czepeda Posted December 14, 2014 Share Posted December 14, 2014 Hey guys, Just got my Mark V and I definitely have watched a ton of tutorials. My question is does the SSL strip feature even work? When I connect a client to the Pineapple AP on Chrome and Mozilla it don't budge every connection stays htttps:\\ On Internet Explorer some connections do change to http:\\ but Facebook won't even load and some connections take decades to load? If you guys can help me out, because in all the youtube tutorials it seems that even mozilla loads so seemless. Or is it that chrome, mozilla fight against SSL strip attacks. I was looking so forward to getting it, but if this is the case it really sucks. Thanks for the responses!!! Quote Link to comment Share on other sites More sharing options...
THCMinister Posted December 14, 2014 Share Posted December 14, 2014 Search the forums for HSTS and the other sslstrip posts, they pretty much cover it. Quote Link to comment Share on other sites More sharing options...
czepeda Posted December 14, 2014 Author Share Posted December 14, 2014 Do you have any specific posts you personally recommend? Quote Link to comment Share on other sites More sharing options...
Smart-Aswood Posted December 14, 2014 Share Posted December 14, 2014 Most websites have changed their implementation of SSL. sslstrip no longer works on them. And they changed that implementation in a way that there's no simple fixes for sslstrip to make it work. Good for them. That was something sslstrip did well - it forced sites like Twitter and Facebook and Amazon and eBay, as well as banking sites to fix their security. There are obviously people working on breaking SSL again. About the time they break it and the sites fix it again, us non-professionals will get access to whatever replaces sslstrip. By the time we get it, it won't work either. There's things they can't fix, which is why things like the Rubber Ducky scare the crap out of them. Quote Link to comment Share on other sites More sharing options...
czepeda Posted December 14, 2014 Author Share Posted December 14, 2014 Makes complete sense and that it what I figured. I usually run Cain and Able and have been extremely successful with for emails and people running IE, so I'll stick with that. What are the basic attacks or things you recommend I start at for the Pineapple? It is just so overwhelming how much stuff it has, I just need some guidance on where to start and what I can be successful doing. Thanks Quote Link to comment Share on other sites More sharing options...
Smart-Aswood Posted December 15, 2014 Share Posted December 15, 2014 Well, Karma still works on a lot of devices, and PineAP seems like it's pulling in connections. evilportal - nodogsplash with dnsspoof can yield the same results as sslstrip and that's something they can never *fix* because 90-something percent of people believe something that looks like Facebook IS Facebook. Same with any other login page. For pen testing, security audits it doesn't matter how you penetrate as long as you do. (that's besides it being fun) Takes some practice and a little coding to use those methods, but once you've built your evil versions of those website front ends and the scripts to utilize them, you're going to pull in credentials often enough to make it worth the trouble. Takes some practice, but learning stuff is what hacking is supposed to be about. All this is, of course, just my opinion. Look for stuff they can't secure. Like human nature. Quote Link to comment Share on other sites More sharing options...
Smart-Aswood Posted December 15, 2014 Share Posted December 15, 2014 Also, if you don't want to go through the trouble of Karma and PineAP, a honey pot AP still works and always will. All that takes is a good name. I've used "Free Fast and Private WiFi" and that brings in more connections than Karma and PineAP. People just don't use their noggins. "McDonald's #2" and "Starbucks Open" are a bit of a risk. Unnecessary too. "Free WiFi" works, and you aren't using anyone else's name. Quote Link to comment Share on other sites More sharing options...
Smart-Aswood Posted December 15, 2014 Share Posted December 15, 2014 Search engines are a good spoof too. Just remember that there will be stuff you can't unsee. Quote Link to comment Share on other sites More sharing options...
czepeda Posted December 15, 2014 Author Share Posted December 15, 2014 Ok dope. Thanks a million I have been working on my Phising sites and so far they load up great. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.