3/17/09

sslsniff

This tool was originally written to demonstrate and exploit IE's vulnerability to a specific man-in-the-middle attack. Microsoft has since fixed the vulnerability that allowed leaf certificates to act as signing certificates, but the tool is still occasionally useful for other purposes. It is designed to MITM all SSL connections on a LAN, generating a certificate on the fly for each domain that is accessed. Each new certificate is placed in a certificate chain signed by whatever certificate you provide.

For a long time this remained useful in its original context with the default certificate that was provided: a certificate generated by an expired, non-signing certificate would trigger a click-through warning in some browsers that said the certificate in question was expired, but not that the whole certificate chain was invalid. These days some browsers, specifically Firefox 3, are more heavy-handed.
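To show why the trick described above fails under proper chain validation (a leaf certificate being used as a signing certificate), here is an added example in Go; it is not code from sslsniff or its author. It builds a constructed root, a legitimate leaf, and a certificate for a different hostname signed by that leaf, then compares a signature-only check against full path validation; the hostnames and serial numbers are constructed for the demo.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
func check(err error) { if err != nil { panic(err) } } // demo helper: abort on any error
// issue makes a P-256 key and a cert for cn signed by issuerKey (self-signed when issuer is
// nil). isCA sets basicConstraints cA, the flag that marks a cert as allowed to sign others.
func issue(serial int64, cn string, isCA bool, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if issuer == nil {
		issuer, issuerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}
// SignatureOnlyValid models the flawed check: the signature is verified, basicConstraints is not.
func SignatureOnlyValid(target, issuer *x509.Certificate) bool {
	return issuer.CheckSignature(target.SignatureAlgorithm, target.RawTBSCertificate, target.Signature) == nil
}
// PathValid runs full path validation, which rejects a chain passing through a non-CA cert.
func PathValid(target, issuer, root *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(issuer)
	_, err := target.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: target.DNSNames[0]})
	return err == nil
}
// Scenario: constructed root, a legitimate leaf, and a forged cert for another host signed by the leaf.
func Scenario() (legitOK, forgedSigOK, forgedPathOK bool) {
	root, rootKey := issue(1, "root-ca.example.test", true, nil, nil)
	leaf, leafKey := issue(2, "www.example.test", false, root, rootKey)
	forged, _ := issue(3, "bank.example.test", false, leaf, leafKey)
	return PathValid(leaf, root, root), SignatureOnlyValid(forged, leaf), PathValid(forged, leaf, root)
}
```

The forged certificate carries a perfectly good signature, so a validator that only checks signatures accepts it; path validation rejects it because the issuing certificate lacks the cA flag.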

It is useful for exploiting other vulnerabilities as well, some of which are public knowledge. This is the tool that the people who pulled the recent MD5 hash collision publicity stunt used to demonstrate MITM attacks with their rogue CA certificate.

The three steps to get this running are:
Download and run sslsniff-0.5.tar.gz
Set up iptables
Run arp-spoof
