I have written this post about SSL Stripping for newbies and tried my best to explain the intricate details required to fully understand the technique.
First, I want to give you a brief background about the creator of this vulnerability, a well-known computer security researcher Moxie Marlinspike (@moxie). In 2009 he presented this flaw in Black Hat when he was the Chief Technical Officer and co-founder of Whisper Technologies acquired by Twitter in late 2011.
So buckle up guys and let’s get started. In general, SSL Strip is a technique in which a website is downgraded from https to http.
HTTP and HTTPS are the application-layer protocols in TCP/IP model, as illustrated in Fig. 1. HTTP stands for Hypertext Transfer Protocol. A protocol is a set of rules that are defined by a standard committee like ANSI and IEEE. On the other hand, HTTPS uses a secure tunnel to transfer and receive data. This secure tunnel is commonly called as SSL (Secure Socket Layer) and therefore the suffix ‘S’ is added to HTTPS. Both HTTP and HTTPS are illustrated in Fig. 2 where you can see SSL on top of HTTP.
In SSL Strip, all the traffic from the victim’s machine is routed via a proxy created by the hacker and can be thought of as a Man-In-the-Middle (MITM) attack.
So, let us assume that you are an attacker and able to establish a connection between the victim and server. This means that all the traffic from the victim’s machine will flow via your computer that serves as a proxy server and will either result in a certificate error or the encrypted traffic will be captured, which is of no use to us.
How is SSL Strip different from attacks like MITM?
Let’s take a scenario in which there is a victim machine (A), an attacker machine (B) and a server(C) (Fig. 3). SSL Strip is running on the attacker machine, which is a proxy server; hence, there is no direct connection between the victim and server.
The real beauty of SSL Stripping is that your browser won’t display any SSL Certificate errors and the victims have no clue that such an attack is occurring. This attack is also known as HTTP-downgrading attacks, where the connection established by the victim's browser is downgraded from HTTPs to HTTP.Victim A wants to transfer money from his account using an online banking service and enters the following URL in the address bar of the browser: www.foobank.com/online_banking. In the background, the victim browser connected to the attacker’s machine waits for a response from the server. Attacker B forwards the victim A’s request and waits for the response from the bank server. The connection between B and C is secure, which means that all the traffic that is transferred between them (B & C) goes through the SSL tunnel.
Subsequently the bank’s server responds with the login page that has the following URL: https://www.foobank.com/online_banking. At this stage, the attacker has access to the login page and can modify the response from the server from https to http. Once this is done the attacker sends the http address to victim (A), which results in the browser now being addressed to http://www.foobank.com/online_banking.
At this point, the victim has access to the internet banking login page with an unsecure connection. From this point onwards, all the victim’s requests go out in the plain text format and the attacker can access the data and collect the credentials. While the server thinks it has successfully established the connection, which in this scenario is between the attacker and the server (i.e. between B & C), and the victim (A) also thinks that it is a legitimate server (C).
Setup of the Attack Environment:
SSL Strip attacks can be implemented in a number of ways. Three of the most common methods are:
- Manually set the proxy of the browser to route all traffic
- ARP Poisoning
- Create a Hotspot and allow people to connect to it
I will explain the third one in which my hotspot will act as the proxy server.
For this attack, all you need is a Kali Linux machine with a WiFi Adapter that is able to work in the Promiscuous  mode. Most of the latest laptop NIC cards will work and you also need to download a shell script that will perform the configuration and download the required tools.
So let us begin the hack:
- Download the bash script which makes your life easier as it will perform the configuration and download all the dependencies required for this attack. Navigate to the home folder and run this command in the terminal:
$ cd ~
$ git clone https://github.com/brav0hax/easy-creds.git
- Navigate to easy-creds folder, change the executable permission and run the installer.sh$cd easy-creds
$sudochmod +x installer.sh
- The script will run and ask for the OS you are using. Select the Debian/Ubuntu and press Enter.
- Provide the path where you want to install easy-creds. I am using /opt. You can also choose /usr/bin or add your own path in $PATH environment variable. For the sake of simplicity, just type /opt.
- Next, easy-creds will download and install all the dependencies as below:
- SSLstrip: For downgrading request https to http
- airodump-ng: To start WLAN in promiscuous mode
- airbase-ng: To create a hotspot
- ettercap: For sniffing data
- urlsniff: For authentic real-time display of request from the victim’s machine
- DHCP server and more
- After easy-creds is successfully installed, run it by typing easy-creds. Undue attention to other attacks isn’t necessary. Just choose the 3 FakeAP Attacks, which is relevant to this article.
