sslsmurf 0.9.4 Capturing HTTPS traffic |
Tue May 18 16:33:31 CEST 2004
New and improved, version 0.9.4. Washes whiter than ever before!
sslsmurf is a piece of software that acts as an HTTP proxy. Requests and responses are captured and written to stdout. Sslsmurf also converts HTTP requests to HTTPS and is thereby capable of capturing the clear text traffic of SSL sites.
The current version has been written for (and was tested on) Linux, but I bet it is pretty portable. (For compilation under Cygwin, read what Felipe had to say).
Here, you can download:
Sslsmurf then waits for new connections on the local port (6066). Each incoming connection is captured (to standard out) and executed on the Internet or through the downstream proxy. If the request is for a host that is in the "hosts to be smurfed" list then the HTTP operation is executed through an SSL session. Because in this case the sslsmurf is the endpoint of the SSL connection the traffic can be captured in clear text. In order to make this work you have to set your browser to use the sslsmurf as the HTTP/HTTPS proxy.
In the following example I set up the sslsmurf to accept connections and to smurf all HTTP requests to www.rsa.com to HTTPS connections. The local browser has already been set up to use the sslsmurf and I connect to the Internet using downstream proxy "proxy2" on port 80:
$ ./sslsmurf -h www.rsa.com -P proxy2:80 This is the sslsmurf 0.9. (c) Copyright 2004 Jos Visser (a.k.a. muppet) <josv@osp.nl> Using downstream proxy proxy2:80 Waiting for new connection on port 6066... New connection accepted ======================================================================== Tue Feb 17 11:55:38 2004 ======================================================================== GET http://www.rsa.com/ HTTP/1.0 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */* Accept-Language: en-gb User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90) Host: www.rsa.com Proxy-Connection: Keep-Alive Connecting to proxy2(145.8.24.89):80 SSL socket info: --------------- Cipher used: RC4-MD5 Server certificate: Subject: /C=US/ST=Massachusetts/L=Bedford/O=RSA Security Inc./OU=Information Services/CN=www.rsasecurity.com Issuer: /O=RSA Security Inc./OU=KCA Services/CN=RSA Corporate Server CA/L=Bedford/ST=Massachusetts/C=US Block of 246 (0xf6) bytes going in: 00000000: 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D HTTP/1.1 200 OK. 00000010: 0A 53 65 72 76 65 72 3A 20 4D 69 63 72 6F 73 6F .Server: Microso 00000020: 66 74 2D 49 49 53 2F 35 2E 30 0D 0A 44 61 74 65 ft-IIS/5.0..Date 00000030: 3A 20 54 75 65 2C 20 31 37 20 46 65 62 20 32 30 : Tue, 17 Feb 20 00000040: 30 34 20 31 30 3A 35 30 3A 33 31 20 47 4D 54 0D 04 10:50:31 GMT. 00000050: 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 .Connection: Kee 00000060: 70 2D 41 6C 69 76 65 0D 0A 43 6F 6E 74 65 6E 74 p-Alive..Content 00000070: 2D 4C 65 6E 67 74 68 3A 20 31 32 32 32 33 0D 0A -Length: 12223.. 00000080: 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 65 Content-Type: te 00000090: 78 74 2F 68 74 6D 6C 0D 0A 53 65 74 2D 43 6F 6F xt/html..Set-Coo 000000A0: 6B 69 65 3A 20 41 53 50 53 45 53 53 49 4F 4E 49 kie: ASPSESSIONI 000000B0: 44 53 41 54 54 44 54 52 42 3D 44 4E 4A 43 4D 4B DSATTDTRB=DNJCMK 000000C0: 46 42 43 47 47 50 4D 48 49 47 4B 4E 48 41 41 43 FBCGGPMHIGKNHAAC 000000D0: 4A 43 3B 20 70 61 74 68 3D 2F 0D 0A 43 61 63 68 JC; path=/..Cach 000000E0: 65 2D 63 6F 6E 74 72 6F 6C 3A 20 70 72 69 76 61 e-control: priva 000000F0: 74 65 0D 0A 0D 0A te.... yada yada yada