Is SSLsplit the right tool to intercept and re-encrypt HTTPS traffic on a wifi router

httpsmitmproxyopenwrt

I'm looking to do vulnerability research on products running on a variety of devices by intercepting their HTTPS traffic, but I don't want to modify the devices aside from installing a custom cert.

It seems SSLsplit does what I want, as it allows for "connections [to be] transparently intercepted through a network address translation engine and redirected to SSLsplit". From what I understand, these NAT rules don't have to be defined on the device that is running the application being MITM-ed, and I can customize iptables to redirect router traffic through SSLsplit on a device running Fruity Wifi or OpenWRT.

Is SSLsplit with modified iptables rules sufficient and a reasonable way to go about this, or would I have to modify other parts of the Linux networking system, as well?

NOTE: The system I am trying to build requires devices to have a cert installed in the trusted root store to "opt in" to this interception. I am not trying to build a system to intercept arbitrary traffic from unwilling devices.

Best Answer

You have two parts here: SSLsplit, which acts as the web server that clients are connecting to, and NAT, which swaps out the destination addresses in packets to redirect them to the SSLsplit server.

NAT needs to be set up on the router that the client devices use, changing the destination address of the packets from the actual destination server to the SSLsplit server.

Then SSLsplit can pick up the connection and do its thing: connecting to the foreign host (available in the TLS handshake) and forwarding the response.

So, the only thing from a networking perspective is that you need to make sure clients receive network settings such that their default gateway points to the router doing the NAT.
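An added example, not part of the question or the answer, showing what the two parts look like on the router itself: the netfilter REDIRECT rules for traffic arriving from the LAN and the SSLsplit command line that consumes them. The interface name (br-lan), listen ports and CA paths are assumptions; it also covers plain HTTP on port 80 alongside HTTPS. The `-k`/`-c` options and the `https`/`http` proxyspec form are those of SSLsplit 0.5.x.

```shell
#!/bin/sh
# Added example: generate the REDIRECT rules and the SSLsplit invocation for an
# OpenWrt-style router that is both the clients' default gateway and the host
# running SSLsplit. All values below are constructed for this example.
LAN_IF="${LAN_IF:-br-lan}"
TLS_PORT="${TLS_PORT:-8443}"
HTTP_PORT="${HTTP_PORT:-8080}"
CA_DIR="${CA_DIR:-/etc/sslsplit}"

# Emit the iptables commands. PREROUTING only sees traffic arriving from the
# LAN, so SSLsplit's own upstream connections (locally generated, OUTPUT chain)
# are not looped back into the proxy.
sslsplit_nat_rules() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 443 -j REDIRECT --to-ports %s\n' "$LAN_IF" "$TLS_PORT"
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' "$LAN_IF" "$HTTP_PORT"
    # The router's INPUT chain must accept the redirected connections.
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -j ACCEPT\n' "$LAN_IF" "$TLS_PORT"
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -j ACCEPT\n' "$LAN_IF" "$HTTP_PORT"
}

# Emit the SSLsplit command. Its default netfilter NAT engine recovers the
# original destination with SO_ORIGINAL_DST, which works only because the
# REDIRECT happened on this same host. -k/-c are the CA key and certificate
# that the opted-in devices have installed as trusted; -D keeps it in the
# foreground, -l records one line per connection.
sslsplit_cmd() {
    printf 'sslsplit -D -l /tmp/sslsplit-connect.log -k %s/ca.key -c %s/ca.crt https 0.0.0.0 %s http 0.0.0.0 %s\n' \
        "$CA_DIR" "$CA_DIR" "$TLS_PORT" "$HTTP_PORT"
}

# Apply only when explicitly asked, so the script can be inspected or sourced.
if [ "${1:-}" = "apply" ]; then
    sslsplit_nat_rules | sh -e
    eval "$(sslsplit_cmd)"
fi
```

Run it with `apply` as root on the router; without that argument it only generates the commands. Devices that pin their server certificate instead of trusting the root store will fail the handshake rather than be intercepted, which is the boundary of the opt-in model described in the question.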