Post by Anonymous on Nov 18, 2016 12:55:48 GMT
I'm not the greatest hacker, hence why I'm using scripts like Intercepter-NG. I'm just playing around with pentesting. I'm wondering why SSLSTRIP doesn't seem to strip anything. When I use the tool I can properly extract usernames and passwords on the local LAN from insecure sites such as forumotion. However, when I attempt to use SSLSTRIP I cannot obtain even encrypted jargon. Requests sent to sites such as PayPal and Facebook never show up in the sniffer. I also noticed that those websites do not have HTTPS removed and stay HTTPS. I could of course use DNS spoofing or set up a fake site with phishing, use an XSS attack, there are other methods, but my goal is to get SSLSTRIP to work. With knowledge of Network+, CCNA, and A+, I'm still not sure what HSTS is. I know it's an added layer of security on top of HTTPS. I figured using that would help but it did not.
My other question was to find out whether Intercepter-NG captures cookies. I did a simple JavaScript document.cookie on a website and searched around for it in successful sniff results but never saw any cookie-related information. I know that cookie killer can expire cookies in order to force logins and capture login information (arguably better than session hijacking) but I'm not sure if cookie capturing exists in terms of sniffing.
TL;DR
1. SSLSTRIP is not successfully capturing encrypted traffic nor forcing HTTP port 80 auth.
2. Does cookie capturing exist in terms of sniffing (and not XSS)? And if so, does Intercepter-NG have the capabilities to do so?
Post by Admin on Nov 18, 2016 12:59:58 GMT
1. You should read about HSTS one more time, that's the reason. In a few words, it forces the browser to connect to common resources such as Gmail or Facebook ONLY via SSL. sslstrip won't help this time. Try Fake Site from the last version, or HSTS spoofing.
2. Of course it sniffs cookies.
Watch the YouTube channel for demos.
Post by Anonymous on Nov 18, 2016 19:10:50 GMT
I took a look at the demo and the methods did not work. I assume that something had been patched and the vulnerability does not exist anymore under the circumstances. The demo is almost 2 years old and does not properly address the conditions for HSTS spoofing, I'm assuming. Such is the nature of the computer security industry. For reference, this demo demonstrated the use of HSTS spoofing and was attempted step by step: youtu.be/wVLD2iT6ADo?t=1m3s
I was able to reconstruct the scenario and did not reproduce the same results. The path diverged when I noticed that Intercepter-NG didn't do anything interesting when I visited Google or Facebook, and the URL stayed the same. The video specifically shows Intercepter-NG in action after the URL changes to XWWW.facebook.com. I know the developer is Russian or something but DNS results come up with nothing on it. What worried me more than the URL is the lock still showing and the "this connection is private" notice next to the URL on Chrome, as well as messages "Spoofing HSTS host for xxx.xx.x.xx: xwww.facebook.com -> xx.xxx.xxx.x" being absent and not showing up on the MITM screen. Nothing showed up in the password tab and Intercepter-NG was defeated, it seems. Is there some explanation for what's at work here? I'm willing to accept a misconfiguration or some absence of knowledge for what's going on behind the scenes, but from the outside in it looks like it's one of two things. Either security has evolved and the method was patched, either protocol-wide or at least for this specific website, or the circumstances with the methods and equipment being used are preventing this attack from working. Also, my question about cookies was asked to find out how to see and specifically capture or look for cookies. There are only the password and RAW tab for captured data, and cookies were not displayed on the password tab in a capture. I'm assuming I have to go in RAW mode to filter and look specifically for cookies.
It looks like cSploit has the edge when it comes to cookies and session hijacking, as it already has scripts that do that. In my first post, I meant to say that I attempted using HSTS spoofing and it did not work. This is why I said "I figured using that would help but it did not." In English, though, I can understand why you might have misunderstood that statement, as it's incorrect grammar and refers to HSTS itself instead of HSTS spoofing. Sorry about that. I tried again in order to gather as much information as possible about the process, because that allows for efficient troubleshooting. I appreciate the response; I'm always willing to learn more about how things work. If it does turn out to be Facebook's security, I wonder what else HSTS spoofing is good for? I heard there was some other security protocol that was to rise up above even HSTS. Though, I can't really remember anything about it right now.
Post by Admin on Nov 18, 2016 20:50:55 GMT
1. HSTS spoofing works together with sslstrip. To get Facebook, as an example, you have to visit some http:// address that will contain a link to Facebook so it can redirect it to the fake domain; in the demo it's http://google, not https. Some built-in domains are stored at misc\hsts.txt, and yeah, this technique isn't perfect.
2. In the password tab you have to turn on showing cookies by right-clicking.
Post by Anonymous on Nov 18, 2016 22:15:53 GMT
I've got the cookie problem down. I did some research on HSTS and figured out that I can troubleshoot the issue via Chrome's network tab by looking at headers. From what I understand, hsts.txt is a list of websites specifically made to redirect one URL to another. I think HSTS spoofing confuses DNS with the URL and allows for an HTTP connection. Specifically regarding Facebook, the output from hsts.txt is:
facebook.com:wwww.facebook.com
www.facebook.com:xwww.facebook.com
So facebook.com -> wwww.facebook.com and www.facebook.com -> xwww.facebook.com. I am not exactly sure how to produce what you described; however, I was able to extract information from the methods I was using to help further understand the issue. I'd like to believe that I reproduced what you described perfectly, still without getting results. I was on a regular website that contained a redirect to www.facebook.com (Google shows httpS://www.facebook.com in the green text under the blue hyperlink, apparently. I'm not sure what you mean by google.com though, as that's https as well and I'm not sure how to force it to http.) Clicking the link gave me a status code 307 Internal Redirect.
Request URL:http://www.facebook.com/
Request Method:GET
Status Code:307 Internal Redirect
Response Headers
Location:https://www.facebook.com/
Non-Authoritative-Reason:HSTS
Request Headers
Provisional headers are shown
Referer:http://regularhttpsite.hostproviderforpoorpeople.com/xxx-xxxx
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
Troy Hunt's page on HSTS says that the status code 307 means "I'm not even going to issue that request, instead I'm going to change it to HTTPS then try again".
It is indeed confirmed by the response header "strict-transport-security:max-age=15552000; preload". Facebook is one of those preloaded HSTS sites and I'm not sure if that has anything to do with it. I gave a read on Troy Hunt's page about it, though, and it looks like it's the culprit behind the issue I'm having. I think my error was in specifying the http:// protocol when posting the link on my website, since, well, nobody usually links to Facebook; people either google it or type in the address directly in the URL bar. I guess the method is deprecated. I tried typing in the xwww. URL manually while sniffing with HSTS spoofing and I just get a DNS error. Manually typing in the wwww URL gives me this output before giving me the internal redirect:
Request URL:http://wwww.facebook.com/
Request Method:GET
Status Code:301 Moved Permanently (from disk cache)
Remote Address:31.13.77.6:80
Response Headers
Content-Length:0
Content-Type:text/html
Date:Fri, 18 Nov 2016 21:58:46 GMT
Location:http://www.facebook.com/
P3P:CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
X-FB-Debug:eESr4LUVLzJwSw2aiXvDLiUnTrz+A21xTeIbRr6+OVLzCSoa3xKn9lM6xdECtWWK+cZTSiCcgTvTigmWXIVMsg==
Request Headers
Provisional headers are shown
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
I'm not really getting results. I think DNS spoofing is a better solution at this point. I'd still like to understand the issue, though.
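The two header captures above show the browser-side HSTS decision from the defender's angle: www.facebook.com is rewritten to https before any request leaves the client (307 Internal Redirect, Non-Authoritative-Reason: HSTS), while wwww.facebook.com goes out over plain port 80 and gets an ordinary 301. The Python below is an added example, not code from this thread or from Intercepter-NG; it parses a Strict-Transport-Security value per RFC 6797 and models that decision, using policies constructed only from the header quoted in the post (real browser preload-list entries may differ), so an operator can see why a policy without includeSubDomains leaves sibling hostnames reachable over http.

```python
import re
from dataclasses import dataclass

@dataclass
class HstsPolicy:
    host: str
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_sts(host, header):
    """Parse a Strict-Transport-Security value (RFC 6797 directives,
    case-insensitive, ';'-separated). Returns None if max-age is absent."""
    max_age, include_sub, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())
            if m:
                max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None  # browsers ignore a header with no max-age
    return HstsPolicy(host.lower(), max_age, include_sub, preload)

def upgrade_decision(policies, request_host):
    """Model the browser's choice for an http:// request to request_host.
    True: rewritten to https before leaving the client (Chrome shows this as
    '307 Internal Redirect', Non-Authoritative-Reason: HSTS)."""
    h = request_host.lower()
    for p in policies:
        if p is None or p.max_age == 0:
            continue  # max-age=0 removes a cached policy
        if h == p.host:
            return True, "307 Internal Redirect: exact HSTS host"
        if p.include_subdomains and h.endswith("." + p.host):
            return True, "307 Internal Redirect: includeSubDomains"
    return False, "plain http request leaves the client: no HSTS policy matches"

if __name__ == "__main__":
    # Constructed from the header quoted in the post; real preload entries may differ.
    quoted = [parse_sts("facebook.com", "max-age=15552000; preload"),
              parse_sts("www.facebook.com", "max-age=15552000; preload")]
    hardened = [parse_sts("facebook.com", "max-age=15552000; includeSubDomains; preload")]
    for name, pol in (("quoted", quoted), ("hardened", hardened)):
        print(name, upgrade_decision(pol, "wwww.facebook.com"))
```

Running it prints that the quoted policy leaves wwww.facebook.com on plain http while the hardened policy (includeSubDomains added) upgrades it, which is the check to run against your own domain's header.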
Post by Admin on Nov 19, 2016 4:42:09 GMT
You'd better forget about HSTS spoofing and use the latest feature, Fake Site.