Workshop 6: SSL/TLS
The HTTPS stripping attacks
Zhou Peng and Daoyuan Wu
25 April 2014

SSLStrip Background
• The HTTPS stripping steps
  • Transparently hijacking HTTP traffic
  • Discovering HTTPS links and redirects
  • Mapping HTTPS links into look-alike HTTP links
• References:
  • http://www.thoughtcrime.org/software/sslstrip/index.html

Objectives
• Provide hands-on experience on attacking HTTPS connections using sslstrip
• Understand how sslstrip can steal your credentials (e.g., your Facebook username and password)

Overview of This Lab
• Preparation Step
  • Step 1: Boot your system
  • Step 2: Configure your Firefox browser
• Sslstrip Attacking Step
  • Step 3: Download and run sslstrip
  • Step 4: Browse HTTPS web sites
  • Step 5: Analyze how sslstrip intercepts your connections
  • Step 6: Use sslstrip to steal your credentials
• Lab Assignment

Step 1 (Boot your system)
• Reboot your computer to Mac OS
• Find Terminal in Launchpad.
• Find Firefox in Launchpad.
• Find Python 2.7 environment
  • It should be by default accessible in Terminal. An example:
    • $ cd Documents
    • Documents $ python sslstrip.py -h

Step 2 (Configure your Firefox browser)
• Start Firefox via Launchpad
• Click Edit > Preferences
• Click on Advanced and select the Network tab
• Click Settings… and select Manual proxy configuration
• Configure HTTP Proxy as 127.0.0.1 and the Port as 8080
• Please do not enable “Use this proxy server for all protocols”
• Leave other entries (including SSL Proxy, FTP Proxy and SOCKS Host) empty
• Erase the No Proxy For entry
• Save your settings

Step 3 (Download and run sslstrip)
• Click Terminal in Mac
• Download sslstrip
  • https://docs.google.com/file/d/0B80v2ixuaO4ObDVVUXBxVDJ1LTA/
  • Or http://www.thoughtcrime.org/software/sslstrip/sslstrip-0.9.tar.gz
• Decompress sslstrip (to Documents directory)
  • Use 7zip to unzip the sslstrip-0.9.zip
  • tar -zxf sslstrip-0.9.tar.gz && cd sslstrip-0.9
• Run sslstrip with help (see what options sslstrip supports)
  • python sslstrip.py -h
• Run sslstrip
  • python sslstrip.py -a -w log.txt -l 8080

Step 4 (Browse HTTPS web sites)
• Enter www.google.com in the address bar of the Firefox browser
• After www.google.com has loaded, switch to the Terminal that is running sslstrip and press Ctrl+C to terminate sslstrip
• Open the file “log.txt” and search for “Found secure reference”
• How many https links have been found by sslstrip?

Step 5 (Analyze how sslstrip intercepts your connections)
• We use “apis.google.com” as a hint to see how sslstrip intercepts your connections
• In the file “log.txt”, we can find I.ms="https://apis.google.com"; in the HTML document
• Back in your Firefox browser, right-click a blank area and select View Page Source
• Search for “apis.google.com” in the page source; you can find I.ms="http://apis.google.com"
• Now, do you know how sslstrip works?

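The comparison Step 5 does by hand (log.txt versus View Page Source) can be automated as a check for stripped links. This is an added Python 3 example, not part of the original slides or of sslstrip; the function names, the example.test URLs and both sample pages are constructed, and it assumes you hold a reference copy of the page fetched over a trusted connection.

```python
import re

# Absolute http/https URLs: scheme, host[:port], then path up to a quote/space/bracket.
URL_RE = re.compile(r'\b(https?)://([A-Za-z0-9.-]+(?::\d+)?)([^\s"\'<>\\)]*)')

def extract_urls(html):
    """Return the set of (scheme, host, path) tuples for every absolute URL in html."""
    return {(m.group(1).lower(), m.group(2).lower(), m.group(3))
            for m in URL_RE.finditer(html)}

def find_stripped_links(reference_html, received_html):
    """List URLs that are https in the reference copy but appear only as
    http (same host and path) in the copy the browser received."""
    ref = extract_urls(reference_html)
    got = extract_urls(received_html)
    stripped = []
    for scheme, host, path in sorted(ref):
        if scheme != "https":
            continue  # links that were plain HTTP at the origin are not a downgrade
        if ("http", host, path) in got and ("https", host, path) not in got:
            stripped.append("https://" + host + path)
    return stripped

# Constructed sample pages (not captured traffic). REFERENCE stands for a copy
# fetched over a trusted path; RECEIVED for what the proxied browser displayed.
REFERENCE = '''<html><script>I.ms="https://apis.google.com";</script>
<form action="https://accounts.example.test/login" method="post"></form>
<a href="http://www.example.test/about">About</a></html>'''

RECEIVED = '''<html><script>I.ms="http://apis.google.com";</script>
<form action="http://accounts.example.test/login" method="post"></form>
<a href="http://www.example.test/about">About</a></html>'''

if __name__ == "__main__":
    for url in find_stripped_links(REFERENCE, RECEIVED):
        print("downgraded to HTTP:", url)
```

A link that was already plain HTTP in the reference copy is not reported, so the output lists only references whose scheme changed between the two copies.
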
Step 6 (Use sslstrip to steal your credentials)
• Run “python sslstrip.py -p -w logpw.txt -l 8080” in your Terminal
• Visit http://www.facebook.com/ using the Firefox browser
• Enter “some username” in the username field and “some password” in the password field
• Click Sign in
• Terminate sslstrip by pressing Ctrl+C and read the file logpw.txt
• Search for “email” or “pass” in the log file. What do you find? [Or simply search for your email address]

Questions
• Use sslstrip to intercept your traffic when you visit www.polyu.edu.hk and answer the question: How many HTTPS links have been found and what are they? (5 marks)
• Given that sslstrip can access all your connections to the Internet, and that you are about to log in to your Facebook account, how do you prevent sslstrip from stealing your passwords? (5 marks)
  • Hint: sslstrip can only intercept HTTP connections.