This tool was originally written to demonstrate and exploit IE’s vulnerability to a specific “basicConstraints” man-in-the-middle attack. While Microsoft has since fixed the vulnerability that allowed leaf certificates to act as signing certificates, this tool is still occasionally useful for other purposes.
It is designed to MITM all SSL connections on a LAN and dynamically generates certs for the domains that are being accessed on the fly. The new certificates are constructed in a certificate chain that is signed by any certificate that you provide.
For more information on these attacks, see the video from Defcon 17.
The three steps to get this running are:
- Install the sslsniff dependencies (openssl, libboost1.35-dev, libboost-filesystem1.35-dev, libboost-thread1.35-dev, liblog4cpp5-dev)
- Unpack sslsniff-0.7.tar.gz, run ‘./configure’, run ‘make’
sslsniff requires Linux 2.4/2.6, although it can easily be ported to other platforms.
- sslsniff can now be run in the old “authority” mode or the new “targeted” mode. You can specify a single cert to sign new certificates with, or you can specify a directory full of certificates to use for targeted attacks (these can be null-prefix or universal wildcard certificates).
- sslsniff can now also defeat OCSP, fingerprint clients to attack, and hijack auto-updates.
- See the README for more information on how to run sslsniff
Setting up iptables
- Flip your machine into ip_forward mode (echo 1 > /proc/sys/net/ipv4/ip_forward)
- Add a rule to intercept SSL traffic (iptables -t nat -A PREROUTING -p tcp –destination-port 443 -j REDIRECT –to-ports <$listenPort>)
- If you wish to fingerprint clients and only intercept some traffic based on client type, add a rule to intercept HTTP traffic (iptables -t nat -A PREROUTING -p tcp –destination-port 80 -j REDIRECT –to-ports <$httpListenPort>)
Assuming we want to intercept SSL traffic from 172.17.10.36, we need to trick that host into thinking that we’re the router. Using arpspoof, we can convince the target that the router’s MAC address is our MAC address.
- arpspoof -i eth0 -t 172.17.10.36 172.17.8.1