Urieal Posted August 29, 2014

After reading countless threads about SSLSTRIP not working on systems such as Safari, Firefox, and Chrome I wanted to inquire about something that was released at Defcon Asia... SSLSTRIP 2 and DNS2PROXY

https://github.com/LeonardoNve/sslstrip2

This is a new version of Moxie's SSLstrip with the new feature to avoid the HTTP Strict Transport Security (HSTS) protection mechanism. This version changes HTTPS to HTTP as the original one, plus the hostname in the HTML code to avoid HSTS. Check my slides at BlackHat ASIA 2014 OFFENSIVE: EXPLOITING DNS SERVERS CHANGES for more information. For this to work you also need a DNS server that reverses the changes made by the proxy; you can find it at https://github.com/LeonardoNve/dns2proxy. Demo video at: http://www.youtube.com/watch?v=uGBjxfizy48

The DNS Proxy

I am having a really hard time following the instructions. I've tried to contact the developer for clarification but no luck. Anyone else care to chime in on how to set up dns2proxy?

Also, is there anyone willing to take on the challenge of adding this as an infusion to the pineapple? My understanding is this would allow you to compromise all browsers such as Safari, Chrome, and Firefox? The demo video interestingly enough shows quite vividly a proof of concept -- just trying to figure out how to do this? I'm running a few Kali Linux machines, can someone clarify how I'm supposed to set up the DNS proxy?

To the ENTIRE Hak5 Team: Thank you for working on a device that is truly amazing and endless with opportunity. We are only limited by our creativity when it comes to deployment with this awesome device. I took it upon myself to invest in all the bells and whistles that came with the Mark 5. Let's talk about build quality - FIRST CLASS! This thing is scary - To the untrained eye you wouldn't have ANY idea what it is... To the trained eye, the only term that comes to mind is pwned and operated.

PineAP: ...
so that's what Dogma does -- and that's why karma doesn't work as expected anymore :D -- Soooo many questions on this forum could be answered by watching this regarding Karma.

Chris Haralson
https://www.youtube.com/channel/UCK15ED34btB3NZznGIXQuwA
This guy's videos and guides are first class - aimed at people with my skill set. I really couldn't ask for anything to be clearer. I am anxiously awaiting your future guides and videos.. (*I check back every day*).

My office :D
And a snazzy little pic of some pineapples....
Urieal (Author) Posted August 29, 2014
http://youtu.be/40Igim3upL0?list=UUTkpeicFNBuHJCvp4LZEuvw
The PineAP Video..
chriswhat Posted August 30, 2014
Thanks for the shout out. I haven't done much with my channel lately because I've been extremely busy working on http://ctf365.com - our online security training platform. We provide our free users with access to several vulnerable-by-design servers and web applications, such as Metasploitable and DVWA. Our paid users get access to the main arena, which has real servers hosted by real people. The idea is to attack other servers while defending your own server, and our goal is to simulate the real world internet. We also hold weekend-long CTF competitions for our paid users. The next one starts on October 17. For now, I'm working on some new Pineapple tutorials. When I'm finished, I'll share them in the WiFi Pineapple University category.
Edited August 31, 2014 by chriswhat
Sebkinne Posted August 31, 2014
Urieal, Thank you for the positive feedback! While we are working on the sslstripHSTS version, we are implementing the dns2proxy a little differently. Because we are already the man in the middle, and we have lots of tools on the pineapple, we do not need to use this. Once it's done, it should run rather nicely.
Best regards, Sebkinne
johnjdoe Posted August 31, 2014
Hi Sebkinne,
"While we are working on the sslstripHSTS version, we are implementing the dns2proxy a little different."
Do you already know when this new feature will be available? Thank you for your precious work!
Sebkinne Posted August 31, 2014
No, there are a few other things on my list that take priority. Won't take too long though :)
Best regards, Sebkinne
johnjdoe Posted August 31, 2014
"Won't take too long though :)"
:-)
Armaal Posted September 3, 2014
Hello everybody
Here is a Python script to perform a fast check of whether a website has an HSTS header or not. It could be very useful. For example Lastpass uses an HSTS header with a 32 month max age.
Also you can check with Chrome: http://imgur.com/dZGq03u (screenshot)
see ya
armaal
Urieal (Author) Posted September 3, 2014
Another method for those of you who enjoy metasploit can be found at https://www.mattandreko.com/2013/02/21/hsts-metasploit-module/

msf > use auxiliary/scanner/http/http_hsts
msf auxiliary(http_hsts) > show options

Module options (auxiliary/scanner/http/http_hsts):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        Use a proxy chain
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    443              yes       The target port
   SSL      true             yes       Negotiate SSL for outgoing connections
   THREADS  1                yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host

