
(Newbie Question) Password Intercepting?



Morning all,

I'm not particularly knowledgeable about how the wifi pineapple works, or how networking in general works for that matter. So I'm hoping this question makes sense.

Is it possible to use the wifi pineapple to log like the username/password someone enters online? I'm imagining a scenario like this:

- I set up my pineapple, and it's successfully middle-maning some computer near me.

- That computer navigates to gmail.com or something, and logs in.

I understand that it's easy to monitor the websites a connected computer visits, but I wonder if some sort of encryption prevents login info from being sent in the clear.

If anyone's concerned, I assure you I have no malicious intent. The goal is to learn what I can about network security and whatnot by playing around with my home network :) .

Thanks!


SSL encryption is used by gmail to prevent users' login information from passing in cleartext.

You can use sslstrip to try and prevent the SSL encryption from taking place.

If you are using the pineapple connected to a laptop/computer and ICS'ing, you can use sslstrip on the computer and capture the login (possibly).

If you wanted to use sslstrip on the pineapple you can search the forums, and will need to:

- install a USB with swap space and storage space on the pineapple

- install sslstrip (I would install to the USB stick)

- run sslstrip and dump the logs to the USB stick

I would research into SSL encryption to understand how you are performing this attack if I was you - it's OK to know how to perform the attack, but to learn how it works and understanding how sslstrip works is better for you.

Edited by inTheDMZ

As an additional note, certain websites will hash the password before sending by using javascript. I believe that at one point Yahoo used this method of protecting a clear-text password appearing on the site. To circumvent this, I remember using ettercap to load a filter and remove references to the onsubmit="" javascript event handler.


  • 3 weeks later...

SSL encryption is used by gmail to prevent users' login information from passing in cleartext.

You can use sslstrip to try and prevent the SSL encryption from taking place.

If you are using the pineapple connected to a laptop/computer and ICS'ing, you can use sslstrip on the computer and capture the login (possibly).

If you wanted to use sslstrip on the pineapple you can search the forums, and will need to:

- install a USB with swap space and storage space on the pineapple

- install sslstrip (I would install to the USB stick)

- run sslstrip and dump the logs to the USB stick

I would research into SSL encryption to understand how you are performing this attack if I was you - it's OK to know how to perform the attack, but to learn how it works and understanding how sslstrip works is better for you.

These are good steps on how to install sslstrip... I tried looking on the forum before posting, or I'm searching for the wrong phrase, but how do you create the swap on the USB, and install the sslstrip software on the USB? Sorry, I'm new to the whole pineapple stuff. Starting to learn from scratch...


As the others have said above, there are many ways to perform the password interception. However, keep in mind that each method employed may have certain clues on the client machine that allow them to detect something MAY be going wrong.

Consider the pros and cons of each before you actually perform a particular attack.


As the others have said above, there are many ways to perform the password interception. However, keep in mind that each method employed may have certain clues on the client machine that allow them to detect something MAY be going wrong.

Consider the pros and cons of each before you actually perform a particular attack.

Well, that's a good idea, but I'm still trying to figure out where I could download those modules, and how to install them... Once I figure out where to read about them, and see which one I like, then I will have to figure out how to install them and run them.


Well, that's a good idea, but I'm still trying to figure out where I could download those modules, and how to install them... Once I figure out where to read about them, and see which one I like, then I will have to figure out how to install them and run them.

I replied to your thread. You can find them in the pineappleUI under pineapple bar.

Best Regards,

Sebkinne


I replied to your thread. You can find them in the pineappleUI under pineapple bar.

Best Regards,

Sebkinne

Thank you, I will look once again. Right now I'm just creating another VM on Ubuntu... Once that is done I will set it up and check.
