Replay pcap file and use sslstrip

[creepykrawler]

I have not experimented with this yet, but has anyone tried to replay a pcap file with tcpreplay or airtun-ng through loopback or other and redirect to sslstrip? Thanks!

Perhaps just a change in the iptables:

iptables -t nat -A OUTPUT -p tcp --destination-port 80 -j REDIRECT --to-port <listenPort>
from
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listenPort>

I guess I have something to play with tomorrow.

[Gitsnik]

Perhaps just a change in the iptables:

iptables -t nat -A OUTPUT -p tcp --destination-port 80 -j REDIRECT --to-port <listenPort>
from
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listenPort>

I guess I have something to play with tomorrow.

Off the top of my head I'd suggest it's not going to work - a capture file will continue to replay with non-stripped packets each time, which kind of defeats what I think you are trying to do.

The name of the tool has escaped me (stupid non-operational vm system makes it hard to check), but there are tools available to crack SSL if you have the start of the keystream - the part where the user first connected.

By all means though, check it out, I'd be extremely interested if it actually worked.

[Lucifer]

I been wondering the same thing, replaying captured packets through sslstrip an ettercap, but I'm not sure if that would work..? please let me know what the result was.

thanks, .L

[100%digital]

Replaying your .cap via sslstrip will not work. SSLstrip requires the client to be passed a certificate that you've rooted (you know the private key, in the keypair)...

This is interesting regarding the comments of ssl decryption, so long as you have the initial key/pki negotiation... older versions of ethereal/wireshark had options for ssl traffic decryption, as opposed to the "rsa key list", and "debug" file. Does anyone have information/tools they'd like to share with respect to "off-line" ssl decryptions?

best,

J

[dustyboner]

Try ssldump