Why has this site been so screwy lately? Mods please delete...
@ComaX If the FakeSSL is active, all packets forwarded THROUGH you would be decrypted. Also, people clicking through the warnings happens way more often than is comforting.
@khaos What browser are you using? Some browsers (Chrome...) do not allow non-ssl connections to certain sites.
World Domination is such an ugly phrase. I prefer the term World Optimization.
Last edited by ShadowMaster; 11-27-2011 at 01:16 AM. Reason: SERIOUSLY!!!!?!??!?!?!
What did you type in to get to the site?
Maybe I have not understood how sslstrip works. I think that sslstrip removes the SSL and the site will be http://gmail.com, not giving a fake SSL certificate to the victim (as Cain & Abel does). So what do I have wrong?
If you typed https://... then sslstrip can't do anything. Now if you only typed "gmail.com", then refer to ShadowMaster's post: indeed Chrome will kinda force you to the secured version.
That's a damn shame for "standard users"... But anyway, it does mean that both sslstrip and SSL dissecting can't be run at the same time, right? Again, I'm only assuming since I haven't had the chance to test it myself yet.
Running both KDE and GNOME BT5 flawlessly. Thank you !
I don't know why you would want both to run at the same time. If you get all unencrypted traffic saved, why bother stripping? And even if for some reason you would want the two running, why would they not be able to run concurrently? SSLStrip will take gmail.com and return http. SSL spoofing will (should? maybe test this out?) take https gmail.com and, with the acceptance of the user, return all unencrypted traffic to you. The user still should see HTTPS gmail. Refer to the SE toolkit for similar attacks. The Pentesting with Metasploit book clearly shows a user with https getting all his traffic read.
Incidentally, on the other side of the fence, check this out. Any help would be greatly appreciated. http://www.backtrack-linux.org/forum...ad.php?t=46564
Last edited by ShadowMaster; 11-27-2011 at 03:21 AM.
World Domination is such an ugly phrase. I prefer the term World Optimization.
In lines 413 & 422 you have hardcoded "wlan0".
Is it right?
I'll check, but if it's the case, it surely is yet again another dev mistake, forgot to replace my interface with the variable... Thanks for reporting!
You were right, it's now fixed!
Last edited by comaX; 11-29-2011 at 10:26 PM.
Running both KDE and GNOME BT5 flawlessly. Thank you !
With script running, sites load much much slower. Is it "normal"?
Also, I can't log in to Drupal-based sites (e.g. drupal.org), but I can log in to Joomla ones. Does it have to do with sslstrip or something else?
Hmm, I used Chrome. So OK. But I have a question: if our victim goes directly to https://gmail.com (e.g. he types https://) and we set the rule in iptables to get 443 --> port of sslstrip... can we sslstrip the victim? Because port 80 is only for HTTP requests. Why do we use that port and not 443? Thanks
Because a request to https is made through port 80, while in standard navigation. But if the request is made through port 443, it's already too late.
As the name sslstrip indicates, it strips the s from https.
I hope that answers the question, if not, tell and I'll try to be more precise.
Running both KDE and GNOME BT5 flawlessly. Thank you !
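The browser behaviour mentioned earlier in the thread (Chrome refusing the plain-HTTP version of some sites) is what a site gets from HSTS, the server-side control that stops the https-to-http downgrade discussed above once the browser has seen the policy (and on the first visit too, if the host is preloaded). As an added example, not code from this thread or from any tool named in it, the Python below parses a Strict-Transport-Security header and rates the policy; the sample header values are constructed.

```python
"""Rate a Strict-Transport-Security (HSTS) header value."""
import re

ONE_YEAR = 365 * 24 * 3600  # seconds; the commonly recommended minimum max-age


def parse_hsts(header):
    """Return a dict of lower-cased directives, or None if the header is
    missing or carries no valid max-age (a policy without max-age is ignored
    by browsers)."""
    if not header:
        return None
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return None
    directives["max-age"] = int(max_age)
    return directives


def assess_hsts(header):
    """Return (protected, findings). protected is True only when max-age is
    at least one year and includeSubDomains is present; findings lists the
    weaknesses found, including a missing preload (first visit downgradable)."""
    d = parse_hsts(header)
    if d is None:
        return False, ["no valid Strict-Transport-Security header"]
    findings = []
    if d["max-age"] == 0:
        findings.append("max-age=0 clears the policy")
    elif d["max-age"] < ONE_YEAR:
        findings.append("max-age below one year")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing")
    if "preload" not in d:
        findings.append("not preloaded: first visit still downgradable")
    protected = d["max-age"] >= ONE_YEAR and "includesubdomains" in d
    return protected, findings


# Constructed sample header values, not taken from any real site.
SAMPLES = {
    "strong": "max-age=31536000; includeSubDomains; preload",
    "weak": "max-age=3600",
    "absent": None,
}
```

Running `assess_hsts` over `SAMPLES` shows that only the "strong" policy would make a browser refuse the stripped http:// version of the site.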
I understood. Thanks for the help. Do you know if the problems with ettercap+sslstrip are fixed?