mrgray Posted April 27, 2013 Posted April 27, 2013 I've been gone for a while and i just came back trying to get caught up with everything.I installed Sslstrip and it only works with facebook.com? Is that normal? Thanks in advance! Mr G Quote
Johnnie Posted April 27, 2013 Posted April 27, 2013 In my limited experience I saw that it worked for google and ebay so I don't think it's normal to work for facebook only. Quote
WallE Posted April 27, 2013 Posted April 27, 2013 You can see a list of HSTS protected website here: http://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json?view=log Quote
TwistedPacket Posted April 27, 2013 Posted April 27, 2013 I have noticed that it does not work on 95% of the https sites I have tested with it. -Tp Quote
WallE Posted April 28, 2013 Posted April 28, 2013 Can you tell us a list of website which is working and not working? Quote
TwistedPacket Posted April 28, 2013 Posted April 28, 2013 I have not made a list. The best way is to check them yourself. Connect to the pineapple and see what works :) -Tp Quote
telot Posted April 28, 2013 Posted April 28, 2013 Facebook works. Gmail works. Twitter works. What really irks me is that apps don't work. With the proliferation of mobile apps and less and less reliance on proper websites, sslstrip will continue to become less and less useful as time goes on. UNLESS someone (Moxie?) comes up with a way to strip apps of their custom ssl implementations. Moxie has already commented on this a bit, and if he can't crack it, god help us all. telot Quote
mrgray Posted April 28, 2013 Author Posted April 28, 2013 Facebook works. Gmail works. Twitter works. What really irks me is that apps don't work. With the proliferation of mobile apps and less and less reliance on proper websites, sslstrip will continue to become less and less useful as time goes on. UNLESS someone (Moxie?) comes up with a way to strip apps of their custom ssl implementations. Moxie has already commented on this a bit, and if he can't crack it, god help us all. telot That's scary! :o Well hackers could always just do java drive byes from injecting it threw the internet, more info coming threw but always a chance it will flag an AV. Hopefully Moxie will make another better one or someone else can step in, Quote
WallE Posted April 29, 2013 Posted April 29, 2013 Facebook works. Gmail works. Twitter works. What really irks me is that apps don't work. With the proliferation of mobile apps and less and less reliance on proper websites, sslstrip will continue to become less and less useful as time goes on. UNLESS someone (Moxie?) comes up with a way to strip apps of their custom ssl implementations. Moxie has already commented on this a bit, and if he can't crack it, god help us all. telot Are you sure about gmail and twitter? I am 100% sure they are HSTS protected and SSLstrip shouldn't work on those. Quote
mrgray Posted April 30, 2013 Author Posted April 30, 2013 Thanks for y'alls replys! mpgh.net instructables.com work Haven't tested others Quote
telot Posted April 30, 2013 Posted April 30, 2013 Are you sure about gmail and twitter? I am 100% sure they are HSTS protected and SSLstrip shouldn't work on those. I just did it. I'm looking at my credentials for my gmail and twitter in my sslstrip.log, so thats pretty 100% in my book :) telot Quote
Crypiehef Posted May 9, 2013 Posted May 9, 2013 I have no problems with Facebook, Gmail, Twitter, USAA, BofA, and most other SSL websites using sslstrip. I agree on the apps thing though. That's where the money is :/ Custom Javascript works great if you know what your doing with the sites that are not working with sslstrip. That's what DNS spoofing is for. Geez. JMHO. wget, dnsspoof go hand in hand :) Quote
Sly14Cat Posted May 12, 2013 Posted May 12, 2013 Wow guys it's working for you? Because I'm having tooooo many problems. I turn on Port forwarding, I set up the iptables to redirect to the port 1234 then I tell sslstrip to go to 1234. Afterwards, I get up the arpspoofing to no avail. Can anyone who has this work help me? Quote
telot Posted May 14, 2013 Posted May 14, 2013 Sly14Cat - theres no need to arpspoof, as you're already the man in the middle. See my wiki post about using sslstrip with the command line and following the instructions exactly (its what I do everytime and it works well). Or you visit WhistleMasters sslstrip forum post and checkout the module if you want a gui telot Quote
j4k3 Posted May 14, 2013 Posted May 14, 2013 A *very* high level overview. Client types www.google.com Connects to www.google.com, gets redirected to https://www.google.com HSTS is set in the clients browser, never again will this client use an insecure connection to www.google.com ;) Now, if we can capture this the *first* time a client is visiting the page in question, we can zpwn it. Still, sslstrip is very very basic. It's only the tip of the iceberg of what can be done with full control over a targets environment. Quote
Sly14Cat Posted May 16, 2013 Posted May 16, 2013 Sorry about that guys. I was tired and it came out sorta noobish. I was able to finally get it working but it won't work on the HSTS protected websites as expected but I'm happy it works because now I have another tool to play around with on my network, VM's etc. Quote
Davepheadrus Posted May 30, 2013 Posted May 30, 2013 I can confirm it works 100% with gmail, hotmail and m.facebook.com and not only of first time browsing to a site. But for the life of me I can't get it to work with Facebook.com even though it has once or twice worked at complete random. Is there a way to run SSLstrip without a USB in the pineapple? Quote
Davepheadrus Posted May 30, 2013 Posted May 30, 2013 Ps I tested on an iPad & win7 with chrome (more extensively on iPad) Quote
Guest nvysel24 Posted June 25, 2013 Posted June 25, 2013 I can confirm it works 100% with gmail, hotmail and m.facebook.com and not only of first time browsing to a site. But for the life of me I can't get it to work with Facebook.com even though it has once or twice worked at complete random. Is there a way to run SSLstrip without a USB in the pineapple? unfortunately you wont have enough space on the pineapple. I have confirmed facebook does work however I do agree with you I have on a few occasions have it not work. Also gmail does work but if you have 2 step auth on you can't capture the number. Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.