Jump to content

Other than SSLstrip, can Pineapple perform true HTTPS MITM attacks?


Recommended Posts

I understand the principle and theory of a TRUE HTTPS MITM attack (not SSLstrip's degrading from HTTPS to HTTP).

However does Pineapple have any components to perform true HTTPS attacks, so that even if you personally type HTTPS into a web site URL, the tool can still decrypt your traffic?

Let's assume you can NOT steal the web site's credentials. I don't need much detail but just wanted to verify the capability.

Thanks in advance for any clarification....Deeply appreciated!!

Link to comment
Share on other sites

To do this you need to achieve the following things:

1. You need to perform a dns poison attack so that trustedsite.org resolves to Pineapple_IP.

2. Your victim should then try to connect to trustedsite.org (which, because of step 1, will be the pineapple). We will assume the victim directly went to https://trustedsite.org which means ssl strip can't do its usual trick.

3. The pineapple will be asked to deliver a certificate that is valid for trustedsite.org

4. Profit. At this stage the secure connection is made but the pineapple is MITM and can see the unencrypted traffic.

Obviously, step 3 is going to be difficult. You won't be able to present a valid cert for trustedsite.org so that's a problem.

One solution is to provide the user with the url to connect to, using similar-looking glyphs so that it appears the victim is really accessing trustedsite.org even though he's not. Ssl strip should be capable of this, however when the victim typed the url in manually, this again won't work.

A different approach is to create your own CA, dynamically create a cert for trustedsite.org and present this to the user. He'll be notified that the CA isn't trusted and be nagged about what to do about it: deny (=default), accept temporarily or accept forever. Most users will simply try to get the warning out of their face asap so they'll click ok=deny=problem. The less clever users will just want to get it over with, accept the cert and be happy. This can be useful when the initial connection was, like, a secure connection to google (the search engine, not the other shit they provide). Something people don't typically consider very neccessary to secure. You could use a secure welcome splash screen that they need to get through before you allow internet access. Inform them that they must click here, accept SuperSecureCA, LLC as a CA and from that point on you're golden.

This concept is used on the internal networks of corporations where they don't want you to access secure stuff because of liability issues, security (siphoning off their intellectual propery) and performance (you can't cache what you can't see). I think Burp cat do this. Squid might also.

Can't think of any other ways right now. Much of this shouldn't be hard for the pineapple to handle. It's not particularly cpu-heavy except for maybe the cert gen which is a one-time hit anyways.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...