MITM Attack Using SSLSTRIP

What is MITM attack?
Man in the Middle Attack, popularly known as MITM, is a network attack in
which an attacker eavesdrops on the communication channel between a victim
and another machine (which could be a server as well). In this attack the attacker's
machine sits between the victim and the server and relays messages between them.
The victim is fooled into believing that it is communicating directly with the server or
with the other victim machine, when in reality the communication flows through the
attacker's machine. As a result, the attacker can easily monitor all the communication
flowing in and out of the victim machine.


What is SSL?
Secure Socket Layer (SSL) is a secured network protocol that provides
communication between computers using proper encryption, so that no one
can intercept the communication by just eavesdropping on the channel. It
makes communication secure; hence you will find that critical sites like your
banking site, Gmail and Facebook make use of this SSL channel, i.e. HTTPS.
HTTPS is the secure channel (SSL protocol) version of HTTP. The ultimate goal is to
create secure channels over insecure networks.
How HTTPS communication takes place between Client and Server?
HTTPS assures the client that the visited site is trustworthy. Now consider a client
that wants to connect to its bank site ABCbank, which uses an HTTPS connection.
The client's browser goes through the following steps.
1. The client browser connects to http://ABCbank.com on port 80 using HTTP.
2. The server redirects the client to the HTTPS version of this site using an HTTP
code 302 redirect.
3. The client connects to https://ABCbank.com on port 443.
4. The server provides a certificate to the client containing its digital
signature. This certificate is used to verify the identity of the site.
5. The client takes this certificate and verifies it against its list of trusted
certificate authorities.
6. Once verification is completed, a secure communication channel is bridged
between server and client.
7. If the client cannot find the certificate amongst the trusted ones, a
certificate validation error is presented and you are asked either to stay off
this untrusted site or, if you still trust the source of the site, to Add Exception
and proceed at your own risk.

DOES HTTPS COMMUNICATION MEAN YOU ARE SAFE FROM MITM
ATTACK?
HTTPS is a secured means of communication over the Internet. However, a Man in
the Middle attack is still possible; this does not mean that the HTTPS protocol
itself is defeated. The attacker takes advantage of the transition that takes
place from the unsecured (HTTP) channel to the secured (HTTPS) channel: it defeats
this bridge between non-encrypted and encrypted communication.
SSLstrip uses the following steps to defeat the bridge.
1. Intercepts traffic between client and server.
2. SSLstrip replaces HTTPS links with HTTP and keeps a mapping of these
changes.
3. The attacking machine supplies certificates to the web server and
impersonates the client.
4. Traffic is received back from the secure website and provided back to
the client.
IS THERE ANY VISIBLE DIFFERENCE AT SERVER SIDE OR CLIENT
SIDE WHEN ATTACK IS PERFORMED?
This attack tricks the server into believing that the attacker's machine is itself the
client. It works quite well against the server because, as far as the server is
concerned, it is still receiving the SSL traffic it wants, only now from the attacker's
machine. Thus the server will not see any difference when the attack is performed.
The difference can be judged only at the client side, because the URL at the
client side will no longer be HTTPS; instead the client receives an HTTP communication
channel which comes from the attacker's machine and not from the server directly.
Hence an alert user might notice from the URL that something is fishy.
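A client-side check for the downgrade symptom described above, added here as an example (not part of the original post): it flags a redirect, or in-page links, that point at plain http for a host the user knows should only be reached over HTTPS. The host list, response headers and HTML body are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hosts that must only be reached over HTTPS. Constructed list for this
# example; a real deployment would use the user's own list of bank/mail sites.
KNOWN_HTTPS_HOSTS = {"abcbank.com", "www.abcbank.com"}

def check_redirect(status_line, headers):
    """Classify an HTTP response: 'none' if it is not a redirect, 'downgrade'
    if it redirects a known-HTTPS host to plain http, otherwise 'ok'."""
    code = int(status_line.split()[1])
    if code not in (301, 302, 303, 307, 308):
        return "none"
    target = urlparse(headers.get("Location", ""))
    if target.scheme == "http" and target.hostname \
            and target.hostname.lower() in KNOWN_HTTPS_HOSTS:
        return "downgrade"
    return "ok"

def stripped_links(html):
    """Return http:// links in an HTML body that point at known-HTTPS hosts.
    On a bank's own page this is the symptom an alert user sees: links that
    should be https have been rewritten to http."""
    found = []
    for url in re.findall(r'href=["\'](http://[^"\']+)', html, flags=re.I):
        host = urlparse(url).hostname
        if host and host.lower() in KNOWN_HTTPS_HOSTS:
            found.append(url)
    return found

# Constructed samples: the normal step-2 redirect from the bank ...
NORMAL_REDIRECT = ("HTTP/1.1 302 Found", {"Location": "https://abcbank.com/login"})
# ... the same redirect with its Location rewritten to http ...
STRIPPED_REDIRECT = ("HTTP/1.1 302 Found", {"Location": "http://abcbank.com/login"})
# ... and a page body in which one link has been rewritten to http.
SAMPLE_BODY = ('<a href="http://abcbank.com/login">Log in</a> '
               '<a href="https://abcbank.com/help">Help</a>')

if __name__ == "__main__":
    print(check_redirect(*NORMAL_REDIRECT))    # ok
    print(check_redirect(*STRIPPED_REDIRECT))  # downgrade
    print(stripped_links(SAMPLE_BODY))         # ['http://abcbank.com/login']
```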
To perform this attack you need SSLstrip, which can be downloaded from here. It
only runs on Linux systems; another option is to download Backtrack5, which has
SSLstrip preinstalled.
Steps to Attack
I am using Backtrack Linux to perform this attack. Open the shell and type the
command:
echo 1 > /proc/sys/net/ipv4/ip_forward
Using this command we are configuring the machine for IP forwarding.
Fig: Enabling IP Forwarding

Next step is to modify the iptables firewall configuration. For this we need to
intercept all HTTP traffic and route it to the port on which SSLstrip is
ready to listen. The command is as below:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listenPort>
Here you need to specify a port of your choice in place of <listenPort> in the above
command.
Fig: Configuring iptables to properly route HTTP traffic

Next step is to let SSLstrip listen on the port specified in the above command.
The command is as below:
sslstrip -l <listenPort>
Fig: Using SSLstrip

The last step in this process is to configure ARP spoofing to intercept the
traffic of the target host.
arpspoof -i <interface> -t <targetIP> <gatewayIP>
Fig: Configuring ARP Spoofing

In the above command substitute
<interface> with your network interface (eth0, eth1 etc.)
<targetIP> with the IP address of the victim
<gatewayIP> with the IP address of the gateway router that the victim is using.
Once this is done you have successfully implemented the MITM attack and can now
actively hijack any SSL connections established by the victim machine. Now you
can use any packet sniffer (like Wireshark) to capture all information passed
from the victim machine. Imagine the information you can obtain, including
various passwords, credit card numbers and other confidential information that
no one would like to share with others.
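As an added detection-side example (not from the original post), the ARP-cache symptoms that the arpspoof step above produces can be spotted on the victim's machine by comparing snapshots of its ARP table: the gateway entry changing its MAC, or one MAC answering for several IPs. The snapshots below are constructed in the format of `arp -n` on Linux; the addresses and MACs are made up.

```python
# Detect the ARP-cache symptoms of ARP spoofing: the gateway's MAC changing
# between two snapshots, or one MAC claiming several IPs at once.

def parse_arp_table(text):
    """Parse lines in the format of `arp -n` on Linux into {ip: mac}.
    The header line and incomplete entries (no 'ether' MAC) are skipped."""
    table = {}
    for line in text.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) < 3 or fields[1] != "ether":
            continue
        table[fields[0]] = fields[2].lower()
    return table

def arp_alerts(before, after, gateway_ip):
    """Compare two snapshots and return a list of alert strings (empty = clean)."""
    alerts = []
    old_gw, new_gw = before.get(gateway_ip), after.get(gateway_ip)
    if old_gw and new_gw and old_gw != new_gw:
        alerts.append(f"gateway {gateway_ip} MAC changed {old_gw} -> {new_gw}")
    by_mac = {}
    for ip, mac in after.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} answers for several IPs: {', '.join(sorted(ips))}")
    return alerts

# Constructed sample snapshots (addresses and MACs are made up for this example).
BEFORE = """Address      HWtype  HWaddress           Flags Mask  Iface
192.168.1.1  ether   aa:bb:cc:00:00:01   C           eth0
192.168.1.20 ether   aa:bb:cc:00:00:20   C           eth0
"""
# After ARP poisoning, the gateway entry carries the MAC of host .20.
AFTER = """Address      HWtype  HWaddress           Flags Mask  Iface
192.168.1.1  ether   aa:bb:cc:00:00:20   C           eth0
192.168.1.20 ether   aa:bb:cc:00:00:20   C           eth0
"""

if __name__ == "__main__":
    for a in arp_alerts(parse_arp_table(BEFORE), parse_arp_table(AFTER), "192.168.1.1"):
        print("ALERT:", a)
```

Running the snapshot comparison periodically (or on a static gateway entry) is the defensive counterpart of the ARP step; neither alert fires when the two snapshots agree.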

How to protect yourself from MITM attack on SSL connections?

The only way to check is to always make sure that the site you are on has
https in the URL.

2015 Hacking Demystified