
I want to perform a MITM attack on my own network, and I followed several tutorials on how to use sslstrip, iptables and arpspoof.

But every time I perform the attack, I lose the connection on the target device for almost every website, except Google, Facebook and some others. Could it be that I lose the connection to websites which are just HTTP-protected and not HTTPS like the bigger websites?

The sslstrip.log file is always empty, even though sslstrip is running. Here is the command order I use:

```shell
echo 1 > /proc/sys/net/ipv4/ip_forward                                             # enable IPv4 forwarding
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 8080  # send port 80 to sslstrip's listener
arpspoof -i wlp3s0 -t 192.168.178.125 -r 192.168.178.1                              # ARP spoofing between target and gateway
sslstrip -l 8080                                                                   # sslstrip listening on the redirected port
```

To see what's going on, I use `tail -f sslstrip.log`.

I hope you can tell me what I'm doing wrong.

grochmal
fullcowl
  • You should post what your sslstrip.log looks like. Google and Facebook use HSTS, therefore the connection to those should ignore your attempt at SSL-stripping them (you should see on the target machine that Google and Facebook are loaded in HTTPS, that is unless you're destroying the browser cache on the target machine before the tests). The rest of the traffic is likely to be incorrectly routed; `sslstrip.log` will give some clues. – grochmal Oct 02 '16 at 20:51
  • SSLstrip is 4 years old, so other people have been working on ways to improve it, such as this, which claims it can avoid HSTS. The [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) header stops SSLstrip because of the preload list in the Chrome and Firefox browsers, and Google, Facebook and other sites are within the list, so you need to use the SSLstrip2 version to defeat HSTS. You can use the MITMf proxy framework to automatically create a full MITM attack: [mitmf](https://github.com/byt3bl33d3r/MITMf) – androux Oct 31 '16 at 22:24

1 Answer

I think you are doing the commands right... but the sslstrip technique doesn't depend only on your side. It depends on a lot of factors... if the "victim" is using bookmarks that always use https://whateverpage, there is nothing to do. He/she is always going to ask directly for an encrypted page.

If the "victim" is asking for pages using whateverpage.com without putting https before it, he is going to ask for the http page. Even if the site has HSTS activated (it is going to receive the http request and will redirect it to the https version of the page), you can do sslstrip because there is a request for an http page... only one, but enough for sslstrip. It is going to show the page in plain to the "victim" and it will do the SSL connection to the real site.

So many people say "HSTS is the solution to sslstrip". And this is NOT TRUE. I did sslstrip a lot of times testing access to pages with HSTS and it works... the key, as I said, is that the victim must do the initial http (without "s") request.

Another decisive factor is that not every page can be sslstripped if you use common browsers... I mean, if you use Chrome, Firefox or Internet Explorer, for example... these browsers have an internal list of known SSL sites. Those sites (like Twitter or Facebook, for example) will never be sslstripped because the browser knows that it must ALWAYS look for them using https, even if the user did the "bad way request", putting facebook.com without specifying the https:// before. I guess these sites pay the browser companies to be in that list.

I suggest you try against not very well-known SSL pages, because that way there are fewer chances to crash in your tests against a site which is in those internal browser lists.

There are more advanced techniques to do sslstrip even on pages in those lists... like the Delorean attack, etc... but they are more complicated.

OscarAkaElvis
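To make the answer's three cases concrete (a preloaded host, a host whose HSTS policy the browser has already learned over HTTPS, and a first plain http:// request that carries no policy yet), here is an added Python model of how a browser decides whether to upgrade an http:// request before anything leaves the machine. It is example code, not from the question, the answer or any browser; the preload set is a constructed stand-in for the real list, and the model simplifies by treating preloaded entries as covering their subdomains.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed stand-in for a browser's built-in preload list (the real one is far larger).
PRELOADED: Set[str] = {"facebook.com", "twitter.com", "google.com"}

@dataclass
class HstsPolicy:
    max_age: int              # seconds the policy stays valid
    include_subdomains: bool
    observed_at: float        # when the header was seen (seconds)
def parse_hsts(header: str, now: float) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value; None if malformed (browsers ignore it)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())
            if not m:
                return None
            max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else HstsPolicy(max_age, include_sub, now)

class HstsCache:  # per-browser state: preloaded hosts plus policies learned over HTTPS
    def __init__(self, preload: Set[str] = PRELOADED) -> None:
        self.preload = preload
        self.learned: Dict[str, HstsPolicy] = {}
    def record_https_response(self, host: str, header: str, now: float) -> None:
        # Only a header received over TLS is honoured; max-age=0 deletes the entry.
        policy = parse_hsts(header, now)
        if policy is not None and policy.max_age == 0:
            self.learned.pop(host, None)
        elif policy is not None:
            self.learned[host] = policy
    def upgrades_http_request(self, host: str, now: float) -> bool:
        """True if an http:// URL for host is rewritten to https:// before anything is sent."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preload:  # preload entries treated as includeSubDomains
                return True
            policy = self.learned.get(candidate)
            if (policy and now - policy.observed_at < policy.max_age
                    and (i == 0 or policy.include_subdomains)):
                return True
        return False  # the request leaves in clear text: the window the answer describes
```

The only case where `upgrades_http_request` returns False for a site that actually serves HSTS is a host the browser has never reached over HTTPS (or whose policy has expired), which is exactly why a cold cache and an http:// URL matter in the answer, and why preloading closes that window.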