Davepheadrus, Posted June 5, 2013

Having issues getting SSL strip to work with Facebook. I've tried testing with Win7 Chrome and iPad Safari and don't seem to get consistent results. Will occasionally strip the SSL but 9/10 times it doesn't do anything. Works pretty well on Gmail though, maybe 9/10 goes.

Anyone found a way to improve the effectiveness? Do they use a different port to put secure traffic down or something?

Cheers,
Dave

tom564, Posted June 6, 2013

Doesn't Facebook use HSTS which tells the browser to only accept HTTPS connections? I believe that certain browsers have a list of sites that should only be accessed over HTTPS.
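
The behaviour tom564 describes, as an added example that is not part of the original thread: a small Python model of a browser's HSTS state (RFC 6797), useful to a site operator for reasoning about which hosts are forced to HTTPS before any request is sent. The hostnames, the `HstsStore` class and the treatment of preloaded entries as covering subdomains are assumptions made for the illustration.

```python
import re

def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797); None if invalid."""
    seen = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in seen:                     # a repeated directive invalidates the header
            return None
        seen[name] = value.strip().strip('"')
    if not re.fullmatch(r"\d+", seen.get("max-age", "")):
        return None                          # max-age is required and must be digits
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen}

class HstsStore:
    """Minimal model of a user agent's HSTS state (illustrative, not a browser's code)."""
    def __init__(self, preloaded=()):
        self.preloaded = set(preloaded)      # list shipped with the browser
        self.dynamic = {}                    # host -> (expiry, include_subdomains)

    def note_header(self, host, header, over_https, now):
        policy = parse_hsts(header)
        if not over_https or policy is None:
            return                           # headers seen over plain HTTP are ignored
        if policy["max_age"] == 0:
            self.dynamic.pop(host.lower(), None)   # max-age=0 deletes the entry
        else:
            self.dynamic[host.lower()] = (now + policy["max_age"],
                                          policy["include_subdomains"])

    def must_use_https(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):         # check the host, then each parent domain
            candidate = ".".join(labels[i:])
            # Assumption for this model: preloaded entries cover their subdomains.
            if candidate in self.preloaded:
                return True
            expiry, subs = self.dynamic.get(candidate, (0, False))
            if expiry > now and (i == 0 or subs):
                return True
        return False
```

A host on the preloaded list is upgraded on its very first request, while a host relying only on the header is upgraded once the browser has seen that header over a valid HTTPS connection and until `max-age` runs out.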

Drei_Drachen, Posted June 7, 2013

I know HSTS use was in the works at Facebook.

That said, the moderators on this forum tend to frown upon illegal activity. Mentioning that you are trying to MITM Facebook and Gmail passwords probably falls into that category. Let's for the sake of argument pretend you are just trying to 'hack' your own account. Unless you have permission from Facebook, Gmail, etc., you're violating terms of service and breaking some nifty laws in the process.

Mr-Protocol, Posted June 8, 2013

> I know HSTS use was in the works at Facebook.
>
> That said, the moderators on this forum tend to frown upon illegal activity. Mentioning that you are trying to MITM Facebook and Gmail passwords probably falls into that category. Let's for the sake of argument pretend you are just trying to 'hack' your own account. Unless you have permission from Facebook, Gmail, etc., you're violating terms of service and breaking some nifty laws in the process.

I'm not sure this violates the ToS of such sites (who reads those, lol), but, for example, when you use free WiFi and they have that little warning banner explaining "we have full control over your bandwidth and are monitoring", it's not illegal in a sense of wire-tapping.

I appreciate the usage of the report system, many thanks for that, it can be difficult to keep track of all the threads all the time.

This was originally posted in the Mark IV thread, which is more-so frowned upon. We (Hak5) don't want the WiFi Pineapple to be seen as a "hack facebook" type tool, which is why it was moved from that thread. It is a fine line with illegal activities in regards to a "hacking tool" and selling the WiFi Pineapple as such versus general questions on a tool's performance.

I understand that Facebook, Gmail, other common personal services, are used for testing out new tools, and I feel this should be allowed but with caution. If he would have said "Heyz, I w4nt t0 pwn my friend's facebook account", this would have been addressed differently ;).

SSLstrip hasn't been updated in 2 years https://github.com/moxie0/sslstrip so that could be the cause of some issue, as well as the implementation of HSTS as previously stated.

Drei_Drachen, Posted June 8, 2013

> I'm not sure this violates the ToS of such sites (who reads those, lol), but, for example, when you use free WiFi and they have that little warning banner explaining "we have full control over your bandwidth and are monitoring", it's not illegal in a sense of wire-tapping.
>
> I appreciate the usage of the report system, many thanks for that, it can be difficult to keep track of all the threads all the time.
>
> This was originally posted in the Mark IV thread, which is more-so frowned upon. We (Hak5) don't want the WiFi Pineapple to be seen as a "hack facebook" type tool, which is why it was moved from that thread. It is a fine line with illegal activities in regards to a "hacking tool" and selling the WiFi Pineapple as such versus general questions on a tool's performance.
>
> I understand that Facebook, Gmail, other common personal services, are used for testing out new tools, and I feel this should be allowed but with caution. If he would have said "Heyz, I w4nt t0 pwn my friend's facebook account", this would have been addressed differently ;).
>
> SSLstrip hasn't been updated in 2 years https://github.com/moxie0/sslstrip so that could be the cause of some issue, as well as the implementation of HSTS as previously stated.

I guess it is in how you word it. So maybe I have in fact fallen prey to the almighty assumption. I guess if you are trying to monitor your own traffic, oh well. But again, I read...and assumed (sorry), if you're asking specifically how to target Facebook with a tool, any tool, the endgame is targeting its users. Hence, "I want pwn an account" without actually saying those words.

Anyway, thank you for the clarification. Dave, if I misunderstood your intent, I do apologize. B)

digip, Posted June 8, 2013

Knowledge for the sake of education purposes and discussion are allowed. It's when you come in stating "how do I hack my school's xyz" kind of questions where we usually draw a line in the sand.

That said, try newest ettercap with ssl strip plugins.