A tool from Moxie Marlinspike.

Also see SSLStrip.

Github repo: https://github.com/moxie0/sslsniff

Overview

sslsniff is slightly different from sslstrip. The intention of sslstrip is to turn HTTPS requests into HTTP requests, thereby forcing the sheep through an insecure connection. sslsniff is a tool focusing more on certificates.

sslsniff has two modes: authority mode, and targeted mode. In addition, it implements several attacks on Firefox auto-updates.

In authority mode, sslsniff acts as a certificate authority, using a custom certificate (or a self-signed, auto-generated certificate) to sign requests. This won't get you very far, since your certificate won't be trusted. This mode is also useful for exploiting improper implementation of BasicConstraints, which allows you to create a leaf node certificate in place of a CA certificate.

In targeted mode, sslsniff uses particular certificates for particular domains or sets of domains. This is intended for use when you have certificates that will only work for certain domains.

By taking over the Firefox auto-update process, you can install arbitrary binary blobs into the browser - keyloggers, certificate bundles, etc etc.

In Plain English

There is not an off-the-shelf attack to just automatically strip out SSL - modern sites and modern browsers are hip to that jive. You'll need to obtain a trusted certificate (ain't gonna happen) or you'll have to make your own. This tool allows you to explore the world of certificates, certificate authorities, and the many ways of tricking browsers into trusting and accepting your certificates.

Getting Help

Get some help:

sslsniff -h

Important Flags

Important flags:

• -a/-t - authority vs targeted mode

Required options:

• -c - file containing CA certificate or key (authority mode), or a directory with a collection of certificates (targeted mode)
• -s port - port to listen on for ssl interception
• -w file - file to log output to

Running in Authority Mode

To run in authority mode:

   sslsniff -a -s <$listenPort> -w <$logFile> -c <$caCert>

Running In Targeted Mode

To run sslsniff in targeted mode, pass the -t flag and tell it where to find the directory of certificates with -c. The null prefix certificates in the certs directory come with sslsniff, to use those add the flag -m IPSCACLASEA1.crt. There are no targeted certs that come with sslsniff. There is a universal wildcard certificate example.

    ./sslsniff -t -s <$listenPort> -w <$logFile> -m IPSCACLASEA1.crt \
      -c <$certDir>

Flags

monkey in the middle attacks in which an attacker tricks two parties into thinking they're communicating with each other, but both are communicating with the attacker. MITM Wireless Attacks: MITM/Wireless Wired Attacks: MITM/Wired Layer 1 and 2 MITM Attacks: MITM/Layer 1 and 2 Network Tap: MITM/Wired/Network Tap Evil Twin Attack: Evil Twin  · MITM/Evil Twin Layer 3 and 4 MITM Attacks: MITM/Layer 3 and 4 Traffic Sniffing: MITM/Sniffing ARP Poisoning: MITM/ARP Poisoning Traffic Injection/Modification: MITM/Traffic Injection DNS Attacks: MITM/DNS  · Bettercap/Failed DNS Spoofing Attack  · Bettercap/Failed DNS Spoofing Attack 2 DHCP Attacks: MITM/DHCP WPAD MITM Attack: MITM/WPAD Port Stealing: MITM/Port Stealing Rushing Attack: MITM/Rushing Attack Attacking HTTPS: MITM/HTTPS Layer 5 MITM Attacks: Session Hijacking: MITM/Session Hijacking Toolz: Ettercap  · Bettercap  · MITMf  · EvilFOCA Wireshark  · Aircrack Dsniff  · Arpspoof  · Dnsspoof SSLSniff  · SSLStrip  · Frankencert Driftnet  · Karma MITM Labs: {{MITMLabs}} Category:MITM  · Category:Attacks  · Category:Kali Attack Layers Template:MITMLabs  · Template:MITMFlag Flags  · Template:MITMFlag  · e