sec-notes
  • Whoami
  • WEP-Pen
    • Reconnaissance
    • Enumeration
    • OWSAP TOP 10
      • Cryptographic Failures
        • Weak Encoding for Password
        • Improper Following of a Certificate's Chain of Trust
          • Understanding Digital Certificates : Self-Signed and CA-Signed Certificate **
          • Transport Layer Security (TLS) and SSL **
        • Clear Text Transmission Of Sensitive Data
          • SSLStripping **
      • Broken Access Control
        • Path Traversal
        • Sensitive Cookie with Improper SameSite Attribute
        • Link Following
        • Incorrect Default Permissions
        • Information disclosure
        • CSRF
          • csrf checklist
        • 403 bypass
        • Exposure of WSDL File Containing Sensitive Information
        • bussiness logic checklist
        • 2FA bypass checklist
        • admin panal checklist
        • idor checklist
        • Authentication checklist
        • reset_password_checklist
        • ATO
      • Injection
        • Cross Site Scripting
          • Cross Site Scripting
          • Exploitation
          • Protections
        • SQL Injection
          • SQL Injection Overview
        • NoSQL Injection
        • CRLF Injection
        • XML Injection
      • Insecure Design
      • Security Misconfiguration
        • CORS Miscofigration
        • Mail Server Misconfiguration
      • Vulnerable and Outdated Components
      • Identification and Authentication Failures
      • Software and Data Integrity Failures
      • Security Logging and Monitoring Failures
      • Server-Side Request Forgery (SSRF)
    • Checklists
      • mass assignment
      • aem misconfiguration
      • exif_geo
      • xss
      • Session Management
      • Authorization
      • cookie
      • Django
      • Symfony
      • json
      • bypass rate limit
      • Rce
      • Register Page
    • JWT Hacking
    • GraphQL Vulnerabilities
    • PostMessage Vulnerabilities
      • PostMessage Vulnerabilities
      • Blocking main page to steal postmessage
      • Bypassing SOP with Iframes - part 1
      • Bypassing SOP with Iframes - part 2
      • Steal postmessage modifying iframe location
  • API-Pen
    • API Discovry
    • Reverse Engineering API Documentation
    • Excessive Data Exposure
    • Vulnerability Scanning
    • API Authentication Attacks
      • Classic Authentication Attacks
      • API Token Attacks
    • API Authorization Attacks
      • Broken Object Level Authorization (BOLA)
      • Broken Function Level Authorization
    • Improper Assets Management
    • Mass Assignment
    • SSRF
    • Injection Attacks in API
    • Evasive Maneuvers
  • NET-Pen
    • Active Directory Pentesting
      • Active Directory Components
      • Initial Attack Vectors
        • LLMNR Poisoning
        • SMB Relay Attacks
        • IPv6 Attacks ( IPv6 DNS Takeover )
        • Printer Hacking
        • Methodology
        • Some Other Attacks
          • Zerologon (CVE-2020-1472)
          • PrintNightmare (CVE-2021-1675)
      • Post-Compromise Attacks
        • Pass Attacks
        • Kerberoasting Attack
        • Token Impersonation Attack
        • LNK File Attack
        • GPP / cPassword Attacks
        • Mimikatz
        • Methodology
      • We've Compromised the Domain
        • Dumping the NTDS.dit
        • Golden Ticket Attacks
        • Methodology
      • Case Study
      • Password Attacks
    • Attack Vectors by Port
      • FTP 21
      • SSH 22
      • Telnet 23 - 2323
      • SMTP 25
      • DNS 53
      • Kerberos 88
      • POP 110-995
      • RPC 111
      • Ident 113
      • NNTP 119
      • NetBIOS 137-138
      • SMB / Samba 135-139, 445
      • MSRPC 135
      • SNMP 161
      • LDAP 389,636
      • Modbus 502
      • OpenSSL 1337
      • Ms-SQL 1433
      • Oracle Listener 1521 1522 1529
      • NFS 2049
      • MySql 3306
      • RDP 3389
      • ADB Android Debug Bridge 5555
      • WinRM 5985 5986
      • VNC 5800 5900
      • Redis 6379
      • Unreal IRC 6667
      • Tomcat 8080
      • MongoDB 27017
      • http 80
    • Network basics
    • Information Gathering
    • Privilege Escalation
      • Windows Privilege Escalation
      • Linux Privilege Escalation
  • write-ups
    • How i found a Privilege Escalation via Impersonation Features feature
    • How I Bypassed SAML Authentication, Leading to Admin Panel Access.
    • How I was able to discover ATO Via IDOR vulnerability
    • Easy full Account Takeover via Facebook OAuth Misconfiguration
Powered by GitBook
On this page
  • What is SSLStripping?
  • How does it work?
  • How can SSLStripping be exploited?
  • Use of SSLStrip Tool
  • Ettercap and it's benefits:
  • How to run it in Kali Linux:
  • Benefits of Ettercap
  • By Using In-Secure Public WIFI:
  • Remediation
  • Implementation of HTTP Strict Transport Security / HSTS
  • Enable Certificate pinning
  • Enabled secure cookie attribute
  1. WEP-Pen
  2. OWSAP TOP 10
  3. Cryptographic Failures
  4. Clear Text Transmission Of Sensitive Data

SSLStripping **

extra knowledge

PreviousClear Text Transmission Of Sensitive DataNextBroken Access Control

Last updated 1 month ago

What is SSLStripping?

MITM stands for man-in-the-middle attack or we can call it SSLStripping, and SSLStrip is a tool. The data can be effectively stolen because the connection is no longer encrypted when the attacker downgrades the website connection from HTTPS to HTTP. Stripped down to "HTTP," or in other terms, an attacker downgrades the connection to the website from HTTPS to HTTP. Attackers are able to retrieve sensitive information as soon as the connection quality declines, and they also have the ability to change that information.

