Does (sslstrip-Infusion) only work on Facebook.com?

[mrgray]

I've been gone for a while and i just came back trying to get caught up with everything.
I installed Sslstrip and it only works with facebook.com? Is that normal?

Thanks in advance!

Mr G

[Johnnie]

In my limited experience I saw that it worked for google and ebay so I don't think it's normal to work for facebook only.

[WallE]

It is not working on HSTS protected website

[WallE]

You can see a list of HSTS protected website here:

http://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json?view=log

[TwistedPacket]

I have noticed that it does not work on 95% of the https sites I have tested with it.

-Tp

[WallE]

Can you tell us a list of website which is working and not working?

[TwistedPacket]

I have not made a list. The best way is to check them yourself. Connect to the pineapple and see what works :)

-Tp

[telot]

Facebook works. Gmail works. Twitter works.

What really irks me is that apps don't work. With the proliferation of mobile apps and less and less reliance on proper websites, sslstrip will continue to become less and less useful as time goes on. UNLESS someone (Moxie?) comes up with a way to strip apps of their custom ssl implementations. Moxie has already commented on this a bit, and if he can't crack it, god help us all.

telot

[mrgray]

Facebook works. Gmail works. Twitter works.

What really irks me is that apps don't work. With the proliferation of mobile apps and less and less reliance on proper websites, sslstrip will continue to become less and less useful as time goes on. UNLESS someone (Moxie?) comes up with a way to strip apps of their custom ssl implementations. Moxie has already commented on this a bit, and if he can't crack it, god help us all.

telot

That's scary! :o

Well hackers could always just do java drive byes from injecting it threw the internet, more info coming threw but always a chance it will flag an AV.

Hopefully Moxie will make another better one or someone else can step in,

[WallE]

Facebook works. Gmail works. Twitter works.

What really irks me is that apps don't work. With the proliferation of mobile apps and less and less reliance on proper websites, sslstrip will continue to become less and less useful as time goes on. UNLESS someone (Moxie?) comes up with a way to strip apps of their custom ssl implementations. Moxie has already commented on this a bit, and if he can't crack it, god help us all.

telot

Are you sure about gmail and twitter? I am 100% sure they are HSTS protected and SSLstrip shouldn't work on those.

[mrgray]

Thanks for y'alls replys!

mpgh.net

instructables.com

work

Haven't tested others

[telot]

Are you sure about gmail and twitter? I am 100% sure they are HSTS protected and SSLstrip shouldn't work on those.

I just did it. I'm looking at my credentials for my gmail and twitter in my sslstrip.log, so thats pretty 100% in my book :)

telot

[Crypiehef]

I have no problems with Facebook, Gmail, Twitter, USAA, BofA, and most other SSL websites using sslstrip. I agree on the apps thing though. That's where the money is :/ Custom Javascript works great if you know what your doing with the sites that are not working with sslstrip. That's what DNS spoofing is for. Geez. JMHO. wget, dnsspoof go hand in hand :)

[Sly14Cat]

Wow guys it's working for you? Because I'm having tooooo many problems. I turn on Port forwarding, I set up the iptables to redirect to the port 1234 then I tell sslstrip to go to 1234. Afterwards, I get up the arpspoofing to no avail. Can anyone who has this work help me?

[telot]

Sly14Cat - theres no need to arpspoof, as you're already the man in the middle. See my wiki post about using sslstrip with the command line and following the instructions exactly (its what I do everytime and it works well). Or you visit WhistleMasters sslstrip forum post and checkout the module if you want a gui

telot

[j4k3]

A *very* high level overview.

Client types www.google.com

Connects to www.google.com, gets redirected to https://www.google.com

HSTS is set in the clients browser, never again will this client use an insecure connection to www.google.com ;)

Now, if we can capture this the *first* time a client is visiting the page in question, we can zpwn it.

Still, sslstrip is very very basic. It's only the tip of the iceberg of what can be done with full control over a targets environment.

[Sly14Cat]

Sorry about that guys. I was tired and it came out sorta noobish. I was able to finally get it working but it won't work on the HSTS protected websites as expected but I'm happy it works because now I have another tool to play around with on my network, VM's etc.

[Davepheadrus]

I can confirm it works 100% with gmail, hotmail and m.facebook.com and not only of first time browsing to a site.

But for the life of me I can't get it to work with Facebook.com even though it has once or twice worked at complete random.

Is there a way to run SSLstrip without a USB in the pineapple?

[Davepheadrus]

Ps I tested on an iPad & win7 with chrome (more extensively on iPad)

[Guest nvysel24]

I can confirm it works 100% with gmail, hotmail and m.facebook.com and not only of first time browsing to a site.

But for the life of me I can't get it to work with Facebook.com even though it has once or twice worked at complete random.

Is there a way to run SSLstrip without a USB in the pineapple?

unfortunately you wont have enough space on the pineapple. I have confirmed facebook does work however I do agree with you I have on a few occasions have it not work. Also gmail does work but if you have 2 step auth on you can't capture the number.