phr34kc0der

SSLStrip

11 posts in this topic

I'm sure most of you have read about sslstrip. I was trying to play with it earlier but, well, my iptables skills are very lacking. I understand that the documentation was probably on the sparse side for a reason (keep script kiddies away), but if someone can give me some pointers I'd be grateful.

And please don't point me to Google. I do plan on playing with iptables in depth, but at a later date. ATM I'm interested in wifi attacks and want to play with a few before moving on.

BTW, I could not find any blog posts, guides or tutorials. If someone wrote one it would probably get to the top of Google quite quickly (although you would have to deal with the guilt of helping skiddies steal Facebook passwords :P)


After a very confusing mistake, I've gotten this running.

I'm doing something a little different. I just want to try this on localhost, so I'm not doing any ARP spoofing. Instead, I'm just forwarding requests to port 80 to port 10000. Of course, this created a very confusing error. My test curl request was redirected to port 10000, and sslstrip got it. It then tried to connect to the server on port 80, which was then redirected to itself. It sat there making new threads until it died. I was debugging Python before I realized what was going on.

Anyway, here's my iptables command line.

sudo iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner test --destination-port 80 -j REDIRECT --to-port 10000

The easiest way was to just make a user called test and filter only connection requests made by the test user.

I'm about to play with this further; I haven't even begun to start doing any SSL testing.


And it is working. Running Firefox as the test user (using the ssh trick), I just captured my own Gmail password.

ssh test@localhost firefox


Thanks Ohm. Haven't had a chance to play some more but I will do.


This sounds interesting! Thanks for letting me in on this (surprised I hadn't heard about it) but yea I'm definitely going to learn more about the inner workings :D


Oops, I made a mistake in the ssh thing.

ssh -X test@localhost firefox

This is still not perfect. My previous advice of opening up https://gmail.google.com/ still protects you (but only on Gmail). This relies on having cleartext HTTP to mangle URLs to HTTPS form submissions. If the connection was initiated as HTTPS to begin with, there's nothing it can do.


It seems version 0.2 has been released (not sure which version you were using, Ohm). This one has a MUCH better readme.


I was using 0.1, but I'm done playing with it now. I figured it out myself anyway :P


They make it sound like it was some epic hack or the URL was "sniffed" while he accessed it or something. Someone just guessed the URL is all.

Also, I got this running with ettercap with no problems at all. In all it only took me about 5 minutes, including figuring out how to use ettercap (which I'd never used before :P). The iptables command was definitely easier as well, since I didn't have to weed out unwanted traffic from my own computer.

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 10000


Hi

Trying this on Mac, I tried using the ipfw command (as OS X doesn't support iptables). My ipfw line was: ipfw add fwd 127.0.0.1,80 tcp from any to any 10000. If anyone is familiar with ipfw in OS X, could you please advise? I think this must be the issue, as I got arpspoof working (downloaded MacPorts and dsniff), also set the kernel sysctl forwarding to 1, and this was the remaining step.

Nothing was contained in the secret file either when, on my other laptop, I signed onto Yahoo.

Thank you very much for any osx information.
