If we try to sniff on an HTTPS session using what we have seen so far, we won't be able to get very much from it as all communication is encrypted.
In order to intercept, read and alter SSL and TLS connections, we need to do a series of preparatory steps to set up our SSL proxy. SSLsplit works by using two certificates: one presented to the server so that SSLsplit looks like the client and can receive and decrypt server responses, and one presented to the client so that SSLsplit looks like the server. For this second certificate, if we are going to supplant a site that has its own domain name and whose certificates have been signed by a Certificate Authority (CA), we need a CA to issue that certificate for us and, as we are acting as attackers, we have to be that CA ourselves.
In this recipe, we will configure our own Certificate Authority and a few IP forwarding rules to carry out SSL Man In The Middle attacks.
openssl genrsa -out certauth.key 4096
openssl req -new -x509 -days 365 -key certauth.key -out ca.crt
echo 1 > /proc/sys/net/ipv4/ip_forward
Check the current nat table: iptables -t nat -L
iptables -t nat -L > iptables.nat.bkp.txt
iptables -t nat -F
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
Now we are ready to sniff encrypted connections.
In this recipe, we configured our Kali machine to act as a CA, which means it can sign the certificates that SSLsplit forges for each intercepted site. In the first two steps, we only created the CA's private key and its self-signed certificate, which will be used to sign those forged certificates.
Next, we established port forwarding and its rules. We first enabled the kernel's forwarding option and, after backing up and flushing the existing nat table, created iptables rules to redirect requests arriving on ports 80 and 443 (HTTP and HTTPS) to ports 8080 and 8443. This was done so that the requests our MITM attack intercepts reach SSLsplit, which can then decrypt the received message with one certificate, process it, and encrypt it with the other before sending it on to its destination.
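The same iptables footprint is what a defender looks for when auditing a gateway: REDIRECT or DNAT rules in the nat table that quietly divert port 80/443 traffic, combined with IP forwarding switched on. The following script is an added example, not code from the book or from SSLsplit; it parses a constructed sample of `iptables -t nat -L -n` output (the `-n` flag keeps addresses numeric) and reports any such diversions, so it can be run over a saved listing such as the iptables.nat.bkp.txt backup from the recipe.

```python
"""Audit an iptables nat listing for rules that divert web traffic.

Added example (not from the book). Parses the text format produced by
`iptables -t nat -L -n` and reports REDIRECT/DNAT rules that move TCP
port 80 or 443 traffic elsewhere, which is the footprint an interception
proxy leaves on a gateway.
"""
import re

# Constructed sample, modelled on `iptables -t nat -L -n` output after the
# recipe's PREROUTING rules have been added.
SAMPLE_LISTING = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 8443

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+)")
DPORT_RE = re.compile(r"dpt:(\d+)")
REDIR_RE = re.compile(r"redir ports (\d+)")   # REDIRECT target
TO_RE = re.compile(r"to:(\S+)")               # DNAT target
WEB_PORTS = {80, 443}


def find_web_diversions(listing):
    """Return one dict per REDIRECT/DNAT rule that acts on TCP port 80 or 443."""
    findings = []
    chain = None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)      # remember which chain the rule lives in
            continue
        fields = line.split()
        if not fields or fields[0] not in ("REDIRECT", "DNAT"):
            continue                # header lines, blank lines, other targets
        dport = DPORT_RE.search(line)
        if not dport or int(dport.group(1)) not in WEB_PORTS:
            continue
        target = REDIR_RE.search(line) or TO_RE.search(line)
        findings.append({
            "chain": chain,
            "action": fields[0],
            "dport": int(dport.group(1)),
            "to": target.group(1) if target else "?",
        })
    return findings


def audit(listing, ip_forward):
    """Combine nat findings with the ip_forward flag ("0"/"1") into a verdict."""
    diversions = find_web_diversions(listing)
    if diversions and ip_forward.strip() == "1":
        verdict = "forwarding gateway diverts web traffic"
    elif diversions:
        verdict = "web traffic diverted on this host"
    else:
        verdict = "clean"
    return verdict, diversions


if __name__ == "__main__":
    # On a live Linux host, replace the constructed inputs with
    # open("/proc/sys/net/ipv4/ip_forward").read() and the real listing.
    verdict, hits = audit(SAMPLE_LISTING, "1")
    print(verdict)
    for h in hits:
        print(f"  {h['chain']}: {h['action']} tcp/{h['dport']} -> {h['to']}")
```

On an unmodified host the PREROUTING chain is normally empty, so any hit here on a machine that is also forwarding traffic deserves a closer look; comparing the listing against a known-good backup such as the one the recipe saves is the quickest way to spot the change.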