Jump to content

Does (sslstrip-Infusion) only work on Facebook.com?


mrgray
 Share

Recommended Posts

I've been gone for a while and i just came back trying to get caught up with everything.
I installed Sslstrip and it only works with facebook.com? Is that normal?

Thanks in advance!

Mr G

Link to comment
Share on other sites

Facebook works. Gmail works. Twitter works.

What really irks me is that apps don't work. With the proliferation of mobile apps and less and less reliance on proper websites, sslstrip will continue to become less and less useful as time goes on. UNLESS someone (Moxie?) comes up with a way to strip apps of their custom ssl implementations. Moxie has already commented on this a bit, and if he can't crack it, god help us all.

telot

Link to comment
Share on other sites

Facebook works. Gmail works. Twitter works.

What really irks me is that apps don't work. With the proliferation of mobile apps and less and less reliance on proper websites, sslstrip will continue to become less and less useful as time goes on. UNLESS someone (Moxie?) comes up with a way to strip apps of their custom ssl implementations. Moxie has already commented on this a bit, and if he can't crack it, god help us all.

telot

That's scary! :o

Well hackers could always just do java drive byes from injecting it threw the internet, more info coming threw but always a chance it will flag an AV.

Hopefully Moxie will make another better one or someone else can step in,

Link to comment
Share on other sites

Facebook works. Gmail works. Twitter works.

What really irks me is that apps don't work. With the proliferation of mobile apps and less and less reliance on proper websites, sslstrip will continue to become less and less useful as time goes on. UNLESS someone (Moxie?) comes up with a way to strip apps of their custom ssl implementations. Moxie has already commented on this a bit, and if he can't crack it, god help us all.

telot

Are you sure about gmail and twitter? I am 100% sure they are HSTS protected and SSLstrip shouldn't work on those.

Link to comment
Share on other sites

Thanks for y'alls replys!

mpgh.net

instructables.com

work

Haven't tested others

Link to comment
Share on other sites

Are you sure about gmail and twitter? I am 100% sure they are HSTS protected and SSLstrip shouldn't work on those.

I just did it. I'm looking at my credentials for my gmail and twitter in my sslstrip.log, so thats pretty 100% in my book :)

telot

Link to comment
Share on other sites

  • 2 weeks later...

I have no problems with Facebook, Gmail, Twitter, USAA, BofA, and most other SSL websites using sslstrip. I agree on the apps thing though. That's where the money is :/ Custom Javascript works great if you know what your doing with the sites that are not working with sslstrip. That's what DNS spoofing is for. Geez. JMHO. wget, dnsspoof go hand in hand :)

Link to comment
Share on other sites

Wow guys it's working for you? Because I'm having tooooo many problems. I turn on Port forwarding, I set up the iptables to redirect to the port 1234 then I tell sslstrip to go to 1234. Afterwards, I get up the arpspoofing to no avail. Can anyone who has this work help me?

Link to comment
Share on other sites

Sly14Cat - theres no need to arpspoof, as you're already the man in the middle. See my wiki post about using sslstrip with the command line and following the instructions exactly (its what I do everytime and it works well). Or you visit WhistleMasters sslstrip forum post and checkout the module if you want a gui

telot

Link to comment
Share on other sites

A *very* high level overview.

Client types www.google.com

Connects to www.google.com, gets redirected to https://www.google.com

HSTS is set in the clients browser, never again will this client use an insecure connection to www.google.com ;)

Now, if we can capture this the *first* time a client is visiting the page in question, we can zpwn it.

Still, sslstrip is very very basic. It's only the tip of the iceberg of what can be done with full control over a targets environment.

Link to comment
Share on other sites

Sorry about that guys. I was tired and it came out sorta noobish. I was able to finally get it working but it won't work on the HSTS protected websites as expected but I'm happy it works because now I have another tool to play around with on my network, VM's etc.

Link to comment
Share on other sites

  • 2 weeks later...

I can confirm it works 100% with gmail, hotmail and m.facebook.com and not only of first time browsing to a site.

But for the life of me I can't get it to work with Facebook.com even though it has once or twice worked at complete random.

Is there a way to run SSLstrip without a USB in the pineapple?

Link to comment
Share on other sites

  • 4 weeks later...
Guest nvysel24

I can confirm it works 100% with gmail, hotmail and m.facebook.com and not only of first time browsing to a site.

But for the life of me I can't get it to work with Facebook.com even though it has once or twice worked at complete random.

Is there a way to run SSLstrip without a USB in the pineapple?

unfortunately you wont have enough space on the pineapple. I have confirmed facebook does work however I do agree with you I have on a few occasions have it not work. Also gmail does work but if you have 2 step auth on you can't capture the number.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...