SSL sniffing with sslstrip

SSL sniffing with sslstrip
By Click Death Squad (C.D.S.)
Revision 1.0

A new tool presented at the Black Hat DC 2009 conference by Moxie Marlinspike proves to be a formidable foe against secure login schemes. Always trying to stay on top of the game, Click Death Squad decides to give this tool a whirl and see what the buzz is all about. This attack is particularly crafty because it acts as a Man in the Middle, keeping an eye on HTTPS requests and then mapping them to HTTP look alike setups. If a person were operating on a wireless access point that had been broken into, the results can be devastating. You have a box running sslstrip which has port forwarding enabled and is actively spoofing ARP on a LAN. This computer is the jump off point, which will fake out the wireless router into redirecting HTTPS requests, modifying them and passing them on to the victim. Features include a fake "lock" icon and selective logging capabilities, which provide great flexibility when sniffing traffic. The example we use shows how a MySpace "secure" login can be easily captured using this attack. Props to Moxie Marlinspike for making this tool available to the public.

In this example, we are using a wireless router with a connected client running Windows (Firefox 3) and sslsniff to hijack login sessions. All the commands issued are given in quotes, with the result of the commands being listed in grey. After each step, a screenshot is given so you may compare your output to what should be happening. Please note that not all the screenshots contain the exact same data which is given in the example, they are merely for reference purposes.

Tools you will need to accomplish this task:
  • A wireless network that you have access to and can test
  • A "victim" computer acting as the client being sniffed
  • A Linux box with sslstrip installed
  • Basic Linux networking skills and command line capabilities
  • A cold beer

Step 1: Tell the kernel to enable IP forwarding.
Your box will be acting as the intermediary between the victim and the intended destination. You must enable IP forwarding so that packets can be passed through your machine. This is pretty simple, just pass a value to the kernel that tells it to enable forwarding for packets.

"sudo echo 1 > /proc/sys/net/ipv4/ip_forward" ### enable IP forwarding in the Linux kernel.

Done deal. This takes place immediately, and you are ready to setup iptables so that traffic is redirected to your machine for modification.

Step 2: Set an iptables firewall rule that fowards HTTP traffic from the victim to your box for modification.
As the victim is actively browsing websites, your computer needs to act as a middle man so that when the user is directed to an HTTPS login, your computer modifies the data and passes it along. By setting up an iptables rule, you can have the traffic get passed to your computer, modify it using sslstrip and then pass the "faked out" version to the victim and capture login information.

"sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 666" ### iptables will forward port 80 to our box, running sslstrip on port 666.

The firewall rules on your box have been set to forward all traffic on port 80 (HTTP) which might be received by the victim. The key is passing the victim's traffic through your box to sslstrip, which will modify any HTTPS login requests and forward them to the correct destination. By doing so, the login information can be captured.

Step 3: ARP spoof the target traffic to redirect to your machine.
Using arpspoof, you can redirect all the victim's traffic to your machine. After you enabled your iptables firewall rule to pass HTTP traffic and modify it, you need to redirect the traffic to your box. Use arpspoof to direct traffic to your machine so that HTTP requests can be modified for hijacking.

sudo "arpspoof -i wlan0" ### where is the target and is the wireless access point ip address.

All the steps are in place. Iptables is setup to redirect HTTP requests to sslstrip, ARP spoofing is redirecting traffic from the victim to our box and your machine is forwarding requests. The last step is to actually run sslstrip and start hijacking some sessions.

Step 4: Run sslstrip and capture some passwords.
Start the sslstrip server running on your machine and watch what happens. A victim loads a website, and because you're ARP spoofing, the request is directed to your machine first. The request is modified by sslstrip, then iptables forwards the modified traffic to the intended destination.

sudo "python -l 666 -f lock.ico" ### load sslstrip and use the provided lock.ico icon as a replacement if need be.

The server is started...

Looks like the victim logged into "" to check their page out...

Looks like we were able to capture a password from a modified request. It's game over.