Thread: Can't parse sslstrip logs

  1. #1
    Good friend of the forums comaX's Avatar
    Join Date
    Feb 2010
    Location
    Paris, France
    Posts
    338

    Question Can't parse sslstrip logs

    Hi everyone !

    About a week ago I started writing a script to automate mitm attacks. So far I've been doing great, always finding the answers I wanted... But this time, this is beyond my abilities it seems, and I require your help, please.

    In short, I would like to display credentials user-friendly after the attack is successful. I first used grep with some strings to search for, then tried to narrow it down as much as I could but it seems like I can't go any further in parsing the log files.

    I tried grep, sed, cut and awk, combined them together but I really can't figure it out. I still could scrub down a 94204 lines file to a 5 line output, but it still has some junk around it.

    I wish I could give you the command I am currently using, but unfortunately, when I try and post it, the forums will 404 on me and ban me for half an hour... Anyway, you can find it in my script's source, here. I will try and update this post with it if I ever succeed. I must warn you, the command is ugly as f*** but it does the job !

    EDIT : Here's the (I think best) command I could come up with. (edited for readability)

    Code:
    cat $filename.txt  | awk -F "&" '!/GET/ && !/header/ && !/^[0-9]/ && !/</ && /[PpEeUuLlCc_][A-Za-z]*=[A-Za-z0-9.%_-]*/ {if (NF >= 2) print NR, "   ", NF, "   ", $0 }' | grep -i --color  "STRING1=[A-Za-z0-9.%]*\|STRING2=[A-Za-z0-9.%]*\|STRING3=[A-Za-z0-9.%]*"
    As you would have guessed, I can retrieve every desired result, but since the position of the interesting fields always changes I can't use '{print $1}', for instance...

    I found only one bash script that could parse sslstrip logs, but it's not my own, I don't understand it at all and it's not very efficient ("easy-creds v3.1" ; I don't mean to diminish this script's value at all, it did what eludes me, but still, I'm not satisfied with it : it uses "definition" files, which are incomplete and which I can't edit without messing it all up). As for a Python parser, for instance, well, it doesn't fit since I want it to be a single bash script...

    In a nutshell, would you please help me write a parser for sslstrip ? I literally lost sleep over it for two days.


    And let this be clear; my intentions are for pure knowledge and help to the community.

    Thanks in advance for any suggestion !

    TL;DR : bash sslstrip parser anyone, please ?

    Ps to mods : If you feel like this should be in "expert forums", please move it
    (Well, I doubt that, but who knows ?!)
    Last edited by comaX; 02-10-2011 at 02:19 AM. Reason: added command

  2. #2
    Very good friend of the forum hhmatt's Avatar
    Join Date
    Jan 2010
    Posts
    660

    Default Re: Can't parse sslstrip logs

    What "junk" remains after filtering it?

    Pastebinning the command you're using should work.

  3. #3
    Good friend of the forums comaX's Avatar
    Join Date
    Feb 2010
    Location
    Paris, France
    Posts
    338

    Default Re: Can't parse sslstrip logs

    I edited my post with the command, and it can be seen in context with the link I provided. Let me reboot on Backtrack and I'll paste my "final output" so that you know what junk I'm talking about.

    Edit : I tried to post it but the forum 404'd on me again. So here's the pastebin with the final output. http://pastebin.com/Za2qx0tL
    Last edited by comaX; 02-10-2011 at 01:12 AM.

  4. #4
    Very good friend of the forum hhmatt's Avatar
    Join Date
    Jan 2010
    Posts
    660

    Default Re: Can't parse sslstrip logs

    I see.

    You might want to research the "look" command. It can be used with a custom dictionary and that may help you to find keywords such as login or username and push those into a file.

    If I remember correctly there was another script that did something similar (search the forums or Google for sslstrip/mitm) and it may give some hints to help you further parse the output.

  5. #5
    Good friend of the forums comaX's Avatar
    Join Date
    Feb 2010
    Location
    Paris, France
    Posts
    338

    Default Re: Can't parse sslstrip logs

    For the other script I think I know what you are talking about. Was this sslparse or something, from "twobitsandabyte" (http://site.twobitsandabyte.com/SSLParse_6BK5.html) ? If yes, it no longer exists and I couldn't find it elsewhere... I'll keep digging the forums, maybe I missed something.

    About the "look" command, I don't see what your idea is, could you be more precise ? In what way is it different from grep "^string" file ? Since I already have all the needed lines, how can that help parsing those lines ?

    Anyway, thanks for your hints. I'll keep digging and report back if I succeed (or fail...)

  6. #6
    Developer
    Join Date
    Mar 2007
    Posts
    6,124

    Default Re: Can't parse sslstrip logs

    Easy Creds was written by a friend of mine and of all the "MITM Scripts" there are I have found it works the best, however, I understand wanting to learn, and a bash script for auto wifi cracking or MITM seems to be step one for most people. My suggestion would be to go ahead and abandon bash right now and pick up perl, python or ruby. In the long run those are going to be much more valuable to you. I use bash often but it's more a language for quick and dirty hacks, admin tasks and cronjobs. There are much better parsers and libs already included in the higher level scripting languages.

  7. #7
    Good friend of the forums comaX's Avatar
    Join Date
    Feb 2010
    Location
    Paris, France
    Posts
    338

    Default Re: Can't parse sslstrip logs

    Quote Originally Posted by purehate
    Easy Creds was written by a friend of mine and of all the "MITM Scripts" there are I have found it works the best, however, I understand wanting to learn, and a bash script for auto wifi cracking or MITM seems to be step one for most people. My suggestion would be to go ahead and abandon bash right now and pick up perl, python or ruby. In the long run those are going to be much more valuable to you. I use bash often but it's more a language for quick and dirty hacks, admin tasks and cronjobs. There are much better parsers and libs already included in the higher level scripting languages.
    I totally agree with you and for me the only downside of easy-creds was the parsing of the file. The rest is just great.
    As you said, I'm just beginning, hence the bash language for mitm, but I'll try and learn one of the languages you mentioned as soon as I feel I'm ready for it. Thanks for the hints !

    About the parsing, I have now got rid of most of the junk and I think it's user friendly enough to stay the way it is. I'll edit this post with the current command in case people were interested in it.

    Thanks for the answers !

  8. #8
    Very good friend of the forum killadaninja's Avatar
    Join Date
    Oct 2007
    Location
    London, United Kingdom.
    Posts
    526

    Default Re: Can't parse sslstrip logs

    Unsure if I am understanding you completely, but when piping back and forth etc., Python would be a much smarter road to take.....
    ANYWAY this code
    Code:
    grep -oP '(?<=&pwd=)[^&]*(?=&)'
    would grep any value between "&pwd=" and "&".

    Let's take a look at the example below; the echo'd line is actually from your output.
    Code:
    echo 'blah blah blah loads of junk &pwd=PASSWORD&'| grep -oP '(?<=&pwd=)[^&]*(?=&)'
    If you were to write the above code in bash, only the word "PASSWORD" would be displayed.
    The string "&pwd=" only appears once in your final output so my above grep code would suffice.

    Hope I helped and did not misunderstand what you were asking.

    PS I may have made a mistake, (highly unlikely), as I didn't test the code out.
    Last edited by killadaninja; 02-11-2011 at 07:19 PM.
    Sometimes I try to fit a 16-character string into an 8–byte space, on purpose.

  9. #9
    Good friend of the forums comaX's Avatar
    Join Date
    Feb 2010
    Location
    Paris, France
    Posts
    338

    Default Re: Can't parse sslstrip logs

    I'll be damned if that was this simple ! I'll try it right away. Meanwhile, my final command that outputs like this :
    Login = LOGIN
    Password = PASSWORD

    Etc.

    Code:
    cat $1  |
    awk -F "&" '!/GET/ && !/if/ && !/header/ && !/^[0-9]/ && !/</ && /[PpEeUuLlCc_][A-Za-z]*=[A-Za-z0-9.%_-]*/ {if (NF >= 2) print $0}' |
    awk -F "&" '{for(i=1;i<=NF;i++) print $i }' |
    egrep -a "credstring1|credstring2|..." |
    awk -F "=" '{if (length($2) < 3) print "\b"; else if ($1 ~/[Pp]/) print "Password = " $2"\n"; else print "Login =", $2}'
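
A way to get the field-order independence the pipelines in posts #8 and #9 are after, added here as an example and not code from the thread or any of its posters: each body line is split on "&", login-like and password-like field names are picked out wherever they sit (the name lists are an assumption), and the password value is masked, which is what you want when the goal is to find which applications still submit credentials in the clear rather than to collect them. The sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: scan a log of URL-encoded form
# bodies (one per line, as sslstrip records them) for credential fields no
# matter where they sit in the body, and report them with the secret masked.
# The field names treated as login/secret are an assumption.

# write_sample <file>: constructed sample lines in the shape of an sslstrip log
write_sample() {
    cat > "$1" <<'EOF'
2011-02-10 01:12:33,118 SECURE POST Data (www.example.com):
POST /login HTTP/1.1
Host: www.example.com
csrf=ab12&username=alice%40example.com&password=s3cret&remember=1
GET /img/logo.png HTTP/1.1
lang=en&theme=dark
Pwd=hunter2&Login=bob&next=%2Fhome
<html><body>not a form</body></html>
EOF
}

# report_creds <file>: prints "line N: <login field> <secret field, masked>"
# for every body line that carries a secret field.
report_creds() {
    file=$1; n=0
    while IFS= read -r line; do
        n=$((n + 1))
        login=""; secret=""
        # skip request lines, headers, timestamps and HTML; keep only bodies
        case "$line" in
            GET\ *|POST\ *|*": "*|[0-9]*|*"<"*) continue ;;
        esac
        # split on '&' (set -f keeps the pieces from being glob-expanded)
        old_ifs=$IFS; IFS='&'; set -f; set -- $line; set +f; IFS=$old_ifs
        for field in "$@"; do
            case "$field" in *=*) ;; *) continue ;; esac   # not a key=value pair
            key=${field%%=*}; val=${field#*=}
            key_lc=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
            case "$key_lc" in
                user|username|login|email|uid) login="$key=$val" ;;
                pass|password|passwd|pwd|secret|pin)
                    # mask the secret: knowing it was sent in the clear is enough
                    [ -n "$val" ] && secret="$key=$(printf '%s' "$val" | sed 's/./*/g')" ;;
            esac
        done
        if [ -n "$secret" ]; then
            printf 'line %d: %s %s\n' "$n" "${login:-login=?}" "$secret"
        fi
    done < "$file"
    return 0
}

# demo on the constructed sample
tmp=$(mktemp); write_sample "$tmp"; report_creds "$tmp"; rm -f "$tmp"
```

Values are left URL-encoded (alice%40example.com), so decode the login field separately if you need it readable.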

  10. #10
    Just burned his ISO
    Join Date
    Apr 2011
    Posts
    15

    Default Re: Can't parse sslstrip logs

    I'm really interested in your script, but I can't get it to work. I'm still new to backtrack as a whole and I don't understand how exactly this should be run (the script from your last post). Tried creating it in a file and running it with bash/sh but neither worked, it just opens a blank line.
