SSLstrip 0.9

[red_snow62_10]

Hello,
I am new to this hacking stuff. I'm curious so I'm trying out new things.

One thing I came across is SSLstrip...I read about it and its use so I wanted to try it on a system.
But after doing the steps as given in the video How To: Use SSLstrip On Kali Linux by Chris Haralson on YouTube, the victim system is still opening HTTPS.

I tried using SSLstrip from BackTrack 5 r3 also...but I wasn't successful.

I know I'm missing something..Please help me.

[cooper]

What website are you trying to intercept? Are you sure your target is accessing it via HTTP (as opposed to HTTPS)?

[ZaraByte]

Most websites these days like social media sites force https by default not an expert at https but i will just say that sslstrip is pretty much out dated when it comes to trying to target websites that have https even if you were able to generate a "legit" SSL Cert i wouldn't know how to tell you how you go about decrypting the SSL traffic not like i've seen any public tools out for that.

Also thanks to HTTP Strict Transport Security (HSTS) built into all the web browsers expect IE the HTTPS is nicely cached in the browser so unles you can clear the target machines browser cache as soon as they go to a website like facebook the it's gonna load https.

[red_snow62_10]

What website are you trying to intercept? Are you sure your target is accessing it via HTTP (as opposed to HTTPS)?

Well, my main objective is to sniff passwords over the local network...so HTTPS transfers encrypted data which even if I sniff, it wont be readable...so thats why I want it to turn into HTTP so that things can get easier.

[red_snow62_10]

Most websites these days like social media sites force https by default not an expert at https but i will just say that sslstrip is pretty much out dated when it comes to trying to target websites that have https even if you were able to generate a "legit" SSL Cert i wouldn't know how to tell you how you go about decrypting the SSL traffic not like i've seen any public tools out for that.

Also thanks to HTTP Strict Transport Security (HSTS) built into all the web browsers expect IE the HTTPS is nicely cached in the browser so unles you can clear the target machines browser cache as soon as they go to a website like facebook the it's gonna load https.

okay...so how would you clear the target machine's browser cache? doing this seems a bit tough...

[cooper]

It seems you don't have a clear understanding of what sslstrip does.

Read this thread on this very forum for some additional insight.

TL;DR: Once it's https it stays https. All SSLStrip does is prevent the remote site from upgrading the existing http connection to https and having it appear to the target as if the site is secure when in fact it isn't.

The way to clear an htst entry from the target machine is to have the remote site specify a duration of 1 for its hsts header. The value is the amount of seconds after the moment the browser sees this header field that any subsequent connection attempt by the browser must be made using https, so use that, wait a second, then access via http and it will do just that.

[red_snow62_10]

It seems you don't have a clear understanding of what sslstrip does.

Read this thread on this very forum for some additional insight.

TL;DR: Once it's https it stays https. All SSLStrip does is prevent the remote site from upgrading the existing http connection to https and having it appear to the target as if the site is secure when in fact it isn't.

The way to clear an htst entry from the target machine is to have the remote site specify a duration of 1 for its hsts header. The value is the amount of seconds after the moment the browser sees this header field that any subsequent connection attempt by the browser must be made using https, so use that, wait a second, then access via http and it will do just that.

Ok...that breakdown you did on that post was really helpful.. Thanks.

So if what I understood is right..what if the victim clears all the cookies and history everything and then goes to any https website while the attacker has already started sslstrip..then he should get a http site, right?

[cooper]

Close. I've read from people (web devs mostly who experimented with HTTPS+HSTS, decided against it and then were unable to get their browsers to connect to their site using HTTP) that the most effective way to get a browser to forget about HSTS is to have the remote site say it's not wanted anymore, specifically by providing an HTST header with a really short duration. If you want the client to forget about HSTS via client-side means, it's really, *REALLY* hard. Some have gone as far as outright uninstalling the browser because simply put it's unclear where the browser stores this information and the browser provides no dialog anywhere that allows you to force the client to forget about this stuff. That makes sense because almost anything you can do with the browser can also be done from javascript, and this is one of those things you really, REALLY don't want to be alterable via javascript.

SSLStrip only works when you've never before used that very browser to access an HTTPS site. When you enter "site.com" in the URL bar, your browser goes to "http://site.com" which is what sslstrip exploits. The first thing site.com does is redirect you to the https version of its website which sslstrip, acting as a proxy to the client, does for its own connection to the remote site and not for the connection between the client and site.com which is what a regular proxy would do. This makes SSLStrip an MITM for HTTPS connections solely because the client is never made aware the connection it has with the remote site should be HTTPS but is in fact HTTP and other visual cues to the client are emulated via javascript, website icons and such. It's a clever bit of trickery and the direct result of it was the creation of HSTS.