Setting up an SSL MITM attack

If we try to sniff on an HTTPS session using what we have seen so far, we won't be able to get very much from it as all communication is encrypted.

In order to intercept, read and alter SSL and TLS connections, we need to do a series of preparatory steps to set up our SSL proxy. SSLsplit works by using two certificates: one presented to the server, so that SSLsplit appears to be the client and can receive and decrypt the server's responses, and one presented to the client, so that SSLsplit appears to be the server. For this second certificate, if we are going to supplant a site which has its own domain name and whose certificate has been signed by a Certificate Authority (CA), we need a CA to issue a root certificate for us and, as we are acting as attackers, we need to set up that CA ourselves.

In this recipe, we will configure our own Certificate Authority and a few IP forwarding rules to carry out SSL Man In The Middle attacks.

How to do it...

  1. Firstly, we are going to create a CA private key on the Kali Linux computer, so issue the following command in a root terminal:
    openssl genrsa -out certauth.key 4096
    
  2. Now let's create a certificate signed with that key:
    openssl req -new -x509 -days 365 -key certauth.key -out ca.crt
    
  3. Fill out all the requested information (or just hit Enter for every field).
  4. Next, we need to enable IP forwarding to enable the system's routing functionality (to forward IP packets not meant for the local machine to the default gateway):
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
  5. Now we are going to configure some rules so that we don't forward everything. First, let's check whether there is anything in our iptables nat table:
    iptables -t nat -L
    
  6. If there is anything there, you may want to back it up because we are going to flush everything, as shown:
    iptables -t nat -L > iptables.nat.bkp.txt
    
  7. Now let's flush the table:
    iptables -t nat -F
    
  8. We then set up the prerouting rules:
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
    iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
    

Now we are ready to sniff encrypted connections.

How it works...

In this recipe, we configured our Kali machine to act as a CA, which meant it could sign (and thereby vouch for) the certificates that SSLsplit issues for each intercepted site; a client will only accept those certificates without warning if it trusts this CA. In the first two steps, we only created the private key and the CA certificate that will be used to sign those certificates.

Next, we established IP forwarding and its redirection rules. We first enabled the forwarding option and, after that, created iptables rules to redirect requests arriving on ports 80 and 443 (HTTP and HTTPS) to local ports 8080 and 8443. This was done so that the requests our MITM attack intercepts are handed to SSLsplit, which decrypts the received message with one certificate, processes it, and encrypts it with the other to send it on to its destination.
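The configuration built in steps 4 to 8 leaves a recognisable footprint on the host: IP forwarding switched on and PREROUTING rules that REDIRECT ports 80 and 443 to local proxy ports. The following audit script is an added example, not code from the book or from the SSLsplit project; it parses the output of `iptables -t nat -L -n` (the sample listing and the `ip_forward` value are constructed to mirror the state after step 8) and reports whether a machine shows that transparent-proxy footprint, which is what a defender would check on a suspect gateway or a workstation thought to be compromised.

```python
"""Audit a Linux host for the transparent-proxy footprint described in this recipe.

Added example (not from the book): parses `iptables -t nat -L -n` output and the
contents of /proc/sys/net/ipv4/ip_forward, and flags PREROUTING REDIRECT rules
that move HTTP/HTTPS (80/443) into other local ports while forwarding is enabled.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of `iptables -t nat -L -n` output as it would look after step 8.
SAMPLE_NAT_TABLE = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 8443

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
"""

# Constructed sample of /proc/sys/net/ipv4/ip_forward as it would read after step 4.
SAMPLE_IP_FORWARD = "1\n"


@dataclass(frozen=True)
class Redirect:
    chain: str     # iptables chain the rule lives in (e.g. PREROUTING)
    dport: int     # destination port matched by the rule
    to_port: int   # local port the traffic is redirected to


# Matches a tcp REDIRECT rule line from `iptables -t nat -L -n`.
REDIRECT_RE = re.compile(r"^REDIRECT\s+tcp\b.*\bdpt:(\d+)\b.*\bredir ports (\d+)")
CHAIN_RE = re.compile(r"^Chain (\S+)")


def parse_redirects(nat_listing: str) -> List[Redirect]:
    """Extract every tcp REDIRECT rule from a nat table listing, tagged with its chain."""
    chain = None
    found: List[Redirect] = []
    for line in nat_listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        m = REDIRECT_RE.match(line)
        if m and chain:
            found.append(Redirect(chain, int(m.group(1)), int(m.group(2))))
    return found


def ip_forward_enabled(proc_contents: str) -> bool:
    """True if /proc/sys/net/ipv4/ip_forward reads 1 (routing enabled)."""
    return proc_contents.strip() == "1"


def audit(nat_listing: str, ip_forward: str,
          watched_ports: Tuple[int, ...] = (80, 443)) -> Dict[str, object]:
    """Combine both checks; the footprint needs forwarding AND a web-port redirect."""
    suspicious = [
        r for r in parse_redirects(nat_listing)
        if r.chain == "PREROUTING" and r.dport in watched_ports and r.to_port != r.dport
    ]
    forwarding = ip_forward_enabled(ip_forward)
    return {
        "ip_forward": forwarding,
        "redirects": suspicious,
        "transparent_proxy_footprint": forwarding and bool(suspicious),
    }


def audit_live_host() -> Dict[str, object]:
    """Run the audit against the real system (Linux only; iptables needs root)."""
    import subprocess
    listing = subprocess.run(["iptables", "-t", "nat", "-L", "-n"],
                             capture_output=True, text=True, check=True).stdout
    with open("/proc/sys/net/ipv4/ip_forward") as fh:
        return audit(listing, fh.read())


if __name__ == "__main__":
    result = audit(SAMPLE_NAT_TABLE, SAMPLE_IP_FORWARD)
    print("ip_forward enabled:", result["ip_forward"])
    for r in result["redirects"]:
        print(f"{r.chain}: dport {r.dport} -> local port {r.to_port}")
    print("transparent proxy footprint:", result["transparent_proxy_footprint"])
```

Run it as-is to see the verdict on the constructed sample, or call `audit_live_host()` as root on a Linux box to check the real nat table. The `-n` flag matters: without it iptables prints service names (`dpt:http`) and `anywhere`, which the regex above does not expect.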

See also

You should read a little more about encryption certificates and SSL and TLS protocols, as well as about SSLsplit, which you can do here:
