Karma Working-SSLSTRIP Not-No Logs--Client Mode- Questionable

[clockworkorange]

I followed the Chris H's tutor on SSLSTRIP and using it with karma. I see other posts on SSLSTRIP and client mode having issues?? For me the following is happing. It was working well before all the UPDATES. Running 1.2.0 Version newest

I log into pineapple and pineapple is connect to my computer via cable.

I make sure my wifi router is connected in client mode

Karma AP set to "Free WIFI"

PUT my Routers MAC in Karma Blacklist

SSLSTRIP set to refresh 1 sec --

I fire up all these and nothing shows in the SSLSTRIP's logs just -------------sslstrip output_13963xxxxx.log [April 01 2014]
filter undefined

See below--I have XXXXX out any identifying infor

------------------------------------------------------

Client Mode and SSLSTRIP I was able to connect through the AP I setup with my cell phone, went to a few pages on intertnet SSLSTRIP showing NADA
KARMA: Successful association of " MY CELL PHONE "
When I try to view SSLSTRIP log it kicks me back to the Output tab--and nothing to see--WTF

-------------------------------------------------------------------

IP address HW type Flags HW address Mask Device
xxxxxxxxxxxxx 0x1 0x0 00:00:00:00:00:00 * wlan1
xxxxxxxxxxxxx 0x1 0x2 xxxxxxxxxxxxxxx * br-lan
xxxxxxxxxxxxx 0x1 0x2 xxxxxxxxxxxxxx * wlan1


KARMA: Probe Request from xxxxxxxxxx for SSID 'router 1XXXXXX'
KARMA: Probe Request from xxxxxxxx for SSID 'Router 2 XXXXXXX'
KARMA: Probe Request from xxxxxxxxx for SSID 'Router 3 XXXXXXX'
KARMA: Probe Request from xxxxxxxxxxx for SSID 'Router 4 XXXXXXX'
KARMA: ENABLED



2Network
Wlan0 Enabled. |
Wlan1 Enabled. |

Internet IP: Show

LAN: 172.16.42.1
Wlan1: 192.XXXXXXXXX
Mobile: N/A



Client Mode
Connection Information - Disconnect

Connected.

wlan1 Link encap:Ethernet HWaddr XXXXXXX
inet addr:192.XXXXXX Bcast:192.XXXXX.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:477 errors:0 dropped:12 overruns:0 frame:0
TX packets:176 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:30577 (29.8 KiB) TX bytes:17539 (17.1 KiB)

wlan1 IEEE 802.11bg ESSID:"XXXXXX"
Mode:Managed Frequency:2.417 GHz Access Point: XXXXXXXXXXXXX
Bit Rate=18 Mb/s Tx-Power=27 dBm
RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality=70/70 Signal level=-14 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:1 Missed beacon:0

[thesugarat]

Your Karma is working and so is your Client Mode. For sslstrip, try logging into the pineapple via ssh and run 'sslstrip' from the command line; then start surfing and see if it displays errors. Let us know what it says.

[clockworkorange]

It appears that the newest update today for the client mode and karma now has SSLSTRIP and Karma working--Thanks Shannon!!! / and others

[BubbaRR]

Yes, having the same issue. I will try and see if i have an update for this as well later tonight when i try it out.

[flynn23]

I am having the exact same issue. I've got the ethernet plugged into my LAN and wlan0 acting as a honey pot AP. However, all clients that are connecting to the AP are not getting the HTTP version of the sites I am browsing to. They are getting the HTTPS versions, as if the pineapple is just bridging and sslstrip is not monitoring the traffic. This is the same whether I'm on the command line or the the web GUI. Yes, I've updated the infusion this afternoon.

[flynn23]

One thing I'll add, and I'm not sure why this should make any difference, but the Pineapple AP is on the same subnet as all the other machines. So the devices connecting to the AP are getting DHCP addresses from the router that the Pineapple AP is also getting a dhcp address from (via eth0). Not sure why this should make a difference for sslstrip, since I would think it's going to look at all traffic passing through the Pineapple, but that's it. Not sure if you have to put an interface into promiscuous mode or not. That doesn't seem right to me.

[clockworkorange]

--flynn23--your right, I also noticed the issue--even though I did the update( pineapple infusion ) that was posted for Karma and Client mode --I am not seeing decoded traffic-- Perhapes

Sebkinne and others can chime in on this , not sure if were doing something in error, but I follwed what Chris H does in the SSLSTRIP advised .

