Download sslstrip - attack ssl and tls

Moxie Marlinspike had already developed sslsniff in 2002. Exploiting a flaw in certificate chain validation, this client-side proxy intercepts HTTPS traffic from the server and swaps the server's certificate for its own. With a correctly configured, up-to-date browser, that substitution is detected and the attack no longer works. But, asks Marlinspike, what if the client browser never makes an HTTPS request in the first place?

That's why the San Franciscan developed a further proxy named sslstrip (see his presentation slides). The sslstrip tool searches for embedded links, such as https://.../login.php, originating from server webpages and replaces all HTTPS links with like-named HTTP links, such as http://.../login.php, while remembering the original HTTPS target. When the user clicks the modified URL, the sslstrip proxy recognizes it and opens an SSL connection with the server, which sends the webpage, albeit over a nonsecure connection.

In this way the man-in-the-middle (MITM) attacker can read everything that passes over the connection. Such a scenario has an obvious application to online banking, where often only an HTTP start page is shown, but with visible SSL links and icons that give at least a visual sense of security. Users routinely ignore warning dialogs and click through them; with sslstrip in the path the user doesn't even see a warning dialog, because no invalid HTTPS connection is ever made. The browser simply never opens a secure connection. The kind of MITM attacks this enables, and how completely unaware users can be of them, is clearly laid out in Marlinspike's "New Tricks for Defeating SSL in Practice" slides.

After some wide-ranging debate last week about sslstrip, the tool is now available for download. It comprises about 1,000 lines of Python code and is released under the GPLv3 license.

#linux-magazine

Defeating SSL/TLS - Blackhat-09 Video

Marlinspike released the SSLStrip tool to automate this attack. Using SSLStrip, Marlinspike was able to retrieve over 130 usernames and passwords over the Tor network. These credentials were for sites such as Gmail, Yahoo, LinkedIn, PayPal etc.

The SSLStrip tool works as follows:

  • Performs a MITM on the plain HTTP connection
  • Replaces all HTTPS links with HTTP ones, but remembers which links were changed
  • Communicates with the victim client over HTTP for every link that was originally secure
  • Communicates with the legitimate server over HTTPS for that same link
  • Transparently proxies the traffic between the victim client and the legitimate server
  • Replaces images such as the favicon with the familiar "secure lock" icon, to build trust
  • While the MITM is taking place, all passwords, credentials etc. are captured without the client noticing
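Both posts above describe the same symptom on the victim's side: a page that arrives over plain HTTP in which links to a login or banking host have been rewritten from https:// to http://. The following is an added example, not code from sslstrip or from either post, of a small audit that a site owner or a tester can run against such a page: it parses every link target out of the HTML and flags any http:// link whose host is on a constructed list of hosts that should only ever be linked over HTTPS (the host names, the policy set and the sample page are all assumptions made up for the example).

```python
"""Added example (not part of sslstrip or of the posts above): audit an HTML
page received over plain HTTP for links to hosts that must only be reached
over HTTPS.  A downgraded login link of the kind the posts describe shows up
as a finding.  Standard library only."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed policy: hosts that a site owner knows must never be linked over
# plain HTTP (hypothetical names chosen for this example).
HTTPS_ONLY_HOSTS = {"bank.example", "login.example"}


class _LinkCollector(HTMLParser):
    """Collect href / src / action targets from every tag in the document."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in ("href", "src", "action"):
                self.links.append(value)


def extract_links(html):
    """Return all link targets in document order."""
    collector = _LinkCollector()
    collector.feed(html)
    return collector.links


def find_downgraded_links(html, https_only_hosts=HTTPS_ONLY_HOSTS):
    """Return every http:// link whose host is in the HTTPS-only set.

    Relative links and links to hosts outside the policy are ignored; a
    non-empty result means the page a browser received contains a link that
    should have been HTTPS, which is exactly what stripping produces.
    """
    findings = []
    for link in extract_links(html):
        parts = urlsplit(link)
        if parts.scheme == "http" and parts.hostname in https_only_hosts:
            findings.append(link)
    return findings


# Constructed sample: what a victim browser might receive after stripping.
# The favicon and the login link have been downgraded; the help link was
# left alone and the news link is to a host outside the policy.
STRIPPED_PAGE = """
<html><head>
<link rel="icon" href="http://bank.example/favicon.ico">
</head><body>
<a href="http://bank.example/login.php">Log in</a>
<a href="https://bank.example/help">Help</a>
<form action="http://login.example/auth"><input name="pw"></form>
<a href="http://news.example/story">News</a>
</body></html>
"""

if __name__ == "__main__":
    for url in find_downgraded_links(STRIPPED_PAGE):
        print("downgraded link:", url)
```

Run against the constructed page, the audit reports the favicon, the login link and the form action, and stays quiet about the untouched https:// help link and the out-of-policy news host. An audit like this only detects the symptom; the durable fix follows from the posts' own description of the attack: if the site never serves its start page over plain HTTP, there is no HTTP response for a proxy to rewrite.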

This is the full video of the SSL attack demonstrated by Moxie at Blackhat this year.


"This presentation will demonstrate some new tools and techniques that allow attackers to silently alter, inject, and log traffic intended for secure transmission by SSL/TLS in common web applications such as online banking or secure webmail logins. It builds off of the SSL exploit tools and research on the failure of browsers to validate BasicConstraints that I published in 2002, and will include demonstrations of a new tool for exploiting current use patterns as well as some data gathered from field testing in the real world."

http://securitytube.net/Defeating-SSL-using-SSLStrip-(Marlinspike-Blackhat)-video.aspx