msf auxiliary(http_hsts) > set rhosts www.paypal.com, www.google.com, www.yahoo.com, www.wikipedia.org
rhosts => www.paypal.com, www.google.com, www.yahoo.com, www.wikipedia.org
msf auxiliary(http_hsts) > run
johnjdoe Posted September 19, 2014
"Won't take too long though :)"
Sorry for being annoying, but do you perhaps have news about these features? Thanks in advance!
slyd0g Posted September 29, 2014
Hey everyone, As I am sure most of you know, ssl-strip is basically useless on any modern browser or operating system since all have been updated to use HSTS. The guys at Sensepost were able to defeat HSTS using a modified version of ssl-strip as part of their MANA Rogue-AP system.
https://github.com/sensepost/mana/tree/master/sslstrip-hsts
Any chance of this getting implemented on the Pineapple? As of now I am barely picking up any credentials unless people are submitting via unencrypted HTTP posts.
daniboy92 Posted September 29, 2014
Seb says they are working on implementing this feature or one similar. I don't know how much time we will wait for this, but without an effective tool against SSL we lose an important capacity for pentesting.
Armaal Posted September 29, 2014
If the client's navigator is modern & goes to pre-load HSTS (facebook, lastpass, gmail, etc...) -> fail
So alternative tips are the following:
-> Generate an EvilAP
-> Host a twin facebook into /www folder
-> Remake the HTML (twin-facebook) original code to call a PHP action with a .txt or sql
-> Dnsspoof the 172.16.42.1 *.facebook.* (excellent tuto found here hak5 : http://goo.gl/qe4jkx )
-> Check your txt or sql database
But I remember that facebook detects an abnormality & says to change the password of the client.
Edited September 29, 2014 by Armaal
daniboy92 Posted September 29, 2014
"If the client's navigator is modern & goes to pre-load HSTS (facebook, lastpass, gmail, etc...) -> fail
So alternative tips are the following:
-> Generate an EvilAP
-> Host a twin facebook into /www folder
-> Remake the HTML (twin-facebook) original code to call a PHP action with a .txt or sql
-> Dnsspoof the 172.16.42.1 *.facebook.* (excellent tuto found here hak5 : http://goo.gl/qe4jkx )
-> Check your txt or sql database
But I remember that facebook detects an abnormality & says to change the password of the client."
Unfortunately dnsspoof is a little bit outdated and it can't spoof a web if it's cached or if it's an SSL web. With dnsspoof+evilportal it's a little bit harder to get credentials due to SSL and previously cached webs.
aibos Posted October 10, 2014
Can we just copy the SSLStrip+ code over the older infusion one?
daniboy92 Posted October 10, 2014
"Can we just copy SSLStrip+ code over the older infusion one"
No, we can't.
Whistle Master Posted October 10, 2014
The new version of SSLstrip is a kind of fork of Moxie's version, but for it to work you also need a DNS server that reverses the changes made by the proxy, which is why you can't "just" replace it in the infusion. It won't simply work.
daniboy92 Posted October 10, 2014
"The new version of SSLstrip is a kind of fork of Moxie's version, but for it to work you also need a DNS server that reverses the changes made by the proxy, which is why you can't "just" replace it in the infusion. It won't simply work."
What about the new firmware Seb mentions, with new features against these limitations? Do you know something about that, Whistlemaster?
Edited October 18, 2014 by daniboy92
johnjdoe Posted October 23, 2014
Did you see https://gist.github.com/xaitax/03601c36be8e22207b94 ? Could it perhaps help? Just an answer but is there a roadmap for this feature?
bytedeez Posted October 24, 2014
The problem with sslstrip2 is porting dns2proxy to the pineapple as well as sites being cached in the target's browser. I imagine that to fully get the magic of the original sslstrip back it will take a combination of not only exploiting vulnerabilities in the SSL protocol but also in the browser as well.
Edited October 24, 2014 by bytedeez
wirehack7 Posted November 25, 2014
"Sorry for being annoying, but do you perhaps have news about these features? Thanks in advance!"
Yeah, waiting too for this to be implemented in a proper way. Any news for us?
honolulu6969 Posted December 7, 2014
Bump. Also waiting for the release of sslstrip2 on mkv :) That would be an awesome feature
jackendra Posted February 21, 2015
I'm hoping to get some help on this. I posted on HF but got no replies... I know about HSTS, and last I checked browsers are pretty secure with it in use. I heard there was a modified or updated version of ssl-strip from a guy at Sensepost that was used for defeating HSTS. So what I want to know is, since then, has this been implemented in the most recent versions of the Wifi Pineapple? Also, whether or not it is updated on the WiPi, how useful of a tool is the WiPi if HSTS is in the way? What major sites (I'm guessing depending on your browser) are vulnerable to MITM-like attacks?
Thanks :)
Good day.
Edited February 21, 2015 by jackendra
cooper Posted February 21, 2015
The way HSTS works is that the website response includes a header that says "We're on HTTPS, and you should use that from now on when accessing this domain, no matter what the user typed in the URL". The modified ssl-strip (I think it's simply called ssl-strip-hsts) does nothing more than drop those headers on the floor before passing on the server response to the client. What this means is that if the client went to the site at some point in the past, every connection (s)he'll make to that site will be via HTTPS and unless you have a way to break that, MITM isn't going to happen, no matter what tool you use.
jackendra Posted February 21, 2015
"The way HSTS works is that the website response includes a header that says "We're on HTTPS, and you should use that from now on when accessing this domain, no matter what the user typed in the URL". The modified ssl-strip (I think it's simply called ssl-strip-hsts) does nothing more than drop those headers on the floor before passing on the server response to the client. What this means is that if the client went to the site at some point in the past, every connection (s)he'll make to that site will be via HTTPS and unless you have a way to break that, MITM isn't going to happen, no matter what tool you use."
Alright, I guess I misunderstood: https://forums.hak5.org/index.php?/topic/33770-defeating-hsts-with-updated-sslstrip/
Really then the wifi pineapple is going to die if that can't be bypassed, when more web browsers and more sites start using HSTS. (At least for MITM)
Just to confirm then, because someone else gave me this link: https://cyberarms.wordpress.com/2014/10/16/mana-tutorial-the-intelligent-rogue-wi-fi-router/
Edited February 21, 2015 by jackendra