Chrome, but on Firefox I need to add trusted certificate. When capturing traffic for Java application, certificate need to be added to JVM TrustStore, and in case of using Python script we need to add line of code that use exported certificate. How can I analyze requests made by some software that support proxy (so reverse proxy can be easily used), but
  2. it´s possible to make a middle man attack in our proxy, i mean, i want to make a proxy server on a raspberry pi 3, and get all data (like wireshark when sniffs), incluying https requests. my second question is, how to make the data get in my server (the rpi) without configuring the modem and the dmz, something like redirect the request with a external server and a client on the pi. my internet company change mi modem recently, and even so when i configure the dmz on it, and the portforwarding, the external connections don't get in, im looking for a alternative. (again, sorry for my b
  3. Hello Group, I figure I'd ask this question here and see what kind of response is put fourth. TIA Security is always on my mind and creating many embedded devices using Linux (custom builds) are some of the things I do and want to be security minded. Most small IoT device have some sort of setup, monitoring and configuration via a HTTP server. I would like to use HTTPS (SSL or TLS). It seems that I'll need a cert for each device for https in order it to function as needed. Q1: Do I really need a separate cert for each device? Q2: What happens with a https server in a air-ga
  4. Hi, I m new to pentesting. I have got my pineapple nano last month. i have been learning by watching tutorials available on internet since then. Most of the material available is related to the nano's predecessors. And i have found that some of them dont work anymore or i m not being guided appropriately. Modules like SSLsplit, DNSspoof, DNSMasq Spoof, Evil portal etc dont seem to work anymore. Like SSLsplit and DNSMasq dont seem to work in case of https sites. On browsers like chrome, firefox etc. the sites like facebook, gmail, etc. dont even open when i try to dnsspoof, and secondly the da
  5. Hello community, I have a Alfa Hornet AP121-U access point, the hardware basis of the wifi pineapple MK4 and I have successfully flashed Firmware V3.0.0 on the device. But the connection functions/options back to the cloud.wifipineapple.com to get updates, infusions, or even to show the Internet IP do not work. I think this is because of the backend was migrated to https based connections, and the wget software, part of busybox 1.19.4 (as it comes with FW 3.0.0) does not support https encrypted connections, only http or ftp connections are supported. Idea: Since wget is provided by busybo
  6. I am experiencing a slight problem. I used to use Kali Linux 1.1.0 and it was running very well. So I chose to update to Kali Linux 2.0.0. since my update to Kali 2.0.0 my Metasploit cannot establish a connection through the HTTPS Payload. The connection will be accepted and will open but my PC will say "Session is not valid and will be closed" if the connection gets established and stays open - (it sometimes works..) then my commands will not be executed. I have already created a new payload with mfsvenom and it doesn't solve my problem. Do you have any suggestions or experiences with
  7. Anyone seen this or have any thoughts on it? HTTPS Bicycle Attack: https://guidovranken.files.wordpress.com/2015/12/https-bicycle-attack.pdf Sounds good especially if you have some https data you've been wanting to decrypt laying around. Also seems like it's going to be up to webmasters to implement changes to prevent it and not something end users can do on their own to get around it being a problem.
  8. Can we bypassing HSTS by using this MITM technique? The attack works on latest versions of iOS including iOS 8.1.1 and On most Android devices. Source: https://blog.zimperium.com/doubledirect-zimperium-discovers-full-duplex-icmp-redirect-attacks-in-the-wild/
  9. After reading countless threads about SSLSTRIP not working on systems such as Safari, Firefox, and Chrome I wanted to inquire about something that was released at Defcon Asia... SSLSTRIP 2 and DNS2PROXY https://github.com/LeonardoNve/sslstrip2 This is a new version of Moxie´s SSLstrip with the new feature to avoid HTTP Strict Transport Security (HSTS) protection mechanism. This version changes HTTPS to HTTP as the original one plus the hostname at html code to avoid HSTS. Check my slides at BlackHat ASIA 2014 OFFENSIVE: EXPLOITING DNS SERVERS CHANGES for more information. For this to wor
  10. hiii i have make some fake pages for known pages like Facebook etc i have also install dnsmasq in Kali and setup Apache server and every thing is okay now when the victim visit Facebook in chrome for example it will told him that this is unsecured cuz of https is there any way or tools in Kali to avoid that or any other thing would be greet thanks :)
  11. Hello, I attempted to follow the guide that allows you to use SSL with the Pineapple. I beleive I have followed the steps and generated everything correctly, however even with importing the ca.pem file into my brower (I have tried this with IE, Chrome, and Firefox) I still receive an SSL error that will not allow me to continue on to the web interface. The error I receive in Firefox is sec_error_bad_signature. Google has not yielded any fruitful results related to this particular setup. Any help would be greatly appreciated.