- Choose the option 1 FakeAP Attack Static.
- Type N for side-jacking attack. This isn’t necessary right now.
- Choose the Interface that is connected to the internet.
- Choose the NIC card or USB adapter interface name that is used for creating a hotspot.
- ESSID field is used to set a name (such as FreeWifi, MacDwifi and Companyname, etc.) for the hotspot.
- Select the channel. I usually choose channel 11.
- You can see the monitor interface created by airmon-ng. Choose the one which you want to use, for example, mon0.
- You can change the MAC address of the Wi-Fi hotspot as you like. For purposes of this discussion we are not required to do it.
- Select the tunnel interface created by airbase-ng usually it is at0.
- To assign the IP address automatically, we need to configure the DHCP server in our machine. Provide the IP range and subnet along with the DNS server to be used.
Now around five small windows will open and our attacker’s hotspot (AttackWIFI) is waiting for the victim to connect to it. Once connected, an IP address will be assigned and all the traffic will forward to the attacker’s machine.
Wait until the victim fills in the login form credentials. The ettercap will sniff the data and display them in a readable clear text form. You can also check the Logs from ettercap and sslstrip for later analysis.
Protection: SSLstrip is a difficult attack to prevent in a web app, but there are several steps that can be taken to mitigate this risk.
How can users be aware of this attack?
- Install either HTTPS Everywhere or ForceTLS (HTTPS Everywhere is easier to use). This tells your browser to use the SSL versions of web sites, where possible.
- SSL Strip does not display a certificate error, but if it does, then do not bypass the warning and stop browsing that website.
- For critical sites, like online banking, go to the HTTPS (SSL) version of the site from your machine while using a secure network, and then bookmark that page. Then, always open the site by accessing the bookmark.
- Always check the URL for critical websites with https in the address bar or in hyperlinks.
What can organizations do to protect their applications against such attacks?
- Enable SSL site wide (i.e., use HTTPS only)
- Enable HSTS  (HTTP Strict Transport Security)
- Enable Cert Pinning. 
- Enable secure cookies, i.e., ensure that all cookies are served with the secure attribute, so that your user's browsers will only send those cookies back over SSL-protected connections and never disclose them over any non-SSL (HTTP) link
- Disable HTTP (non-SSL) access, or redirect users to the SSL version of the website
 Promiscuous Mode: In a Local Area Network (LAN), promiscuous mode is a mode of operation in which every data packet transmitted can be received and read by a network adapter. Promiscuous mode must be supported by each network adapter as well as by the input/output driver in the host operating system. Promiscuous mode is often used to monitor network activity.
HSTS: HSTS tells the browser to only communicate with the server via HTTPS. The browser remembers the HSTS header from the server from the first time it was seen. When the user visits the site again, the browser ensures that all communication is done via HTTPS. This will work as long as the attacker doesn't strip the header on the first visit to the site.
How does HSTS aid in preventing attacks like SSL Strip?
Below are the steps by which HSTS is enabled in the header:
- The client creates a clear-text connection to the server
- The server responds with a redirect to the HTTPS address, with the HSTS header set
- The client and server communicate over SSL
- The session ends
- The client comes back later. The browser has stored the HSTS flag for this domain.
- The attacker attempts to perform SSL-strip attack and serves clear-text to the client.
- The client recognizes that the HSTS policy disallows this, and alerts the user.
Cert Pining: Typically certificates are validated by checking the signature hierarchy; MyCert is signed by IntermediateCert, which is signed by RootCert, and RootCert is listed in any Computer's "Certificates to Trust" store.
Certificate Pinning is where you ignore the bigger picture, and perhaps say “Trust this certificate only” or perhaps “Trust only certificates signed by this certificate”.
So, for example, if you go to google.com, your browser will trust the certificate if it is signed by VeriSign, Digicert and Thawte. However, if you use (on newer versions) Microsoft Windows Update, it will ONLY trust certificates signed by Microsoft, not VeriSign or Digicert.
Also, some newer browsers (Chrome, for example) will do a variation of certificate pinning using the HSTS mechanism. They preload a specific set of public key hashes into this the HSTS configuration, which limits the valid certificates to only those who indicate the specified public key.
Google has built in "preloaded" fingerprints for the known public keys in the certificate chains of Google properties, thereby exposing the false *.google.com certificate DigiNotar and Comodo Signed.
I hope you enjoyed it. Thanks for reading. All feedback and questions are welcome.Speak to our application security experts