Skip to main content

Hijacking SSL

SSL has been in centerstage of researches as well as attacks for quite long time. Last year in a conference in Germany researchers showed how to generate duplicate certificates exploiting MD5 hashing to break SSL. Later in Black Hat, Maxie showed how to exploit a field in SSL certificates to sign an own forged certificate to present it to the client. The main feature of this attack was that the client will never get any warning dialog box by the browser and subsequently the hacker doing an MITM can see the conversation between the client and server. The client will even get a PADLOCK sign to be assured that all things are going via encryption, but in reality it's not. Maxie released a tool SSLStrip to carry out these attacks.
The tool has been used by many researchers around the world to carry out the attacks. They all used Unix machines as many open source utilities makes it easier to run the tool on it.
My attempt was to run the tool on a Windows machine. It has been never easy to do that. It took considerable amount of time to find Windows equivalents of the Unix commands and utilities.
But finally I did it.
Here is an white paper to help you understand. Would love to have comments from you.

It can be downloaded here:


Anonymous said…
Hi Nilesh!
I read your whitepaper and i have created a lab using your paper.
The command line for java tool apparently it works, but the sslstrip tool dont capture nothing.
The same lab in environment linux works fine with IPTABLES, but dont work in a Windows environment.
Have you any idea?
operat0r said…

I am trying to create portable sslstrip for windows so far I got it running and arp is working but I get no output from java or sslstrip ? rmccurdy1 ATATATATAT yahoo or rmccurdy_co m

* doubled check the registry setting ( reboot )
* arp is working I can see the traffic
* if I hit http://localhost sslstrip goes ape so I know that part is working

so its like its not going from the target to the port fwd. Is there something in windows I am missing besides the reg key ? have firewall enabled or disabled or something I am missing ? I have tried it on two differnt boxes one was clean build etc.

feel free to call me let me know a time and timezone to call you back and I can have you remote into test mashine here if you like ;)
Anonymous said…
I try your process to setup SSstrip on windows and i uncounter some problem at the step2. The java command does pass and i get the following output:
C:\Users\azea> java -classpath commons-logging.jar;portforward.jar org.enterpris 80 localhost:10000
Exception in thread "main" java.lang.NoClassDefFoundError: org/enterprisepower/n
Caused by: java.lang.ClassNotFoundException:
.Forwarder at$ Source) at Method) at Source) at java.lang.ClassLoader.loadClass(Unknown Source) at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source) at java.lang.ClassLoader.loadClass(Unknown Source)
Could not find the main class: Program will exit.
Please can you help me debugging that.
thank in advance.

Anonymous said…
Hello. I am having the same difficulties. Exception in thread "main" java.lang.NoClassDefFoundError: org/enterprisepower/net/portforward/Forwarder
I would like to know if anyone was able to find the issue.

Popular posts from this blog

File Upload through Null Byte Injection

Sometimes, during file upload we come across situation wherein there would be check on the file extension at the client side as well as server side too. If the application does allow only .jpeg extension to be uploaded, the client side java script checks for the extension of the file before passing the request. We all know that how easily this can be defeated.
Some applications, checks for the extension at the server side also. That's not easy to bypass. However there are some ways with which it still can be bypassed. Most of server side scripts are written in high level languages such as Php, Java etc who still use some C/C++ libraries to read the file name and contents. That leads to the problem. In C/C++ a line ends with /00 or which is called Null Byte. So whenever the interpreter sees a null byte at the end of the a string, it stops reading thinking it has reached at the end of the string.
This can be used for the bypass. It works for many servers, specially php servers. Th…

SQL Injection in search field

Earlier I had written about performing SQL injection in search field and how to do a DoS attack and privilege escalation using 'Like' operators. Now another SQLi exploitation I came across recently. That too in the search field. This becomes important as lots of people don't pay much attention on the search forms/ fields in the application. My aim is to show that a search form can also be exploited with SQL Injection. The following queries are based on a real world exploitation. The steps and data are for just illustration purpose only. Suppose, the search form provides the details of users who have accessed the application some time and their login time details etc, we just need to provide their name in the search box provided. All the data were being going as Post request. So, to just fingerprint the database, I provide, 'nil'+'esh' in the search field and it successfully gives me the results. That means the database behind the application is concatenat…

Insecure protocols

Some basic insecure protocols and risk associated with them: