SSLSniff: Difference between revisions
From charlesreid1
Revision as of 06:43, 22 August 2016
A tool from Moxie Marlinspike.
Also see SSLStrip.
Github repo: https://github.com/moxie0/sslsniff
Overview
sslsniff is slightly different from sslstrip. The intention of sslstrip is to turn HTTPS requests into HTTP requests, thereby forcing the sheep through an insecure connection. sslsniff is a tool focusing more on certificates.
sslsniff has two modes: authority mode, and targeted mode. In addition, it implements several attacks on Firefox auto-updates.
In authority mode, sslsniff acts as a certificate authority, using a custom certificate (or a self-signed, auto-generated certificate) to sign requests. On its own this won't get you very far, since clients won't trust your certificate. The mode is also useful for exploiting an improper implementation of BasicConstraints in the client, which lets a leaf certificate (one not flagged as a CA) be used in place of a CA certificate.
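The BasicConstraints check is what a correct client does that the mode above relies on it skipping. The following is an added example, not code from sslsniff or its author: it builds a constructed root CA, a legitimate server leaf, and a second leaf signed by that first leaf, then asks Go's standard X.509 validator whether each chain is acceptable. The names "Trusted Root CA", "www.example.com" and "bank.example" are made up for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a certificate for name, signed by parent (self-signed when parent is nil); isCA sets the BasicConstraints CA flag, the one field separating a CA from a leaf.
func mkCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name}, // constructed demo name
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if !isCA { // a server leaf: bound to one hostname, usable for TLS server auth only
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// chainAccepted reports whether a client trusting only root accepts leaf for host when the
// server also presents mid; a correct validator refuses a chain whose mid is not a CA.
func chainAccepted(root, mid, leaf *x509.Certificate, host string) bool {
	roots, mids := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	mids.AddCert(mid)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: mids, DNSName: host})
	return err == nil
}
func main() {
	root, rootKey := mkCert("Trusted Root CA", true, nil, nil)
	site, siteKey := mkCert("www.example.com", false, root, rootKey) // legitimate leaf
	rogue, _ := mkCert("bank.example", false, site, siteKey)         // leaf signed by a leaf
	fmt.Println(chainAccepted(root, site, site, "www.example.com"), chainAccepted(root, site, rogue, "bank.example")) // true false
}
```

A client that ignores BasicConstraints would accept the second chain as well; the difference between the two results is exactly the check sslsniff's authority mode needs the victim client to lack.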
In targeted mode, sslsniff uses particular certificates for particular domains or sets of domains. This is intended for use when you have certificates that will only work for certain domains.
By taking over the Firefox auto-update process, you can install arbitrary binary blobs into the browser: keyloggers, certificate bundles, and so on.
In Plain English
There is not an off-the-shelf attack to just automatically strip out SSL - modern sites and modern browsers are hip to that jive. You'll need to obtain a trusted certificate (ain't gonna happen) or you'll have to make your own. This tool allows you to explore the world of certificates, certificate authorities, and the many ways of tricking browsers into trusting and accepting your certificates.
Getting Help
Get some help:
sslsniff -h
Important Flags
Important flags:
- -a / -t - authority mode or targeted mode
Required options:
- -c - file containing CA certificate or key (authority mode), or a directory with a collection of certificates (targeted mode)
- -s port - port to listen on for ssl interception
- -w file - file to log output to
Running in Authority Mode
To run in authority mode:
sslsniff -a -s <$listenPort> -w <$logFile> -c <$caCert>
Running In Targeted Mode
In this mode, sslsniff is given a directory full of certificates, which it uses for targeted MITM attacks against the hosts those certificates are signed for. This mode is useful if you are able to forge specific certificates, or if you have certificates that were obtained for the "null prefix" vulnerability that I published. There are sample null prefix certificates in the "certs" directory that comes with sslsniff, but be sure to specify "-m IPSCACLASEA1.crt" if you wish to use those. (Note: the targeted certs have been removed for legal reasons, but the universal wildcard cert remains)