Edited April 2, 2014 by clockworkorange

[thesugarat]

Not sure why you think an update to Karma or Client mode should impact how sslstrip works.... But, what you guys are seeing is not something that hasn't been seen before. So I used the forum search function and found what I was looking at before I suggested you ssh in and type sslstrip. Not a guaranteed fix but hopefully it points you in the right direction.

https://forums.hak5.org/index.php?/topic/31011-sslstrip-works-just-for-https-pages-but-blocks-http-pages/?hl=sslstrip

[BubbaRR]

Is it possible to use Karma and SSLStrip on a WEP or WPA2 network that I have my Pineapple attached too? Or should I only be attempting this on Open networks? So far I have only attempted this on WEP and WPA2 so that could be a problem if I can only use Open. So far I have had no luck with SSLStrip as of yet. I will attempt the posted fix link later today again.

[thesugarat]

You're getting things mixed up I think... Karma and sslstrip do different things.

Karma- You just turn it on... it is only going to work on Open (unprotected) nets. It pretends to be that AP. If it tried to pretend to be an encrypted network your device has seen before it won't work because it doesn't know what that Key is. Your device does but Karma does not....

sslstrip - Again, you just turn it on, but it doesn't care what kind of setup you have as far as networking. It just cares if it can see the traffic. So sslstrip can be used while your pineapple is using wifi or Ethernet.

[BubbaRR]

Got it. Thanks for the clarification on that. I have been trying to do so many things with my new mark v and being that I am new to all of this I have fried my own brain.

[clockworkorange]

Well-new issue--I tried the setup---- tried to login into a pages HTTPS like Gmail and then went over to yahoo mail all from a seperate laptop per Chris's tutor on SSLSTRIP

It did show data coming across--but now when I go to the log files foe SSLSTRIP it does not allow me to see the logs or download. same issue as before, click on VIEW, boots me back to Tab for output

Try to download logs --broswers opens--with below link--blank http://172.16.42.1:1...9648767562----- dot log

Not seeing decrypted info either-very interesting though, not sure what to think. ******* if anyone else can post their steps and results it just might be interesting to see what other get!

[thesugarat]

The reason you are getting booted back to the output Tab is because that is where it displays the log.... If you have the auto update turned on and you try to look at a log it will of course blank the output screen (log) you're looking at after 1 sec or whatever you've set.

[flynn23]

Well, that's not the behavior I'm seeing. I'm seeing nothing being logged at all. SSLstrip is obviously not parsing the traffic going over the interfaces. I've tested this multiple times and can repeat it. Log files are created but empty using cat at the CLI. In fact, I know it's not working because the 'victim' machine is still able to see the target website as HTTPS, including a valid certificate. So SSLstrip is not MITM.

[clockworkorange]

I concur with what Flynn23 is seeing, something is not right with SSLSTRIP and the Traffic not being converted!

[thesugarat]

I don't disagree with what you are seeing. Not logging anything/not working at all is also not a new problem... It's been seen many times before. You can try to install the Strip and Inject infusion and see if that clears up your issues with sslstrip. At one point that Infusions install did something different with I believe the twistedweb packages and cleared up a few users issues with sslstrip. It's a longshot though...

[BubbaRR]

I was able to get SSLStrip working last night. I believe I was just trying the wrong type of websites. I kept trying to log into google. So I finally tried yahoo, then pinterest (my wife's). I was able to see usernames and passwords fine. Works like a charm.

I do have a question though. I want my macbook to have wifi access to the internet and have my pineapple have access to the internet. As of right now, I have to have my wifi on my computer turned off to go into my pineapple interface. Is this normal. So the only one having the internet access is the pineapple. Is this right?

[thesugarat]

Well that's a different subject but what you are describing is not even ICS or Internet Connection Sharing. Which is difficult with OSX...

Sounds like you have:

MacBook wifi connected to your Home router on say 192.168.1.X range... And MacBook's Ethernet port manually set to 172.16.42.42 connected to the Pineapple's eth0 port. Make sure you go into your Network settings and Prioritize your WiFi above your ehternet port. In that configuration your laptop will get it's internet from the WiFi connection but you should still be able to get to the management page of the Pineapple. But that configuration is very limiting.

Try:

MacBook Wifi connected to Pineapple's AP (wlan0) with Pineapples Client Mode (wlan1) connected to an internet connected Access Point. That way you're all on the same system.

[BubbaRR]

OK. So connect macbook wifi to pineapple AP. I just need to ensure that I am on the blacklist. I did notice last night that when computers connected to my pineapples wifi, it was very very slow. Is that because its trying to redirect to a non https site or something or is the transfer through the pineapple just slow?

[thesugarat]

Blacklist for what program? If you're using Karma then yes you might want to Blacklist... Since you're already on the Pineapple by choice it doesn't make much difference but the Pineapple can ignore your MacBook and not waste it's time.

[BubbaRR]

Yes, I was referring to Karma. Thanks