StopTLS is a Man-in-the-Middle tool which performs opportunistic SSL/TLS stripping.
Currently it supports the following protocols: HTTP(S), SMTP, and IMAP.
It requires Python >= 3.5 (i.e. Python with support for async/await syntax), the aiohttp library, and the Beautiful Soup library for HTML parsing.
usage: main.py [--help] [-h [HTTP_PORT]] [-t [TCP_PORT]]
[-p {SMTP,IMAP} [{SMTP,IMAP} ...]]
MitM proxy which performs opportunistic SSL/TLS stripping
optional arguments:
--help show this help message and exit
-h [HTTP_PORT], --http [HTTP_PORT]
HTTP listen port [default: 10000]
-t [TCP_PORT], --tcp [TCP_PORT]
TCP listen port [default: 49151]
-p {SMTP,IMAP} [{SMTP,IMAP} ...], --tcp-protocols {SMTP,IMAP} [{SMTP,IMAP} ...]
supported TCP protocols
$ git clone https://github.com/mathewmarcus/bruteforce-gpg.git
$ pip install -r requirements.txt
Add rules to redirect and allow traffic to the ports specified by the -h [HTTP_PORT], --http [HTTP_PORT] and -t [TCP_PORT], --tcp [TCP_PORT] options.
stoptls is set up to handle HTTP traffic on one port, and all other TCP traffic on another, as indicated by the CLI options.
So, assuming the following stoptls invocation:
$ python main.py --http 8080 --tcp 8081 --tcp-protocols SMTP IMAP
iptables rules would then need to be added to the PREROUTING chain in the nat table and the INPUT chain in the filter table, as shown below:
$ sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
$ sudo iptables -t nat -A PREROUTING -p tcp --dport 25 -j REDIRECT --to-port 8081
$ sudo iptables -t nat -A PREROUTING -p tcp --dport 587 -j REDIRECT --to-port 8081
$ sudo iptables -t nat -A PREROUTING -p tcp --dport 143 -j REDIRECT --to-port 8081
Assuming a default DROP policy on the INPUT chain, add rules for the HTTP_PORT and/or TCP_PORT values specified earlier. So, for the above example:
sudo iptables -A INPUT -p tcp --dport 8080 -m conntrack --ctorigdstport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8081 -m conntrack --ctorigdstport 25 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8081 -m conntrack --ctorigdstport 587 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8081 -m conntrack --ctorigdstport 143 -j ACCEPT
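Why the --ctorigdstport option? It matches on the connection's original destination port, as it was before the REDIRECT rewrite, so only redirected traffic is accepted. This prevents the stoptls ports from being directly accessible (i.e. they will not appear in nmap scans).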
It should be noted that StopTLS is very much a work in progress, and is essentially a POC at this point. In fact, currently, it doesn't log anything, but simply strips and proxies the connections. Below is a non-exhaustive list of features to be added.
- Logging
- Advanced configuration via an INI file
- Custom log traffic filters for all protocols via config file directives and/or user-supplied callables (functions, methods, etc)
- Support for additional, user-supplied protocols, by subclassing the stoptls.base.Proxy and/or stoptls.tcp.base.TCPProxyConn abstract classes
- Support for more complex, non-standard HTTP login mechanisms
- Packaging and distribution via pip and the PyPI repository
- Integration testing with Docker
Why create yet another SSLstripping tool when...
- tools such as sslstrip and sslsplit already exist
- HTTP Strict Transport Security (HSTS) has significantly limited the effectiveness of sslstripping attacks.
There are several answers:
- I wanted to better understand the sslstripping attack vector.
- I wanted to implement an sslstripping proxy using Python3 native asynchronous support via asyncio, as opposed to an external library such as twisted.
- I wanted a tool which supported/could support any TCP protocol which uses opportunistic SSL/TLS, in addition to HTTP.
- I wanted a tool which was highly extensible and customizable.
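Opportunistic TLS on SMTP and IMAP depends on the server advertising STARTTLS in cleartext, so a client that carries on when the advertisement is missing can be downgraded silently. The following is an added example, not part of StopTLS: a fail-closed client-side check over the server's capability list. The function names and sample greetings are constructed for illustration.

```python
import re

# Constructed sample greetings (CRLF-terminated, as on the wire).
SMTP_OK = ("250-mail.example.test Hello\r\n250-SIZE 35882577\r\n"
           "250-STARTTLS\r\n250 HELP\r\n")
SMTP_NO_TLS = "250-mail.example.test Hello\r\n250-SIZE 35882577\r\n250 HELP\r\n"
IMAP_OK = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready\r\n"
IMAP_NO_TLS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN\r\na1 OK CAPABILITY completed\r\n"


class DowngradeSuspected(Exception):
    """The server's cleartext capability list does not offer STARTTLS."""


def smtp_capabilities(ehlo_reply):
    """Return the upper-cased EHLO keywords from a 250 reply (RFC 5321)."""
    caps = set()
    for line in ehlo_reply.strip().splitlines()[1:]:  # line 0 is the greeting
        m = re.match(r"250[- ](\S+)", line)
        if not m:
            raise ValueError("unexpected EHLO line: %r" % line)
        caps.add(m.group(1).upper())
    return caps


def imap_capabilities(response):
    """Return atoms from untagged '* CAPABILITY ..' / '* OK [CAPABILITY ..]'."""
    caps = set()
    for line in response.splitlines():
        m = re.search(r"\bCAPABILITY\s+([^\]]+)", line, re.IGNORECASE)
        if m and line.startswith("*"):  # ignore tagged completion lines
            caps.update(atom.upper() for atom in m.group(1).split())
    return caps


def require_starttls(protocol, server_text):
    """Fail closed: raise instead of continuing in cleartext."""
    parse = {"SMTP": smtp_capabilities, "IMAP": imap_capabilities}[protocol]
    if "STARTTLS" not in parse(server_text):
        raise DowngradeSuspected(protocol + ": STARTTLS not advertised")


def safe_to_proceed(protocol, server_text):
    """Boolean wrapper around require_starttls for callers that log and stop."""
    try:
        require_starttls(protocol, server_text)
        return True
    except DowngradeSuspected:
        return False
```

Mail clients usually expose this policy as a "require STARTTLS" setting; for server-to-server SMTP, MTA-STS (RFC 8461) plays the role that HSTS plays for HTTP.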