Remote Exploit Forums

  #1 (permalink)  
Old 10-19-2009, 09:21 PM
Nick_the_Greek's Avatar
Senior Member
 
Join Date: Jul 2009
Location: Greece
Posts: 177
Default sslsniff 0.6

For several days I have been trying to install and correctly use sslsniff v0.6. The best results that I got were from ntua.gr. Maybe it isn't the right way, but it's a way.

sslsniff v0.6 (with a small man page)
ftp.ntua.gr:/debian/pool/main/s/sslsniff/

And here are the dependencies:

1) http://ftp.ntua.gr/debian/pool/main/b/boost1.40/
libboost-filesystem1.40.0
libboost-system1.40.0
libboost-thread1.40.0

2) ftp.ntua.gr:/debian/pool/main/l/log4cpp/
liblog4cpp5

sslsniff's home page says that the following packages are needed:
openssl libboost1.35-dev libboost-filesystem1.35-dev libboost-thread1.35-dev liblog4cpp5-dev
When I installed boost1.35 from the BackTrack repository and then compiled and ran sslsniff, I always got an asio.hpp read 2 error, or something like that. As far as I understand, asio.hpp is a library from Boost. With boost1.40 and sslsniff from ntua.gr installed this problem is fixed, but others come up. I can run sslsniff (sort of) only in authority mode. Not 100% successfully, since I am using the wrong certificates and not a vulnerable browser. (I realized that today.) And as far as I know there is no boost1.40 package for Ubuntu, only for Debian.

Anyway. It would be very nice if we could use sslsniff in BackTrack 4.
__________________
The quieter you become....
  #2 (permalink)  
Old 10-19-2009, 10:51 PM
Member
 
Join Date: Oct 2008
Posts: 34
Default

Here is a quick guide to recompiling and installing .deb packages from non-BT distros: Simple Source Builds

The guide should be added to the official wiki when it comes back up.
  #3 (permalink)  
Old 10-20-2009, 02:22 PM
Nick_the_Greek's Avatar
Senior Member
 
Join Date: Jul 2009
Location: Greece
Posts: 177
Default

Thank you for your reply.

Maybe this is off topic, but you may also find it useful, since you are missing how to add PGP keys.

Quote:
Coming Soon: A sane way of adding the gpg key for the Debian Sid repository
Virchanza's how to:
Download stuff just once from apt-get (but install loads of times)

Maybe prowl3r's script (for Ubuntu) will help you finish your paper.

Nick
__________________
The quieter you become....
  #4 (permalink)  
Old 10-20-2009, 07:56 PM
Member
 
Join Date: Oct 2008
Posts: 34
Default

Thanks for the link. I will look into it; however, a tool is already provided for this (no script required). It's called `apt-key`. I just need to get around to learning how to use it.
  #5 (permalink)  
Old 10-29-2009, 02:53 PM
Just burned his ISO
 
Join Date: Oct 2009
Posts: 2
Default sslsniff-0.6 errors

Hi Nick,
I was hoping you could post your results here...have you in the meantime found any 100% solution to this problem?

I'm having a similar one:
a) download sslsniff-0.6
b) install dependencies: openssl, libboost1.35-dev, libboost-filesystem1.35-dev, libboost-thread1.35-dev, liblog4cpp5-dev

1) setting up iptables:
iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 10000
2) ip_forwarding mode setup:
echo 1 > /proc/sys/net/ipv4/ip_forward
3) run mitm:
ettercap -i eth0 -Tq -o -M arp:remote /"VICTIM IP ADDRESS"/ //
note: victim = my computer, on my local LAN
4) run sslsniff:
./sslsniff -t -s 10000 -w sslsniff.log -m IPSCACLASEA1.crt -c ./certs/

Everything works fine up to this point. If I try HTTPS from the victim computer, the following is logged in sslsniff.log:
1256822722 DEBUG sslsniff : Read error: asio.misc:2

I would most deeply appreciate any help...thanks in advance guys!
  #6 (permalink)  
Old 10-29-2009, 03:25 PM
Nick_the_Greek's Avatar
Senior Member
 
Join Date: Jul 2009
Location: Greece
Posts: 177
Default Please give us some attention

Quote:
Originally Posted by palko View Post
Hi Nick,
I was hoping you could post your results here...have you in the meantime found any 100% solution to this problem?
Well, I am glad that I am not the only one suffering.

No, palko. No progress here. Tried almost everything that my mind can think of. Tried Debian packages, compiled Boost myself, authority mode, targeted mode, IE 6, IE 7... Nothing.

Yesterday I sent an e-mail to the author of sslsniff about this. I am waiting for a response, but to be honest I am not expecting one. I am not a security analyst and my English is terrible.

Maybe it would be a good idea for you OR THE AUTHORS OF BT4 to also send an e-mail to find out what or how or if we can make sslsniff work.

Come on guys (authors), don't leave us suffering. We are two now. Me and palko.

Nick

BTW Welcome to the forums, palko
__________________
The quieter you become....
  #7 (permalink)  
Old 10-29-2009, 04:08 PM
Just burned his ISO
 
Join Date: Oct 2009
Posts: 2
Default sslsniff not working

Seems to me like the same problem:

Tried boost1.35, boost1.37, and even compiling boost1.40 myself, but still to no avail. (Honestly, I don't know if it's a Boost problem; I was just assuming this based on your post, but reading the log it seems just logical.)

Tried BT 8.10, tried it on Ubuntu 9.04... I'm a noob, don't know if it made any sense to try with 9.04, tried anyway.

If anybody was able to successfully run sslsniff, it would be helpful to post his configuration here, please.

@nick: don't know if trying various browsers could affect this, since, at least in my case, sslsniff does not intercept the communication, just redirects it further (like a proxy, not changing the traffic, not providing fake certs, no mitm...). I'll keep you updated if I find something out!

see you!
  #8 (permalink)  
Old 11-01-2009, 06:28 AM
Nick_the_Greek's Avatar
Senior Member
 
Join Date: Jul 2009
Location: Greece
Posts: 177
Default

Quote:
GIAC Certified Incident Handler
Practical Assignment v3

SSLSniff and IE’s Certification Chain Validation Vulnerability:

Decomposing an Insider Threat to a Sensitive Web Application
Download:
http://www.chipchilders.com/pubs/Chip_Childers_GCIH.pdf
__________________
The quieter you become....
  #9 (permalink)  
Old 11-03-2009, 02:17 PM
Jimmy Kane's Avatar
Junior Member
 
Join Date: May 2009
Posts: 11
Default ok i have done a lot of experimenting with it

OK, I have done a lot of experimenting with it. sslsniff doesn't work for me.
I have contacted the author but he was not very helpful.
So here are some replies from him (after I donated 5 e)...
These may come in helpful...

> How is the targeted mode and the authority mode used for sslsniff?

Authority mode will create a cert for the domain clients are trying to connect to on the fly and sign it with whatever certificate you specify with -c. So the certificate you specify needs to have basicConstraints: CA set to TRUE and it needs to be trusted by the client's browser as a signing certificate.

> What certs should I have in my certs folder?

If you are running in targeted mode, you need to have a valid leaf-node certificate in your "certs" directory for whatever domain the client is trying to connect to. If you're trying to intercept traffic to google, this means you need a cert with google in the CN, which is signed by a CA-cert.

And two certs for you guys:
1. Trusted - the one that is in the doc that Nick linked - for your appetites

2. Paypal
Good Luck!!!

Nick thanks

Last edited by Jimmy Kane; 11-03-2009 at 02:26 PM.
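
The requirement in the author's reply quoted in the post above (a signing certificate must carry basicConstraints CA:TRUE) is also the check a TLS client has to make on every issuer in a chain. The following is an added example, not part of the original thread or of sslsniff: it decodes the basicConstraints extension value and rejects a chain in which a leaf certificate was used as a signer. The certificate names and DER byte strings are constructed sample data, and only short-form DER lengths are handled.

```python
# Added example. Each certificate is modelled as (name, basicConstraints
# extnValue in DER, or None if the extension is absent). All names and byte
# strings are constructed sample data; only short-form DER lengths are handled.

def parse_basic_constraints(der):
    """Return (is_ca, path_len) for SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER OPTIONAL }. No extension means not a CA."""
    if der is None:
        return False, None
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("malformed basicConstraints")
    body, is_ca, path_len = der[2:], False, None
    while body:
        if len(body) < 2 or len(body) < 2 + body[1]:
            raise ValueError("truncated element")
        tag, length = body[0], body[1]
        value, body = body[2:2 + length], body[2 + length:]
        if tag == 0x01 and length == 1:      # BOOLEAN cA
            is_ca = value != b"\x00"
        elif tag == 0x02 and length >= 1:    # INTEGER pathLenConstraint
            path_len = int.from_bytes(value, "big")
        else:
            raise ValueError("unexpected element")
    return is_ca, path_len

def check_chain(chain):
    """chain is ordered leaf first, root last. Returns (ok, reason)."""
    for below, (name, bc) in enumerate(chain[1:]):
        # 'below' = number of intermediate certificates under this issuer
        is_ca, path_len = parse_basic_constraints(bc)
        if not is_ca:
            return False, f"{name} issued a certificate but is not a CA"
        if path_len is not None and below > path_len:
            return False, f"{name} exceeds pathLenConstraint={path_len}"
    return True, "ok"

CA_TRUE = bytes.fromhex("30030101ff")          # cA=TRUE
CA_PATH0 = bytes.fromhex("30060101ff020100")   # cA=TRUE, pathLen=0
NOT_CA = bytes.fromhex("3000")                 # empty SEQUENCE: cA defaults to FALSE

ROOT = ("Example Root", CA_TRUE)
ISSUING = ("Example Issuing CA", CA_PATH0)
GOOD = [("www.example.test", NOT_CA), ISSUING, ROOT]
# A leaf used as a signer, which is what a missing issuer check lets through.
LEAF_AS_SIGNER = [("login.example.test", None), ("www.example.test", NOT_CA), ISSUING, ROOT]

if __name__ == "__main__":
    for chain in (GOOD, LEAF_AS_SIGNER):
        print(chain[0][0], "->", check_chain(chain))
```

A client that skips the `is_ca` test accepts the second chain, because every signature in it can still verify.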
  #10 (permalink)  
Old 11-03-2009, 03:26 PM
Nick_the_Greek's Avatar
Senior Member
 
Join Date: Jul 2009
Location: Greece
Posts: 177
Default

Quote:
Originally Posted by Jimmy Kane View Post
ok i have done a lot of experimenting with it. Sslsniff doesn't work for me.
Jimmy Kane, I can proudly inform you that I got some (I say some) positive results with sslsniff. I can use it with an expired leaf certificate in authority mode only, and my client is using IE6. The client complains that the cert has expired, but if I change the date to a date on which the certificate was valid, then IE accepts the cert and I can capture data.

Stay tuned. I will do some further testing and very soon I will post how to install and use sslsniff.

Nick
__________________
The quieter you become....