SSL-Stripping

Let’s say you are already a Man-In-The-Middle, for example based on ARP spoofing or a rogue AP. Now you are sniffing the traffic, but the problem is that most web servers communicate only via HTTPS. Then it’s time to try SSL-Stripping.


General overview:
The concept was introduced by Moxie Marlinspike and presented by him at Black Hat DC 2009. Afterwards he developed a tool that implements his concept, called sslstrip.

[Victim] <--HTTP--> [MITM] <--HTTPS--> [Server]

If the victim requests a website via HTTP, we are able to set up an HTTPS request to the web server ourselves. This does not work if the victim requests the site via HTTPS. As soon as we get a response from the web server, we rewrite all links from “https://…” to “http://…” and send the page back to the victim via plain HTTP.


Example (arpspoof):

$ echo "1" > /proc/sys/net/ipv4/ip_forward
$ iptables -t nat -A PREROUTING -p tcp --destination-port 80 \
    -j REDIRECT --to-port <listenPort>
$ sslstrip -l <listenPort>
$ arpspoof -i <interface> -t <targetIP> <gatewayIP>

Website from Moxie Marlinspike


Countermeasures:
– Change your browser’s settings to communicate only when SSL is active
– Set up your own VPN or use a trusted VPN service for your web communication
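
As an added example (not part of the original post or of sslstrip), the following Python check shows what the link rewriting described above looks like from the client side: it takes a page body plus the scheme the browser actually used and flags the two tell-tale signs of a stripped page, no https:// links left at all and a password form posting to http://. The HTML is a constructed sample; example.test is a placeholder host.

```python
import re
from urllib.parse import urlparse

# Constructed sample (not from the original post): a login page as the server
# sends it, and the same page after a MITM rewrote every https:// link to http://.
ORIGINAL_HTML = """<html><body>
<a href="https://example.test/account">Account</a>
<form action="https://example.test/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form></body></html>"""
STRIPPED_HTML = ORIGINAL_HTML.replace("https://", "http://")

# Attribute values that carry URLs, whole <form> elements, password inputs.
URL_ATTR = re.compile(r'(?:href|action)\s*=\s*["\']([^"\']+)["\']', re.I)
FORM = re.compile(r"<form\b[^>]*>.*?</form>", re.I | re.S)
PASSWORD = re.compile(r'type\s*=\s*["\']?password', re.I)

def find_strip_indicators(html, page_scheme):
    """Return findings that suggest https:// links were rewritten to http://.

    page_scheme is the scheme the browser actually used to fetch the page.
    Heuristic 1: the page arrived over plain HTTP and every absolute link in
    it is http:// (a stripped page has no https:// left at all).
    Heuristic 2: a form containing a password field submits to an http:// URL.
    """
    findings = []
    schemes = [urlparse(u).scheme for u in URL_ATTR.findall(html)]
    http_links = schemes.count("http")
    https_links = schemes.count("https")
    if page_scheme == "http" and http_links and not https_links:
        findings.append("page served over http and all %d absolute links are http" % http_links)
    for form in FORM.findall(html):
        action = URL_ATTR.search(form)
        if PASSWORD.search(form) and action and urlparse(action.group(1)).scheme == "http":
            findings.append("password form posts to " + action.group(1))
    return findings

if __name__ == "__main__":
    print(find_strip_indicators(ORIGINAL_HTML, "https"))  # []
    print(find_strip_indicators(STRIPPED_HTML, "http"))
```

A page that uses only relative links produces no finding, so the heuristics are meant as a warning signal, not as proof of an attack.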