DarkPringles Posted September 17, 2014

@cheeto This is correct.

Another problem: After shutting down SSLstrip all clients lose internet connection because the iptables rule for SSLstrip is not correctly deleted. I put the following content into the actions.php in the SSLstrip infusion:

File: /pineapple/components/infusions/sslstrip/includes/actions.php
after: "if (isset($_GET['stop']))"
insert: "exec("iptables -t nat -D PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000");"

to ensure that this route is deleted correctly. Now the clients get internet access. Maybe the Hak5 Team can add this in the next version?

Cheers, DarkPringles

Whistle Master Posted September 18, 2014

The infusion is already deleting the rules when you hit the stop button, so you don't need to change anything yourself. However, I will make sure that it's still working correctly in the latest version of the firmware.

As a general matter of fact, I recommend avoiding changing infusions yourself, otherwise it gets very difficult for the infusion dev to provide any support! I suggest getting in contact with the dev by PM and suggesting the modifications, which could then be integrated into the next version.

EDIT: I've checked again and it's working correctly, the rules are correctly deleted by the infusion:

root@Pineapple:~# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
root@Pineapple:~# iptables -t nat --line-numbers -n -L | grep 80 | grep 10000
2 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 10000
root@Pineapple:~# iptables -t nat -D PREROUTING 2
root@Pineapple:~# iptables -t nat --line-numbers -n -L | grep 80 | grep 10000 | awk {'print $1'}
root@Pineapple:~#

Edited September 18, 2014 by Whistle Master

DarkPringles Posted September 27, 2014

Thanks for the response. I am sure that the infusion should delete the rule, but it did not work for me for some reason. Every time I stop sslstrip the route is still available. I will reflash my pineapple =)

Crypiehef Posted September 29, 2014

Whistle Master, any chance of upgrading to the new version of sslstrip? It now supports HSTS stripping!! YAY.

Whistle Master Posted September 29, 2014

The sslstrip version used by the infusion is the one available on the MK5 repository. The "new" version is a kind of fork of Moxie's version, but for this to work you also need a DNS server that reverses the changes made by the proxy, which is a bit tricky then.

mykrowyre Posted October 20, 2014

Hi, I'm having constant problems with sslstrip on my MKV. I did notice that the stop action did not remove the rules from iptables.. not sure why, I don't see anything wrong with the script. I added a line to remove them as mentioned above and that fixed it.

However, I'm still having issues. When it's running, all traffic from port 80 is redirected, but any traffic which is forwarded to the SSL page and stripped by sslstrip is not forwarded correctly. Instead the browser hangs until timeout.

Here is what I see in the log.. using facebook as the example, but this happens on all websites forwarding to the ssl version. I've cleared the cache and cookies as well.

2014-10-20 18:20:52,297 Resolving host: www.facebook.com
2014-10-20 18:20:52,299 Host cached.
2014-10-20 18:20:52,303 Resolved host successfully: www.facebook.com -> 31.13.73.145
2014-10-20 18:20:52,306 Sending request via SSL...
2014-10-20 18:20:52,340 HTTP connection made.
2014-10-20 18:20:52,343 Sending Request: GET /
2014-10-20 18:20:52,346 Sending header: accept-language : en-us
2014-10-20 18:20:52,349 Sending header: host : www.facebook.com
2014-10-20 18:20:52,352 Sending header: accept : text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
2014-10-20 18:20:52,355 Sending header: user-agent : Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D201 Safari/9537.53
2014-10-20 18:20:52,359 Sending header: dnt : 1
2014-10-20 18:20:52,362 Sending header: connection : keep-alive
(times out here)

Hitting CTRL-C immediately serves a blank page to the browser... so I know it's SSL strip waiting for a response.

Also, after running for a while, I see a massive amount of virtual memory used by sslstrip. See screenshot.

Edited October 20, 2014 by mykrowyre

mykrowyre Posted October 27, 2014

nobody else having this issue?

BeNe Posted October 27, 2014

Of course! I still have the issue that the clients receive a timeout with sslstrip. The load on the pineapple is growing > 10 and then the pineapple reboots. That's the main problem of the whole Pineapple concept, that it does not have enough CPU/RAM to handle all the services.

BeNe Posted October 28, 2014

I tested sslstrip again. After I enabled the infusion the client ends in timeout and can't surf anymore. Load was ~1.80 and should not be the problem. Sslstrip process used 25% CPU. I need to restart the pineapple to get internet working. To disable the infusion only does not help. Will check the iptables before and after.

mykrowyre Posted November 1, 2014

> I tested sslstrip again. After I enabled the infusion the client ends in timeout and can't surf anymore. Load was ~1.80 and should not be the problem. Sslstrip process used 25% CPU. I need to restart the pineapple to get internet working. To disable the infusion only does not help. Will check the iptables before and after.

The iptables delete does not work in the stop script, not sure why, the command is correct. Once I added my own iptables delete it fixed the problem with the internet not working after sslstrip is stopped, but sslstrip still overloads the pineapple.

reaper_666 Posted November 1, 2014

Hello, I activated karma and SSL strip but ssl strip does not show me any data. It shows only sslstrip output_1414865630.log [November 01 2014 15:13:57]. Must I enable PineAP, too? When I try to log in with my mobile phone to amazon, facebook and so on, there is nothing shown in the sslstrip output. Can anyone explain to me why?

THCMinister Posted November 2, 2014

Sites that force SSL with HSTS will not work with SSLStrip.

anode Posted November 2, 2014

Has anyone played with SSLStrip2? https://github.com/LeonardoNve/sslstrip2.git

"This is a new version of Moxie's SSLstrip with the new feature to avoid HTTP Strict Transport Security (HSTS) protection mechanism."

THCMinister Posted November 2, 2014

For this to work you also need a DNS server that can reverse the changes from the proxy.

Aprex Posted November 3, 2014

> For this to work you also need a DNS server that can reverse the changes from the proxy.

People keep saying this, but does this mean that it is going to be impossible to get working on the Pineapple? Is no one working on porting it?

reaper_666 Posted November 11, 2014

Hello, is there a way to start sslstrip automatically with the DIP switches?

dustbyter Posted November 17, 2014

Hey WM, I was able to reproduce the following today as well. The rule was removed, but it wasn't. Let me explain below....

> The infusion is already deleting the rules when you hit the stop button, so you don't need to change anything yourself. However, I will make sure that it's still working correctly in the latest version of the firmware.
>
> As a general matter of fact, I recommend avoiding changing infusions yourself, otherwise it gets very difficult for the infusion dev to provide any support! I suggest getting in contact with the dev by PM and suggesting the modifications, which could then be integrated into the next version.
>
> EDIT: I've checked again and it's working correctly, the rules are correctly deleted by the infusion:
>
> root@Pineapple:~# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
> root@Pineapple:~# iptables -t nat --line-numbers -n -L | grep 80 | grep 10000
> 2 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 10000
> root@Pineapple:~# iptables -t nat -D PREROUTING 2
> root@Pineapple:~# iptables -t nat --line-numbers -n -L | grep 80 | grep 10000 | awk {'print $1'}
> root@Pineapple:~#

1. I dumped my info from iptables prior to starting the sslstrip infusion. Everything looks ok.

root@Pineapple:~# iptables -t nat --line-numbers -n -L
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 delegate_prerouting all -- 0.0.0.0/0 0.0.0.0/0

Chain INPUT (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 172.16.42.0/24 0.0.0.0/0
2 delegate_postrouting all -- 0.0.0.0/0 0.0.0.0/0

Chain delegate_postrouting (1 references)
num target prot opt source destination
1 postrouting_rule all -- 0.0.0.0/0 0.0.0.0/0 /* user chain for postrouting */
2 zone_lan_postrouting all -- 0.0.0.0/0 0.0.0.0/0
3 zone_wan_postrouting all -- 0.0.0.0/0 0.0.0.0/0
4 zone_usb_postrouting all -- 0.0.0.0/0 0.0.0.0/0
5 zone_wan2_postrouting all -- 0.0.0.0/0 0.0.0.0/0

Chain delegate_prerouting (1 references)
num target prot opt source destination
1 prerouting_rule all -- 0.0.0.0/0 0.0.0.0/0 /* user chain for prerouting */
2 zone_lan_prerouting all -- 0.0.0.0/0 0.0.0.0/0
3 zone_wan_prerouting all -- 0.0.0.0/0 0.0.0.0/0
4 zone_usb_prerouting all -- 0.0.0.0/0 0.0.0.0/0
5 zone_wan2_prerouting all -- 0.0.0.0/0 0.0.0.0/0

Chain postrouting_lan_rule (1 references)
num target prot opt source destination

Chain postrouting_rule (1 references)
num target prot opt source destination

Chain postrouting_usb_rule (1 references)
num target prot opt source destination

Chain postrouting_wan2_rule (1 references)
num target prot opt source destination

Chain postrouting_wan_rule (1 references)
num target prot opt source destination

Chain prerouting_lan_rule (1 references)
num target prot opt source destination

Chain prerouting_rule (1 references)
num target prot opt source destination

Chain prerouting_usb_rule (1 references)
num target prot opt source destination

Chain prerouting_wan2_rule (1 references)
num target prot opt source destination

Chain prerouting_wan_rule (1 references)
num target prot opt source destination

Chain zone_lan_postrouting (1 references)
num target prot opt source destination
1 postrouting_lan_rule all -- 0.0.0.0/0 0.0.0.0/0 /* user chain for postrouting */

Chain zone_lan_prerouting (1 references)
num target prot opt source destination
1 prerouting_lan_rule all -- 0.0.0.0/0 0.0.0.0/0 /* user chain for prerouting */

Chain zone_usb_postrouting (1 references)
num target prot opt source destination
1 postrouting_usb_rule all -- 0.0.0.0/0 0.0.0.0/0 /* user chain for postrouting */
2 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0

Chain zone_usb_prerouting (1 references)
num target prot opt source destination
1 prerouting_usb_rule all -- 0.0.0.0/0 0.0.0.0/0 /* user chain for prerouting */

Chain zone_wan2_postrouting (1 references)
num target prot opt source destination
1 postrouting_wan2_rule all -- 0.0.0.0/0 0.0.0.0/0 /* user chain for postrouting */
2 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0

Chain zone_wan2_prerouting (1 references)
num target prot opt source destination
1 prerouting_wan2_rule all -- 0.0.0.0/0 0.0.0.0/0 /* user chain for prerouting */

Chain zone_wan_postrouting (1 references)
num target prot opt source destination
1 postrouting_wan_rule all -- 0.0.0.0/0 0.0.0.0/0 /* user chain for postrouting */
2 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0

Chain zone_wan_prerouting (1 references)
num target prot opt source destination
1 prerouting_wan_rule all -- 0.0.0.0/0 0.0.0.0/0 /* user chain for prerouting */

2. I start sslstrip and then check the iptables again. We can see the redirect added by sslstrip.

root@Pineapple:~# iptables -t nat --line-numbers -n -L | grep 80
2 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 10000

3. I clicked stop through the infusion, it should have removed all redirects of tcp port 80 to 10000. But it has not. Instead the number has just changed to 1 from 2.

root@Pineapple:~# iptables -t nat --line-numbers -n -L | grep 80
1 REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 10000

4. I had to run in command line "root@Pineapple:~# iptables -t nat -D PREROUTING 1" to remove the record.

Hope this helps you to figure out the issue.

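Added example (not part of the thread and not the infusion's code): in the report above the redirect sits at position 2 before the stop and at position 1 after it, so a cleanup that depends on a rule number can miss it. This sketch deletes by rule specification until no copy is left and checks the PREROUTING listing by field; the function names, the `IPT` override and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: names and sample data are constructed, not the infusion's code.
IPT="${IPT:-iptables}"   # overridable so the logic can be exercised without root
RULE="-p tcp --destination-port 80 -j REDIRECT --to-ports 10000"

# Constructed listing in the format of
# `iptables -t nat --line-numbers -n -L PREROUTING`.
sample_listing() {
cat <<'EOF'
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    delegate_prerouting  all  --  0.0.0.0/0  0.0.0.0/0
2    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 10000
3    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 redir ports 10000
EOF
}

# Print the rule numbers of port 80 -> 10000 redirects found in a listing on
# stdin. Matching " dpt:80 " with surrounding spaces keeps dpt:8080 out.
find_redirects() {
    awk '$2 == "REDIRECT" && / dpt:80 / && / redir ports 10000 *$/ { print $1 }'
}

# Delete by rule specification until -D reports no match, so shifted rule
# numbers and duplicate copies are both handled; echo how many were removed.
remove_redirect() {
    removed=0
    while $IPT -t nat -D PREROUTING $RULE 2>/dev/null; do
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Demonstration on the constructed listing: prints 2 (rule 3 targets port 8080).
sample_listing | find_redirects
# On the device (as root):
#   remove_redirect
#   "$IPT" -t nat --line-numbers -n -L PREROUTING | find_redirects   # expect no output
```
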
Whistle Master Posted November 27, 2014

Thanks for the report. I will investigate to understand the issue.

EDIT: I can't reproduce the issue but I will upload a new version with a different way of deleting the rules.

EDIT2: Done! New version out!

Edited November 27, 2014 by Whistle Master

dustbyter Posted November 27, 2014

Great! Hopefully my report helped out! Can you describe what you fixed?

Exploit112 Posted December 13, 2014

> I tested sslstrip again. After I enabled the infusion the client ends in timeout and can't surf anymore. Load was ~1.80 and should not be the problem. Sslstrip process used 25% CPU. I need to restart the pineapple to get internet working. To disable the infusion only does not help. Will check the iptables before and after.

I'm also having this issue. Everything works fine until I start sslstrip. The internet connection becomes really slow and falls away after a while. Then the pineapple just restarts for some reason.

DataHead Posted December 14, 2014

Maybe edit the infusion to start sslstrip with a lower priority? Also the infusion writes its output to a log, and if it becomes rather large, especially with verbose logging enabled, it becomes a hassle to manage it as such and the pineapple slows down. In my tests, using it via CLI greatly increases performance, for me anyway.

pr0digal Posted December 26, 2014

> I'm also having this issue. Everything works fine until I start sslstrip. The internet connection becomes really slow and falls away after a while. Then the pineapple just restarts for some reason.

Just got my MKV and was interested in trying out this infusion and ran into the same issue. Start sslstrip and go to a website to test it. Website refuses to load and then the Pineapple restarts, same issue as Exploit. It's a shame because the demo Darren did with this infusion made it seem really interesting and useful. The logs show that the HTTP connection is made but nothing is shown to the browser.

cheeto Posted December 26, 2014

Correct me if I'm wrong, but sslstrip is not really worth using anymore because of HSTS. Until there is some kind of workaround, we might as well wait. Of course there are some old websites out there that are still using http (instead of https).

cheers.

Exploit112 Posted December 27, 2014

> Correct me if I'm wrong, but sslstrip is not really worth using anymore because of HSTS. Until there is some kind of workaround, we might as well wait. Of course there are some old websites out there that are still using http (instead of https). cheers.

Internet Explorer?

cheeto Posted December 27, 2014

It's my understanding that HSTS is on the servers. So regardless of the browser (Chrome, Firefox, Opera, IE etc.) you're faced with HSTS.