| Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 1 | Demonstrations of sslsniff.py |
| 2 | |
| 3 | |
| jeromemarchand | 8b17dc3 | 2018-08-04 07:09:36 +0200 | [diff] [blame] | 4 | This tool traces the write/send and read/recv functions of OpenSSL, |
| 5 | GnuTLS and NSS. Data passed to this functions is printed as plain |
| 6 | text. Useful, for example, to sniff HTTP before encrypted with SSL. |
| Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 7 | |
| 8 | |
| 9 | Output of tool executing in other shell "curl https://example.com" |
| 10 | |
| 11 | % sudo python sslsniff.py |
| 12 | FUNC TIME(s) COMM PID LEN |
| jeromemarchand | 8b17dc3 | 2018-08-04 07:09:36 +0200 | [diff] [blame] | 13 | WRITE/SEND 0.000000000 curl 12915 75 |
| Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 14 | ----- DATA ----- |
| 15 | GET / HTTP/1.1 |
| 16 | Host: example.com |
| 17 | User-Agent: curl/7.50.1 |
| 18 | Accept: */* |
| 19 | |
| 20 | |
| 21 | ----- END DATA ----- |
| 22 | |
| jeromemarchand | 8b17dc3 | 2018-08-04 07:09:36 +0200 | [diff] [blame] | 23 | READ/RECV 0.127144585 curl 12915 333 |
| Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 24 | ----- DATA ----- |
| 25 | HTTP/1.1 200 OK |
| 26 | Cache-Control: max-age=604800 |
| 27 | Content-Type: text/html |
| 28 | Date: Tue, 16 Aug 2016 15:42:12 GMT |
| 29 | Etag: "359670651+gzip+ident" |
| 30 | Expires: Tue, 23 Aug 2016 15:42:12 GMT |
| 31 | Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT |
| 32 | Server: ECS (iad/18CB) |
| 33 | Vary: Accept-Encoding |
| 34 | X-Cache: HIT |
| 35 | x-ec-custom-error: 1 |
| 36 | Content-Length: 1270 |
| 37 | |
| 38 | |
| 39 | ----- END DATA ----- |
| 40 | |
| jeromemarchand | 8b17dc3 | 2018-08-04 07:09:36 +0200 | [diff] [blame] | 41 | READ/RECV 0.129967972 curl 12915 1270 |
| Adrian Lopez | d496d5c | 2016-08-16 17:49:49 +0200 | [diff] [blame] | 42 | ----- DATA ----- |
| 43 | <!doctype html> |
| 44 | <html> |
| 45 | <head> |
| 46 | <title>Example Domain</title> |
| 47 | |
| 48 | <meta charset="utf-8" /> |
| 49 | <meta http-equiv="Content-type" content="text/html; charset=utf-8" /> |
| 50 | <meta name="viewport" content="width=device-width, initial-scale=1" /> |
| 51 | <style type="text/css"> |
| 52 | body { |
| 53 | background-color: #f0f0f2; |
| 54 | margin: 0; |
| 55 | padding: 0; |
| 56 | font-family: "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; |
| 57 | |
| 58 | } |
| 59 | div { |
| 60 | w |
| 61 | ----- END DATA (TRUNCATED, 798 bytes lost) ----- |
| Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 62 | |
| 63 | |
| 64 | |
| 65 | |
| 66 | USAGE message: |
| 67 | |
| jeromemarchand | 8b17dc3 | 2018-08-04 07:09:36 +0200 | [diff] [blame] | 68 | usage: sslsniff.py [-h] [-p PID] [-c COMM] [-o] [-g] [-n] [-d] |
| Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 69 | |
| 70 | Sniff SSL data |
| 71 | |
| 72 | optional arguments: |
| 73 | -h, --help show this help message and exit |
| 74 | -p PID, --pid PID sniff this PID only. |
| 75 | -c COMM, --comm COMM sniff only commands matching string. |
| 76 | -o, --no-openssl do not show OpenSSL calls. |
| 77 | -g, --no-gnutls do not show GnuTLS calls. |
| jeromemarchand | 8b17dc3 | 2018-08-04 07:09:36 +0200 | [diff] [blame] | 78 | -n, --no-nss do not show NSS calls. |
| Adrian Lopez | d9cc3de | 2016-08-17 14:08:08 +0200 | [diff] [blame] | 79 | -d, --debug debug mode. |
| 80 | |
| 81 | examples: |
| 82 | ./sslsniff # sniff OpenSSL and GnuTLS functions |
| 83 | ./sslsniff -p 181 # sniff PID 181 only |
| 84 | ./sslsniff -c curl # sniff curl command only |
| 85 | ./sslsniff --no-openssl # don't show OpenSSL calls |
| 86 | ./sslsniff --no-gnutls # don't show GnuTLS calls |
| jeromemarchand | 8b17dc3 | 2018-08-04 07:09:36 +0200 | [diff] [blame] | 87 | ./sslsniff --no-nss # don't show NSS calls |