MARK V - Delorean + SSLStrip Configuration


krnl


Hello guys, I'm trying out the pineapple mark v, trying to use the delorean and sslstrip infusions to get private data, but it seems not to be working properly.

The delorean infusion is working as it should, but when the user does a request to a non-SSL URL (e.g. http://twitter.com) the request that is shown as output of the sslstrip interface is:

2016-01-06 20:26:04,822 Resolving host: mobile.twitter.com
2016-01-06 20:26:04,825 Host cached.
2016-01-06 20:26:04,831 Resolved host successfully: mobile.twitter.com -> 199.16.156.107
2016-01-06 20:26:04,834 Sending request via SSL...
2016-01-06 20:26:05,099 HTTP connection made.
2016-01-06 20:26:05,102 Sending Request: GET /
2016-01-06 20:26:05,107 Sending header: accept-language : en-US,en;q=0.8
2016-01-06 20:26:05,111 Sending header: host : mobile.twitter.com
2016-01-06 20:26:05,115 Sending header: accept : text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,image/webp
2016-01-06 20:26:05,119 Sending header: user-agent : Mozilla/5.0 (iPad; CPU OS 9_2 like Mac OS X) AppleWebKit/601.1 (KHTML, like Gecko) CriOS/47.0.2526.107 Mobile/13C75 Safari/601.1.46
2016-01-06 20:26:05,124 Sending header: connection : keep-alive
The problem is that the connection never finishes; the user's browser just keeps loading until it gets a connection timed out error.
Does someone know what the problem could be, or how to solve it?
The firmware version that I'm using is 2.4.0. The only thing that I changed from the default configuration was the addition of the following iptables rule (which is for delorean):
iptables -t nat -A PREROUTING -p udp --dport 123 -j DNAT --to-destination 172.16.42.1
# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:www redir ports 10000
DNAT udp -- anywhere anywhere udp dpt:ntp to:172.16.42.1
In any case, thank you!

Reading more about the problems involving bypassing HSTS, I decided to take another approach, which worked for me and should not be a problem to replicate. I started delorean as usual on the pineapple so I could break the certs, but to strip the SSL connection I used my notebook as a proxy as a first try (default configuration wp5.sh), so I could use sslstrip+ and dns2proxy. It worked well, but in order to achieve more flexibility and exploitation, I'm going to test a remote host with SET of metasploit and change the DNS directly in the pineapple, to try to exploit the vulnerabilities of the devices connected through the network.

Hopefully it may help other people that are starting with the pineapple as well.

Regards


No problem at all, sorry for not putting up a detailed instruction set. I didn't find a tutorial; I came up with this by reading different opinions and techniques to bypass HTTPS.

Initially I set up a shared connection with the pineapple, for which instructions can be found here: http://wiki.wifipineapple.com/#!ics.md.

The default route is set to be the wired connection, so for me it was necessary to set a default route so that the packets of my system would go through the right interface. You may use: route add default gw GATEWAY INTERFACE, e.g. the interface with internet was my wlan0, whose gateway on the network was 192.168.1.1. Then the command was: route add default gw 192.168.1.1 wlan0

Researching HSTS and how to bypass it, I found this paper: https://www.blackhat.com/docs/eu-14/materials/eu-14-Selvi-Bypassing-HTTP-Strict-Transport-Security-wp.pdf, which contains a full explanation of delorean and is good for a better understanding of the process. You can just install the infusion as usual via the pineapple's web interface, then get access to its shell (ssh) and start delorean, which is installed at /sd/infusions/delorean/.

Don't forget to insert the following rule into iptables, so delorean can intercept the NTP requests:

$ iptables -t nat -A PREROUTING -p udp --dport 123 -j DNAT --to-destination 172.16.42.1

Afterwards you need sslstrip+ and dns2proxy to handle and correct the changes that sslstrip+ makes to the hostnames.

You can use the following mirrors of the original project:

https://github.com/byt3bl33d3r/sslstrip2/archive/master.zip

https://github.com/singe/dns2proxy/

As all the packets coming from the users connected to the pineapple network are passing through your system, you can just use both.

Their use is pretty simple, but I found this tutorial that may help you:

http://jackktutorials.com/forums/showthread.php?tid=824

Btw, the documentation of sslstrip+ and dns2proxy says, and some tutorials and videos demonstrate, that they should work without the use of any other software such as delorean, but sslstrip+ seemed not to handle the requests and bypass the HSTS automatically, which is why I used delorean to enforce the timeout of the HTTPS connections.

Hope that this is helpful to you. :)

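The NTP redirection rule in the post above only matters because delorean answers the redirected NTP queries with a time far enough ahead that the browser's cached HSTS entries have already expired, which is the mechanism the Selvi paper linked above describes. The following Python example is added here for the defensive side of that picture and is not code from this thread, from delorean or from sslstrip+: it parses an NTPv4 server reply and rejects it when the claimed time is further from the local clock than a sanity threshold. The 1000-second threshold is ntpd's default panic threshold; the reply packets are constructed inline for illustration, and `build_ntp_response`, `parse_ntp_transmit_time` and `check_ntp_offset` are names chosen for this example.

```python
import struct
import time

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01)
NTP_DELTA = 2208988800
# ntpd's default panic threshold: a clock step larger than this is refused
PANIC_THRESHOLD = 1000.0


def build_ntp_response(transmit_unix: float, stratum: int = 2) -> bytes:
    """Build a minimal 48-byte NTPv4 server reply (constructed sample data).

    Only the header and the transmit timestamp are populated meaningfully;
    the reference, origin and receive timestamps are left zeroed because
    the check below does not look at them.
    """
    li_vn_mode = (0 << 6) | (4 << 3) | 4          # LI=0, version 4, mode 4 (server)
    secs = int(transmit_unix) + NTP_DELTA
    frac = int((transmit_unix - int(transmit_unix)) * (1 << 32))
    header = struct.pack("!BBBb", li_vn_mode, stratum, 6, -20)  # poll 6, precision -20
    root_delay = b"\x00" * 4
    root_dispersion = b"\x00" * 4
    reference_id = b"GPS\x00"
    reference_origin_receive = b"\x00" * 24     # three zeroed 64-bit timestamps
    transmit = struct.pack("!II", secs, frac)   # bytes 40..47 of the packet
    return (header + root_delay + root_dispersion + reference_id
            + reference_origin_receive + transmit)


def parse_ntp_transmit_time(packet: bytes) -> float:
    """Return the transmit timestamp of an NTP server reply as Unix seconds."""
    if len(packet) < 48:
        raise ValueError("NTP packet too short: %d bytes" % len(packet))
    mode = packet[0] & 0x07
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    secs, frac = struct.unpack("!II", packet[40:48])
    return secs - NTP_DELTA + frac / (1 << 32)


def check_ntp_offset(packet: bytes, now: float, threshold: float = PANIC_THRESHOLD):
    """Compare the server's claimed time with the local clock.

    Returns (offset_seconds, accepted). The reply is rejected when the
    absolute offset exceeds the threshold; a reply that tries to move the
    clock years ahead in one step therefore never gets applied.
    """
    offset = parse_ntp_transmit_time(packet) - now
    return offset, abs(offset) <= threshold


if __name__ == "__main__":
    now = time.time()
    # Constructed samples: a plausible reply and one claiming a date three years ahead
    samples = (("plausible reply", build_ntp_response(now + 0.02)),
               ("three years ahead", build_ntp_response(now + 3 * 365 * 86400)))
    for label, reply in samples:
        offset, accepted = check_ntp_offset(reply, now)
        print("%-18s offset=%+.3fs accepted=%s" % (label, offset, accepted))
```

A client or monitoring agent that applies this check behaves like ntpd without the -g option: a single reply cannot step the clock far enough to expire HSTS entries, so the redirect rule alone does not achieve anything against it. The mode check only filters out packets that are not server replies; the offset comparison is the part that matters.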
