Clearly there are uses for this program far beyond merely harvesting credit card numbers and Facebook passwords, as most users of sslstrip will probably do. Imagine there's a password for, say, a secure network containing information that may be useful to people facing persecution. And imagine that some users of that network are lazy, unaware, and apt to sign in to the secure network at Starbucks. Well, if you're in the right place at the right time, sslstrip will allow you to get the log-in info for such a network.
Is that a little too vague? Here's a concrete example: an FBI agent logs in to his network from a laptop at a coffeeshop. An sslstrip user harvests his password, then logs in to the network to see whatever information is there. Or imagine the victim is an employee of a multinational corporation that does naughty things to trees or beagles. Or works for a private military firm. Or whatever.
Now imagine that those people are too cautious to log in at Starbucks. So instead of sitting in an overstuffed armchair while stealing their passwords, the attacker uses an antenna to access the wireless network in their building, cracks the code to their secure wireless network, and then harvests their password.
Or imagine the intended victim doesn't use a wireless network at all. Then the attacker has to put a piece of hardware between the target computer and the network. Which means they may need to use some social engineering to access the building within which the victim uses the computer, perhaps by posing as an electrician who has to fumble with a bunch of wires. And so on and so forth.
Those are just some of the possible scenarios. Of course using sslstrip in those ways is completely illegal and the C.S.A. strongly discourages and condemns such uses, along with illegal activity of any kind."
For researching and educational purposes, you can locate sslstrip here.

ORIGINAL SOURCE: Center For Strategic Anarchy