
Sslstrip Behavior


Can anyone comment on the behavior of SSLStrip? After trials with three laptops (two personal and a friend) this evening I found that:

-When sslstrip is running and a victim's laptop is browsing the web, it first displays a page that says "cannot find webpage", and then if you refresh the page again it will load the site. I was trying it on a friend and they just gave up trying to browse because it said the website couldn't be displayed, which was frustrating to watch knowing that's how other users might respond.

-The same friend, instead of typing in facebook.com for example, would use a URL that was saved in history, and sslstrip wouldn't redirect to the unencrypted version.

-The same friend was already logged into Facebook and was relying on cookies as we bounced her to different APs for internet. The "-k" flag for sslstrip was not forcing her to re-login as the feature suggests. [Mr. Protocol, that's why I suggested using ferret & hamster]

-When logged into facebook.com successfully using sslstrip, a huge block of code was at the top like a banner ad.

Does anyone else experience these types of behavior? Is there a way to make it a more fluid experience without those types of errors?

Edited by diggler

Does it make sense that this would happen because she was using Safari and it's not well supported in SSLStrip?

Edited by diggler

I'm using BT5R1 fully updated and upgraded using apt-get -- it's running sslstrip v0.9. I did not manually download and install.

It seems to me that most users rely heavily on autocomplete + cookies + browser history. It looks like my choice right now is either all these sslstrip quirks, or a certificate prompt from ettercap : /

[Other weird behavior I've noticed today with SSLStrip is that when my friend tries to access regular HTTP sites it displays "webpage cannot be displayed" sometimes too, in addition to that error when first browsing to HTTPS-enabled sites. Generally it just alerts the user that something is broken and isn't working correctly. It seems to work after a number of refreshes.]

Going to try and add "ferret and hamster" to my script. However, if SSLStrip isn't running it will only capture unencrypted sessions : / So I guess SSLStrip still has to be run, which basically defeats the purpose. Hmm...

Are there any HTTP session hijacking (sidejacking) tools that can defeat SSL without sslstrip? Maybe some other sslstrip variant, or a different sidejacking process altogether? Firesheep is another option to hamster/ferret for HTTP traffic, but I don't like how it is picky about what version of FF you have to use.

In the tutorials I've been reading, Wireshark or ettercap are used for network traffic capture (pcap) in conjunction with hamster/ferret, but because we're using a Pineapple, will hamster/ferret work in real time without running a network capture tool? Can anyone explain how these apps work? It says that ferret is used to collect data seepage, and I'm guessing hamster is the web server configured to serve up what ferret finds? There is no documentation on their site and it appears to be down or not well supported. There doesn't seem to be any "man" documentation or a README in the BT5R1 directory /pentest/sniffers/hamster

http://erratasec.blo...-ferret-20.html

http://hamster.erratasec.com/

SSLStrip will not redirect anything from history or favorites; it assumes the site is entered as http first, then it will stop it from switching to https (in layman's terms).

I have noticed the banner ad issue you mentioned, but only recently. I don't know what the hell is causing that, but it's a big red flag.

Are you using backtrack, or did you compile it yourself?

Edited by diggler
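The reply above makes the defender-relevant point: sslstrip only works when the browser's first request to a site goes out as plain HTTP and the http-to-https redirect can be rewritten. HSTS (Strict-Transport-Security) tells a browser to skip that plaintext step, so a site owner can check their own responses for it. The following Python is an added example written for this page, not code from any poster or from sslstrip; every response it parses is a constructed sample, and the one-year max-age threshold is an assumed check value.

```python
# Added example, not a poster's code; sample responses below are constructed.
MIN_MAX_AGE = 31536000  # assumed threshold: one year, as HSTS preload requires
SAMPLE_RESPONSES = {
    "redirect_no_hsts": "HTTP/1.1 301 Moved Permanently\r\n"
                        "Location: https://example.test/login\r\n\r\n",
    "hsts_preload": "HTTP/1.1 200 OK\r\nStrict-Transport-Security: "
                    "max-age=31536000; includeSubDomains; preload\r\n\r\n<html></html>",
    "hsts_cleared": "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=0\r\n\r\n",
    "hsts_short": "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n",
}

def parse_headers(raw):
    """Split a raw HTTP/1.1 response into (status code, lower-cased header dict)."""
    status_line, *lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers

def parse_hsts(value):
    """Parse 'max-age=N; includeSubDomains; preload' into a directive dict."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives

def assess(raw, over_tls):
    """Classify whether a response leaves the browser's next visit downgrade-prone."""
    status, headers = parse_headers(raw)
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        if 300 <= status < 400 and headers.get("location", "").startswith("https://"):
            return "downgrade-prone: http->https redirect without HSTS"
        return "downgrade-prone: no HSTS header"
    if not over_tls:  # RFC 6797: a UA must ignore HSTS received over plain HTTP
        return "downgrade-prone: HSTS only honoured when received over HTTPS"
    directives = parse_hsts(hsts)
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        return "downgrade-prone: malformed max-age"
    if max_age <= 0:
        return "downgrade-prone: max-age=0 clears the policy"
    if max_age < MIN_MAX_AGE:
        return "weak: max-age below one year"
    if "includesubdomains" in directives and "preload" in directives:
        return "protected: HSTS with preload directives"
    return "protected: HSTS set"
```

Note that the header only counts once a browser has received it over HTTPS (or the domain is on the preload list), which is exactly why the first plaintext visit the reply describes is the window that matters.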

What if we could have SSLSTRIP or some other tool to block cookies from being sent? That would force users to log back in, because the "-k" flag doesn't seem to kill the connection to the users website as advertised.

Edited by diggler
