Jump to content

Recommended Posts

Posted (edited)

Hello all! So first of all urlsnarf doesn't seem to output any logs from client's traffic.Sometimes urlsnarf would output random traffic, but there doesn't seem to be a pattern that I can see. Is there something urlsnarf specifically looks for, or checks for? Maybe I don't know what it specifically does.

Second, dnsspoof is spotty in how it works. Sometimes it will correctly re-direct traffic, but other times it won't. It's a little hard to explain, here is a ping output:


xandermbp:~ alexander$ ping www.reddit.com
PING a659.b.akamai.net (165.254.26.73): 56 data bytes
64 bytes from 165.254.26.73: icmp_seq=0 ttl=48 time=73.265 ms
92 bytes from pineapple.lan (172.16.42.1): Redirect Host(New addr: 172.16.42.42)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 25bb 0 0000 3f 01 bec7 172.16.42.207 165.254.26.73
64 bytes from 165.254.26.73: icmp_seq=1 ttl=48 time=71.029 ms
64 bytes from 165.254.26.73: icmp_seq=2 ttl=48 time=101.353 ms
64 bytes from 165.254.26.73: icmp_seq=3 ttl=48 time=83.039 ms
64 bytes from 165.254.26.73: icmp_seq=4 ttl=48 time=85.661 ms
64 bytes from 165.254.26.73: icmp_seq=5 ttl=48 time=77.908 ms
64 bytes from 165.254.26.73: icmp_seq=6 ttl=48 time=72.256 ms
64 bytes from 165.254.26.73: icmp_seq=7 ttl=48 time=70.567 ms
^C
--- a659.b.akamai.net ping statistics ---
8 packets transmitted, 8 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 70.567/79.385/101.353/9.832 ms
xandermbp:~ alexander$ ping google.com
PING google.com (74.125.224.228): 56 data bytes
64 bytes from 74.125.224.228: icmp_seq=0 ttl=51 time=32.533 ms
92 bytes from pineapple.lan (172.16.42.1): Redirect Host(New addr: 172.16.42.42)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 22d5 0 0000 3f 01 5693 172.16.42.207 74.125.224.228
64 bytes from 74.125.224.228: icmp_seq=1 ttl=51 time=19.402 ms
64 bytes from 74.125.224.228: icmp_seq=2 ttl=51 time=22.356 ms
64 bytes from 74.125.224.228: icmp_seq=3 ttl=51 time=19.230 ms
64 bytes from 74.125.224.228: icmp_seq=4 ttl=51 time=20.175 ms
64 bytes from 74.125.224.228: icmp_seq=5 ttl=51 time=20.814 ms
64 bytes from 74.125.224.228: icmp_seq=6 ttl=51 time=19.545 ms
64 bytes from 74.125.224.228: icmp_seq=7 ttl=51 time=24.446 ms
64 bytes from 74.125.224.228: icmp_seq=8 ttl=51 time=23.360 ms
64 bytes from 74.125.224.228: icmp_seq=9 ttl=51 time=22.641 ms
64 bytes from 74.125.224.228: icmp_seq=10 ttl=51 time=25.756 ms
^C
--- google.com ping statistics ---
11 packets transmitted, 11 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 19.230/22.751/32.533/3.722 ms
[/CODE]

It seems, for the pings, that the pineapple did something but it was still pinging google's and reddit's address.

And lastly, the pineapple sometimes seems to be a bottleneck for clients connected to it. Both testing at home and especially at a local coffee shop, clients connected through the pineapple had significantly slower and choppier connections. Right now it's setup connected to my eee pc which is sharing its wifi connection over ethernet to the pineapple. Usually all that is running is karma, urlsnarf, and sslstrip

By the way, my Pineapple is a Mark IV, 8GB USB with the swap space correctly made (I followed Darren's tutorial and used the flash script()). Also it is indeed plugged into the wall, so there shouldn't be a power issue.

Edited by jman012
Posted (edited)

you might want to check and see if nscd is the culprit. i dont know much of anything about the pineapple or whats loaded on it. i sorta know what it does but this may or may not help.

theres a program called nscd that caches various things.

is useful if you have a lot of users and use a network protocol to get /etc/passwd information, since nscd will cache such things as NIS and LDAP results. but it also caches DNS and can sometimes (depending on the OS) ignore DNS information like TTLs (time to live. so if you've just changed something in DNS, the system may not pick that up right away, but all your command line utilities that do direct DNS queries (nslookup, host, etc.) will see the right values.

you could force nscd to invalidate its DNS cache

you could just kill the daemon and restart it

you can also deactivate the nscd DNS cache entirely. now im not sure if this is the problem or not but its worth a look.

as far as urlsnarf goes just make your own log file where ever you want something like

urlsnarf -i <iface> | grep http > /whichever/directory/you-like/whatever.txt

also one more thing. im looking through that setup script you have linked and i dont see urlsnarf anywhere there.

Edited by vector
Posted

I figured out that using dnsspoof with ip addresses and not DNS names seems to work, and that successfully goes around the nscd stuff.

Through this thread, http://forums.hak5.org/index.php?/topic/28146-urlsnarf-module-simultaneously-with-sslstrip-module/, it turns out that sslstrip is the culprit. I turned off ssltrip and sure enough, urlsnarf worked perfectly. But as you said there, sslstrip shouldn't be hogging a port to cause the problem, so it must be something else.

  • 4 weeks later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...