I gave MITM a serious go over the weekend. Ultimately I was not able to decrypt SSL traffic as intended, but I post the steps I took in detail in the hope of encouraging others to give it a shot and perhaps find a way to get it working. I think I'm close but perhaps need a different tool for SSL stripping.
NOTE: One of the most important things I learned is it's not necessary to have a hub to monitor your network traffic, since ARP poisoning can take care of making sure you can see all your switched activity from your PC.
NOTE: I also don't have Linux installed at home, so I used a Linux installation on a thumb drive (a 4GB thumb drive in my case). The nice thing about that approach is that if you currently have only Windows or Mac you can install and run everything from a thumb drive without interfering at all with your Windows or Mac installation. It's better if you have a more permanent Linux installation to play with, but the steps below don't require that.
STEP 1 - INSTALL LINUX ON A THUMB DRIVE
(You can use Ubuntu if you want, but then some of the hacking tools will be missing and you would have to install them. BackTrack 5 has most of the hacking tools needed already installed.)
a. Download the BackTrack Linux ISO file from:
Release = BackTrack 5
WM Flavor = GNOME
Arch = 32 bit
Image = ISO
Download = Direct
(This gets you the ISO file BT5-GNOME-32.iso)
b. Download and install UNetbootin (used to write the ISO file to the thumb drive)
c. Install the ISO on the thumb drive:
1. Insert your thumb drive in USB slot
2. Start UNetbootin, select Diskimage = ISO and browse to the BT5-GNOME-32.iso
3. Leave "Space used to preserve..." at 0 unless you are using an Ubuntu ISO instead
4. Make sure Type = USB Drive and Drive is the correct thumb drive volume
STEP 2 - BOOT LINUX FROM THUMB DRIVE
a. Make sure the thumb drive is in a USB slot and reboot/start your PC
b. During boot-up go to your boot options screen. For my laptop running Windows I press Esc during boot-up and then F9 to choose which device to boot from. There I choose the thumb drive
STEP 3 - GET LINUX UP AND RUNNING WITH NETWORKING ENABLED
a. At the prompt, type the following to start X Windows:
b. Start networking as follows:
Applications-Internet-Wicd Network Manager
- If you have a wired network then simply choose Connect on the 1st entry.
- If you have a wireless network then choose "Properties" and in the "Key" field enter your WPA2 password (or whichever protection you are using). Then click on "Connect".
STEP 4 - DOWNLOAD AND INSTALL sslstrip
a. Start Firefox: Applications-Internet-Firefox
b. Download sslstrip from:
c. Choose to save sslstrip-0.9.tar.gz to the root folder
d. Unpack and install it (the tarball unpacks into the sslstrip-0.9 directory, so change into it before running the installer):
gunzip -c sslstrip-0.9.tar.gz | tar xvf -
cd sslstrip-0.9
python setup.py install
STEP 5 - COLLECT NECESSARY NETWORK INFORMATION
a. Determine the IP addresses of the Premieres on your home network. For me these are:
192.168.10.196 = LR Premiere (This is my MRS host)
192.168.10.199 = Premiere (This is my MRS client)
b. Determine the name of your network interface device.
If using wired, this is "eth0"
If using wireless, this is "wlan0"
STEP 6a - SETUP AND RUN THE MITM ATTACK USING ettercap
a. Start a new shell by clicking on the terminal icon to the right of System
b. Install ettercap:
apt-get install ettercap
c. Edit the /etc/etter.conf file. I usually use "vi" as the editor, but you can use the xedit graphical editor:
d. Scroll down to the section entitled "Linux" and then uncomment (remove the leading #) the following 2 entries under "# if you use iptables":
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
e. Click on Save and then Quit
f. Now we are ready to start ettercap (use the wlan0 or eth0 interface according to whether you are on wireless or wired, and replace the IPs with your Premiere IPs):
ettercap -Tqdi wlan0 -w etter.pcap -M arp:remote /192.168.10.196/ /192.168.10.199/
g. The traffic is now logged to the etter.pcap file, which can then be viewed using Wireshark:
NOTE: Stop ettercap by pressing 'q' in the ettercap window.
STEP 6b - MORE COMPLEX ALTERNATIVE TO 6a: SETUP AND RUN THE MITM ATTACK USING arpspoof & sslstrip
a. Enable IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
b. Use iptables to set up redirection of port 443 traffic to port 8080:
iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 8080
c. ARP poison traffic on your network so that it routes through your PC. Specifically, I chose to poison my 2 Premieres:
1. Start a new shell by clicking on the terminal icon to the right of System
2. Execute the following command in that shell (use eth0 if wired, wlan0 if wireless, which is my case):
arpspoof -i wlan0 -t 192.168.10.196 192.168.10.199
(Obviously substitute the 2 IPs above for whatever your 2 Premiere IPs are)
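From the other side of the wire, the arpspoof step above shows up as an ARP reply in which an IP address that already has a known MAC is suddenly claimed by a different MAC. The following added example (mine, not code from the original post) parses raw Ethernet/ARP frames and keeps an IP-to-MAC table that raises an alert on exactly that conflict; the frames it runs on are constructed inline, with made-up MAC addresses and the two Premiere IPs from this post as sample values.

```python
"""Detect ARP-cache poisoning from raw Ethernet/ARP frames (added example)."""
import struct

ETH_P_ARP = 0x0806   # EtherType for ARP
ARP_REPLY = 2        # ARP opcode "reply"


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet + ARP reply frame (test input only, not captured traffic)."""
    eth = _mac_bytes(target_mac) + _mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # hardware type 1 (Ethernet), protocol 0x0800 (IPv4), 6-byte MAC, 4-byte IP, opcode reply
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += _mac_bytes(sender_mac) + _ip_bytes(sender_ip)
    arp += _mac_bytes(target_mac) + _ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return opcode, mac(frame[22:28]), ip(frame[28:32]), mac(frame[32:38]), ip(frame[38:42])


class ArpMonitor:
    """Tracks IP -> MAC bindings seen in ARP replies and alerts on conflicting claims."""

    def __init__(self, known=None):
        # Pre-seed with bindings you trust (e.g. noted from `arp -n` on a quiet network);
        # anything else is learned from the first reply seen for that IP.
        self.table = dict(known or {})
        self.alerts = []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None
        _, sender_mac, sender_ip, _, target_ip = parsed
        known_mac = self.table.get(sender_ip)
        if known_mac is not None and known_mac != sender_mac:
            # Keep the first binding: a conflicting claim must not overwrite it.
            alert = (f"ARP conflict: {sender_ip} known as {known_mac}, "
                     f"now claimed by {sender_mac} in a reply sent to {target_ip}")
            self.alerts.append(alert)
            return alert
        self.table.setdefault(sender_ip, sender_mac)
        return None


# Constructed sample: the two Premiere IPs from the post with made-up MACs,
# plus a third made-up MAC standing in for the PC running arpspoof.
HOST_IP, HOST_MAC = "192.168.10.196", "02:00:00:00:01:96"
CLIENT_IP, CLIENT_MAC = "192.168.10.199", "02:00:00:00:01:99"
ATTACKER_MAC = "02:00:00:00:0a:aa"

SAMPLE_FRAMES = [
    build_arp_reply(CLIENT_MAC, CLIENT_IP, HOST_MAC, HOST_IP),    # legitimate reply
    build_arp_reply(HOST_MAC, HOST_IP, CLIENT_MAC, CLIENT_IP),    # legitimate reply
    build_arp_reply(ATTACKER_MAC, CLIENT_IP, HOST_MAC, HOST_IP),  # .199 now "at" the attacker MAC
]


def run_sample():
    """Feed the constructed frames to a fresh monitor and return it (alerts in .alerts)."""
    monitor = ArpMonitor()
    for frame in SAMPLE_FRAMES:
        monitor.observe(frame)
    return monitor


if __name__ == "__main__":
    for line in run_sample().alerts:
        print(line)
```

On a real network you would feed `observe()` frames from a raw socket or a pcap file instead of the constructed list; the monitor deliberately keeps the first binding it learned rather than following the newest reply, which is the opposite of what a victim's ARP cache does and is why it can flag the change.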
d. Start sslstrip monitoring port 8080 and logging to file strip.log:
1. Start a new shell by clicking on the terminal icon to the right of System
2. Execute the following command in that shell:
sslstrip -a -k -l 8080 -w strip.log
3. Now on your client Premiere browse to your other Premiere and push inside of show details of your host Premiere. That is enough to generate traffic on port 443 (without actually starting MRS).
4. If you want to monitor the strip.log file, you can open another shell and execute the following:
tail -f strip.log
- Ideally, if this worked properly, at this point strip.log would contain unencrypted traffic.
- You can use the following iptables command to check whether any traffic is actually being redirected:
iptables -t nat -L -v
(Even though for me this shows there is some traffic on port 443, sslstrip is not doing anything with it)
- Use Ctrl-C to stop arpspoof and/or sslstrip
- If instead of 443 I repeat the above with port 80, then I do see all the traffic using sslstrip (kind of interesting to see). To remove a forwarding rule you simply use -D instead of -A in the iptables command, i.e. to remove the 443 forwarding:
iptables -t nat -D PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 8080
Then to add port 80 forwarding instead use:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
VIEWING TRAFFIC WITH WIRESHARK
After you set up the arpspoof poisoning you can start Wireshark to monitor network traffic as follows:
1. From the command prompt start Wireshark:
2. Choose the appropriate network interface, in my case wlan0
3. Confirm there is a bunch of traffic between your 2 Premiere units when browsing the remote Premiere and pushing inside of show details. Specifically, look for SSLv3 and "Server Hello", which is the SSL handshake that happens when you push into show details on the remote Premiere.
4. NOTE: Click on the red 'x' to stop capturing network traffic.
In my case the ARP poisoning is working fine, since I can see all the traffic using Wireshark. But unfortunately sslstrip is not doing what I expected, which is to decrypt https traffic. I think this is probably because it was designed for web-based SSL decryption (clients using web browsers) as opposed to SSL between 2 local LAN machines.
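The port 80 versus port 443 difference noted above is consistent with what sslstrip does: it operates on plaintext HTTP, rewriting https:// links so that a browser never upgrades to TLS, whereas a device that opens a TLS connection itself sends a handshake as the very first bytes of the stream and there is no plaintext step for the tool to act on. The following added example (mine, not from the original post) parses TLS record headers the way Wireshark labels them ("SSLv3", "Server Hello") and classifies the first bytes of a stream as a direct TLS handshake or plaintext HTTP; the sample bytes are constructed (a minimal SSLv3 ServerHello and an HTTP request line), not a capture.

```python
"""Distinguish a direct TLS/SSL handshake from plaintext HTTP at the start of a TCP stream (added example)."""
import struct

TLS_HANDSHAKE = 0x16  # record content type for handshake messages
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HANDSHAKE_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
                   14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}


def parse_tls_records(data):
    """Walk the records in a TLS byte stream.

    Returns a list of (content_type, version_name, [handshake message names]);
    stops at the first truncated record rather than guessing at its contents.
    """
    records = []
    offset = 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        if len(body) < length:
            break
        messages = []
        if ctype == TLS_HANDSHAKE:
            pos = 0
            while pos + 4 <= len(body):  # handshake header: 1-byte type, 3-byte length
                hs_type = body[pos]
                hs_len = int.from_bytes(body[pos + 1:pos + 4], "big")
                messages.append(HANDSHAKE_NAMES.get(hs_type, f"type {hs_type}"))
                pos += 4 + hs_len
        records.append((ctype, VERSIONS.get(version, hex(version)), messages))
        offset += 5 + length
    return records


def classify_stream(first_bytes):
    """'tls' if the stream opens with a TLS handshake record, 'http' if with an HTTP request line, else 'unknown'."""
    if (len(first_bytes) >= 3 and first_bytes[0] == TLS_HANDSHAKE
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x03):
        return "tls"
    if first_bytes.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "http"
    return "unknown"


def build_server_hello(version=0x0300):
    """Construct a minimal ServerHello record (test input): version, 32-byte random,
    empty session id, one cipher suite, null compression."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, version, len(handshake)) + handshake


# Constructed samples standing in for the first bytes of two streams.
SAMPLE_TLS = build_server_hello()  # what Wireshark would label "SSLv3 Server Hello"
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: 192.168.10.196\r\n\r\n"


def summarize(first_bytes):
    """One-line description of what a stream opens with."""
    kind = classify_stream(first_bytes)
    if kind == "tls":
        _, version, messages = parse_tls_records(first_bytes)[0]
        return f"direct {version} handshake: {', '.join(messages)} (no plaintext HTTP to rewrite)"
    if kind == "http":
        return "plaintext HTTP request: " + first_bytes.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return "not TLS or HTTP"


if __name__ == "__main__":
    print(summarize(SAMPLE_TLS))
    print(summarize(SAMPLE_HTTP))
```

Pointed at the first bytes of the port 443 stream between the two Premieres (for instance exported from Wireshark with "Follow TCP Stream"), this reports a handshake with the version Wireshark shows, which is the signature of a client that speaks TLS from the first byte; the port 80 stream, by contrast, opens with a request line that a plaintext proxy can read.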
If using the BackTrack 5 thumb drive, remember that because there is no persistent file store defined, as soon as you shut down, any and all changes you made to the Linux installation will be lost and need to be repeated. I made a script that does most of the above tasks for me so I don't have to repeat them every time. I save the script as an email attachment so I can get to it through Firefox while in BackTrack 5. In other words, a permanent Linux install would be better if you have a machine available for it, or if you set up dual boot or VMware instead.