
After reading countless threads about SSLSTRIP not working on systems such as Safari, Firefox, and Chrome

I wanted to inquire about something that was released at Defcon Asia...

SSLSTRIP 2 and DNS2PROXY

https://github.com/LeonardoNve/sslstrip2

This is a new version of Moxie's SSLstrip with a new feature to avoid the HTTP Strict Transport Security (HSTS) protection mechanism.
This version changes HTTPS to HTTP like the original one, plus the hostname in the HTML code to avoid HSTS. Check my slides from BlackHat ASIA 2014,
OFFENSIVE: EXPLOITING DNS SERVERS CHANGES, for more information. For this to work you also need a DNS server that reverses the changes made
by the proxy; you can find it at
https://github.com/LeonardoNve/dns2proxy. Demo video at: http://www.youtube.com/watch?v=uGBjxfizy48

I am having a really hard time following the instructions for the DNS proxy; I've tried to contact the developer for clarification but no luck.
Anyone else care to chime in on how to set up dns2proxy? -> Also, is there anyone willing to take on the challenge of adding this as an infusion
to the Pineapple?

My understanding is this would allow you to compromise all browsers such as Safari, Chrome, and Firefox?
The demo video, interestingly enough, shows the proof of concept quite vividly -- I'm just trying to figure out how to do this.

I'm running a few Kali Linux machines, can someone clarify how I'm supposed to set up the DNS proxy?

To the ENTIRE Hak5 Team;
Thank you for working on a device that is truly amazing and endless with opportunity. We are only limited by our creativity when it comes to deployment with this awesome device.
I took it upon myself to invest in all the bells and whistles that came with the Mark 5.


Let's talk about build quality - FIRST CLASS!
This thing is scary - To the untrained eye you wouldn't have ANY idea what it is...
To the trained eye, the only term that comes to mind is pwned and operated.

PineAP:


... so that's what Dogma does -- and that's why Karma doesn't work as expected anymore :D -- Soooo many questions on this forum could be answered by watching this regarding Karma..

Chris Haralson
https://www.youtube.com/channel/UCK15ED34btB3NZznGIXQuwA
This guy's videos and guides are first class - aimed at people with my skill set. I really couldn't ask for anything to be clearer.
I am anxiously awaiting your future guides and videos.. (*I check back everyday*).

My office :D
And a snazzy little pic of some pineapples....


Thanks for the shout out. I haven't done much with my channel lately because I've been extremely busy working on http://ctf365.com - our online security training platform. We provide our free users with access to several vulnerable-by-design servers and web applications, such as Metasploitable and DVWA. Our paid users get access to the main arena, which has real servers hosted by real people. The idea is to attack other servers while defending your own server, and our goal is to simulate the real world internet. We also hold weekend-long CTF competitions for our paid users. The next one starts on October 17.

For now, I'm working on some new Pineapple tutorials. When I'm finished, I'll share them in the WiFi Pineapple University category.

Edited by chriswhat

Urieal,

Thank you for the positive feedback!

While we are working on the sslstripHSTS version, we are implementing dns2proxy a little differently.

Because we are already the man in the middle, and we have lots of tools on the Pineapple, we do not need to use this. Once it's done, it should run rather nicely.

Best regards,

Sebkinne


Hi Sebkinne,

While we are working on the sslstripHSTS version, we are implementing dns2proxy a little differently.

Do you already know when this new feature will be available?

Thank you for your precious work!


Hello everybody

Here is a Python script to quickly check whether a website has an HSTS header or not.
It could be very useful.

For example, LastPass uses an HSTS header with a 32-month max-age


Also you can check with Chrome :

[screenshot: http://i.imgur.com/dZGq03u.jpg]

see ya

armaal

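The script armaal refers to survives in this thread only as a screenshot, so here is an added example of the same kind of check (not armaal's code): it parses a Strict-Transport-Security value the way a browser does, grades the policy (max-age length, includeSubDomains, preload) and can optionally fetch the header live over TLS with nothing but the standard library. The sample header values in the main block are constructed, not captured from any real site.

```python
"""Check the strength of a site's Strict-Transport-Security header.

Added example for this thread; it is not armaal's script (which the thread only
shows as a screenshot). parse_hsts() and assess() work offline on a header value;
fetch_hsts_header() is the optional live lookup, built only on the standard library.
"""
import http.client
import ssl
from dataclasses import dataclass
from typing import List, Optional

SECONDS_PER_MONTH = 30 * 24 * 3600       # rough month, the unit the thread uses ("32 months")
RECOMMENDED_MIN_AGE = 365 * 24 * 3600    # one year; shorter policies lapse after a short absence


@dataclass
class HstsPolicy:
    max_age: int               # seconds the browser should remember the policy
    include_subdomains: bool   # policy also covers hosts below this one
    preload: bool              # site asserts it is eligible for browser preload lists

    @property
    def months(self) -> float:
        return self.max_age / SECONDS_PER_MONTH


def parse_hsts(value: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a header value; None means absent or malformed (browsers ignore it then)."""
    if not value:
        return None
    max_age: Optional[int] = None
    include_subdomains = preload = False
    for raw in value.split(";"):
        name, _, arg = raw.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None                   # max-age must be a non-negative integer
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as RFC 6797 requires
    if max_age is None:
        return None                           # max-age is mandatory
    return HstsPolicy(max_age, include_subdomains, preload)


def assess(policy: Optional[HstsPolicy]) -> List[str]:
    """Findings a site owner should act on; an empty list means the policy looks solid."""
    if policy is None:
        return ["no usable HSTS header: a first visit over plain HTTP can be downgraded"]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif policy.max_age < RECOMMENDED_MIN_AGE:
        findings.append(f"max-age is only {policy.max_age} s ({policy.months:.1f} months); aim for a year")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: other hostnames under the domain stay unprotected")
    if not policy.preload:
        findings.append("preload missing: nothing protects the very first connection")
    return findings


def fetch_hsts_header(host: str, port: int = 443, timeout: float = 10.0) -> Optional[str]:
    """Live lookup: HEAD / over TLS and return the raw header value, or None if not sent."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request("HEAD", "/", headers={"User-Agent": "hsts-check/1.0"})
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample values, not captured from any real site.
    samples = {
        "strong": "max-age=63072000; includeSubDomains; preload",
        "32 months": "max-age=82944000; includeSubDomains",
        "short": "max-age=86400",
        "malformed": "includeSubDomains",
        "absent": None,
    }
    for label, header in samples.items():
        print(f"{label:>10}: {assess(parse_hsts(header)) or ['ok']}")
```

To audit a real host, pass `fetch_hsts_header("www.example.org")` (placeholder name) into `parse_hsts` and `assess`; the live lookup only does a HEAD request for `/`, so a site that sets the header on other paths or only after a redirect would need the request adjusted. A header without `max-age`, or received over plain HTTP, is exactly what a browser discards, which is why the parser returns None for it.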

Another method for those of you who enjoy Metasploit can be found here:

https://www.mattandreko.com/2013/02/21/hsts-metasploit-module/

msf > use auxiliary/scanner/http/http_hsts
msf auxiliary(http_hsts) > show options
Module options (auxiliary/scanner/http/http_hsts):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        Use a proxy chain
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    443              yes       The target port
   SSL      true             yes       Negotiate SSL for outgoing connections
   THREADS  1                yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host

msf auxiliary(http_hsts) >
msf auxiliary(http_hsts) > set rhosts www.paypal.com, www.google.com, www.yahoo.com, www.wikipedia.org
rhosts => www.paypal.com, www.google.com, www.yahoo.com, www.wikipedia.org
msf auxiliary(http_hsts) >
msf auxiliary(http_hsts) > run


Hey everyone,

As I am sure most of you know, ssl-strip is basically useless on any modern browser or operating system since all have been updated to use HSTS. The guys at Sensepost were able to defeat HSTS using a modified version of ssl-strip as part of their MANA Rogue-AP system.

https://github.com/sensepost/mana/tree/master/sslstrip-hsts

Any chance of this getting implemented on the Pineapple? As of now I am barely picking up any credentials unless people are submitting via unencrypted HTTP posts.


If the client's browser is modern & goes to a preloaded HSTS site (facebook, lastpass, gmail, etc...) -> fail

So alternative tips are the following:

->Generate an EvilAP
->Host a twin facebook in the /www folder

->Remake the original HTML (twin-facebook) code to call a PHP action with a .txt or SQL
->dnsspoof *.facebook.* to 172.16.42.1 (excellent tutorial found here on hak5 : http://goo.gl/qe4jkx )
->Check your txt or SQL database

But I remember that facebook detects an abnormality & tells the client to change the password.

Edited by Armaal

If the client's browser is modern & goes to a preloaded HSTS site (facebook, lastpass, gmail, etc...) -> fail

So alternative tips are the following:

->Generate an EvilAP

->Host a twin facebook in the /www folder

->Remake the original HTML (twin-facebook) code to call a PHP action with a .txt or SQL

->dnsspoof *.facebook.* to 172.16.42.1 (excellent tutorial found here on hak5 : http://goo.gl/qe4jkx )

->Check your txt or SQL database

But I remember that facebook detects an abnormality & tells the client to change the password.

Unfortunately dnsspoof is a little bit outdated and it can't spoof a site if it's cached or it's an SSL site.

With dnsspoof+evilportal it's a little bit harder to get credentials due to SSL and previously cached sites.



The new version of SSLstrip is a kind of fork of Moxie's version, but for it to work you also need a DNS server that reverses the changes made by the proxy, which is why you can't "just" replace it in the infusion. It won't simply work.

What about the new firmware that Seb mentions, with new features against these limitations? Do you know something about that, Whistlemaster?

Edited by daniboy92


The problem with sslstrip2 is porting dns2proxy to the Pineapple, as well as sites being cached in the target's browser.

I imagine that to fully get the magic of the original sslstrip back it will take a combination of exploiting not only vulnerabilities in the SSL protocol but also in the browser as well.

Edited by bytedeez


Sorry for being annoying, but do you perhaps have news about these features? Thanks in advance!

Yeah, waiting for this to be implemented in a proper way. Any news for us?



I'm hoping to get some help on this.

I posted on HF but got no replies...

I know about HSTS, and last I checked browsers are pretty secure with it in use.
I heard there was a modified or updated version of ssl-strip from a guy at Sensepost that was used for defeating HSTS.

So what I want to know, is since then, has this been implemented in the most recent versions of the Wifi Pineapple?

Also, whether or not it is updated on the WiPi, how useful of a tool is the WiPi if HSTS is in the way? What major sites (I'm guessing depending on your browser) are vulnerable to MITM-like attacks?

Thanks :)
Good day.

Edited by jackendra

The way HSTS works is that the website response includes a header that says "We're on HTTPS, and you should use that from now on when accessing this domain, no matter what the user typed in the URL".

The modified ssl-strip (I think it's simply called ssl-strip-hsts) does nothing more than drop those headers on the floor before passing on the server response to the client.

What this means is that if the client went to the site at some point in the past, every connection (s)he'll make to that site will be via HTTPS and unless you have a way to break that, MITM isn't going to happen, no matter what tool you use.


The way HSTS works is that the website response includes a header that says "We're on HTTPS, and you should use that from now on when accessing this domain, no matter what the user typed in the URL".

The modified ssl-strip (I think it's simply called ssl-strip-hsts) does nothing more than drop those headers on the floor before passing on the server response to the client.

What this means is that if the client went to the site at some point in the past, every connection (s)he'll make to that site will be via HTTPS and unless you have a way to break that, MITM isn't going to happen, no matter what tool you use.

Alright, I guess I misunderstood:

https://forums.hak5.org/index.php?/topic/33770-defeating-hsts-with-updated-sslstrip/

Really then the WiFi Pineapple is going to die if that can't be bypassed, when more web browsers and more sites start using HSTS.

(At least for MITM)

Just to confirm then, because someone else gave me this link:

https://cyberarms.wordpress.com/2014/10/16/mana-tutorial-the-intelligent-rogue-wi-fi-router/

Edited by jackendra
