daniboy92 Posted August 15, 2014 Share Posted August 15, 2014 (edited) Hello everyone, I was playing with sslsplit, trying to get some passwords with my phone as a victim. I have two little problems... 1) How to generate a valid ssl cert to avoid Browser's warning... 2) How can i sniff my whatsapp? I've read that sslsplit can do something with Whatsapp, but i was trying and nothing happends. Sorry if i am doing stupids questions. Thanks for advance. One more thing... 3) Webs doesn't show properly, it only shows words, but not images, Edited August 15, 2014 by daniboy92 Quote Link to comment Share on other sites More sharing options...
cooper Posted August 15, 2014 Share Posted August 15, 2014 A quick google yielded this walkthrough. Hope that helps. Quote Link to comment Share on other sites More sharing options...
ZaraByte Posted August 17, 2014 Share Posted August 17, 2014 A quick google yielded this walkthrough. Hope that helps. Uhh! The Pineapple already generates a ssl cert does it not? because i clearly see the cert in the crt folder :B Quote Link to comment Share on other sites More sharing options...
daniboy92 Posted August 17, 2014 Author Share Posted August 17, 2014 Yes, pineapple ? do it, but generate a cert that it's detect like fake cert... Tried that other method but it doesn't work... And... What about WhatsApp sniffing? Someone knows how to get a working sslsplit for this? Quote Link to comment Share on other sites More sharing options...
Whistle Master Posted August 18, 2014 Share Posted August 18, 2014 (edited) Are you talking about the infusion ? If you are talking about the sslsplit infusion, yes, the infusion will generate a self-signed certificate at the installation of the infusion. And in the configuration, I put a rule to redirect WhatsApp traffic to sslsplit Now that's said, if you want to avoid the browser warning due to the self-signed certificate, you will have to buy a real ssl certificate and put it in the infusion's folder where are stored the certificate. Edited August 18, 2014 by Whistle Master Quote Link to comment Share on other sites More sharing options...
pats Posted August 18, 2014 Share Posted August 18, 2014 Are you talking about the infusion ? If you are talking about the sslsplit infusion, yes, the infusion will generate a self-signed certificate at the installation of the infusion. And in the configuration, I put a rule to redirect WhatsApp traffic to sslsplit Now that's said, if you want to avoid the browser warning due to the self-signed certificate, you will have to buy a real ssl certificate and put it in the infusion's folder where are stored the certificate. Offtopic, but the whatsapp data is stored in a log file, but it is still jibberish. Quote Link to comment Share on other sites More sharing options...
daniboy92 Posted August 18, 2014 Author Share Posted August 18, 2014 And... We can not falsificate a valid cert? (Stupid question, sorry) Quote Link to comment Share on other sites More sharing options...
Whistle Master Posted August 18, 2014 Share Posted August 18, 2014 No Quote Link to comment Share on other sites More sharing options...
commdogg Posted August 18, 2014 Share Posted August 18, 2014 I've been trying to find a way to get a "rouge CA" cert to install on a "victim" trust center. However, it looks like unless you are on a domain and you have admin access to the DC to push a cert via GPO, clever trickery with social engineering is the best I can come up with. I've been researching (when I have time) if there any cool client side attack payloads I can use to do that. But so far, Nada. You can't falsify a valid cert, but certain proxies will do an SSL MITM and re sign their own cert to make it appear to the client browser it came from the site and not the proxy. However, the CA for the proxy needs to be trusted by the client, hence my problem above. The Squid3-dev package does this pretty smoothly. I just don't have several thousand dollars and a good reason to give verisign as to why I need an intermediate CA certificate from them. Its pretty pointless from the academic standpoint anyway. It would only be useful if I was actually going to use it, which I won't because jail sucks. Me thinks this infusion will be ultra cool for phone apps. I'll betcha many of them don't actually check the SSL cert presented to it. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.