I have no idea what I'm doing wrong here. Everyone else on the internet seems to get this thing to work first try no problem, but I've been at this thing for two nights now, followed dozens of subtly different directions, and the end result is always the same: Gmail, facebook, etc. still have the HTTPS links intact and sslstrip log files are empty which proves that nothing was captured.
The commands I use are all taken directly from the sslstrip website:
echo 1 > /proc/sys/net/ipv4/ip_forward (for the record I've tried the variants where you put the 1 in "" and '')
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000 (also tried 8080)
python sslstrip.py -w filenamehere.log (also tried it with the -a and -k commands, and -l 8080 when I used 8080 as the redirect port; I've also done it where I ran the setup.py file first)
arpspoof -i wlan0 -t 192.168.1.2 192.168.1.1 (also tried it without a target, and tried every single address I found on my network with no results; and yes, I'm sure wlan0 is my wireless adapter and that 192.168.1.1 is the router address since that's listed as the gateway when I do a route command, and it's the address I have to type in to get to the router administration page)
I've tried using my own machine as the victim machine and my phone (hooked up via wifi). In both cases every SSL page I visited still had SSL.
Tell me how you are browsing the page from which you want to sniff credentials. Do you type the address directly in the address bar like https://site.com ?
Back|track giving machine guns to monkeys since 2007 !
Do not read the Wiki, most your questions will not be answered there !
Do not take a look at the: Forum Rules !
No, I type in the index page and browse to the login from there. So for example, if I want to log in to gmail I'll type in "gmail.com". If I want to go to facebook I'll type in "facebook.com". Both redirect to the https:// address.
When you type gmail.com, your browser connects to http://gmail.com:80 and you then get redirected to https://gmail.com:443
That's where sslstrip comes into the big picture. You write: iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
You don't write iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 10000
So try and write gmail.com, facebook.com, paypal.com etc. Just don't manually write https :-)
edit:
to clear things up - sslstrip listens on port 80 and when there's a redirect to https on port 443, it will strip the ssl...
If you want to learn more about ssl-strip and how it works etc., there's a nice video from Blackhat 2009 with Moxie Marlinspike (the author of ssl-strip), telling a lot about his script.
look under Randomized Videos
http://teh-geek.com/?page_id=475
Last edited by M00kaw; 07-06-2011 at 01:48 PM.
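The mechanism M00kaw describes (the browser's first hop to :80 is plaintext, and the redirect to :443 is the step that gets rewritten) is also what a site owner can check from the defending side. The following is an added example by the editor, not code from this thread or from sslstrip: it scores a redirect chain against the two things that close that gap, an HTTP-to-HTTPS redirect and an HSTS header (RFC 6797) on the HTTPS response. The Hop model, the sample chains and the 180-day max-age threshold are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed model of one hop: the URL requested and the response it got.
@dataclass
class Hop:
    url: str
    status: int
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), None)

def hsts_max_age(value: Optional[str]) -> int:
    """max-age from a Strict-Transport-Security value; 0 if missing or unparseable."""
    m = re.search(r'max-age\s*=\s*"?(\d+)', value or "", re.IGNORECASE)
    return int(m.group(1)) if m else 0

def assess_chain(chain: List[Hop], min_max_age: int = 15552000) -> List[str]:
    """Findings for a redirect chain that starts with the plaintext request.
    Empty list: the first hop redirects to https://, no later hop falls back to
    plaintext, and the final HTTPS response carries HSTS (RFC 6797)."""
    findings = []
    first = chain[0]
    if first.url.startswith("http://"):
        loc = (first.header("Location") or "").lower()
        if first.status not in (301, 302, 303, 307, 308) or not loc.startswith("https://"):
            findings.append("plaintext hop does not redirect to https://")
        if first.header("Strict-Transport-Security"):
            findings.append("HSTS sent over plaintext is ignored by browsers (RFC 6797 s8.1)")
    for hop in chain[1:]:
        if hop.url.startswith("http://"):
            findings.append(f"chain drops back to plaintext at {hop.url}")
    last = chain[-1]
    if last.url.startswith("https://"):
        age = hsts_max_age(last.header("Strict-Transport-Security"))
        if age == 0:
            findings.append("final https response has no Strict-Transport-Security")
        elif age < min_max_age:
            findings.append(f"HSTS max-age {age} is shorter than {min_max_age}")
    return findings

# Constructed sample chains, not captured traffic.
WEAK = [Hop("http://example.test/", 302, {"Location": "https://example.test/"}),
        Hop("https://example.test/", 200, {"Content-Type": "text/html"})]
SOUND = [Hop("http://example.test/", 301, {"Location": "https://example.test/"}),
         Hop("https://example.test/", 200,
             {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})]
```

The WEAK chain is the shape the thread discusses: the redirect is there, but nothing tells a returning browser to skip the plaintext hop next time.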
So I do write gmail.com, facebook.com, etc. without the http(s)://www. bit, and they always redirect to the SSL pages. And as you can see in my original post, I do have iptables redirecting port 80 traffic, not port 443 traffic, so that's not the problem either.
Have you installed sslstrip correctly ?
I'm using the liveUSB version of BT5 so I would assume sslstrip is installed correctly unless there's a problem with the way it was installed by default in BT5. I actually tried running it two ways too. First was running "python sslstrip.py". The second was running "python setup.py" in the sslstrip directory so that I didn't have to use "python sslstrip.py" each time.
Code:
cd /pentest/web/sslstrip/
python setup.py install
sslstrip -h
So I tried this on another network I have access to and now SSLstrip does successfully strip SSL encryption from webpages. It also does successfully capture usernames/passwords. So now I'm curious as to what was so special about the other network that made it immune to sslstrip...
Unfortunately, however, I have a new problem. Once I try to submit a username/password combo on, say, gmail, SSLstrip spits out a flood of errors and takes the whole network down with it.