SSLstrip – HTTPS Stripping Attack Tool

February 26, 2009 – 5:41 AM

This tool provides a demonstration of the HTTPS stripping attacks that was presented at Black Hat DC 2009. It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial.

To get this running:

  • Flip your machine into forwarding mode.
  • Setup iptables to redirect HTTP traffic to sslstrip.
  • Run sslstrip.
  • Run arpspoof to convince a network they should send their traffic to you.

That should do it.

How does this work?

First, arpspoof convinces a host that our MAC address is the router’s MAC address, and the target begins to send us all its network traffic. The kernel forwards everything along except for traffic destined to port 80, which it redirects to $listenPort (10000, for example).

At this point, sslstrip receives the traffic and does its magic.



  1. One Response to “SSLstrip – HTTPS Stripping Attack Tool”

  2. So basically the way this works is to set a cookie with the user’s IP address at the their session started. And you’re utilizing session variables to store another copy of that value on the server-side. When a user’s IP doesn’t match the one stored in the session variable, you then check the cookie value to see if it matches. If it matches, life goes on and in this manner you are able to support users behind dynamic/load balancing proxy systems.

    I admit, I have not been on this webpage in a long time… however it was another joy to see It is such an important topic and ignored by so many, even
    professionals. I thank you to help making people more aware of possible issues.
    Great stuff as usual…

    By ronnie on Apr 30, 2009

You must be logged in to post a comment.