In this post I'm going to explain sniffing HTTPS packets, which is not for N00BS but is HIGH LEVEL HACKING..
HTTPS, the most secure protocol for the packets used by online banking sites like PayPal and bank sites, and also by email accounts like Gmail and even Facebook, can now be sniffed by any hacker who has the right tools for it.
A new tool presented at the Black Hat DC 2009 conference by Moxie Marlinspike proves to be a formidable foe against secure login schemes. Always trying to stay on top of the game, Click Death Squad decides to give this tool a whirl and see what the buzz is all about. This attack is particularly crafty because it acts as a Man in the Middle, keeping an eye on HTTPS requests and then mapping them to HTTP look-alike setups. If a person were operating on a wireless access point that had been broken into, the results can be devastating. You have a box running sslstrip which has port forwarding enabled and is actively spoofing ARP on a LAN. This computer is the jump-off point, which will fake out the wireless router into redirecting HTTPS requests, modifying them and passing them on to the victim. Features include a fake “lock” icon and selective logging capabilities, which provide great flexibility when sniffing traffic.
Tools you will need to accomplish this task :
- A wireless network that you have access to and can test
- A “victim” computer acting as the client being sniffed
- A Linux box with sslstrip installed
- Basic Linux networking skills and command line capabilities
Step 1: Enable IP forwarding on your box.
Your box will be acting as the intermediary between the victim and the intended destination. You must enable IP forwarding so that packets can be passed through your machine. This is pretty simple, just pass a value to the kernel that tells it to enable forwarding for packets.
“sudo echo 1 > /proc/sys/net/ipv4/ip_forward” ### enable IP forwarding in the Linux kernel.
Step 2: Set an iptables firewall rule that forwards HTTP traffic from the victim to your box for modification.
As the victim is actively browsing websites, your computer needs to act as a middle man so that when the user is directed to an HTTPS login, your computer modifies the data and passes it along. By setting up an iptables rule, you can have the traffic get passed to your computer, modify it using sslstrip and then pass the “faked out” version to the victim and capture login information.
“sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 666” ### iptables will forward port 80 to our box, running sslstrip on port 666.
The firewall rules on your box have been set to forward all traffic on port 80 (HTTP) which might be received by the victim. The key is passing the victim’s traffic through your box to sslstrip, which will modify any HTTPS login requests and forward them to the correct destination. By doing so, the login information can be captured.
Step 3: ARP spoof the target traffic to redirect to your machine.
Using arpspoof, you can redirect all the victim’s traffic to your machine. After you enabled your iptables firewall rule to pass HTTP traffic and modify it, you need to redirect the traffic to your box. Use arpspoof to direct traffic to your machine so that HTTP requests can be modified for hijacking.
“sudo arpspoof -i wlan0 192.168.1.121 192.168.1.1” ### where 192.168.1.121 is the target and 192.168.1.1 is the wireless access point IP address.
All the steps are in place. Iptables is set up to redirect HTTP requests to sslstrip, ARP spoofing is redirecting traffic from the victim to our box and your machine is forwarding requests. The last step is to actually run sslstrip and start hijacking some sessions.
Step 4: Run sslstrip and capture some passwords.
Start the sslstrip server running on your machine and watch what happens. A victim loads a website, and because you’re ARP spoofing, the request is directed to your machine first. The request is modified by sslstrip, then iptables forwards the modified traffic to the intended destination.
“sudo python sslstrip.py -l 666 -f lock.ico” ### load sslstrip and use the provided lock.ico icon as a replacement if need be.
Here we can see that the server is started.
It looks like the victim logged into “secure.myspace.com” to check their page out…
Now we can see that we were able to capture a password from a modified request. So now, before implementing HTTPS, you have to think twice again.
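From the defender's side, the tell-tale sign of the stripping described above is a login page that arrives with its form action rewritten to plain http:// and without the Strict-Transport-Security header the genuine server sends. The following is an added example, not code from the original post or from sslstrip; the two HTTP responses and the host secure.example.com are constructed samples.

```python
from html.parser import HTMLParser

# Constructed samples, not captured traffic. STRIPPED is what a victim behind
# sslstrip receives: the https:// form action rewritten to http:// and no HSTS
# header. GENUINE is the same page as the real server would send it.
STRIPPED = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<form action="http://secure.example.com/login" method="post">'
    '<input name="email"><input type="password" name="pw"></form>'
)
GENUINE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n"
    '<form action="https://secure.example.com/login" method="post">'
    '<input name="email"><input type="password" name="pw"></form>'
)

class _FormScanner(HTMLParser):
    # Collects each form's action URL and whether it contains a password field.
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None and (a.get("type") or "").lower() == "password":
            self._cur["password"] = True
    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def analyse_response(raw):
    """Return downgrade indicators for one raw HTTP response (headers + body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    scanner = _FormScanner()
    scanner.feed(body)
    plaintext_forms = [f["action"] for f in scanner.forms
                       if f["password"] and f["action"].lower().startswith("http://")]
    return {"hsts": "strict-transport-security" in headers,
            "plaintext_password_forms": plaintext_forms}

def looks_stripped(raw):
    """True when a password would be posted over plain HTTP and no HSTS header is present."""
    r = analyse_response(raw)
    return bool(r["plaintext_password_forms"]) and not r["hsts"]
```

A browser that has already cached an HSTS policy for the site refuses the plaintext connection outright, which is why the header matters more than any lock icon.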