Consider, for instance, a scenario in which an adversary is able to monitor and intercept the traffic with the use of MITM tools such as SSLstrip. On a public network, an attacker could employ an MITM attack to retrieve information on a legitimate user. This information could include the user's credit card details, password, or any number of other sensitive pieces of information. Attackers change the details of a legitimate user and then send him to a server under the attacker's control, where he can then coerce the user into performing undesired tasks.

Using SSLStrip an attacker can jeopardize the integrity and confidentiality of user information; in extreme cases, it can even allow hackers to collect personally identifiable information (PII), health information, and bank account details.

How does it work?

When a legitimate user connects to a server — which is typically a secure connection — but an attacker downgrades the connection to plaintext because the legitimate user is connected to a wifi network controlled by the attacker, the attacker is able to intercept the traffic and act as a bridge between the legitimate user and the server. Now the attacker is able to access all of the information that is being transmitted between the User and the Server. As I previously stated, this may include sensitive information such as credit card information, usernames and passwords, and a great deal of other information.

For example: We have a website that works on https i.e. https://test.com and if an attacker is able to degrade it to http then the website becomes http://test.com. So in that case user can easily continue to communicate with test.com but due to plaintext protocol attacker will be able to intercept each and every communication that is happening between them.

legit user ⇐ HTTP ⇒ Attacker ⇐ HTTPS ⇒ test.com

As soon as the SSLStripping attack starts, a legit user is communicating to the website on HTTP.

legit user ⇐ HTTP ⇒ Attacker ⇐ HTTP ⇒ test.com

If the application has a vulnerability known as SSLStripping, then an attacker can connect from a particular session while waiting for a response from the server if the application has this vulnerability. Throughout the entirety of this procedure, the legitimate user has no way of knowing whether or not he is connecting to a secure connection, and he also has no way of understanding whether or not the session is being intercepted.

How can SSLStripping be exploited?

SSLStripping vulnerability can be exploited for all users who are going to use the attacker controlled Wifi or network. There are multiple ways to perform SSL Strip:

Use of SSLStrip Tool

In Kali Linux we have a couple of tools which can be used to exploit the SSLstripping vulnerability such as Ettercap. These tools can hijack HTTP traffic from existing networks and watch for HTTPS URLs and then redirect them. After redirection it maps those links the same as HTTP links.

Ettercap and it's benefits:

Ettercap is an open source tool that is available in Kali Linux. It can intercept the network traffic and also perform eavesdropping against some of the common protocols. If there is a need to maintain the connection, It can also insert the commands or characters between the network connections. This tools has some feature due to which it is more popular than others tools of SSLstriping, Let us discuss them in detail:

How to run it in Kali Linux:

It requires very basic knowledge in order to run this and this tool is pre installed on kali Linus. Still if anyone wants to install it he can use this URL https://github.com/Ettercap/ettercap.git. If users want to gain more knowledge about this tool he can visit this URL https://github.com/Ettercap/ettercap. If Ettercap is already installed on Kali Linux then the user can use the below command, in order to execute it.

Syntax : Ettercap -G // where -G is used to select the user interface.

When we run the above command it will show the version of "Ettercap", which you can see in the below screenshot also.

As soon as the user, insert this command. Ettercap prompt will open and it looks like as mentioned below:

In order to extend its functionality users can add Plugins to it that will enhance its basic functionality.

Benefits of Ettercap

Ettercap can perform both active and passive information gathering by using both TCP and UDP protocol. Whenever there is a need to capture gateway logs it is preferred as this tool is capable of MAC base filtering. Sometimes in case of ARP protocols users need to filter the traffic in full duplex mode, Ettercap can also do that. It is capable of creating connections in various environments such as VPN tunneling, SSH connections, and secure HTTP connections.

By Using In-Secure Public WIFI:

Legit users who are connected through the insecure public WIFI, attacker can intercept their traffic by performing MITM attack and using tools such as SSLStrip or Ettercap.

Encryption functionality implemented only on login page

There are so many application developers who encrypt the password on the login page itself. They transmit the password after encrypting it.

Remediation

Because switching a connection from HTTPS to HTTP might result in a vulnerability of a high severity, companies need to take the appropriate remediation measures in order to protect themselves from the threat posed by this vulnerability.

Implementation of HTTP Strict Transport Security / HSTS

As soon as an attacker attempts to degrade it or change application from secure channel to insecure channel, application automatically redirects to secure channel or stops working, because after enabling or adding HSTS header on application it protects against downgrading the HTTPS connection to HTTP and then application can only work on secure channel.

How is it implemented?

With the use of a new something that in the web application known as "Strict-Transport-Security." Therefore, it is impossible for it to be possible as soon as the supported browser receives a connection request to downgrade. The owner of the application is responsible for setting the "max-age" attribute with this header. The admin can define the expiration time in the "max-age" field. As a result, web browsers are able to comprehend the fact that websites have to be accessed via HTTPS only during the allotted period of time.

Enable Certificate pinning

Certificate pinning somehow reduces the attack surface of the SSLStripping vulnerability as by enabling the certificate pinning on websites or applications, we can specify the browser to accept connection only from these hosts where the SSL certificate conditions meet otherwise reject the rest of connections.

Enabled secure cookie attribute

Using the secure attribute in the cookie, it can't be transmitted through unsecure channels so if the attacker has downgraded the connection to HTTP, the cookie will not be transmitted in the request and hence it will be secure from getting his account compromised.