Workshop 6: SSL/TLS
The HTTPS stripping attacks
Zhou Peng and Daoyuan Wu
25 April 2014

SSLStrip Background
• The HTTPS stripping steps
  – Transparently hijacking HTTP traffic
  – Discovering HTTPS links and redirects
  – Mapping HTTPS links into look-alike HTTP links
• References:
  – http://www.thoughtcrime.org/software/sslstrip/index.html

Objectives
• Provide hands-on experience on attacking HTTPS connections using sslstrip
• Understand how sslstrip can steal your credentials (e.g., your Facebook username and password)

Overview of This Lab
• Preparation Step
  – Step 1: Boot your system
  – Step 2: Configure your Firefox browser
• Sslstrip Attacking Step
  – Step 3: Download and run sslstrip
  – Step 4: Browse HTTPS web sites
  – Step 5: Analyze how sslstrip intercepts your connections
  – Step 6: Use sslstrip to steal your credentials
• Lab Assignment

Step 1 (Boot your system)
• Reboot your computer to Mac OS
• Find Terminal in Launchpad.
• Find Firefox in Launchpad.
• Find Python 2.7 environment
  – It should be by default accessible in Terminal.
  – An example:
      $ cd Documents
      Documents $ python sslstrip.py -h

Step 2 (Configure your Firefox browser)
• Start Firefox via Launchpad
• Click Edit > Preferences
• Click on Advanced and select the Network tab
• Click Settings… and select Manual proxy configuration
• Configure HTTP Proxy as 127.0.0.1 and the Port as 8080
  – Please do not enable “Use this proxy server for all protocols”
• Leave other entries (including SSL Proxy, FTP Proxy and SOCKS Host) empty
• Erase the No Proxy For entry
• Save your settings

Step 3 (Download and run sslstrip)
• Click Terminal in Mac
• Download sslstrip
  – https://docs.google.com/file/d/0B80v2ixuaO4ObDVVUXBxVDJ1LTA/
  – Or http://www.thoughtcrime.org/software/sslstrip/sslstrip-0.9.tar.gz
• Decompress sslstrip (to Documents directory)
  – Use 7zip to unzip the sslstrip-0.9.zip
      tar -zxf sslstrip-0.9.tar.gz && cd sslstrip-0.9
• Run sslstrip with help (see what options sslstrip supports)
      python sslstrip.py -h
• Run sslstrip
      python sslstrip.py -a -w log.txt -l 8080

Step 4 (Browse HTTPS web sites)
1. Input www.google.com in the address bar of the Firefox browser
2. After www.google.com is loaded, go to the Terminal which runs sslstrip and input “Ctrl+c” to terminate sslstrip
3. Open the file “log.txt” and search for “Found secure reference”
4. How many https links have been found by sslstrip?

Step 5 (Analyze how sslstrip intercepts your connections)
1. We use “apis.google.com” as a hint to see how sslstrip intercepts your connections
2. In the file “log.txt”, we can find I.ms="https://apis.google.com"; in the HTML document
3. Back in your Firefox browser, right click on a blank area and select View page source
4. Search for “apis.google.com” in the page source; you can find I.ms="http://apis.google.com"
5. Now, do you know how sslstrip works?

Step 6 (Use sslstrip to steal your credentials)
1. Run “python sslstrip.py -p -w logpw.txt -l 8080” in your Terminal
2. Visit http://www.facebook.com/ using the Firefox browser
3. Input “some username” in the username entry and input “some password” in the password entry
4. Click Sign in
5. Terminate sslstrip using “Ctrl+c” and read the file logpw.txt
6. Search for “email” or “pass” in the log file. What do you find? (Or simply search for your email address.)

Questions
1. Use sslstrip to intercept your traffic when you visit www.polyu.edu.hk and answer the question: How many HTTPS links have been found and what are they? (5 marks)
2. Given that sslstrip can access all your connections to the Internet, how do you prevent sslstrip from stealing your passwords when you log in to your Facebook account? (5 marks)
  – Hint: sslstrip can only intercept HTTP connections.

Questions?
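The comparison made by hand in Step 5, written as a check a defender can run: this is an added example, not part of the original slides or of sslstrip. It compares the HTML a server sent with the HTML the browser received and lists every URL whose https:// form was replaced by http://. The function names and the sample pages are constructed for illustration; only the I.ms="…apis.google.com" line comes from Step 5.

```python
import re

# Absolute URLs as they appear in HTML attributes or inline script strings.
URL_RE = re.compile(r"\b(https?)://([A-Za-z0-9.-]+(?::\d+)?)([^\s\"'<>)]*)")


def url_schemes(html):
    """Map (host, path) -> set of schemes seen for that URL in the document."""
    seen = {}
    for scheme, host, path in URL_RE.findall(html):
        seen.setdefault((host.lower(), path), set()).add(scheme.lower())
    return seen


def find_downgraded(served_html, received_html):
    """Return URLs sent as https:// that arrived at the browser only as http://."""
    served = url_schemes(served_html)
    received = url_schemes(received_html)
    downgraded = []
    for key, schemes in served.items():
        if "https" not in schemes:
            continue  # the server never offered this URL over HTTPS
        got = received.get(key, set())
        # Downgrade: the https copy is gone and an http look-alike took its place.
        if "http" in got and "https" not in got:
            downgraded.append("https://%s%s" % key)
    return sorted(downgraded)


# Constructed sample: the page as sent by the server (trusted copy) ...
SERVED = '''<script>I.ms="https://apis.google.com";</script>
<a href="https://accounts.google.com/ServiceLogin">Sign in</a>
<img src="http://www.google.com/logo.png">'''

# ... and the same page as seen in "View page source" behind the proxy.
RECEIVED = '''<script>I.ms="http://apis.google.com";</script>
<a href="http://accounts.google.com/ServiceLogin">Sign in</a>
<img src="http://www.google.com/logo.png">'''

if __name__ == "__main__":
    for url in find_downgraded(SERVED, RECEIVED):
        print("downgraded:", url)
```
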