SSLSniff :unlock:

- 1 min
research

Summary

Worked on a short research with SSL Sniff, a tool that exploits SSL, to see if it is still usable and whether if it could be used in a Network Security Class to provide better understanding of how vulnerable SSL could be and demonstrate Man-in-the-Middle Attack.

Markdown Image

Diagram showing how SSL Sniff Works

SSL Sniff

SSL Sniff is a tool developed by Moxie Marlinspike to demonstrate how vulnerable SSL System was around 10 years ago. It shows a great example of how a seemingly through security could be easily broken, mainly through unexpected components of the system. The video below is a great presentation given by Moxie Marlinespike on how it all works.

Research

Using the tool provided, we were able to demonstrate part of the process, successfully retrieving the username and the password of a user that was connected to the same network (This was on a private network)

Markdown Image

The tool running to get the Username and Password

This also worked as we were able to generate a certificate of the website the user was logging into on the fly, although as you can see, the “issued by” field is pretty obvious.

Markdown Image

Fake Certificate created for mobile.twitter.com

Documentation

The Documentation shows the step by step process of what we were able to get running

Related Posts

Daniel Choi

Daniel Choi

A developer who loves coffee

rss facebook twitter github gitlab youtube mail spotify lastfm instagram linkedin google google-plus pinterest medium vimeo stackoverflow reddit quora quora