Using SSLStrip in Kali Linux

September 8, 2015 | Views: 60716


This tutorial will teach you how to use SSLStrip in Kali Linux. SSLStrip is used to hijack secured HTTPS traffic and sniff the contents of this traffic.

You’ll need to download Kali Linux, which contains the SSLStrip utility in the standard image. Kali can be installed in a hypervisor, as a stand-alone OS or can be run as a live OS.

Find the Gateway IP Address

Start Kali Linux and open the terminal. You’ll need to identify the IP address of both the gateway router and the victim machine. You can easily identify the gateway IP address by running route -n, which lists the gateway IP address under the Gateway column.

Find the Victim IP Address

If you don’t already know the IP of your victim, you can find live hosts on the network using nmap. You may want to use the IP class of the gateway as a guide to determine what IP format to pass to nmap (if you’re connected to the network, you can also use your own IP to determine the type of address you need).

In this example, we’ll use a gateway IP that begins with 192.168, which is a standard APIPA address for a Class C network running on a /24 subnet. This nmap scan will run through all possible host IP addresses and return only the IP and MAC address of live hosts:

nmap -sP 192.168.1.0/24

Modify iptables

The object of this step is to route traffic inbound to Kali to the port that SSLStrip will be running on, which is port 1000 (the port does not have to be 1000; you can select a different one, but if you do, make sure you do not select a well-known port). With arpspoof running in two terminal windows (see "Establish a MITM" below), open a third terminal and run the following iptables command:

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1000

Note the double dashes before destination-port and to-port.

Establish a MITM

Now that you know the gateway and victim IP address, you need to insert your Kali machine between the two as a man in the middle. The first step to accomplish this is to configure your Kali machine to forward ports. Run the command:

echo 1 > /proc/sys/net/ipv4/ip_forward

This sets ip_forward to 1, which enables port forwarding. If you set it to 0, Kali will not forward ports. If you set it to 0 after completing the following steps, you will DoS (aka “sinkhole”) any traffic originating from your victim that would need to cross a router. This includes internet requests. In a larger network, it may also include traffic that passes between subnets.

The next step is to use the arpspoof utility. Arpspoof tricks your victim into believing that you are the gateway, when you’re actually just another machine on the network.

A Word of Warning

This should be relatively transparent to your victim because you are forwarding ports. However, a clever victim will be able to see the attack, if they’re monitoring for changes in their ARP table. With no man in the middle present, a Windows user could use the command arp -a [gateway IP] to see the MAC address of their router. If a man in the middle is present, the IP address the victim is using for the gateway would not change, but the MAC address returned would be the attacker’s. A clever attacker could determine the MAC address of the gateway and change their Kali interface MAC address to mimic the gateway so this would not be seen by the victim.
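The ARP-table check described above can be scripted on the potential victim's side. The following is an added example, not code from the tutorial: a POSIX shell script that reads the Linux neighbour table (the output of ip -4 neigh show) and alerts when the gateway's cached MAC differs from a known-good value, or when one MAC address is cached for more than one IP address, which are the two symptoms of the spoofing described here. The neighbour-table lines and MAC addresses in it are constructed sample data, and the known-good gateway MAC is assumed to have been recorded earlier while the network was trusted.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): a defender-side check for
# the ARP-cache symptoms the article describes. It reads the Linux neighbour
# table (the output of `ip -4 neigh show`) and raises an alert when
#   1. the gateway's cached MAC differs from a known-good value recorded
#      while the network was trusted, or
#   2. one MAC address is cached for more than one IP address.
# The neighbour tables and MAC addresses below are constructed sample data.

# Sample table as it might look while a man in the middle is active: the
# gateway and another host both resolve to the same (made-up) MAC.
POISONED_NEIGH='192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
192.168.1.50 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE
192.168.1.20 dev eth0 lladdr 11:22:33:44:55:66 REACHABLE
192.168.1.99 dev eth0 FAILED'

# Sample table for the same network while nothing is wrong.
CLEAN_NEIGH='192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr 11:22:33:44:55:66 REACHABLE
192.168.1.99 dev eth0 FAILED'

# Gateway MAC recorded earlier (constructed value for this example).
KNOWN_GATEWAY_MAC='00:11:22:33:44:55'

# gateway_mac TABLE GATEWAY_IP: print the MAC currently cached for the gateway.
# Entries without an lladdr field (for example FAILED ones) are skipped.
gateway_mac() {
    printf '%s\n' "$1" | awk -v gw="$2" '$1 == gw && $4 == "lladdr" { print $5; exit }'
}

# duplicate_macs TABLE: print every MAC that is cached for more than one IP.
duplicate_macs() {
    printf '%s\n' "$1" | awk '$4 == "lladdr" { seen[$5]++ }
        END { for (m in seen) if (seen[m] > 1) print m }'
}

# check_arp_cache TABLE GATEWAY_IP KNOWN_MAC: print one ALERT line per finding
# and a summary line; always exits 0 so it can run from cron or a loop.
check_arp_cache() {
    table="$1"; gw_ip="$2"; known="$3"; alerts=0
    current=$(gateway_mac "$table" "$gw_ip")
    if [ -n "$current" ] && [ "$current" != "$known" ]; then
        echo "ALERT: gateway $gw_ip now resolves to $current (expected $known)"
        alerts=$((alerts + 1))
    fi
    for mac in $(duplicate_macs "$table"); do
        echo "ALERT: MAC $mac is cached for more than one IP address"
        alerts=$((alerts + 1))
    done
    echo "summary: $alerts alert(s)"
}

# Stand-alone run against both samples; on a live host replace the table
# argument with "$(ip -4 neigh show)".
check_arp_cache "$POISONED_NEIGH" 192.168.1.1 "$KNOWN_GATEWAY_MAC"
check_arp_cache "$CLEAN_NEIGH" 192.168.1.1 "$KNOWN_GATEWAY_MAC"
```

Run it periodically against the live table and compare with a gateway MAC recorded while the network was trusted; on Windows the equivalent source is arp -a, as the text notes, but the field layout differs. If an attacker clones the gateway's MAC onto their own interface, the first check stays quiet, and the second check only fires when the victim's cache also holds an entry for the attacker's own IP, so the two checks complement rather than replace each other.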

To use arpspoof, the syntax is:

arpspoof -i eth0 -t [victim IP] [gateway IP]

The -i flag indicates what network interface to send the ARP packets on. In this case, the interface is eth0, which is the norm for a LAN (ethernet) port. -t signifies the target IP address.

The terminal will begin showing ARP pings continuously until you elect to end the spoofing attack by using Ctrl + C.

You’ve completed half the man in the middle. To finish, open a second terminal window and use the same command as above, except reverse the order of the IP addresses. This will trick the router into believing that you are the device requesting internet resources.

Deliver the Exploit

Select Applications → Kali Linux → Information Gathering → SSL Analysis → sslstrip

This spawns a fourth terminal window.

Enter the command:

sslstrip -w filename.txt -l 1000

This will start SSLStrip and write the results to a file you specify. Be sure to specify the extension of the file. The -l switch identifies the port SSLStrip will be listening on, which we set as 1000 in the previous step. You’re now collecting the internet traffic for websites your target visits and decrypting the HTTPS traffic on the fly while saving the results to a file for review later. The default location for the file is under Kali’s Home folder.

  1. Your victim uses 192.168.1.1 as the default gateway and doesn’t notice the MAC address change because you’ve poisoned the ARP table.
  2. The victim sends requests to the Kali machine.
  3. The Kali attacker runs SSLStrip on all these packets and decrypts them; then saves the results to a file.
  4. Decrypted packets are forwarded to the actual gateway router.
  5. The router makes the internet request and returns the results to the Kali attacker.
  6. Kali decrypts and forwards the results to the victim IP address.

Another Word of Warning

The moment you launch SSLStrip in the previous command, your victim’s internet browsing will become extremely slow for two reasons:

  1. There’s now an extra step in the route between your victim and the actual gateway, as your attack machine is forwarding traffic back and forth between the gateway and the victim.
  2. SSLStrip is a decrypt process and, therefore, resource-intensive on your attacker machine. Your attacker will delay the forwarded traffic in addition to it being an extra step in the route. This will be noticeable by your victim and may prompt a restart (which may change the IP address of the victim and kill the attack). Depending on the environment, this may also trigger a call to tech support or an investigation into the cause of the slowdown.

I’ve also seen this attack trigger 403 errors on the victim’s machine, which will alert the target that something’s wrong (this seems to occur when a remote server forces a higher-grade TLS connection). You may be able to capture a username and password, nonetheless. Usually the pertinent information is located at the bottom of the entry in the file you save the data to. It can be seen in parameters such as user= and passwd=.

Thanks!

3 Comments
  1. It’s not working on Kali Rolling 2016.1
    All the commands execute properly, but when I run the final exploit delivery command it neither shows anything nor makes any logs…
    What should I do?

  2. excellent,
    thank you

  3. To mitigate this, you can use HSTS. Using Strict-Transport-Security header, you can’t forward this traffic through HTTP protocol.

    E.g.

    Apache: Inside VirtualHost tags:

    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

    # 301
    Redirect permanent / https://example.com/

    If you can’t use 301, you can use rewrite module as follow:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

    Nginx:

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
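The Apache and Nginx snippets in the comment above configure HSTS. The following added example (not from the article or the commenter) checks, from the site operator's side, that a server response actually carries a Strict-Transport-Security header with a sufficiently long max-age. It is a POSIX shell script that works over a saved header block, such as the output of curl -sI https://example.com/; the three header blocks embedded in it are constructed samples so that it runs offline, and the one-year threshold is this example's own choice.

```shell
#!/bin/sh
# Added example (not from the article or the comment above): verify that a
# site sends the Strict-Transport-Security policy the comment's Apache/Nginx
# snippets configure. The input is a block of HTTP response headers captured
# beforehand, for example with:
#   curl -sI https://example.com/ > headers.txt
# Three constructed header blocks are embedded so the script runs offline.

GOOD_HEADERS='HTTP/1.1 200 OK
Date: Tue, 08 Sep 2015 12:00:00 GMT
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Type: text/html'

WEAK_HEADERS='HTTP/1.1 200 OK
strict-transport-security: max-age=300
Content-Type: text/html'

NO_HSTS_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html'

# Policies shorter than this (one year, in seconds) are reported as weak.
# The threshold is this example's choice, not a value from the page.
MIN_MAX_AGE=31536000

# hsts_max_age HEADERS: print the max-age value, or nothing if the header is
# absent. Header names are case-insensitive, so the name is lowercased.
hsts_max_age() {
    printf '%s\n' "$1" | tr -d '\r' | awk -F': ' '
        tolower($1) == "strict-transport-security" {
            n = split($2, part, ";")
            for (i = 1; i <= n; i++) {
                d = part[i]
                gsub(/^[ \t]+|[ \t]+$/, "", d)
                if (tolower(substr(d, 1, 8)) == "max-age=") { print substr(d, 9); exit }
            }
        }'
}

# hsts_includes_subdomains HEADERS: print yes or no.
hsts_includes_subdomains() {
    printf '%s\n' "$1" | tr -d '\r' | awk -F': ' '
        tolower($1) == "strict-transport-security" && tolower($2) ~ /includesubdomains/ { found = 1 }
        END { print (found ? "yes" : "no") }'
}

# hsts_verdict HEADERS: print "missing", "weak" or "ok".
hsts_verdict() {
    age=$(hsts_max_age "$1")
    if [ -z "$age" ]; then
        echo missing
    elif [ "$age" -lt "$MIN_MAX_AGE" ]; then
        echo weak
    else
        echo ok
    fi
}

# Stand-alone run over the samples; on a real capture use:
#   hsts_verdict "$(cat headers.txt)"
for h in "$GOOD_HEADERS" "$WEAK_HEADERS" "$NO_HSTS_HEADERS"; do
    echo "verdict=$(hsts_verdict "$h") subdomains=$(hsts_includes_subdomains "$h")"
done
```

Browsers only honour the header when it arrives over HTTPS, and only after a first successful HTTPS visit (or through the preload list), so a user's very first plain-HTTP request is still exposed; that is why the comment pairs the header with a redirect from HTTP to HTTPS.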
