Revision as of 07:02, 22 August 2016

A tool from Moxie Marlinspike.

Github repo: https://github.com/moxie0/sslsniff

Overview

sslsniff is slightly different from sslstrip. The intention of sslstrip is to turn HTTPS requests into HTTP requests, thereby forcing the sheep through an insecure connection. sslsniff is a tool focusing more on certificates.

sslsniff has two modes: authority mode, and targeted mode. In addition, it implements several attacks on Firefox auto-updates.

In authority mode, sslsniff acts as a certificate authority, using a custom certificate (or a self-signed, auto-generated certificate) to sign requests. This won't get you very far, since your certificate won't be trusted. This mode is also useful for exploiting improper implementation of BasicConstraints, which allows you to create a leaf node certificate in place of a CA certificate.

In targeted mode, sslsniff uses particular certificates for particular domains or sets of domains. This is intended for use when you have certificates that will only work for certain domains.

By taking over the Firefox auto-update process, you can install arbitrary binary blobs into the browser - keyloggers, certificate bundles, etc etc.

In Plain English

There is not an off-the-shelf attack to just automatically strip out SSL - modern sites and modern browsers are hip to that jive. You'll need to obtain a trusted certificate (ain't gonna happen) or you'll have to make your own. This tool allows you to explore the world of certificates, certificate authorities, and the many ways of tricking browsers into trusting and accepting your certificates.

Getting Help

Get some help:

sslsniff -h

Important Flags

Important flags:

-a/-t - authority vs targeted mode

Required options:

-c - file containing CA certificate or key (authority mode), or a directory with a collection of certificates (targeted mode)
-s port - port to listen on for ssl interception
-w file - file to log output to

Running in Authority Mode

To run in authority mode:

   sslsniff -a -s <$listenPort> -w <$logFile> -c <$caCert>

Running In Targeted Mode

To run sslsniff in targeted mode, pass the -t flag and tell it where to find the directory of certificates with -c. The null prefix certificates in the certs directory come with sslsniff, to use those add the flag -m IPSCACLASEA1.crt. There are no targeted certs that come with sslsniff. There is a universal wildcard certificate example.

    ./sslsniff -t -s <$listenPort> -w <$logFile> -m IPSCACLASEA1.crt \
      -c <$certDir>

Flags

@@ Line 47: / Line 47: @@
 ==Running In Targeted Mode==
-    In this mode, sslsniff is given a directory full of certificates, which it
+To run sslsniff in targeted mode, pass the -t flag and tell it where to find the directory of certificates with -c. The null prefix certificates in the certs directory come with sslsniff, to use those add the flag <code>-m IPSCACLASEA1.crt</code>. There are no targeted certs that come with sslsniff. There is a universal wildcard certificate example.
-    uses for targeted MITM attacks against the hosts those certificates are
-    signed for.  This mode is useful if you are able to forge specific
+<pre>
-    certificates, or if you have certificates that were obtained for the "null
+     ./sslsniff -t -s <$listenPort> -w <$logFile> -m IPSCACLASEA1.crt \
-    prefix" vulnerability that I published.  There are sample null prefix
+      -c <$certDir>
-    certificates in the "certs" directory that comes with sslsniff, but be
+</pre>
-    sure to specify "-m IPSCACLASEA1.crt" if you wish to use those. (Note:
-    the targeted certs have been removed for legal reasons, but the universal
-     wildcard cert remains)
 =Flags=
 {{MITMFlag}}

SSLSniff: Difference between revisions

From charlesreid1