sslstrip on OpenWRT (Linux) wireless router
Last Modified: Sat, 11 Feb 2012 18:23:02 +0000 ; Created: Sat, 11 Feb 2012 18:18:15 +0000
|I wanted to play with sslstrip but have it on my actual wireless router instead of a separate machine on the wireless or LAN. This avoids the requirement of having to get arpspoof to work correctly and is a little simpler since I control the evil wireless router.
- Router with Linux and Python
- I have a Buffalo WZR-HP-AG300H which I really like
- I used OpenWRT version r29484
- Sufficient space for all the software (you may need an external drive/share mounted)
- My setup uses 11MB for OS, Python, and sslstrip
- Sufficient RAM on your router
- My router has 128MB. Probably need at least 16MB
- sslstrip python program by Moxie
- I had to use version 0.8 due to bugs in 0.9
- I didn't use the OpenWRT repository version because it was only version 0.6
- For OpenWRT I installed all the iptables packages (which includes modules) and the kernel (kmod-ipt) modules
- A package search on "ipt" should get you them all
- Extract the sslstrip tarball to any directory you like
- I didn't separate it into the system or run the installer. I just used the stand-alone version.
- Start it with
- Just the defaults. Use -h for other choices
- Set your iptables to redirect all HTTP (port 80) traffic to sslstrip
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:10000
- I tried using -j REDIRECT, but my version of OpenWRT didn't have it compiled. The above is just the long form of it anyway.
- Bring up the login page for a site like Facebook
- Enter in login credentials (fake if you want)
- Look in the sslstrip.log file for the credentials
- Note that Facebook will be effectively broken as it won't accept a non-secure login. You still get the credentials though, but users will notice Facebook isn't working after trying to login. A custom version of sslstrip could probably allow the user to login as normal.
- Google has implemented new security measures to block this attack, but only for a hard-coded list of sites (ex: gmail, paypal). As of 2012-02-11 Facebook is still vulnerable. See Protecting against MITM and sslstrip attacks for details.