Today we're going to talk about using sslstrip to steal passwords. For this I'm going to be using my WiFi Pineapple Mark IV, which is a very handy little box, and I highly recommend having one for your wireless pentesting.
First we need to install sslstrip on the pineapple. For this we will use a USB thumb drive to give it the additional space needed for the installation. Fortunately for us, with the most recent firmware, installing sslstrip is quite simple and can be done entirely through the web interface.
Click on the Pineapple Bar and select "list available infusions (aka modules)".
Go through all the modules until you find the sslstrip module and click on the "Install" link. This will prompt you to select whether to install it on internal storage or on the USB storage.
Once sslstrip is installed it will put a new line in the Pineapple Bar labeled "sslstrip". Go ahead and navigate to it and start up sslstrip by clicking the start button.
Now that we have sslstrip running we just need to grab some passwords. I used my laptop and connected to my pineapple's wireless network. Let's use Facebook for our example.
Facebook defaults to HTTPS connections, but because we have sslstrip doing its magic, the connection from the pineapple to the victim's computer is sent as HTTP.
Once the victim logs in they still get access and can go on with their day, but moving back to sslstrip we notice that we've grabbed the e-mail address and password.
Combining sslstrip and karma gets even more alluring, as karma can advertise itself as any access point that a computer sends a request for. Take it a step further and add a de-auth script that disconnects everyone who's not connected to you, and you've got a recipe for harvesting passwords from every wireless user around you. No cracking necessary.
I don't know... that pineapple looks like scriptkiddie garbage to me.
Save yourself some money and get a raspberry pi, an alfa, and make this. It will be much more powerful and you will be able to do a hell of a lot more with it.
right on the money
Haters gonna hate
Saying you could do just as much with a rasp pi is a pretty retarded argument to me. For every person who is actually bold enough to try stuff and share it publicly there are 100 guys who think they're better because they could "do it better".
If you can do all that with a pi, DO IT, write it up, and start contributing something besides retarded comments.
And for what it's worth, I have both a raspi and a pineapple. Love them both. The pineapple really is a well done project, and works GREAT.
@Fusion. You sound like a real retart, the WiFi Pineapple (elite) comes with an Alfa external module. If you don't know the product don't knock it.
The Pineapple is a very good piece of technology, especially the karma feature. Go and look at the videos on YouTube and hak5.
The pineapple is a very good piece of hardware to use.
Do us all a favor and go to www.scriptkiddy.com and go and play there.
How would you stop from getting scammed by this? I'd be interested in hearing suggestions on how to prevent yourself from falling prey to something like this.
There are a few ways... The first is to be vigilant and make sure when you go to a website that it actually shows HTTPS:// before logging in. There's also a plugin called HTTPS Everywhere that forces you to talk to certain websites only via HTTPS and won't allow it to redirect to a normal HTTP connection.
I wrote an article on this very matter just after I got my pineapple. What I came up with was to change the name of my WAP to a very unique SSID, then connect to it with my laptop, then change the SSID back to the original. Then I set that saved network as my preferred network. When my computer is out and about it sends out a broadcast beacon saying "Are you very_unique_SSID?", any nearby pineapple replies with a yes and it appears as though I am connected to that network. Then I set up a script to run every few minutes to check the SSID of the network I am currently using and if it matches my very_unique_SSID, then it pops up an alert on my screen advising me of a possible pineapple in the vicinity. Also, because you can add SSLStrip to the pineapple, SSL / HTTPS no longer works as a defence, so I recommend tunneling over SSH to be sure.
Where does it store the email and password? In a text file?
You can configure it so it stores logs on the USB drive.
I don't know if you can help me with this. I followed your instructions; I click on "modules", followed by install. Now when I click on SSLSTRIP (it’s in the dashboard area now, not modules mind you) after installing it, it again says it’s not installed, and gives me the option to install on either the Flash drive or the Pineapple itself. When I do that, it says installing, but nothing happens.
There isn’t much info out there on the pineapple, so it’s hard to get good help.
Have you already formatted your USB drive to EXT3/4?
No, I have not. But I wasn’t able to install it on the Pineapple itself without the USB plugged in. So I don’t know if that is THE problem, well it may be a problem but I don’t know if it’s necessarily causing the problem I inquired about.
That could definitely be the problem. I don't remember how big SSLstrip is, but it could be bigger than the internal storage on the device. To be fair I didn't try to install it on internal storage, I did it directly on the USB from the start, so I could be wrong.
I am having the same problem. I click Install to USB and it says Loading. . . Then the screen flashes and it goes back to showing Not Installed. Same thing on 2 flash drives and on Install to Internal Storage. Any ideas?
Here's a forum post where some people are having issues with their USB drives, so I'd recommend starting by checking all the basics outlined here: http://forums.hak5.org/index.php?/topic/25882-how-to-enable-usb-mass-storage-with-swap-partition/, BUT it sounds like your pineapple recognizes your USB drive (which I'm assuming is EXT4 formatted already), but won't install, right?
According to the other poster, they simply weren't able to use their USB stick and using their SanDisk worked. If you have a spare, I'd recommend giving that a shot.
I solved it, the type of USB drive I was using wasn’t supported by the pineapple I guess. I switched to a SanDisk and everything worked as it should.
Interesting. Glad to hear you're working.
Nice post. Keep them coming!
Yeah, nice post. I didn't know how easy it is to use sslstrip. I wish I had your number so we can discuss this WiFi Pineapple to the tee.
How do you keep yourself from being hacked by this?
There are a few ways. One is to make sure you're actually communicating via HTTPS. There are plugins that can help with this, such as HTTPS Everywhere. If you're trying to prevent a MITM from karma, one way is to create an SSID on your machine that you know you don't access, such as KarmaAttackingYou, and set it as your primary wireless connection (so it will connect to that SSID before any other). Then it's a matter of checking to make sure that SSID is not present.
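The decoy-SSID check described in the two replies above (the "very_unique_SSID" script and the KarmaAttackingYou profile) could look like the following. This is an added example, not the commenters' own script: it assumes a Linux laptop with NetworkManager's `nmcli`, and the sample scan output is constructed.

```python
import re
import subprocess

# Decoy network name taken from the reply above; it must never exist for real.
CANARY_SSID = "KarmaAttackingYou"


def parse_nmcli(output):
    """Parse `nmcli -t -f ACTIVE,SSID device wifi` output into (active, ssid) tuples."""
    rows = []
    for line in output.splitlines():
        active, sep, ssid = line.partition(":")
        if not sep:
            continue
        # Terse mode escapes ':' and '\' inside values with a backslash.
        ssid = re.sub(r"\\(.)", r"\1", ssid)
        rows.append((active == "yes", ssid))
    return rows


def check_canary(rows, canary=CANARY_SSID):
    """Return 'connected', 'visible' or None depending on where the canary shows up."""
    state = None
    for active, ssid in rows:
        if ssid != canary:
            continue
        if active:
            return "connected"   # the laptop joined a network answering to the decoy
        state = "visible"        # something nearby is advertising the decoy
    return state


def scan():
    """Run the real scan (assumption: nmcli is installed and Wi-Fi is enabled)."""
    cmd = ["nmcli", "-t", "-f", "ACTIVE,SSID", "device", "wifi"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample outputs for the three cases.
SAMPLE_CLEAN = "yes:HomeNet\nno:Cafe\\: Guest\nno:\n"
SAMPLE_ROGUE = "no:HomeNet\nyes:KarmaAttackingYou\n"
SAMPLE_NEARBY = "yes:HomeNet\nno:KarmaAttackingYou\n"

if __name__ == "__main__":
    result = check_canary(parse_nmcli(scan()))
    if result:
        print(f"ALERT: canary SSID {CANARY_SSID!r} is {result}; a rogue AP may be nearby")
```

Run it from cron or a systemd timer every few minutes, as the first reply suggests.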