Jump to content

Sslstrip


Recommended Posts

  • Replies 142
  • Created
  • Last Reply

Top Posters In This Topic

Posted · Hidden by legion, May 5, 2012 - Oops
Hidden by legion, May 5, 2012 - Oops

Hi !

Since sslstrip is now working, I made a module for it :)

The module is still in testing phase, so as usual, if you want to beta test it, send me a PM ;)

Features

- sslstrip log history

- logs on USB

- install iptables rules from ui

- start sslstrip from ui

Screenshots

a40a3e59ee0274629ff2cbf849972afd65856c3d9668c4a0bf7213b4c907944b2g.jpgc0e0908421994a6c92a975a9631f3d07066f741adac40f88ecf953eb3ac404d92g.jpg

Count me in!

Link to comment

cool, I would have a feature request :-)

Would be great if iptable nat rules would be editable.

Example do only NAT if source is in net x.x.x.x

e.g.:

iptables -t nat -A PREROUTING -p tcp -s 172.16.42.0/24 --destination-port 443 -j REDIRECT --to-ports 10000

Helps to access the port 80 webinterface if only some subnets are redirected :-)

Link to comment
Share on other sites

cool, I would have a feature request :-)

Would be great if iptable nat rules would be editable.

Example do only NAT if source is in net x.x.x.x

e.g.:

iptables -t nat -A PREROUTING -p tcp -s 172.16.42.0/24 --destination-port 443 -j REDIRECT --to-ports 10000

Helps to access the port 80 webinterface if only some subnets are redirected :-)

From my understanding WM has already accounted for the iptables redirect locking out the web GUI.

Link to comment
Share on other sites

From my understanding WM has already accounted for the iptables redirect locking out the web GUI.

True :) I simplified to only one link (screenshots are not up-to-date) which will setup and start sslstrip.

As soon as I received enough feedback, I will release the first version.

Link to comment
Share on other sites

From my understanding WM has already accounted for the iptables redirect locking out the web GUI.

Sorry, didn't notice that. Just saw the print screens and the feature list saying: "- iptables rules automatically installed". There were nothing mentioned regarding „customizable“ iptable settings :unsure:

Link to comment
Share on other sites

Actually you can't customize the iptables rules from the UI. I prefer having a standard, simplified and working way for the moment from the UI for most of the users. I assumed advanced users can still go with ssh ;).

I will maybe add a configuration section to modify the iptables command. I'm just wondering, in which case(s) you would like to customize the commands ?

Edited by Whistle Master
Link to comment
Share on other sites

Actually you can't customize the iptables rules from the UI. I prefer having a standard, simplified and working way for the moment from the UI for most of the users. I assumed advanced users can still go with ssh ;).

I will maybe add a configuration section to modify the iptables command. I'm just wondering, in which case(s) you would like to customize the commands ?

Two cases I can think about iptable customization would help:

1) I sometimes use a topology where I connect the MK4 directly to the DSL Subnet but do not use a separate PC for connection sharing (ics). Therefor I hide (masquerade) normally the WLAN subnet behind the WAN Port IP address (DSL Range) with an iptable rule (safes me from creating back routes on DSL router :rolleyes: ). This is more to iptables directly and has more or less nothing to do with your sslstrip module I guess. But the whole thinks works perfect - also with sslstrip :)

2) Correct me if I'm wrong but if I redirect the whole traffic to port 80 I will also not be able to connect to the MK4 webinterface anymore (with any topology). So that would be a second scenario where customization of iptable would help. Maybe it would be possible to enter just a source IP range from where redirection should take place?

But you are absolutely right. It can also be done by ssh.

Link to comment
Share on other sites

Regarding (2), if sslstrip is running BEFORE adding the iptables rule, you can still access the pineapple interface (you are redirected yourself through sslstrip).

Correct me if I wrong, but this command would not help as we are accessing the pineapple with the IP 172.16.42.42 which is in the source subnet of this iptables rule

iptables -t nat -A PREROUTING -p tcp -s 172.16.42.0/24 --destination-port 443 -j REDIRECT --to-ports 10000

except if you are accessing your pineapple from a different subnet like 192.168.1.0/24, right ?

We could add the following rule to not redirect our IP to sslstrip:

iptables -t nat -A PREROUTING -s 172.16.42.42 -p tcp --dport 80 -j ACCEPT

And this IP could also be determined before starting sslstrip from the UI and therefore be anything else.

Just a little brainstorm :)

Edited by Whistle Master
Link to comment
Share on other sites

Regarding (2), if sslstrip is running BEFORE adding the iptables rule, you can still access the pineapple interface (you are redirected yourself through sslstrip).

Correct me if I wrong, but this command would not help as we are accessing the pineapple with the IP 172.16.42.42 which is in the source subnet of this iptables rule

iptables -t nat -A PREROUTING -p tcp -s 172.16.42.0/24 --destination-port 443 -j REDIRECT --to-ports 10000

except if you are accessing your pineapple from a different subnet like 192.168.1.0/24, right ?

We could add the following rule to not redirect our IP to sslstrip:

iptables -t nat -A PREROUTING -s 172.16.42.42 -p tcp --dport 80 -j ACCEPT

And this IP could also be determined before starting sslstrip from the UI and therefore be anything else.

Just a little brainstorm :)

1) Regarding your first point (running sslstrip before IPtabel): don't want to see my own password in the log file :rolleyes:

No, serious: didn't try that but makes sense. You probably do not even have to start the script first BUT you have to start it and it should not crash, otherwise you have to use ssh or the powercycle method to access the webinterface ...

2) Don't want to correct you :) . You are correct of course. I’m connecting from a different IP as you noted but not from 172.16.42.0/24 subnet.

3) Don't know if I got your idea but then it should be

iptables -t nat -A PREROUTING -s ! 172.16.42.42 -p tcp --dport 80 -j ACCEPT

Not testet, but as far as I remember the "!" add an exception

So it would NAT everything but the management station. Maybe there is a way to get the IP of the management host (connection log: Pineapple authpriv.notice dropbear[10456]: Password auth succeeded for 'root' from x.x.x.x) an add an auto exception for this IP just in case the management connects not from 172.16.42.42.

Was also only a little brainstorming. Maybe it's getting a little too complicated now and you better add only the standard iptable rules as planed and everyone needs to change it, can change the config file where the iptable commands are defined

Link to comment
Share on other sites

Posted · Hidden by Whistle Master, May 9, 2012 - No reason given
Hidden by Whistle Master, May 9, 2012 - No reason given

Hi !

Since sslstrip is now working, I made a module for it :)

Features

- sslstrip log history & logs can be stored on USB

- iptables rules automatically installed

- start/stop sslstrip from ui

Screenshots

8e2ed9699e5ce254f8175a84782006cc675d8f653853d603859a84d07ee8b7e62g.jpgf415c4e6f8143336fd3569452820c412dd3eedafb33dce142cfe247c6d0f29e12g.jpg

Link to comment
  • 2 weeks later...

so after updating to the new firmware 2.1.0 and after setting up the usb correctly again and then going to the pineapple bar i installed sslstrip to usb

after that i pinned the sslstrip to the hotbar when i scroll over launch it shows sslstrip.php but when i click it it brings me to redirect.php and just keeps clicking and refreshing on that.

Link to comment
Share on other sites

Can you ssh to your pineapple and see if the module is correctly installed on USB ? Post the following output:

ls -la /www/pineapple/modules/

ls -la /usb/modules/

ls -la /usb/modules/sslstrip

EDIT: I just tried to remove and install again the module on USB and it's working fine. I guess the problem is on your side...

Edited by Whistle Master
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.

×
×
  • Create New...