A few years ago now, Moxie Marlinspike made an awesome tool called sslstrip. Today I will show you one way to use it on a wifi network to strip password information out of a victim’s browser traffic. There are more things you can do with sslstrip, and at some point I will write about those too, but some of them require more bandwidth than most wireless cards can muster.
**DISCLAIMER: This tutorial is meant as an educational tool only; I am not responsible if you use this in an illegal manner and get arrested!**
I have done this attack in many lab environments and also in a few live hacks and pen tests. You have to execute a man-in-the-middle attack by fooling the victim into thinking you are the gateway, and telling the gateway that you are the victim.
The first step is to prepare your wireless card to handle the traffic, then spoof the ARP replies with arpspoof. (One thing to note about arpspoof is that it makes a lot of noise. There are quieter ways to do this, but I am teaching for lab environment purposes. If you do this on a network with an IDS or other alerting you WILL be caught, and could be in serious trouble.)
The syntax for the man-in-the-middle attack via arpspoof is:
arpspoof -i -t
arpspoof -i -t
This sends ARP replies to both the gateway and the victim, telling each of them to send their packets to you first; you then pass them on to the intended recipient (after you play with their packets).
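Seen from the defender's side, the repeated, unsolicited ARP replies described above are exactly the "noise" an IDS picks up on. The following is an added example, not code from the original post: it reads a constructed list of ARP-reply observations (timestamp, sender IP, sender MAC) and flags the two symptoms arpspoof produces, an IP whose hardware address suddenly changes and an IP answered far more often than a normal host would. The record format and the thresholds are assumptions for this example.

```python
# Added example (not from the original post): detect arpspoof-style ARP
# poisoning from ARP-reply observations. Input format and thresholds are
# assumptions for this example, not a real tool's format.
from collections import defaultdict

# Constructed sample: (timestamp_seconds, sender_ip, sender_mac) of ARP
# replies seen on the LAN. The gateway 192.168.1.1 legitimately lives at
# aa:aa:aa:aa:aa:01; from t=10 a second host (de:ad:be:ef:00:01) claims it
# every two seconds, which is how arpspoof keeps the victim's cache poisoned.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    (1.0, "192.168.1.20", "aa:aa:aa:aa:aa:20"),
    (5.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
] + [(10.0 + 2 * i, "192.168.1.1", "de:ad:be:ef:00:01") for i in range(15)]


def detect_arp_spoof(replies, window=30.0, max_replies=10):
    """Return alert strings for suspicious ARP reply patterns in `replies`."""
    alerts = []
    ip_to_mac = {}               # MAC currently believed to own each IP
    recent = defaultdict(list)   # ip -> timestamps of replies inside the window
    rate_alerted = set()         # IPs already reported for a high reply rate
    for ts, ip, mac in replies:
        known = ip_to_mac.setdefault(ip, mac)
        if mac != known:
            # Classic poisoning symptom: the gateway (or victim) IP is now
            # answered by a different hardware address.
            alerts.append(f"{ip} moved from {known} to {mac} at t={ts:.0f}s")
            ip_to_mac[ip] = mac
        # Keep only replies for this IP that fall inside the sliding window.
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) > max_replies and ip not in rate_alerted:
            # Hosts rarely send unsolicited ARP replies; arpspoof repeats them
            # every couple of seconds, so the count climbs far above normal.
            alerts.append(f"{ip}: more than {max_replies} ARP replies in {window:.0f}s")
            rate_alerted.add(ip)
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoof(SAMPLE_ARP_REPLIES):
        print("ALERT:", line)
```

On a real network the same logic would be fed from a passive ARP capture; the three legitimate replies at the top of the sample produce no alerts on their own.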
Earlier, when you were preparing your network card, you set the listening port for sslstrip, so you start sslstrip by typing:
In another terminal window, to view your live captures, just run “tail -f sslstrip.log”.
This will strip out their https requests and force them back to http, making all “POST” actions plain text. I have seen some websites that do not seem to work this way: before the POST the username/password were encrypted, but everything else in it was plaintext.
Using this method on a wireless network will allow you to grab passwords without alerting your victim (unless they happen to notice the URL is “http://” rather than “https://”). There are many ways to guard against this attack if it is happening, but the average user will not know they are even being watched.