Sniffing & Spoofing
Tags: ssl, tls, mitm, interception, certificate, ca

sslsniff

sslsniff is an SSL/TLS man-in-the-middle attack tool that dynamically generates certificates for intercepted domains. It supports silent interceptions via attacks like null-prefix or OCSP.

Description

sslsniff creates man-in-the-middle (MITM) attacks for SSL/TLS connections by dynamically generating certificates for accessed domains on the fly. These certificates form a chain signed by a provided certificate, enabling interception of encrypted traffic.

The tool operates in authority mode with a CA certificate or targeted mode with a directory of certificates. It requires specifying a listening port for SSL interception and a log file. Additional features include HTTP interception for fingerprinting and browser-specific targeting.

Use cases include testing SSL/TLS security in controlled environments, demonstrating MITM vulnerabilities, and analyzing encrypted traffic with generated certificates. It also supports attacks like denying OCSP requests for silent interceptions.

How It Works

sslsniff performs MITM on SSL/TLS by acting as a proxy, dynamically constructing certificate chains signed by a user-provided CA or target certificates. In authority mode (-a), it uses a single CA cert/key; in targeted mode (-t), it selects from a directory of certs/keys. It listens on specified ports for SSL (-s) and optionally HTTP (-h) traffic, logs interceptions to a file (-w), and supports techniques like null-prefix or OCSP attacks (-d) for bypassing checks. Browser fingerprinting (-f) and addon injection (-j) enable targeted exploitation.
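
The null-prefix technique mentioned above depends on a certificate name that contains an embedded NUL byte, which a C-string comparison reads as ending at the NUL. The following client-side name check is an added example, not part of sslsniff or the original page; its function names and the `.test` hostnames are constructed for illustration, and it rejects any certificate carrying such a name before matching.

```python
# Added example: refuse certificate names with embedded NUL/control bytes
# before hostname matching. All names here are constructed sample data.
ALLOWED = frozenset(
    b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-.*")

def c_string_view(raw):
    """What a C-string based matcher sees: the bytes before the first NUL."""
    return raw.split(b"\x00", 1)[0]

def is_safe_dns_name(raw):
    """True only for non-empty names made of hostname characters."""
    return 0 < len(raw) <= 253 and all(b in ALLOWED for b in raw)

def _label_match(want, pattern):
    """Exact match, or a single left-most wildcard label (*.example.test)."""
    if pattern == want:
        return True
    if pattern.startswith(b"*."):
        head, _, rest = want.partition(b".")
        return bool(head) and rest == pattern[2:]
    return False

def match_hostname(expected, cert_names):
    """Return (matched, findings); one unsafe name fails the whole cert."""
    findings = [
        "rejected %r (C-string view: %r)" % (raw, c_string_view(raw))
        for raw in cert_names if not is_safe_dns_name(raw)
    ]
    if findings:
        return False, findings
    want = expected.lower().encode("ascii")
    return any(_label_match(want, n.lower()) for n in cert_names), findings

# Constructed certificate name lists (subject CN / SAN values as raw bytes).
SAMPLES = {
    "ordinary": [b"www.example.test"],
    "wildcard": [b"*.example.test"],
    "embedded_nul": [b"www.example.test\x00.other.test"],
}

if __name__ == "__main__":
    for label, names in SAMPLES.items():
        print(label, match_hostname("www.example.test", names))
```

Logging the findings list gives the detection side a record of which name was refused and what a truncating comparison would have seen.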

Installation

```bash
sudo apt install sslsniff
```

Flags

-a                            Authority mode. Specify a certificate that will act as a CA.
-t                            Targeted mode. Specify a directory full of certificates to target.
-c <file|directory>           File containing CA cert/key (authority mode) or directory containing a collection of certs/keys (targeted mode).
-s <port>                     Port to listen on for SSL interception.
-w <file>                     File to log to.
-u <updateLocation>           Location of any Firefox XML update files.
-m <certificateChain>         Location of any intermediary certificates.
-h <port>                     Port to listen on for HTTP interception (required for fingerprinting).
-f <ff,ie,safari,opera,ios>   Only intercept requests from the specified browser(s).
-d                            Deny OCSP requests for our certificates.
-p                            Only log HTTP POSTs.
-e <url>                      Intercept Mozilla Addon Updates.
-j <sha256>                   The sha256sum value of the addon to inject.

Examples

```bash
# Display help and usage information.
sslsniff -h

# Run in authority mode with CA cert, listen on port 443 for SSL, log to file.
sslsniff -a -c ca_cert.pem -s 443 -w /tmp/ssl.log

# Run in targeted mode with cert directory, listen on port 993, log output.
sslsniff -t -c /path/to/certs -s 993 -w capture.log

# Authority mode: intercept SSL on 443, HTTP on 80 for Firefox fingerprinting, log to file.
sslsniff -a -c ca.pem -s 443 -h 80 -w log.txt -f ff

# Targeted interception on 443, deny OCSP, log only HTTP POSTs.
sslsniff -t -c certs/ -s 443 -w output.log -d -p

# Authority mode with intermediary certs for IMAP over SSL.
sslsniff -a -c ca_chain.pem -s 993 -w imap.log -m intermediates.pem

# Targeted mode: intercept Mozilla addon updates during SSL traffic capture.
sslsniff -t -c certdir/ -s 443 -w log -e https://addons.mozilla.org
```
Updated 2026-04-16 | kali.org