Thread: Error when running Ettercap -G and sslstrip together

  1. #1
    Join Date
    2014-Aug
    Posts
    7

    Error when running Ettercap -G and sslstrip together

    Hi,

    I am trying to use Ettercap -G with sslstrip to see if I can get passwords from a computer on my home network.

    I am using Kali 1.0.9. I am using the NIC that is on the laptop. I have an Alfa NHA, but I have not tried it with this yet. The NIC is wlan0.

    I have a router (192.168.1.1) with 2.4 and 5 GHz bands on it (2.4 is 1 and 5 is 2). Signal is bad in another part of the house so I have an extender (192.168.1.110) which has 2.4 and 5 GHz bands also (1a and 2a).

    The computer I am trying to run it on is a desktop in the other room (192.168.1.118).

    These are my commands:
    In terminal A:
    echo '1' > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
    sslstrip -l 10000

    Open another terminal:
    ettercap -G

    In Ettercap -G these are my settings:
    I put it in promiscuous mode
    I select unified sniff
    I choose wlan0 (my interface)
    Under host, I scan for hosts then I chose Host List
    I put my router as Target 1
    I put my desktop (the one I am trying to run it on (192.168.1.118)) as Target 2
    Under Manage Plugins, I choose dns_spoof
    Under MITM I choose Arp poisoning
    I then select sniff remote poisoning
    Then I start the sniff

    Nothing seems to happen in Ettercap -G, but in the sslstrip terminal I get a runtime error. I tried to open the sslstrip.log and there is nothing in it. This is the error:
    root@kali:~# sslstrip -l 10000

    sslstrip 0.9 by Moxie Marlinspike running...
    Unhandled Error
    Traceback (most recent call last):
    File "/usr/bin/sslstrip", line 105, in main
    reactor.run()
    File "/usr/lib/python2.7/dist-packages/twisted/internet/base.py", line 1169, in run
    self.mainLoop()
    File "/usr/lib/python2.7/dist-packages/twisted/internet/base.py", line 1181, in mainLoop
    self.doIteration(t)
    File "/usr/lib/python2.7/dist-packages/twisted/internet/pollreactor.py", line 167, in doPoll
    log.callWithLogger(selectable, _drdw, selectable, fd, event)
    --- <exception caught here> ---
    File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 84, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
    File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 69, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
    File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 118, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
    File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 81, in callWithContext
    return func(*args,**kw)
    File "/usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 599, in _doReadOrWrite
    self._disconnectSelectable(selectable, why, inRead)
    File "/usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 263, in _disconnectSelectable
    selectable.connectionLost(f)
    File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 433, in connectionLost
    Connection.connectionLost(self, reason)
    File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 277, in connectionLost
    protocol.connectionLost(reason)
    File "/usr/lib/python2.7/dist-packages/twisted/web/http.py", line 455, in connectionLost
    self.handleResponseEnd()
    File "/usr/share/sslstrip/sslstrip/ServerConnection.py", line 119, in handleResponseEnd
    HTTPClient.handleResponseEnd(self)
    File "/usr/lib/python2.7/dist-packages/twisted/web/http.py", line 466, in handleResponseEnd
    self.handleResponse(b)
    File "/usr/share/sslstrip/sslstrip/ServerConnection.py", line 133, in handleResponse
    self.client.write(data)
    File "/usr/lib/python2.7/dist-packages/twisted/web/http.py", line 898, in write
    raise RuntimeError('Request.write called on a request after '
    exceptions.RuntimeError: Request.write called on a request after Request.finish was called

    I have been reading tutorials and watching videos and I do exactly what they do in the videos and the tutorials, but I am having no luck.

    At first I did not have the ' around the 1 on the echo command with sslstrip. I also saw that instead of port 10000, sometimes port 8080 is used. I am not sure if I should use a different one or not, or if I should remove the ' around the 1 in the echo command.

    I was going to try it with my Alfa and see if it may be the NIC that is in the laptop. My Alfa shows up as wlan1 so I was going to put wlan0 down.

    I also noticed when I do it, I seem to cut off the internet connection for the whole house. I think it may be the ports I am using.
    Last edited by kalinoob1; 2014-09-28 at 22:35.

  2. #2
    Join Date
    2014-Sep
    Posts
    5
    I am having the same issue. Reinstalled sslstrip, and reinstalled python 2.7, also pyOpenSSL, service identity and the twisted module. Anything seems to work. Any experienced users with some input? Thank you!

  3. #3
    Join Date
    2013-Jun
    Posts
    125
    Quote Originally Posted by in10se View Post
    I am having the same issue. Reinstalled sslstrip, and reinstalled python 2.7, also pyOpenSSL, service identity and the twisted module. Anything seems to work. Any experienced users with some input? Thank you!
    having same issue here..sslstrip gives error but it is still working (it is issuing a fake certificate)!...however i used arpspoof (the older version) to do my arp poisoning..one thing i like with the OLD arpspoof is that it sends out fake Address Resolution Protocol (ARP) messages to ALL targets instead of 2 targets. Also, if you are on a network and carrying out this MITM attack you will find that the true gateway will be sending out authentic arp messages requesting clients to send their data...some tcp packets will be sent to the true gateway while some tcp packets will be sent to you..it's all luck and chance.... this type of mitm can break a network down also!...hmmm..i cannot say how the python codes are written in sslstrip (this could be the solution ...the codes?..i will investigate as i increase my pythonic knowledge)...can anyone add some explanation to sslstrip behaviour?
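The competing ARP replies described in the post above (the real gateway and a second machine both answering for the same IP) are what a defender sees as MAC flapping. The following is an added example, not code from the thread: it scans ARP reply lines for IPs whose MAC changes and for MACs that answer for several IPs. The log lines are constructed in the style of `tcpdump -n arp` output and the MAC addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -n arp` output (not captured traffic).
SAMPLE = """\
10:00:01.10 ARP, Reply 192.168.1.1 is-at 00:11:22:aa:bb:01, length 28
10:00:02.10 ARP, Reply 192.168.1.1 is-at 02:de:ad:be:ef:99, length 28
10:00:02.90 ARP, Reply 192.168.1.118 is-at 02:de:ad:be:ef:99, length 28
10:00:03.10 ARP, Reply 192.168.1.1 is-at 00:11:22:aa:bb:01, length 28
10:00:04.10 ARP, Reply 192.168.1.1 is-at 02:de:ad:be:ef:99, length 28
10:00:05.00 ARP, Reply 192.168.1.110 is-at 00:11:22:aa:bb:10, length 28
"""

REPLY = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")

def analyse(text):
    """Return (flapping, shared).

    flapping: IPs whose announced MAC changed, with the number of changes.
    shared:   MACs that answered for more than one IP.
    """
    history = defaultdict(list)   # ip -> MACs in the order they were announced
    claims = defaultdict(set)     # mac -> IPs it has answered for
    for line in text.splitlines():
        m = REPLY.search(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower()
        history[ip].append(mac)
        claims[mac].add(ip)
    flapping = {}
    for ip, macs in history.items():
        changes = sum(1 for a, b in zip(macs, macs[1:]) if a != b)
        if changes:
            flapping[ip] = {"macs": sorted(set(macs)), "changes": changes}
    shared = {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}
    return flapping, shared

if __name__ == "__main__":
    flapping, shared = analyse(SAMPLE)
    for ip, info in flapping.items():
        print(f"{ip}: {info['changes']} MAC changes between {info['macs']}")
    for mac, ips in shared.items():
        print(f"{mac} answers for {ips}")
```

A MAC answering for several IPs can also be legitimate (proxy ARP, a multi-address host), so the gateway IP flapping between two MACs is the stronger signal.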

  4. #4
    Join Date
    2014-Sep
    Posts
    5
    Mine does not issue the fake certificate. Whenever I use sslstrip my network's ssl connections over https drop.

  5. #5
    Join Date
    2014-Jun
    Location
    Greece
    Posts
    133
    Quote Originally Posted by repzeroworld View Post
    having same issue here..sslstrip gives error but it is still working (it is issuing a fake certificate)!...
    repzeroworld, can you please explain what fake certificate you are referring to? I don't get that.

    As for the rest, I haven't investigated (deeply) the behavior of sslstrip but I think it's a common behavior.
    I know that sslstrip will not work when:
    1) The site uses HSTS (HTTP Strict Transport Security).
    2) An https address is typed.
    3) An application is used to do the SSL connection (Android device).

    As a matter of fact I gave up on sslstrip. Maybe I'm wrong but I think that sslstrip can't correctly handle SSL v3 certificates. 2 months ago, I tried to proxychain sslsplit (which is a wonderful program) and sslstrip, and sslsplit reported something like wrong ssl v3 certificate or something like that. I can't remember right now.

    BTW has anyone 'played' with LeonardoNve's sslstrip 2 version (defeat HSTS)?
    Last edited by Nick_the_Greek; 2014-09-29 at 17:38. Reason: repzeroworld
    Security always begins with personal responsibility. - quietman7
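Point 1 in the post above depends on the browser already holding an HSTS policy for the host. The following is an added example, not code from the thread or from any browser: a small model of the RFC 6797 rules for when an `http://` request is upgraded to `https://`, useful for checking what a site's `Strict-Transport-Security` header actually covers. `HstsStore`, the hostnames and the header values are hypothetical.

```python
def parse_sts(value):
    """Parse a Strict-Transport-Security value (RFC 6797); None if invalid."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:                 # max-age is the one mandatory directive
        return None
    return {"max_age": max_age, "include_sub": include_sub}

class HstsStore:
    """Minimal model of a browser's known-HSTS-host list (hypothetical class)."""
    def __init__(self):
        self.hosts = {}                 # host -> (expiry time, includeSubDomains)

    def note_response(self, scheme, host, header, now):
        policy = parse_sts(header) if scheme == "https" else None
        if policy is None:              # sent over plain HTTP, or malformed: ignored
            return
        if policy["max_age"] == 0:      # max-age=0 deletes the stored policy
            self.hosts.pop(host.lower(), None)
        else:
            self.hosts[host.lower()] = (now + policy["max_age"], policy["include_sub"])

    def upgrades(self, host, now):
        """True if an http:// request for host is rewritten to https://."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            # A parent domain's policy only applies if it set includeSubDomains.
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

def demo():
    # Constructed hostnames and header values, not taken from the thread.
    store = HstsStore()
    store.note_response("http", "shop.example", "max-age=31536000", 0)
    before = store.upgrades("shop.example", 0)
    store.note_response("https", "shop.example", "max-age=31536000", 0)
    store.note_response("https", "bank.example", "max-age=600; includeSubDomains", 0)
    return (before, store.upgrades("shop.example", 1), store.upgrades("www.shop.example", 1),
            store.upgrades("login.bank.example", 10), store.upgrades("bank.example", 601))
```

`demo()` returns one flag per case: header seen only over HTTP, policy stored, subdomain without `includeSubDomains`, subdomain with it, and an expired short `max-age`.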

  6. #6
    Join Date
    2013-Jun
    Posts
    125
    Quote Originally Posted by Nick_the_Greek View Post
    repzeroworld, can you please explain what fake certificate you are referring to? I don't get that.

    As for the rest, I haven't investigated (deeply) the behavior of sslstrip but I think it's a common behavior.
    I know that sslstrip will not work when:
    1) The site uses HSTS (HTTP Strict Transport Security).
    2) An https address is typed.
    3) An application is used to do the SSL connection (Android device).

    As a matter of fact I gave up on sslstrip. Maybe I'm wrong but I think that sslstrip can't correctly handle SSL v3 certificates. 2 months ago, I tried to proxychain sslsplit (which is a wonderful program) and sslstrip, and sslsplit reported something like wrong ssl v3 certificate or something like that. I can't remember right now.

    BTW has anyone 'played' with LeonardoNve's sslstrip 2 version (defeat HSTS)?
    ALL packets have different layers. The secure socket layer (SSL) is the encryption layer of the data... when a client is logging in to a mail server..it usually requests a certificate to start a tcp connection, the server sends a certificate signed by verisign or some authentic body...
    in your web browser there are many AUTHENTIC add on certificates. this certificate is simply saying that the website is authentic..... the server also sends a key to encrypt the http data to https. if the certificate is invalid you will get a warning and won't be able to visit the site. sslstrip modifies and issues fake certificates SIGNED by an AUTHENTIC body and also has private and public keys to encrypt the data (making the victim think that he is transmitting securely with a 'padlock on the url' (an option when using sslstrip)). the errors generated by sslstrip are python code errors...so i am assuming it could be the codes?

  7. #7
    Join Date
    2014-Jun
    Location
    Greece
    Posts
    133
    Quote Originally Posted by repzeroworld View Post
    ALL packets have different layers. The secure socket layer (SSL) is the encryption layer of the data... when a client is logging in to a mail server..it usually requests a certificate to start a tcp connection, the server sends a certificate signed by verisign or some authentic body...
    in your web browser there are many AUTHENTIC add on certificates. this certificate is simply saying that the website is authentic..... the server also sends a key to encrypt the http data to https. if the certificate is invalid you will get a warning and won't be able to visit the site. sslstrip modifies and issues fake certificates SIGNED by an AUTHENTIC body and also has private and public keys to encrypt the data (making the victim think that he is transmitting securely with a 'padlock on the url' (an option when using sslstrip)). the errors generated by sslstrip are python code errors...so i am assuming it could be the codes?
    Hi repzeroworld!

    I think you misunderstood how sslstrip works. sslstrip doesn't establish any secure connection with the MITM clients. It can establish a secure (or not) connection with the URL requested by the clients but it returns only a non-secure page to them. That's why it's called sslstrip and that's why we don't redirect port 443 (only port 80 is redirected) when we are using sslstrip.
    Security always begins with personal responsibility. - quietman7

  8. #8
    Join Date
    2013-Jun
    Posts
    125
    Quote Originally Posted by Nick_the_Greek View Post
    Hi repzeroworld!

    I think you misunderstood how sslstrip works. sslstrip doesn't establish any secure connection with the MITM clients. It can establish a secure (or not) connection with the URL requested by the clients but it returns only a non-secure page to them. That's why it's called sslstrip and that's why we don't redirect port 443 (only port 80 is redirected) when we are using sslstrip.
    i suppose you haven't been reading much about sslstrip....there are many websites that explain the favicon lock, that is, sslstrip has keys to secure the connection BETWEEN THE ATTACKER AND CLIENT ONLY.... for example try

    http://sectools.org/tool/sslstrip/

    or you can try infosec website (this does not explain the key aspect)

    Yes you are right in a sense that the connection is unsecured but what i am saying is that sslstrip has its own keys to strip the https to http. It therefore means that the connection between attacker and the client can be secured WHILE THE CONNECTION BETWEEN THE CLIENT AND THE SERVER IS UNSECURED BECAUSE WE ARE IN THE MIDDLE OF THE ATTACK. I think you are wrong that this is the reason that sslstrip is redirecting information from port 80....no no no..the reason why you need to redirect all traffic from port 80 is because all traffic from port 80 is TCP traffic not http. WE ARE INTERESTED IN TCP HERE NOT HTTP....THERE ARE THREE IMPORTANT LAYERS..SSL PROTECTING TCP AND TCP IS LAYERED OVER HTTP THAT IS WHY THEY CALL HTTP DATA "HTTP(S)" BECAUSE IT IS ENCRYPTED......ONCE WE REDIRECT THESE PACKETS TO SSLSTRIP..SSLSTRIP STRIPS THE "S" FROM HTTPS AND OBTAINS THE INFORMATION AND THEN PROXIES THE DATA TO OUR WEB BROWSER TO TRANSMIT TO THE REAL WEBSITE..it seems we have our differences with sslstrip...

  9. #9
    Join Date
    2014-Jun
    Location
    Greece
    Posts
    133
    Quote Originally Posted by repzeroworld View Post
    .....it seems we have our differences with sslstrip...
    Here in Greece we have an expression which is:
    "Half knowledge is worse than ignorance."
    and I think that's my case!

    As you already noticed my English is terrible and therefore I understand things in a wrong way. (my may/wrong way).

    Thank you for taking the time to clarify this subject.
    repzeroworld, I really appreciate it.
    Security always begins with personal responsibility. - quietman7

  10. #10
    Join Date
    2013-Jun
    Posts
    125
    Quote Originally Posted by Nick_the_Greek View Post
    Here in Greece we have an expression which is:
    "Half knowledge is worse than ignorance."
    and I think that's my case!

    As you already noticed my English is terrible and therefore I understand things in a wrong way. (my may/wrong way).

    Thank you for taking the time to clarify this subject.
    repzeroworld, I really appreciate it.
    You are welcome.... I do have partial knowledge in some aspects of wifi science...I have learnt additional information from your post such as " How to Set Your Wi-FI Card Tx Power Higher Than 30dbm"..great work!
