0

My issue is that SSL stripping is not working in my LAN, but it works if I try to attack an HTTPS website with no HSTS. I am not using any domain name, just the IP address of the server. Is there any difference between a local attack and a remote one? Maybe my application redirection prevents the SSLstrip?

Edit:

I use the CodeIgniter PHP framework and I created a simple blog application. I set my web server up in this way. It's a local environment: my host has an apache2 web server and I try to attack it with a virtual machine (Kali Linux). I followed this video, and it worked when I attacked a remote webpage on the internet. I also set the base URL up like this:

$config['base_url'] = "https://192.168.1.5/myblog";
ampika
  • Please add some more details to your question in order for us to help you. e.g. how does your Man In The Middle work? What's the website you're trying to attack? – SilverlightFox Feb 08 '16 at 09:48
  • I edited my post. Please let me know if you need more information about it. – ampika Feb 08 '16 at 10:54

2 Answers

1

I would guess because you are arp spoofing the gateway IP address.

Therefore when your victim navigates to https://192.168.1.5, their traffic is going directly to 192.168.1.5 and not via the spoofed internet gateway (local traffic does not require the gateway).

With ARP spoof, enter 192.168.1.5 as the last command argument instead of the gateway IP, and it should work. Make sure you set target (-t) correctly, otherwise you might end up spoofing the IP to your attacking box (I'm not sure if it's clever enough to not target itself if -t is not specified).

Good luck!

SilverlightFox
0

HSTS is there to prevent users from accessing specific webpages without SSL for a specified time. Also, there is a list maintained by Google where website owners can add their website. Webpages that are listed there will never be contacted using HTTP even if the server never requested the client to use SSL by HSTS.

You can anyway prevent HSTS from working by sending fake responses to NTP requests of that client. This will put you in a position to tell the client that the period of time he was told to use SSL by HSTS is over. This attack can be migrated by using a tool like Delorean.

davidb
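Added example, not part of either answer: a small Python model of when a browser still enforces HSTS, showing why a policy learned from the header depends on the client clock, why a preloaded entry does not, and why a site reached by bare IP address (as in the question) gets no HSTS protection at all. The host name `blog.example`, the header value and the dates are constructed; treating a preloaded entry as never expiring is a simplifying assumption.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

def parse_max_age(header):
    """Return max-age (seconds) from a Strict-Transport-Security value, or None if invalid."""
    max_age = None
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
    return max_age  # other directives (includeSubDomains, ...) are ignored in this model

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def hsts_enforced(host, header, noted_at, client_clock, preloaded=False):
    """Model whether a browser would still force HTTPS for host at client_clock."""
    if is_ip_literal(host):
        return False  # RFC 6797 section 8.1.1: IP-literal hosts are never noted as HSTS hosts
    if preloaded:
        return True   # shipped with the browser; assumed here not to use the header timer
    max_age = parse_max_age(header) if header else None
    if not max_age:
        return False  # no header, malformed header, or max-age=0 (policy removed)
    return client_clock < noted_at + timedelta(seconds=max_age)

# Constructed sample values
HEADER = "max-age=31536000; includeSubDomains"
NOTED = datetime(2016, 2, 8, tzinfo=timezone.utc)         # when the header was received
CLOCK_OK = datetime(2016, 6, 1, tzinfo=timezone.utc)      # correct client clock
CLOCK_SKEWED = datetime(2017, 3, 1, tzinfo=timezone.utc)  # clock pushed past max-age

if __name__ == "__main__":
    print(hsts_enforced("blog.example", HEADER, NOTED, CLOCK_OK))            # True
    print(hsts_enforced("blog.example", HEADER, NOTED, CLOCK_SKEWED))        # False
    print(hsts_enforced("blog.example", HEADER, NOTED, CLOCK_SKEWED, True))  # True
    print(hsts_enforced("192.168.1.5", HEADER, NOTED, CLOCK_OK))             # False
```

For a site owner the takeaways are to serve the application under a host name rather than an IP address, use a long max-age, and rely on preloading where the client clock cannot be trusted.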