2

I have a LAN with 3 machines connected to a switch. Two machines run Ubuntu 15.04, one with Apache SSL installed which works as the webserver. Another machine also running Ubuntu serves as the client. The attacker machine runs Kali 2.0.

All machines have manual assigned IP addresses:

 Client: 192.168.1.1 HW: 08:00:27:2a:ec:cc
 Server: 192.168.1.2 HW: 00:11:22:33:44:55
 Kali:   192.168.1.3 HW: 08:00:27:fa:25:8e

I executed the following commands on Kali:

 echo 1 > /proc/sys/net/ipv4/ip_forward
 iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

And then I run sslstrip -k -l 8080.

Now I start the arpspoof:

 arpspoof -i eth0 -t 192.168.1.1 192.168.1.2
 arpspoof -i eth0 -t 192.168.1.2 192.168.1.1

The arp tables on the Client and Server have both been spoofed and contain the HW of the Kali machine.

I also have wireshark Kali running. When now accessing the website from the Server with the Client with https://192.168.1.2/test.html the website is displayed. I can see all the packets for the SSL/TLS handshake on wireshark as well. But sslstrip does not display anything!?

wasp256
  • 173
  • 1
  • 6
  • Are you using sslstrip against a browser and website with certificate pinning active? – Natanael Mar 26 '16 at 22:59
  • No I just run it like described above, do I have to change anything to make it work? – wasp256 Mar 26 '16 at 23:01
  • Wireshark shows you the MAC addresses -- do they show traffic going client <-> Kali <-> server as you want, or not? – dave_thompson_085 Mar 27 '16 at 02:10
  • Yes all the packets are redirected properly and I can see the handshake taking place in wireshark; Just sslstrip doesn't seem to do it's job!? – wasp256 Mar 27 '16 at 08:47
  • Sslstrip prevents redirections to HTTPS. You're going to an HTTPS URL, whereas sslstrip expects you to go to an HTTP URL which redirects to HTTPS. – user2313067 Mar 27 '16 at 09:12
  • Alright, so what am I doing wrong in the above execution? Shouldn't I be able to see the accessed URL in the sslstrip output since the HTTPS is stripped to an HTTP? – wasp256 Mar 27 '16 at 10:14

1 Answers1

1

This attack is still working for outdated web browser! But the reality is that most of the servers now a day have HSTS (HTTP Strict Transport Security) enabled.

So how to sslstrip even if HSTS it dose his job?

  1. If you use a virtual machine use your internet adapter on bridge mode.
  2. Use sslstrip2 or go for a MITM framework like MANA or MITMF they tend to be more stable.
  3. Be sure that if the target wants to reach as an example facebook.com to redirect the target to social.facebook.com (were HSTS security policy dosen't remember any certificate) and then you could perform an MITM SSLStrip.
  4. Be sure to use a proper Wifi adapter that also support packet injection.
Lucian Nitescu
  • 1,860
  • 1
  • 15
  • 31
  • 1
    All the above machines are VMs running in GNS3; Okay I'll try the mentioned frameworks – wasp256 Mar 27 '16 at 13:44
  • Is there a way to figure out if the HSTS flag is enabled? – wasp256 Mar 27 '16 at 15:30
  • 1
    Strict-Transport-Security: max-age=31536000 in the server header. – Lucian Nitescu Mar 27 '16 at 17:06
  • I checked the server header and there is no Strict-Transport-Security flag or the like; I also checked on the apache server and also there the module for the headers is not enabled; shouldn't that mean that the sslstrip should work? – wasp256 Mar 28 '16 at 12:23
  • Do sslstrip and mitm work together now in 2023? I wold love to see this in my lan home network – Brian Brown Mar 14 '23 at 07:42