SSL Strip & Facebook


Davepheadrus

Having issues getting SSL strip to work with facebook, I've tried testing with win7 chrome and ipad Safari and don't seem to get consistent results.

Will occasionally strip the SSL but 9/10 times it doesn't do anything. Works pretty well on gmail though maybe 9/10 goes.

Anyone found a way to improve the effectiveness? Do they use a different port to put secure traffic down or something?

Cheers,

Dave

Link to comment
Share on other sites

I know HSTS use was in the works at facebook. That said, the moderators on this forum tend to frown upon illegal activity. Mentioning that you are trying to MITM Facebook and gmail passwords probably falls into that category. Let's for the sake of argument pretend you are just trying to 'hack' your own account. Unless you have permission from facebook, gmail, etc, you're violating terms of service and breaking some nifty laws in the process.

Link to comment
Share on other sites

I'm not sure this violates the ToS of such sites (who reads those, lol), but, for example, when you use free WiFi and they have that little warning banner explaining "we have full control over your bandwidth and are monitoring", it's not illegal in a sense of wire-tapping.

I appreciate the usage of the report system, many thanks for that, it can be difficult to keep track of all the threads all the time. This was originally posted in the Mark IV thread, which is more-so frowned upon. We (Hak5) don't want the WiFi Pineapple to be seen as a "hack facebook" type tool, which is why it was moved from that thread.

It is a fine line with illegal activities in regards to a "hacking tool" and selling the WiFi Pineapple as such versus general questions on a tool's performance. I understand that facebook, gmail, other common personal services, are used for testing out new tools, and I feel this should be allowed but with caution. If he would have said "Heyz, I w4nt t0 pwn my friend's facebook account", this would have been addressed differently ;).

SSLstrip hasn't been updated in 2 years https://github.com/moxie0/sslstrip so that could be the cause of some issue, as well as the implementation of HSTS as previously stated.

Link to comment
Share on other sites

I guess it is in how you word it. So maybe I have in fact fallen prey to the almighty assumption. I guess if you are trying to monitor your own traffic, oh well. But again, I read...and assumed (sorry), if you're asking specifically how to target facebook with a tool, any tool, the endgame is targeting its users. Hence, "I want pwn an account" without actually saying those words. Anyway, thank you for the clarification. Dave, if I misunderstood your intent, I do apologize. B)

Link to comment
Share on other sites

Knowledge for the sake of education purposes and discussion are allowed. It's when you come in stating "how do I hack my schools xyz" kind of questions where we usually draw a line in the sand. That said, try newest ettercap with ssl strip plugins.

Link to comment
Share on other sites
