1

I was trying SSLstrip on my Windows PC as a target since Internet Explorer seems to be the only browser vulnerable to this attack.

I deleted all my browsing history and when the site gets stripped to HTTP the browser just sits there waiting for the connection but never makes it, i.e a DOS of some sort. Is this a result of the site using HSTS; I though if the browser's history was cleared HSTS didn't work? Why does this happen?

And when it does work I get this error message :

exception.runtimeerror : request.write called on a request after request.finish was called

dylan7
  • 747
  • 1
  • 9
  • 18
  • I think you'll need to clarify your question and provide some details on the problem. What happens if you try to access insecure sites (i.e. http://example.com/)? Is sslstrip listening on the correct port? And what makes you think IE is the only browser vulnerable to sslstrip? Regarding HSTS, I strongly suppose you would be presented with an error message within the browser if there was a problem with cached Strict-Transport-Security headers. – zinfandel Aug 01 '15 at 10:08
  • @zinfandel I believe I have everything setup correctly because I see the url getting stripped, but sometimes the site then never loads (DOS). And when it does, it work sometimes and only works for certain sites (i.e. facebook.com) but some websites get stripped then go right back to https. I've deleted all browser history. The only browser errors I've rescinded are that the connection just times out – dylan7 Aug 01 '15 at 14:06

1 Answers1

1

since Internet Explorer seems to be the only browser vulnerable to this attack.

That is the false assumption which is largely responsible of your situation because on February 2015, Microsoft already released HTTP Strict Transport Security in Internet Explorer 11. It is clear, regarding the error message you got, that your IE version is 11 or higher.

i.e a DOS of some sort

No, SSL stripping has nothing to do with DoS.

exception.runtimeerror : request.write called on a request after request.finish was called

It is normal you got that error since you know the purpose of HSTS and which not not only makes your connection fails, but can also, in case you attempt your MITM on other users, inform them (your potential victims) that they have been tampered by a third party.

And when it does work I get this error message :

Now you can guess you misinterpreted the events: since the error message by itself warns you that the connection failed.

Now, a question you may ask: is this the end of SSLstrip ? Luckily (or unluckily, depending on the colors you wear), there is an other opensource tool that uses an updated version of SSLstrip called mana. If you are running Ubuntu, Kali or any other Debian distro, you can install it by runnin:

apt-get install mana-toolkit

So in addition to HSTS limitations, mana overcomes and tricks HSTS.

  • So even if I clear my browser's history SSLStrip may work sometimes then not work due to HSTS? Because it will randomly work then stop working even though I clear my history and then go back to the same site? – dylan7 Aug 06 '15 at 01:56