drcall2 Posted January 16, 2022 Share Posted January 16, 2022 Hello is it possbile do sniff passwords and usernames etc using MITM on HTTPS in 2020? Sorry newb here Will you be able to do SSL stripp without the browser blocking the request even if the have the cookie that protects them Quote Link to comment Share on other sites More sharing options...
drcall2 Posted January 16, 2022 Author Share Posted January 16, 2022 aka the HSTS cookie Quote Link to comment Share on other sites More sharing options...
Solution PanicAcid Posted January 26, 2022 Solution Share Posted January 26, 2022 (edited) On 1/16/2022 at 10:52 AM, drcall2 said: Hello is it possbile do sniff passwords and usernames etc using MITM on HTTPS in 2020? Sorry newb here Will you be able to do SSL stripp without the browser blocking the request even if the have the cookie that protects them Only if you can install your own certificate on the device beforehand which unless you have complete control of the device, is basically a no. Edited January 26, 2022 by PanicAcid 1 Quote Link to comment Share on other sites More sharing options...
Srb321 Posted February 28, 2022 Share Posted February 28, 2022 Hi hack5, I was bought mark7 pineapple, I am interested to try MITM attack with this device. Is there any application for mark7 with complete MITM attack? Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted February 28, 2022 Share Posted February 28, 2022 What do you mean when saying "complete MITM attack"? Quote Link to comment Share on other sites More sharing options...
Srb321 Posted February 28, 2022 Share Posted February 28, 2022 I need more mitm module for mark7 with ssl strip, is there anyone? Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted February 28, 2022 Share Posted February 28, 2022 lol, this is the most frequently asked question here and on Discord. What are you going to do with it? There's no such module available since it's obsolete (unless you are trying to red team Fred Flintstone). 2 1 Quote Link to comment Share on other sites More sharing options...
0x000001F Posted January 28 Share Posted January 28 That's just to filter "harmful" content. 😁 Quote Link to comment Share on other sites More sharing options...
Salacryl Posted January 28 Share Posted January 28 In order to not just answer "no", I want to provide why the answer is "no" and where we coming from. Although, I will not go into the details of HTTPS SSL Strip: this is - possible - the most famous method for Mitm-Attacks. This is just a downgrade from HTTPS to HTTP. There shouldn't be interesting Sites online, which have HTTP-only connections. SSL-Strip is just done. Proxy-Connections. You take the request and send it further. Everything goes through your device. What is the problem here? You need the private key to decrypt the traffic. Two ways possible: 1.) You have the server and just want to fiddle around, then you have the private, load it up in wireshark, sip your coffe and go for it. 2.) You need a new certificate where you also own the private key. Problem here: you just can't get a signed certificate for a foreign domain. So you need to install a self-signed certificate and force trust it on the target. This is what Fiddler 4 does. But of course it is highly visible to do so. You need access to the target and if you have: you don't don't mitm-attacks anymore, you just grep data before it is encrypted. I hope, this answer helps to spare your and our time to search into dead ends. Greetings, Salacryl Quote Link to comment Share on other sites More sharing options...
Irukandji Posted January 28 Share Posted January 28 And this thread was last commented on ten months ago.. Please don't bump old posts. Quote Link to comment Share on other sites More sharing options...
Simone Posted June 10 Share Posted June 10 I need module for mark7 with ssl strip, DWall, urlsnarf is there anyone help me. Quote Link to comment Share on other sites More sharing options...
dark_pyrro Posted June 10 Share Posted June 10 If you want the modules and they aren't available, then you need to develop them yourself. If it was me, I wouldn't spend many minutes trying to get those work since the methods are deprecated/useless in an absolute majority of cases nowadays. Quote Link to comment Share on other sites More sharing options...
Jays_Gone_By Posted July 25 Share Posted July 25 On 1/28/2023 at 6:56 AM, Salacryl said: hope, this answer helps to spare your and our time to search into dead ends. Greetings, Salacryl moments later thank you +Karma Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.