Ethical Hacking Institute Course in Pune-India
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan
The traditional network traffic (non-encrypted) can be easily captured these days by running a tool such as ettercap, which can also be found in Kali Linux. What we are going to deal with now is not about this but about the encrypted network traffic.
The SSL/TLS traffic is encrypted, and if it can be decrypted, it would be a hot topic in security circles right now. In general, when we are navigating the Internet and browsing websites, we don’t really often type a domain address by using HTTPS directly, but we almost always type HTTP. We all know it is very difficult, if not almost impossible (though nothing is impossible for IT experts) to exploit an SSL/TLS session. But we can break such protocols in an alternative way by sniffing it.
The traditional sniffers are helpless as they will get nothing but encrypted traffic and meaningless data. But if we combine traditional sniffers such as ettercap (we
have just mentioned previously) and arp with a powerful tool like sslstrip, we can definitely be successful. This action is technically called a MITM attack. The MITM is the kind of attack that intercepts communication between two systems, for example, between the client and server. The key tool here that does the magic work of exploiting the SSL traffic is sslstrip.
sslstrip is an MITM attack tool that forces the user to communicate with the other end user in plain text over HTTP. It is basically a script that automates the exploitation process where the HTTPS URLs are stripped into HTTP URLs and can therefore be captured in clear text. An SSL MITM attack using sslstrip Please note that all of the following tasks require root-equivalent privileges, so before starting, we must elevate our privileges. To start our MITM attack, we have to do some small configurations on our system and on the tools that we are going to use for this case. Because we are talking about a man-in-the-middle attack, the first thing we have to do is enable the IP forwarding option on our system as follows:
root@extremehacking:~# echo 1 > /proc/sys/net/ipv4/ip_forward
After having enabled the IP forwarding option, let’s go ahead with ettercap and its configuration. To do that, we open a shell terminal with the auxiliary of an editor vi and the etter.conf file, which is the ettercap configuration file, as follows:
root@extremehacking:~# vi /etc/etter.conf
We are interested in the iptables section and we will need to make sure that the second line of iptables in etter.conf is not commented out:
#redir_command_off = “iptables -t nat -D PREROUTING -i %iface -p tcp –dport %port -j REDIRECT –to-port %rport”
We will remove the # character by activating the iptables rule. As per the ettercap configuration, we have to create this specific rule in our iptables as follows:
root@extremehacking:~# iptables -t nat -A PREROUTING -p tcp –destination-port 80 -j REDIRECT –to-ports 10000
All we did in the preceding command is that we redirected all the incoming traffic that is usually sent to port 80/HTTP protocol onto a new port at our discretion, which in this case is port 10000. The reason why we chose a high port is to ensure that the port is not used. Also, the port 10000 didn’t require any high privileges to be started/listened. The ports up to 1024 require high privileges. Now we are ready with all of the configurations and are good to go further. We have to run three tools in parallel, so we will need at least two terminals opened at the same time in order to be able to do that. We need two terminals because we will combine two of the tools into a single command, but anyone can use a separate shell for the third tool as well. All we need is the IP address of the target machine and the gateway. Note that we are on the same network of the target machine.
So let’s assume that the IP address of the target machine is 192.168.0.117, and the gateway is 192.168.0.1 (as usual, we are not providing here the real IP addresses or any parameters that can compromise the target system). We will execute the sslstrip command as follows:
root@extremehacking:~# sslstrip -a -k -f
We will also perform the ettercap and arp commands as follows:
root@extremehacking:~# ettercap -T -q -i wlan0 -M arp:remote /192.168.0.117//192.168.0.1/
Let’s summarize what we have just performed with sslstrip:
• -a: This is used to display all logs
• -k: This is used to kill the session progress
• -f: This is used to substitute a lock favicon on a secure request
• The last command is the combination of two tools, ettercap and arp, with the following options:
°° -Tq -M: This performs the ARP poisoning attack against all the hosts in the LAN
°° -i: This option is used to specify our interface with which we are connected to the LAN
For those who are curious and want to use more options, please check the man page for the tools.
After having performed the preceding action, we shall wait for the traffic, that is, for someone to log on to their account and generate traffic. In this case, we are going to
do the victim’s part, and we will go onto another machine to try to access our account, which will use HTTPS. So we play around by logging into an account of ours, which
is SSL-enabled (nearly 99 percent of e-mail servers are SSL enabled). We proceed to sign into the account, which like in our case can be an e-mail account. Once we log in to a couple of our e-mail accounts, if we check the sslstrip/ettercap/ arp captured data, we will be able see the SSL traffic and also hopefully the login credentials with username/password in clear text.
After having performed the actions shown in the previous screenshot, all traffic will be stored in a file called sslstrip.log, where we can see a clear text of the traffic, including logins. The preceding screenshot shows that the traffic has been captured, including the part of our attempt to log in to our e-mail accounts. For HTTPS-encrypted authentication, we have been choosing the most encrypted e-mail server provided by Google, which is the Gmail service. We can clearly see the login credentials that have been captured and decrypted in clear text. We can not only capture and decrypt the login credentials, but if we pay close attention towards the end of the sslstrip.log file in the preceding screenshot, we will notice that it has also captured the content of the e-mails in the inbox (note that the e-mail arrived from LinkedIn notifies an invitation to the owner of the e-mail account).
Enjoy!!!!
www.extremehacking.org
Cyber Suraksha Abhiyan, CEHv9, CHFI, ECSAv9, CAST, ENSA, CCNA, CCNA SECURITY,MCITP,RHCE,CHECKPOINT, ASA FIREWALL,VMWARE,CLOUD,ANDROID,IPHONE,NETWORKING HARDWARE,TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking,Center For Advanced Security Training in India, ceh v9 course in Pune-India, ceh certification in pune-India, ceh v9 training in Pune-India, Ethical Hacking Course in Pune-India