BlackZero Posted December 5, 2012

Hi guys. I have a Mark IV Pineapple with the latest firmware, 2.7.0, and the modules sslstrip and urlsnarf installed on an external stick mounted in my pineapple. I can run sslstrip and urlsnarf successfully, but only separately. If I start both of them, urlsnarf does not show any log output (Refresh is enabled, and Logging to usb is enabled). Is there a way to run them simultaneously? (Because in a typical sslstrip mitm attack both of the tools can run.) I don't know if it's a problem that only I face. Thanks in advance

tertko Posted December 5, 2012

I have a similar issue. I usually have urlsnarf working for a couple of minutes and then it stops, and sslstrip takes over and only sslstrip works. I think you cannot have both running simultaneously, as sslstrip is forwarding everything to port 10000 and urlsnarf doesn't catch that. At least this was the explanation that I found on this forum a while ago.

BlackZero (Author) Posted December 5, 2012

Hmm, thanks for your answer, but I think that generally sslstrip and urlsnarf can work together. I have tested them both in the airssl script before and in custom mitm/sslstrip attacks in my test environment. I think that WhistleMaster knows the reason for that "conflict".

Whistle Master Posted December 5, 2012

Actually, I don't know the reason... but I will have a look at it ;)

vector Posted January 3, 2013

> I have a similar issue. I usually have urlsnarf working for a couple of minutes and then it stops, and sslstrip takes over and only sslstrip works. I think you cannot have both running simultaneously, as sslstrip is forwarding everything to port 10000 and urlsnarf doesn't catch that. At least this was the explanation that I found on this forum a while ago.

urlsnarf should not interfere with sslstrip for a few reasons. First we gotta understand that sslstrip doesn't forward anything anywhere. The kernel forwards everything along except for traffic destined to port 80; that's why you'll normally have to enable forwarding mode, because iptables is doing all the forwarding, in which it redirects all the http traffic to the sslstrip $LISTEN port, which could be any port you choose; in this case it's 10000. sslstrip usually requires the python-twisted-web module as well. urlsnarf, on the other hand, doesn't listen on a port but on an interface. You can just tell it what and where to log, something like:

    urlsnarf -i <iface> | grep http > /whichever/directory/you-like/whatever.txt

jman012 Posted January 3, 2013

I too am having this problem. I refer to this thread I made: http://forums.hak5.org/index.php?/topic/28422-i-have-some-problems-with-urlsnarf-dnsspoof-and-slow-internet/ I just tried keeping sslstrip turned off and sure enough, urlsnarf worked perfectly. I don't really know why sslstrip would interfere if what vector said is true.

BlackZero (Author) Posted January 27, 2013

Yeah. I have both sslstrip and urlsnarf running on my laptop in Backtrack 5f3 in a Fake AP similar to the Pineapple and it works great. I have upgraded to 2.7.4. Reinstalled sslstrip and urlsnarf and they can't run simultaneously again. Is there a fix for that?

Whistle Master Posted January 27, 2013

Are you running sslstrip and urlsnarf both from the module gui or command line?

Xander Posted January 28, 2013

> Are you running sslstrip and urlsnarf both from the module gui or command line?

In my case when I have this problem, I'm running both sslstrip and urlsnarf from the module gui. Haven't tried doing them from the command line.

BlackZero (Author) Posted January 30, 2013

> Are you running sslstrip and urlsnarf both from the module gui or command line?

I'm running them from the module gui. I first run urlsnarf and after that, in another browser tab, I run sslstrip. When sslstrip is enabled, urlsnarf cannot print any output... and I must set it to off. I have the modules installed on USB.

> In my case when I have this problem, I'm running both sslstrip and urlsnarf from the module gui. Haven't tried doing them from the command line.

How do you manage to fix that issue when you have this problem?

Xander Posted January 30, 2013

> I'm running them from the module gui. I first run urlsnarf and after that, in another browser tab, I run sslstrip. When sslstrip is enabled, urlsnarf cannot print any output... and I must set it to off. I have the modules installed on USB.
>
> How do you manage to fix that issue when you have this problem?

I don't, haha. I still experience the issue, I was just stating that I've only tried it through the gui when I have the problem.

BlackZero (Author) Posted January 30, 2013

> I don't, haha. I still experience the issue, I was just stating that I've only tried it through the gui when I have the problem.

So, you open in two tabs urlsnarf and sslstrip, both in usb (install and log), and they are running together smoothly??? Weird

Whistle Master Posted January 30, 2013

I guess you both have the same issue ;) Let me have a look at it, it may be an issue with some iptables stuff.

BlackZero (Author) Posted January 30, 2013

> I guess you both have the same issue ;) Let me have a look at it, it may be an issue with some iptables stuff.

Thanks Whistle Master. I don't know if it helps, but in a soft rogue AP (called AirSSL, airssl.sh) sslstrip and urlsnarf work like a charm. Yes, maybe it's an iptables issue.

Edited January 30, 2013 by BlackZero

Whistle Master Posted January 30, 2013

Do you run airssl.sh on the pineapple?

BlackZero (Author) Posted January 30, 2013

> Do you run airssl.sh on the pineapple?

No, on a laptop with BT5 (soft fake AP with airbase-ng). I mentioned this to report a case where they work simultaneously.

Edited January 30, 2013 by BlackZero

Whistle Master Posted February 6, 2013

I did not have the time to have a look at it yet, I was quite busy actually, but I will have a look at it. What is your network setup? NATed? Bridged?

Edited February 6, 2013 by Whistle Master

comatose603 Posted February 7, 2013

Just your typical setup. Pineapple into laptop via eth, ./wp4.sh, laptop is connected to the internet via its own wlan0 and a NAT'd wifi router.

comatose603 Posted February 9, 2013

Why is iptables set up for port 80 and 443? Moxie's instructions say to just do port 80... so...??? And, if I leave it as such with both port 80 and 443, https traffic stops working for clients. Also, Moxie's sslstrip is up to 0.9. Why are we still on 0.6? ... it doesn't seem to be stripping all SSL POSTs, e.g., Gmail logons produce nothing. [EDIT: ah, HSTS sites, that's why]

Edited February 9, 2013 by comatose603

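Added example (not part of the thread and not any poster's code): the HSTS remark above is the defensive takeaway, so this sketch shows how a site operator could check whether a `Strict-Transport-Security` value is one a browser will actually honour under RFC 6797. The function names, the 180-day `min_age` threshold and the sample header values are assumptions made for illustration.

```python
import re

# Token characters allowed in a directive name (RFC 7230 "token").
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.
    Returns a dict, or None when a browser would discard the header.
    Simplification: a ';' inside a quoted-string is not handled."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:                       # empty directives are permitted
            continue
        name, sep, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if not _TOKEN.match(name) or name in directives:
            return None                    # bad name or repeated directive
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]                # quoted-string form
        directives[name] = arg if sep else None
    age = directives.get("max-age")
    if age is None or not re.fullmatch(r"[0-9]+", age):
        return None                        # max-age is required and numeric
    directives["max-age"] = int(age)
    return directives

def assess(value, scheme="https", min_age=15552000):
    """Classify one response. min_age (180 days) is an assumed threshold."""
    if scheme != "https":
        return "ignored: HSTS over plain HTTP is not honoured"
    policy = parse_hsts(value) if value else None
    if policy is None:
        return "unprotected: no valid policy"
    if policy["max-age"] == 0:
        return "unprotected: max-age=0 clears the policy"
    notes = []
    if policy["max-age"] < min_age:
        notes.append("short max-age")
    if "includesubdomains" not in policy:
        notes.append("subdomains not covered")
    return "protected" + (" (" + ", ".join(notes) + ")" if notes else "")

if __name__ == "__main__":
    # Constructed sample header values, not captured from any real site.
    for sample in ("max-age=31536000; includeSubDomains", "max-age=300",
                   "includeSubDomains", 'max-age="600"; max-age=31536000'):
        print(repr(sample), "->", assess(sample))
```

A "protected" result only applies once the browser has cached the policy over HTTPS; a first visit is covered only if the domain is on the browser's preload list.
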
Whistle Master Posted February 9, 2013

0.9 runs on the pineapple actually :) May be a good idea to include it in the next version of the sslstrip module :P In the meantime, you can download v0.9 here and copy it on your pineapple, then:

    tar zxvf sslstrip-0.9.tar.gz
    cd sslstrip-0.9
    python ./setup.py install

Regarding port 80 and 443 redirection, this comes from this discussion with telot. I agree that according to some users and Moxie's documentation, port 443 redirection should not be necessary.

Edited February 9, 2013 by Whistle Master

comatose603 Posted February 9, 2013

I think I got this working. Running URLsnarf against wlan0 instead of br-lan is keeping both SSLstrip and URLsnarf happy so far.

Whistle Master Posted February 9, 2013

I will add the option to select the interface where urlsnarf is running, which may allow using both at the same time. urlsnarf v2.6 is out with interface selection :) Someone also suggested getting sslstrip to run on port 8080, which could allow urlsnarf to pick up the traffic.

Edited February 9, 2013 by Whistle Master

comatose603 Posted February 9, 2013

Great! ... I'm not sure why Telot wanted port 443, he doesn't seem to say in that thread... no? If I have it in the PREROUTING table, as it is by default in the module, all https just grinds to a halt for clients. So something should be done. Also, SSLstrip logs should state the source/client IP address. It's super confusing as to what POST is coming from what client. Another issue I noticed is that not all SSL POSTs (say to Facebook) get logged. The initial logon attempt works, but for some reason it's not picking up retries. Any thoughts?

Edited February 9, 2013 by comatose603

Whistle Master Posted February 9, 2013

v2.8 of sslstrip without 443 redirection is out. Let me know if it works better now ;)