striptls: proxy poc implementation of STARTTLS stripping attacks

by do son · December 13, 2017

striptls – auditing proxy

proxy poc implementation of STARTTLS stripping attacks.

A generic tcp proxy implementation and audit tool to perform protocol independent ssl/tls interception and STARTTLSstripping attacks on SMTP, POP3, IMAP, FTP, NNTP, XMPP, ACAP and IRC.

🏆 Trophies

CVE-2016-0772 – python: smtplib
CVE-2016-10027 – Smack XMPP library

Vectors

GENERIC
Intercept – protocol independent ssl/tls interception. peeks for TLS Handshake, converts socket to tls (tls-to-tls proxy)
InboundIntercept – protocol independent ssl/tls interception for the inbound channel only (tls-to-plain proxy)
SMTP
SMTP.StripFromCapabilities – server response capability patch
SMTP.StripWithInvalidResponseCode – client STARTTLS stripping, invalid response code
SMTP.UntrustedIntercept – STARTTLS interception (client and server talking ssl) (requires server.pem in pwd)
SMTP.StripWithTemporaryError
SMTP.StripWithError
SMTP.ProtocolDowngradeStripExtendedMode
SMTP.InjectCommand
SMTP.InboundStarttlsProxy – (starttls-to-plain proxy)
POP3
POP3.StripFromCapabilities
POP3.StripWithError
POP3.UntrustedIntercept
IMAP
IMAP.StripFromCapabilities
IMAP.StripWithError
IMAP.UntrustedIntercept
IMAP.ProtocolDowngradeToV2
FTP
FTP.StripFromCapabilities
FTP.StripWithError
FTP.UntrustedIntercept
NNTP
NNTP.StripFromCapabilities
NNTP.StripWithError
NNTP.UntrustedIntercept
XMPP
XMPP.StripFromCapabilities
XMPP.StripInboundTLS
XMPP.UntrustedIntercept
ACAP (untested)
ACAP.StripFromCapabilities
ACAP.StripWithError
ACAP.UntrustedIntercept
IRC
IRC.StripFromCapabilities
IRC.StripWithError
IRC.UntrustedIntercept
IRC.StripWithNotRegistered
IRC.StripCAPWithNotregistered
IRC.StripWithSilentDrop

Download

git clone https://github.com/tintinweb/striptls.git
cd striptls
setup.py install

Usage

#> python -m striptls --help    # from pip/setup.py

#> python striptls --help       # from source / root folder

Usage: striptls.py [options]



       example: striptls.py --listen 0.0.0.0:25 --remote mail.server.tld:25





Options:

  -h, --help            show this help message and exit

  -q, --quiet           be quiet [default: True]

  -l LISTEN, --listen=LISTEN

                        listen ip:port [default: 0.0.0.0:<remote_port>]

  -r REMOTE, --remote=REMOTE

                        remote target ip:port to forward sessions to

  -k KEY, --key=KEY     SSL Certificate and Private key file to use, PEM

                        format assumed [default: server.pem]

  -s, --generic-ssl-intercept

                        dynamically intercept SSL/TLS

  -b BUFFER_SIZE, --bufsiz=BUFFER_SIZE

  -x VECTORS, --vectors=VECTORS

                        Comma separated list of vectors. Use 'ALL' (default)

                        to select all vectors, 'NONE' for tcp/ssl proxy mode.

                        Available vectors: ACAP.StripFromCapabilities,

                        ACAP.StripWithError, ACAP.UntrustedIntercept,

                        FTP.StripFromCapabilities, FTP.StripWithError,

                        FTP.UntrustedIntercept, GENERIC.Intercept,

                        IMAP.ProtocolDowngradeToV2,

                        IMAP.StripFromCapabilities, IMAP.StripWithError,

                        IMAP.UntrustedIntercept,

                        IRC.StripCAPWithNotRegistered,

                        IRC.StripFromCapabilities, IRC.StripWithError,

                        IRC.StripWithNotRegistered, IRC.StripWithSilentDrop,

                        IRC.UntrustedIntercept, NNTP.StripFromCapabilities,

                        NNTP.StripWithError, NNTP.UntrustedIntercept,

                        POP3.StripFromCapabilities, POP3.StripWithError,

                        POP3.UntrustedIntercept, SMTP.InboundStarttlsProxy,

                        SMTP.InjectCommand,

                        SMTP.ProtocolDowngradeStripExtendedMode,

                        SMTP.StripFromCapabilities, SMTP.StripWithError,

                        SMTP.StripWithInvalidResponseCode,

                        SMTP.StripWithTemporaryError, SMTP.UntrustedIntercept,

                        XMPP.StripFromCapabilities, XMPP.StripInboundTLS,

                        XMPP.UntrustedIntercept [default: ALL]

Example

                  inbound                    outbound

[inbound_peer]<------------->[listen:proxy]<------------->[outbound_peer/target]

  smtp-client                   striptls                    remote/target

local smtp-client -> localhost:8825 (proxy) -> mail.gmx.net:25

Generic SSL/TLS Interception

--generic-ssl-intercept is a global switch to enable generic ssl/tls handshake detection and session conversion. Can be combined with any mangle/vector.

GENERIC.Intercept is a mangle/vector implementation of the ssl/tls handshake detect and convert feature.

# python striptls.py -l 0.0.0.0:9999 -r mail.gmx.com:465 -x GENERIC.Intercept

Audit Mode

iterates all protocol specific cases on a per client basis and keeps track of clients violating the starttls protocol. Ctrl+C to abort audit and print results.