SSL security

Workshop 6: SSL/TLS
The HTTPS stripping attacks
Zhou Peng and Daoyuan Wu
25 April 2014
SSLStrip Background
• The HTTPS stripping steps
– Transparently hijacking HTTP traffic
– Discovering HTTPS links and redirects
– Mapping HTTPS links into look-alike HTTP links
• References:
– http://www.thoughtcrime.org/software/sslstrip/index.html
Objectives
• Provide hands-on experience on attacking
HTTPS connections using sslstrip
• Understand how sslstrip can steal your
credentials (e.g., your Facebook username and
password)
Overview of This Lab
• Preparation Step
– Step 1: Boot your system
– Step 2: Configure your Firefox browser
• Sslstrip Attacking Step
– Step 3: Download and run sslstrip
– Step 4: Browse HTTPS web sites
– Step 5: Analyze how sslstrip intercepts your connections
– Step 6: Use sslstrip to steal your credentials
• Lab Assignment
Step 1 (Boot your system)
• Reboot your computer to Mac OS
• Find Terminal in Launchpad.
• Find Firefox in Launchpad.
• Find the Python 2.7 environment
– It should be by default accessible in Terminal.
An example:
$ cd Documents
Documents $ python sslstrip.py -h
Step 2 (Configure your Firefox browser)
• Start Firefox via Launchpad
• Click Edit > Preferences
• Click on Advanced and select the Network tab
• Click Settings… and select Manual proxy configuration
• Configure HTTP Proxy as 127.0.0.1 and the Port as 8080
– Please do not enable “Use this proxy server for all protocols”
• Leave other entries (including SSL Proxy, FTP Proxy and
SOCKS Host) empty
• Erase No Proxy For entry
• Save your settings
Step 3 (Download and run sslstrip)
• Click Terminal in Mac
• Download sslstrip
https://docs.google.com/file/d/0B80v2ixuaO4ObDVVUXBxVDJ1LTA/
Or http://www.thoughtcrime.org/software/sslstrip/sslstrip-0.9.tar.gz
• Decompress sslstrip (to Documents directory)
Use 7zip to unzip sslstrip-0.9.zip, or in Terminal:
tar -zxf sslstrip-0.9.tar.gz && cd sslstrip-0.9
• Run sslstrip with help (see what options sslstrip
supports)
python sslstrip.py -h
• Run sslstrip
python sslstrip.py -a -w log.txt -l 8080
Step 4 (Browse HTTPS web sites)
1. Input www.google.com in the address bar of
Firefox browser
2. After www.google.com is loaded, switch to the
Terminal that runs sslstrip and press Ctrl+C to
terminate sslstrip
3. Open the file “log.txt” and search “Found
secure reference”
4. How many https links have been found by
sslstrip?
Step 5 (Analyze how sslstrip intercepts your connections)
1. We use “apis.google.com” as a hint to see how
sslstrip intercepts your connections
2. In the file log.txt, we can find
I.ms="https://apis.google.com"; in the HTML
document
3. Back to your Firefox browser, right click at the
blank area and select View page source
4. Search “apis.google.com” in the page source,
you can find I.ms="http://apis.google.com"
5. Now, Do you know how sslstrip works?
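The rewriting seen in Step 5 is only possible because the page reached the browser over plain HTTP. The browser-side counter-measure is HTTP Strict Transport Security (RFC 6797), which the following added Python model illustrates; it is an example written for this page, not part of the lab or of sslstrip. It assumes header names are passed lower-cased, and the facebook.com policy it feeds in is constructed sample input, not captured traffic.

```python
import time
from urllib.parse import urlsplit, urlunsplit

class HstsCache:
    # Minimal model of a browser HSTS store (RFC 6797): host -> (expiry, includeSubDomains)
    def __init__(self):
        self.entries = {}

    def observe(self, url, headers, now=None):
        parts = urlsplit(url)
        # RFC 6797 s8.1: ignore the header over plain HTTP, the channel sslstrip controls
        if parts.scheme != "https":
            return False
        value = headers.get("strict-transport-security")
        if value is None:
            return False
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, val = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                max_age = int(val.strip().strip('"'))
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:  # max-age is mandatory; a malformed header is ignored
            return False
        now = time.time() if now is None else now
        if max_age == 0:
            self.entries.pop(parts.hostname.lower(), None)  # max-age=0 revokes the policy
        else:
            self.entries[parts.hostname.lower()] = (now + max_age, include_sub)
        return True

    def upgrade(self, url, now=None):
        # The URL the browser really requests when the user types or follows an http:// link
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        now = time.time() if now is None else now
        labels = parts.hostname.lower().split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return urlunsplit(("https",) + tuple(parts[1:]))
        return url

def demo(now=1_700_000_000):
    # Constructed scenario: the policy is learned once over HTTPS, then http:// links are followed
    cache = HstsCache()
    cache.observe("https://www.facebook.com/", {"strict-transport-security": "max-age=15552000; includeSubDomains"}, now)
    return cache.upgrade("http://www.facebook.com/", now), cache.upgrade("http://m.www.facebook.com/", now)
```

Because a policy is only learned over HTTPS, a browser whose very first visit to a site goes through the proxy never installs one; that gap is why browsers also ship a preloaded HSTS list.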
Step 6 (Use sslstrip to steal your credentials)
1. Run “python sslstrip.py -p -w logpw.txt -l 8080” in
your Terminal
2. Visit http://www.facebook.com/ using Firefox
browser
3. Input “some username” in the username entry and
input “some password” in the password entry
4. Click Sign in
5. Terminate sslstrip with Ctrl+C and read
the file logpw.txt
6. Search for “email” or “pass” in the log file. What do you
find? (Or simply search for your email address.)
Questions
1. Use sslstrip to intercept your traffic when you
visit www.polyu.edu.hk and answer the
question: How many HTTPS links have been
found and what are they? (5 marks)
2. Given that sslstrip can access all your
connections to the Internet, and that you will now log in
to your Facebook account, how do you prevent
sslstrip from stealing your password? (5 marks)
– Hint: sslstrip can only intercept HTTP connections.
Questions?