MiTM Demos and Tests - Help


sharkfh


Hello all!

I've just received a NANO from my company in order to demo MiTM to customers and how to protect against these kinds of attacks. I'm absolutely a newbie at this and was checking some possible demos/attacks. I found SSLStrip and tried to test it, however I always get the same behavior:

I click Start and I get this info from my demo client:

2021-07-23 08:31:14 UTC tcp 172.16.42.170 48644 172.217.17.16 80
2021-07-23 08:30:59 UTC ssl 172.16.42.170 39334 172.217.17.16 443 sni:storage.googleapis.com names:*.storage.googleapis.com/*.storage.googleapis.com/*.googleapis.com/commondatastorage.googleapis.com/*.commondatastorage.googleapis.com/storage.googleapis.com/storage.mtls.googleapis.com/*.appspot.com.storage.googleapis.com/*.content-storage.googleapis.com/*.content-storage-p2.googleapis.com/*.content-storage-upload.googleapis.com/*.content-storage-download.googleapis.com/*.storage-upload.googleapis.com/*.storage-download.googleapis.com sproto:TLSv1.3:TLS_AES_256_GCM_SHA384 dproto:TLSv1.3:TLS_CHACHA20_POLY1305_SHA256 origcrt:39944796DE183F4992B928389A2B957704B8881C usedcrt:ECED8067AA010B9B6CEFB71E80A621FAFBD43BC1
2021-07-23 08:30:28 UTC tcp 172.16.42.170 49666 34.104.35.123 80
2021-07-23 08:30:26 UTC tcp 172.16.42.170 39044 142.250.184.163 80

Now, if I try to browse on the device I can't, as the Pineapple WiFi is now shown as "No internet". Trying to get more info from the SSLStrip logs, it crashes and stops automatically 🙂

I assume I'm doing something wrong and I would like to ask you for tips, help, etc. I would like to reproduce an easy MiTM attack like Burp Suite (if it could be done without a certificate that would be better, however I do not know how easy it is...) or where I could use SSL stripping/interception to advise customers about these attacks and teach them how to protect against them...

Thank you very much in advance! 🙂 If needed I could show my configuration of course.

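The four lines pasted above are in the connection-log format SSLsplit prints (the engine behind the Nano's SSLStrip module). As an added example that is not code from Hak5 or from anyone in this thread, here is a small parser that reads those lines and states what each one means to a defender: plain port-80 flows are readable and modifiable by anyone on the path, and the one TLS session shows a certificate fingerprint substitution. The meaning of the `origcrt` and `usedcrt` fields (fingerprint of the server's real certificate versus the one presented to the client) is an assumption taken from SSLsplit's log format; the sample log is constructed from the post, with the long `names:` list shortened.

```python
"""Parse SSLsplit-style connection log lines (as shown in the first post) and
state what each entry means to a defender.

Added example, not code from Hak5 or the thread. Field semantics are an assumption
taken from SSLsplit's connection-log format: origcrt = fingerprint of the real
server certificate, usedcrt = fingerprint of the certificate shown to the client.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the lines from the first post, with the long names: list shortened.
SAMPLE_LOG = """\
2021-07-23 08:31:14 UTC tcp 172.16.42.170 48644 172.217.17.16 80
2021-07-23 08:30:59 UTC ssl 172.16.42.170 39334 172.217.17.16 443 sni:storage.googleapis.com names:*.storage.googleapis.com/*.googleapis.com sproto:TLSv1.3:TLS_AES_256_GCM_SHA384 dproto:TLSv1.3:TLS_CHACHA20_POLY1305_SHA256 origcrt:39944796DE183F4992B928389A2B957704B8881C usedcrt:ECED8067AA010B9B6CEFB71E80A621FAFBD43BC1
2021-07-23 08:30:28 UTC tcp 172.16.42.170 49666 34.104.35.123 80
2021-07-23 08:30:26 UTC tcp 172.16.42.170 39044 142.250.184.163 80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC) (?P<proto>\w+) "
    r"(?P<src>[\d.]+) (?P<sport>\d+) (?P<dst>[\d.]+) (?P<dport>\d+)(?P<rest>.*)$"
)


@dataclass
class Entry:
    ts: str
    proto: str                 # "tcp": passed through in clear; "ssl": TLS session split
    src: str
    sport: int
    dst: str
    dport: int
    attrs: dict = field(default_factory=dict)   # key:value tokens after the 6-tuple


def parse_line(line):
    """Return an Entry for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    attrs = {}
    for tok in m.group("rest").split():
        # Tokens look like key:value; values may themselves contain ':' (sproto/dproto).
        key, sep, value = tok.partition(":")
        if sep:
            attrs[key] = value
    return Entry(m.group("ts"), m.group("proto"), m.group("src"), int(m.group("sport")),
                 m.group("dst"), int(m.group("dport")), attrs)


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def was_intercepted(entry):
    """True when the client was handed a certificate other than the server's own."""
    orig, used = entry.attrs.get("origcrt"), entry.attrs.get("usedcrt")
    return entry.proto == "ssl" and orig is not None and used is not None and orig != used


def assess(entry):
    """One-line finding a defender would write next to the entry."""
    if entry.proto == "tcp" and entry.dport == 80:
        return "cleartext HTTP: anyone on the path can read or rewrite it"
    if was_intercepted(entry):
        return (f"TLS to {entry.attrs.get('sni', '?')} was terminated in the middle with a "
                "substitute certificate; a client that validates chains rejects it unless "
                "the interceptor's CA was installed on the device")
    if entry.proto == "ssl":
        return "TLS passed through with the origin certificate"
    return "other traffic"


def summarize(text):
    entries = parse_log(text)
    return {
        "cleartext_http": sum(1 for e in entries if e.proto == "tcp" and e.dport == 80),
        "tls_intercepted": sum(1 for e in entries if was_intercepted(e)),
        "sni": sorted({e.attrs["sni"] for e in entries if "sni" in e.attrs}),
    }


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(e.ts, e.proto, f"{e.src}:{e.sport} -> {e.dst}:{e.dport}", "|", assess(e))
    print(summarize(SAMPLE_LOG))
```

Run it on the pasted log and the summary reports three cleartext HTTP flows and one TLS session where the client was shown a substitute certificate. That single line is the whole customer demo: the client's browser only accepted the substitute because it either trusted the interceptor's CA or was told to ignore the warning, which is exactly the protection a customer should be shown to keep.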

If your customers don't have an infrastructure that is stuck in the stone age, they are already protected against attacks such as SSLStrip by using modern browsers with HSTS implemented. Instead of targeting general web-based traffic, I would probably go for assets such as production systems (or such). Such systems are more valuable to businesses and also probably less protected. It depends on the type of client of course. And, as always, make sure to have written permission to conduct this kind of work.

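The HSTS point above is the one a customer should be able to verify on their own sites. As an added example that is not from the thread or from any browser, the following script grades a `Strict-Transport-Security` header (parsed per RFC 6797 syntax) and simulates the browser-side lookup that makes a stripping proxy irrelevant: when the host, or a parent with `includeSubDomains`, is in the HSTS cache or preload list, the browser rewrites the `http://` navigation to `https://` before any request leaves the machine. The one-year `max-age` threshold is the usual preload-list requirement and is stated here as an assumption; the header values and the cache contents are constructed.

```python
"""Check whether a site's HSTS policy actually closes the SSLStrip window, and
simulate the browser-side decision that makes the attack fail.

Added example, not code from the thread or from any browser. The one-year
max-age threshold is the usual preload-list requirement, stated as an assumption.
"""
ONE_YEAR = 365 * 24 * 3600


def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797 syntax) into a policy
    dict, or return None when a browser would ignore the header."""
    if header is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()            # directive names are case-insensitive
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None                    # malformed max-age invalidates the header
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None                            # max-age is mandatory
    return policy


def evaluate(header):
    """Grade the header a site returns over HTTPS: (grade, list of findings)."""
    policy = parse_hsts(header)
    if policy is None:
        return "unprotected", ["no usable HSTS header: an http:// visit can be kept on HTTP"]
    if policy["max_age"] == 0:
        return "unprotected", ["max-age=0 tells the browser to forget the policy"]
    findings = []
    if policy["max_age"] < ONE_YEAR:
        findings.append(f"max-age {policy['max_age']}s is under one year; the policy can "
                        "lapse between visits and reopen the downgrade window")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains can still be stripped")
    if not policy["preload"]:
        findings.append("not preload-eligible: the very first visit is still unprotected")
    return ("strong" if not findings else "partial"), findings


def browser_blocks_downgrade(host, known_hosts):
    """Simulate the browser's HSTS lookup before an http:// navigation.

    known_hosts maps hostname -> policy dict (from the HSTS cache or the preload
    list). True means the browser rewrites the request to https:// locally, so a
    stripping proxy never sees a plaintext request to turn into a downgrade.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        policy = known_hosts.get(".".join(labels[i:]))
        if policy and policy["max_age"] > 0:
            # An exact match always applies; a parent's policy only with includeSubDomains.
            if i == 0 or policy["include_subdomains"]:
                return True
    return False


if __name__ == "__main__":
    for h in ["max-age=31536000; includeSubDomains; preload", "max-age=300", None]:
        print(repr(h), "->", evaluate(h))
    cache = {"example.com": parse_hsts("max-age=31536000; includeSubDomains")}  # constructed
    print("www.example.com blocked:", browser_blocks_downgrade("www.example.com", cache))
```

The simulation also shows the residual gap the grading flags: a host that is neither cached nor preloaded still sends its first request in the clear, which is why `preload` and a long `max-age` matter more than the header's mere presence.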


I find it very disappointing that a device like the Pineapple, marketed as something that can be used to perform MITM attacks, does not actually come with basic tools/modules pre-installed to perform such attacks, even if such attacks are deemed useless taking into consideration modern browser protections etc. There is a good article here on the required conditions to make an HTTP downgrade attack work and workarounds - Would Silicon Valley’s Wi-Fi Pineapple Scheme Really Work?

I even found a new version of SSLstrip on Kali Linux that is supposed to avoid the HTTP Strict Transport Security (HSTS) protection mechanism: New Sslstrip on kali

I find tools like Fern Pro Wi-Fi with a half-decent computer running Kali Linux and a wireless adapter capable of packet injection like the Panda Wireless PAU09 N600 or similar a much more practical solution than a Pineapple 😕


What success have you had with this now 7-8 year old SSLStrip+/2 variant on your Nano? Any recent statistics backing up that it is actually working in real engagements (Nano or not)? How many clients have you recently MiTM'd with FernPro/SSLStrip and Kali/Panda NIC? (Btw, finding it rather amusing that a company(?) that offers tools for MiTM doesn't use https on their own web site; I guess they are using their own product on their own web site to successfully remove https then). And, MiTM is more than just trying to obtain https traffic.


On 1/8/2022 at 5:09 AM, jack.slack said:

I find it very disappointing that a device like the Pineapple, marketed as something that can be used to perform MITM attacks, does not actually come with basic tools/modules pre-installed to perform such attacks, even if such attacks are deemed useless taking into consideration modern browser protections etc. There is a good article here on the required conditions to make an HTTP downgrade attack work and workarounds - Would Silicon Valley’s Wi-Fi Pineapple Scheme Really Work?

I even found a new version of SSLstrip on Kali Linux that is supposed to avoid the HTTP Strict Transport Security (HSTS) protection mechanism: New Sslstrip on kali

I find tools like Fern Pro Wi-Fi with a half-decent computer running Kali Linux and a wireless adapter capable of packet injection like the Panda Wireless PAU09 N600 or similar a much more practical solution than a Pineapple 😕


I must concur with pyrro; you're reading an article from 2017 and citing it in 2022. A LOT changed from 2016 to 2018 with regards to HTTPS / HSTS etc.

You will ONLY be able to break and make an SSL connection if you can install your own trusted certificate on the client device. Something a Pineapple module isn't going to do for the user, nor walk them through.


Sure, the attack won’t work against modern websites, and unless you have control over the clients to install trusted certificates, all you can get out of the intercepted traffic is the DNS lookups. So now you know which sites your target is visiting and can possibly prepare a phishing email, assuming you even need something like the Pineapple to get that information. So aside from that, what good is MITM for? What is the value of getting a Pineapple AP?
