SSLStrip Tool For fighting HTTPS

Arnav Tripathy
4 min read · Feb 10, 2019


So you have just ARP-spoofed your friend's computer and are eagerly waiting for the password of his Hotmail account. But wait! You could not find his password no matter how many times you went through the sniffed data. Why did that happen?

The answer is that he entered his password on the HTTPS version of Hotmail. Most of us know HTTP as the protocol a browser uses to talk to a web server, but fewer realise how insecure it is: every request and response is transmitted in plaintext, unencrypted. Anyone positioned on the path can intercept the traffic and read it, and the data can be very sensitive indeed, passwords included. Even worse, because every request and response is readable, modifying packets in transit becomes child's play.

To tackle this came HTTPS: HTTP carried inside a TLS (formerly SSL) connection. The HTTP messages themselves are unchanged, but on the wire they are encrypted, so they make sense only to the source and the destination. It was quickly adopted, and most popular websites now use HTTPS instead of HTTP. This was a huge landmark in web security, and the good news is that there is still no practical way for an on-path attacker to decrypt a properly configured TLS session.

In 2009, at Black Hat DC, the security researcher Moxie Marlinspike presented sslstrip, a way to bypass HTTPS. Note the word bypass rather than decrypt: nothing is decrypted, yet the end result is much the same. sslstrip sits between the victim and the server, keeps a perfectly normal HTTPS connection to the server, and rewrites every https:// link and redirect it relays to the victim into http://. The victim's browser therefore speaks plain HTTP to the attacker, and that leg of the connection can be sniffed or modified with Wireshark or any other tool. Let us see how the tool is used in a man-in-the-middle attack scenario.

Assume you have ARP-spoofed your victim, perhaps with ettercap, so that all the victim's traffic now passes through your machine. This is the ideal moment to use sslstrip. But first, to learn how sslstrip is invoked, open its help menu. So type:-

Always use the help menu before starting a new tool

We can see that the only thing we really need to do is put sslstrip into listening mode on some port (10000 by convention) and let it do its magic. Before that, though, we must redirect the victim's web traffic to that port. Plain HTTP uses TCP port 80, and since the victim is ARP-spoofed, their port 80 traffic is already passing through our machine; all we need to do is redirect it to the port on which sslstrip is listening. Let us assume we use port 10000 for sslstrip. Note that only traffic that starts out as plain HTTP can be redirected this way: a connection the victim opens directly to port 443 is already encrypted and never reaches sslstrip. So type the following commands:-

Iptables is an important part of Kali Linux

The first line writes 1 into /proc/sys/net/ipv4/ip_forward, which turns on IP forwarding so that the kernel passes the victim's packets on instead of dropping them. Some MITM tools, ettercap and MITMf among them, take care of forwarding for you, but it is good practice to set it explicitly as well.

The second line uses iptables, the command-line front end to the Linux kernel's netfilter packet filter, which decides which packets a machine accepts, forwards and rewrites. This rule goes into the nat table's PREROUTING chain and REDIRECTs TCP traffic arriving for destination port 80 to local port 10000, where we plan to run sslstrip. Because it sits in PREROUTING it matches the forwarded packets from the victim, not only packets addressed to our own machine. Remember to delete the rule when you are done, or the redirect stays in effect after the attack.

And now all that's left is to start sslstrip listening on port 10000. To do that, type:-

sslstrip is now ready. Whenever the victim starts from a plain-HTTP page and is redirected or linked to an HTTPS site, the redirect or link is rewritten to HTTP and we can read the login in the clear. The attack does not touch connections the victim opens directly as https://, for example from a bookmark or a typed https:// address; it relies on the first request to a site being plain HTTP, which is exactly what happens when someone types a bare hostname into the address bar.
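Here is an offline model of the rewriting step described above. It is an added example written for this article, not sslstrip's own code: the proxy loop, sockets and iptables plumbing are left out, the server response is constructed, and the host names login.example and static.example are made up. It shows the two halves of the trick: the response rewriting (the Location header, the links in the page, and the cookie Secure flag that would otherwise break the victim's session) and the bookkeeping that lets the proxy go back to the real server over HTTPS for every URL it stripped.

```python
"""Offline model of an sslstrip-style downgrade proxy.

Added example for this article, not sslstrip's own code. There is no
network I/O; the server responses below are constructed and the host
names are made up.
"""
import re

# Absolute https:// URLs as they appear in HTML attributes, redirect
# headers and plain text. The capture group is everything after the scheme.
HTTPS_URL = re.compile(r"https://([^\s\"'<>]+)")


class StripState:
    """What the proxy must remember: every URL it rewrote to http://.

    When the victim's browser later asks for one of them in the clear, the
    proxy fetches it from the real server over HTTPS, so the server never
    notices that its side of the session was downgraded."""

    def __init__(self):
        self.stripped = set()

    def remember(self, host_and_path):
        self.stripped.add(host_and_path.lower())

    def upstream_scheme(self, host, path):
        """Scheme the proxy uses toward the real server for a plain-HTTP
        request it received from the victim."""
        if f"{host}{path}".lower() in self.stripped:
            return "https"
        return "http"


def rewrite_links(text, state):
    """Replace every https:// link with http:// and record what was changed."""

    def swap(match):
        state.remember(match.group(1))
        return "http://" + match.group(1)

    return HTTPS_URL.sub(swap, text)


def strip_response(status, headers, body, state):
    """Rewrite a server response before it is forwarded to the victim.

    headers is a list of (name, value) pairs; the rewritten list is returned."""
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname == "location":
            # The classic case: the site's HTTP front door redirecting to
            # HTTPS. The victim is redirected to http:// instead.
            value = rewrite_links(value, state)
        elif lname == "set-cookie":
            # A cookie marked Secure would never be sent back over the
            # plain-HTTP leg, so the downgrade must drop the flag or the
            # victim's session breaks.
            value = re.sub(r";\s*secure\b", "", value, flags=re.IGNORECASE)
        out.append((name, value))
    return status, out, rewrite_links(body, state)


def demo():
    """Constructed exchange: the victim typed 'login.example' into the
    address bar, the site redirects to HTTPS, and the page it lands on
    links to further HTTPS resources."""
    state = StripState()

    # 1. The server's plain-HTTP front door answers with a redirect to HTTPS.
    _, headers, _ = strip_response(
        301, [("Location", "https://login.example/")], "", state)
    redirect_seen_by_victim = dict(headers)["Location"]

    # 2. The browser follows the rewritten (http://) redirect; the proxy
    #    fetches the real page over HTTPS and strips that as well.
    page = (
        '<form action="https://login.example/auth" method="post">'
        '<a href="https://login.example/help">help</a>'
        '<a href="http://static.example/logo.png">logo</a>'
    )
    _, headers, stripped_page = strip_response(
        200, [("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly")],
        page, state)
    return {
        "redirect": redirect_seen_by_victim,
        "page": stripped_page,
        "cookie": dict(headers)["Set-Cookie"],
        "auth_upstream": state.upstream_scheme("login.example", "/auth"),
        "logo_upstream": state.upstream_scheme("static.example", "/logo.png"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it prints what the victim's browser ends up seeing: neither the Location header nor the form action ever reaches the browser as https://, while the proxy still knows to use HTTPS toward login.example when the stripped /auth request comes back in the clear, and plain HTTP toward static.example, which it never touched.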

Note: although it is a great tool, HTTPS is not completely defeated. Very popular websites such as Gmail, Facebook and PayPal use a newer security measure called HSTS (HTTP Strict Transport Security). The site sends a Strict-Transport-Security header over HTTPS, and from then on the browser remembers, for the stated max-age, to rewrite any http:// request for that host to https:// before it is sent, so sslstrip's downgraded link never leaves the browser as plain HTTP. That still leaves a gap on the very first visit, before the header has been seen, which is why the most important sites are also hardcoded into the browser's HSTS preload list and will not degrade to HTTP no matter what. Chrome and Firefox (recent, updated versions) support both. Internet Explorer only gained HSTS support with IE 11 in 2015, so older versions give no protection and should be avoided. Another security measure is the HTTPS Everywhere add-on for Chrome and Firefox, which rewrites requests to HTTPS for the sites on its rule list, closing the first-visit gap for those sites in much the same way preloading does.
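To see why HSTS stops the attack, the following added example (not from the original post; the host names mail.example, shop.example and paypal.example are made up, and the preload list is a stand-in for the browser's built-in one) models the browser-side decision: the Strict-Transport-Security header is honoured only when received over HTTPS, is remembered for max-age seconds, optionally covers subdomains, and causes any later http:// navigation to be rewritten to https:// inside the browser before a single packet is sent. On the first visit, with nothing cached and no preload entry, the http:// request does go out and sslstrip has something to rewrite; afterwards it does not.

```python
"""Model of the browser-side HSTS decision that makes sslstrip's rewrite
useless. Added example for this article, not from the original post; the
host names and the preload list are made up."""
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Return (max_age_seconds, include_subdomains) from a
    Strict-Transport-Security header value, or None if it is malformed."""
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    """The browser's memory of which hosts must only be reached over HTTPS."""

    def __init__(self, preload=()):
        # host -> (expiry timestamp, include_subdomains)
        self.entries = {}
        # Preloaded hosts ship with the browser and always cover subdomains.
        self.preload = {h.lower() for h in preload}

    def observe(self, host, header, now, over_tls=True):
        """Record a Strict-Transport-Security header the browser received.

        Per the HSTS rules the header only counts when it arrived over
        HTTPS, so an attacker on the plaintext leg cannot plant or clear an
        entry; max-age=0 lets the real site withdraw its policy."""
        if not over_tls:
            return
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self.entries.pop(host, None)
        else:
            self.entries[host] = (now + max_age, include_sub)

    def is_known(self, host, now):
        """True if host, or a parent domain whose policy covers subdomains,
        has an unexpired HSTS entry or is preloaded."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = i == 0
            if candidate in self.preload:
                return True
            entry = self.entries.get(candidate)
            if entry and entry[0] > now and (exact or entry[1]):
                return True
        return False

    def navigate(self, url, now):
        """The URL the browser actually requests for a typed or clicked url.

        For a known host an http:// URL is upgraded before it leaves the
        browser, so a link sslstrip downgraded is silently restored."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


if __name__ == "__main__":
    cache = HstsCache(preload=["paypal.example"])
    now = 1_000_000
    print("first visit :", cache.navigate("http://mail.example/login", now))
    cache.observe("mail.example", "max-age=31536000; includeSubDomains", now)
    print("after header:", cache.navigate("http://mail.example/login", now + 10))
    print("preloaded   :", cache.navigate("http://www.paypal.example/", now))
```

The first line printed is the only one where the request leaves the browser as plain HTTP. That is the window sslstrip lives in, and it is what the preload list and HTTPS Everywhere's rule list close for the sites they cover.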
