Archived

This topic is now archived and is closed to further replies.

infektiv

SSLStrip not working

Recommended Posts

Hey guys,

SSLStrip is not working and I can't find any existing threads to troubleshoot this issue.

I've tried installing SSLStrip on the USB & internal storage and rebooting the WiFi Pineapple, but these didn't help.

I tried different settings within SSLStrip GUI - turning on Verbose, turning on Auto Refresh but still no luck.

The workstation is definitely connected to the pineapple because DNSSpoof Random Roll works.

When I navigate to facebook.com on the victim's workstation the URL still says 'https://facebook.com/?_rdr'

Version:

Wifi Pineapple Firmware version: 2.8.1

SSLStrip v2.9

Thanks in advance for any help you can provide.


Did the victim visit facebook before? If so, HSTS would make the browser default to the https URL resulting in SSLStrip being able to perform its magic.


Did the victim visit facebook before? If so, HSTS would make the browser default to the https URL resulting in SSLStrip being able to perform its magic.

Yes, the victim did visit Facebook, but I had logged off prior to SSLStrip.

Is there any way around HSTS?


Logging off doesn't matter. Because the browser saw the HSTS tag in the server response it will from that point on always default to https, probably even when the user explicitly puts "http://www.facebook.com" in the URL.

There is no way around HSTS that I know of. You're going to have to completely remove/reinstall the browser on this test machine. Either that, or simply use another browser.

Also note that you should be using ssl-strip-hsts instead of regular ssl-strip. The former also strips the HSTS header from the server response meaning that so long as you're MITM-ing this victim you're golden but once the victim accesses Facebook directly, you're screwed.

Guest

SSLStrip is 4 years old, so other people have been working on ways to improve it, such as this, which claims it can avoid HSTS.


It's worth noting that nowadays browsers like Chrome and Firefox are installed with a pre-populated list of hosts for which HSTS is on.

Forcing a browser to use https (which is what HSTS enables for a specific timespan relative to the timestamp of the last request to that host) means ssl stripping is impossible, no matter which version/variation of sslstrip you use.

You could try to MITM using an sslbump-enabled proxy but it requires the client to trust your server cert (which I think you needed to have achieved before you can MITM the user) and will probably still fail for DNSSEC certs (the ones where the URL bar in firefox doesn't contain the lock, but also an insert with the name of the company in question).


Do you guys know if sslstrip2 and dns2proxy will work?

It's worth noting that nowadays browsers like Chrome and Firefox are installed with a pre-populated list of hosts for which HSTS is on.

Forcing a browser to use https (which is what HSTS enables for a specific timespan relative to the timestamp of the last request to that host) means ssl stripping is impossible, no matter which version/variation of sslstrip you use.

You could try to MITM using an sslbump-enabled proxy but it requires the client to trust your server cert (which I think you needed to have achieved before you can MITM the user) and will probably still fail for DNSSEC certs (the ones where the URL bar in firefox doesn't contain the lock, but also an insert with the name of the company in question).


Work for what, specifically?

QFE:

[using HSTS] means ssl stripping is impossible


I'm doing some pentests on an HTTPS (443) server that DOES NOT have HSTS implemented (no HSTS headers on the response, and the address is not on the Chrome HSTS preload list).

The problem is that in my scenario the user has visited the web site before, so it has the first http (80) request response cached on the browser.

So when the user types in "targetaddress.com" the browser automatically gets the cached redirect (301 - http to https) also making the first sslstrip useless.

My workaround for this was to block 443 requests so the user, not being able to connect to the target, goes and manually clears the browser cache/history in an attempt to restore the connection. Then sslstrip will be effective, as it will now intercept/tamper with the http request (301 redirect) response.

Are there any other better ways to do this, other than blocking port 443 and without using sslstrip2/dns2proxy ?

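To make the two situations discussed above concrete (the ssl-strip-hsts variant dropping the Strict-Transport-Security header, and a 301 that the victim's browser cached on an earlier direct visit never reaching the proxy), here is a small model of an sslstrip-style rewriting proxy and of the victim's browser redirect cache. This is an added example, not code from the thread or from sslstrip itself; the hostname targetaddress.com, the server responses and the cache rule are constructed for illustration.

```python
"""sslstrip-style rewriting proxy plus the victim's browser redirect cache.

Added example, not code from the original thread or from sslstrip. The
hostname, the server responses and the cache rule are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Callable

HOST = "targetaddress.com"  # assumed name, borrowed from the post above


@dataclass
class Response:
    status: int
    headers: dict[str, str]
    body: str = ""


def origin_server(url: str) -> Response:
    """Constructed target site: port 80 answers with a cacheable 301 to
    https://, and the https page sets HSTS and links to itself over https."""
    if url.startswith("http://"):
        return Response(301, {"Location": f"https://{HOST}/",
                              "Cache-Control": "max-age=31536000"})
    return Response(200, {"Strict-Transport-Security": "max-age=31536000",
                          "Content-Type": "text/html"},
                    f'<a href="https://{HOST}/login">login</a>')


@dataclass
class StripProxy:
    """Rewrites https:// references to http:// on their way to the victim.
    stripped_urls remembers which http:// URLs the victim may ask for next so
    they are fetched from the real server over TLS. strip_hsts=True models the
    ssl-strip-hsts variant, which also drops the HSTS header."""
    strip_hsts: bool = False
    stripped_urls: set[str] = field(default_factory=set)

    def fetch(self, url: str) -> Response:
        if url.startswith("https://"):
            # Victim went to 443 on its own; with no trusted certificate the
            # proxy can neither read nor rewrite this, so it passes untouched.
            return origin_server(url)
        if url in self.stripped_urls:
            url = "https://" + url[len("http://"):]
        return self.rewrite(origin_server(url))

    def rewrite(self, resp: Response) -> Response:
        headers: dict[str, str] = {}
        for name, value in resp.headers.items():
            lname = name.lower()
            if lname == "strict-transport-security" and self.strip_hsts:
                continue  # dropped: the browser never learns the HSTS policy
            if lname == "location" and value.lower().startswith("https://"):
                value = "http://" + value[len("https://"):]
                self.stripped_urls.add(value)
            headers[name] = value
        body = re.sub(r"https://", "http://", resp.body, flags=re.IGNORECASE)
        return Response(resp.status, headers, body)


def no_proxy(url: str) -> Response:
    """Direct connection to the target with nobody in the middle."""
    return origin_server(url)


@dataclass
class Browser:
    redirect_cache: dict[str, str] = field(default_factory=dict)

    def navigate(self, url: str, fetch: Callable[[str], Response]) -> tuple[str, Response]:
        """Follow redirects and return the final URL and its response."""
        for _ in range(5):  # guard against redirect loops
            target = self.redirect_cache.get(url)
            if target is None:
                resp = fetch(url)
                if resp.status != 301 or "Location" not in resp.headers:
                    return url, resp
                target = resp.headers["Location"]
                cacheable = "no-store" not in resp.headers.get("Cache-Control", "")
                if target != url and cacheable:
                    self.redirect_cache[url] = target  # 301 now answered locally
            url = target
        return url, Response(0, {}, "redirect loop")

    def clear_cache(self) -> None:
        self.redirect_cache.clear()


def first_visit_via_proxy(strip_hsts: bool = False) -> tuple[str, Response]:
    """Never visited before: the 301 comes through the proxy and is rewritten."""
    return Browser().navigate(f"http://{HOST}/", StripProxy(strip_hsts).fetch)


def returning_visitor(clear_cache_first: bool) -> tuple[str, set[str]]:
    """Earlier direct visit cached the 301; the proxy never sees that redirect
    unless the cache is cleared first (what blocking 443 pushes the user to do)."""
    browser = Browser()
    browser.navigate(f"http://{HOST}/", no_proxy)  # earlier, direct visit
    if clear_cache_first:
        browser.clear_cache()
    proxy = StripProxy()
    final_url, _ = browser.navigate(f"http://{HOST}/", proxy.fetch)
    return final_url, set(proxy.stripped_urls)


if __name__ == "__main__":
    print(first_visit_via_proxy()[0])   # http://targetaddress.com/
    print(returning_visitor(False)[0])  # https://targetaddress.com/
    print(returning_visitor(True)[0])   # http://targetaddress.com/
```

The proxy only ever gets to rewrite what passes through it: in `returning_visitor(False)` the browser answers `http://targetaddress.com/` from its own cache, goes straight to 443, and `stripped_urls` stays empty.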

If a site has HSTS, the only way to SSL Strip a user is on the user's very first visit in that browser, as they may go to the HTTP site first.

If they have visited a site with HSTS, the browser will never go to the HTTP version.

If the site is in the preload list (https://code.google.com/p/chromium/codesearch#chromium/src/net/http/transport_security_state_static.json) the browser will never go to the HTTP version regardless. To add a site to the preload list you need HSTS headers and then to be added at https://hstspreload.appspot.com/

Given how HSTS use is growing and the preload list is also growing, SSL Strip is going to become less effective, as HSTS and preload are designed to stop this. You almost have to look at rolling out a custom browser or some other totally new class of attack. With sites like https://www.ssllabs.com/ssltest/ it is much easier for owners to validate the setup of their site.

Then to help stop rogue certs there is Host Key Pinning that pins on the public key or the CA. Google has that set up in the preload list and other sites are doing it through the headers. https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning With this, if you are trying a MitM the user won't even get a self-signed warning to click through; the browser just won't even let them in.

One attack that may work is actually going after the cipher weaknesses and decrypting the traffic. Use BEAST, POODLE, etc to attack the sites.

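The browser-side behaviour that several replies above describe (the HSTS policy surviving a logout and upgrading even a typed http:// URL, the expiry being relative to the last response, the preload list shipped with the browser, and parent-domain entries applying only with includeSubDomains) can be modelled in a few lines. This is an added example, not code from the thread or from any real browser: the hostnames, the preload entries and the one-hour policy are constructed, and PRELOAD only mimics the per-entry shape of Chromium's transport_security_state_static.json.

```python
"""Browser-side HSTS state: a dynamic store fed by Strict-Transport-Security
headers plus the static preload list shipped with the browser.

Added example, not code from the original thread or from any browser. The
hostnames, preload entries and timings are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed stand-in for the static preload list built into the browser.
PRELOAD: dict[str, dict[str, bool]] = {
    "facebook.com": {"include_subdomains": True},
    "preloaded-only.test": {"include_subdomains": False},
}


def parse_sts(header: str) -> tuple[int | None, bool]:
    """Return (max_age, includeSubDomains) from a Strict-Transport-Security
    value; max_age is None when the mandatory directive is missing or bad."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None, False
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


@dataclass
class HstsStore:
    # host -> (expiry timestamp, includeSubDomains)
    dynamic: dict[str, tuple[float, bool]] = field(default_factory=dict)

    def observe(self, host: str, headers: dict[str, str], over_tls: bool, now: float) -> bool:
        """Record the policy carried by a response. RFC 6797 section 8.1 has
        the browser ignore the header unless it arrived over an error-free TLS
        connection, so a plaintext copy relayed by a stripping proxy changes
        nothing. Returns True when the store was updated."""
        value = headers.get("Strict-Transport-Security")
        if not over_tls or value is None:
            return False
        max_age, include_sub = parse_sts(value)
        if max_age is None:
            return False
        if max_age == 0:
            self.dynamic.pop(host.lower(), None)  # site revoked its policy
        else:
            # expiry is relative to this response, so every visit pushes it out
            self.dynamic[host.lower()] = (now + max_age, include_sub)
        return True

    def is_known(self, host: str, now: float) -> bool:
        """Exact host, or a parent whose entry carries includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate, exact = ".".join(labels[i:]), i == 0
            pre = PRELOAD.get(candidate)
            if pre is not None and (exact or pre["include_subdomains"]):
                return True
            dyn = self.dynamic.get(candidate)
            if dyn is not None and dyn[0] > now and (exact or dyn[1]):
                return True
        return False

    def request_url(self, url: str, now: float) -> str:
        """URL that actually goes on the wire: http:// is upgraded whenever
        the host is known, whatever the user typed or clicked."""
        scheme, _, rest = url.partition("://")
        host = rest.split("/", 1)[0].split(":")[0]
        if scheme == "http" and self.is_known(host, now):
            return "https://" + rest
        return url


def dynamic_policy(hours_later: float) -> str:
    """One completed https visit sets a one-hour policy (constructed); a later
    http:// navigation to a subdomain is upgraded until that hour runs out."""
    store = HstsStore()
    store.observe("targetaddress.test",
                  {"Strict-Transport-Security": "max-age=3600; includeSubDomains"},
                  over_tls=True, now=0.0)
    return store.request_url("http://www.targetaddress.test/", now=hours_later * 3600)


def stripped_copy() -> str:
    """The same header arriving over plaintext (as via sslstrip) is ignored."""
    store = HstsStore()
    store.observe("targetaddress.test",
                  {"Strict-Transport-Security": "max-age=3600"},
                  over_tls=False, now=0.0)
    return store.request_url("http://targetaddress.test/", now=0.0)


def preloaded(url: str) -> str:
    """No prior visit at all: only the built-in list decides."""
    return HstsStore().request_url(url, now=0.0)
```

Note that `preloaded("http://facebook.com/?_rdr")` is upgraded with an empty dynamic store, which is the situation in the opening post: a fresh browser profile does not help against a preloaded host, only against a policy learned from a header.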

I stopped doing testing on my stuff and for my friends about a year and a half ago and as I am back to trying to get my Information Systems Security degree I am back on learning how all of this works again. My oh my how things have changed in what for most things is a short time but for this stuff is a long time.

