Jump to content

sslstrip and karma not working correctly.


BadB
 Share

Recommended Posts

I have two issues.

The first is Karma. It is working, however once clients connect, though it shows the columns, no data is listed for the clients. I can still see the details in the log, but...

The second issue is sslstrip. I am experimenting using my Android and Chrome on several sites (specifically trying to spot the attack).

However it seems that I am still getting HTTPs in Chrome, and I get no output from sslstrip.

I also get no output if I stop the infusion and run the command by had:

root@Pineapple:/sd/infusions/sslstrip/includes# sslstrip -kfas

sslstrip 0.9 by Moxie Marlinspike running...

I have also tried IE8 on a notebook with no luck.

I am using a brand new Mark V.

Firmware Version: 1.0.4

Link to comment
Share on other sites

I'm able to get sslstrip to function, but entering addresses via the omnibar in chrome will default to the https version if available.

Chrome connects initially to the https link, so there is no 'link on a page' for sslstrip to replace with a http version.

Can you provide a list of sites you are testing, and the method of connecting? I'll test on my device to compare.

Link to comment
Share on other sites

.. Yes, I want to go to the HTTPs version of a site, otherwise there is nothing to strip. The sslstrip will then re-direct my clients request to a “fake” HTTP version, no?

If simply bookmarking the HTTPs version of a site is all that is needed, then I don’t have too much to worry about.

That is unless I have miss-understanding the process.

Link to comment
Share on other sites

SSLstrip substitutes all HTTPS requests with HTTP links. This functions because requests originating in an HTTP session are insecure, and we are able to see the destination of the HTTPS request.

However, if you directly connect to a HTTPS page, there is no substitution to take place, as the HTTPS session is not initiated from an insecure session, and we are not able to see the information needed to make the substitution.

What chrome tends to do is take the omnibar input of 'facebook.com', and connects the user directly to https://www.facebook.com, rather than the insecure destination. This way, users are not affected, but are taken to the secure versions of pages seamlessly, directly countering our usage of SSLstrip.

What would work, for example, is a user on http://www.google.com searching 'facebook'. All the HTTPS link results are substituted by SSLstrip for HTTP links, and the connection to facebook is made through our insecure MiTM attack.

Hopefully that makes a bit more sense. There may be some things that are not perfectly accurate about this, but it is a good overview.

Link to comment
Share on other sites

Ok, well that means I have less to worry about then. :)

I am adding in some detection into a site I work on.

However, even going to a search engine (using HTTP only) and searching for facebook I do not get a replaced link. :/

I tried several combinations and methods (including making my own HTML page on a local server), no go...

I also tried both from my Android and Chrome book. I get taken to an HTTPs page right away.

Link to comment
Share on other sites

  • 2 weeks later...

Ok, to revive this topic.

Here is my process, and still no luck.

  1. Create a local HTTP server with a test HTML.
  2. Add a link to https://www.facebook.com
  3. Start SSL Strip.
  4. Load the test page using in the victim browser.
  5. Check the link, it still reports HTTPs.

Now from my understanding this should be replaced with an HTTP link.

Link to comment
Share on other sites

  • 2 weeks later...

Any one else having any luck with SSL Strip ?

I am running current ver 1.5 and can only get it to work with Ebay and Hotmail in my tests ! I can not get it to work with Facebook or Gmail ? any one else experiencing the same or is it my config ?

Remember that SSLstrip isn't guaranteed to work on all sites. Look up "HSTS" and you'll see that there are measures in place to thwart SSLstrip-based compromising.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...