Using SSLStrip in Kali Linux
Scan the network
nmap -sP 192.168.1.0/24
This ping sweep lists the live hosts on the local subnet so you can pick out the gateway and the victim (-sP is the older spelling of -sn; current nmap accepts both). Adjust the range to match your network and note the two addresses, because every step below depends on them.

Establish a MITM
Now that you know the gateway and victim IP addresses, you need to insert your Kali machine between the two as a man in the middle. The first step is to configure Kali to forward packets that are not addressed to it. Run the command:
echo 1 > /proc/sys/net/ipv4/ip_forward
This sets ip_forward to 1, which turns on IP forwarding (passing packets on towards other hosts). At 0, Kali silently drops anything it receives for another destination. If you set it back to 0 while the ARP spoofing below is still running, you will DoS (aka "sinkhole") any traffic from the victim that has to cross the router. That includes all internet requests and, in a larger network, traffic between subnets. Stop the spoofing first, then turn off forwarding.
The next step is the arpspoof utility. Arpspoof sends forged ARP replies that make the victim believe your Kali machine's MAC address belongs to the gateway IP, when you are actually just another host on the segment.

A Word of Warning
The attack should be relatively transparent to the victim because you are forwarding their traffic on. However, an alert victim can see it if they monitor their ARP table. With no man in the middle present, a Windows user could run arp -a [gateway IP] to see the MAC address of their router. With a man in the middle present, the gateway IP the victim uses does not change, but the MAC address returned is the attacker's, and if the attacker's own IP is also in the table, two IPs now share one MAC. An attacker could determine the gateway's real MAC and set the Kali interface to the same address to hide this, but two hosts with one MAC on the same switched segment make the switch's forwarding table flap between ports, which disrupts traffic and is itself detectable.
To use arpspoof, the syntax is:
arpspoof -i eth0 -t [victim IP] [gateway IP]
The -i flag gives the network interface to send the ARP packets on; eth0 is the usual name for the wired LAN port. -t is the target whose ARP cache you are poisoning, and the final argument is the IP address you are claiming to be. The terminal prints the forged ARP replies continuously (they are re-sent so the victim's cache never falls back to the real entry) until you end the attack with Ctrl + C; on exit arpspoof re-announces the genuine mapping so the victim recovers.
That is half the man in the middle. To finish, open a second terminal window and run the same command with the two IP addresses swapped. This makes the router believe your MAC belongs to the victim's IP, so the replies coming back from the internet are delivered to you rather than to the victim.

Modify iptables
The object of this step is to redirect the victim's web traffic, which now arrives at Kali, to the port SSLStrip will listen on, which is 1000 in this guide. The port does not have to be 1000; if you pick another, avoid the well-known range below 1024, and note that SSLStrip's own default is 10000. With arpspoof running in two terminal windows, open a third and run:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1000
Note the double dashes before destination-port and to-port (the option documented in the iptables manual is --to-ports; --to-port is accepted as an unambiguous abbreviation). The rule sits in the nat table's PREROUTING chain, so it catches forwarded packets before the routing decision. Only port 80 is redirected: a connection the victim opens directly to port 443 is forwarded untouched and SSLStrip never sees it.

Deliver the Exploit
Select Applications → Kali Linux → Information Gathering → SSL Analysis → sslstrip. This spawns a fourth terminal window. Enter the command:
sslstrip -w filename.txt -l 1000
This starts SSLStrip and writes what it captures to the file you name (without -w it writes sslstrip.log). The -l switch is the port SSLStrip listens on, which we set to 1000 in the iptables rule. SSLStrip does not decrypt anything: it watches the victim's plaintext HTTP traffic for links and redirects to https:// URLs, rewrites them to http:// before they reach the browser, and makes the HTTPS connection to the real server itself. The victim's browser therefore never negotiates TLS, so any form data it submits, including credentials, reaches Kali in the clear and is logged. For the same reason the attack only works when the victim starts from an HTTP page, for example by typing a domain with no scheme into the address bar; a site the browser already knows as HSTS, or one on its preloaded HSTS list, is requested over HTTPS directly and never appears on port 80. The log file is written in the directory the terminal was opened in, by default Kali's Home folder.
- Your victim uses 192.168.1.1 as the default gateway and doesn't notice that the MAC address behind it has changed, because you've poisoned its ARP table.
- The victim sends its HTTP requests to the Kali machine, believing it to be the gateway.
- The iptables rule hands the port-80 traffic to SSLStrip, which logs the plaintext, rewrites https:// links and redirects in the responses to http://, and saves the results to a file.
- SSLStrip passes the requests on to the actual gateway router, opening HTTPS connections to the server itself wherever the original site used them; traffic it does not touch is routed by the kernel's forwarding.
- The router makes the internet request and returns the results to the Kali attacker, whose MAC it now associates with the victim's IP.
- Kali strips the HTTPS from the response and forwards it to the victim IP address.
- There is now an extra hop between your victim and the actual gateway, as your attack machine is forwarding traffic back and forth between the two.
- SSLStrip terminates TLS to the upstream server on behalf of the victim and rewrites every page it proxies, so it adds latency on top of the extra hop. The victim may notice the slowdown and reboot (which can change the victim's IP via DHCP and kill the attack) or, depending on the environment, call tech support and prompt an investigation into the cause.