Hi everyone !
About a week ago I started writing a script to automate mitm attacks. So far I've been doing great, always finding the answers I wanted... But this time, this is beyond my abilities it seems, and I require your help, please.
In short, I would like to display credentials user-friendly after the attack is successful. I first used grep with some strings to search for, then tried to narrow it down as much as I could but it seems like I can't go any further in parsing the log files.
I tried grep, sed, cut and awk, combined them together but I really can't figure it out. I still could scrub down a 94204 lines file to a 5 line output, but it still has some junk around it.
I wish I could give you the command I am currently using, but unfortunately, when I try and post it, the forums 404 on me and ban me for half an hour... Anyway, you can find it in my script's source, here. I will try and update this post with it if I ever succeed. I must warn you, the command is ugly as f*** but it does the job !
EDIT : Here's the (I think best) command I could come up with. (edited for readability)
As you would have guessed, I can retrieve every desired result, but since the position of the interesting fields always changes I can't use '{print $1}', for instance...
Code:
awk -F "&" '!/GET/ && !/header/ && !/^[0-9]/ && !/</ && /[PpEeUuLlCc_][A-Za-z]*=[A-Za-z0-9.%_-]*/ {if (NF >= 2) print NR, " ", NF, " ", $0 }' "$filename.txt" | grep -i --color "STRING1=[A-Za-z0-9.%]*\|STRING2=[A-Za-z0-9.%]*\|STRING3=[A-Za-z0-9.%]*"
I found only one bash script that could parse sslstrip logs, but it's not my own, I don't understand it at all and it's not very efficient ("easy-creds v3.1" ; I don't mean to diminish this script's value at all, it did what eludes me, but still, I'm not satisfied with it : it uses "definition" files, which are incomplete and which I can't edit without messing it all up). As for a Python parser, for instance, well it doesn't fit since I want it to be a single bash script...
In a nutshell, would you please help me write a parser for sslstrip ? I literally lost sleep over it for two days.
And let this be clear; my intentions are for pure knowledge and help to the community.
Thanks in advance for any suggestion !
TL;DR : bash sslstrip parser anyone, please ?
Ps to mods : If you feel like this should be in "expert forums", please move it
(Well, I doubt that, but who knows ?!)
Last edited by comaX; 02-10-2011 at 02:19 AM. Reason: added command
What "junk" remains after filtering it?
Pastebin the command you're using should work.
I edited my post with the command, and it can be seen in context with the link I provided. Let me reboot on Backtrack and I'll paste my "final output" so that you know what junk I'm talking about.
Edit : I tried to post it but the forum 404'd on me again. So here's the pastebin with the final output. http://pastebin.com/Za2qx0tL
Last edited by comaX; 02-10-2011 at 01:12 AM.
I see.
You might want to research the command look. It can be used with a custom dictionary and that may help you to find keywords such as login or username and push those into a file.
If I remember correctly there was another script that did something similar(search forums or google for sslstrip/mitm) and it may give some hints to help you further parse the output.
For the other script I think I know what you are talking about. Was this sslparse or something, from "twobitsandabyte" (http://site.twobitsandabyte.com/SSLParse_6BK5.html) ? If yes, it no longer exists and I couldn't find it elsewhere... I'll keep digging the forums, maybe I missed something.
About the look command I don't see what is your idea, could you be more precise ? In what way is it different from grep "^string" file ? Since I already have all the needed lines, how can that help parsing those lines ?
Anyway, thanks for your hints. I'll keep digging and report back if I succeed (or fail...)
Easy Creds was written by a friend of mine and of all the "MITM Scripts" there are I have found it works the best, however, I understand wanting to learn and a bash script for auto wifi cracking or MITM seems to be step one for most people. My suggestion would be to go ahead and abandon bash right now and pick up perl, python or ruby. In the long run those are going to be much more valuable to you. I use bash often but it's more a language for quick and dirty hacks, admin tasks and cronjobs. There are much better parsers and libs already included in the higher level scripting languages.
I totally agree with you and for me the only downside of easy-creds was the parsing of the file. The rest is just great.
As you said, I'm just beginning, hence the bash language for mitm, but I'll try and learn one of the languages you mentioned as soon as I feel I'm ready for it. Thanks for the hints !
About the parsing, I have now got rid of most of the junk and I think it's user friendly enough to stay the way it is. I'll edit this post with the current command in case people were interested in it.
Thanks for the answers !
Unsure If I am understanding you completely, but when piping back and forth etc, Python would be a much smarter road to take.....
ANYWAY this code would grep any value between "&pwd=" and "&".
Code:
grep -oP '(?<=&pwd=)[^&]*(?=&)'
Let's take a look at the example below; the echo'd line is actually from your output.
If you were to write the above code in bash, only the word "PASSWORD" would be displayed.
Code:
echo 'blah blah blah loads of junk &pwd=PASSWORD&' | grep -oP '(?<=&pwd=)[^&]*(?=&)'
The string "&pwd=" only appears once in your final output so my above grep code would suffice.
Hope I helped and did not misunderstand what you were asking.
PS I may have made a mistake, (highly unlikely), as I didn't test the code out.
Last edited by killadaninja; 02-11-2011 at 07:19 PM.
Sometimes I try to fit a 16-character string into an 8–byte space, on purpose.
I'll be damned if that was this simple ! I'll try it right away. Meanwhile, my final command that outputs like this :
Login = LOGIN
Password = PASSWORD
Etc.
Code:
awk -F "&" '!/GET/ && !/if/ && !/header/ && !/^[0-9]/ && !/</ && /[PpEeUuLlCc_][A-Za-z]*=[A-Za-z0-9.%_-]*/ {if (NF >= 2) print $0}' "$1" |
  awk -F "&" '{for (i = 1; i <= NF; i++) print $i}' |
  egrep -a "credstring1|credstring2|..." |
  awk -F "=" '{if (length($2) < 3) print "\b"; else if ($1 ~ /[Pp]/) print "Password = " $2 "\n"; else print "Login =", $2}'
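Added example, not from this thread, comaX's script or easy-creds: the position problem in the awk commands above (and the single-field lookbehind grep in killadaninja's post) goes away if each body line is split on "&" and every pair is examined by its key instead of its column. The function below does that in awk from a bash wrapper, over a constructed sample log. The "POST Data (host):" header format and the list of credential-looking field names are assumptions. It is written from the auditing side: it reports which host and which form field carried a credential over plain HTTP, with only the redacted length of the value, so the output can be handed to the site owner as a finding rather than kept as a list of secrets.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Find credential-bearing fields in
# URL-encoded key=value request bodies regardless of field position, and
# print host, field name and redacted value length for each one.

# Constructed sample log, loosely modelled on sslstrip-style output.
# The header line format and the field names are assumptions.
SAMPLE_LOG='2011-02-10 01:02:03,456 POST Data (www.example.test):
user=alice&pwd=s3cret&remember=1
2011-02-10 01:02:05,001 GET /index.html HTTP/1.1
2011-02-10 01:02:07,789 POST Data (shop.example.test):
item=42&qty=1&email=bob%40example.test&password=hunter2
2011-02-10 01:02:09,000 POST Data (login.example.test):
login=carol&pass=&csrf=abc'

# report_plaintext_creds: read log text on stdin; for every body line that is a
# chain of key=value pairs, print "host<TAB>field<TAB><redacted:N>" for each
# pair whose key looks like a login or password field. Values are never printed.
report_plaintext_creds() {
  awk '
    # remember the host named in the most recent "POST Data (host):" header
    /POST Data \(/ { sub(/.*POST Data \(/, ""); sub(/\).*/, ""); host = $0; next }

    # only body lines: key=value pairs joined by "&" and nothing else
    /^[A-Za-z0-9._%-]+=[^&]*(&[A-Za-z0-9._%-]+=[^&]*)*$/ {
      n = split($0, kv, "&")
      for (i = 1; i <= n; i++) {
        eq  = index(kv[i], "=")
        key = substr(kv[i], 1, eq - 1)
        val = substr(kv[i], eq + 1)
        # credential-like field names (assumed list), matched case-insensitively
        if (tolower(key) ~ /^(user(name)?|login|email|pass(word|wd)?|pwd)$/) {
          printf "%s\t%s\t%s\n", host, key,
                 (length(val) ? "<redacted:" length(val) ">" : "<empty>")
        }
      }
    }
  '
}

# Usage: run the report over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | report_plaintext_creds
```

Each line of the output names one field that was submitted in the clear; an `<empty>` entry shows a login form that was posted without a password, which is still worth fixing since the form itself is served over HTTP. Because the lookup is by key, the same function works whether the password field is the first, second or fifth pair in the body.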
I'm really interested in your script, but I can't get it to work. I'm still new to backtrack as a whole and I don't understand how exactly this should be run (the script from your last post). Tried creating it in a file and running it with bash/sh but neither worked, it just opens a blank line!