alphan3 Posted May 14, 2014
I understand the principle and theory of a TRUE HTTPS MITM attack (not SSLstrip's degrading from HTTPS to HTTP). However, does Pineapple have any components to perform true HTTPS attacks, so that even if you personally type HTTPS into a web site URL, the tool can still decrypt your traffic? Let's assume you can NOT steal the web site's credentials. I don't need much detail but just wanted to verify the capability. Thanks in advance for any clarification. Deeply appreciated!!
cooper Posted May 14, 2014
To do this you need to achieve the following things:
1. You need to perform a DNS poisoning attack so that trustedsite.org resolves to Pineapple_IP.
2. Your victim should then try to connect to trustedsite.org (which, because of step 1, will be the pineapple). We will assume the victim went directly to https://trustedsite.org, which means SSLstrip can't do its usual trick.
3. The pineapple will be asked to deliver a certificate that is valid for trustedsite.org.
4. Profit. At this stage the secure connection is made, but the pineapple is the MITM and can see the unencrypted traffic.
Obviously, step 3 is going to be difficult. You won't be able to present a valid cert for trustedsite.org, so that's a problem. One solution is to provide the user with the URL to connect to, using similar-looking glyphs so that it appears the victim is really accessing trustedsite.org even though he's not. SSLstrip should be capable of this; however, when the victim typed the URL in manually, this again won't work. A different approach is to create your own CA, dynamically create a cert for trustedsite.org and present this to the user. He'll be notified that the CA isn't trusted and be nagged about what to do about it: deny (=default), accept temporarily or accept forever. Most users will simply try to get the warning out of their face asap, so they'll click ok=deny=problem. The less clever users will just want to get it over with, accept the cert and be happy. This can be useful when the initial connection was, like, a secure connection to google (the search engine, not the other shit they provide). Something people don't typically consider very necessary to secure. You could use a secure welcome splash screen that they need to get through before you allow internet access. Inform them that they must click here, accept SuperSecureCA, LLC as a CA and from that point on you're golden.
This concept is used on the internal networks of corporations where they don't want you to access secure stuff because of liability issues, security (siphoning off their intellectual property) and performance (you can't cache what you can't see). I think Burp can do this. Squid might also. Can't think of any other ways right now. Much of this shouldn't be hard for the pineapple to handle. It's not particularly CPU-heavy except for maybe the cert gen, which is a one-time hit anyways.
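A defender-side check for the scenario cooper describes, added here as an example (not code from the thread, from Hak5 or from the Pineapple): once a user has "accepted forever" a rogue CA, the operating system's chain validation passes, so pinning the expected issuer and checking the hostname for look-alike (IDN) labels is what flags the interception. The certificate dicts and the "Example Public CA" issuer are constructed placeholders in the shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
# Constructed sample certificates in the dict shape that Python's
# ssl.SSLSocket.getpeercert() returns; the issuer names are placeholders.
GOOD_CERT = {
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "trustedsite.org"), ("DNS", "*.trustedsite.org")),
}
ROGUE_CERT = {  # the thread's "SuperSecureCA, LLC" accepted-forever scenario
    "issuer": ((("organizationName", "SuperSecureCA, LLC"),),),
    "subjectAltName": (("DNS", "trustedsite.org"),),
}
PINNED_ISSUERS = {"Example Public CA"}  # CA(s) expected to sign this site

def hostname_matches(cert, hostname):
    """True if a DNS subjectAltName covers hostname (exact or *.label wildcard)."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern == host:
            return True
        if (pattern.startswith("*.") and host.count(".") == pattern.count(".")
                and host.endswith(pattern[1:])):
            return True
    return False

def issuer_org(cert):
    """Pull organizationName out of the nested issuer tuples."""
    return next((v for rdn in cert.get("issuer", ()) for k, v in rdn
                 if k == "organizationName"), "")

def assess_peer_cert(cert, hostname, pinned_issuers):
    """Return a list of findings; an empty list means nothing suspicious."""
    if not cert:  # getpeercert() is {} when the chain was never verified
        return ["no verified certificate for the connection"]
    findings = []
    if not hostname_matches(cert, hostname):
        findings.append("certificate is not issued for %s" % hostname)
    org = issuer_org(cert)
    if org not in pinned_issuers:  # OS trust store would accept a user-added CA
        findings.append("unexpected issuer %r; possibly a locally added CA" % org)
    if not hostname.isascii() or "xn--" in hostname:
        findings.append("hostname is an IDN; check for look-alike glyphs")
    return findings

if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("rogue", ROGUE_CERT)):
        print(label, assess_peer_cert(cert, "trustedsite.org", PINNED_ISSUERS))
```

For a live check, pass the dict from `getpeercert()` on a connection made with `ssl.create_default_context()` in place of the constructed samples.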
alphan3 (Author) Posted May 15, 2014
Thank you, Cooper, for such a detailed explanation! Now I feel much more on the ground. :)