Jump to content

urlsnarf module simultaneously with sslstrip module?


Recommended Posts

Hi guys. I have Mark IV Pineapple with the latest firmware: 2.7.0 and the modules: sslstrip, urlsnarf installed in an external stick mounted in my pineapple.

I can run sslstrip and urlsnarf succesfully but only separately. If I start both of them, urlsnarf is not showing any log output (Refresh is enabled, and Logging to usb is enabled). Is there a way to run them simultaneously? (because in a typical sslstrip mitm attack both of the tools can run). I don't know if it's a problem that only I face.

Thanks in advance

Link to post
Share on other sites

i have the similar issue.

i usually have urlsnarf working for couple of minutes and then it stops, and sslstrip takes over and only sslstrip works.

i think you cannot have both running simultaneously as sslstrip is forwarding everything to port 10000, and urlsnarf doesnt catch that

at least this was the explanation that i found on this forum a while ago.

Link to post
Share on other sites

Hmm thanks for your answer, but I think that generally sslstrip and urlsnarf can work together. I have tested them both in airssl script before and in custom mitm/sslstrip attacks in my test environment.

I think that WhistleMaster know the reason for that "conflict".

Link to post
Share on other sites
  • 4 weeks later...

i have the similar issue.

i usually have urlsnarf working for couple of minutes and then it stops, and sslstrip takes over and only sslstrip works.

i think you cannot have both running simultaneously as sslstrip is forwarding everything to port 10000, and urlsnarf doesnt catch that

at least this was the explanation that i found on this forum a while ago.

urlsnarf should not interfere with sslstrip for a few reasons. first we gotta understand that sslstrip doesnt forward anything anywhere. The kernel forwards everything along except for traffic destined to port 80, thats why youll normally have to enable forwarding mode, because iptables is doing all the forwarding in which it redirects all the http traffic to the sslstrip $LISTEN port which could be any port you choose, in this case its 10000. sslstrip usually requires python-twisted-web module as well.

urlsnarf on the other hand doesnt listen on a port but on an interface. you can just tell it what and where to log something like urlsnarf -i <iface> | grep http > /whichever/directory/you-like/whatever.txt

Link to post
Share on other sites
  • 4 weeks later...

Yeah. I have both sslstrip and urlsnarf running on my laptop in Backtrack 5f3 in a Fake AP similar to Pineapple and works great.

I have upgraded to 2.7.4. Reinstalled sslstrip and urlsnard and they can't run simultaneously again. Is there a fix for that?

Link to post
Share on other sites
Are you running sslstrip and urlsnarf both from the module gui or command line ?

In my case when I have this problem, I'm running both sslstrip and urlsnarf from the module gui. Haven't tried doing them from the command line.

Link to post
Share on other sites

Are you running sslstrip and urlsnarf both from the module gui or command line ?

I'm running them from the module gui. I first run urlsnarf and after that in another browser tab I run the sslstrip. When the sslstrip is enabled, urlsnarf cannot print any output..and I must set it to off.
I have the modules installed in USB.

In my case when I have this problem, I'm running both sslstrip and urlsnarf from the module gui. Haven't tried doing them from the command line.

How do you succeed to fix that issue when you have this problem?

Link to post
Share on other sites
I'm running them from the module gui. I first run urlsnarf and after that in another browser tab I run the sslstrip. When the sslstrip is enabled, urlsnarf cannot print any output..and I must set it to off.
I have the modules installed in USB.

How do you succeed to fix that issue when you have this problem?

I don't, haha. I still experience the issue, I was just stating that I've only tried it through the gui when I have the problem

Link to post
Share on other sites

I guess you both have the same issue ;)

Let me have a look at it, it may be an issue with some iptables stuff.

Thanks Whistle Master. I don't know if it helps but in a soft rogue AP (called AirSSL, airssl.sh) sslstrip and urlsnarf works like a charm.

Yes maybe it's an iptable issue.

Edited by BlackZero
Link to post
Share on other sites

Why is iptables setup for port 80 and 443? Moxie's instructions say to just do port 80...so...??? And, if I leave it as such with both port 80 and 443, https traffic stops working for clients.

Also, Moxie's sslstrip is up to 0.9. Why are we still on 0.6? ... it doesnt seem to be stripping all SSL POSTS, e.g., Gmail logons produce nothing. [EDIT: ah, HSTS sites that why]

Edited by comatose603
Link to post
Share on other sites

0.9 runs on the pineapple actually :) May be a good idea to include it in the next version of sslstrip module :P In the meatime, you can download v0.9 here and copy it on your pineapple, then:

tar zxvf sslstrip-0.9.tar.gz
cd sslstrip-0.9
python ./setup.py install

Regarding port 80 and 443 redirection, this comes from this discussion with telot. I agree that according to some users and Moxie documentation, port 443 redirection should not be necessary.

Edited by Whistle Master
Link to post
Share on other sites

I will add the option to select the interface where urlsnarf is running, may allow to use both at the same time. urlsnarf v2.6 is out with interface selection :)

Someone also suggested to get sslstrip to run on port 8080, which could allow urlsnarf to pick up the traffic.

Edited by Whistle Master
Link to post
Share on other sites

Great! ... I'm not sure why Telot wanted port 443, he doesnt seem to say in that thread...no? If I have it in the PREROUTING table, as it is by default in the module, all https just grinds to a halt for clients. So something should be done.

Also, SSLstrip logs should state the source/client IP address. It's super confusing as to what POST is coming from what client.


Another issue I noticed is that not all SSL POSTs (say to Facebook) get logged. The intial logon attempt works, but for some reason it's not picking up retries. Any thoughts?

Edited by comatose603
Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...