Hello all, I am using BackTrack 4 R1 and when I did a man-in-the-middle attack using sslstrip against Ubuntu 10.04 LTS, it worked really fine. I logged in to a gmail account from the "victim's" PC and the passwd was there, in the log file.
I noticed that until I gave the terminal sslstrip -l 8080, the "victim" hadn't got access to the net. After giving sslstrip -l 8080 the network was back. Then I logged on into the gmail account and the pass was mine.
Unfortunately, when I tried to do this against a machine running Win XP SP3, the network was gone even when I gave sslstrip -l 8080. The victim had access neither to the network nor to the modem. This means that pinging 192.168.1.1 from the victim PC did nothing. After stopping the attack the log file was empty.
I followed the procedure I did against the Ubuntu machine... What happened?
LoooL
I mean really, do you know what a MITM actually does? Or do you just copy and paste the commands from a tutorial?
Check ip forwarding.
And if you are using arpspoof with sslstrip, did you make the iptables rule?
Back|track giving machine guns to monkeys since 2007 !
Do not read the Wiki, most your questions will not be answered there !
Do not take a look at the: Forum Rules !
Yes, I mainly know what MITM is. And yes, I used arpspoof and I gave the iptables rule!
I firstly read what MITM is and then I followed a tut.
BTW, what tutorial are you following?
Could you please post your exact steps and commands here? And explain the environment a bit?
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
arpspoof -i eth0 -t 192.168.1.4 192.168.1.1
[here network at victim is disabled]
(in new terminal)
sslstrip -l 8080
[here is enabled again]
Hmmm, how about your router? Or switch, it might have some protection. I recommend you do the following:
1. Turn off the victim's firewall
2. Try sniffing using ettercap and see if that works
3. If ettercap simply does not work, try to arp poison only one way.
4. If you have any firewall or stuff like that, turn it off
Last edited by sickness; 08-10-2010 at 12:06 PM.
Knowing how to use wireshark and interpret its network captures would be an invaluable asset in solving such problems. I would start by monitoring the network when things go wrong and when things go right, so at least you would have an idea of what is supposed to work, and when it doesn't you can see which machine isn't responding appropriately.
Hmmmm...
As I remember SSLstrip's default port is 10000 not 8080 so maybe try that.
pureh@te said: Our goal is to be a fearsome pentest distro not a windows replacement OS where we are trying to convert the world to Linux.
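Added example, not part of any post in this thread: the capture comparison suggested above comes down to watching which MAC address each IP is bound to in ARP traffic, which is also how a defender spots this kind of poisoning on a LAN. The sketch parses raw Ethernet/ARP frames and reports any IP that moves to a different MAC; the IPs are the ones from the commands in the thread, while the MAC addresses, frames and function names are constructed for illustration.

```python
import struct

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":      # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):     # Ethernet + IPv4 only
        return None
    sha, spa = frame[22:28], frame[28:32]                   # sender MAC, sender IP
    return op, sha.hex(":"), ".".join(str(b) for b in spa)

def find_rebinds(frames):
    """Flag ARP frames that bind an already-seen IP to a different MAC.

    The first binding seen for an IP is kept as the baseline, so every later
    frame that disagrees with it is reported as (index, ip, known_mac, new_mac).
    """
    seen, alerts = {}, []
    for n, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue                                        # not ARP, ignore
        _op, mac, ip = parsed
        known = seen.setdefault(ip, mac)
        if known != mac:
            alerts.append((n, ip, known, mac))
    return alerts

def build_arp(op, sha, spa, tha, tpa):
    """Build a constructed ARP frame as bytes (sample data only, never sent)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return mac(tha) + mac(sha) + b"\x08\x06" + header + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

# Constructed MAC addresses (assumptions; the thread gives only the IPs).
GW_MAC, HOST_MAC, OTHER_MAC = "00:11:22:33:44:55", "00:aa:bb:cc:dd:04", "00:de:ad:be:ef:99"
SAMPLE = [
    build_arp(2, GW_MAC, "192.168.1.1", HOST_MAC, "192.168.1.4"),     # gateway's real reply
    build_arp(2, HOST_MAC, "192.168.1.4", GW_MAC, "192.168.1.1"),     # host's real reply
    build_arp(2, OTHER_MAC, "192.168.1.1", HOST_MAC, "192.168.1.4"),  # gateway IP, new MAC
    b"\x00" * 12 + b"\x08\x00" + b"\x00" * 28,                        # non-ARP frame, skipped
]

if __name__ == "__main__":
    for index, ip, known, new in find_rebinds(SAMPLE):
        print(f"frame {index}: {ip} moved from {known} to {new}")
```

Running the same check over frames captured while the network works and again while it does not shows whether the gateway's binding changed in between.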
Well, as I said before, this method (with sslstrip) worked against ubuntu 10.04, so it hasn't to do with the router.
Ettercap works but it does not capture passwords from encryption-protected websites (like gmail or facebook) but it does from some un-protected (like some forums) and websites that prompt for passwd (like ftp logins or login at modem at 192.168.1.1).
However the method with sslstrip did capture these passwords from "encrypted" sites.
So ettercap semi-worked.