Wednesday, June 13, 2012

You just can't trust wireless: covertly hijacking wifi and stealing passwords using sslstrip

NOTE: The following post (and all posts on hakinthebox) are for educational purposes only. Do not perform any of these activities unless you have permission to do so.

Today we're going to talk about using sslstrip on the WiFi Pineapple to steal passwords. For this I'm going to be using my WiFi Pineapple Mark IV, which is a very handy little box that I highly recommend having for your wireless pentesting.

First we need to install sslstrip on the pineapple. For this we will use a USB thumb drive to give it the additional space needed for the installation. Fortunately for us, with the most recent firmware installing sslstrip is quite simple and can be done entirely through the web interface.

Click on the Pineapple Bar and select "list available infusions (aka modules)".


Go through all the modules until you find the sslstrip module and click on the "Install" link. This will prompt you to select whether to install it on internal storage or on the USB storage.

Once sslstrip is installed it will put a new line in the pineapple bar labelled "sslstrip". Navigate to it and start up sslstrip by clicking the start button.


Now that we have sslstrip running we just need to grab some passwords. I used my laptop and connected to my pineapple's wireless network. Let's use Facebook for our example.

Facebook defaults to HTTPS connections, but because we have sslstrip doing its magic, the connection from the pineapple to the victim's computer is sent as plain HTTP.

Once the victim logs in they still get access and can go on with their day, but switching back to sslstrip we notice that we've grabbed the e-mail address and password.
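As an added example (not code from the original post), here is a small Python check a defender can run on a fetched login page to spot the downgrade described above: a password form that submits over plain HTTP, and, on the genuine HTTPS page, a missing Strict-Transport-Security header, which is what allows a browser to be redirected to http:// in the first place. The hostname login.example.com and both HTTP responses are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _FormScanner(HTMLParser):
    """Collect each <form>'s action and whether it contains a password field."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("type", "").lower() == "password":
            self._current["password"] = True
    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def parse_response(raw):
    """Split a raw HTTP response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
    return lines[0], headers, body

def audit_login_page(page_url, raw_response):
    """Return findings that point to an sslstrip-style downgrade; an empty list means none."""
    findings, page_scheme = [], urlparse(page_url).scheme
    _, headers, body = parse_response(raw_response)
    scanner = _FormScanner()
    scanner.feed(body)
    for form in scanner.forms:
        if not form["password"]:
            continue
        # A relative action inherits the page scheme; sslstrip rewrites absolute https:// links to http://.
        scheme = urlparse(form["action"]).scheme or page_scheme
        if scheme != "https":
            findings.append(f"password form submits over {scheme}: {form['action'] or page_url}")
    # HSTS is only honoured over HTTPS; without it a later http:// visit can be intercepted and stripped.
    if page_scheme == "https" and "strict-transport-security" not in headers:
        findings.append("no Strict-Transport-Security header, so a later http:// visit can be downgraded")
    return findings

# Constructed samples (login.example.com is made up): the same login form as the victim receives it
# through sslstrip (STRIPPED) and as fetched directly over TLS with HSTS enabled (CLEAN).
FORM = '<form action="{}" method="post"><input type="text" name="email"><input type="password" name="pass"></form>'
STRIPPED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + FORM.format("http://login.example.com/login.php")
CLEAN = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
         "Strict-Transport-Security: max-age=31536000\r\n\r\n" + FORM.format("/login.php"))
```

Running `audit_login_page("http://login.example.com/", STRIPPED)` reports the plaintext password form, while the CLEAN response with HSTS yields no findings.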


Combining sslstrip and karma gets even more alluring, as karma can advertise itself as any access point that a computer sends a request for. Take it a step further by adding a de-auth script that disconnects everyone who isn't connected to you, and you've got a recipe for harvesting passwords from every wireless user around you. No cracking necessary.

23 comments:

  1. I don't know... that pineapple looks like scriptkiddie garbage to me.

    save yourself some money and get a raspberry pi, an alfa, and make this. It will be much more powerful and you will be able to do a hell of a lot more with it.

    Replies
    1. right on the money

    2. Haters gonna hate

    3. Saying you could do just as much with a rasp pi is a pretty retarded argument to me. For every person who is actually bold enough to try stuff and share it publicly there are 100 guys who think they're better because they could "do it better".
      If you can do all that with a pi, DO IT, write it up, and start contributing something besides retarded comments.

      And for what it's worth, I have both a raspi and a pineapple. Love them both. The pineapple really is a well done project, and works GREAT.

    4. @Fusion. You sound like a real retart, the wifi pineapple (elite) comes with an Alfa external module. If you don't know the product don't knock it.

      The Pineapple is a very good piece of technology, especially the karma feature. Go and look at the videos on YouTube and hak5.
      The pineapple is a very good piece of hardware to use.

      Do us all a favor and go to www.scriptkiddy.com and go and play there.

  2. How would you stop from getting scammed by this? I'd be interested in hearing suggestions on how to prevent yourself from falling prey to something like this.

    Replies
    1. There are a few ways. The first is to be vigilant and make sure when you go to a website that it actually shows HTTPS:// before logging in. There's also a plugin called HTTPS Everywhere that forces you to talk to certain websites only via HTTPS and won't allow it to redirect to a normal HTTP connection.

    2. I wrote an article on this very matter just after I got my pineapple. What I came up with was to change the name of my WAP to a very unique SSID, then connect to it with my laptop, then change the SSID back to the original. Then I set that saved network as my preferred network. When my computer is out and about it sends out a broadcast beacon saying "Are you very_unique_SSID?", any nearby pineapple replies with a yes and it appears as though I am connected to that network. Then I set up a script to run every few minutes to check the SSID of the network I am currently using and if it matches my very_unique_SSID, then it pops up an alert on my screen advising me of a possible pineapple in the vicinity. Also, because you can add SSLStrip to the pineapple, SSL / HTTPS no longer works as a defence, so I recommend tunneling over SSH to be sure.

  3. Where does it store the email and password? In a text file?

  4. You can configure it so it stores logs on the USB drive.

  5. I don't know if you can help me with this. I followed your instructions; I click on "modules", followed by install. Now when I click on SSLSTRIP (it's in the dashboard area now, not modules mind you) after installing it, it again says it's not installed, and gives me the option to install on either the Flash drive or the Pineapple itself. When I do that, it says installing, but nothing happens.
    There isn’t much info out there on the pineapple, so it’s hard to get good help.

    Replies
    1. Have you already formatted your USB drive to EXT3/4?

    2. No, I have not. But I wasn't able to install it on the Pineapple itself without the USB plugged in. So I don't know if that is THE problem; well, it may be a problem, but I don't know if it's necessarily causing the problem I inquired about.

    3. That could definitely be the problem. I don't remember how big SSLstrip is, but it could be bigger than the internal storage on the device. To be fair I didn't try to install it on internal storage, I did it directly on the USB from the start, so I could be wrong.

    4. I am having the same problem. I click Install to USB and it says Loading... Then the screen flashes and it goes back to showing Not Installed. Same thing on 2 flash drives and on Install to Internal Storage. Any ideas?

    5. Here's a forum post where some people are having issues with their USB drives, so I'd recommend starting by checking all the basics outlined here: http://forums.hak5.org/index.php?/topic/25882-how-to-enable-usb-mass-storage-with-swap-partition/, BUT it sounds like your pineapple recognizes your USB drive (which I'm assuming is EXT4 formatted already), but won't install, right?

      According to the other poster, they simply weren't able to use their USB stick and using their SanDisk worked. If you have a spare, I'd recommend giving that a shot.

  6. I solved it; the type of USB drive I was using wasn't supported by the pineapple, I guess. I switched to a SanDisk and everything worked as it should.

  7. The post is written in a terribly decent manner and it entails several helpful data on behalf of me. I'm happy to search out your distinguished manner of writing the post. Currently you create it straightforward on behalf of me to know and implement the conception. Many thanks for the post.
    recover deleted folder in outlook

  8. Nice post. Keep them coming!

  9. Yeah, nice post. I didn't know how easy it is to use sslstrip. I wish I had your number so we can discuss this WiFi Pineapple to the tee.

  10. How do you keep yourself from being hacked by this?

    Replies
    1. There are a few ways. One is to make sure you're actually communicating via HTTPS. There are plugins that can help with this, such as HTTPS Everywhere. If you're trying to prevent a MITM from karma, create an SSID on your machine that you know you don't access, such as KarmaAttackingYou, and set it as your primary wireless connection (so it will connect to that SSID before any other). Then it's a matter of checking to make sure that SSID is not present.
