SSLSniff
From charlesreid1
A tool from Moxie Marlinspike.
Also see SSLStrip.
Github repo: https://github.com/moxie0/sslsniff
Overview
sslsniff is slightly different from sslstrip. The intention of sslstrip is to turn HTTPS requests into HTTP requests, thereby forcing the sheep through an insecure connection. sslsniff is a tool focusing more on certificates.
sslsniff has two modes: authority mode, and targeted mode. In addition, it implements several attacks on Firefox auto-updates.
In authority mode, sslsniff acts as a certificate authority, using a custom certificate (or a self-signed, auto-generated certificate) to sign requests. This won't get you very far, since your certificate won't be trusted. This mode is also useful for exploiting improper implementation of BasicConstraints, which allows you to create a leaf node certificate in place of a CA certificate.
In targeted mode, sslsniff uses particular certificates for particular domains or sets of domains. This is intended for use when you have certificates that will only work for certain domains.
By taking over the Firefox auto-update process, you can install arbitrary binary blobs into the browser - keyloggers, certificate bundles, etc etc.
In Plain English
There is not an off-the-shelf attack to just automatically strip out SSL - modern sites and modern browsers are hip to that jive. You'll need to obtain a trusted certificate (ain't gonna happen) or you'll have to make your own. This tool allows you to explore the world of certificates, certificate authorities, and the many ways of tricking browsers into trusting and accepting your certificates.
Getting Help
Get some help:
sslsniff -h
Important Flags
Important flags:
-a/-t- authority vs targeted mode
Required options:
- -c - file containing CA certificate or key (authority mode), or a directory with a collection of certificates (targeted mode)
- -s port - port to listen on for ssl interception
- -w file - file to log output to
Running in Authority Mode
To run in authority mode:
You would run sslsniff as: ./sslsniff -a -s <$listenPort> -w <$logFile> -c <$caCert>
Targeted Mode:
In this mode, sslsniff is given a directory full of certificates, which it uses for targeted MITM attacks against the hosts those certificates are signed for. This mode is useful if you are able to forge specific certificates, or if you have certificates that were obtained for the "null prefix" vulnerability that I published. There are sample null prefix certificates in the "certs" directory that comes with sslsniff, but be sure to specify "-m IPSCACLASEA1.crt" if you wish to use those. (Note: the targeted certs have been removed for legal reasons, but the universal wildcard cert remains)
Flags
 |
monkey in the middle attacks in which an attacker tricks two parties into thinking they're communicating with each other, but both are communicating with the attacker.
Wireless Attacks: MITM/Wireless Wired Attacks: MITM/Wired
Layer 1 and 2 MITM Attacks: Network Tap: MITM/Wired/Network Tap Evil Twin Attack: Evil Twin · MITM/Evil Twin
Layer 3 and 4 MITM Attacks:
ARP Poisoning: MITM/ARP Poisoning Traffic Injection/Modification: MITM/Traffic Injection DNS Attacks: MITM/DNS · Bettercap/Failed DNS Spoofing Attack · Bettercap/Failed DNS Spoofing Attack 2 DHCP Attacks: MITM/DHCP WPAD MITM Attack: MITM/WPAD Port Stealing: MITM/Port Stealing Rushing Attack: MITM/Rushing Attack Attacking HTTPS: MITM/HTTPS
Session Hijacking: MITM/Session Hijacking
Toolz:
SSLSniff · SSLStrip · Frankencert
MITM Labs: {{MITMLabs}}
Category:MITM · Category:Attacks · Category:Kali Attack Layers Template:MITMLabs · Template:MITMFlag Flags · Template:MITMFlag · e |