Jump to content
Hak5 Forums
Whistle Master

[Official] SSLsplit

Recommended Posts

Module: SSLsplit

Version: 1.0

Features:

  • Install dependencies
  • Generate certificate
  • Manage firewall rules
  • Live output with filter options
  • Run History
  • Autostart on boot

iawadchkcnirdqh4g.jpg

Edited by Whistle Master
  • Upvote 1

Share this post


Link to post
Share on other sites

I have tryed with multiple modules and have reset the NANO a couple times and formatted my sdcard.

I can download from the module manager to sdcard but when I try to install the dependency file it will sit at installing for a couple of mins and then go back to "not installed". I have done a reboot after this and still not installed. I have experienced this with SSLsplit, Randomroll, nmap. That is all i have tryed right now.

im running 1.0.5 with Sebs updates installed first.

Update: I just reset the Nano again and installed every module and there dependencies. The only one that failed this time was SSLsplit. Seems to be a hit and miss. Ive had other modules not install dependencies and after a couple resets they will work but others wont.

Has anybody else experienced this?

Edited by b0N3z

Share this post


Link to post
Share on other sites

I have tryed with multiple modules and have reset the NANO a couple times and formatted my sdcard.

I can download from the module manager to sdcard but when I try to install the dependency file it will sit at installing for a couple of mins and then go back to "not installed". I have done a reboot after this and still not installed. I have experienced this with SSLsplit, Randomroll, nmap, and get. That is all i have tryed right now.

im running 1.0.5 with Sebs updates installed first.

Same here, but with SSLsplit

I feel that every time a new module comes out, the repository breaks somehow.

Share this post


Link to post
Share on other sites

Try installing to internal memory. If I remember right, some of the dependencies don't like the sd card install.

Share this post


Link to post
Share on other sites

thanks for the clarification Seb,

Can you or Whistle Master please post in this thread when the fix is ready, as I would rather wait for a working version than go through install and await a new patch or fixed version.

:-)

Share this post


Link to post
Share on other sites

Hi, i am having issues seeing any traffic with SSLStrip. I installed it without any issues but after i turn it on and i connect with my device (iPad) the the PineAP and start surfing, i don't see any traffic.

It just says "No connections log..." all the time. I am starting it with the default settings.

Any idea what the problem could be? I can't configure the interface for SSLStrip to use. Is it using eth0?

Share this post


Link to post
Share on other sites

I have installed SSLstrip on the SD Card. It starts properly, and also seems to collect some data in the log. But I have never been able to see the data afterwards in one of the History logs. Whenever I try to View or Download it, it is always EMPTY. Is there something I have missed?

I seem to have the same problem with tcpdump.

Even though these Modules seem to be easy to use, I would like to see some detailed manuals for them.

Can they be found somewhere?

Edited by skib

Share this post


Link to post
Share on other sites

SSLstrip is not automatically starting though "Start on boot" = ON. Any thoughts on how to debug this? TIA

Share this post


Link to post
Share on other sites

I'll have a look at it. Could you please post here the result of the following command:

cat /etc/rc.local

PS: By the way, it's sslsplit, not sslstrip ;)

Edited by Whistle Master

Share this post


Link to post
Share on other sites

Wishlist for SSLsplit:

After having played with this Module for a few hours, I have a wishlist. Maybe someone can help?

1. Have it starting on Boot.

2. Understand what the purpose of the History "View" Button is meant for. Or have it fixed it if it is a bug.

(It never seems to work or do anything).

(The "Download" Button works however, and transfers the History file to my Android, where I can study it using a Text Viewer app.)

(The "Delete" Button also works.)

3. Get a better understanding on how this Module works.

(E.g. it sometimes stops by itself. Why? Is it because the current History File is "full"?)

4. Get a better understanding of the data/text that is collected in the History File.

5. Get better names on the History files, which better reflect the Dates shown on the WiFi Pineapple SSLsplit Module page.

6. Understand how to use the "Log Filter"/"Piped Comm".

7. Understand how to Clear the Log (if possible?).

There are a few descriptions of this "Modul"e on Internet, but none related to the WiFi Pineapple (as far as I have seen.).

Skib

Share this post


Link to post
Share on other sites

1. To have it start on boot, you just have to click on the "ON/OFF" button and then the state of the button is green, which means that sslsplit will be started on boot.

2. The view button will show you the content of the log, what have been captured, etc. Working fine on my side by the way.

3. SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted network connections. Connections are transparently intercepted through a network address translation engine and redirected to SSLsplit. SSLsplit terminates SSL/TLS and initiates a new SSL/TLS connection to the original destination address, while logging all data transmitted. SSLsplit is intended to be useful for network forensics and penetration testing.

4. Well, the history files show what was captured (output) when sslsplit was running.

5. The log files names are the date when sslsplit was run. I'm not sure giving "better" names would help in this matter...

