Bypassing HSTS SSL with the Mana Toolkit

Anyone who’s attempted to use Moxie Marlinspike’s SSLstrip against recent browsers has no doubt run into HTTP Strict Transport Security (HSTS), a mechanism by which a website is able to inform the browser if it’s supposed to be secured with SSL. This fixes the key problem with previous SSL implementations (and what made SSLstrip possible); the fact that the user had to know ahead of time if the site they were visiting was using encryption.

When a user running a recent version of Chrome or Firefox visits an SSL secured site which has been forced down to plain HTTP with SSLstrip, it not only fails, but goes as far as informing the user their current Internet connection is potentially being tampered with by a third party.

But thanks to the recently released “Mana Toolkit”, the SSLstrip technique is once again viable on modern operating systems and browsers. Combining an updated version of SSLstrip, some DNS trickery, and a turn-key rogue AP, Mana is an extremely effective solution for covertly capturing WiFi traffic.

 

Running Mana

Mana has just recently been added to the Kali Linux repositories, which means it’s automatically available to Pwnie devices running Pwnix by simply running:

 

apt-get install mana-toolkit

 

This will pull in quite a few dependencies required to get Mana running, and will drop you back to the command line once finished.

From there, navigate to the Mana directory located at /usr/share/mana-toolkit, and then enter the directory named run-mana. Here you’ll find a number of scripts used to control how Mana operates.

Mana

 

Of the available scripts, the following will be the most useful under normal circumstances:

start-nat-full.sh

Starts the rogue AP, routes client requests to the Ethernet network, and enables all of the tools included in Mana will. This is the script you want to get Mana working as quickly as possible.

start-nat-simple.sh

Starts the rogue AP, but none of the tools. Use this script if you want to deploy your own tools against targets.

start-noupstream.sh

Starts roque AP without Internet connection, complete with fake captive portal login for attempting to capture victim credentials even if you’re offline.

The most common usage will be to run the full Mana suite, so we’ll look at that. While you can manually edit the configuration files under /etc/mana-toolkit, it isn’t necessary to get Mana up and running. Running the “start-nat-full.sh” script will launch Mana and start flooding the terminal with status info:

Mana2

 

Mana will now be advertising a wireless network named “Internet”, as well as attempting to spoof other networks as it sees SSID broadcasts from clients searching for previously connected access points.

 

Compatible Sites

Mana includes the necessary configuration files to capture credentials on a number of popular sites, but of course not all are currently supported. Browsing the source via their official GitHub page shows Mana is already setup to capture login credentials from Facebook, Google, and Apple:

https://github.com/sensepost/mana/tree/master/apache/etc/apache2/sites-available

As Mana is still in development, additional sites and services are still being added. In the meantime, the developers suggest using the already available code as a template to customize your Mana installation for your specific needs and targets.

 

Reviewing Captured Data

The main Mana script dumps out a rather overwhelming amount of continually updating information, and it can be very difficult to interpret it as everything goes by. It’s therefore easier to manually check the SSLstrip logs to look for captured credentials than trying to read them from the script’s output.

The main SSLstrip log file is located at /var/lib/mana-toolkit/sslstrip.log, which holds all the previously SSL protected data that Mana managed to capture. Searching this file for usernames and passwords (try using grep to search for terms such as “pass”) can uncover some extremely interesting information.



New Call-to-action

6 replies
  1. Azzarin
    Azzarin says:

    Hey, when i try using the mana-toolkit and connects to it. It does not bypass HCTS. when i type in for.ex facebook.com. it just says: could not accsess a safe website for facebook.com. same with Yahoo.

    Reply
    • Sara Kantor
      Sara Kantor says:

      We’ve seen that this certainly doesn’t work for all sites, but can’t give you a definitive answer – definitely let the mana guys know.

      Reply
  2. M
    M says:

    Hi,

    Any chance someone has seen the below error and can assist?

    File “/usr/share/mana-toolkit/firelamb/firelamb.py”, line 106, in process
    ip_src=pkt.getlayer(IP).src
    AttributeError: ‘NoneType’ object has no attribute ‘src’

    Reply

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *