In the previous recipe, we prepared our environment to attack an SSL/TLS connection; in this recipe, we will use SSLsplit to complement a MITM attack and extract information from an encrypted communication.
We need to have an ARP spoofing attack executing before we start this recipe and have successfully completed the previous recipe Setting up an SSL MITM attack.
mkdir /tmp/sslsplit
mkdir /tmp/sslsplit/logdir
sslsplit -D -l connections.log -j /tmp/sslsplit -S logdir -k certauth.key -c ca.crt ssl 0.0.0.0 8443 tcp 0.0.0.0 8080
https://192.168.56.102/dvwa/
ls /tmp/sslsplit/logdir/
cat /tmp/sslsplit/logdir/*
Now, even if Ettercap and Wireshark only see encrypted data, we can view the communication in clear text with SSLsplit.
In this recipe, we continued with the attack on an SSL connection. In the first step, we created the directories in which SSLsplit was going to save the information that was captured.
The second step was the execution of SSLsplit with the following options:
-D: This runs SSLsplit in the foreground, not as a daemon, and with verbose output.
-l connections.log: This saves a record of every connection attempt to the connections.log file in the current directory.
-j /tmp/sslsplit: This sets the jail directory that will contain SSLsplit's environment as root (chroot) to /tmp/sslsplit.
-S logdir: This tells SSLsplit to save the content log (all the requests and responses) to logdir, inside the jail directory, with the data of each connection in a separate file.
-k and -c: These indicate the private key and the certificate to be used by SSLsplit when acting as CA.
ssl 0.0.0.0 8443: This tells SSLsplit where to listen for HTTPS (or other encrypted protocol) connections; remember that this is the port we forwarded from 443 using iptables in the previous recipe.
tcp 0.0.0.0 8080: This tells SSLsplit where to listen for HTTP connections; remember that this is the port we forwarded from 80 using iptables in the previous recipe.

After executing the command, we waited for the client to browse to the server's HTTPS page and submit data, then we checked the log files to discover the unencrypted information.
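The reason SSLsplit can read the traffic is that it re-signs the server's certificate with the CA given by -k and -c, so the leaf certificate a client receives keeps the expected subject but carries a different issuer. A client that validates the chain against its trust store rejects that certificate unless the interception CA has been installed on it; a client that additionally checks the issuer or pins the leaf fingerprint notices the substitution even then. The following script is an added example written for this page, not code from the book or from the SSLsplit project. It works on the dictionary shape that Python's ssl.getpeercert() returns; the allowlisted issuer name, the sample certificates and the host address used in the demo are constructed values, not taken from any real deployment.

```python
import hashlib
import socket
import ssl
import sys

# Hypothetical allowlist of issuer commonNames the client expects to see.
TRUSTED_ISSUER_CNS = {"Example Trusted CA"}


def rdn_value(name_tuple, attribute):
    """Return `attribute` from an ssl.getpeercert()-style name tuple
    ((("commonName", "x"),), ...), or None if it is absent."""
    for rdn in name_tuple:
        for key, value in rdn:
            if key == attribute:
                return value
    return None


def issuer_is_trusted(cert, trusted_cns=TRUSTED_ISSUER_CNS):
    """True when the issuer commonName of the certificate dict is allowlisted."""
    return rdn_value(cert.get("issuer", ()), "commonName") in trusted_cns


def fingerprint_sha256(der_bytes):
    """Hex SHA-256 of the DER certificate, the value a pin would store."""
    return hashlib.sha256(der_bytes).hexdigest()


def evaluate_cert(cert, der=None, expected_fingerprint=None):
    """Return a list of findings for one leaf certificate; empty means clean."""
    findings = []
    if not issuer_is_trusted(cert):
        issuer_cn = rdn_value(cert.get("issuer", ()), "commonName")
        findings.append("issuer %r not in allowlist" % issuer_cn)
    if expected_fingerprint and der is not None:
        if fingerprint_sha256(der) != expected_fingerprint:
            findings.append("leaf fingerprint does not match pin")
    return findings


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Connect with normal chain verification and return (parsed cert, DER).
    Raises ssl.SSLCertVerificationError when the chain does not validate
    against the local trust store, which is already the outcome for a
    re-signed certificate unless the interception CA was installed here."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


def check_host(host, port=443, expected_fingerprint=None):
    """Live check: fetch the leaf certificate and evaluate it."""
    cert, der = fetch_peer_cert(host, port)
    return evaluate_cert(cert, der, expected_fingerprint)


# Constructed sample certificates in the shape ssl.getpeercert() returns.
LEGIT_CERT = {
    "subject": ((("commonName", "192.168.56.102"),),),
    "issuer": ((("commonName", "Example Trusted CA"),),),
}
# Same subject, but issued by a re-signing proxy's CA (constructed name).
FORGED_CERT = {
    "subject": ((("commonName", "192.168.56.102"),),),
    "issuer": ((("commonName", "Interception CA"),),),
}


if __name__ == "__main__":
    # Offline demonstration on the constructed certificates.
    for label, cert in (("legitimate", LEGIT_CERT), ("re-signed", FORGED_CERT)):
        print(label, evaluate_cert(cert) or "no findings")
    # Optional live check: python3 this_script.py host [port]
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        try:
            print(sys.argv[1], check_host(sys.argv[1], port) or "no findings")
        except ssl.SSLCertVerificationError as err:
            print("chain verification failed:", err)
```

The offline part flags the re-signed certificate because its issuer is not allowlisted; the live path keeps default chain verification on, so the check adds an issuer allowlist and an optional leaf pin on top of the trust-store validation rather than replacing it. Pinning the leaf fingerprint is the stronger of the two checks but requires updating the pin whenever the server's certificate is renewed.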