6. As in command lines, you can pipe command to filter the output. (e.g. grep "password" | grep "example.com" | awk '{ print $2}') <- Just an example.

7. For the moment, the output log cannot be cleared.

  • Upvote 1

Share this post


Link to post
Share on other sites

WM, maybe this is a stupid question, but is an active internet connection required for this to "work", or does the SSL data still get pushed through? I guess this is more about how SSL/TLS works? In other words, a two-way exchange required for the log to be filled with any connections or data?

I'm wondering because I tested this out without having internet sharing enabled and it never showed any connections despite running a few SSL-based requests through it.

Thanks for keeping this alive with all your modules, great work all around :)

Edited by purrball

Share this post


Link to post
Share on other sites

Thank you, Whistle Master.

But (once again),

1. The "Start on boot" function does not work on my PA. I have seen another user saying the same. And I have the latest version of everything.

2. The view button does not work on my PA. It has never shown anything. Could it be that the file is too large?

3. Thank you for your explanation. Why does SSLsplit sometimes stop on its own?

4. Thank you for your explanation. Now I understand that it is the data transmitted.

5. When I download a History file for Date (on SSLsplit History) 2016-04-07 13-41-47, a file named output_1460036506.log is downloaded. So what is the correspondence between the file name and the SSLsplit History date?

6. Thank you for your explanation. Seems quite useful.

7. I hope a "Clear Log" function will be available soon.

BTW; I am also eagerly waiting for the SSLstrip to be available as a Module.

Thanks again. Hope you will follow up.

Best, skib

Edited by skib

Share this post


Link to post
Share on other sites

5. When I download a History file for Date (on SSLsplit History) 2016-04-07 13-41-47, a file named output_1460036506.log is downloaded. So what is the correspondence between the file name and the SSLsplit History date?

Unix timestamp / epoch time. If you google it, you can find a conversion to readable time in the format youre familiar with.

Example from unixtimestamp.com:

1460036506

Is equivalent to:

04/07/2016 @ 1:41pm (UTC)

2016-04-07T13:41:46+00:00 in ISO 8601

Thu, 07 Apr 2016 13:41:46 +0000 in RFC 822, 1036, 1123, 2822

Thursday, 07-Apr-16 13:41:46 UTC in RFC 2822

2016-04-07T13:41:46+00:00 in RFC 3339

Edited by purrball

Share this post


Link to post
Share on other sites
1. The "Start on boot" function does not work on my PA. I have seen another user saying the same. And I have the latest version of everything.

Could you please post here the result of the following command:

cat /etc/rc.local
2. The view button does not work on my PA. It has never shown anything. Could it be that the file is too large?

Indeed. If the file is too large, then the webserver times out and nothing is display. Can't do much about that unfortunately.

3. Thank you for your explanation. Why does SSLsplit sometimes stop on its own?

Should not stop. Maybe an SSLsplit issue.

Edited by Whistle Master

Share this post


Link to post
Share on other sites

i've been having it stop as well, in under 5 hours of low use, just quits. is there anything in the logs that we can look for to indicate what could be causing it? i've also noticed that when this happens pine ap will show the client with no ip and no hostname, it seems to be causing a larger system crash - or the larger system crash is causing this? need to figure out how to track it down!

Edited by purrball

Share this post


Link to post
Share on other sites

Is there certain browser this works better with than others? I got the module installed, and it's capturing connections and displaying them, but I can't get a single sniffed credential. Facebook, Gmail, Hotmail. Tried on safari and chrome with no avail. Even if I click through all the certificate warnings and proceed to the site. Safari won't even let me access https sties regardless.

Share this post


Link to post
Share on other sites

I'm having trouble capturing credentials as well. It does work to an extent but stops after a few minutes. Probably just needs to be tweaked.

Share this post


Link to post
Share on other sites

Noticed some odd behavior with the logging when using WiFi Client Mode, if you view it sometimes there will be traffic from an IP that is not connected to pineAP, typically it's *.*.*.111 and I am trying to figure out what / why this might happen. None of the IP's in Networking tab are anything even close. Anybody got ideas?

Share this post


Link to post
Share on other sites

And I figured out what was causing the above problem - though I cant fix it.

When controlling the NANO through the Management interface it starts trying to process the data coming through it. Dont know if that's causing any problems using the module, but it's definitely grabbing stuff that isn't necessary. Might even be causing crashing?

Is there any way we could have an interface selection option or possibly force it to only pull info from the AP / bridged interface and not the management AP?

I was only able to find this because of the Connected Client module, when I noticed that management AP was going through wlan0-1 and that's where the IP was - but it never shows in the default devices section (for obvious reasons I guess)

Edited by purrball

Share this post


Link to post
Share on other sites

Unfortunately, you can't specifiy the interface used by SSLsplit BUT you can use some NAT rules to redirect the traffic where you want.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


  • Recently Browsing   0 members

    No registered users viewing this page.

×