Thread: sslstrip & ettercap when squid authentication is enabled

  1. #1
    Just burned his ISO
    Join Date
    Apr 2010
    Posts
    3

    sslstrip & ettercap when squid authentication is enabled

    Hello,

    Is it possible to get SSL passwords (Yahoo, Gmail, Hotmail, etc.) when the traffic goes through an authenticated proxy (Squid with NTLM auth)?
    My test network setup:
    victim - 192.168.1.111 (browsing using Squid proxy with authentication)
    attacker - 192.168.1.222 (using BackTrack 4 - ettercap and sslstrip)
    gateway - 192.168.1.254 (L3)
    proxy - 192.168.100.10 (Squid proxy on a different VLAN)
    Access given - only to network
    No access - to servers (so no option of installing sslstrip on Squid)

    Things work fine when it's without a proxy.

    Can I use ettercap and sslstrip to sniff the SSL login username and password even if it's through an (authenticated) proxy?
    Or do I need to use some other proxy man-in-the-middle attack?

    Thank you,
    Johan David.

  2. #2
    Member
    Join Date
    Jan 2010
    Location
    Helsinki, Finland
    Posts
    235

    Re: sslstrip & ettercap when squid authentication is enabled

    You just need to arpspoof and sslstrip. Hak5 has a good episode on sslstrip (Hak5 – Technolust since 2005); it might help you.

  3. #3
    Very good friend of the forum Gitsnik
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Re: sslstrip & ettercap when squid authentication is enabled

    More accurately, sslstrip doesn't particularly care if there is a proxy server or not; you just need to redirect the correct ports in the correct ways.

    Now, as a hint, if you go to the old forum:

    sslstrip behind a proxy server - Remote Exploit Forums (BTW if someone finds that particular thread in the archive please let me know to correct it)

    You will see that sslstrip isn't able to access the internet. Put on your sysadmin hat and figure out why the program "sslstrip" cannot access the internet, and go from there.

    Note: This is speculation with a fairly good idea of how these things work. I haven't had a chance to build a VLAN based system in a while to test this kind of thing on, so I can't know for sure.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  4. #4
    Just burned his ISO
    Join Date
    Apr 2010
    Posts
    3

    Dear all,

    Thanks for the reply.
    As soon as I shut down sslstrip I get the authentication prompt for the Squid proxy and I will be able to browse (but no SSL usernames and passwords).
    From ettercap I am able to get the login ID and password of the proxy authentication, but not beyond that (like browsing any SSL logins - Yahoo, Gmail, etc.).
    Arpspoof is working, since the ARP address of the gateway and the attacker is the same.

    What happens when sslstrip is running is either "page not found" on the victim system or the error below, which I found in the sslstrip log file.

    Exception happened during processing of request from ('192.168.1.111', 2855)
    Traceback (most recent call last):
      File "/usr/lib/python2.5/socketserver.py", line 464, in process_request_thread
        self.finish_request(request, client_address)
      File "/usr/lib/python2.5/socketserver.py", line 254, in finish_request
        self.RequestHandlerClass(request, client_address, self)
      File "/usr/lib/python2.5/socketserver.py", line 522, in __init__
        self.handle()
      File "/usr/lib/python2.5/BaseHTTPServer.py", line 316, in handle
        self.handle_one_request()
      File "/usr/lib/python2.5/BaseHTTPServer.py", line 299, in handle_one_request
        self.raw_requestline = self.rfile.readline()
      File "/usr/lib/python2.5/socket.py", line 381, in readline
        data = self._socket.recv(self._rbufsize)
    error: (104, 'connection reset by peer')


    Kind regards,
    johan davids.

    Dear All,

    PROXY - Man-in-the-middle attack with SSLstrip

    Problems found when the "use proxy" option is set in the browser settings,
    and when the proxy is enabled with authentication.

    1. SSLstrip for some reason was not able to strip HTTPS via proxy.

    2. SSLstrip - No upstream proxy option, so the attacker's system should have direct internet access (HTTP and HTTPS).

    Solution.
    On the attacker's system:
    1. Run Burp proxy on port 8080.
    2. Redirect port 80 traffic to 8080.
    3. Redirect from Burp proxy to SSLstrip (10000).
    4. Options for setups with no direct internet - Burp proxy has upstream proxy redirecting with authentication.

    SSLstrip minimum requirements to work:
    1. Attacker's system has direct internet access.
    2. Victims with no proxy, or a proxy without authentication.

    Kind regards,
    Johan David.
    Last edited by Archangel-Amael; 04-27-2010 at 06:42 PM.
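
Added example (not part of the original thread): post #4 observes that the gateway and the attacker show the same ARP address on the victim, which is the indicator a defender can check for. The Python sketch below parses an `arp -an` style listing and reports when the gateway's MAC is shared with another host or differs from a recorded baseline; the IPs are the ones from the thread, while the MAC addresses, the sample table and all function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `arp -an` output as seen on the victim (192.168.1.111).
SAMPLE_ARP_TABLE = """\
? (192.168.1.254) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.222) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.50) at 00:aa:bb:cc:dd:ee [ether] on eth0
? (192.168.1.60) at <incomplete> on eth0
"""

ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>[0-9A-Fa-f]{1,2}(?:[:-][0-9A-Fa-f]{1,2}){5})\b"
)

def normalize_mac(mac):
    """Lowercase, colon-separated, zero-padded (BSD arp prints 0:1a:...)."""
    return ":".join(p.zfill(2).lower() for p in re.split(r"[:-]", mac))

def parse_arp_table(text):
    """Return {ip: mac} for resolved entries; <incomplete> rows are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = normalize_mac(m.group("mac"))
    return table

def shared_macs(table):
    """Return {mac: [ips]} for every MAC that answers for more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips, key=ipaddress.ip_address)
            for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_findings(table, gateway_ip, baseline_mac=None):
    """List reasons to suspect the gateway's ARP entry has been poisoned."""
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return ["gateway %s has no resolved ARP entry" % gateway_ip]
    findings = []
    if baseline_mac and normalize_mac(baseline_mac) != gw_mac:
        findings.append("gateway %s MAC is %s, baseline is %s"
                        % (gateway_ip, gw_mac, normalize_mac(baseline_mac)))
    others = [ip for ip in shared_macs(table).get(gw_mac, []) if ip != gateway_ip]
    if others:
        findings.append("gateway %s shares MAC %s with %s"
                        % (gateway_ip, gw_mac, ", ".join(others)))
    return findings

if __name__ == "__main__":
    for finding in gateway_findings(parse_arp_table(SAMPLE_ARP_TABLE), "192.168.1.254"):
        print(finding)
```

A shared MAC is not always hostile (a router holding several addresses, or proxy ARP, looks the same), so the baseline comparison against a MAC recorded from a trusted source is the stronger of the two checks.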
