Category: Sniffing & Spoofing. Tags: ssl, tls, interception, mitm, decryption, network forensics, pentest

sslsplit

SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted network connections. It transparently intercepts connections, terminates SSL/TLS, and logs all transmitted data.

Description

SSLsplit is designed for transparent and scalable SSL/TLS interception. Connections are intercepted through a network address translation engine like netfilter and redirected to SSLsplit. The tool terminates the SSL/TLS connection and initiates a new one to the original destination, enabling logging of all data transmitted.

It is intended for network forensics and penetration testing. SSLsplit supports TLS Server Name Indication (SNI) and works with NAT engines such as netfilter and tproxy. For each intercepted connection it forges a leaf certificate signed by a CA key and cert you supply; clients only accept that certificate without error if the CA is present in their trust store, so deploying the CA to the clients under test is part of any interception setup.

The Kali build is compiled against OpenSSL with feature flags such as -DDISABLE_SSLV2_SESSION_CACHE and -DHAVE_NETFILTER, and depends on libevent, libnet, libpcap, and libssl.

How It Works

Connections are transparently redirected to sslsplit's listening port by a NAT engine (netfilter REDIRECT, or tproxy; the Kali build reports IP_TRANSPARENT and SOL_IPV6 support but no IPV6_ORIGINAL_DST for netfilter), and sslsplit queries that engine for the original destination. SSLsplit terminates the intercepted SSL/TLS connection, forges a leaf certificate for the requested host (taken from the SNI extension or the upstream server's certificate) and signs it with the supplied CA key and cert, using a pre-generated leaf key (-K) or one it generates itself, then opens a new SSL/TLS connection to the original destination. All data passing through is written to the connection log (-l) and optionally to per-connection content files (-S), and the process can be confined to a chroot jail (-j). Connections that cannot be split, such as servers requesting client-certificate authentication, are dropped unless passthrough (-P) is enabled.
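The procedure above, wired end to end on a Linux gateway, as an added example (not from the sslsplit project or the kali.org page): generate a throwaway CA, add netfilter REDIRECT rules for 443 and 80, and start sslsplit against them. The interface name eth0, the /tmp directories, the listener ports 8443/8080, and the DRY_RUN switch are this script's own assumptions, not anything sslsplit defines.

```shell
#!/bin/sh
# Added example, not part of sslsplit or the kali.org page.
# Assumed values: clients arrive on eth0, CA and logs live under /tmp,
# sslsplit listens on 8443 (TLS) and 8080 (plain TCP).
set -u

CA_DIR=${CA_DIR:-/tmp/sslsplit-ca}       # assumed CA location
LOG_DIR=${LOG_DIR:-/tmp/sslsplit-logs}   # assumed log location
IFACE=${IFACE:-eth0}                     # assumed client-facing interface
SSL_PORT=${SSL_PORT:-8443}
TCP_PORT=${TCP_PORT:-8080}
DRY_RUN=${DRY_RUN:-0}

# Print the command instead of executing it when DRY_RUN=1, so the
# firewall changes can be reviewed before they touch a live gateway.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Throwaway CA: sslsplit signs every forged leaf certificate with ca.key.
# Clients must import ca.crt into their trust store or every handshake fails.
gen_ca() {
    run mkdir -p "$CA_DIR"
    run openssl genrsa -out "$CA_DIR/ca.key" 2048
    run openssl req -new -x509 -days 30 -key "$CA_DIR/ca.key" \
        -subj "/CN=sslsplit test CA" -out "$CA_DIR/ca.crt"
}

# Make the box forward traffic and divert clients' 443/80 flows to sslsplit.
# REDIRECT keeps the original destination retrievable via SO_ORIGINAL_DST,
# which is what sslsplit's netfilter NAT engine uses to pick the upstream.
nat_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 443 \
        -j REDIRECT --to-ports "$SSL_PORT"
    run iptables -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$TCP_PORT"
}

# Remove the diversion again once the test is over.
nat_cleanup() {
    run iptables -t nat -D PREROUTING -i "$IFACE" -p tcp --dport 443 \
        -j REDIRECT --to-ports "$SSL_PORT"
    run iptables -t nat -D PREROUTING -i "$IFACE" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$TCP_PORT"
}

# Foreground sslsplit: TLS listener on SSL_PORT, plain TCP on TCP_PORT, netfilter
# lookups for the original destination. -P passes through connections that
# cannot be split (e.g. client-certificate auth) instead of dropping them.
run_sslsplit() {
    run mkdir -p "$LOG_DIR"
    run sslsplit -D -P -l "$LOG_DIR/connections.log" -S "$LOG_DIR" \
        -k "$CA_DIR/ca.key" -c "$CA_DIR/ca.crt" \
        ssl 0.0.0.0 "$SSL_PORT" tcp 0.0.0.0 "$TCP_PORT"
}

case "${1:-}" in
    setup)   gen_ca; nat_rules; run_sslsplit ;;
    cleanup) nat_cleanup ;;
    *)       echo "usage: $0 setup|cleanup  (DRY_RUN=1 prints commands instead)" ;;
esac
```

Run `DRY_RUN=1 sh intercept.sh setup` first to review the exact iptables and sslsplit invocations, then `sudo sh intercept.sh setup` on the gateway and `sudo sh intercept.sh cleanup` afterwards. Clients that pin certificates or ship their own trust store will still fail the handshake even with -P, since sslsplit cannot detect pinning; only servers that demand a client certificate are recognised as unsplittable and passed through.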

Installation

```bash
sudo apt install sslsplit
```

Flags

-D            Run in debug mode (stay in the foreground, log to stderr)
-l logfile    Log connections to logfile
-j jaildir    Chroot to jaildir
-S logdir     Log connection content to separate files in logdir
-k pemfile    Use CA key from pemfile to sign forged certs
-c pemfile    Use CA cert (and chain) from pemfile
-f conffile   Load configuration from conffile
-o opt=val    Override conffile option opt with value val
-C pemfile    Use CA chain from pemfile (intermediate and root CA certs)
-K pemfile    Use key from pemfile for leaf certs (default: generate)
-q crlurl     Use URL as CRL distribution point for all forged certs
-t certdir    Use cert+chain+key PEM files from certdir to target all sites whose name matches the included certificates

Examples

Run in debug mode, log connections to connections.log, chroot to /tmp/sslsplit/, write content files to /tmp/, sign forged certs with ca.key and ca.crt, intercept SSL/TLS on 0.0.0.0:8443 and plain TCP on 0.0.0.0:8080:
```bash
sslsplit -D -l connections.log -j /tmp/sslsplit/ -S /tmp/ -k ca.key -c ca.crt ssl 0.0.0.0 8443 tcp 0.0.0.0 8080
```
Use ca.key and ca.pem, pass through connections that cannot be split instead of dropping them (-P), intercept HTTPS on 127.0.0.1:8443 and [::1]:8443:
```bash
sslsplit -k ca.key -c ca.pem -P https 127.0.0.1 8443 https ::1 8443
```
Show usage help with all available flags:
```bash
sslsplit -h
```
Load configuration from conffile, intercept SSL/TLS on 0.0.0.0:8443 and plain TCP on 0.0.0.0:8080:
```bash
sslsplit -f conffile ssl 0.0.0.0 8443 tcp 0.0.0.0 8080
```
Override conffile option opt with val, use ca.key, intercept SSL/TLS on 0.0.0.0:8443:
```bash
sslsplit -o opt=val -k ca.key ssl 0.0.0.0 8443
```
Include the CA chain from ca-chain.pem in forged cert chains and sign with ca.key, intercept SSL/TLS on 0.0.0.0:8443:
```bash
sslsplit -C ca-chain.pem -k ca.key ssl 0.0.0.0 8443
```
Use leaf.key as the key for all forged leaf certs and ca.crt as the signing CA cert, intercept SSL/TLS on 0.0.0.0:8443:
```bash
sslsplit -K leaf.key -c ca.crt ssl 0.0.0.0 8443
```
Updated 2026-04-16 (source: kali.org)