centos sslsplit traffic interception (simplified)
Unwrap SSL http(s) communications using sslsplit and hosts file; for development / niche purposes only.
Assumption / Optimizations:
- Full access to client (target) OS
- Dedicated CentOS 6 MitM VM
- Single target ip/domain/port you want to sniff traffic on
- Hosts file based interception
Fresh MitM VM
# prep server
yum install epel-release -y
# install tool
yum install sslsplit -y
# create a temporary custom Cert Authority
openssl genrsa -out /root/ca.key 4096
# default values of any name when prompted
openssl req -new -x509 -days 1826 -key /root/ca.key -out /root/ca.crt
# create directories
# 100 = port sslsniff should listen on
# target.domain.name = where sslsniff should send traffic
# 200 = port sslsniff should send traffic on target.domain.name
sslsplit -D -l /tmp/sslsplit/logs/connections.log -j /tmp/sslsplit/ -S /tmp/sslsplit/logs/ -k /root/ca.key -c /root/ca.crt ssl 0.0.0.0 100 target.domain.name 200
# 126.96.36.199 = the IP of your "Fresh MitM VM"
# target.domain = the FQDN your application is requesting
# add the line below
# install tool
yum install /usr/bin/c_rehash
# add our custom CA to keep the client happy
# add the contents of the ca.crt created on MitM
# should be a linked file like 8322c4ec.00 -> temporary.ca.pem
Test and Intercept
Other more comprehensive / complex / multi-platform / alternate method tutorials exist elsewhere.
- Execute the action on the client OS / visit the site you want to intercept.
- Check the output of sslsplit visible on the command line.
- See the decrypted conversation in files at /tmp/sslsplit/logs/