border: 1px solid #d2d2d2; padding: 0px 8px 0px 8px; color: #a19999; font-size: 12px; height: 25px; width: 165px; border-radius: 5px; -moz-border-radius: 5px; -webkit-border-radius: 5px; margin:0px; } .submitbutton{ background:#F66303; border: 1px solid #F66303; text-shadow: 1px 1px 1px #333; box-shadow: 3px 3px 3px #666; font:bold 12px Arial, sans-serif; color: #fff; height: 25px; padding: 0 12px 0 12px; margin: 0 0 0 5px; border-radius: 5px; -moz-border-radius: 5px; -webkit-border-radius: 5px; cursor:pointer;}

Receive all updates via Facebook. Just Click the Like Button Below

You can also receive Free Email Updates:

Powered By Blogger Widgets

Related Posts Plugin for WordPress, Blogger...

Pages

Friday, July 1, 2011

Break SSL Protection Using SSLStrip Backtrack 5

Some people asks "Are you sure SSL(Secure Socket Layer) port 443 can be hacked and we know the password sent over the network?" For more information about this, you can see my previous tutorial about SSL and HTTPS. actually if you see my explanation about SSL in my previous post, when we try to break the encryption it's a little bit hard to break, but here in this tutorial I will explain how to break the SSL encryption without breaking the SSL encryption using Man in the Middle Attack


Requirement : 
1. Linux OS 
2. Arpspoof 
3. IPTables 
4. SSLStrip 
5. NetStat 


All of this requirements maybe have other dependencies with other packages, I suggest you to use Backtrack Linux for more easier to do this tutorial, because all of the requirement package already installed inside Backtrack Linux (except SSLStrip). 


Perform the Attack – Man in the Middle Attack 
1. Set your Linux box to make it can forward every incoming port (enable port forwarding). 
echo '1' > /proc/sys/net/ipv4/ip_forward 
This code will let your Linux Backtrack have ability to forward every packet that was not intended for your machine. 


2. Know your network gateway 
netstat -nr 
For example i've already know that my gateway address is 192.168.8.8 


3. Use ARP spoof to perform Man in the Middle Attack 
arpspoof -i eth0 192.168.8.8 
a. Change "eth0" to your network card that currently connected to the network. Usually it is eth0 or wlan0. 
b. Change "192.168.8.8" to your network default gateway. 
c. In this tutorial I use arpspoof to entire network. Be careful if your network have a large user connected to it, because it will crash your network and bring your network down. 


SSL Strip 
Created by Moxie Morlinspike who provides a demonstration of the HTTPS stripping attacks that presented at Black Hat DC 2009. It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial. -Taken from author website


This all happens on the fly, and is practically will invisible to users. The only way to notice is by checking the URL in the address bar where normally it would display HTTPS, it will now display HTTP instead. 


Install SSL Strip (optional) 
1. Download SSL Strip 
2. tar zxvf sslstrip-0.9.tar.gz 
3. cd sslstrip-0.9 
4. python setup.py install 


Executing SSL Strip Attack 
1. We need to set up a firewall rule (using iptables) to redirect requests from port 80 to port 8080 to ensure our outgoing connections (from SSL Strip) get routed to the proper port. 
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080 


2. After finished set up iptables, the next step we need to redirect all network HTTP traffic through our computer using ARPSpoof (don't forget to enable IP forwarding) 
echo '1' > /proc/sys/net/ipv4/ip_forward arpspoof -i eth0 192.168.8.8 




3. When everything running well, you will see that ARPSpoof capturing network traffic, then the next step you need to start your SSL Strip by opening new terminal(CTRL+ALT+T) 
sslstrip -l 8080 
"-l" tells the system to listen on specified port. 
Above picture tells that SSL Strip already running and waiting for victim opening SSL URL such as (https://mail.google.com; https://mail.yahoo.com; etc) 


As a victim I will try to open https://mail.live.com. When I open the page, what I see is looks like below picture 
The URL changed into HTTP. 


4. After SSL Strip capturing enough data, to stop ARPSpoof and SSL Strip just hit CTRL + C. After you stop it, the whole network will be down and cannot be accessed for a while(it shouldn't take long time), this can happen because ARPSpoof didn't automatically repopulate the ARP tables with router proper MAC address. 


5. Inside the SSL Strip folder there will be a new file created "sslstrip.log" that stores all information that already captured over the HTTP protocol and even the HTTPS. Just take a look to the file using your favorite text editor. Below picture is the content of my sslstrip.log :that already captured victim data when they open https://mail.live.com
You can see the plain data of username and password there.   


Prevention of SSL Strip Attack 
1. If you are on public network (internet cafe, unsecured hotspot, etc) minimalize login into your personal account. 
2. Use SSH Tunneling . 
3. Keep your eyes open. 
This fake URL address:
Different with this one:


Remember This ! Be wise to use this application, and don't get shocked if this application also can help you go to jail faster if you use for an unintended purpose by law.

No comments:

Post a Comment

Follow Us

Share

Twitter Delicious Facebook Digg Stumbleupon Favorites More