In my previous post I've discussed how user's session is hijacked and how SSL/TLS is incorporated for secure communication. But still the hackers can sniff the user credentials by breaking the SSL/TLS. This technique is referred to SSLstrip which was released by Moxie Marlinspike to demonstrate the vulnerabilities he spoke about at Black Hat Technical Security Conference: USA 2009.
In this scope I'll be using BackTrack, a Penetration Testing Distribution integrated with the below tools to scan the Network, set up Firewall rules, MIMA, monitor client-server HTTP connection and sniff packets.
- NMAP
- IPTABLES
- ARPSPOOF
- SSLSTRIP
- ETTERCAP
SSLstrip strips out HTTPS links from unencrypted webpages, replaces them with HTTP links and sends the altered pages to the client. The client never sees an HTTPS link to click on, only the unencrypred HTTP version.
- Techniques:
1. First Scan your network and find the target using NMAP, a Network Scanner. In this case i got 192.168.1.5 as the Target.
2. Next I need to start the IP Forwarding which enables my machine to forward any network traffic it receives from the target to the router.
3. Next Set up port redirection using IPtables.
4. Next Man-In-The-Middle-Attack (MIMA) is begun by exploiting ARP Cache Poisoning to intercept network traffic between the target and the router.
5. Start the SSLstrip tool and make it listen to default port 10000.
6. Start Ettercap to sniff the packets to fetch user credentials.
Once this setup is up and running perfectly, let the victim login the Facebook. In particular, the victim's HTTP traffic will be redirected to our port 10000, where SSLstrip is listening. After this we will be able to eavesdrop and steal all of the victim's passwords sent supposedly over SSL/TLS.
- Protection:
1. Force-TLS add-on allows web sites to tell Firefox that they should be served via HTTPS in the future; this helps secure you from accidentally negotiating an insecure session with certain sites.
2. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL)
Happy Hacking...Enjoy...
For educational purpose only...Do not misuse it...