This tutorial will teach you how to use SSLStrip in Kali Linux. SSLStrip is used to hijack secured HTTPS traffic and sniff the contents of this traffic.You'll need to download Kali Linux, which contains the SSLStrip utility in the standard image. Kali can be installed in a hypervisor, as a stand-alone OS or can be run as a live OS.
Find the Gateway IP Address
Start Kali Linux and open the terminal. You'll need to identify the IP address of both the gateway router and the victim machine. You can easily identify the gateway IP address by running the command, route -n, which returns the gateway IP address under the Gateway column.
Find the Victim IP Address
If you don't already know the IP of your victim, you can find live hosts on the network using nmap. You may want to use the IP class of the gateway as a guide to determine what IP format to pass to nmap (if you're connected to the network, you can also use your own IP to determine the type of address you need).In this example, we'll use a gateway IP that begins with 192.168, which is a standard APIPA address for a Class C network running on a /24 subnet. This nmap scan will run through all possible host IP addresses and return only the IP and MAC address of live hosts:
nmap -sP 192.168.1.0/24
The object in this step is to route traffic inbound to Kali to the port that SSLStip will be running on, which is port 1000 (this port does not have to be 1000 - you can select a different one but if you do, make sure you do not select a well-known port). With our arpspoof running in two terminal windows, we need to open a third terminal. Use the following command for iptables:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1000
Note the double dashes before destination-port and to-port.Establish a MITMNow that you know the gateway and victim IP address, you need to insert your Kali machine between the two as a man in the middle. The first step to accomplish this is to configure your Kali machine to forward ports. Run the command:
echo 1 > /proc/sys/net/ipv4/ip_forward
This modifies ip_forward to a 1 which enables port forwarding. If you set it to 0, then Kali will not forward ports. If you set this to 0 after the following steps, you will DOS (aka “sinkhole”) any traffic originating from your victim that would need to cross a router. This includes internet requests. In a larger network, it may also include traffic that passes between subnets.The next step is to use the arpspoof utility. Arpspoof tricks your victim into believing that you are the gateway, when you're actually just another machine on the network.
A Word of Warning
This should be relatively transparent to your victim because you are forwarding ports. However, a clever victim will be able to see the attack, if they're monitoring for changes in their ARP table. With no man in the middle present, a Windows user could use the command arp -a [gateway IP] to see the MAC address of their router. If a man in the middle is present, the IP address the victim is using for the gateway would not change, but the MAC address returned would be the attacker's. A clever attacker could determine the MAC address of the gateway and change their Kali interface MAC address to mimic the gateway so this would not be seen by the victim.To use arpspoof, the syntax is:
arpspoof -i eth0 -t [victim IP] [gateway IP]
The -i flag indicates what network interface to send the ARP packets on. In this case, the interface is eth0, which is the norm for a LAN (ethernet) port. -t signifies the target IP address.The terminal will begin showing ARP pings continuously until you elect to end the spoofing attack by using Ctrl + C.You've completed half the man in the middle. To finish, open a second terminal window and use the same command as above, except reverse the order of the IP addresses. This will trick the router into believing that you are the device requesting internet resources.
Deliver the Exploit
Select Applications → Kali Linux → Information Gathering → SSL Analysis → sslstrip
This spawns a 4th terminal window.
Enter the command:
sslstrip -w filename.txt -l 1000
This will start SSLStrip and write the results to a file you specify. Be sure to specify the extension of the file. The -l switch identifies the port SSLStrip will be listening on, which we set as 1000 in the previous step. You're now collecting the internet traffic for websites your target visits and decrypting the HTTPS traffic on the fly while saving the results to a file for review later. The default location for the file is under Kali's Home folder.
- Your victim uses 192.168.1.1 as the default gateway and doesn't notice the MAC address change because you've poisoned the ARP table.
- The victim sends requests to the Kali machine.
- The Kali attacker runs SSLStrip on all these packets and decrypts them; then saves the results to a file.
- Decrypted packets are forwarded to the actual gateway router.
- The router makes the internet request and returns the results to the Kali attacker.
- Kali decrypts and forwards the results to the victim IP address.
Another Word of Warning
The moment you launch SSLStrip in the previous command, your victim's internet browsing will become extremely slow for two reasons:
- There's now an extra step in the route between your victim and the actual gateway as your attack machine is forwarding traffic back and forth between the gateway and the victim
- SSLStrip is a decrypt process and, therefore, resource-intensive on your attacker machine. Your attacker will delay the forwarded traffic in addition to it being an extra step in the route. This will be noticeable by your victim and may prompt a restart (which may change the IP address of the victim and kill the attack). Depending on the environment, this may also trigger a call to tech support or an investigation into the cause of the slowdown.
I've also seen this attack trigger 403 errors on the victim's machine, which will alert the target that something's wrong (this seems to occur when a remote server forces a higher-grade TLS connection). You may be able to capture a username and password, nonetheless. Usually the pertinent information is located at the bottom of the entry in the file you save the date to. It can be seen with a parameter, such as user= and passwd=. Thanks!