  12. Hi guys, On my blog I wrote a post about MitM attack using SSLStrip + arpspoof. It's in Italian so I don't know if u can undestand: http://www.gianlucaghettini.net/intercettazione-traffico-https-e-recupero-dati-sensibili/ Other than the actual attack (which is very well known) I focused on the HSTS policy and how it is useful to prevent such attacks. Do you known any successful attempt to break such security policy? Poisoning the DNS cache of the target host could lead to a scenario in which the target browser goes to a fake domain, receive a forged HTTP header with a max-age value of ze
  13. Hi everyone, I using Mark V and i want to https on uhttpd, so i try install uhttpd-mod-tls and luci-ssl then restart uhttpd root@Pineapple:~# /etc/init.d/uhttpd restart Generating RSA private key, 1024 bit long modulus Generating selfsigned certificate with subject 'C=DE;ST=Berlin;L=Berlin;CN=OpenWrt;' and validity 2014-03-24 12:03:50-2016-03-23 12:03:50 Then i try access to via web browser but i got messges (Error code: ssl_error_rx_record_too_long) This is my uhttpd config file # Server configuration config uhttpd main option 'index_page' 'index.php' option '
  14. Hey guys, Sorry if i put this in the wrong category. I'm trying to use ssl strip + arp spoofing. I do exact the same like on every tutorial. But once everything is done, my victim has no internet. He can't load the page! If i just arp spoof my target, use something like urlsnarf. Everything works fine... Can someone please help me, i'm searching a while for a solution. By the way, sorry for my bad english. :(
  15. Hey guys, I've just covered HTTP Strict Transport Security (HSTS) and how it helps to improve web security. Any feedback on the blog or input anyone has would be much welcomed. Check it out here: http://scotthel.me/hsts Scott.
  16. Hello! Does anyone know how can the NSA spy on https traffic? As far as I know (Please correct me if I'm wrong), a SSL certificate has a public key, a private key and the issuer has a MASTER key? And that key is used by the NSA to listen to https traffic? What about a https connection without a 'certified' SSL certificate? When my server generates it, it only has a pair of keys, no MASTER key..... Does this mean that this type of a https connection is safer then one with a Verisign issues certificate? Why does Darren keep saying that https is not that secure, and a VPN is more secure.. on
  17. Hi All, Scenario/Background: I'm on a boat. We use VSAT + two year old Cisco router. Router has been locked down. The only ports open are 80 (http), 443 (https), 25 (mail), 3389 (RDP). When travelling I used to be able to use OpenVPN (udp), PPTP VPN (tcp), or a socksified (-D) SSH connection to tunnel my traffic. That's no longer the case. I borked my VPS server trying to get around the above stated issue. It's left me in a bit of a pickle. I can use TOR to get to my VPS's CPANEL (control panel). I have to use a service like TOR, because the CPANEL is on a non-standard web port (5454). I
  18. I've just ordered my Pineapple ... all excited. My application is not security oriented -- it's just to be an access point that will serve internal web pages & PDFs to connected client devices, as in a classroom for example, or for advertising. In this application, the Pineapple will not be connected to the Internet. All Wi-Fi connections to the Pineapple SSID will need to be redirected to the internal webserver. If I understand correctly, this should be easy. Could anyone answer a few questions? 1. Will https attempts be redirected, or go nowhere? For example, some user browsers defau
  19. Hello, I created a bunch of phishing pages for Facebook, twitter, and gmail to test out the dns-spoof function on Mark IV pineapple. The pages work fine and Pineapple will redirect the traffic to the fake login pages that I created however, when the victims type in a HTTPS address like https://twitter.com the redirect won't work and a connection error message would show up in browser, or sometimes they will see the real site's HTTPS version. Is there anyway around this? can I redirect HTTPS links to a landing page as well? Thanks
  • Create New...