Thread: sslsniff or sslstrip & transparent Squid3

  1. #1 Nick_the_Greek (Senior Member, Greece, joined Jan 2010, 181 posts)

    sslsniff or sslstrip & transparent Squid3

    Hi everybody.
    I set up a soft-AP based WLAN at home with an Atheros based card (master mode) - dhcpd3 - transparent Squid3, and I am getting reports with SARG. I have read about squid-in-the-middle attacks (Features/SslBump - Squid Web Proxy Wiki) and I am trying to do something similar with sslsniff or sslstrip. So,
    Case 1. When I run sslsniff without any proxy running and I only redirect port 443 to sslsniff's port 10000, all looks fine.
    Code:
    arpspoof -i .....
    iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 10000
    sslsniff Targeted Mode...
    sslsniff -t -s 10000 -w ssl.log -m IPSCACLASEA1.crt -c /root/sslsniff-0.6/certs
    My browser (IE) still complains about certificates; I think this is due to a Microsoft fix, but this is not a problem for me.
    Case 2. In this case I redirect port 80 traffic to 3128 (where squid3 is running in transparent mode) and port 443 to 10000.
    Code:
    iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
    iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
    iptables -t nat -A PREROUTING -i ath0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.129:3128
    iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
    iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 10000
    Output from sslsniff:
    Code:
    1253998761 INFO sslsniff : Added OCSP URL: xxxx.xxx.XX
    1253998761 INFO sslsniff : Certificate Ready: xxxx CLASEA1 Certification Authority/emailAddress=xxxxx@xxxxx.xxx
    1253998761 INFO sslsniff : Added OCSP URL: ocsp.ipsca.com
    1253998761 INFO sslsniff : Certificate Ready: *
    1253998787 DEBUG sslsniff : Read error: asio.misc:2
    1253998788 DEBUG sslsniff : Read error: asio.misc:2
    1253998789 DEBUG sslsniff : Read error: asio.misc:2
    1253998789 DEBUG sslsniff : Read error: asio.misc:2
    I think squid3 can't handle any SSL traffic, it just forwards it to the destination server. Right?
    In this case sslsniff can't read the forwarded packets from Squid? In a few words, what I am trying to do is:
    client's browser:80-->squid3:3128-->sslsniff:10000-->internet
    Maybe what I am trying to do is wrong, so any suggestions are welcome. Another question is whether I can do the above with sslstrip.
    client:80-->squid3:3128-->sslstrip:10000-->Internet
    or
    client:80-->sslstrip:10000-->squid3:3128-->Internet?
    Is there a way to do the above, or am I just losing my time?
    Until now I get no results with (sslstrip or sslsniff) and squid 3, and can't find any information similar to this. BTW it is very cool to have a transparent proxied WLAN.
    Thank you.

  2. #2 Gitsnik (Very good friend of the forum, The Crystal Wind, joined Jan 2010, 851 posts)

    Squid has no transparent-SSL capabilities, so anything you do has to be on the inside before you bounce to it - it can handle SSL just fine (and sarg will report on it) if the client manually connects to it.

    Side note, have you played with the upside down ternet from parrot?

    Are you trying to sniff what is inside the SSL, or do you just want to log it? It doesn't really matter, squid can be a client to a proxy as well (it can be upstream from sslstrip just fine). Make use of some simple proxy tools to chain it together: client:443 -> sslstrip -> chain -> squid -> internet. I don't recall if sslstrip will permit setting an upstream proxy, but you could just set that if necessary.

    Recap: Transparent SSL doesn't work with squid, and normally you have to get enterprise equipment to sit and MiTM the SSL chain with valid, locally signed certs. There are simpler solutions (ettercap and such) but all require a CA installed on the client, which I presume is not what you are trying to get at here.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  3. #3 Nick_the_Greek (Senior Member, Greece, joined Jan 2010, 181 posts)

    Hi, Gitsnik.
    Thank you for your quick reply. I believe it's a matter of time (with a little help from you guys) to find the solution. Can you suggest a free Linux proxy chain tool? As a matter of fact I am working the iptables way, which I believe is the solution. Something similar to this:
    [all variants] 8.04 with Transparent Proxy - Ubuntu Forums
    The problem is that I must figure out *who* is sending the packets.
    Make use of some simple proxy tools to chain it together: client:443 -> sslstrip -> chain -> squid -> internet.
    sslstrip doesn't listen on port 80? So, the above will be:
    client:80 -> sslstrip:10000 -> chain -> squid:3128 -> internet?
    Are you trying to sniff what is inside the SSL, or do you just want to log it?
    Basically, I am trying both, but if I can't do that, logging will be just fine.
    Side note, have you played with the upside down ternet from parrot?
    Just did. My wife said that she will speak to me again tomorrow morning. She is upset with me. This is very funny.
    If I get any results, I will report back.
    Thank you
    Nick

  4. #4 Gitsnik (Very good friend of the forum, The Crystal Wind, joined Jan 2010, 851 posts)

    I had a massive post written here, but my cache lost out on me, which is probably an alright idea as I had a thought while I was putting an axe through my hard drive. This is entirely untested, so it could be wrong.

    * Use iptables prerouting to intercept BOTH port 80 and port 443, send them both to the squid port.
    * Use iptables postrouting to intercept outgoing 443 traffic and send it to sslstrip.
    * iptables ACCEPT outgoing from the user that sslstrip is running under to port 443 (yes, unless something very recent has changed, iptables can do policy based on local user/ident).

    Be mean to your wife tomorrow - set her up with the blurry-net and just leave it on a light setting - a slight blur will not look too suspect and you could just do it to her computer like the screen was going.

  5. #5 Nick_the_Greek (Senior Member, Greece, joined Jan 2010, 181 posts)

    Gitsnik, you are my hero.
    I got it working!!!!
    Transparent squid3 and sslstrip. Your suggestions are close enough to the solution. The trick is to get port 80 and 443 traffic from the client and forward it to sslstrip port 10000. Then sslstrip sends the data, encrypted or not, to squid3 and squid3 to the inet. Something like this:
    client 80:443-->sslstrip:10000-->squid3:3128-->Inet
    So an encrypted packet can travel without problems. When the response to an SSL packet arrives from the inet..
    inet:https-->squid3:https-->sslstrip:https-->client:http.
    Here are the iptables: (squid and sslstrip are running on 192.168.2.129 and I am connecting to the internet through ppp0, $INETIP=the dynamic IP that I am receiving from my ISP.)
    * Use iptables prerouting to intercept BOTH port 80 and port 443, send them both to the squid port.
    Code:
    iptables --table nat --append PREROUTING -i ppp0 -p tcp -m tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.168.2.129:10000
    Not to squid but to sslstrip
    * Use iptables postrouting to intercept outgoing 443 traffic and send it to sslstrip.
    Code:
    iptables -t nat -A POSTROUTING -d $INETIP -p tcp -m tcp -m multiport --dports 80,443 -j SNAT --to-source 192.168.2.129:3128
    POSTROUTING to intercept outgoing 443 and 80 traffic to squid3:3128
    * iptables ACCEPT outgoing from the user that sslstrip is running under to port 443
    Code:
    iptables -t nat -A OUTPUT -p tcp --dport 443 -m owner --uid-owner root -j ACCEPT
    Not needed and I am getting an error:
    Code:
    iptables: No chain/target/match by that name
    The last rule that is needed is to redirect traffic from internet back to squid3:3128
    Code:
    iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
    This is it. No arpspoof, nothing. My client has access to the internet (http & https), squid3 caches http, https traffic is sniffed by sslstrip and I am getting reports with sarg. I am SO happy now.
    Here is the full list of my iptables:
    Code:
    # Generated by iptables-save v1.4.0 on Tue Sep 29 00:26:18 2009
    *nat
    :PREROUTING ACCEPT [371:45329]
    :POSTROUTING ACCEPT [127:8758]
    :OUTPUT ACCEPT [1126:69316]
    -A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination xxx.xxx.xxx.xxx 
    -A PREROUTING -i ath0 -p tcp -m tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.168.2.129:10000 
    -A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 
    -A POSTROUTING -o ppp0 -j MASQUERADE 
    -A POSTROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp -m tcp -m multiport --dports 80,443 -j SNAT --to-source 192.168.2.129:3128 
    COMMIT
    # Completed on Tue Sep 29 00:26:18 2009
    # Generated by iptables-save v1.4.0 on Tue Sep 29 00:26:18 2009
    *filter
    :INPUT ACCEPT [3911:2424675]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [3786:1058052]
    -A FORWARD -i ath0 -j ACCEPT 
    COMMIT
    # Completed on Tue Sep 29 00:26:18 2009
    You showed me the way and I follow the path, my friend Gitsnik. I will do some testing in these days (got to work for a living and my work is not computer related) and I will share my script here.
    Thank you again.
    (Sorry for my English)
    Nick
    PS My wife believes that she needs to see an oculist.
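    The nat dump posted above is also exactly what an administrator or incident responder would inspect to find out whether a gateway is quietly diverting client traffic. The following is an added example, not code from the thread or from the sslstrip/squid projects: it parses `iptables-save` output and lists every nat PREROUTING rule that redirects client web (TCP 80/443) or DNS (UDP 53) traffic to a local port or another host, which is the footprint a transparent proxy or a proxy chained with a stripping tool leaves on a router. The sample dump is constructed after the one in the post; 203.0.113.1 is a documentation-range placeholder standing in for the masked addresses.

```python
"""Audit an iptables-save dump for transparent interception rules (added example)."""
import shlex

# Constructed sample modeled on the nat/filter dump posted in the thread.
# 203.0.113.1 is a placeholder for the masked "xxx.xxx.xxx.xxx" addresses.
SAMPLE_DUMP = """\
# Generated by iptables-save v1.4.0 (constructed sample)
*nat
:PREROUTING ACCEPT [371:45329]
:POSTROUTING ACCEPT [127:8758]
:OUTPUT ACCEPT [1126:69316]
-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination 203.0.113.1
-A PREROUTING -i ath0 -p tcp -m tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.168.2.129:10000
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -d 203.0.113.1/32 -p tcp -m tcp -m multiport --dports 80,443 -j SNAT --to-source 192.168.2.129:3128
COMMIT
*filter
:INPUT ACCEPT [3911:2424675]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3786:1058052]
-A FORWARD -i ath0 -j ACCEPT
COMMIT
"""

# Ports whose interception on a gateway means client traffic is being
# diverted into a proxy (web) or to a resolver of the gateway's choosing (dns).
INTERCEPT_PORTS = {"tcp": {80: "web", 443: "web"}, "udp": {53: "dns"}}

# Options taking one argument that we record, and ones we merely step over.
_VALUE_OPTS = {"-p": "proto", "-i": "in_iface", "-j": "target",
               "--to-ports": "to", "--to-destination": "to"}
_SKIP_OPTS = {"-m", "-s", "-d", "-o", "--to-source", "--sport", "--sports"}


def parse_rule(line):
    """Parse one '-A CHAIN ...' line from iptables-save; None for non-rules."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    rule = {"chain": tokens[1], "proto": None, "in_iface": None,
            "ports": [], "target": None, "to": None}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "--dport":
            rule["ports"].append(int(nxt))
            i += 2
        elif tok == "--dports":  # -m multiport comma-separated list
            rule["ports"].extend(int(p) for p in nxt.split(","))
            i += 2
        elif tok in _VALUE_OPTS:
            rule[_VALUE_OPTS[tok]] = nxt
            i += 2
        elif tok in _SKIP_OPTS:
            i += 2
        else:  # bare flags such as "!" carry no value
            i += 1
    return rule


def find_interception(dump):
    """Return nat PREROUTING REDIRECT/DNAT rules that divert web or DNS ports."""
    table, findings = None, []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ":")) or line == "COMMIT":
            continue
        if line.startswith("*"):  # table header, e.g. "*nat"
            table = line[1:]
            continue
        if table != "nat":
            continue
        rule = parse_rule(line)
        if (rule is None or rule["chain"] != "PREROUTING"
                or rule["target"] not in ("REDIRECT", "DNAT")):
            continue
        kinds = INTERCEPT_PORTS.get(rule["proto"], {})
        hit = [p for p in rule["ports"] if p in kinds]
        if hit:
            findings.append({"kind": kinds[hit[0]], "proto": rule["proto"],
                             "in_iface": rule["in_iface"] or "any", "ports": hit,
                             "target": rule["target"], "to": rule["to"],
                             "rule": line})
    return findings


def report(dump):
    """One human-readable line per finding."""
    return ["{kind}: {proto} {ports} in on {in_iface} -> {target} {to}".format(**f)
            for f in find_interception(dump)]


if __name__ == "__main__":
    for entry in report(SAMPLE_DUMP):
        print(entry)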

  6. #6
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default

    Quote Originally Posted by Nick_the_Greek View Post
    Gitsnik, you are my hero.
    I got it working!!!!
    Transparent squid3 and sslstrip. Your suggestions are close enough to the solution.
    This is where I go all mysterious and claim I knew the answer all along In reality I just had a fairly good idea of how I did it. Look forward to seeing the scripts.

    Just don't send your wife to Aus ok? I have enough people wanting to throw things at me over here for my blurrynet
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  7. #7
    Junior Member
    Join Date
    Jan 2010
    Posts
    55

    Default

    great work nick... now I need to digest what you did and try to replicate on my backtrack box at home.

    Any way you can lay out a quick howto with clear steps? If I get it working on my end I'll post it myself. Thanks!

  8. #8
    Senior Member Nick_the_Greek's Avatar
    Join Date
    Jan 2010
    Location
    Greece
    Posts
    181

    Default Working at 50%

    Well, after testing I found out that it's working at 50%. I only got transparent sslstrip. I believed that it's working because I was previously (before running sslstrip) running transparent squid and access.log has data. Forgot to clear it up.Traffic doesn't go through squid...
    clients-->sslstrip-->inet. or clients-->squid-->inet
    My iptables rules are wrong and I need some help (again) here.
    I need to do (I think):
    clients:80&443-->sslstrip:10000-->forward-->squid3:3128-->inet and then
    inet:80&443-->squid3:3128-->forward-->sslstrip-->clients.Right? Since I am a self learning person and my knowledge is very limited any help are welcome.
    Here are my Iptables:
    $IFACE=internet interface
    $INETIP=Internet IP
    $ATFACE=Wireless card interface
    squid and sslstrip are running at 192.168.2.129 at ports 3128 & 10000
    Code:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables --table nat --append POSTROUTING --out-interface $IFACE -j MASQUERADE
    iptables --append FORWARD --in-interface $ATFACE -j ACCEPT
    iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to $INETIP
    iptables --table nat --append PREROUTING -i $ATFACE -p tcp -m tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.168.2.129:10000
    iptables -t nat -A POSTROUTING -d $INETIP -p tcp -m tcp -m multiport --dports 80,443 -j SNAT --to-source 192.168.2.129:3128
    iptables -t nat -A PREROUTING -i $IFACE -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
    * iptables ACCEPT outgoing from the user that sslstrip is running under to port 443 (yes, unless something very recent has changed, iptables can do policy based on local user/ident).
    Every time I try to do a policy based on local user/ident I am getting :
    iptables -t nat -A OUTPUT -p tcp --dport 443 -m owner --uid-owner root -j ACCEPT
    iptables: No chain/target/match by that name
    or iptables -t nat -A OUTPUT -p tcp --dport 443 -m owner --uid-owner squid -j ACCEPT
    Bad OWNER UID value `squid'
    And I believe that Gitsnik is right. I must do a policy based on user/ident, so I am not getting into a loop.
    @yeehawjared
    When I finish it I will post it here.
    Thanks
    Nick
    PS Also when I manually configure clients to use squid3 I have access to http pages and when try to connect to a secure page sslstrip complains that it can't be read headers or bad request, can't remember, which is telling me that it receives encrypted data from squid.(I think again)

  9. #9
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default

    If it were me, I would not be redirecting port 80 traffic to sslstrip first - I would be sending it via squid, that is to say: straight to squid.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  10. #10
    Senior Member Nick_the_Greek's Avatar
    Join Date
    Jan 2010
    Location
    Greece
    Posts
    181

    Default

    Quote Originally Posted by Gitsnik View Post
    If it were me, I would not be redirecting port 80 traffic to sslstrip first - I would be sending it via squid, that is to say: straight to squid.
    Gitsnik my friend thank you for "wasting" your time with me.You know the prob is that if (I did it allready) I redirect port 80 to squid and then squid to sslstrip the answer from a ssl page to squid (passing through sslstrip) will be plain text, not encrypted. Sslstrip listens at port 80, not to 443. Sslstrip communicates with clients with http only and with targeted servers with http or https. If we have a ssl connection, sslstrip communicates with the server normally but it sends to the clients clear text. I figure it out how to do which is something like this:
    So, I must (A)
    (source)clients:80,443 FRWD to (destination)sslstrip:10000 then
    (source)sslstrip:10000 FRWD (destination)squid3:3128 and
    (source)squid3:3128 to (destination)inet
    (B)
    Now,when the answer arrives we have to do:
    (source)inet-->(destination)squid3:3128
    (source)squid3:3128 FRWD (destination)sslstrip:10000 then
    (source)sslstrip:10000 FRWD to (destination)clients
    But what we got here? A loop? Both sslstrip and squid are running in the same box.So in case (A) we send 10000 to 3128 and in case (B) 3128 to 10000. Now, all I have to do is a policy based on user/ident, (as you already mentioned) so to let only sslstrip sends data from 10000 to 3128 and squid from 3128 to 10000,BUT I CANT. Dont know why,yet. UID or PID can't getting to work with iptables. According to some sites people miss a couple iptables modules while configuring the kernel. But My kernel is intact. Haven't recompiled or upgrade.As matter a fact I run it in non persistent mode now. In lib/iptables I see..
    libipt_owner.so
    libipt_policy.so
    libip6t_owner.so
    Do I need more reading?
    You can try your self with no rules in iptables type:
    Code:
    iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT
    You will get iptables:
    No chain/target/match by that name
    I am so confused. So now THE question is:
    How can I use iptables --uid or --pid in BT4PF?
    PS.Any conclusions in this threat may be wrong,so any correction are welcome.

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •