Is this a sslstripping attack?

asked 2021-01-30 12:15:48 +0000

Phato02

updated 2021-01-30 12:16:56 +0000

I was having connection problems with my laptop so I captured some packets. I'm having RST ACKs on port 443. What can cause this? I'm just curious.

Packet Capture File 1: https://easyupload.io/dwlf2v
Packet Capture File 2: https://easyupload.io/9mb5wu
Screenshot: https://prnt.sc/xv59ai


Comments

This is not an SSL stripping attack because in this case you would not see TLS connections.

Your client sends a FIN to the server to close the connection. This happens at different points in the captured conversations. All following packets from the servers are answered with an RST. It looks like only conversations to Google services/servers are affected.

Indeed, this happens really often in your captures. Due to the DNS requests it seems that you're using HTTPS Everywhere. Could you try whether it helps when you disable it temporarily?

Could you give us some more details about your connection problems?

JasMan ( 2021-01-31 13:43:10 +0000 )

First of all thanks for answering, I've disabled HTTPS Everywhere and tried capturing some packets. Here are the results. What my problem is, those RST packets happen so often that I can't even connect to the internet.

Phato02 ( 2021-01-31 19:58:32 +0000 )

Hey, your second captures look completely different.

Your client sends the RST in answer to a SYN-ACK from the server. And that's OK because there's no SYN from your client in the captures. Looks like your client tried to open the connection over another interface, or you're having another client in your network with the same IP address.

The TTL to some destinations varies too. Not sure what's causing this, but it could be a hint that something with your routing is wrong.

Where and how have you captured the packets? Could you provide us with the output of traceroute from your client to e.g. 8.8.8.8?

JasMan ( 2021-02-01 08:46:12 +0000 )
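As an added illustration (not code from this thread or from Wireshark), the script below applies the two reset patterns JasMan describes to a list of packet records: a RST sent after the client's own FIN (the first captures, a benign teardown), and a RST answering a SYN-ACK for which no client SYN was captured (the second captures, the hint towards another interface or a duplicate IP address). It also lists servers whose packets arrive with more than one TTL, the routing hint mentioned above. The packet tuples and addresses are constructed for the example; on a real capture the same tuples can be exported with tshark's `-T fields` output (field names assumed: ip.src, ip.dst, tcp.srcport, tcp.dstport, tcp.flags, ip.ttl).

```python
from collections import defaultdict

# Constructed packet records, not taken from the posted captures.
# Each record: (src, dst, sport, dport, flags, ttl); flags use the letters
# S (SYN), A (ACK), F (FIN), R (RST), P (PSH).
CLIENT = "10.0.0.5"
SAMPLE = [
    # Conversation 1: full handshake, client FIN, server keeps sending, client answers RST.
    (CLIENT, "142.250.1.1", 40000, 443, "S", 64),
    ("142.250.1.1", CLIENT, 443, 40000, "SA", 117),
    (CLIENT, "142.250.1.1", 40000, 443, "A", 64),
    (CLIENT, "142.250.1.1", 40000, 443, "FA", 64),
    ("142.250.1.1", CLIENT, 443, 40000, "PA", 117),
    (CLIENT, "142.250.1.1", 40000, 443, "R", 64),
    # Conversation 2: SYN-ACK arrives although this host never sent a SYN; client answers RST.
    ("142.250.1.2", CLIENT, 443, 40001, "SA", 117),
    (CLIENT, "142.250.1.2", 40001, 443, "R", 64),
    # Conversation 3: another SYN-ACK from the same server, but with a different TTL.
    ("142.250.1.2", CLIENT, 443, 40002, "SA", 54),
    # Conversation 4: a RST with no prior state at all.
    (CLIENT, "142.250.1.3", 40003, 443, "R", 64),
]


def flow_key(src, dst, sport, dport):
    """Direction-independent identifier for one TCP conversation."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def classify_resets(packets, client_ip):
    """Sort every RST sent by client_ip into one of three buckets.

    rst_after_own_fin          : client already closed; server kept talking (benign)
    rst_to_unsolicited_synack  : SYN-ACK answered with RST, but no client SYN was seen
    rst_other                  : resets the simple state model cannot explain
    """
    state = {}
    report = {"rst_after_own_fin": [], "rst_to_unsolicited_synack": [], "rst_other": []}
    for src, dst, sport, dport, flags, _ttl in packets:
        st = state.setdefault(
            flow_key(src, dst, sport, dport),
            {"client_syn": False, "server_synack": False, "client_fin": False},
        )
        from_client = src == client_ip
        if from_client and "S" in flags and "A" not in flags:
            st["client_syn"] = True
        elif not from_client and "S" in flags and "A" in flags:
            st["server_synack"] = True
        if from_client and "F" in flags:
            st["client_fin"] = True
        if from_client and "R" in flags:
            entry = (dst, dport, sport)
            if st["client_fin"]:
                report["rst_after_own_fin"].append(entry)
            elif st["server_synack"] and not st["client_syn"]:
                report["rst_to_unsolicited_synack"].append(entry)
            else:
                report["rst_other"].append(entry)
    return report


def ttl_variance(packets, client_ip):
    """Return {server_ip: sorted TTLs} for servers seen with more than one TTL."""
    seen = defaultdict(set)
    for src, _dst, _sport, _dport, _flags, ttl in packets:
        if src != client_ip:
            seen[src].add(ttl)
    return {src: sorted(ttls) for src, ttls in seen.items() if len(ttls) > 1}


if __name__ == "__main__":
    for bucket, entries in classify_resets(SAMPLE, CLIENT).items():
        print(f"{bucket}: {entries}")
    print("TTL variance:", ttl_variance(SAMPLE, CLIENT))
```

Only the second bucket points at the situation described in the comment above; a RST after the client's own FIN is the normal way a stack refuses data for a socket it has already closed.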

I captured the packets while connecting to Google on the wlan0 interface, and we've checked from the DHCP list that there aren't any clients on the local network with the same IP address.

Also I'm having so many keepalive requests too - Image, Capture

Here are the output results - https://filebin.net/0aff3do9y3zsbuo1

Phato02 ( 2021-02-01 12:09:08 +0000 )

The keepalives are OK. They're just info from your client or the server that it's still there, to prevent the session from being closed due to a timeout. To be honest I've no more ideas what causes this. I would suggest isolating the issue.

  • Does it happen to all of your clients in your network? If yes, there must be a common reason. Router?
  • Have you tried it with different browsers? Are they all affected?
  • I saw a connection to parrotsec.org. Are you using Parrot OS and have played around with the security tools? If yes, maybe a reset of all settings or a fresh installation will help to resolve the issue.

JasMan ( 2021-02-04 20:47:31 +0000 )