Jump to content

Does SSL Stripping still work?


YetAnotherAnon

Recommended Posts

Hello everyone. I'm new here. I watch the Youtube channel from time to time and I decided to get an account with the forums due to how recent SSL threads were on this board. I'm still a bit new to this. Most of my knowledge comes from a series of tutorials but it's starting to come together. Anyways, Google isn't turning up answers for my concern but then I remember that a lot of the threads I was reading were outdated. To my understanding, SSL strip used to work but the invention of HSTS prevented that. Yet things like "Bettercap and SSLStrip2 should work"-Forum posters: 1 year ago. Keep in mind I do not own a Pineapple. What I do have is two computers hardwired to a Belkin N300 router. One of them is the attacker and the other is the target.

 

Since a year has past I'm not sure if these techniques still work. I have tried sslstrip2 and bettercap, but each time I try to strip my windows 8.1 target machine, I keep getting the classic 404. It says http:// can not be found so at least I know the attacker is actively TRYING to do it's job. Are these outdated methods that no longer work or am I just doing it wrong? I feel that I can't be THAT far off since I'm getting the same results with both Bettercap and sslstrip2. My target computer is running an older Core 2 Quad and an older motherboard so it might just be too slow. But even then i doubt it since it's not THAT slow. Any suggestions?

 

If I am doing it wrong, then here is what I am working with

 

Machine(Attacker) 192.168.2.6

>Windows 10 (Latest)

>Virtual Box Version: 5.1.0r108711 running Kali 2016.1

>Hardwired ethernet to onboard port. set to Bridge mode in virtual box

>Using dns2proxy

>using sslstrip2

Machine(Target)  192.168.2.5

>Windows 8.1

>Logging into my personal Facebook with Internet Explorer

>Logging into my personal Facebook with Google Chrome

>Hardwired ethernet to onboard port.

Router: Belkin N300 192.168.2.1

>Generic setup. Inly change I made was using Google's DNS

 

Steps Taken for sslstrip2

> wrote 1 to ip_forward. cat'd the file to ensure that it wrote.

>flushed IP tables

>flushed ip tables with -t nat

>redirected TCP traffic from port 80 to 8080

>redirected udp traffic from port 53 to port 53

>Ran iptables -t nat -L PREROUTING TCP and UDP have the source and destination set to "anywhere" so it should work... right?

>Have 5 terminal tabs open.

>One for running dns2proxy.py

>One for running sslstrip with -a

>One for running arpspoof -i eth0 -t 192.168.2.5 192.168.2.1

>One for running arpspoof -i eth0 -t 192.168.2.1 192.168.2.5

>One for tailing the sslstrip.log file

>attempted to log into facebook, gmail, xfinity, and yahoo with IE, chrome and firefox. All of them return 404.

 

Steps Taken for Bettercap

> wrote 1 to ip_forward. cat'd the file to ensure that it wrote.

>flushed IP tables

>flushed ip tables with -t nat

>redirected TCP traffic from port 80 to 8080

>ran Bettercap. Same results as when I was running sslstrip2

Link to comment
Share on other sites

The problem with sslstrip (any of them) is that browsers these days are being equipped with a pre-populated list of hosts that the browser must only connect to via HTTPS. This is a problem because even sslstrip2 relies on the first attempt to connect being via http.

Read this

Using bettercap the idea is that you *somehow* get the user to access the wrong url for which bettercap will produce the correct url but while being in the middle and while using either http or https but in case of https producing its own certificate which is valid for this specific domain. Like IinkedIn.com (notice that the first character is a capital i instead of the expected l). If the user ends up going to the correct url by its own accord there's nothing you can do.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...