sslstrip and karma not working correctly.


BadB

I have two issues.

The first is Karma. It is working, however once clients connect, though it shows the columns, no data is listed for the clients. I can still see the details in the log, but...

The second issue is sslstrip. I am experimenting using my Android and Chrome on several sites (specifically trying to spot the attack).

However, it seems that I am still getting HTTPS in Chrome, and I get no output from sslstrip.

I also get no output if I stop the infusion and run the command by hand:

root@Pineapple:/sd/infusions/sslstrip/includes# sslstrip -kfas

sslstrip 0.9 by Moxie Marlinspike running...

I have also tried IE8 on a notebook with no luck.

I am using a brand new Mark V.

Firmware Version: 1.0.4

Link to comment
Share on other sites

I'm able to get sslstrip to function, but entering addresses via the omnibar in Chrome will default to the https version if available.

Chrome connects initially to the https link, so there is no 'link on a page' for sslstrip to replace with a http version.

Can you provide a list of sites you are testing, and the method of connecting? I'll test on my device to compare.

Link to comment
Share on other sites

.. Yes, I want to go to the HTTPS version of a site, otherwise there is nothing to strip. The sslstrip will then re-direct my client's request to a “fake” HTTP version, no?

If simply bookmarking the HTTPS version of a site is all that is needed, then I don’t have too much to worry about.

That is unless I have misunderstood the process.

Link to comment
Share on other sites

SSLstrip substitutes all HTTPS requests with HTTP links. This functions because requests originating in an HTTP session are insecure, and we are able to see the destination of the HTTPS request.

However, if you directly connect to an HTTPS page, there is no substitution to take place, as the HTTPS session is not initiated from an insecure session, and we are not able to see the information needed to make the substitution.

What Chrome tends to do is take the omnibar input of 'facebook.com' and connect the user directly to https://www.facebook.com, rather than the insecure destination. This way, users are not affected, but are taken to the secure versions of pages seamlessly, directly countering our usage of SSLstrip.

What would work, for example, is a user on http://www.google.com searching 'facebook'. All the HTTPS link results are substituted by SSLstrip for HTTP links, and the connection to facebook is made through our insecure MiTM attack.

Hopefully that makes a bit more sense. There may be some things that are not perfectly accurate about this, but it is a good overview.

Link to comment
Share on other sites

Ok, well that means I have less to worry about then. :)

I am adding in some detection into a site I work on.

However, even going to a search engine (using HTTP only) and searching for facebook I do not get a replaced link. :/

I tried several combinations and methods (including making my own HTML page on a local server), no go...

I also tried both from my Android and Chromebook. I get taken to an HTTPS page right away.

Link to comment
Share on other sites

  • 2 weeks later...

Ok, to revive this topic.

Here is my process, and still no luck.

  1. Create a local HTTP server with a test HTML.
  2. Add a link to https://www.facebook.com
  3. Start SSL Strip.
  4. Load the test page in the victim browser.
  5. Check the link, it still reports HTTPS.

Now from my understanding this should be replaced with an HTTP link.

Link to comment
Share on other sites

  • 2 weeks later...

Anyone else having any luck with SSL Strip?

I am running current ver 1.5 and can only get it to work with eBay and Hotmail in my tests! I cannot get it to work with Facebook or Gmail. Anyone else experiencing the same, or is it my config?

Remember that SSLstrip isn't guaranteed to work on all sites. Look up "HSTS" and you'll see that there are measures in place to thwart SSLstrip-based compromising.

Link to comment
Share on other sites
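
The HSTS measure mentioned in the last reply, as an added example that is not part of the original thread: a check a site owner can run on their own Strict-Transport-Security response header to see how much downgrade protection it gives. The function names `parse_hsts` and `stripping_exposure` are hypothetical, and the header values used with them are constructed.

```python
import re

# Simplified form of the directive grammar in RFC 6797 section 6.1:
# a name, optionally followed by "=" and a token or quoted-string value.
_DIRECTIVE = re.compile(r'^([^\s;="]+)(?:\s*=\s*("[^"]*"|[^\s;"]+))?$')


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value.

    Returns a dict (max_age, include_subdomains, preload), or None when the
    header is malformed and a browser would ignore it.
    """
    seen = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:                      # empty directives ("a;;b") are allowed
            continue
        m = _DIRECTIVE.match(part)
        if not m:
            return None
        name = m.group(1).lower()         # directive names are case-insensitive
        if name in seen:                  # a repeated directive invalidates the header
            return None
        seen[name] = (m.group(2) or "").strip('"')
    max_age = seen.get("max-age", "")     # max-age is the one required directive
    if not (max_age.isascii() and max_age.isdigit()):
        return None
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}


def stripping_exposure(header_value, scheme="https"):
    """Describe how exposed a host is to an HTTPS-to-HTTP downgrade."""
    if scheme != "https":
        return "ignored: browsers only honour HSTS received over HTTPS"
    policy = parse_hsts(header_value) if header_value else None
    if policy is None:
        return "no valid policy: any plain-HTTP request can be downgraded"
    if policy["max_age"] == 0:
        return "max-age=0: tells the browser to forget the host"
    if (policy["preload"] and policy["include_subdomains"]
            and policy["max_age"] >= 31536000):
        return "preload-eligible: once listed, the first visit is covered too"
    return "protected after the first HTTPS visit, until max-age expires"
```

A policy that is not preloaded still leaves the very first plain-HTTP visit unprotected, which matches the thread's observation that typed or bookmarked HTTPS addresses are what keep a client safe.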
