Mark V newbie - Please help

[BollywoodFan101]

Hello guys

I'm fairly new to this world of knowledge :)

I recently installed tcpdump and Karma.

I intend to log traffic flowing through karma.

I successfully connected the pineapple to my wifi as client and can use the internet through it.

Now I need to know how to log through tcpdump ??

Do I log wlan0 or wlan1 ? I'm not sure which wlan i'm using to connect the pineapple to wifi. Lets just say it's on stock settings. So which one would it be ?

Which one do I log ? what about monitor mode setting alongside ?

Please help

[thesugarat]

Best advice is to search these forums. Your questions have been asked many times before...

wlan0 = Pineapples Access Point

wlan1 = Client Mode/Jamming

br-lan = a bridge between wan and lan

If you are using karma to bring users onto the pineapple and you want to log all traffic you'll want to use tcpdump on br-lan.

Monitor Mode is used for wireless purposes like Jamming/reaver/bully/packet injection etc. You won't need to set that for Karma or tcpdump.

[BollywoodFan101]

Hey guys

I'm trying to run Karma and SSLStrip.

I can successfully get clients to connect to my device. However SSLStrip apparently doesn't seem to be working as I just checked and HTTPS indeed is working.

Any ideas guys ?

[TYTechnolust]

MarkV and all tiles updated? How are you verifying if SSLStrip is working or not?

[BollywoodFan101]

yes it's on the latest 1.3 firmware.

All tiles updated.

I've Karma'ed myself and continue to browse HTTPS websites and HTTPS isn't being removed, that's how i'm sure SSL Strip isn't working.

[TYTechnolust]

Are you trying multiple https sites? Some that work as of late are eBay, Wordpress, aol. If those don't work....try uninstalling sslstrip and reinstall.

[BollywoodFan101]

Yes, Facebook and the likes, in particular.

Uninstalled and install many times. I can get cookies dump and everything, just the ssl won't get stripped. I continue to browse with SSL even with SSLStrip running.

[BollywoodFan101]

sslstrip output_1399901190.log [May 12 2014 13:43:04]

2014-05-12 13:42:54,349 Host resolution error: [Failure instance: Traceback (failure with no frames): <class 'twisted.internet.error.DNSLookupError'>: DNS lookup failed: address '192.168.1.1:80' not found: [Errno -2] Name or service not known.

]

2014-05-12 13:43:04,594 Host resolution error: [Failure instance: Traceback (failure with no frames): <class 'twisted.internet.error.DNSLookupError'>: DNS lookup failed: address '192.168.1.1:80' not found: [Errno -2] Name or service not known.

]

[cooper]

It looks to me like you ARP-poisoned yourself. What's the IP addresses of your victim, yourself and your gateway?

[BollywoodFan101]

Well i'm just running SSLStrip with Karma. I don't know the IP address of the victim, I just need to log all the traffic on it.

How can I NOT ARP-Poison myself, just btw ?

I tried doing it without Karma aswell, I seem to get some log from just one shitty website i was browsing, nothing else.

I still continue to browse facebook with https.

[cooper]

Well, you're MITM for this. Two network adapters, two networks. One network is being ARP-poisoned, the other not. Seems on your setup BOTH are.

Scratch that. This is some uninformed bullshit on my part.

Edited May 12, 2014 by Cooper

[overwraith]

I see no mention of him using arp cache poisoning executables. Usually you have to actually run something in order to use it, unless karma, ssl strip, or wifi jammer use this somewhere in the code?

[cooper]

I listened to the (online) speech Moxie gave about ssl strip. It requires that you're MITM. You get there by either being the entry point for people to get on the network (you're AP) or by getting your victims to willingly route their traffic to your machine when they actually want to go to the network. The latter is achieved using ARP spoofing/poisoning. You execute it by identifying your victim by IP address, and you send it ARP responses that identify your machine as the one with the IP address of the intended recipient. The result is that when the target wants to talk to the intended recipient, that data gets sent to you and all you have to do is send it on to the legitimate target (and maybe eavesdrop a little).

This process should not cause trouble for your own machine since the arp poisoning is targeted. Only the intended victim receives the ARP responses and acts upon them.

Again, this is needed ONLY when YOU are NOT in the path to the intended destination. When you reenact an AP that your victim chooses to connect to (Jasager anyone?), you're already in the appropriate position for some ssl stripping and really don't need to do any ARP poisoning at all.

[overwraith]

If you were just running karma, would you ever need to arp cache poison then? If you were sniffing the wired network through the wireless AP, then yes, but otherwise? Does SSL Strip have any code in it that preforms arp cache poisoning? Unless BollywoodFan101 has been using one of the built in executables for arp poisoning, or SSL strip has it built in, then I don't think that's the problem.

[cooper]

Then I guess my question would be "Who is 192.168.1.1, why are you doing a DNS lookup for him and, worse, why is the port number included as it has nothing to do with a DNS lookup?"

[BollywoodFan101]

192.168.1.1 would be the WLAN 1.

I am NOT doing a DNS lookup lol, i have no idea why that stuff is coming up.

[cooper]

It's ssl strip that does the lookup. On its download page it says it uses the twisted-web module which is what is reporting the problem.

[BollywoodFan101]

So whats the reason ?

[cooper]

Without looking at the code itself (feel free to do that part yourself) ssl strip acts as a proxy. You connect to it asking for a page on a.b.com and it wants to go out and fetch that for you. First step to doing just that is to perform a DNS lookup for a.b.com but it would appear that instead ssl strip is looking up its own IP address with a port tacked onto it.

Looks to me like a misconfiguration involving that string.

[BollywoodFan101]

Well then how do I configure it?

[cooper]

Did you enter that ip:80 as a string somewhere? That's the bit of configuration that's not supposed to be there. Where it's set? I donno. I own a pineapple since last weekend but aside from turning it on I haven't done anything with it yet.

[BollywoodFan101]

Nope, didn't touch anything. Just turn on sslstrip, that's all.

[BollywoodFan101]

sslstrip output_1400114399.log [May 15 2014 00:40:24]

2014-05-15 00:40:13,687 Host resolution error: [Failure instance: Traceback (failure with no frames): <class 'twisted.internet.error.DNSLookupError'>: DNS lookup failed: address 'https' not found: [Errno -2] Name or service not known.

]

2014-05-15 00:40:13,946 Host resolution error: [Failure instance: Traceback (failure with no frames): <class 'twisted.internet.error.DNSLookupError'>: DNS lookup failed: address 'https' not found: [Errno -2] Name or service not known.

]

2014-05-15 00:40:24,495 Host resolution error: [Failure instance: Traceback (failure with no frames): <class 'twisted.internet.error.DNSLookupError'>: DNS lookup failed: address 'http' not found: [Errno -2] Name or service not known.

]

2014-05-15 00:40:24,724 Host resolution error: [Failure instance: Traceback (failure with no frames): <class 'twisted.internet.error.DNSLookupError'>: DNS lookup failed: address 'http' not found: [Errno -2] Name or service not known.

]