SSLDump
From charlesreid1
Usage
Listening
To listen to traffic on interface eth0 on port 443, run:
ssldump -i eth0 port 443
The last part of the command is a capture filter expression in the same syntax tcpdump uses (see the pcap-filter man page for the available primitives); ssldump only decodes the packets that match it.
To listen to traffic from a particular host (the sheep), run:
ssldump -i eth0 port 443 and host 192.168.0.7
To tell ssldump to read from a file instead of a network device, use the -r option:
ssldump -r full_monty.pcap port 443 and host 192.168.0.7
Normally SSL sniffing is done live, but reading from a file lets you capture HTTPS traffic now and decrypt it later. For example, you could capture a target's HTTPS traffic, later obtain the server's private key, and then go back through the archive and decrypt everything you intercepted. The catch is that this only works for sessions that used RSA key exchange, where the client encrypts the pre-master secret to the server's public key; sessions negotiated with (EC)DHE cipher suites, and all TLS 1.3 sessions, derive their keys from an ephemeral exchange, so the server's private key is useless for decrypting them after the fact.
Decrypting
To decrypt traffic from a particular host (the sheep), run:
ssldump -i eth0 -Ad -k ~/server.pem port 443 and host 192.168.0.7
Here, -A prints all record fields rather than the default summary, -d displays the application data (which ssldump decrypts when the key is available), and -k specifies the server's private key file in PEM format (add -p password if the key is encrypted). The rest of the command is the capture filter. Decryption needs the complete handshake: if the capture starts mid-session, or the session resumed an earlier one whose handshake is not in the capture, there is nothing to decrypt, and as noted above the negotiated cipher suite must use RSA key exchange.
As with the listening syntax above, you can decrypt a previously captured pcap file containing HTTPS traffic by using the -r flag:
ssldump -r full_monty.pcap -Ad -k ~/server.pem port 443 and host 192.168.0.7
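Before spending time on a capture (or on obtaining a key), it is worth checking which key exchange each session negotiated, since that decides whether -k can do anything at all. The following Python script is an added example, not part of the ssldump project or of this page's original content: it parses a TLS ServerHello record and reports whether a static server RSA key would decrypt the session. The ServerHello records it processes are constructed inline rather than taken from a real capture, and the function names and the cipher-suite subset are the example's own.

```python
"""Decide from a TLS ServerHello whether ssldump -k <server key> can decrypt
the session. Only static RSA key exchange qualifies: the server's RSA key
decrypts the client's pre-master secret. (EC)DHE suites and TLS 1.3 are
forward secret. Added example; sample records are constructed, not captured."""
import struct

# Subset of IANA cipher-suite values. Key exchange is the part before "_WITH_".
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",   # TLS 1.3 only
    0x1302: "TLS_AES_256_GCM_SHA384",   # TLS 1.3 only
}

HANDSHAKE = 0x16
SERVER_HELLO = 0x02
EXT_SUPPORTED_VERSIONS = 0x002B


def parse_server_hello(record):
    """Parse one TLS record carrying a ServerHello; return (version, suite)."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                      # skip the 32-byte server random
    sid_len = hello[pos]
    pos += 1 + sid_len                # skip session id
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 3                          # cipher suite + compression method
    # TLS 1.3 keeps legacy_version 0x0303 and signals 0x0304 in supported_versions.
    if pos + 2 <= len(hello):
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        exts = hello[pos + 2:pos + 2 + ext_len]
        epos = 0
        while epos + 4 <= len(exts):
            etype, elen = struct.unpack("!HH", exts[epos:epos + 4])
            edata = exts[epos + 4:epos + 4 + elen]
            if etype == EXT_SUPPORTED_VERSIONS and len(edata) == 2:
                version = struct.unpack("!H", edata)[0]
            epos += 4 + elen
    return version, suite


def static_rsa_decryptable(version, suite):
    """True only when the server's RSA private key recovers the session keys."""
    if version >= 0x0304:
        return False                  # TLS 1.3 always uses an ephemeral exchange
    name = CIPHER_SUITES.get(suite)
    if name is None:
        return False                  # unknown suite: do not assume decryptable
    return name.split("_WITH_")[0] == "TLS_RSA"


def classify(record):
    """Human-readable verdict for one ServerHello record."""
    version, suite = parse_server_hello(record)
    name = CIPHER_SUITES.get(suite, "0x%04X" % suite)
    if static_rsa_decryptable(version, suite):
        return "%s: RSA key exchange, ssldump -k server.pem can decrypt" % name
    return "%s: forward-secret or unknown, server key does not decrypt" % name


def build_server_hello(suite, tls13=False):
    """Construct a minimal ServerHello record for demonstration (not real traffic)."""
    exts = b""
    if tls13:
        exts = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304)
    hello = struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"   # version, random, empty sid
    hello += struct.pack("!HB", suite, 0x00) + struct.pack("!H", len(exts)) + exts
    hs = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(hs)) + hs


if __name__ == "__main__":
    for suite, v13 in [(0x002F, False), (0xC02F, False), (0x1301, True)]:
        print(classify(build_server_hello(suite, v13)))
```

Against a real capture you would feed parse_server_hello the ServerHello payloads extracted from the pcap (for example with tshark or scapy). Any session reported as forward secret cannot be recovered with the server's certificate key; it would need key material exported from one of the endpoints instead.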
Links
Project page and download: http://ssldump.sourceforge.net/
Man page: http://ssldump.sourceforge.net/ssldump-man.html
Exporting certificates from browsers: https://www.identrust.com/irs/fatca/export_certificate.html