Re: [Video] How to: Snifff SSL / HTTPS (sslstrip)
Thanks for all your tutorials and the time you're spending for it, it's all useful. Best regards
Re: [Video] How to: Snifff SSL / HTTPS (sslstrip)
Quote: Originally Posted by ch0k|t0
Hello. I don't understand some situations.
Why are you using --destination port 80 if https works on port 443?
In my case, changing the value in ip_forward is not working; I can only use the forwarding capabilities when I use fragrouter, but the sniffer doesn't work, I can't get any decrypted data.
I have tried to make the attack in my test room and I can't get it to work.
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
What value does this return?
cat /proc/sys/net/ipv4/ip_forward
SSLStrip I believe does stuff to the port, and redirects the ports
Quote: Originally Posted by mastodongle
Can this be done with the mon0 interface simply while sniffing the network with airmon-ng, or does wlan0 have to actually be connected to the wireless network in order to use arpspoof and sslstrip?
You need to be connected to the network.
mon0 = monitor mode. You're not connected.
Quote: Originally Posted by joker5bb
you need to be on the gateway for the attack
Yep
Quote: Originally Posted by proisr
Thank you so much man!
I didn't know how to bypass the SSL security.
BTW: I think someone on my net (200+ PCs on the net) tried to sniff my brother's passwords... (Firefox blocked it like in your video).
Is there any way I can track the attacker / block the attacks?
edit: I wasn't able to sniff the whole network.
How can I sniff (with ettercap) a range of IPs?
Because putting 192.168.0.255 didn't work (it's just 1 computer)
Yes, check the ARP cache - see if there are dups!
And there are many different tuts on how to use ettercap, this isn't one!
Quote: Originally Posted by nicksiz
You are perfect m8! And I have a question.
We use cyberoam to enter the internet @ my school. When you connect to the school wireless, it redirects you to http://192.168.150.1:8090/httpclient.html and you have to enter your username and password to use the internet connection.
1. Should I enter my pass and user name to sniff? Or is being connected to wireless enough?
2. When I use ifconfig it says Bcast:192.168.62.255. Do I use this instead of 192.168.1.1?
1.) It depends on how the network/router are set up.
2.) This is also sounding illegal
Quote: Originally Posted by WolverineOD
As tempting as it may be to try arpspoofing your school network, you should first realize that it's illegal to do without explicit consent from your school (which I doubt they will give) and that we don't support or condone this kind of activity in these forums. Besides which, this will totally kill all the network traffic (because all the traffic is being routed through the attacker's PC, downside of arpspoofing) and your system admins will likely notice if they know what they are doing. It's not worth it. Take care mate.
However if anybody else is confused about this:
Yes this is the case. If you have a different broadcast address, use it. The addresses given by g0tmi1k are only example addresses, which apply to the network he was using. Addresses will likely be different for your own network. Hope that helps.
Thanks for the reply!
Quote: Originally Posted by nicksiz
Thanks m8 for your answer. It's not illegal because I have doing it with my teacher for his PC only, but we didn't do it. Thanks for your help, this forum is perfect.
The teacher doesn't have the permission btw.
Quote: Originally Posted by coolkaveh
Thanks for all your tutorials and the time you're spending for it, it's all useful. Best regards
Thanks for the thanks
Re: [Video] How to: Snifff SSL / HTTPS (sslstrip)
Ahm, guys, I have a question. When I try to do this tutorial on HTTPS sniffing, Google Mail didn't redirect. When I logged in, it stays on the form page even if I refresh it. Also, PayPal returns an unsecured certificate even if I run sslstrip -a -k -f. Help guys, I've done every single thing in this how-to. :confused: :confused:
I'm using Backtrack 4 Live USB.
Thanks.
Re: [Video] How to: Snifff SSL / HTTPS (sslstrip)
Quote: Originally Posted by mamen0330
Ahm, guys, I have a question. When I try to do this tutorial on HTTPS sniffing, Google Mail didn't redirect. When I logged in, it stays on the form page even if I refresh it. Also, PayPal returns an unsecured certificate even if I run sslstrip -a -k -f. Help guys, I've done every single thing in this how-to. :confused: :confused:
I'm using Backtrack 4 Live USB.
Thanks.
Is the target ARP spoofed?
If it's Windows:
Start -> run -> cmd -> arp -a
Check that the gateway MAC and the attacker's MAC are the same.
Did you do the port forwarding bit too?
Re: [Video] How to: Snifff SSL / HTTPS (sslstrip)
Quote: Originally Posted by g0tmi1k
Is the target ARP spoofed?
If it's Windows:
Start -> run -> cmd -> arp -a
Check that the gateway MAC and the attacker's MAC are the same.
Did you do the port forwarding bit too?
Here's the setup:
Target: 192.168.1.2
GW: 192.168.1.1 (my subnet mask BTW is 255.255.255.240. Will this affect this?)
nano /etc/etter.conf    # I've uncommented the redir_command in iptables for linux
echo 1 > /proc/sys/net/ipv4/ip_forward    # I've set up ip forward
arpspoof -i eth0 -t 192.168.1.2 192.168.1.1    # my int is eth0
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000    # I've set this up so the packets will redirect to sslstrip
sslstrip -a -k -f    # I've run sslstrip with these parameters
ettercap -T -q -i eth0    # then lastly I've run ettercap to test it
That's the whole set of commands that I've used. As I said, I still got a certificate error for PayPal and it's a looping scheme for Gmail. I'm not redirected to my mail content.
Thanks for the help. :o
Re: [Video] How to: Snifff SSL / HTTPS (sslstrip)
Quote: Originally Posted by mamen0330
Here's the setup:
Target: 192.168.1.2
GW: 192.168.1.1 (my subnet mask BTW is 255.255.255.240. Will this affect this?)
nano /etc/etter.conf    # I've uncommented the redir_command in iptables for linux
echo 1 > /proc/sys/net/ipv4/ip_forward    # I've set up ip forward
arpspoof -i eth0 -t 192.168.1.2 192.168.1.1    # my int is eth0
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000    # I've set this up so the packets will redirect to sslstrip
sslstrip -a -k -f    # I've run sslstrip with these parameters
ettercap -T -q -i eth0    # then lastly I've run ettercap to test it
That's the whole set of commands that I've used. As I said, I still got a certificate error for PayPal and it's a looping scheme for Gmail. I'm not redirected to my mail content.
Thanks for the help. :o
Looks like you didn't listen to me the first time, so I'll say it again.
Can you check to see if your target has been ARP spoofed?
If the target machine is running Windows: Start -> run -> cmd -> arp -a
Check that the gateway MAC and the attacker's MAC are the same.
Nope, the subnet shouldn't make a difference.
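The ARP-cache check suggested in the replies above (look for duplicate MACs, e.g. in `arp -a` output) written as a script. This is an added example, not part of the original posts; the sample `arp` output and every address in it are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
MAC_RE = re.compile(r"\b[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}\b")

# Constructed sample of Windows `arp -a` output (all addresses are made up).
SAMPLE_POISONED = """\
Interface: 192.168.1.2 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-29-aa-bb-cc     dynamic
  192.168.1.3           00-1e-4f-11-22-33     dynamic
  192.168.1.7           00-0C-29-AA-BB-CC     dynamic
  192.168.1.15          ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

# Constructed sample of Linux `arp -an` output with no duplicates.
SAMPLE_CLEAN = """\
? (192.168.1.1) at 00:1e:4f:00:00:01 [ether] on eth0
? (192.168.1.3) at 00:1e:4f:11:22:33 [ether] on eth0
? (192.168.1.9) at <incomplete> on eth0
"""

def shared_macs(arp_output):
    """Map each unicast MAC that answers for more than one IP to those IPs."""
    by_mac = defaultdict(set)
    for line in arp_output.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if not (ip and mac):          # headers, interface lines, <incomplete>
            continue
        mac = mac.group(0).lower().replace("-", ":")
        # Broadcast/multicast MACs (low bit of first octet set) are shared
        # by design and would otherwise show up as false positives.
        if int(mac[:2], 16) & 1:
            continue
        by_mac[mac].add(ip.group(0))
    return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}

def gateway_impersonators(arp_output, gateway_ip):
    """Return (mac, other_ips) if other IPs share the gateway's MAC, else None."""
    for mac, ips in shared_macs(arp_output).items():
        if gateway_ip in ips:
            return mac, [ip for ip in ips if ip != gateway_ip]
    return None

if __name__ == "__main__":
    print(gateway_impersonators(SAMPLE_POISONED, "192.168.1.1"))
    print(gateway_impersonators(SAMPLE_CLEAN, "192.168.1.1"))
```

A shared MAC only shows up when the other host's real IP is also in the cache, and a router doing proxy ARP can produce a legitimate duplicate, so treat a hit as a lead to verify.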
Re: [Video] How to: Snifff SSL / HTTPS (sslstrip)
Quote: Originally Posted by g0tmi1k
Looks like you didn't listen to me the first time, so I'll say it again.
Can you check to see if your target has been ARP spoofed?
If the target machine is running Windows: Start -> run -> cmd -> arp -a
Check that the gateway MAC and the attacker's MAC are the same.
Nope, the subnet shouldn't make a difference.
Yup. The victim has been arpspoofed. Gateway MAC is the same as my eth0 MAC. If I don't run sslstrip, it works fine. But if I run sslstrip, that's where the problem starts.
Re: [Video] How to: Snifff SSL / HTTPS (sslstrip)
Is the ec_uid and ec_gid line in etter.conf = 0 for root? Maybe that will help.
Re: [Video] How to: Snifff SSL / HTTPS (sslstrip)
I am having the same issue. When I click login on the Gmail page it just seems to refresh the page. I have verified that I followed all steps and that the gateway MAC is the attacker's.
Any ideas?
Re: [Video] How to: Snifff SSL / HTTPS (sslstrip)
I heard from a guy on the #backtrack-linux channel that the "big" companies have fixed this issue by forcing SSL. It's just what he told me when I tried to fix it.
I would also like to get this confirmed?
//zlate