Wifi Pineapple vs HSTS

[THCMinister]

There are more uses of the Wi-Fi pineapple than stripping secure traffic...

[ZaraByte]

The only thing i know of and i don't believe it works on the pineapple but their is a script called sslstrip2 and you need dns2proxy that is supposed to be the new way to defeat HSTS

[DataHead]

while I don't know the feature set of the project, Seb has mentioned a few times about the MITM proxy he's been working on for the pineapple. So lets see what's in store with that feature wise before we start canceling out ability to strip secure traffic :-)

[cheeto]

correct me if im wrong, but even if there happens to be a fix for HSTS, won't we need to also erase the victim's history or cache?

[jackendra]

correct me if im wrong, but even if there happens to be a fix for HSTS, won't we need to also erase the victim's history or cache?

I thought about that after I read what the first poster said.

You would think so because thats how HSTS works, but maybe not.

[ZaraByte]

People use the Mark V for other things decides stripping SSL like i said if you wanna strip ssl you can still strip ssl on users who are connected to the pineapple anyone connected the the pineapple for that matter can strip ssl using ssl strip2 and dns2proxy

[fringes]

@THCMinister and @ZaraByte, I've seen several posts today that made me want to reply that the pinapple isn't just a one-trick-pony. Thanks!

[DataHead]

People use the Mark V for other things decides stripping SSL like i said if you wanna strip ssl you can still strip ssl on users who are connected to the pineapple anyone connected the the pineapple for that matter can strip ssl using ssl strip2 and dns2proxy

Well, can also sslstrip with the pineapple connected to a different ap, and the clients connected to the external ap.

Thanks to ettercaps arp poisoning and sslstrip :-)

[THCMinister]

I mainly use mine to allow my coffee pot to have connectivity to my network.

[ZaraByte]

I use mine for a few things using it right now to collect SSID's from phones and devices in cars that pass by the house to look the SSID up online for other things i won't mention :3

[bytedeez]

The key to breaking the HSTS cycle is to force the client device to delete all web cache and browsing history and maybe cookies.

My brilliant idea is to construct a captive portal that works in 1 of 3 ways.

1. Once "login" is clicked it clears all the cache in the background before proceeding.

2. Checks to see if the cache is cleared and if its not instructs the user to clear cache before allowing access.

3. Gives a Security warning to user advising the user to clear all cache.

I'm not a dev of any kind so not sure if ways 1 and 2 are possible with the current features of the pineapple.

The 3rd is the easiest option but at the same time its a hit or miss.... and more times a miss because its

an optional extra step the user will have to take and since its optional most will opt out.

[johnsteiner]

To be honest python on the mk5 is a pain in the a** ;-) So to get dns2proxy and sslstrip+ (or as they call it now sslstrip2) running i think the pineapple supergods have to jump in....;-)

[Armbar2]

No, there are a few other things on my list that take priority.

Won't take too long though :)

Best regards,

Sebkinne

Six months on, is this any closer to implementation as an infusion?

[Blacksquid66]

There are more uses of the Wi-Fi pineapple than stripping secure traffic...

Can you tell me a couple. I just recently bought a wifi pineapple and I don't many infusions to use besides ssl strip.

[jeble]

Any updates on the sslstrip2 Infusion for the Pineapple?