Re: Script for sniffing traffic.
Quote:
It's always interesting to demonstrate that an attacker can study your browsing habits and use that knowledge to exploit a computer/steal passwords (DNS poisoning/phishing/etc...).
I certainly agree with you, but you'll find the urlsnarf information in sslstrip's logs... So it doesn't bring anything new, imo.
Quote:
Xplico is an interesting (and powerful) tool. It's best run on a dump (live capture mode is not as useful). It's easiest used through its web GUI, so I agree it wouldn't integrate well with yamas; I just mentioned it while we were discussing image extraction.
All right, thanks, I thought you mentioned it for yamas, not as general knowledge. But it makes more sense this way and it sure seems to be a nice tool! I'll try to have a go at it once I've figured out how to launch it :p
Re: Script for sniffing traffic.
Quote:
Originally Posted by comaX
I certainly agree with you, but you'll find the urlsnarf information in sslstrip's logs... So it doesn't bring anything new, imo.
I'll be honest, I never looked inside an sslstrip log, so I don't know what's inside it. Have you compared the results from both tools, to check if they match?
Re: Script for sniffing traffic.
Sslstrip logs contain pretty much everything that happens on the network. You'll get a load of crap: headers, requests, etc. In urlsnarf, you only get the requests, like GET. So it's a little more readable than sslstrip logs, but to obtain the same result the parsing would be easy.
urlsnarf:
sslstrip:
Quote:
2011-11-17 15:27:50,528 Resolved host successfully: clients2.google.com -> 209.85.147.113
2011-11-17 15:27:50,529 Sending request via HTTP...
2011-11-17 15:27:50,573 HTTP connection made.
2011-11-17 15:27:50,573 Sending Request: GET /service/update2/crx?
2011-11-17 15:27:50,574 Sending header: accept-charset : windows-1252,utf-8;q=0.7,*;q=0.3
2011-11-17 15:27:50,574 Sending header: connection : keep-alive
2011-11-17 15:27:50,574 Sending header: accept-language : fr,en-US;q=0.8,en;q=0.6
2011-11-17 15:27:50,574 Sending header: host : clients2.google.com
2011-11-17 15:27:50,574 Sending header: user-agent : Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
OK, sslstrip logs are more verbose, but if you do something like cat sslstrip.log | grep "Resolved host successfully:", you should get the browsed websites...
Example on one of my logs with egrep -i -a -e "Resolved host successfully:" /root/sslstrip.log
Quote:
2011-11-17 15:27:22,486 Resolved host successfully: safebrowsing.clients.google.com -> 173.194.67.101
2011-11-17 15:27:22,731 Resolved host successfully: safebrowsing-cache.google.com -> 209.85.227.139
2011-11-17 15:27:26,931 Resolved host successfully: whos.amung.us -> 67.202.94.93
2011-11-17 15:27:28,606 Resolved host successfully: www.facebook.com -> 69.171.242.14
2011-11-17 15:27:31,875 Resolved host successfully: 0-74.channel.facebook.com -> 66.220.145.41
2011-11-17 15:27:47,956 Resolved host successfully: whos.amung.us -> 67.202.94.93
And it wouldn't be too hard to keep only certain columns with awk or cut...
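As an added example (not yamas code and not from the post above), here is the grep/awk/cut idea from that post turned into a few reusable shell functions that pull the browsed hosts out of an sslstrip log, drop the header/request noise, and give a first-seen timeline and per-host counts. The sample log is constructed for this example (hosts and addresses mirror the excerpt above); the script file name is assumed.

```shell
#!/bin/sh
# Added example, not part of yamas or of the original post: extract the
# "Resolved host successfully:" lines from an sslstrip log and turn them
# into a readable list of browsed hosts, as suggested in the post above.
# Run with: sh extract_hosts.sh   (file name assumed)
# or source it and call e.g.:  resolved_hosts /root/sslstrip.log

# Constructed sample log for the demo (not a real capture).
LOG_SAMPLE='2011-11-17 15:27:22,486 Resolved host successfully: safebrowsing.clients.google.com -> 173.194.67.101
2011-11-17 15:27:22,731 Sending request via HTTP...
2011-11-17 15:27:26,931 Resolved host successfully: whos.amung.us -> 67.202.94.93
2011-11-17 15:27:28,606 Resolved host successfully: www.facebook.com -> 69.171.242.14
2011-11-17 15:27:31,875 Sending header: host : www.facebook.com
2011-11-17 15:27:47,956 Resolved host successfully: whos.amung.us -> 67.202.94.93'

# resolved_hosts LOG
# Prints "<date> <time> <host> <ip>" for each resolution line, in log order.
# grep -a treats the log as text even if sslstrip wrote binary junk into it;
# the awk guard skips any line that does not have the expected field layout.
resolved_hosts() {
    grep -a 'Resolved host successfully:' "$1" \
        | awk '$3 == "Resolved" && $7 == "->" { print $1, $2, $6, $8 }'
}

# count_resolutions LOG
# Number of resolution lines (awk avoids the leading spaces wc -l prints
# on some systems, which would break numeric comparisons).
count_resolutions() {
    resolved_hosts "$1" | awk 'END { print NR }'
}

# first_seen LOG
# One line per host with the timestamp it was first resolved: a browsing
# timeline without the repeats (beacons like whos.amung.us show up once).
first_seen() {
    resolved_hosts "$1" | awk '!seen[$3]++ { print $1, $2, $3 }'
}

# host_counts LOG
# "<host> <count>", most frequently resolved host first.
host_counts() {
    resolved_hosts "$1" | awk '{ print $3 }' | sort | uniq -c \
        | sort -rn | awk '{ print $2, $1 }'
}

# Demo on the constructed sample.
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$LOG_SAMPLE" > "$SAMPLE_FILE"
echo "== resolutions ==";  resolved_hosts "$SAMPLE_FILE"
echo "== first seen ==";   first_seen "$SAMPLE_FILE"
echo "== host counts ==";  host_counts "$SAMPLE_FILE"
```

Keep in mind that these are only the hosts whose connections were actually redirected through sslstrip; anything that bypassed the proxy never appears in its log, so this is not a full replacement for sniffing the wire with urlsnarf.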
Re: Script for sniffing traffic.
Making Xplico run on BackTrack 5 is a real pain in the ass. When I wanted to try it, after losing some hours in vain, I just downloaded the VM from Xplico's website.
Re: Script for sniffing traffic.
Hi guys! Quick post to tell you that updates were made! It should be easier to run it on other Linux platforms, plus some stuff here and there.
As stated in the "message of the day" feature, I'm dropping urlsnarf since I didn't get much positive feedback about it.
With that said, if you guys really want something that'll show the browsed websites, I can do it just like I showed you two posts before this one. Tell me what you'd like!
Cheers!
Re: Script for sniffing traffic.
Quote:
Originally Posted by comaX
Hi guys! Quick post to tell you that updates were made! It should be easier to run it on other Linux platforms, plus some stuff here and there.
As stated in the "message of the day" feature, I'm dropping urlsnarf since I didn't get much positive feedback about it.
With that said, if you guys really want something that'll show the browsed websites, I can do it just like I showed you two posts before this one. Tell me what you'd like!
Cheers!
It may be a problem with my script, but when I launch it like I always do, by typing yamas in the terminal, I get "No update available Script is installed", yet the message of the day changes to the urlsnarf thing. I'm assuming that's not normal...
Also, you may want to add a -u option to the script, because when I only want to update, not run it, I still have to go through the whole rigmarole of setting options and cleaning up. -u would be so much more convenient. Thanks.
Re: Script for sniffing traffic.
Noted for the -u option, I'll work on that!
With that said, I myself have to update the same way you guys do. And when I just need to update it, I wait for the message to be displayed and then Ctrl+C.
But yeah, an update option would be better :)
And yeahp, it's normal that the message of the day changes without an update. It's curled from my website on launch. You can deactivate that with the silent mode (-s).
Re: Script for sniffing traffic.
Quote:
Originally Posted by comaX
Noted for the -u option, I'll work on that!
With that said, I myself have to update the same way you guys do. And when I just need to update it, I wait for the message to be displayed and then Ctrl+C.
But yeah, an update option would be better :)
And yeahp, it's normal that the message of the day changes without an update. It's curled from my website on launch. You can deactivate that with the silent mode (-s).
I get the message, that's fine. What I meant was: I got the NEW message, but NOT the NEW script...
Isn't it supposed to update?... I'm still using the last revision, and it says no update is available. Feb 2.
Re: Script for sniffing traffic.
Ouch... I must have **** up somewhere along the way. I'll look into it, thanks for reporting!
Re: Script for sniffing traffic.
Of course I report. I love this tool, I want the newest version. :)
That being said, I'm not clear on the syntax to use fakessl. I see the option to add the favicon, I see the option to use ettercap, but where do I add in the fake SSL? Perhaps, if -e has been selected, you could make that one of the additional options: use sslstrip for most, but for some websites/browsers, allow for fakessl?