Page 2 of 2 (Results 11 to 18 of 18)

Thread: sslsniff or sslstrip & transparent Squid3

#11 Gitsnik (Very good friend of the forum; joined Jan 2010; location: The Crystal Wind; 851 posts)

    Ignoring the uid iptables thing (I haven't gotten to testing it, so I won't comment on it yet).

You have to think of the redirections in two parts (you are thinking of it as one). Your first proxy is sniffing port 80 traffic. Your second proxy is sniffing port 443 traffic.

    You already have transparent sslstrip, so you need to strip out the non-ssl stuff (split your iptables into two commands rather than the multiport) and do it something like thus:

    client-to-prt80 -->redirect[squid:3128]-->(and-so-on)
    client-to-prt443 -->redirect[sslstrip:10000]-->(and-so-on)

    There is no reason to run port 80 traffic through sslstrip.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

#12 Nick_the_Greek (Senior Member; joined Jan 2010; location: Greece; 181 posts)

    Hi Gitsnik,
I split the traffic in 2: 80 to squid and 443 to sslstrip. Now I can access any http page, but I can't access any https page because sslstrip complains (I can't blame it) about Bad request syntax:
192.168.2.130 - - [02/Oct/2009 00:03:02] code 400, message Bad request syntax ('\x16\x03\x01\x00A\x01\x00\x00=\x03\x01J\xc5\x19\x16\x17Y\xed\xba\xda\x88e\xc0\xb5\xf4\x8dOw\x98\xdbA\xf5\x9e\x02\xb1]\xc6\x1d\xb2\x91"\x10\x92\x00\x00\x16\x00\x04\x00\x05\x00')
192.168.2.130 - - [02/Oct/2009 00:03:02] "A=J�Y��ڈe���Ow��A��]ʲ�"�" 400 -
192.168.2.130 - - [02/Oct/2009 00:03:14] code 400, message Bad request syntax ('\x16\x03\x01\x00a\x01\x00\x00]\x03\x01J\xc5\x19"\xc9\x12\x8f\x97h\xb1\xce\x9a\x1f$\xcdH\'\xfc\xb8P$\x0cX\xbe\xad\xb1\x92\x04t0\xc9\x8d \x82\x1a\x00\x00\xbbc\xbb\xe3{c\xa1\r\x95\xcb+\x10\xd5.6t\x90t\x01w\x011wx\xa0a\xb1v\x00\x16\x00\x04\x00\
You know, maybe you are misunderstanding the fact that sslstrip doesn't establish any ssl connection with clients. So, it can't read any ssl requests from clients at port 443. (Sslsniff does that with \0. or *\x00 certificates.) It does as it says. It strips out ssl "from" and "to" the clients. But it can communicate with servers over ssl. Or maybe I'm misunderstanding the whole thing.

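Editor's note, an added example that is not part of the thread or of sslstrip itself: the bytes in the two "Bad request syntax" lines above are TLS records, not HTTP. 0x16 is the handshake content type, 0x03 0x01 is TLS 1.0, the next two bytes are the record length (0x41 = 65 and 0x61 = 97), then 0x01 marks a ClientHello with a three-byte length (0x3d = 61 and 0x5d = 93, each exactly 4 bytes less than its record). A plaintext HTTP listener reads that as a request line and rejects it. The code below parses that header, classifies what a redirected client sent first, emulates the request-line check of Python's BaseHTTPServer (whose send_error output the logged format matches; that the port 10000 listener is such a server is an assumption drawn from the log format), and shows which redirect each flow belongs to. The sample ClientHello is constructed, with the same layout and lengths as the first logged record; the cipher-suite list beyond 0x0004, 0x0005 and the random bytes are made up.

```python
"""Why a TLS ClientHello redirected into a plaintext HTTP listener yields '400 Bad request syntax'.

Added example: not from the thread, not from sslstrip.  Sample data is constructed.
"""
import struct

TLS_HANDSHAKE_RECORD = 0x16     # record content type: handshake
HANDSHAKE_CLIENT_HELLO = 0x01   # handshake message type: ClientHello
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"TRACE ", b"CONNECT ")

# Header transcribed from the second logged record above: record length 0x61, handshake length 0x5d.
LOGGED_HEADER = b"\x16\x03\x01\x00a\x01\x00\x00]\x03\x01"


def parse_client_hello(data):
    """Return a dict describing a TLS ClientHello's record and handshake header, or None.

    Layout: record type (1) | record version (2) | record length (2) |
            handshake type (1) | handshake length (3) | client version (2) | random (32) | ...
    """
    if len(data) < 11 or data[0] != TLS_HANDSHAKE_RECORD:
        return None
    record_version, record_length = struct.unpack("!HH", data[1:5])
    if record_version not in TLS_VERSIONS:
        return None
    handshake_type = data[5]
    handshake_length = int.from_bytes(data[6:9], "big")
    # The record holds the whole ClientHello (lengths match) or only its first fragment
    # (handshake longer than record); a handshake shorter than its record is not a ClientHello.
    if handshake_type != HANDSHAKE_CLIENT_HELLO or handshake_length + 4 < record_length:
        return None
    (client_version,) = struct.unpack("!H", data[9:11])
    return {
        "record_version": TLS_VERSIONS[record_version],
        "record_length": record_length,
        "handshake_length": handshake_length,
        "client_version": TLS_VERSIONS.get(client_version, "0x%04x" % client_version),
    }


def classify_first_bytes(data):
    """Label the first bytes a client sent: TLS ClientHello, plaintext HTTP request, or unknown."""
    if parse_client_hello(data) is not None:
        return "tls-clienthello"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def plaintext_proxy_verdict(data):
    """Emulate BaseHTTPServer's request-line check: read one line, split on whitespace,
    accept 'METHOD PATH' or 'METHOD PATH VERSION', otherwise 400 Bad request syntax."""
    request_line = data.split(b"\n", 1)[0]
    words = request_line.split()
    if len(words) in (2, 3):
        return 200, "request line accepted: %r" % (words[0],)
    return 400, "Bad request syntax (%r)" % (request_line,)


def build_client_hello(cipher_suites, client_version=0x0301, random_bytes=b"\x4a" * 32):
    """Constructed ClientHello: version, 32-byte random, empty session id, cipher suites,
    null compression, no extensions (the layout of the first logged record)."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", client_version) + random_bytes
            + b"\x00"                                    # session id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                               # one compression method: null
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE_RECORD]) + struct.pack("!HH", 0x0301, len(handshake)) + handshake


# Eleven suites with no whitespace bytes give record length 65 and handshake length 61, as logged.
# Only 0x0004 and 0x0005 are visible in the log; the other nine are made up.
SAMPLE_CLIENT_HELLO = build_client_hello([0x0004, 0x0005, 0x002F, 0x0035, 0x0033, 0x0039,
                                          0x0032, 0x0038, 0x0016, 0x0013, 0x00FF])
SAMPLE_HTTP_REQUEST = b"GET /login HTTP/1.1\r\nHost: www.example.com\r\n\r\n"   # constructed


def routing_decision(dst_port, data):
    """Plaintext HTTP belongs on the sslstrip listener.  A ClientHello (what arrives on 443) must
    not be DNATed to a plaintext listener; leave it alone or give it to a TLS-terminating
    interceptor, which is a separate tool and a separate problem."""
    kind = classify_first_bytes(data)
    if kind == "http":
        return "redirect to sslstrip listener"
    if kind == "tls-clienthello":
        return "do not redirect to sslstrip (port %d carries TLS)" % dst_port
    return "leave untouched"


if __name__ == "__main__":
    for port, flow in ((443, SAMPLE_CLIENT_HELLO), (80, SAMPLE_HTTP_REQUEST)):
        print(port, classify_first_bytes(flow), parse_client_hello(flow))
        print("   proxy says:", plaintext_proxy_verdict(flow)[0], "->", routing_decision(port, flow))
```

Run as a script to see the 443 flow classified as a ClientHello and rejected with 400 while the port 80 request is accepted; on a live box the same check can be applied to the first segment of any flow your iptables rules redirect, to catch a rule that sends TLS to a plaintext proxy.
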
#13 Gitsnik (Very good friend of the forum; joined Jan 2010; location: The Crystal Wind; 851 posts)

Quote (originally posted by Nick_the_Greek):
    You know, maybe you are misunderstanding the fact that sslstrip doesn't establish any ssl connection with clients.
    Nope, you're right, I was thinking of sslsniff and saying sslstrip the entire time. Wow, now that you've pointed it out it's so glaringly obvious that I was doing that.

    Proxychains sslstrip, configure the conf file to connect to squid, configure port redirection to intercept port 80 traffic for sslstrip.

    Apologies for the confusion.

    I also had to edit this twice to remove instances of sslsniff when I meant to say sslstrip. Go figure.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

#14 Nick_the_Greek (Senior Member; joined Jan 2010; location: Greece; 181 posts)

My project is working!!!

Quote (originally posted by Gitsnik): Apologies for the confusion.
No worries Gitsnik. We are humans. And to make your day I can inform you that I finally got it working now.
Proxychains sslstrip, proxychains.conf pointing at squid, and iptables 80 (clients) to 10000 (sslstrip). I got some minor problems, but in general I have a transparent proxied, sslstripped wlan based on a fake AP, with very good speeds I must say. Credits go to you. In a few days it will be finished and posted.
Have a nice day.
BTW, have you ever tried sslsniff (not sslstrip) with positive results? It would be a good idea to make a dual-mode wlan (sslstripped or sslsniffed).

#15 yeehawjared (Junior Member; joined Jan 2010; 55 posts)

Quote (originally posted by Nick_the_Greek): based on a fake AP with very good speeds
Interested to try myself. Arp poisoning is just waaaay too slow, as are other software FakeAP methods.

    You mind posting a quick howto with your final solution? I've played with both sslstrip and sslsniff. Sniff is very cool, no cert warnings whatsoever. Moxie's presentation at blackhat explaining it is well done too.

    I found it somewhere on securitytube.net. Good work, looking forward to a quick / easy write up! Thanks!

#16 Nick_the_Greek (Senior Member; joined Jan 2010; location: Greece; 181 posts)

Quote (originally posted by yeehawjared): You mind posting a quick howto with your final solution? I've played with both sslstrip and sslsniff. Sniff is very cool, no cert warnings whatsoever. Moxie's presentation at blackhat explaining it is well done too.
I hope my script will be posted by this weekend. This is a very busy week for me. About 99% is finished. I will do some further testing and then I will post it. For your information, arpspoof is not needed to use sslstrip. All you have to do is forward the traffic coming from clients to sslstrip. Let's say you are running sslstrip at 192.168.0.1 on port 10000, you are broadcasting through mon0 with airbase-ng, and you are connected to the internet through eth0. You have to add these rules:
    Code:
    iptables -t nat -A PREROUTING -i mon0 -p tcp -m tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.168.0.1:10000
    iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp -m multiport --dports 80,443 -j REDIRECT --to-ports 10000
About sslsniff, I can't get it to work at all. Maybe I will need some help from you. When I am running it, I am getting all the time:
1253998787 DEBUG sslsniff : Read error: asio.misc:2
Don't know what the hell that is, but I hope I will solve it.
As for high data speed, I am getting high data rates only when I install the madwifi-ng drivers (revision 4073), in master mode and even in monitor mode + airbase-ng. With ath5k, data rates are extremely slow.
    Anyway. Please be patient until this weekend.
    Nick

#17 Nick_the_Greek (Senior Member; joined Jan 2010; location: Greece; 181 posts)

#18 [username not captured] (Just burned his ISO; joined Jan 2010; 14 posts)

Why do you want to do all that?

Isn't sslstrip enough for you to decrypt the ssl?
