Home Explore Help
Sign In
mmn
/
sslsniff
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
sslsniff
/
README

README 5.3 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137 
  1. sslsniff v0.8
    2. 

  2. Moxie Marlinspike <moxie@thoughtcrime.org>
    3. 

  3. ------------------------------------
    4. 

  4. 

  5. REQUIRES: openssl, libboost1.35-dev, libboost-filesystem1.35-dev, 
    6. 

  6.           libboost-thread1.35-dev, liblog4cpp5-dev, Linux 2.4/2.6 (or BSD)
    7. 

  7. 

  8. The three steps to get this running are:
    9. 

  9. 

  10.     * Download and run sslsniff-0.8.tar.gz
    11. 

  11.     * Setup iptables (or pf on BSD)
    12. 

  12.     * Run arpspoof (or whatever method you'd like to use to redirect traffic).
    13. 

  13. 

  14. Installing sslsniff
    15. 

  15. -------------------
    16. 

  16. 

  17.     * Unpack sslsniff-0.8.tar.gz, run "./configure" and "make". (You'll have
    18. 

  18.       to make some changes to build on BSD systems, see below under "Setting up 
    19. 

  19.       pf")
    20. 

  20.     * There are two ways to run this: in "authority" mode or "targeted" mode.
    21. 

  21. 

  22.     Authority Mode:
    23. 

  23. 

  24.     In this mode, sslsniff acts as if it is a CA which dynamically generates
    25. 

  25.     certificates on the fly.  If you were, for instance, able to obtain a CA
    26. 

  26.     certificate somehow, you could run it in this mode and it would dynamically
    27. 

  27.     create and sign new certificates for whatever site you're trying to connect
    28. 

  28.     to.
    29. 

  29. 

  30.     This mode is also useful for exploiting implementations that do not properly
    31. 

  31.     verify BasicConstraints, as any valid leaf node certificate could be used
    32. 

  32.     instead of a CA cert.
    33. 

  33. 

  34.     You would run sslsniff as: 
    35. 

  35.     ./sslsniff -a -s <$listenPort> -w <$logFile> -c <$caCert>
    36. 

  36. 

  37.     Targeted Mode:
    38. 

  38. 

  39.     In this mode, sslsniff is given a directory full of certificates, which it 
    40. 

  40.     uses for targeted MITM attacks against the hosts those certificates are 
    41. 

  41.     signed for.  This mode is useful if you are able to forge specific 
    42. 

  42.     certificates, or if you have certificates that were obtained for the "null 
    43. 

  43.     prefix" vulnerability that I published.  There are sample null prefix 
    44. 

  44.     certificates in the "certs" directory that comes with sslsniff, but be
    45. 

  45.     sure to specify "-m IPSCACLASEA1.crt" if you wish to use those. (Note:
    46. 

  46.     the targeted certs have been removed for legal reasons, but the universal
    47. 

  47.     wildcard cert remains)
    48. 

  48. 

  49.     You would run sslsniff as: 
    50. 

  50.     ./sslsniff -t -s <$listenPort> -w <$logFile> -m IPSCACLASEA1.crt \
    51. 

  51.       -c <$certDir>
    52. 

  52. 

  53.     Other options:
    54. 

  54.     
    55. 

  55.     * sslsniff can be configured to only attack certain clients.  In this case, 
    56. 

  56.       you need to specify -f <ff,ie,safari,opera> -h <$httpListenPort> 
    57. 

  57.     
    58. 

  58.     * sslsniff can be configured to deny OCSP requests from clients.  In this 
    59. 

  59.       case, you need to specify -d
    60. 

  60. 

  61.     * sslsniff can be configured to only log HTTP POSTS.  In this case, you 
    62. 

  62.       need to specify -p
    63. 

  63. 

  64.     * sslsniff can be configured to hijack Mozilla auto-updates.  In this case, 
    65. 

  65.       you need to specify -u <$updateXmlDir>, where $updateXmlDir contains the 
    66. 

