One thing you may have been taught if you are tech savvy is to always use SSL whenever you can. Well, you may be surprised to find out that it isn't quite as secure as you may have hoped. One of the main benefits of using SSL Strip is that all SSL-encrypted usernames/passwords will go through as clear text. To begin, we need a couple of things: at the very least, a copy of BackTrack 4 beta and a copy of SSL Strip. For a more advanced attack, before you begin, follow the MITM attack.

Now that you have all of your tools collected and your attack vector established (either a MITM established or connected to a network with victims), you need to extract the contents of the tar file, which you saved to root, by opening a shell and typing tar xvf sslstrip-0.7.tar.gz. Then, in the shell, cd to the directory you created, which you can find by typing ls. Once there, type kwrite to open the text editor. Then we add the following text and save it as iptable.sh:

# Enable IP forwarding so the host passes traffic through like a router
echo "1" > /proc/sys/net/ipv4/ip_forward
# Redirect incoming TCP port 80 to local port 10000, where sslstrip listens
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

After you save the file, close kwrite, then type chmod 775 iptable.sh to make the file you made executable. The script you made allows your computer to forward specific traffic like a router. Now type ./iptable.sh, then ./sslstrip.py -k -w sslout.txt, to set everything up for our attack and put the output in the sslstrip folder in a file called sslout.txt. Now minimize the shell, letting it run in the background.

At this point, how you started will decide how you choose the victim. If you did not follow the MITM attack and are just on a public network, you need to scan for your victims. To do so, open another shell and type ifconfig ath0 to see what your IP address (inet address) is for your network card ath0. If you use wlan0, replace ath0 with wlan0. Now, to scan for computers, type nmap -sP [ipaddress]/24 where [ipaddress] is the network you are on (if you are 192.168.1.x, use 192.168.1.0). You can select any IP address on the list except for x.x.x.1, which is either your gateway or your router (or both).

If, however, you used the original MITM attack from the other page, log into the router web page; you should be at the sys-info page, which is the default. (If you are not, go to the Status tab and select the Sys-Info sub-tab.) At the bottom of the page, you will see a list of all active wireless clients with MAC addresses and, below that, a list of DHCP clients. All clients listed in the wireless clients table are active, and if you match those to the DHCP addresses issued, you have your list of possible victims.

Once you have your victim selected, type arpspoof -i ath0 -t 192.168.1.101 192.168.1.1 if the victim IP address is 192.168.1.101 and your network is 192.168.1.x, making sure to replace the first three numbers if on a different network (i.e. 192.168.1.1 becomes 10.10.10.1 if your ath0 is 10.10.10.104). To ensure that the arpspoof worked, the output should not contain 0:0:0:0:0:0; if your output begins with two MAC addresses, congrats, you are now doing "ARP poisoning". You may now minimise the shell.

Last but not least, we can view the passwords as they come. To do so, open yet another shell (you should have 3 in total at this point) and type ettercap -Tq -i ath0 -L sslstrip, which will find, capture, and display all passwords in cleartext that go across the network card ath0. Of course, if you use wlan0 instead of ath0, then replace it as needed in the shell. If all is done correctly, you should see the user and pass of any site the victim goes to.
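As an added defender-side example that is not part of the original post: a small Python checker that parses the output of ip neigh (a constructed sample is embedded) and reports the two symptoms a host under the ARP poisoning described above would show, the gateway's MAC address drifting away from a known baseline and a single MAC answering for several IP addresses. The baseline gateway MAC, the interface name and the sample table are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample of `ip neigh show` output as seen from a host on a
# 192.168.1.x network. The gateway (.1) and another host (.104) answer with
# the same MAC, which is what a victim's table looks like while a third
# host is spoofing the gateway. The FAILED row has no lladdr and is skipped.
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.104 dev wlan0 lladdr 00:11:22:33:44:55 STALE
192.168.1.50 dev wlan0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.77 dev wlan0  FAILED
"""

# Assumed baseline: the gateway MAC recorded when the host first joined.
KNOWN_GATEWAY = {"ip": "192.168.1.1", "mac": "de:ad:be:ef:00:01"}

LINE_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17})", re.I)


def parse_neigh(text):
    """Return {ip: mac} from `ip neigh` output; rows without lladdr are ignored."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def find_arp_anomalies(table, known_gateway):
    """Flag gateway MAC drift and any MAC that claims more than one IP."""
    alerts = []
    seen = table.get(known_gateway["ip"])
    if seen and seen != known_gateway["mac"].lower():
        alerts.append(f"gateway {known_gateway['ip']} MAC changed "
                      f"{known_gateway['mac']} -> {seen}")
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims {len(ips)} IPs: {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in find_arp_anomalies(parse_neigh(SAMPLE_NEIGH), KNOWN_GATEWAY):
        print("ALERT:", alert)
```

On a real host, feed it the live table (for example the output of "ip neigh show") and the gateway MAC you recorded on a trusted network; a gateway alert is the direct signal that traffic is being redirected through another machine.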
