Obtaining SSL data with SSLsplit

In the previous recipe, we prepared our environment to attack an SSL/TLS connection; in this recipe, we will use SSLsplit to complement a MITM attack and extract information from an encrypted communication.

Getting ready

Before starting this recipe, we need an ARP spoofing attack running and to have successfully completed the previous recipe, Setting up an SSL MITM attack.

How to do it...

  1. Firstly, we need to create the directories in which SSLsplit is going to store the logs. To do that, open a terminal and create two directories, as shown:
    mkdir /tmp/sslsplit
    mkdir /tmp/sslsplit/logdir
    
  2. Now, let's start SSLsplit:
    sslsplit -D -l connections.log -j /tmp/sslsplit -S logdir -k certauth.key -c ca.crt ssl 0.0.0.0 8443 tcp 0.0.0.0 8080
    
  3. Now that SSLsplit is running and the MITM attack between the Windows client and the vulnerable_vm is in place, go to the client and browse to https://192.168.56.102/dvwa/.
  4. The browser may ask for confirmation, as our CA and certificate are not officially recognized by any web browser. Add the exception and continue.
  5. Now log in to DVWA using the admin user and password.
  6. Let's see what happened in SSLsplit by going to a new terminal and checking the contents of the logs in the directory we created for SSLsplit:
    ls /tmp/sslsplit/logdir/
    cat /tmp/sslsplit/logdir/*
    

Now, even though Ettercap and Wireshark see only encrypted data, SSLsplit lets us view the communication in clear text.

How it works...

In this recipe, we continued with the attack on an SSL connection. In the first step, we created the directories in which SSLsplit was going to save the information that was captured.

The second step was the execution of SSLsplit with the following options:

  • -D: This runs SSLsplit in the foreground, not as a daemon, and with verbose output.
  • -l connections.log: This saves a record of every connection attempt to the connections.log file in the current directory.
  • -j /tmp/sslsplit: This sets the jail directory that will contain SSLsplit's environment; SSLsplit runs chrooted to /tmp/sslsplit.
  • -S logdir: This tells SSLsplit to save the content log, that is, all the requests and responses, to logdir (inside the jail directory), writing each connection's data to a separate file.
  • -k and -c: These indicate the private key and the certificate SSLsplit uses when acting as a CA.
  • ssl 0.0.0.0 8443: This tells SSLsplit where to listen for HTTPS (or other encrypted protocol) connections; remember that this is the port we forwarded from 443 using iptables in the previous recipe.
  • tcp 0.0.0.0 8080: This tells SSLsplit where to listen for HTTP connections; remember that this is the port we forwarded from 80 using iptables in the previous recipe.

After executing the command, we waited for the client to browse to the server's HTTPS page and submit data, then we checked the log files to discover the unencrypted information.
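As an added example (not from the book or the SSLsplit project), the following Python script parses one raw HTTP request of the kind SSLsplit writes to its content log and reports which form fields and cookies were exposed, masking credential-like values so the audit report does not repeat the secret. The DVWA login request, host, cookie and field values are constructed sample data, and the list of sensitive field names is an assumed heuristic.

```python
import re
from urllib.parse import parse_qs

# Constructed sample of one request as SSLsplit writes it to the content log
# (-S logdir): the raw HTTP/1.1 request a client sent to DVWA's login page.
# Host, cookie and field values are assumed, not taken from a real capture.
SAMPLE_LOG = (
    "POST /dvwa/login.php HTTP/1.1\r\n"
    "Host: 192.168.56.102\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 44\r\n"
    "Cookie: PHPSESSID=examplesession; security=low\r\n"
    "\r\n"
    "username=admin&password=password&Login=Login"
)

# Field names whose values are masked in the report (assumed heuristic).
SENSITIVE = re.compile(r"pass|pwd|secret|token", re.IGNORECASE)

def parse_request(raw: str) -> dict:
    """Split one raw HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}

def exposed_fields(raw: str) -> dict:
    """Report what an interceptor holding a client-trusted CA sees in this request."""
    req = parse_request(raw)
    report = {"method": req["method"], "host": req["headers"].get("host", "?"),
              "path": req["path"], "form": {}, "cookies": []}
    ctype = req["headers"].get("content-type", "")
    if req["method"] == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        for name, values in parse_qs(req["body"], keep_blank_values=True).items():
            # Non-secret values are kept; secrets are reduced to their length only.
            report["form"][name] = "*" * len(values[0]) if SENSITIVE.search(name) else values[0]
    cookie = req["headers"].get("cookie")
    if cookie:
        # Cookie names alone are enough to show that the session token was exposed.
        report["cookies"] = [c.split("=", 1)[0].strip() for c in cookie.split(";")]
    return report

def audit_file(path: str) -> dict:
    """Run the report on one file from SSLsplit's content-log directory."""
    with open(path, encoding="utf-8", errors="replace", newline="") as fh:
        return exposed_fields(fh.read())
```

Running `exposed_fields(SAMPLE_LOG)` shows the username, the masked password and the PHPSESSID cookie name; `audit_file` can be pointed at the files under /tmp/sslsplit/logdir/ from step 6.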
