Remote Exploit Forums

BackTrack 4 Howto Tutorials and Howtos about BackTrack 4 (NOT for requesting tutorials or how to do anything)

#21 Snayler, 08-02-2009, 09:28 PM
Subject: ty

Hi g0tmi1k! Thanks for the tutorial, it works great!

#22 MixIt, 08-04-2009, 11:06 PM

Thanks for the great tutorial! Looking forward to trying this after work. Has anyone found a way to avoid the network slowdown that so many people are reporting?
#23 VillageIdiot, 08-05-2009, 06:08 AM

Didn't work for me, but the target machine was running Ubuntu 9.04. It appears as if Ubuntu simply didn't accept the ARP spoof. However, if I reversed the arp spoof (arpspoof -i wlan0 -t 192.168.1.1 192.168.1.100), the target machine couldn't reach the network (obviously, since the router attempted to route traffic from the target to my attacking machine).

Is Ubuntu just not susceptible to this type of attack, or am I doing something wrong?
#24 Gitsnik, 08-05-2009, 07:39 AM

> Originally posted by VillageIdiot:
> Didn't work for me, but the target machine was running Ubuntu 9.04. It appears as if Ubuntu simply didn't accept the ARP spoof. However, if I reversed the arp spoof (arpspoof -i wlan0 -t 192.168.1.1 192.168.1.100), the target machine couldn't reach the network (obviously, since the router attempted to route traffic from the target to my attacking machine).
>
> Is Ubuntu just not susceptible to this type of attack, or am I doing something wrong?

Sounds like you didn't pass the packet forward through your machine.

Try typing "arp -a" on your Ubuntu machine to see if the MAC changes before and then during the spoof.
#25 MixIt, 08-06-2009, 09:11 PM
Subject: Thanks

Thanks for the great tutorial! Followed this tutorial exactly and it worked seamlessly. No error messages appeared on the target computers and there was very little network slowdown. Also, I tried setting 192.168.1.255 as the target and I was able to retrieve passwords from the entire network.

The target machines I tested against included a Vista laptop with Mozilla 3.0 and an XP desktop SP3 with Mozilla 3.0.
#26 sylvestor2002, 08-07-2009, 05:22 AM

Cool tutorial !!

Now I'm worried. I go to internet cafes often.

1. Is there any way to detect if someone is ARP spoofing my traffic (assuming I'm the victim)?
2. As suggested in a previous post, can someone capture all wifi traffic and later decrypt, replay on i lo and get the usernames and passwords? If so, does the victim have any tools to prevent this?
#27 Snayler, 08-07-2009, 06:02 AM

> Originally posted by sylvestor2002:
> Cool tutorial !!
>
> Now I'm worried. I go to internet cafes often.
>
> 1. Is there any way to detect if someone is ARP spoofing my traffic (assuming I'm the victim)?
> 2. As suggested in a previous post, can someone capture all wifi traffic and later decrypt, replay on i lo and get the usernames and passwords? If so, does the victim have any tools to prevent this?

1. Yes, I use "cc get mac address", but on Windows. It scans the network for MACs and IPs, and if a MAC associated to an IP changes, it changes color. It's an automatic scanner, so you don't have to push "scan" every time. But it won't warn you with messages, pop-ups or ring sounds, you have to watch it now and then. Haven't tried it yet, so I don't know if it works.

2. Yes, you can use airodump-ng to capture packets and airdecap-ng to decrypt them later if the network is protected, but it will only catch unencrypted usernames and passwords, not SSL-encrypted ones. There's nothing you can do to prevent this if you connect to an insecure/WEP-protected network. And even on a WPA network, if the attacker has access to the network, he can sniff data with airodump-ng. But normally, only unimportant sites have insecure logins.

Hope it helps
#28 Snakerdlk, 08-07-2009, 07:53 PM

Ettercap already has MITM attack features (arp, icmp, dns, etc.),
no need to use arpspoof for this.

Code:
ettercap -T -i INTERFACE -M arp:remote /TARGET1/ /TARGET2/
or something similar to 'redirect' connections between TARGET1 and TARGET2 to pass through you. (If you leave TARGET1 and TARGET2 empty it will try to spoof the whole network.)
Perhaps it is interesting to use the "-P autoadd" argument so that the autoadd plugin is loaded automatically. This adds any new host on the network to the spoofing list.

To save the packets run ettercap with the -w or -L mode to log, or just check the damn documentation using
Code:
man ettercap

@sylvestor2002
ettercap has various plugins to see if someone has an interface running in promiscuous mode (capturing packets), is spoofing an address, or any other conspicuous network activity.

Note:
One of my experiments was to execute a DHCP spoof attack (you become the network's DHCP server) to set my machine as the local DNS server, which reroutes requests to the original DNS server.

With this you can run metasploit in fakeDNS mode and use various information capturing techniques and try SMBrelay attacks.
#29 Snayler, 08-10-2009, 09:29 PM

> Originally posted by Snakerdlk:
> @sylvestor2002
> ettercap has various plugins to see if someone has an interface running in promiscuous mode (capturing packets), is spoofing an address, or any other conspicuous network activity.

Yes, agreed. But I wouldn't rely too much on that plugin. There is also arpwatch, although I've never tried it. To download it:

#apt-get install arpwatch

And XArp for Windows, google for it.

EDIT: Found an interesting thread on Detection and prevention of ARP spoofing

> Detecting/Preventing ARP Spoofing:
>
> We have several options on how to detect this type of attack. First you can manually set the MAC address so that when your computer receives an ARP packet it will ignore it. Manually setting is a pain but is probably the easiest method. You can add a static entry by typing 'arp -s IP address MAC address' in Windows or Linux.
>
> You could also run a program by Irongeek called DecaffeinatID. What this program does is monitor your ARP cache and notify you of any additions and any changes. If it detects an ARP spoofing attack it will alert you. DecaffeinatID is a Windows-based program.
> Linux has several programs that you can use to detect ARP spoofing on your computer, one being ARPon. I couldn't get this to work on my machine, but it says it does more than detection, it will prevent it from happening. You can also use Ettercap to detect ARP spoofing (both on Linux and Windows), and ARPWatch.
>
> A few other solutions would be to encrypt all traffic on your network with IPSec or something similar. You could also implement DHCP spoofing; with it you can configure your switches to only allow certain MAC addresses to have access to the network, not the best solution because MAC addresses can be changed, but it adds another layer of complexity. And finally install an IDS/IPS system like Snort.
> If your network happens to have Cisco equipment you can turn on ARP Inspection. [...]
>
> ARP spoofing is not a major problem with large companies, mainly because in order to perform this attack you must have physical access to their network, either via wired or wireless. It can be a problem with home users who have a laptop and bring it to their local coffee shop and surf the internet.

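Two of the replies above give the victim-side check: Gitsnik suggests comparing "arp -a" before and during the spoof, and the thread Snayler quotes recommends watching the ARP cache for changes and pinning the gateway with a static entry. The script below, added here as an example and not code from any poster or from arpwatch/XArp/DecaffeinatID, automates that comparison. It parses two snapshots in the /proc/net/arp format (the sample text is constructed; the IPs and MACs are invented), reports any IP whose MAC changed, flags one MAC that answers for several IPs (what a host impersonating the gateway looks like from the victim), and prints the "arp -s" commands that would pin the baseline mapping. The gateway address and the helper names are assumptions for the example.

```python
"""ARP-cache monitor: detect the victim-side symptoms of ARP spoofing.

Added example, not from the forum thread. Reads /proc/net/arp style text
(on a Linux box: open("/proc/net/arp").read()) and compares a baseline
snapshot with a later one. Constructed sample data below.
"""
import re
from collections import defaultdict

# Constructed sample: the cache before anything happens.
BASELINE = """IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:01     *        wlan0
192.168.1.100    0x1         0x2         00:11:22:33:44:64     *        wlan0
"""

# Constructed sample: the gateway's MAC now matches another host on the LAN.
DURING = """IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:aa:bb:cc:dd:ee     *        wlan0
192.168.1.100    0x1         0x2         00:11:22:33:44:64     *        wlan0
192.168.1.50     0x1         0x2         00:aa:bb:cc:dd:ee     *        wlan0
"""

# One entry line: IP, HW type, flags, MAC, mask, device (whitespace separated).
ENTRY_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+\S+\s+(\S+)\s+([0-9a-fA-F:]{17})\s+\S+\s+(\S+)$"
)


def parse_arp_table(text):
    """Return {ip: (mac, flags, device)}; incomplete entries (flags 0x0) are skipped."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header line or malformed row
        ip, flags, mac, dev = m.groups()
        flags = int(flags, 16)
        if flags == 0:
            continue  # unresolved entry, no MAC to compare yet
        table[ip] = (mac.lower(), flags, dev)
    return table


def diff_arp_tables(baseline, current, gateways=()):
    """Return (severity, message) alerts for spoofing symptoms in `current`."""
    alerts = []
    # Symptom 1: a known IP now resolves to a different MAC (Gitsnik's check).
    for ip, (mac, _, _) in current.items():
        if ip in baseline and baseline[ip][0] != mac:
            sev = "HIGH" if ip in gateways else "MEDIUM"
            alerts.append((sev, f"{ip} changed from {baseline[ip][0]} to {mac}"))
    # Symptom 2: one MAC answering for several IPs, e.g. the gateway and a host.
    by_mac = defaultdict(list)
    for ip, (mac, _, _) in current.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(("MEDIUM", f"{mac} claims {len(ips)} addresses: "
                                     + ", ".join(sorted(ips))))
    return alerts


def static_entry_commands(table, ips):
    """The 'arp -s IP MAC' lines that pin the baseline mapping (returned, not run)."""
    return [f"arp -s {ip} {table[ip][0]}" for ip in ips if ip in table]


if __name__ == "__main__":
    base = parse_arp_table(BASELINE)
    now = parse_arp_table(DURING)
    for sev, msg in diff_arp_tables(base, now, gateways={"192.168.1.1"}):
        print(sev, msg)
    for cmd in static_entry_commands(base, ["192.168.1.1"]):
        print("to pin:", cmd)
```

Run it as a loop that re-reads /proc/net/arp every few seconds to get the same effect as the "automatic scanner" Snayler describes; the static-entry commands are only printed, because pinning the wrong MAC (the baseline taken while already spoofed) would lock in the attacker's mapping, so check the baseline against the router's label or its DHCP lease first.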
#30 Junior Member, 08-13-2009, 04:28 PM

Hi,
when I try the arpspoof I'm getting an error message:
arpspoof: couldn't arp for host 192.168.1.71
I put my own IP (I'm using VMware).
I tried to put another host on my network and got the same message.
Any help??
Tags: g0tmi1k, https, ssl, sslstrip