MitM HTTPS in 2022?

[drcall2]

Hello is it possbile do sniff passwords and usernames etc using MITM on HTTPS in 2020?

Sorry newb here

Will you be able to do SSL stripp without the browser blocking the request even if the have the cookie that protects them

[drcall2]

aka the HSTS cookie

[PanicAcid]

On 1/16/2022 at 10:52 AM, drcall2 said:

Hello is it possbile do sniff passwords and usernames etc using MITM on HTTPS in 2020?

Sorry newb here

Will you be able to do SSL stripp without the browser blocking the request even if the have the cookie that protects them

Only if you can install your own certificate on the device beforehand which unless you have complete control of the device, is basically a no.

Edited January 26, 2022 by PanicAcid

[Srb321]

Hi hack5, I was bought mark7 pineapple, I am interested to try MITM attack with this device. Is there any application for mark7 with complete MITM attack?

[dark_pyrro]

What do you mean when saying "complete MITM attack"?

[Srb321]

I need more mitm module for mark7 with ssl strip, is there anyone?

[dark_pyrro]

lol, this is the most frequently asked question here and on Discord. What are you going to do with it? There's no such module available since it's obsolete (unless you are trying to red team Fred Flintstone).

[0x000001F]

That's just to filter "harmful" content. 😁

[Salacryl]

In order to not just answer "no", I want to provide why the answer is "no" and where we coming from. Although, I will not go into the details of HTTPS

• SSL Strip: this is - possible - the most famous method for Mitm-Attacks. This is just a downgrade from HTTPS to HTTP. There shouldn't be interesting Sites online, which have HTTP-only connections. SSL-Strip is just done.
• Proxy-Connections. You take the request and send it further. Everything goes through your device. What is the problem here? You need the private key to decrypt the traffic. Two ways possible: 1.) You have the server and just want to fiddle around, then you have the private, load it up in wireshark, sip your coffe and go for it. 2.) You need a new certificate where you also own the private key. Problem here: you just can't get a signed certificate for a foreign domain. So you need to install a self-signed certificate and force trust it on the target. This is what Fiddler 4 does. But of course it is highly visible to do so. You need access to the target and if you have: you don't don't mitm-attacks anymore, you just grep data before it is encrypted. 

I hope, this answer helps to spare your and our time to search into dead ends.

Greetings,
Salacryl

[Irukandji]

And this thread was last commented on ten months ago..

Please don't bump old posts.

[Simone]

 

I need module for mark7 with ssl strip, DWall, urlsnarf is there anyone help me.

[dark_pyrro]

If you want the modules and they aren't available, then you need to develop them yourself. If it was me, I wouldn't spend many minutes trying to get those work since the methods are deprecated/useless in an absolute majority of cases nowadays.

[Jays_Gone_By]

On 1/28/2023 at 6:56 AM, Salacryl said:

hope, this answer helps to spare your and our time to search into dead ends.

Greetings,
Salacryl

moments later

thank you

+Karma