10 replies to this topic

[phr34kc0der]

Im sure most of you have read about sslstrip. I was trying to play with it earlier but well, my iptables skills are very lacking. I understand that the documentation was probably on the sparse side for a reason (keep script kiddies away) but if someone can give me some pointers i'd be grateful.

And please dont point me to google. I do plan on playing with iptables in depth but at a later date. ATM im interested in wifi attacks and want to play with a few before moving on.

BTW, i could not find any blog posts, guides or tutorials. If someone wrote one it would probably get to the top of google quite quickly (although you would have to deal with the guilt of helping skiddies steal facebook passwords )

[Ohm]

After a very confusing mistake, I've gotten this running.

I'm doing something a little different. I just want to try this on localhost, so I'm not doing any ARP spoofing. Instead, I'm just forwarding requests to port 80 to port 10000. Of course, this created a very confusing error. My test curl request was redirected to port 10000, and sslstrip got it. It then tried to connect to the server on port 80, which was then redirected to itself. It sat there making new threads until it dies. I was debugging python before I realized what was going on.

Anyway, here's my iptables command line.

sudo iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner test --destination-port 80 -j REDIRECT --to-port 10000

The easiest way was to just make a user called test and filter only connection requests made by the test user.

I'm about to play with this further, I haven't even begun to start doing any ssl testing.

[Ohm]

And it is working. Running firefox as the test user (using the ssh trick), I just captured my own gmail password.

ssh test@localhost firefox

[phr34kc0der]

Thanks Ohm. Havent had a chance to play some more but i will do.

[Cryptik Hex]

This sounds interesting! Thanks for letting me in on this (surprised I hadn't heard about it) but yea I'm definitely going to learn more about the inner workings

[Ohm]

Oops, I made a mistake in the ssh thing.

ssh -X test@localhost firefox

This is still not perfect. My previous advice of opening up https://gmail.google.com/ still protects you (but only on gmail). This relies on having cleartext HTTP to mangle URLs to HTTPS form submissions. If the connection was initiated as HTTPS to begin with, there's nothing it can do.

[phr34kc0der]

It seems version 0.2 has been released (not sure which version you were using Ohm). This one has a MUCH better readme.

[Ohm]

I was using 0.1, but I'm done playing with it now. I figured it out myself anyway

[duper]

http://djtechnocrat....acked-then.html

Didn't know the author was forced to release because they got hacked.. How ironic.

[Ohm]

They make it sound like it was some epic hack or the URL was "sniffed" while he accessed it or something. Someone just guessed the URL is all.

Also, I got this running with ettercap with no problems at all. In all it only took me about 5 minutes, including figuring out how to use ettercap (which I'd never used before ). The iptables command was definitely easier as well, since I didn't have to weed out unwanted traffic from my own computer.

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 10000

[SUMMERZFUN]

Hi
Trying this on mac, I tried using the ipfw command (as osx doesn't support iptables). My ipfw add fwd 127.0.0.1,80 tcp from any to any 10000. If anyone is familiar with ipfw in osx, could you please advise? I think this must be the issue, as I got arpspoof working (downloaded macports and dsniff), also the kernel sysctl forwarding to 1, and this was the remaining step.
Nothing also contained in the secret file as my other laptop I signed onto yahoo.

Thank you very much for any osx information.