Sleven Posted February 21, 2012 Posted February 21, 2012 Anyone experience this issue with SSLStrip? Also still posting pages in HTTPS. Eth0 pineapple/Wlan0 Pogoplug Quote
Mr-Protocol Posted February 21, 2012 Posted February 21, 2012 There was a counter measure to SSL Strip that was implemented after Moxie had released it. Not sure what it is called, don't remember. You could be running into that though. Quote
Sleven Posted February 21, 2012 Author Posted February 21, 2012 There was a counter measure to SSL Strip that was implemented after Moxie had released it. Not sure what it is called, don't remember. You could be running into that though. Forgot to add my test environment. Victim --> Backtrack 5 R1 Attacker--> ARMv5 XFCE. Victim attempting to access gmail via mozilla firefox 9.0.1. Quote
Mr-Protocol Posted February 21, 2012 Posted February 21, 2012 Gmail has a way to avoid sslstrip, it has HSTS (Just had Moxie confirm what it was called). http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security Quote
PineDominator Posted February 21, 2012 Posted February 21, 2012 Gmail has a way to avoid sslstrip, it has HSTS (Just had Moxie confirm what it was called). http://en.wikipedia....nsport_Security that is good thing? lol I just had a sick idea for a prank exploit. create a tool that adds HSTS headers to every web page request, that way the persons browser is essentially useless on those pages that can't serve up https. I wonder if you could even speed it up by adding 10s or 100s of sites into one page owning multiple in one go. Quote
Sleven Posted February 21, 2012 Author Posted February 21, 2012 (edited) Gmail has a way to avoid sslstrip, it has HSTS (Just had Moxie confirm what it was called). http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security Did some troubleshooting. Came up with some strange results. One my computer time was way off. Another was while using Backtrack 5 as a victim I was able to grab passwords for twitter and so on but not gmail. When I switched to Windows 7 as the victim. I could grab them all. Don't have a mac os to try yet. Thought it was kinda strange. Edited February 21, 2012 by Sleven Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.