sslsniff(1) SSL/TLS man-in-the-middle attack tool


sslsniff [options]


This manual page documents briefly the sslsniff command.

sslsniff is designed to create man-in-the-middle (MITM) attacks for SSL/TLS connections, and dynamically generates certs for the domains that are being accessed on the fly. The new certificates are constructed in a certificate chain that is signed by any certificate that is provided.
sslsniff also supports other attacks like null-prefix or OCSP attacks to achieve silent interceptions of connections when possible.


Authority mode. Specify a certificate that will act as a CA.
Targeted mode. Specify a directory full of certificates to target.

Required options:
-c <file|directory>
File containing CA cert/key (authority mode) or directory containing a collection of certs/keys (targeted mode)
-s <port>
Port to listen on for SSL interception.
-w <file>
File to log to

Optional options:
-u <updateLocation>
Location of any Firefox XML update files.
-m <certificateChain>
Location of any intermediary certificates.
-h <port>
Port to listen on for HTTP interception (required for fingerprinting).
-f <ff,ie,safari,opera>
Only intercept requests from the specified browser(s).
Deny OCSP requests for our certificates.
Only log HTTP POSTs
-e <url>
Intercept Mozilla Addon Updates
-j <sha256>
The sha256sum value of the addon to inject


sslsniff works only on the FORWARD traffic (not on INPUT or OUTPUT).


To intercept traffic on port 8443, start sslsniff on a local port:
sslsniff -a -c /usr/share/sslsniff/certs/wildcard -s 4433 -w /tmp/sslsniff.log

and redirect traffic to this port using the iptables nat table:

iptables -t nat -A PREROUTING -p tcp --destination-port 8443 -j REDIRECT --to-ports 4433


sslsniff was written by Moxie Marlinspike.

This manual page was written by Pierre Chifflier <[email protected]>, for the Debian project (and may be used by others).