sslstrip on OpenWRT (Linux) wireless router

Last Modified: Sat, 11 Feb 2012 18:23:02 +0000 ; Created: Sat, 11 Feb 2012 18:18:15 +0000

I wanted to play with sslstrip but run it on my actual wireless router instead of on a separate machine on the wireless or LAN. This avoids having to get arpspoof working correctly and is a little simpler, since I control the evil wireless router.

Steps

  1. Router with Linux and Python
    • I have a Buffalo WZR-HP-AG300H which I really like
    • I used OpenWRT version r29484
  2. Sufficient space for all the software (you may need an external drive/share mounted)
    • My setup uses 11MB for OS, Python, and sslstrip
  3. Sufficient RAM on your router
    • My router has 128MB; you probably need at least 16MB
  4. sslstrip python program by Moxie
    • I had to use version 0.8 due to bugs in 0.9
    • I didn't use the OpenWRT repository version because it was only version 0.6
  5. iptables
    • For OpenWRT I installed all the iptables packages (which includes modules) and the kernel (kmod-ipt) modules
    • A package search on "ipt" should get you them all
  6. Extract the sslstrip tarball to any directory you like
    • I didn't separate it into the system or run the installer. I just used the stand-alone version.
  7. Start it with python sslstrip
    • Just the defaults. Use -h for other choices
  8. Set your iptables to redirect all HTTP (port 80) traffic to sslstrip
    1. iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:10000
    2. I tried using -j REDIRECT, but my version of OpenWRT didn't have it compiled. The above is just the long form of it anyway.
  9. Bring up the login page for a site like Facebook
  10. Enter login credentials (fake if you want)
  11. Look in the sslstrip.log file for the credentials
  12. Note that Facebook will be effectively broken, as it won't accept a non-secure login. You still get the credentials, but users will notice Facebook isn't working after trying to log in. A custom version of sslstrip could probably allow the user to log in as normal.
  13. Google has implemented new security measures to block this attack, but only for a hard-coded list of sites (e.g. Gmail, PayPal). As of 2012-02-11 Facebook is still vulnerable. See Protecting against MITM and sslstrip attacks for details.
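As an added, defender-side example that is not part of the original post: the hard-coded browser list mentioned in step 13 is built on HTTP Strict Transport Security (RFC 6797), the header a site sends so that browsers refuse to load it over plain HTTP, which is the site-side mitigation for this downgrade. The helper below (my own names, parse_hsts and downgrade_risk) parses a Strict-Transport-Security header from a trusted HTTPS response and classifies how exposed the site is, including the first-visit gap that preloading closes; the sample headers are constructed.

```python
import re
from typing import Dict, Optional

# Preload lists require at least one year plus includeSubDomains.
PRELOAD_MIN_AGE = 31536000


def parse_hsts(header: Optional[str]) -> Optional[Dict[str, object]]:
    """Parse a Strict-Transport-Security value (RFC 6797).

    Returns None when the header is absent or carries no valid
    max-age, which is how a browser treats it: no policy installed."""
    if header is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and re.fullmatch(r"\d+", value):
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def downgrade_risk(headers: Dict[str, str]) -> str:
    """Classify exposure to an HTTPS-to-HTTP downgrade from the response
    headers of a trusted HTTPS fetch (header names matched case-insensitively)."""
    lookup = {k.lower(): v for k, v in headers.items()}
    policy = parse_hsts(lookup.get("strict-transport-security"))
    if policy is None or policy["max_age"] == 0:
        # max-age=0 tells the browser to drop any stored policy.
        return "vulnerable"
    if (policy["preload"] and policy["include_subdomains"]
            and policy["max_age"] >= PRELOAD_MIN_AGE):
        return "preload-eligible"
    # HSTS is trust-on-first-use: the policy only exists in the browser
    # once a genuine HTTPS response has been seen, so a first visit over
    # an untrusted network is still exposed.
    return "protected-after-first-visit"


# Constructed sample responses, not captures from any real site.
SAMPLE_NO_HSTS = {"Content-Type": "text/html"}
SAMPLE_HSTS = {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"}
SAMPLE_SHORT = {"Strict-Transport-Security": "max-age=600"}
```

Run downgrade_risk over the headers of a site you operate; anything other than "preload-eligible" means a user's first visit through an untrusted network can still be served over plain HTTP.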