Jump to content

Recommended Posts

Posted

Hi guys. I have Mark IV Pineapple with the latest firmware: 2.7.0 and the modules: sslstrip, urlsnarf installed in an external stick mounted in my pineapple.

I can run sslstrip and urlsnarf succesfully but only separately. If I start both of them, urlsnarf is not showing any log output (Refresh is enabled, and Logging to usb is enabled). Is there a way to run them simultaneously? (because in a typical sslstrip mitm attack both of the tools can run). I don't know if it's a problem that only I face.

Thanks in advance

Posted

i have the similar issue.

i usually have urlsnarf working for couple of minutes and then it stops, and sslstrip takes over and only sslstrip works.

i think you cannot have both running simultaneously as sslstrip is forwarding everything to port 10000, and urlsnarf doesnt catch that

at least this was the explanation that i found on this forum a while ago.

Posted

Hmm thanks for your answer, but I think that generally sslstrip and urlsnarf can work together. I have tested them both in airssl script before and in custom mitm/sslstrip attacks in my test environment.

I think that WhistleMaster know the reason for that "conflict".

  • 4 weeks later...
Posted

i have the similar issue.

i usually have urlsnarf working for couple of minutes and then it stops, and sslstrip takes over and only sslstrip works.

i think you cannot have both running simultaneously as sslstrip is forwarding everything to port 10000, and urlsnarf doesnt catch that

at least this was the explanation that i found on this forum a while ago.

urlsnarf should not interfere with sslstrip for a few reasons. first we gotta understand that sslstrip doesnt forward anything anywhere. The kernel forwards everything along except for traffic destined to port 80, thats why youll normally have to enable forwarding mode, because iptables is doing all the forwarding in which it redirects all the http traffic to the sslstrip $LISTEN port which could be any port you choose, in this case its 10000. sslstrip usually requires python-twisted-web module as well.

urlsnarf on the other hand doesnt listen on a port but on an interface. you can just tell it what and where to log something like urlsnarf -i <iface> | grep http > /whichever/directory/you-like/whatever.txt

  • 4 weeks later...
Posted

Yeah. I have both sslstrip and urlsnarf running on my laptop in Backtrack 5f3 in a Fake AP similar to Pineapple and works great.

I have upgraded to 2.7.4. Reinstalled sslstrip and urlsnard and they can't run simultaneously again. Is there a fix for that?

Posted
Are you running sslstrip and urlsnarf both from the module gui or command line ?

In my case when I have this problem, I'm running both sslstrip and urlsnarf from the module gui. Haven't tried doing them from the command line.

Posted

Are you running sslstrip and urlsnarf both from the module gui or command line ?

I'm running them from the module gui. I first run urlsnarf and after that in another browser tab I run the sslstrip. When the sslstrip is enabled, urlsnarf cannot print any output..and I must set it to off.
I have the modules installed in USB.

In my case when I have this problem, I'm running both sslstrip and urlsnarf from the module gui. Haven't tried doing them from the command line.

How do you succeed to fix that issue when you have this problem?

Posted
I'm running them from the module gui. I first run urlsnarf and after that in another browser tab I run the sslstrip. When the sslstrip is enabled, urlsnarf cannot print any output..and I must set it to off.
I have the modules installed in USB.

How do you succeed to fix that issue when you have this problem?

I don't, haha. I still experience the issue, I was just stating that I've only tried it through the gui when I have the problem

Posted

I don't, haha. I still experience the issue, I was just stating that I've only tried it through the gui when I have the problem

So, you open in two tabs urlsnarf and ssltrip both in usb (install and log) and running together smoothly??? weird

Posted (edited)

I guess you both have the same issue ;)

Let me have a look at it, it may be an issue with some iptables stuff.

Thanks Whistle Master. I don't know if it helps but in a soft rogue AP (called AirSSL, airssl.sh) sslstrip and urlsnarf works like a charm.

Yes maybe it's an iptable issue.

Edited by BlackZero
Posted (edited)

Do you run airssl.sh on the pineapple ?

No in laptop with BT5 (soft fake ap with airebase-ng).

I mentioned this to report a case which work simultaneously

Edited by BlackZero
Posted (edited)

Did not have the time to have a look at it yet, I was quite busy actually but I will have a look at it.

What is your network setup ? NATed ? Bridged ?

Edited by Whistle Master
Posted (edited)

Why is iptables setup for port 80 and 443? Moxie's instructions say to just do port 80...so...??? And, if I leave it as such with both port 80 and 443, https traffic stops working for clients.

Also, Moxie's sslstrip is up to 0.9. Why are we still on 0.6? ... it doesnt seem to be stripping all SSL POSTS, e.g., Gmail logons produce nothing. [EDIT: ah, HSTS sites that why]

Edited by comatose603
Posted (edited)

0.9 runs on the pineapple actually :) May be a good idea to include it in the next version of sslstrip module :P In the meatime, you can download v0.9 here and copy it on your pineapple, then:

tar zxvf sslstrip-0.9.tar.gz
cd sslstrip-0.9
python ./setup.py install

Regarding port 80 and 443 redirection, this comes from this discussion with telot. I agree that according to some users and Moxie documentation, port 443 redirection should not be necessary.

Edited by Whistle Master
Posted (edited)

I will add the option to select the interface where urlsnarf is running, may allow to use both at the same time. urlsnarf v2.6 is out with interface selection :)

Someone also suggested to get sslstrip to run on port 8080, which could allow urlsnarf to pick up the traffic.

Edited by Whistle Master
Posted (edited)

Great! ... I'm not sure why Telot wanted port 443, he doesnt seem to say in that thread...no? If I have it in the PREROUTING table, as it is by default in the module, all https just grinds to a halt for clients. So something should be done.

Also, SSLstrip logs should state the source/client IP address. It's super confusing as to what POST is coming from what client.


Another issue I noticed is that not all SSL POSTs (say to Facebook) get logged. The intial logon attempt works, but for some reason it's not picking up retries. Any thoughts?

Edited by comatose603

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...