SSL stripping is one of the most widely used techniques for intercepting traffic to HTTPS websites. sslstrip was presented at the Black Hat conference in 2009 and has since been used widely by attackers to perform MITM attacks on internal local networks.
In general, HTTPS websites are protected by an additional layer of security known as SSL (Secure Sockets Layer).
These SSL certificates are used to encrypt the data between the server and the end user. Because of this, no attacker in the middle can intercept or view your data unless they have the SSL key.
How SSL Strip Works:
Attackers get around this with SSL strip, where the attacker impersonates a proxy.
So, when a victim requests some data from an HTTPS site, the request goes through the man in the middle who is impersonating a proxy.
Yet he won't be able to view the data, since the data is encrypted. However, the server responds to the victim with an HTTPS response.
Before the response reaches the victim, it has to pass through the attacker. Here, the attacker rewrites the HTTPS response into plain HTTP and passes that on to the victim.
Now the victim receives an insecure HTTP response, and every piece of data he sends through that website from now on goes over an insecure HTTP request which is visible to the attacker in plain text.
However, this method has come to an end with the introduction of HSTS (HTTP Strict Transport Security).
This is an HTTP header which enforces strict HTTPS: a site that sends this header cannot be accessed over plain HTTP.
Though the top social networking websites send this header, most ordinary websites ignore it, so we can still use this technique to sniff data from those websites.
Also, we now have bettercap, with which we can actually bypass HSTS too. Whenever a new security measure comes, it comes with a bug. Anyway, let's see how to perform SSL strip in Kali Linux below.
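To make the HSTS point concrete, here is an added example (not code from the original post or from sslstrip) that models the part of a browser which defeats the downgrade described above: it parses a Strict-Transport-Security header, keeps a small in-memory HSTS store, and upgrades any http:// URL for a host with a live policy back to https:// before the request leaves the client. Host names, header values and the fixed clock are constructed for the demonstration.

```python
"""Added example: why an HSTS-aware client is not fooled by stripped links.

A stripped page contains http:// links. A browser that has already seen a
Strict-Transport-Security header for that host (over HTTPS) rewrites those
links to https:// before connecting, so the attacker never gets plaintext.
A host the browser has never seen an HSTS header for (the "normal websites"
case in the text) is not protected. Hosts and header values are made up."""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse 'max-age=N; includeSubDomains; preload' into a dict.

    Returns None when there is no usable max-age; browsers treat such a
    header as if no policy had been sent."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None or policy["max_age"] < 0:
        return None
    return policy


class HstsCache:
    """Minimal model of a browser's HSTS store (RFC 6797 semantics)."""

    def __init__(self, now=None):
        self._now = now or time.time          # injectable clock for testing
        self._entries = {}                    # host -> (expires_at, include_subdomains)

    def remember(self, host, header_value, via_https=True):
        # A header received over plain HTTP must be ignored; otherwise an
        # on-path attacker could plant or clear policies.
        if not via_https:
            return
        policy = parse_hsts(header_value)
        if policy is None:
            return
        host = host.lower()
        if policy["max_age"] == 0:            # max-age=0 revokes the policy
            self._entries.pop(host, None)
            return
        self._entries[host] = (self._now() + policy["max_age"],
                               policy["include_subdomains"])

    def is_known(self, host):
        """True if host (or a parent with includeSubDomains) has a live policy."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if now >= expires_at:
                continue
            if i == 0 or include_sub:
                return True
        return False

    def upgrade(self, url):
        """Rewrite an http:// URL to https:// when HSTS applies, else return it unchanged."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache()
    cache.remember("bank.example", "max-age=31536000; includeSubDomains")
    for link in ("http://bank.example/login", "http://shop.example/login"):
        print(link, "->", cache.upgrade(link))
```

With a policy stored for bank.example the stripped link comes back as https://bank.example/login, while shop.example, which never sent the header, stays on http:// and is exactly the kind of site the text says remains exposed.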
How to Perform SSL Strip:
To launch a successful SSL strip attack, we depend upon the following things:
- Proxy Setup
- Port Forwarding
- ARP Spoofing
- SSL Strip
First, open up your terminal and type
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1337
This will redirect all traffic arriving on port 80 to port 1337 on your machine. Instead of 1337, you can use any port number of your choice.
It's better to use an uncommon port, because something else on your machine may be using the common ports for other purposes.
Next, we have to enable IP forwarding so that the traffic handled by the iptables rule is actually passed on. For this, type
echo 1 > /proc/sys/net/ipv4/ip_forward
This sets the ip_forward flag of Linux to 1, which means true/enabled. By default, the ip_forward value is 0 (disabled).
Now that we are done with the prerequisites, let's get into action. We have to perform ARP spoofing to poison the ARP tables of the router.
ARP tables are used to link physical addresses (MAC) with network addresses (IP).
Here, we spoof the ARP table by linking our MAC address with the victim's IP address.
Thus, we now receive all the data inside the network that is intended for the victim. In order to perform ARP spoofing, type
arpspoof -i wlan0 -t 192.168.0.44 192.168.0.1
where 192.168.0.44 is the victim's IP address and 192.168.0.1 is the router's IP address.
To find your victim's IP address, you can use nmap or ettercap to scan for all the hosts available in your network.
Replace wlan0 with eth0 if you're using Ethernet. To check your wireless interface, type ifconfig.
A successful arpspoof attack sends spoofed ARP messages to the router, corrupting its ARP table.
We have to keep sending ARP messages to keep the ARP cache poisoned. If we stop sending messages, the router will receive the victim's ARP response and reassign the IP to the original MAC.
Thus, we have to keep this command running in a separate terminal until the attack ends.
Well, after setting up all of these, now comes the main part. We have to launch the SSL Strip tool, which comes pre-installed in Kali Linux.
If not, download it yourself from its GitHub repository: https://github.com/moxie0/sslstrip
Now, to begin SSL strip, type
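The behaviour just described, a stream of forged ARP replies that keeps one MAC answering for the router's IP, is also what makes the attack visible on the wire. The following added example (not code from the original post or from arpspoof) is a small detector that reads ARP replies in the style of `tcpdump -n arp` output and alerts when an IP changes owner, when the gateway is claimed by a MAC other than the one learned out of band, or when a single MAC starts answering for several IPs including the gateway. The capture lines and all addresses are constructed for the demonstration.

```python
"""Added example: detecting ARP cache poisoning from captured ARP replies.

The sample capture below is constructed; it shows a router and a victim
answering for themselves, followed by a third MAC claiming both of their
IPs, which is the pattern the arpspoof command in the text produces."""
import re
from collections import defaultdict

# Matches the "Reply <ip> is-at <mac>" part of a tcpdump ARP line.
ARP_REPLY = re.compile(
    r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})",
    re.IGNORECASE,
)

# Constructed capture, tcpdump style. Addresses are made up.
CAPTURE = """\
10:00:01.000 ARP, Reply 192.168.0.1 is-at aa:aa:aa:aa:aa:01, length 28
10:00:01.200 ARP, Reply 192.168.0.44 is-at bb:bb:bb:bb:bb:44, length 28
10:00:02.000 ARP, Reply 192.168.0.1 is-at cc:cc:cc:cc:cc:99, length 28
10:00:02.100 ARP, Reply 192.168.0.44 is-at cc:cc:cc:cc:cc:99, length 28
10:00:03.000 ARP, Reply 192.168.0.1 is-at cc:cc:cc:cc:cc:99, length 28
"""


class ArpMonitor:
    """Tracks IP-to-MAC bindings seen in ARP replies and raises alerts on conflicts."""

    def __init__(self, gateways=(), trusted=None):
        self.gateways = set(gateways)
        self.trusted = dict(trusted or {})      # ip -> mac learned out of band (pinned)
        self.ip_to_mac = dict(self.trusted)     # first MAC seen for each IP
        self.mac_to_ips = defaultdict(set)      # which IPs each MAC has claimed
        for ip, mac in self.ip_to_mac.items():
            self.mac_to_ips[mac].add(ip)
        self.alerts = []

    def _alert(self, *fields):
        # Repeated spoofed replies are expected; report each distinct finding once.
        if fields not in self.alerts:
            self.alerts.append(fields)

    def observe(self, ip, mac):
        mac = mac.lower()
        previous = self.ip_to_mac.get(ip)
        if previous is None:
            self.ip_to_mac[ip] = mac
        elif previous != mac:
            kind = "GATEWAY_HIJACK" if ip in self.gateways else "MAC_CHANGE"
            self._alert(kind, ip, previous, mac)
            if ip not in self.trusted:
                self.ip_to_mac[ip] = mac        # follow the change; pinned entries never move
        self.mac_to_ips[mac].add(ip)
        claimed = self.mac_to_ips[mac]
        if len(claimed) > 1 and claimed & self.gateways:
            self._alert("MULTI_IP_MAC", mac, tuple(sorted(claimed)))

    def feed(self, text):
        """Run every ARP reply in the capture text through the monitor; returns the alert list."""
        for line in text.splitlines():
            m = ARP_REPLY.search(line)
            if m:
                self.observe(m.group(1), m.group(2))
        return self.alerts


if __name__ == "__main__":
    monitor = ArpMonitor(gateways={"192.168.0.1"},
                         trusted={"192.168.0.1": "aa:aa:aa:aa:aa:01"})
    for alert in monitor.feed(CAPTURE):
        print(*alert)
```

Pinning the gateway's real MAC (for example from the switch's configuration or a DHCP snooping database) is what turns the third line of the capture into a definite GATEWAY_HIJACK rather than a mere change; without a trusted entry the monitor can only report that the binding flapped.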
sslstrip -w sslstrip.log -l 1337
where 1337 is the port to which we have routed the traffic, and sslstrip.log is the file in which all the HTTP traffic is saved.
Now, after finishing, open the sslstrip.log file to see all the traffic your victim has browsed, including his email, usernames and passwords.