Project 21: Hijacking HTTPS Sessions with SSLstrip (15 pts.)

What You Need for This Project

Goal

The Attacker will serve as a proxy, converting secure HTTPS sessions to insecure HTTP ones. This will not be obvious to the user.

Get Firefox

If you don't have firefox, go here and install it:

http://getfirefox.com

Opening Bing on the Target Machine

On your Target machine, open Firefox and go to

http://bing.com

On the top right, click "Sign in". Click "Microsoft account".

The page moves to an HTTPS page, as shown below. It's still vulnerable to this attack because the first step is not secure.

Starting the Linux Attacker Machine

Start a Linux virtual machine. That will be your Attacker machine. Use Bridged networking mode.

Open a browser on your Attacker machine and make sure you can connect to the Internet.

Open a Terminal on your Attacker machine, type this command, and press Enter:

ifconfig
Write your IP address down--you will need it later.

Testing Networking

On the Target machine, open a Command Prompt and ping the Attacker Linux machine. If you get replies, everything is OK. If not, you will need to troubleshoot your network settings before proceeding.

Downloading SSLstrip

On the Attacker Linux machine, in a Terminal window, type these commands, pressing Enter after each one:
cd

curl https://moxie.org/software/sslstrip/sslstrip-0.9.tar.gz > sslstrip-0.9.tar.gz

tar xzf sslstrip-0.9.tar.gz

cd sslstrip-0.9

more README

Troubleshooting

If the thoughtcrime link doesn't work, use these commands to get a copy from my server:
curl -k https://samsclass.info/123/proj10/sslstrip-0.9.tar.gz > sslstrip-0.9.tar.gz

tar xvf sslstrip-0.9.tar.gz

cd sslstrip-0.9

more README

Read through the instructions—that's a quick summary of what we are doing here. When you are done, press Ctrl+Z to close "more".

Starting IP Forwarding on the Attacker Machine

On the Attacker Linux machine, in a Terminal window, type these commands, pressing Enter after each one:
cp /etc/sysctl.conf /etc/sysctl.conf.bak

nano /etc/sysctl.conf

This opens the sysctl.conf file in the pico editor.

Scroll down and find the line that says "#Uncomment the next line to enable packet forwarding for IPv4". Remove the # at the start of the next line, as shown below on this page:

Press Ctrl+X, Y, Enter to save the file.

Setting iptables to redirect HTTP requests

On the Attacker Linux machine, in a Terminal window, type this command. Then press the Enter key:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

iptables -t nat -L

You should see one rule in the PREROUTING chain, as shown below on this page:

Check it carefully. If you find any mistake, use this command to delete the rule: iptables -t nat -D PREROUTING 1 and then repeat the commands above to re-create it without the error.

Starting sslstrip

On the Attacker Linux machine, in a Terminal window, type this commands, and then press Enter:
python sslstrip.py -h
A help message appears, showing the options. There aren't many of them.

On the Attacker Linux machine, in a Terminal window, type this command. Then press the Enter key.

python sslstrip.py -p -l 8080
This starts sslstrip collecting data. It writes the data into a file named sslstrip.log. Leave this Terminal window open.

Starting the Logfile Scanner

On your Attacker machine, open a new Terminal window. Execute these commands:
cd

cd sslstrip-0.9

tail -f sslstrip.log

This command shows the passwords and other data captured by sslstrip. For now, it shows an empty window, as shown below:

Leave this Terminal window open.

Setting the Target Machine to Use a Proxy Server

In a real attack, we would redirect traffic by ARP poisoning. But for this project, we'll just set the proxy within Firefox. That makes the project easier to do, because it won't affect other machines in the lab.

On the Target machine, in Firefox, at the top right, click the icon with three horizontal lines.

Click Preferences.

On the left side, click Advanced.

On the right side, at the top, click Network.

Click the Settings... button.

Click the "Manual proxy configuration" button. In the "HTTP Proxy" line, enter the IP address of your Kali machine and port 8080, as shown below. Then click OK.

Opening the Bing Page Again on the Target Machine

In Firefox, go to

http://bing.com

On the top right, click "Sign in". Click "Microsoft account".

The page won't load, because Microsoft finally fixed the problem, on or around May 1, 2017.

Opening Barracuda Networks

Barracudanetworks.com is still vulnerable, however.

In Firefox, go to

http://barracudanetworks.com

On the top right, click "Customer Login", as shown below.

The login page opens over HTTP, as shown below.

Notice that Firefox now warns the user that this is insecure, as of 10-5-17

Capturing a Password

Log in with these credentials:

YOURNAME
YOURNAME-SECRET-PASSWORD

(Replace YOURNAME with your own name.)

You won't be able to log in, but your password will be exposed to theft.

Viewing the Stolen Passsord

On the Attacker machine, in the logfile scanner window, press Ctrl+C. Find the captured username and password and highlight them, as shown below. You may have to scroll up.

Troubleshooting

Websites seem to change their security settings every few days, so this attack works one day, and fails the next day. If Salesforce isn't vulnerable, try these sites, which were vulnerable when I tested them on 10-5-17:

Other Vulnerable Sites

Constant Contact

http://constantcontact.com

Apache

http://donate.apache.org

ADP

http://adp.com

Find a page that is secure normally, but that loads over HTTP in Firefox when proxying through SSLstrip. Steal a password from that page and take a screen shot.

Saving a Screen Image

Make sure the Terminal window is visible, showing at a captured password.

Save a whole-desktop image with the filename "Your Name Proj 21".

Turning in Your Project

Email the image to cnit.123@gmail.com as an attachment to an e-mail message. Use a subject line of "Proj 21 From Your Name", replacing "Your Name" with your own first and last name. Send a Cc to yourself.

Removing the Proxy Server on the Target Machine

On the Target machine, in Firefox, at the top right, click the icon with three horizontal lines.

Click Preferences.

On the left side, click Advanced.

On the right side, at the top, click Network.

Click the Settings... button.

Click the "No proxy" button. Then click OK.

Credits

I am grateful to Moxie Marlinspike for writing sslstrip and presenting it at Black Hat.

Last revised 10-5-17 by Sam Bowne