  66.       XML files for whatever binaries you want to have sslsniff auto-update, 
    67. 

  67.       one for each platform.  There are sample XML files in the "update" 
    68. 

  68.       directory that comes with sslsniff.
    69. 

  69. 

  70.     * sslsniff can be configured to hijack Firefox/Thunderbird addon 
    71. 

  71.       auto-updates. In this case, you need to specify -e <url> -j <sha256sum> 
    72. 

  72.       where <url> is the URL where your custom addon is located, and <sha256sum> 
    73. 

  73.       is the sha256sum of that addon.
    74. 

  74. 

  75. 

  76. Setting up iptables
    77. 

  77. -------------------
    78. 

  78. 

  79.     * Flip your machine into ip_forward mode 
    80. 

  80.       (echo 1 > /proc/sys/net/ipv4/ip_forward)
    81. 

  81. 

  82.     * Add a rule to intercept HTTPS traffic 
    83. 

  83.       (iptables -t nat -A PREROUTING -p tcp --destination-port 443
    84. 

  84.        -j REDIRECT --to-ports <$listenPort>)
    85. 

  85. 

  86.     * If you're going to do client fingerprinting, add a rule to
    87. 

  87.       intercept HTTP traffic:
    88. 

  88.       (iptables -t nat -A PREROUTING -p tcp --destination-port 80
    89. 

  89.       -j REDIRECT --to-ports <$httpListenPort>)
    90. 

  90. 

  91.     * Add a rule to intercept imaps traffic:
    92. 

  92.       (iptables -t nat -A PREROUTING -p tcp --destination-port 993 \
    93. 

  93.        -j REDIRECT --to-ports <$listenPort>)
    94. 

  94. 

  95.     * Add a rule to intercept pop3s traffic:
    96. 

  96.       (iptables -t nat -A PREROUTING -p tcp --destination-port 995 \
    97. 

  97.        -j REDIRECT --to-ports <$listenPort>)
    98. 

  98. 

  99.     * Add a rule to intercept irc over ssl traffic:
    100. 

  100.       (iptables -t nat -A PREROUTING -p tcp --destination-port 6697 \
    101. 

  101.        -j REDIRECT --to-ports <$listenPort>)
    102. 

  102. 

  103. Setting up pf
    104. 

  104. -------------
    105. 

  105. 

  106. Basic support for pf is now included. Set up firewall rules similar to
    107. 

  107. those above, and change util/Destination.cpp by undefining HAVE_NETFILTER
    108. 

  108. and defining HAVE_PF at the top.
    109. 

  109. 

  110. 

  111. Running arpspoof
    112. 

  112. --------------------------
    113. 

  113. 

  114. Assuming we want to intercept SSL traffic from 172.17.10.36, we need to 
    115. 

  115. trick that host into thinking that we're the router.  Using arpspoof, we 
    116. 

  116. can convince the target that the router's MAC address is our MAC address.
    117. 

  117. 

  118.     * arpspoof -i eth0 -t 172.17.10.36 172.17.8.1
    119. 

  119. 

  120. At this point, any SSL traffic should get proxied by sslsniff and logged to 
    121. 

  121. a file.
    122. 

  122. 

  123. How does this work?
    124. 

  124. -------------------
    125. 

  125. 

  126. First, arpspoof convinces a host that our MAC address is the router's MAC 
    127. 

  127. address, and the target begins to send us all its network traffic.  The 
    128. 

  128. kernel forwards everything along except for traffic destined to port 443, 
    129. 

  129. which it redirects to $listenPort (10000, for example).
    130. 

  130. 

  131. At this point, sslsniff receives the client connection, makes a connection 
    132. 

  132. to the real SSL site, and looks at the information in its certificate.  
    133. 

  133. sslsniff then either sends a forged certificate if available 
    134. 

  134. (targeted certificate mode), or it dynamically forges a certificate and signs
    135. 

  135. it with your authoritative certificate (authority mode).
    136. 

  136. 

  137.