best way to sniff http and https websites
its not tough to hijack / capture / sniff wifi traffic on almost any network as long as you are connected to it. once you apply all the correct tricks, all future traffic for wifi clients i.e. laptops, mobiles will be routed from your pc, giving you every bit of information about what others are doing on the network.

how to hijack/capture/ sniff http traffic

we will be using arp and iptables on a linux machine to accomplish most of the stuff. it’s an easy and fun way to harass your friends, family, or flatmates while exploring the networking protocols.

warning:- do not attempt to do this on a public wifi or a corporate wifi. doing so could lead you to serious consequences. in no way is taranfx or hack community responsible for any harms. this is solely intended for fun @ home.

lets take 3 pcs into reference for our activity:

* real gateway router: ip address, mac address 48:5d:34:aa:c6:aa
* fake gateway: a laptop pc called hacker-laptop, ip address, mac address c0:30:2b:47:ef2:74
* victim: a laptop on wireless called victim-laptop, ip address, mac address 00:23:6c:8f:3f:95

the gateway router, like most modern routers, is bridging between the wireless and wired domains, so arp packets get broadcast to both domains.

step 1: enable ipv4 forwarding

unless ip forwarding is enabled, hacker-laptop won’t receive all the network traffic because the networking subsystem is going to ignore packets that aren’t destined for us. so step 1 is to enable ip forwarding. to enable it, set a non zero value like:

[email protected]:~# echo 1 > /proc/sys/net/ipv4/ip_forward

step 2: set routing rules

we want to set rules so that all traffic routes through hacker-laptop, acting like a nat router. just like a typical nat, it would rewrite the destination address in the ip packet headers to be its own ip address.

this can be done as follows:

[email protected]:~$ sudo iptables -t nat -a prerouting \
> -p tcp –dport 80 -j netmap –to

the iptables command has 3 components:

* when to apply a rule (-a prerouting)
* what packets get that rule (-p tcp –dport 80)
* the actual rule (-t nat … -j netmap –to

what above command does: if you’re a tcp packet destined for port 80 (http traffic), actually make my address,, the destination, natting both ways so this is transparent to the source.”

step 3: adding ip address to interface

the networking subsystem will not allow you to arp for a random ip address on an interface — it has to be an ip address actually assigned to that interface:

[email protected]:~$ sudo ip addr add dev eth0

and verify that the original ip address, and the gateway address

[email protected]:~$ ip addr

3: eth0: mtu 1500 qdisc noqueue state unknown
link/ether c0:30:2b:47:ef2:74 brd ff:ff:ff:ff:ff:ff
inet brd scope global eth0
inet scope global secondary eth0
inet6 fe80::230:1bff:fe47:f274/64 scope link
valid_lft forever preferred_lft forever

step 4: responding to http requests
hacker-laptop would need a http server setup. it could be any damn server, i used apache for ease of use. here you can get creative, e.g. respond with random pages for specific urls or define a local url e.g.

step 5: test pretending to be the gateway

most of the things are already done and our hacker-laptop is ready to pretend as the wifi gateway, but the trouble is convincing victim-laptop that the mac address for the gateway has changed, to that of hacker-laptop.

the solution is to send a gratuitous arp, which says "i know nobody asked, but i have the mac address for”. machines that hear that gratuitous arp will replace an existing mapping from to a mac address in their arp caches with the mapping advertised in that gratuitous arp.
there are lots of command line utilities and bindings in various programming language that make it easy to issue arp packets. i used the arping tool:

[email protected]:~$ sudo arping -c 3 -a -i eth0

we’ll send a gratuitous arp reply (-a), three times (-c -3), on the eth0 interface (-l eth0) for ip address

this can be then verified on the victim’s machine using "arp -a” command

bingo! victim-laptop now thinks the mac address for ip address is 0:30:1b:47:f2:74, which is hacker-laptop’s address.if i try to browse the web on victim-laptop, i am served the resource matching the rules in hacker-laptop’s web server.

that means all of the non-http traffic associated with viewing a web page still happens as normal. in particular, when hacker-laptop gets the dns resolution requests for, the test site i visited, it will follow its routing rules and forward them to the real router, which will send them out to the internet:

the fact is that hacker-laptop has rerouted and served the request is totally transparent to the client at the ip layer and victim-laptop has no clue.

undo the changes

so, you had enough fun and wish to revert? here we go:

[email protected]:~$ sudo ip addr delete dev eth0

[email protected]:~$ sudo iptables -t nat -d prerouting -p tcp –dport 80 -j netmap –to

to get the client machines to believe the router is the real gateway, you might have to clear the gateway entry from the arp cache with arp -d, or bring your interfaces down and back up.

hacking https websites

if you want to sniff websites having https environment then you should try ssl strip it helps you to sniff https sites. like gmail yahoo and facebook.


tar zxvf sslstrip-0.9.tar.gz
cd sslstrip-0.9
(optional) sudo python ./ install
running sslstrip

flip your machine into forwarding mode. (echo "1" > /proc/sys/net/ipv4/ip_forward)

setup iptables to redirect http traffic to sslstrip. (iptables -t nat -a prerouting -p tcp --destination-port 80 -j redirect --to-port <listenport>)

run sslstrip. ( -l <listenport>)

run arpspoof to convince a network they should send their traffic to you. (arpspoof -i <interface> -t <targetip> <gatewayip>)