BollywoodFan101 Posted April 1, 2014
Hello guys, I'm fairly new to this world of knowledge :) I recently installed tcpdump and Karma. I intend to log traffic flowing through Karma. I successfully connected the Pineapple to my WiFi as a client and can use the internet through it. Now I need to know how to log through tcpdump. Do I log wlan0 or wlan1? I'm not sure which wlan I'm using to connect the Pineapple to WiFi. Let's just say it's on stock settings. So which one would it be? Which one do I log? What about the monitor mode setting alongside? Please help.
thesugarat Posted April 1, 2014
Best advice is to search these forums. Your questions have been asked many times before...
wlan0 = Pineapple's Access Point
wlan1 = Client Mode/Jamming
br-lan = a bridge between wan and lan
If you are using Karma to bring users onto the Pineapple and you want to log all traffic, you'll want to use tcpdump on br-lan. Monitor Mode is used for wireless purposes like jamming/reaver/bully/packet injection etc. You won't need to set that for Karma or tcpdump.
BollywoodFan101 Posted May 7, 2014
Hey guys, I'm trying to run Karma and SSLStrip. I can successfully get clients to connect to my device. However, SSLStrip apparently doesn't seem to be working, as I just checked and HTTPS indeed is working. Any ideas, guys?
TYTechnolust Posted May 7, 2014
MarkV and all tiles updated? How are you verifying if SSLStrip is working or not?
BollywoodFan101 Posted May 7, 2014
Yes, it's on the latest 1.3 firmware. All tiles updated. I've Karma'ed myself and continue to browse HTTPS websites and HTTPS isn't being removed; that's how I'm sure SSLStrip isn't working.
TYTechnolust Posted May 8, 2014
Are you trying multiple https sites? Some that work as of late are eBay, Wordpress, aol. If those don't work... try uninstalling sslstrip and reinstall.
BollywoodFan101 Posted May 12, 2014
Yes, Facebook and the likes, in particular. Uninstalled and installed many times. I can get a cookies dump and everything, just the SSL won't get stripped. I continue to browse with SSL even with SSLStrip running.
BollywoodFan101 Posted May 12, 2014
sslstrip output_1399901190.log [May 12 2014 13:43:04]
2014-05-12 13:42:54,349 Host resolution error: [Failure instance: Traceback (failure with no frames): <class 'twisted.internet.error.DNSLookupError'>: DNS lookup failed: address '192.168.1.1:80' not found: [Errno -2] Name or service not known. ]
2014-05-12 13:43:04,594 Host resolution error: [Failure instance: Traceback (failure with no frames): <class 'twisted.internet.error.DNSLookupError'>: DNS lookup failed: address '192.168.1.1:80' not found: [Errno -2] Name or service not known. ]
cooper Posted May 12, 2014
It looks to me like you ARP-poisoned yourself. What are the IP addresses of your victim, yourself and your gateway?
BollywoodFan101 Posted May 12, 2014
Well, I'm just running SSLStrip with Karma. I don't know the IP address of the victim, I just need to log all the traffic on it. How can I NOT ARP-poison myself, just btw? I tried doing it without Karma as well, I seem to get some log from just one shitty website I was browsing, nothing else. I still continue to browse Facebook with https.
cooper Posted May 12, 2014 (edited)
Well, you're MITM for this. Two network adapters, two networks. One network is being ARP-poisoned, the other not. Seems on your setup BOTH are.
Scratch that. This is some uninformed bullshit on my part.
Edited May 12, 2014 by Cooper
overwraith Posted May 12, 2014
I see no mention of him using arp cache poisoning executables. Usually you have to actually run something in order to use it, unless karma, ssl strip, or wifi jammer use this somewhere in the code?
cooper Posted May 12, 2014
I listened to the (online) speech Moxie gave about ssl strip. It requires that you're MITM. You get there by either being the entry point for people to get on the network (you're the AP) or by getting your victims to willingly route their traffic to your machine when they actually want to go to the network. The latter is achieved using ARP spoofing/poisoning. You execute it by identifying your victim by IP address, and you send it ARP responses that identify your machine as the one with the IP address of the intended recipient. The result is that when the target wants to talk to the intended recipient, that data gets sent to you and all you have to do is send it on to the legitimate target (and maybe eavesdrop a little).
This process should not cause trouble for your own machine since the arp poisoning is targeted. Only the intended victim receives the ARP responses and acts upon them.
Again, this is needed ONLY when YOU are NOT in the path to the intended destination. When you reenact an AP that your victim chooses to connect to (Jasager anyone?), you're already in the appropriate position for some ssl stripping and really don't need to do any ARP poisoning at all.
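The forged ARP responses described in the post above are visible to a defender as an IP address whose MAC binding changes. As an added example that is not part of any post in this thread, a small Python detector run over constructed tcpdump-style ARP reply lines (the sample lines, addresses and function names are assumptions made for illustration):

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of tcpdump's ARP output (not captured traffic).
SAMPLE = """\
13:42:50.100000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
13:42:51.200000 ARP, Reply 192.168.1.23 is-at 00:11:22:33:44:17, length 28
13:42:54.300000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:99, length 28
13:42:55.300000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:99, length 28
13:42:56.400000 ARP, Reply 192.168.1.40 is-at 00:11:22:33:44:99, length 28
"""

REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)

def parse_replies(text):
    """Yield (timestamp, ip, mac) for each ARP reply line; skip anything else."""
    for line in text.splitlines():
        m = REPLY.match(line.strip())
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()

def detect_arp_spoofing(replies, pinned=None):
    """Return (timestamp, kind, ip, mac) alerts for suspicious ARP replies.

    pinned: optional {ip: mac} of bindings known to be good (e.g. the gateway).
    Without it the first reply seen for an IP is trusted, so a forged reply
    that arrives first goes unnoticed.
    """
    bindings = dict(pinned or {})     # ip -> mac currently trusted
    ips_by_mac = defaultdict(set)     # mac -> every ip it has claimed
    for ip, mac in bindings.items():
        ips_by_mac[mac].add(ip)
    alerts, reported = [], set()
    for ts, ip, mac in replies:
        known = bindings.setdefault(ip, mac)   # learn on first sighting
        if known != mac and (ip, mac) not in reported:
            # Same IP answered by a different MAC: possible forged reply.
            reported.add((ip, mac))
            alerts.append((ts, "binding-changed", ip, mac))
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                # One adapter answering for several IPs (also seen with proxy ARP).
                alerts.append((ts, "mac-claims-many-ips", ip, mac))
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoofing(parse_replies(SAMPLE)):
        print(alert)
```

Pinning the gateway's binding is what catches a forged reply that arrives before the genuine one; the multiple-IP alert is lower confidence because routers doing proxy ARP trigger it legitimately.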
overwraith Posted May 12, 2014
If you were just running karma, would you ever need to arp cache poison then? If you were sniffing the wired network through the wireless AP, then yes, but otherwise? Does SSL Strip have any code in it that performs arp cache poisoning? Unless BollywoodFan101 has been using one of the built-in executables for arp poisoning, or SSL strip has it built in, then I don't think that's the problem.
cooper Posted May 12, 2014
Then I guess my question would be "Who is 192.168.1.1, why are you doing a DNS lookup for him and, worse, why is the port number included as it has nothing to do with a DNS lookup?"
BollywoodFan101 Posted May 13, 2014
192.168.1.1 would be the WLAN 1. I am NOT doing a DNS lookup lol, I have no idea why that stuff is coming up.
cooper Posted May 13, 2014
It's ssl strip that does the lookup. On its download page it says it uses the twisted-web module which is what is reporting the problem.
BollywoodFan101 Posted May 13, 2014
So what's the reason?
cooper Posted May 13, 2014
Without looking at the code itself (feel free to do that part yourself), ssl strip acts as a proxy. You connect to it asking for a page on a.b.com and it wants to go out and fetch that for you. First step to doing just that is to perform a DNS lookup for a.b.com, but it would appear that instead ssl strip is looking up its own IP address with a port tacked onto it. Looks to me like a misconfiguration involving that string.
BollywoodFan101 Posted May 14, 2014
Well then how do I configure it?
cooper Posted May 14, 2014
Did you enter that ip:80 as a string somewhere? That's the bit of configuration that's not supposed to be there. Where it's set? I donno. I own a pineapple since last weekend but aside from turning it on I haven't done anything with it yet.
BollywoodFan101 Posted May 14, 2014
Nope, didn't touch anything. Just turn on sslstrip, that's all.
BollywoodFan101 Posted May 15, 2014
sslstrip output_1400114399.log [May 15 2014 00:40:24]
2014-05-15 00:40:13,687 Host resolution error: [Failure instance: Traceback (failure with no frames): <class 'twisted.internet.error.DNSLookupError'>: DNS lookup failed: address 'https' not found: [Errno -2] Name or service not known. ]
2014-05-15 00:40:13,946 Host resolution error: [Failure instance: Traceback (failure with no frames): <class 'twisted.internet.error.DNSLookupError'>: DNS lookup failed: address 'https' not found: [Errno -2] Name or service not known. ]
2014-05-15 00:40:24,495 Host resolution error: [Failure instance: Traceback (failure with no frames): <class 'twisted.internet.error.DNSLookupError'>: DNS lookup failed: address 'http' not found: [Errno -2] Name or service not known. ]
2014-05-15 00:40:24,724 Host resolution error: [Failure instance: Traceback (failure with no frames): <class 'twisted.internet.error.DNSLookupError'>: DNS lookup failed: address 'http' not found: [Errno -2] Name or service not known. ]