sslstrip
sslstrip is a tool that transparently hijacks HTTP traffic on a network, watches for HTTPS links and redirects, and maps those links into look-alike HTTP links or homograph-similar HTTPS links.
Description
sslstrip performs SSL/TLS man-in-the-middle attacks by intercepting HTTP traffic and modifying HTTPS links to appear as HTTP equivalents. This allows an attacker to strip SSL protection, capturing sensitive data that would otherwise be encrypted. It supports additional features like supplying a favicon resembling a lock icon to maintain the illusion of security.
Use cases include network interception during penetration testing to demonstrate SSL stripping vulnerabilities. It can selectively log SSL POSTs, all SSL traffic, or all SSL and HTTP traffic. Session denial mode kills ongoing sessions to force new connections through the attacker's proxy.
The tool is particularly effective against users who do not verify HTTPS indicators beyond the address bar, such as lock icons. It relies on ARP spoofing or similar techniques for traffic redirection, making it a key component in broader MITM attack chains.
How It Works
sslstrip acts as a transparent proxy listening on a specified port (default 10000). It hijacks HTTP traffic, monitors for HTTPS links and redirects, and rewrites them to HTTP or homograph-similar HTTPS versions to bypass user detection. A fake lock favicon can be injected to mimic secure connections. Logging captures POST data, SSL traffic, or all traffic based on flags. Session killing terminates existing connections to redirect them through the proxy. It operates at the application layer, modifying HTTP responses on the client side while connecting upstream to the real servers over HTTPS.
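The rewriting described above leaves a visible trace in the markup a client receives. The following Python sketch is an added example for detection, not sslstrip code: it compares a copy of a page fetched over a trusted path with the copy seen on a suspect network and reports HTTPS links that arrived as HTTP or that point at a look-alike host. The hostnames, the sample markup and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Attributes that carry link, resource and form-submission targets.
LINK_RE = re.compile(r"""(?:href|src|action)\s*=\s*["']([^"']+)["']""", re.I)

def links(html):
    """Absolute http(s) URLs referenced in the markup."""
    return {u for u in LINK_RE.findall(html) if urlsplit(u).scheme in ("http", "https")}

def key(url):
    """Identify a URL by host, path and query, ignoring its scheme."""
    p = urlsplit(url)
    return (p.hostname, p.path or "/", p.query)

def is_downgrade(expected, observed):
    """True when observed is the http:// form of an expected https:// URL."""
    return (urlsplit(expected).scheme == "https"
            and urlsplit(observed).scheme == "http"
            and key(expected) == key(observed))

def suspicious_host(host):
    """Non-ASCII or punycode (xn--) labels can render like a trusted name."""
    return not host.isascii() or any(l.startswith("xn--") for l in host.split("."))

def find_rewrites(baseline_html, observed_html):
    """Compare markup from a trusted path with markup seen on the suspect network."""
    base = links(baseline_html)
    https_by_key = {key(u): u for u in base if urlsplit(u).scheme == "https"}
    known_hosts = {urlsplit(u).hostname for u in base}
    findings = []
    for u in sorted(links(observed_html)):
        p = urlsplit(u)
        host = p.hostname or ""
        if key(u) in https_by_key and is_downgrade(https_by_key[key(u)], u):
            findings.append(("downgraded", https_by_key[key(u)], u))
        elif p.scheme == "https" and host not in known_hosts and suspicious_host(host):
            findings.append(("lookalike-host", None, u))
    return findings

# Constructed sample data: the same page via a trusted path and via the suspect network.
BASELINE = '''<a href="https://login.example.com/session">Sign in</a>
<form action="https://pay.example.com/checkout" method="post">
<img src="http://static.example.com/logo.png">'''
OBSERVED = '''<a href="http://login.example.com/session">Sign in</a>
<form action="https://pay.xn--exmple-cua.com/checkout" method="post">
<img src="http://static.example.com/logo.png">'''

if __name__ == "__main__":
    for finding in find_rewrites(BASELINE, OBSERVED):
        print(finding)
```

The same is_downgrade check applies to a redirect: pass the Location value expected from the real server and the one actually received.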
Installation
sudo apt install sslstrip
Flags
Examples
sslstrip -h
sslstrip -w /tmp/sslstrip.log
sslstrip -p
sslstrip -s
sslstrip -a
sslstrip -l 8080
sslstrip -f
sslstrip -k