SSLStrip is a tool for executing Man-In-The-Middle attacks.  It allows you to steal HTTPS/SSL traffic, including usernames and passwords.  The only information you need to know about your victim in order to attack is their internal IP address, and the gateway address of the network you are on (which means you need to be on the same network as the victim to do this — A tutorial on hijacking wifi passwords coming soon).

I will be using BackTrack Linux as the attacker and Windows XP as the victim.  Both are virtual machines.

First, run ifconfig and take note of what network interface you are currently using.  In the screenshot below (figure 1.1), my network interface is eth2.

Now let's make sure that IP forwarding is enabled (you need to be root).

echo 1 > /proc/sys/net/ipv4/ip_forward

And now verify that it worked.

cat /proc/sys/net/ipv4/ip_forward

This should return 1.

Next, run arpspoof.  As the name suggests, it is an ARP spoofing tool.  Use “-i <network interface>”, followed by “-t <target>” (your victim’s internal IP), and finally specify the IP of the internet gateway.  You will see ARP traffic start to stream in the terminal window, as shown below (figure 1.2).

arpspoof -i eth2 -t <victim IP> <gateway IP>

Now, in a new terminal window (don’t close arpspoof!) issue an iptables command.  iptables configures the Linux kernel’s IPv4 packet filtering and NAT tables; this rule redirects incoming TCP port 80 traffic to local port 10000, where SSLStrip will listen.  I won’t go into any more detail for now.

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000

And finally, run SSLStrip.  We will use “-w <output file>” to specify a file to write the captured data to.

python sslstrip.py -w output.dmp

Everything is now set up, and any HTTPS/SSL web browsing that the victim does will be dumped to the output file we specified when we started it.  That’s about all you need to know! Now go out there and get hacking!

Here’s some sample output from SSLStrip; notice the username and password in plaintext at the end of the string.

Now on the victim, I went to before executing sslstrip.  Once I started it, I signed in.  Very few people would notice this, or be wary if they noticed it, but traffic will now appear to the victim as HTTP.  SSLStrip re-encrypts the traffic before forwarding it on to the server, since servers like Gmail and PayPal don’t accept plain HTTP.

Here’s a visual representation of before and during an attack.

Illustrated in the picture below is one sign that you are being MITM’d.  While connecting to Gmail, your browser will show that you are using HTTP.  It attempted HTTPS/SSL but was unable to make the connection, so unsecured HTTP is forced.  Only a conscious and educated victim will identify this as suspicious, and of those people only the bored will care to investigate it.

Another way to tell that you are being MITM’ed is that the gateway’s entry in your ARP table will change to the hacker’s machine.  Here’s a screenshot of the “arp -a” command being issued on the victim before and then during the attack.
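One way to automate the ARP check described above, as an added example that is not part of the original post: it parses two snapshots of Windows “arp -a” output (constructed samples, with the gateway assumed to be 192.168.1.1) and flags the gateway’s hardware address changing or being shared with another host.

```python
import re
from collections import defaultdict

# Constructed sample "arp -a" output in Windows XP format (not from the
# original post's screenshots). The assumed gateway is 192.168.1.1.
BEFORE = """\
Interface: 192.168.1.105 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.120         aa-bb-cc-dd-ee-ff     dynamic
"""

# During ARP spoofing the gateway entry is overwritten with another host's
# MAC, so two IP addresses now share one physical address.
DURING = """\
Interface: 192.168.1.105 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.120         aa-bb-cc-dd-ee-ff     dynamic
"""

ENTRY = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)

def parse_arp(text):
    """Map IP -> lowercase MAC from 'arp -a' output; skips interface/header lines."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def check_gateway(before, during, gateway):
    """Return a list of findings; an empty list means nothing suspicious."""
    old, new = parse_arp(before), parse_arp(during)
    findings = []
    if gateway in old and gateway in new and old[gateway] != new[gateway]:
        findings.append(f"gateway {gateway} MAC changed {old[gateway]} -> {new[gateway]}")
    by_mac = defaultdict(list)  # MAC -> list of IPs claiming it
    for ip, mac in new.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if gateway in ips and len(ips) > 1:
            others = [ip for ip in ips if ip != gateway]
            findings.append(f"gateway {gateway} shares MAC {mac} with {', '.join(others)}")
    return findings

if __name__ == "__main__":
    for finding in check_gateway(BEFORE, DURING, "192.168.1.1"):
        print("ALERT:", finding)
```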

One of the arts of SSLStrip attacks is the social engineering aspect.  You must gather recon on a potential victim and try to discern when they might be using their computer and on what networks they will be on.

Thanks for reading!