jman012 Posted January 3, 2013 Share Posted January 3, 2013 (edited) Hello all! So first of all urlsnarf doesn't seem to output any logs from client's traffic.Sometimes urlsnarf would output random traffic, but there doesn't seem to be a pattern that I can see. Is there something urlsnarf specifically looks for, or checks for? Maybe I don't know what it specifically does. Second, dnsspoof is spotty in how it works. Sometimes it will correctly re-direct traffic, but other times it won't. It's a little hard to explain, here is a ping output: xandermbp:~ alexander$ ping www.reddit.comPING a659.b.akamai.net (165.254.26.73): 56 data bytes64 bytes from 165.254.26.73: icmp_seq=0 ttl=48 time=73.265 ms92 bytes from pineapple.lan (172.16.42.1): Redirect Host(New addr: 172.16.42.42)Vr HL TOS Len ID Flg off TTL Pro cks Src Dst4 5 00 0054 25bb 0 0000 3f 01 bec7 172.16.42.207 165.254.26.7364 bytes from 165.254.26.73: icmp_seq=1 ttl=48 time=71.029 ms64 bytes from 165.254.26.73: icmp_seq=2 ttl=48 time=101.353 ms64 bytes from 165.254.26.73: icmp_seq=3 ttl=48 time=83.039 ms64 bytes from 165.254.26.73: icmp_seq=4 ttl=48 time=85.661 ms64 bytes from 165.254.26.73: icmp_seq=5 ttl=48 time=77.908 ms64 bytes from 165.254.26.73: icmp_seq=6 ttl=48 time=72.256 ms64 bytes from 165.254.26.73: icmp_seq=7 ttl=48 time=70.567 ms^C--- a659.b.akamai.net ping statistics ---8 packets transmitted, 8 packets received, 0.0% packet lossround-trip min/avg/max/stddev = 70.567/79.385/101.353/9.832 msxandermbp:~ alexander$ ping google.comPING google.com (74.125.224.228): 56 data bytes64 bytes from 74.125.224.228: icmp_seq=0 ttl=51 time=32.533 ms92 bytes from pineapple.lan (172.16.42.1): Redirect Host(New addr: 172.16.42.42)Vr HL TOS Len ID Flg off TTL Pro cks Src Dst4 5 00 0054 22d5 0 0000 3f 01 5693 172.16.42.207 74.125.224.22864 bytes from 74.125.224.228: icmp_seq=1 ttl=51 time=19.402 ms64 bytes from 74.125.224.228: icmp_seq=2 ttl=51 time=22.356 ms64 bytes from 74.125.224.228: icmp_seq=3 ttl=51 time=19.230 ms64 bytes from 74.125.224.228: icmp_seq=4 ttl=51 time=20.175 ms64 bytes from 74.125.224.228: icmp_seq=5 ttl=51 time=20.814 ms64 bytes from 74.125.224.228: icmp_seq=6 ttl=51 time=19.545 ms64 bytes from 74.125.224.228: icmp_seq=7 ttl=51 time=24.446 ms64 bytes from 74.125.224.228: icmp_seq=8 ttl=51 time=23.360 ms64 bytes from 74.125.224.228: icmp_seq=9 ttl=51 time=22.641 ms64 bytes from 74.125.224.228: icmp_seq=10 ttl=51 time=25.756 ms^C--- google.com ping statistics ---11 packets transmitted, 11 packets received, 0.0% packet lossround-trip min/avg/max/stddev = 19.230/22.751/32.533/3.722 ms[/CODE]It seems, for the pings, that the pineapple did something but it was still pinging google's and reddit's address.And lastly, the pineapple sometimes seems to be a bottleneck for clients connected to it. Both testing at home and especially at a local coffee shop, clients connected through the pineapple had significantly slower and choppier connections. Right now it's setup connected to my eee pc which is sharing its wifi connection over ethernet to the pineapple. Usually all that is running is karma, urlsnarf, and sslstripBy the way, my Pineapple is a Mark IV, 8GB USB with the swap space correctly made (I followed Darren's tutorial and used the flash script()). Also it is indeed plugged into the wall, so there shouldn't be a power issue. Edited January 3, 2013 by jman012 Quote Link to comment Share on other sites More sharing options...
vector Posted January 3, 2013 Share Posted January 3, 2013 (edited) you might want to check and see if nscd is the culprit. i dont know much of anything about the pineapple or whats loaded on it. i sorta know what it does but this may or may not help. theres a program called nscd that caches various things. is useful if you have a lot of users and use a network protocol to get /etc/passwd information, since nscd will cache such things as NIS and LDAP results. but it also caches DNS and can sometimes (depending on the OS) ignore DNS information like TTLs (time to live. so if you've just changed something in DNS, the system may not pick that up right away, but all your command line utilities that do direct DNS queries (nslookup, host, etc.) will see the right values. you could force nscd to invalidate its DNS cache you could just kill the daemon and restart it you can also deactivate the nscd DNS cache entirely. now im not sure if this is the problem or not but its worth a look. as far as urlsnarf goes just make your own log file where ever you want something like urlsnarf -i <iface> | grep http > /whichever/directory/you-like/whatever.txt also one more thing. im looking through that setup script you have linked and i dont see urlsnarf anywhere there. Edited January 3, 2013 by vector Quote Link to comment Share on other sites More sharing options...
jman012 Posted January 3, 2013 Author Share Posted January 3, 2013 I figured out that using dnsspoof with ip addresses and not DNS names seems to work, and that successfully goes around the nscd stuff. Through this thread, http://forums.hak5.org/index.php?/topic/28146-urlsnarf-module-simultaneously-with-sslstrip-module/, it turns out that sslstrip is the culprit. I turned off ssltrip and sure enough, urlsnarf worked perfectly. But as you said there, sslstrip shouldn't be hogging a port to cause the problem, so it must be something else. Quote Link to comment Share on other sites More sharing options...
BlackZero Posted January 27, 2013 Share Posted January 27, 2013 I still can't use sslstrip and urlsnarf the same time. I must set sslstrip off in order urlsnarf to sniff :P As I said in my thread (http://forums.hak5.org/index.php?/topic/28146-urlsnarf-module-simultaneously-with-sslstrip-module/#entry214006) I can run both urlsnard and sslstrip in BT5 in a fakeap script Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.