I certainly agree with you but you'll find urlsnarf information in sslstrip's logs... So it doesn't bring anything new, imo.
It's always interesting to demonstrate that an attacker can study your browsing habits and use that knowledge to exploit a computer/steal passwords (dns poisoning/phishing/etc...).
All right, thanks, I thought you mentioned it for yamas, not as general knowledge. But it makes more sense this way and it sure seems to be a nice tool! I'll try to have a go at it when I've figured out how to launch it.
Xplico is an interesting (and powerful) tool. It's best run on a dump (live capture mode is not as useful). It's easiest used through its web GUI, so I agree it wouldn't integrate well with yamas - just mentioned it while we were discussing image extraction.
Running both KDE and GNOME BT5 flawlessly. Thank you !
Sslstrip logs contain pretty much everything that happens on the network. You'll get a load of crap, headers, requests, etc. In urlsnarf, you only get the requests, like GET. So it's a little more readable than sslstrip logs, but to obtain the same result the parsing would be easy.
urlsnarf :
192.168.1.3 - - [23/Jul/2008:15:41:52 -0700] "GET http://suggestqueries.google.com/com...=en-US&q=sguil HTTP/1.1" - - "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1"
sslstrip :
Ok, sslstrip logs are more verbose, but if you do something like cat sslstrip.log | grep "Resolved host successfully:", you should get the browsed websites...
2011-11-17 15:27:50,528 Resolved host successfully: clients2.google.com -> 209.85.147.113
2011-11-17 15:27:50,529 Sending request via HTTP...
2011-11-17 15:27:50,573 HTTP connection made.
2011-11-17 15:27:50,573 Sending Request: GET /service/update2/crx?
2011-11-17 15:27:50,574 Sending header: accept-charset : windows-1252,utf-8;q=0.7,*;q=0.3
2011-11-17 15:27:50,574 Sending header: connection : keep-alive
2011-11-17 15:27:50,574 Sending header: accept-language : fr,en-US;q=0.8,en;q=0.6
2011-11-17 15:27:50,574 Sending header: host : clients2.google.com
2011-11-17 15:27:50,574 Sending header: user-agent : Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Example on one of my logs with egrep -i -a -e "Resolved host successfully:" /root/sslstrip.log
And it wouldn't be too hard to keep only certain columns with awk or cut...
2011-11-17 15:27:22,486 Resolved host successfully: safebrowsing.clients.google.com -> 173.194.67.101
2011-11-17 15:27:22,731 Resolved host successfully: safebrowsing-cache.google.com -> 209.85.227.139
2011-11-17 15:27:26,931 Resolved host successfully: whos.amung.us -> 67.202.94.93
2011-11-17 15:27:28,606 Resolved host successfully: www.facebook.com -> 69.171.242.14
2011-11-17 15:27:31,875 Resolved host successfully: 0-74.channel.facebook.com -> 66.220.145.41
2011-11-17 15:27:47,956 Resolved host successfully: whos.amung.us -> 67.202.94.93
Last edited by comaX; 02-12-2012 at 08:24 AM.
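The grep/awk pipeline described in the post above, written out as an added example that is not part of this thread or of yamas: it reads an sslstrip log, keeps only the "Resolved host successfully:" lines and summarises them per host. The same pass is what you would run when reviewing such a log after an incident, to see which hosts a victim's browser was steered through. The sample log is embedded so the script runs offline; its lines are the ones quoted in the thread plus a few constructed noise lines, and the column positions (time in field 2, host in field 6, IP in field 8) are assumed from that format.

```shell
#!/bin/sh
# Added example, not from the yamas project or the thread's authors.
# Assumed sslstrip log format for resolution lines:
#   <date> <time>,<ms> Resolved host successfully: <host> -> <ip>

# Sample log, constructed from the excerpts posted in this thread, with a few
# "Sending ..." noise lines mixed in so the filtering step has something to drop.
SAMPLE_LOG='2011-11-17 15:27:22,486 Resolved host successfully: safebrowsing.clients.google.com -> 173.194.67.101
2011-11-17 15:27:22,731 Resolved host successfully: safebrowsing-cache.google.com -> 209.85.227.139
2011-11-17 15:27:26,931 Resolved host successfully: whos.amung.us -> 67.202.94.93
2011-11-17 15:27:28,606 Resolved host successfully: www.facebook.com -> 69.171.242.14
2011-11-17 15:27:28,700 Sending request via HTTP...
2011-11-17 15:27:28,701 Sending header: host : www.facebook.com
2011-11-17 15:27:31,875 Resolved host successfully: 0-74.channel.facebook.com -> 66.220.145.41
2011-11-17 15:27:47,956 Resolved host successfully: whos.amung.us -> 67.202.94.93'

# Print "time host ip" for every resolution line read from stdin.
# -a treats the file as text even if sslstrip wrote binary junk into it.
browsed_hosts() {
    grep -a 'Resolved host successfully:' | awk '{ print $2, $6, $8 }'
}

# Print each distinct host once with the number of times it was resolved,
# most-resolved first (numeric sort on the count, then alphabetic on the host).
host_summary() {
    grep -a 'Resolved host successfully:' \
        | awk '{ count[$6]++ } END { for (h in count) print count[h], h }' \
        | sort -k1,1nr -k2,2
}

# Number of distinct hosts seen, as a plain integer.
distinct_host_count() {
    host_summary | awk 'END { print NR }'
}

# Stand-alone usage: summarise the embedded sample. Replace the printf with
# "cat /root/sslstrip.log" (the path used in the thread) to run it on a real log.
printf '%s\n' "$SAMPLE_LOG" | host_summary
```

The summary view is usually the one worth keeping: the raw per-line output repeats the same host for every background request (safe browsing updates, chat channels), while the counted list shows at a glance which sites were actually visited and how often.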
Making Xplico run on BackTrack 5 is a real pain in the ass. When I wanted to try it, after losing some hours in vain, I just downloaded the VM from Xplico's website.
Hi guys! Quick post to tell you there were updates made! It should be easier to run it on other Linux platforms, and some stuff here and there.
As stated in the "message of the day" feature, I'm dropping urlsnarf since I didn't get much positive feedback about it.
With that said, if you guys really want something that'll show the browsed websites, I can do it just like I showed you two posts before this one. Tell me what you'd like !
Cheers !
It may be a prob with my script, but when I launch it like I always do, by typing yamas in the terminal, I get "No update available Script is installed", but the message of the day changes to the urlsnarf thing. I'm assuming that's not normal...
Also, you may want to add a -u feature in the script, because when I only want to update, not run it, I still have to go through the whole rigmarole of setting options and cleaning up. -u would be so much more convenient. Thanks.
Last edited by ShadowMaster; 02-15-2012 at 01:09 PM.
World Domination is such an ugly phrase. I prefer the term World Optimization.
Noted for the -u option, I'll work on that!
With that said, I myself have to update the same way you guys do. And when I just need to update it, I wait for the message to be displayed and then ctrl+c.
But yeah, an update option would be better.
And yeahp, it's normal that the message of the day changes without an update. It's curled from my website on launch. You can deactivate that with the silent mode (-s).
Ouch... I must have **** up somewhere along the way. I'll look into it, thanks for reporting!
Of course I report. I love this tool, I want the newest version.
That being said, I'm not clear on the syntax to use fakessl. I see the option to add the favicon, I see the option to use ettercap, but where do I add in the fake ssl? Perhaps, if -e has been selected, you could make that one of the additional options: use sslstrip for most, but for some websites/browsers, allow for fakessl?