This video shows that with SSL encryption, it isn't secure. Proof of this is seen by showing a web based email (Google Mail) & online bank (PayPal) password.
Watch video on-line:
Download video: http://download.g0tmi1k.com/videos_archive/SSLStrip.mp4
- Performing a 'Man In The Middle' attack therefore all the traffic flows through the attacker.
- Picks out HTTP traffic from port 80 and then packet redirection / forwarding onto a different port.
- SSLStrip is then listening on that port and removes the SSL connection before passing it back to the user.
- ettercap then picks out the username & password.
All in BackTrack 4 Pre Final
Targets IP: 192.168.1.6
Gateway : 192.168.1.1
Home Page: http://www.thoughtcrime.org/software/sslstrip/index.html
Name: arpspoof (DSniff)
Home Page: http://www.monkey.org/~dugsong/dsniff/
Download Link: http://www.monkey.org/~dugsong/dsniff/dsniff-2.3.tar.gz
Home Page: http://ettercap.sourceforge.net/
Download Link: http://prdownloads.sourceforge.net/ettercap/ettercap-NG-0.7.3.tar.gz?download
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
- You could save the packets instead, and then look through it later, in case ettercap doesn't pick up the information you need!
Song: 16 Bit Lolitas - Nobody Seems To Care
Video length: 03:55
Capture length: 4:41
Blog Post: https://blog.g0tmi1k.com/2009/07/stripping-ssl-sniffing-https/