How to Create a Transparent SSL Forward Proxy using SSLsplit on CentOS 7.x to Capture/Sniff SSL packets

We are trying to do a packet capture of network traffic from a server, but cannot capture SSL/TLS traffic because it is encrypted. This tutorial shows how to install SSLsplit as a transparent SSL forward proxy to capture encrypted traffic, essentially creating a man-in-the-middle for troubleshooting/debugging. Keep in mind that this method doesn't work on all sites (for example, clients that pin their certificates will refuse the proxied connection), but it can be a useful tool on your networking tool belt.

Prerequisites

  • CentOS 7.x minimal install (note: CentOS 6.x is not supported for SSLsplit)
  • EPEL for CentOS 7
  • A Windows machine with Internet Explorer as the test client; other SSL initiators will work too

1. Download Latest Version of EPEL and install

  • We’re downloading our version from http://fedora-epel.mirror.iweb.com/7/x86_64/e/epel-release-7-5.noarch.rpm

# wget http://fedora-epel.mirror.iweb.com/7/x86_64/e/epel-release-7-5.noarch.rpm
# rpm -ivh epel-release-7-5.noarch.rpm

2. Install SSLsplit via yum

# yum install sslsplit -y

3. Generate SSLSplit Root CA Certificate

  • The following commands generate a 2048-bit RSA private key with OpenSSL (the command below asks for 4096 bits, which is also fine) and a self-signed CA certificate, valid for 365 days, from that key. Accept the defaults at the certificate prompts

# mkdir ~/sslsplit-keys
# openssl genrsa -out ~/sslsplit-keys/ca.key 4096
# openssl req -new -x509 -days 365 -key ~/sslsplit-keys/ca.key -out ~/sslsplit-keys/ca.crt
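As an added example (not part of the original post), the script below does step 3 without interactive prompts and then verifies the result before the certificate is trusted anywhere: the certificate must carry basicConstraints CA:TRUE (clients reject leaf certificates signed by a non-CA), its public key must match ca.key, and it must not be expired. The subject string and the directory argument are placeholders, and the script assumes openssl is on the PATH.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: create and verify the SSLsplit CA.
# Assumes openssl is on PATH. The subject below is a placeholder; change it to taste.
set -eu

# Generate the CA private key and a self-signed CA certificate without prompts.
# $1 = output directory, $2 = key size in bits (default 4096, as in the tutorial),
# $3 = validity in days (default 365)
make_sslsplit_ca() {
    local dir="$1" bits="${2:-4096}" days="${3:-365}"
    mkdir -p "$dir"
    chmod 700 "$dir"                 # whoever holds ca.key can mint certs for any site
    openssl genrsa -out "$dir/ca.key" "$bits" 2>/dev/null
    chmod 600 "$dir/ca.key"
    openssl req -new -x509 -days "$days" -key "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/C=XX/ST=Lab/L=Lab/O=SSLsplit Lab/OU=IT/CN=sslsplit-lab-ca"
}

# Return 0 only if the pair in $1 is usable as an SSLsplit CA:
#   - the certificate carries basicConstraints CA:TRUE
#   - the certificate's public key matches ca.key
#   - the certificate is not expired
verify_sslsplit_ca() {
    local dir="$1" text key_pub cert_pub
    text=$(openssl x509 -in "$dir/ca.crt" -noout -text)
    case "$text" in
        *"CA:TRUE"*) ;;
        *) echo "ca.crt is not a CA certificate" >&2; return 1 ;;
    esac
    # Both commands emit the SubjectPublicKeyInfo as PEM, so a byte comparison suffices.
    key_pub=$(openssl pkey -in "$dir/ca.key" -pubout)
    cert_pub=$(openssl x509 -in "$dir/ca.crt" -noout -pubkey)
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "ca.crt does not match ca.key" >&2
        return 1
    fi
    # -checkend 0 succeeds only if the certificate is still valid right now.
    openssl x509 -in "$dir/ca.crt" -noout -checkend 0 >/dev/null \
        || { echo "ca.crt is expired" >&2; return 1; }
}

# Usage: ./make-sslsplit-ca.sh ~/sslsplit-keys [bits] [days]
if [ $# -ge 1 ]; then
    make_sslsplit_ca "$1" "${2:-4096}" "${3:-365}"
    verify_sslsplit_ca "$1" && echo "CA in $1 verified"
fi
```

Run `verify_sslsplit_ca` again on any CA you copy from another machine; a key/certificate mismatch is the usual reason SSLsplit starts fine but every client handshake fails.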

4. Enable IP Forwarding in Linux

# sysctl -w net.ipv4.ip_forward=1

  • Make it permanent by adding the following line to /etc/sysctl.conf

net.ipv4.ip_forward = 1

5. Remove Firewalld and Replace with IPTables

  • For simplicity's sake, let's fall back to the original CentOS IPTables (stop firewalld as well, or reboot, so it releases the netfilter tables before iptables-services takes over). You may translate the following entries to firewalld if you are familiar with it

# systemctl disable firewalld
# yum install iptables-services
# touch /etc/sysconfig/iptables
# touch /etc/sysconfig/ip6tables
# systemctl start iptables
# systemctl start ip6tables
# systemctl enable iptables
# systemctl enable ip6tables

  • Redirect inbound HTTP and HTTPS (ports 80 and 443) to the SSLsplit listeners on 8080 and 8443, and open all four ports in IPTables, by issuing the following commands

# iptables -t nat -F
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
# iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
# iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
# iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
# iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
# service iptables save

  • Restart iptables

# service iptables restart

  • Check to see if IPTables is saved properly

# cat /etc/sysconfig/iptables

*nat
:PREROUTING ACCEPT [83:7548]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
# Completed on Tue Dec 30 13:21:19 2014
# Generated by iptables-save v1.4.21 on Tue Dec 30 13:21:19 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [49:4944]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
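As an added example (not from the original post), here is a pre-flight script that checks the host is set up the way steps 4 and 5 intend before SSLsplit is started: IP forwarding is on, the two REDIRECT rules and the two INPUT accepts are present in the ruleset, and the directory that step 6 hands to `sslsplit -S` exists. The check functions take their input as text so they can be run against a saved copy of /etc/sysconfig/iptables (a constructed sample is embedded); `--live` gathers the same data from the running system and needs root. The rule strings match what iptables-save writes on CentOS 7, as shown above.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: pre-flight checks for the SSLsplit host.
set -u

# The four rules the tutorial adds, exactly as iptables-save writes them on CentOS 7.
REQUIRED_RULES='-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT'

# $1 = iptables-save formatted text. Prints each required rule that is absent;
# the return value is the number of missing rules (0 = all present).
check_ruleset() {
    local rules="$1" missing=0 rule
    while IFS= read -r rule; do
        case "$rules" in
            *"$rule"*) ;;
            *) echo "missing: $rule"; missing=$((missing + 1)) ;;
        esac
    done <<EOF
$REQUIRED_RULES
EOF
    return "$missing"
}

# $1 = contents of /proc/sys/net/ipv4/ip_forward. Returns 0 when forwarding is on.
check_ip_forward() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Constructed sample of /etc/sysconfig/iptables after step 5 (not a real capture).
sample_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Live mode (root): the same checks against the running kernel and netfilter tables,
# plus the directory step 6 passes to sslsplit -S, which must exist before sslsplit starts.
run_live() {
    local rc=0
    check_ip_forward "$(cat /proc/sys/net/ipv4/ip_forward)" \
        || { echo "net.ipv4.ip_forward is 0"; rc=1; }
    check_ruleset "$(iptables-save)" || rc=1
    [ -d "$HOME/sslsplit-logs" ] \
        || { echo "missing $HOME/sslsplit-logs (needed for sslsplit -S)"; rc=1; }
    return "$rc"
}

if [ "${1:-}" = "--live" ]; then
    run_live && echo "host is ready for sslsplit"
else
    check_ruleset "$(sample_ruleset)" && echo "sample ruleset: all required rules present"
fi
```

If `check_ruleset` reports the REDIRECT rules missing after a reboot, `service iptables save` was not run before the restart, and the running table was flushed back to the saved file.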

6. Start SSLsplit

  • Create the log directory first (the directory given to -S must already exist), then execute the following to start SSLsplit.
  • Options: -D = debug mode (stays in the foreground and logs verbosely), -l = connection log file, -S = directory for the per-connection content logs, -k = CA private key, -c = CA certificate. The two trailing proxy specifications make SSLsplit terminate SSL on 0.0.0.0:8443 and pass plain TCP on 0.0.0.0:8080, matching the iptables redirects from step 5.

# sslsplit -D -l connections.log -S ~/sslsplit-logs/ -k ~/sslsplit-keys/ca.key -c ~/sslsplit-keys/ca.crt ssl 0.0.0.0 8443 tcp 0.0.0.0 8080
Generated RSA key for leaf certs.
SSLsplit 0.4.8 (built 2014-09-30)
Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>

http://www.roe.ch/SSLsplit

Features: -DDISABLE_SSLV2_SESSION_CACHE -DHAVE_NETFILTER
NAT engines: netfilter* tproxy
netfilter:  IP_TRANSPARENT SOL_IPV6 !IPV6_ORIGINAL_DST
compiled against OpenSSL 1.0.1e 11 Feb 2013 (1000105f)
rtlinked against OpenSSL 1.0.1e-fips 11 Feb 2013 (1000105f)
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
Using SSL_MODE_RELEASE_BUFFERS
Using direct access workaround when loading certs
SSL/TLS algorithm availability: RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.0.21-stable
rtlinked against libevent 2.0.21-stable
4 CPU cores detected
proxyspecs:
- [0.0.0.0]:8080 tcp plain netfilter
- [0.0.0.0]:8443 ssl plain netfilter
Loaded CA: '/C=CA/ST=ON/L=Toronto/O=Default Company Ltd/OU=IT'
Using libevent backend 'epoll'
Event base supports: edge yes, O(1) yes, anyfd no
Inserted events:
0x7f39155cd970 [fd 7] Read Persist
0x7f39155cdbd0 [fd 8] Read Persist
0x7f39155d0670 [fd 9] Read Persist
0x7f39155cd7a8 [fd 6] Read Persist
0x7f39155d0700 [fd 3] Signal Persist
0x7f39155d0940 [fd 1] Signal Persist
0x7f39155d0a70 [fd 2] Signal Persist
0x7f39155d0ba0 [fd 13] Signal Persist
Initialized 8 connection handling threads
Started 8 connection handling threads
Starting main event loop.

7. Install CA Certificate on Windows Machine

  • Import the ca.crt certificate created in step 3 into the Windows machine's Trusted Root Certification Authorities store. Remove it again once testing is done: while it is trusted, anyone holding ca.key can impersonate any HTTPS site to that machine.

8. Repoint Certain Domains With Windows Host Files

  • Edit the hosts file at c:\windows\system32\drivers\etc\hosts and point the domains whose SSL traffic you want to sniff at the SSLsplit server. For our example, we would like to sniff LinkedIn. Add the following to your hosts file:

# Change the IP address below to your SSLsplit server IP
192.168.0.50 yoursslsite.com

9. Use Internet Explorer to Test

  • Open Internet Explorer on the Windows machine and browse to the HTTPS site. The captured traffic is written to the ~/sslsplit-logs folder on the SSLsplit server, with the connection summary in connections.log
