SSLSTRIP[?] Question


Declined

Recommended Posts

If you're interested in seeing if an application is vulnerable to SSLStrip, fire up an HTTP proxy (like Burp) and check the HTTP response headers. If the response contains a Strict-Transport-Security header, then the application is not going to work with SSLStrip.

As mentioned above, most applications are now setting the HSTS header and thus this attack is not a viable one anymore.

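The header check described in the post above, worked through as an added example (it is not code from the thread or from any tool mentioned in it). It parses a Strict-Transport-Security value the way RFC 6797 lays it out (directives separated by ";", names case-insensitive, max-age required and optionally quoted) and grades the policy from a defender's viewpoint: a missing or malformed header means nothing pins the browser to HTTPS, max-age=0 clears an earlier policy, a short max-age lets the protection lapse between visits, and even a long max-age still leaves the very first visit to a host unprotected unless the site is on the browsers' preload list. The sample header sets, the one-year threshold and the function names are my own constructed assumptions; the optional live fetch uses only the standard-library http.client API.

```python
import http.client
import re

# Constructed sample response header sets (not captured from any real site).
SAMPLE_RESPONSES = {
    "protected": {
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    },
    "no_preload": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"},
    "short_lived": {"strict-transport-security": "max-age=300"},
    "cleared": {"Strict-Transport-Security": "max-age=0"},
    "missing": {"Content-Type": "text/html"},
}

ONE_YEAR = 31536000  # seconds; assumed threshold for a "long enough" max-age


def get_header(headers, name):
    """Case-insensitive lookup, because HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value):
    """Parse an HSTS header value into its directives.

    Returns None when max-age is absent or not a plain integer, which is the
    case where a conforming browser ignores the header entirely.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return None
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        # The preload directive only signals eligibility; first-visit protection
        # requires the host to actually be shipped in the browsers' preload list.
        "preload": "preload" in directives,
    }


def assess_hsts(headers):
    """Return (status, reason) describing how well the host resists an HTTPS downgrade."""
    raw = get_header(headers, "Strict-Transport-Security")
    if raw is None:
        return ("missing", "no HSTS header: a plain-HTTP request is never upgraded by the browser")
    policy = parse_hsts(raw)
    if policy is None:
        return ("invalid", f"unparseable HSTS value {raw!r}: browsers ignore it")
    if policy["max_age"] == 0:
        return ("cleared", "max-age=0 tells browsers to forget any stored HSTS policy")
    if policy["max_age"] < ONE_YEAR:
        return ("weak", f"max-age of {policy['max_age']}s lapses between visits")
    if not policy["include_subdomains"]:
        return ("ok", "long max-age, but subdomains are not covered")
    if not policy["preload"]:
        return ("ok", "long max-age, but the first visit is still trust-on-first-use")
    return ("strong", "long max-age, includeSubDomains and preload directive present")


def fetch_headers(host, path="/", timeout=10):
    """Fetch response headers over HTTPS (network required; not used by the tests).

    HSTS is only honoured when received over TLS, so checking the HTTP port
    would never show a policy the browser actually stores.
    """
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("HEAD", path)
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        status, reason = assess_hsts(headers)
        print(f"{label:>11}: {status:<8} {reason}")
```

Run the block as-is to see the verdict for each constructed header set, or call `assess_hsts(fetch_headers("example.invalid"))` against a host you operate. The grading is deliberately conservative: a site that sets HSTS but without preload is reported as "ok" rather than "strong", because a client that has never seen the header (a fresh profile, or a browser that predates the preload entry) is still exposed on its first plain-HTTP request.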

Most browsers today use HSTS so SSLstrip is pretty much useless.

If you're interested in seeing if an application is vulnerable to SSLStrip, fire up an HTTP proxy (like Burp) and check the HTTP response headers. If the response contains a Strict-Transport-Security header, then the application is not going to work with SSLStrip.

As mentioned above, most applications are now setting the HSTS header and thus this attack is not a viable one anymore.

I see, is there other methods I should be aware of that are more modern?

What infusions do you think are a must-have?


You can use something like DNS2Proxy and SSLStrip2; I've heard and seen it works to get around HSTS.


Interesting, did not know it got deleted due to a Spanish gag law. No idea what the gov thought they could achieve by doing so.

"Cause the new gag law which criminalized the publication of 'offensive' security tools/techniques I have to delete this repository. You can find good forks on MITMf framework (https://github.com/byt3bl33d3r/MITMf) or MANA rogue AP (https://github.com/sensepost/mana)."

On a side note, MITMf's dev is pretty active, and has plans for additional features (https://github.com/byt3bl33d3r/MITMf/issues) , and he also just did a presentation at Black Hat Asia. I posted a ticket to his repo to see if he was interested in porting to the MKV back in December. He seemed very interested and also by chance, had a MKV already. Some libs were missing that would need to be included, and some functionality would have to be scaled back due to being too resource intensive, but the main parts could work.

He is currently waiting for feedback from Seb/Darren, but they may very well be well along with their own version, or there may be some other problem with officially incorporating such a thing legally or commercially, or maybe limitations of the CPU/RAM to get it right, I don't know. I also posted a ticket on Seb's suggestion tracker last month, but no news yet.

I know both Darren and Seb have been traveling a bunch over the past few months, as well as working on the show, so fingers crossed we get some feedback on a new proxy one way or another. :)

Links: MITMf blog: http://sign0f4.blogspot.it/

GitHub: https://github.com/byt3bl33d3r/MITMf

MITMf ticket: https://github.com/byt3bl33d3r/MITMf/issues/31 (Closed pending feedback )

Wifi pineapple ticket: https://www.wifipineapple.com/index.php?portal&bugs&action=view&id=291

Edited by mw3demo

I can confirm that MITMf works fine against some SSL targets. When HSTS is used it depends on the browser too, but I can confirm that with an older version of Chrome an SSLStrip attack against mail.google.com accomplished its objectives.

I hope that Seb will include a working MITM proxy in the Pineapple as promised ...

