daniboy92 Posted August 15, 2014 Posted August 15, 2014 (edited) Hello everyone, I was playing with sslsplit, trying to get some passwords with my phone as a victim. I have two little problems... 1) How to generate a valid ssl cert to avoid Browser's warning... 2) How can i sniff my whatsapp? I've read that sslsplit can do something with Whatsapp, but i was trying and nothing happends. Sorry if i am doing stupids questions. Thanks for advance. One more thing... 3) Webs doesn't show properly, it only shows words, but not images, Edited August 15, 2014 by daniboy92 Quote
cooper Posted August 15, 2014 Posted August 15, 2014 A quick google yielded this walkthrough. Hope that helps. Quote
ZaraByte Posted August 17, 2014 Posted August 17, 2014 A quick google yielded this walkthrough. Hope that helps. Uhh! The Pineapple already generates a ssl cert does it not? because i clearly see the cert in the crt folder :B Quote
daniboy92 Posted August 17, 2014 Author Posted August 17, 2014 Yes, pineapple ? do it, but generate a cert that it's detect like fake cert... Tried that other method but it doesn't work... And... What about WhatsApp sniffing? Someone knows how to get a working sslsplit for this? Quote
Whistle Master Posted August 18, 2014 Posted August 18, 2014 (edited) Are you talking about the infusion ? If you are talking about the sslsplit infusion, yes, the infusion will generate a self-signed certificate at the installation of the infusion. And in the configuration, I put a rule to redirect WhatsApp traffic to sslsplit Now that's said, if you want to avoid the browser warning due to the self-signed certificate, you will have to buy a real ssl certificate and put it in the infusion's folder where are stored the certificate. Edited August 18, 2014 by Whistle Master Quote
pats Posted August 18, 2014 Posted August 18, 2014 Are you talking about the infusion ? If you are talking about the sslsplit infusion, yes, the infusion will generate a self-signed certificate at the installation of the infusion. And in the configuration, I put a rule to redirect WhatsApp traffic to sslsplit Now that's said, if you want to avoid the browser warning due to the self-signed certificate, you will have to buy a real ssl certificate and put it in the infusion's folder where are stored the certificate. Offtopic, but the whatsapp data is stored in a log file, but it is still jibberish. Quote
daniboy92 Posted August 18, 2014 Author Posted August 18, 2014 And... We can not falsificate a valid cert? (Stupid question, sorry) Quote
commdogg Posted August 18, 2014 Posted August 18, 2014 I've been trying to find a way to get a "rouge CA" cert to install on a "victim" trust center. However, it looks like unless you are on a domain and you have admin access to the DC to push a cert via GPO, clever trickery with social engineering is the best I can come up with. I've been researching (when I have time) if there any cool client side attack payloads I can use to do that. But so far, Nada. You can't falsify a valid cert, but certain proxies will do an SSL MITM and re sign their own cert to make it appear to the client browser it came from the site and not the proxy. However, the CA for the proxy needs to be trusted by the client, hence my problem above. The Squid3-dev package does this pretty smoothly. I just don't have several thousand dollars and a good reason to give verisign as to why I need an intermediate CA certificate from them. Its pretty pointless from the academic standpoint anyway. It would only be useful if I was actually going to use it, which I won't because jail sucks. Me thinks this infusion will be ultra cool for phone apps. I'll betcha many of them don't actually check the SSL cert presented to it. Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.