From charlesreid1

Usage

Listening

To listen to traffic on an interface eth0 on port 443, run:

$ ssldump -i eth0 port 443

The last part of the command is an expression (see man pages for available expressions).

To listen to traffic from a particular host (the sheep), run:

$ ssldump -i eth0 port 443 and host 192.168.0.7

To tell ssldump to read from a file instead of a network device, use the -r option:

$ ssldump -r full_monty.pcap port 443 and host 192.168.0.7

Note that normally SSL sniffing would be done live, but this allows us to sniff HTTPS traffic and go back to decrypt it later. (For example, we could potentially sniff a bunch of HTTPS traffic from a target, then steal the private key, then go back through the archive and decrypt all of the traffic we had intercepted. HOOOOOOLY COW.)

Decrypting

To decrypt traffic from a particular host (the sheep), run:

$ ssldump -i eth0 -Ad -k ~/server.pem port 443 and host 192.168.0.7

Here, -A tells ssldump to print all record fields, -d tells it to display the application data (which, given the key, is decrypted to plain ASCII), and -k specifies the location of the server's private key file. The rest of the command is the filter expression selecting which traffic to look at. Note that decryption with -k only works for sessions that used RSA key exchange: with (EC)DHE cipher suites (forward secrecy) the server's private key alone does not recover the session keys, so ssldump will show the handshake but not the application data.

As with the capture syntax above, you can decrypt a previously captured pcap file containing HTTPS traffic by using the -r flag instead of -i:

$ ssldump -r full_monty.cap -Ad -k ~/server.pem port 443 and host 192.168.0.7
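The following shell function is an added example, not part of the original page or of the ssldump project: it assembles one of the invocations shown above from checked inputs (live interface or capture file, host, port, optional server key), so the -i/-r and -Ad -k flags are always combined the same way. It assumes ssldump is on PATH and that the key file is an unencrypted PEM private key; the function name and argument order are my own.

```shell
#!/bin/sh
# Added example (not from the original page): build an ssldump command line
# from a few validated inputs. Assumes ssldump is on PATH and the key file is
# an unencrypted PEM private key.

# build_ssldump_cmd SOURCE HOST PORT [KEYFILE]
#   SOURCE: an interface name (eth0) or a path to a capture file. A path that
#           exists as a regular file is read with -r; anything else is treated
#           as an interface and captured live with -i.
#   KEYFILE: when given, -Ad -k are added so application data is decrypted.
#   Prints the command instead of running it, so it can be inspected first.
build_ssldump_cmd() {
    source=$1; host=$2; port=$3; keyfile=$4

    # Reject obviously bad input up front rather than letting ssldump fail later.
    case $port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    case $host in
        '') echo "host is required" >&2; return 1 ;;
    esac

    if [ -f "$source" ]; then
        src_opt="-r $source"      # offline: read a previously captured pcap
    else
        src_opt="-i $source"      # live: listen on a network interface
    fi

    decrypt_opt=""
    if [ -n "$keyfile" ]; then
        # Decryption needs the server's private key; without it ssldump only
        # shows handshake metadata (and with (EC)DHE suites it cannot decrypt at all).
        [ -f "$keyfile" ] || { echo "key file not found: $keyfile" >&2; return 1; }
        decrypt_opt="-Ad -k $keyfile "
    fi

    # The trailing part is the filter expression, exactly as in the page's examples.
    printf 'ssldump %s %sport %s and host %s\n' "$src_opt" "$decrypt_opt" "$port" "$host"
}

# Usage (prints the command; pipe into sh to run it):
#   build_ssldump_cmd eth0 192.168.0.7 443 ~/server.pem
```

The function only prints the command line; running it with `build_ssldump_cmd ... | sh` keeps the decision to capture or decrypt explicit, which matters when the key file is a production server key that should not be touched casually.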

Links

Project page and download: http://ssldump.sourceforge.net/

Man page: http://ssldump.sourceforge.net/ssldump-man.html

Exporting certificates from browsers: https://www.identrust.com/irs/fatca/export_certificate.html

Flags