Hak5 Forums
Whistle Master

[Official] SSLsplit


Dear Team, I have the following problem: WiFi Pineapple Tetra - SSLsplit

I got the module installed, and it's capturing connections and displaying them, but I can't get a single sniffed credential.

Testing Web Browser: Twitter, Facebook, Gmail, Hotmail. Tried on Safari and Google Chrome, Opera, Iexplorer, Safari, Firefox to no avail. Even if I click through all the certificate warnings and proceed to the site. Any recommendation? Apologies for the bad English


With websites using HSTS it makes sure that even if SSL is stripped that you can steal creds.

This might help: https://blog.stackpath.com/glossary/hsts/

On 12.4.2017 at 8:53 PM, zer0-labs said:

Dear Team, I have the following problem: WiFi Pineapple Tetra - SSLsplit

I got the module installed, and it's capturing connections and displaying them, but I can't get a single sniffed credential. Testing Web Browser: Twitter, Facebook, Gmail, Hotmail. Tried on Safari and Google Chrome, Opera, Iexplorer, Safari, Firefox to no avail. Even if I click through all the certificate warnings and proceed to the site. Any recommendation?

Apologies for the bad English

 

That article is about SSLstrip, not SSLsplit.
There is a working copy of sslstrip+ and dns2proxy for the Pineapples you can get, which tries to bypass HSTS.
It has a higher success rate compared to regular sslstrip. Some browsers have now implemented fixes against sslstrip+, but not everyone uses an updated version of Chrome/Firefox. ;)


Hi, I just tried this module for the first time today, and it's working fine out of the box. The only issue I've found is that it leaves your iptables rules trashed after you stop it. The original idea was fine (clear everything before setting the new rules, and clear the rules after it stops running), but that kinda falls short for leaving a working pineapple after that. To fix this I've added an iptables-save before any modification to the iptables rules, and an iptables-restore after the rules cleanup, that way (if there were no modifications between the start/stop cycle) it will leave the pineapple exactly as it was before starting the sslsplit module. Maybe the cleanup itself is not even necessary anymore if we are going to run a restore anyways, but it's working fine this way all the same.

I'm attaching the final scripts, in case you'd like to ship them as a new version of the module.

Thanks.

Regards.

/pineapple/modules/SSLsplit/scripts/autostart_sslsplit.sh

#!/bin/sh
#2015 - Whistle Master

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/sd/lib:/sd/usr/lib
export PATH=$PATH:/sd/usr/bin:/sd/usr/sbin

MYTIME=`date +%s`

killall sslsplit

echo '1' > /proc/sys/net/ipv4/ip_forward
iptables-save > /pineapple/modules/SSLsplit/rules/saved
iptables -X
iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

sh /pineapple/modules/SSLsplit/rules/iptables

iptables -t nat -A POSTROUTING -j MASQUERADE

sslsplit -D -l /pineapple/modules/SSLsplit/connections.log -L /pineapple/modules/SSLsplit/log/output_${MYTIME}.log -k /pineapple/modules/SSLsplit/cert/certificate.key -c /pineapple/modules/SSLsplit/cert/certificate.crt ssl 0.0.0.0 8443 tcp 0.0.0.0 8080

/pineapple/modules/SSLsplit/scripts/sslsplit.sh

#!/bin/sh
#2015 - Whistle Master

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/sd/lib:/sd/usr/lib
export PATH=$PATH:/sd/usr/bin:/sd/usr/sbin

MYTIME=`date +%s`

killall sslsplit

if [ "$1" = "start" ]; then

        echo '1' > /proc/sys/net/ipv4/ip_forward
        iptables-save > /pineapple/modules/SSLsplit/rules/saved
        iptables -X
        iptables -F
        iptables -t nat -F
        iptables -P INPUT ACCEPT
        iptables -P FORWARD ACCEPT
        iptables -P OUTPUT ACCEPT

        sh /pineapple/modules/SSLsplit/rules/iptables

        iptables -t nat -A POSTROUTING -j MASQUERADE

        sslsplit -D -l /pineapple/modules/SSLsplit/connections.log -L /pineapple/modules/SSLsplit/log/output_${MYTIME}.log -k /pineapple/modules/SSLsplit/cert/certificate.key -c /pineapple/modules/SSLsplit/cert/certificate.crt ssl 0.0.0.0 8443 tcp 0.0.0.0 8080

elif [ "$1" = "stop" ]; then

        rm -rf /pineapple/modules/SSLsplit/connections.log

        iptables -F
        iptables -X
        iptables -t nat -F
        iptables -t nat -X
        iptables -t mangle -F
        iptables -t mangle -X
        iptables -P INPUT ACCEPT
        iptables -P FORWARD ACCEPT
        iptables -P OUTPUT ACCEPT

        iptables-restore < /pineapple/modules/SSLsplit/rules/saved

fi

 

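A tighter take on the save/restore idea from the post above, as an added example (not the poster's scripts and not part of the module): it keeps the first snapshot when start is run twice, refuses to store a failed or empty dump, and relies on `iptables-restore` replacing each saved table instead of flushing by hand. The `SNAPSHOT` path and the `IPT_SAVE` / `IPT_RESTORE` override variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the module's code: snapshot and restore iptables state
# around a temporary rule change.
# Assumptions: the SNAPSHOT path and the IPT_SAVE / IPT_RESTORE overrides.
# A path under /tmp is used so that, where /tmp is a tmpfs, a stale snapshot
# does not survive a reboot.

SNAPSHOT="${SNAPSHOT:-/tmp/iptables.snapshot}"
IPT_SAVE="${IPT_SAVE:-iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"

# Save the current ruleset once. An existing snapshot means an earlier start
# was never undone (double start, or a crash before stop), so it already
# holds the pristine rules and must not be overwritten with the modified ones.
fw_snapshot() {
    if [ -s "$SNAPSHOT" ]; then
        echo "snapshot already present, keeping $SNAPSHOT" >&2
        return 0
    fi
    tmp="$SNAPSHOT.$$"
    # Write to a temp file first so a failed or empty dump never becomes
    # the file that is later fed to iptables-restore.
    if $IPT_SAVE > "$tmp" && [ -s "$tmp" ]; then
        mv "$tmp" "$SNAPSHOT"
    else
        rm -f "$tmp"
        echo "could not save ruleset; leave the firewall untouched" >&2
        return 1
    fi
}

# Put the saved ruleset back. Without --noflush, iptables-restore replaces
# the contents of every table listed in the file, so no manual -F/-X pass is
# needed for those tables. The snapshot is removed only after a clean restore.
fw_restore() {
    if [ ! -s "$SNAPSHOT" ]; then
        echo "no snapshot at $SNAPSHOT; rules left as they are" >&2
        return 1
    fi
    if $IPT_RESTORE < "$SNAPSHOT"; then
        rm -f "$SNAPSHOT"
    else
        echo "restore failed; snapshot kept for a retry" >&2
        return 1
    fi
}

# Usage: script.sh snapshot   (before changing any rules)
#        script.sh restore    (once the temporary rules are no longer needed)
case "${1:-}" in
    snapshot) fw_snapshot ;;
    restore)  fw_restore ;;
esac
```

Only tables that appear in the snapshot are replaced on restore; a table first touched after the snapshot was taken (mangle, for instance) still needs its own flush.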

When I turn off SSLsplit, the internet for both my computers (one connected to the management AP and the other to the rogue AP) seems to shut off.  Seemingly the only way to restore internet is to reboot the Pineapple.  Also, when SSLsplit is on, the computer connected to the management AP also registers HSTS errors in addition to the "victim" computer.

Are these actions normal, and if so, how do I fix it?

 

Thank you for your time,

-iHaveBlueHair


SSLsplit apparently gums up the iptables and doesn't restore after turning off.  Check out 

 


Hello all, 

I have been at this for a good 8-10 hours now, where I have read forum after forum, watched video after video and read troubleshooting to the point my eyes are about to bleed. The main issue is that since I have had the Pineapple Nano (a little over a year now) my SSLsplit has yet to work properly even once. I have tried to use this module time and time again, and though it is set to autostart, well, nothing happens. Then when I turn the autostart off and hit start, the button goes red and says running, but down below in the output log it either says that it is not in fact running or, even worse, sometimes says that it is not even installed! I mean, as far as I can begin to know, this is sort of the meat and potatoes of the Pineapple, thus only being a small piece of what can be used, but a crucial one especially when learning about pen testing.

I have tried installing through ssh, spent hours on that, but I end up with one single annoying message every time: "sslsplit: can't load library 'libevent_openssl-2.0.so.5'". There is absolutely no hope of running it from the command line, so I have reached the point where I just need to flat out ask for help. I have read on some other threads where some people are having a similar issue, however I just don't understand this at all!

Am I wrong to assume that this is a downloadable module or infusion for the Pineapple GUI and that once downloaded to internal storage (from what I have read) and then installed the dependencies that it is supposed to work without further intervention? I assume that when I ssh into the Pineapple is the way to fine-tune things, but shouldn't this just flat out be working? Or is there some kind of invisible step that I am missing here? I don't mind using the command line to work this out, however I am not a superstar and I am a Windows user; I use the Bitvise ssh client to ssh in and go from there, but again I am not a command line guru. Is there anyone who can help me? I have factory reset this thing a bunch of times, though I would rather not, but have done so as I am hoping that something will change. I guess that after a year of playing with this thing I should without doubt have had the success of being able to get the sslsplit infusion to work so I could see what everyone is always talking about when they've successfully had several connected clients to work with. Please help, there is so much to read and I end up with 40 open tabs trying to figure out what's going on, but ultimately forget where I even began.

The picture below shows how sslsplit says that it is running but it is clearly not. I do believe that this is the least of the issues at hand.

 

-Thanks

sslsplit.PNG

7 hours ago, redm0squit0 said:

Is there anyone who can help me?

I use sslsplit over terminal and it works reasonably OK within its limitations (it's an older tool now, approx 2 years since active development). Maybe the module itself needs an update. If you ssh in to your Pineapple you can run things from there.

Here is a guide (there are many online) to help walk you through the process: https://blog.heckel.xyz/2013/08/04/use-sslsplit-to-transparently-sniff-tls-ssl-connections/

From your error message you may also need to install libevent2-openssl from opkg; you can check its existence in /usr/lib/

Be warned most modern sites and browsers defend against this form of MITM now (this is not the fault of the module maker or the sslsplit tool itself) but there are still occasional uses where this can be useful. Test in your lab before deploying as it will most likely alert targets to skulduggery :)

BUT if you were able to combine this with a bashbunny or rubber ducky HID attack that was to somehow import your pineapple certificate into the target's browser trusted certs then you might get further than without it.


These attacks don't work anymore... big companies are securing their products.


With that being said, does that mean that the WiFi Pineapple module doesn't work or that big companies are just securing their product? I don't necessarily see how that would have any effect on whether or not the module decides to start. For example, if I use this in a place where there is a high variable of receiving clients using karma, I will see traffic blink for a freak second at the bottom of the screen, and then nothing. Not even a log! Also, regardless of the way websites use technology to deter this type of attack nowadays, in my view, this thing should still turn on and not just be a pretty looking picture for me to look at and get frustrated with. I would rather it at least turn on and say something like, "no traffic available", so at least I knew it wasn't a malfunction. Using this thing is definitely not as easy as it appears. It definitely is not download and off to the races. There is a hell of a lot of knowledge and skill involved in getting any one of these modules to successfully work. It still doesn't appear that anyone can offer any actual way to get this thing to give me some results!

3 hours ago, redm0squit0 said:

does that mean that the wifi pineapple module doesn't work or that big companies are just securing their product?

The 3rd party GUI module has issues, and big companies are securing their products. The pineapple works and the SSLsplit program works within its limitations from the terminal.

3rd party being the operative words; these are modules made by community members for free and are not made by Hak5 directly. When released they worked well and since then have had Pineapple firmware updates that cause some issues with their operation. Either the original developer is busy, or they see no real benefit in updating an older module that can be used by terminal that has relatively no effect against major companies' sites and modern browsers.

If you really need to try SSLsplit switch to terminal, if you don't then maybe move onto another module to test/learn with.


If an exploit is released to the public, anyone can create a user-friendly module, but most vendors will have patched the exploit.

The lifespan of the exploit is limited. Nowadays this lifespan is even shorter.

There will always be outdated hardware/software. I still see Samsung S3s walking around.

It is always recommended you learn to use the console apps/tools. Boot up Kali and start exploring tutorials for tools that interest you.

On 10/9/2017 at 2:33 AM, Just_a_User said:

The 3rd party GUI module has issues, and big companies are securing their products. The pineapple works and the SSLsplit program works within its limitations from the terminal.

3rd party being the operative words; these are modules made by community members for free and are not made by Hak5 directly. When released they worked well and since then have had Pineapple firmware updates that cause some issues with their operation. Either the original developer is busy, or they see no real benefit in updating an older module that can be used by terminal that has relatively no effect against major companies' sites and modern browsers.

If you really need to try SSLsplit switch to terminal, if you don't then maybe move onto another module to test/learn with.

I cannot begin to explain how much time I have spent working with the terminal. In fact I prefer it. The problem is of course the error message I mentioned above: "sslsplit: can't load library 'libevent_openssl-2.0.so.5'". This happens if I install from module or if I install from the command line. Just frustrated, but keep trying... hoping one day something will click or I might happen to see some ray of light, as dumb as that sounds.

1 minute ago, redm0squit0 said:

I cannot begin to explain how much time I have spent working with the terminal. In fact I prefer it. The problem is of course the error message I mentioned above: "sslsplit: can't load library 'libevent_openssl-2.0.so.5'". This happens if I install from module or if I install from the command line. Just frustrated, but keep trying... hoping one day something will click or I might happen to see some ray of light, as dumb as that sounds.

Did you check the lib file?

"From your error message you may also need to install libevent2-openssl from opkg, you can check its existence in /usr/lib/ "

19 hours ago, i8igmac said:

If an exploit is released to the public, anyone can create a user-friendly module, but most vendors will have patched the exploit.

The lifespan of the exploit is limited. Nowadays this lifespan is even shorter.

There will always be outdated hardware/software. I still see Samsung S3s walking around.

It is always recommended you learn to use the console apps/tools. Boot up Kali and start exploring tutorials for tools that interest you.

I enjoy using Kali, and its endless tools. I have one machine that I have Kali installed on and 2 others running Windows. I've always been a Windows user but using Linux is much more interesting. I just really like the idea of being able to have a portable device which is small enough to fit in my pocket, which is essentially a tiny Linux box as it is, and be able to get lost in my own world trying different things out. It might sound elementary but I am playing around and learning at the same time. With that being said, I know that I have much more knowledge now than I did just a year ago.

5 minutes ago, Just_a_User said:

"From your error message you may also need to install libevent2-openssl from opkg, you can check its existence in /usr/lib/ "

I have been to many different sites where others seem to have a similar issue. In fact something I read had exactly the same thought as you did and mentioned several libevent files that needed to be downloaded. The article pointed to openwrt.org (I believe), and there were all 5 libevent files in a list of about 10,000 other files. I downloaded them to the Pineapple and opkg'd them from there. Everything seemed to work nicely from what I can remember until I tried running the actual sslsplit. It was at that point that I received the error message. I have successfully got wifite to run from the command line on the Pineapple, it works great, but I think sslsplit has given up the ghost, at least for me, for now.

10 minutes ago, redm0squit0 said:

it works great, but I think sslsplit has given up the ghost, at least for me, for now.

I think that the reason it worked for me and not you is possibly tied to the fact I have installed the mana toolkit. It uses sslsplit as part of its attack and includes things like a newer libpcap version. Worth a look.

 


I installed the SSLsplit Pineapple module, however I am still getting an SSL warning on the "victim" laptop after installing the CA certificate on it (the one located at /pineapple/modules/SSLsplit/cert). The SSL error appears to be caused by a known issue with SSLsplit issuing SSL certificates with SHA1 hashing (instead of SHA256) according to the SSLstrip GitHub page. This was resolved in version 0.5.0, however the Pineapple NANO has version 0.4.11 installed.

Has anyone successfully been able to upgrade their version of SSLstrip on the Pineapple NANO or find some other workaround for the internal CA to issue SSL certificates with SHA256 hashing instead? There was a mention of upgrading the Pineapple earlier in this thread, but that was over a year ago and I could not find any updates.

On 10/10/2017 at 9:11 AM, redm0squit0 said:

[...] The problem is of course the error message I mentioned above: "sslsplit: can't load library 'libevent_openssl-2.0.so.5'". This happens if I install from module or if I install from the command line. Just frustrated, but keep trying... hoping one day something will click or I might happen to see some ray of light, as dumb as that sounds. [...]

The issue is not with the module itself but with SSLsplit dependencies when installed on USB. I'll have a look but in the meantime, this could help:

 


Google Chrome tells me that the network connection isn't private whenever I try to visit a website.

Is it just me or does this module need a fix? Please help.

6 hours ago, Jasper said:

Google Chrome tells me that the network connection isn't private whenever I try to visit a website.

Is it just me or does this module need a fix? Please help.

Hi Jasper,

The module does do what it was designed to do, however there are a couple of issues which would explain why you are seeing the SSL errors:

  • The target system does not trust this tool's Certificate Authority - This tool basically acts as a proxy/Certificate Authority (CA) and replaces the SSL certificate received from the original web server with another one created by itself. If you do not install the tool's own CA certificate into the target machine, you will receive an SSL warning referencing an invalid Certificate Authority. The "victim" may or may not be able to click through this warning, especially if the site implements HSTS (i.e. Google, Facebook).
  • The version of the SSLSPLIT tool used on the Pineapple issues SSL certificates with SHA1 hashing - Internet browsers have not accepted SSL certificates with SHA1 hashing for some time now. You will still see this SSL error no matter what on the Pineapple, but in most cases it can be clicked through by the user. I have tried looking on the internet for the pre-compiled version of SSLSPLIT 0.5.0 (supports SHA256 hashing) which would be compatible with the Pineapple, but could not find it. Perhaps I didn't look hard enough, and I'm definitely too busy to learn how to compile/port this to OpenWRT/Pineapple myself (source code available on GitHub)... and also pray that there is no dependency hell.

Of course I'm no expert, so please someone correct me if I'm wrong with any of this. What I ended up doing was sending the traffic from the Pineapple to my laptop (Kali Linux), and running SSLSPLIT from Kali instead. The CA cert is installed on all the target machines, and I have no SSL errors now.

It still kinda blows that the decrypted traffic from SSLSPLIT gets dumped into log files which are difficult to comb through manually, and I have yet to find any good parsing tools or a more welcoming GUI front end. In my opinion it is better to use Burp Suite and install the Burp Suite CA cert into the target machine(s)... It is much easier to manipulate and/or find the data that you are looking for without having to write scripts, or dig through log files yourself.
