Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/mathewmarcus/stoptls
MitM proxy which performs opportunistic SSL/TLS stripping
https://github.com/mathewmarcus/stoptls
aiohttp asyncio man-in-the-middle python3 ssl tls
Last synced: 22 days ago
JSON representation
MitM proxy which performs opportunistic SSL/TLS stripping
- Host: GitHub
- URL: https://github.com/mathewmarcus/stoptls
- Owner: mathewmarcus
- Created: 2018-11-02T03:40:58.000Z (about 6 years ago)
- Default Branch: master
- Last Pushed: 2019-11-05T17:11:08.000Z (about 5 years ago)
- Last Synced: 2024-04-24T13:41:49.279Z (8 months ago)
- Topics: aiohttp, asyncio, man-in-the-middle, python3, ssl, tls
- Language: Python
- Homepage:
- Size: 58.6 KB
- Stars: 16
- Watchers: 2
- Forks: 4
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-network-stuff - **7**星
README
# StopTLS
StopTLS is a Man-in-the-Middle tool which performs opportunistic SSL/TLS stripping.
Currently it supports the following protocols: HTTP(S), SMTP, and IMAP
It requires Python >= 3.5 (i.e. Python with support for async/await syntax), the [aiohttp](https://aiohttp.readthedocs.io/en/stable/) library, and the [Beautiful Soup](https://www.crummy.com/software/BeautifulSoup/) library for HTML parsing.
## Usage
```
usage: main.py [--help] [-h [HTTP_PORT]] [-t [TCP_PORT]]
[-p {SMTP,IMAP} [{SMTP,IMAP} ...]]MitM proxy which performs opportunistic SSL/TLS stripping
optional arguments:
--help show this help message and exit
-h [HTTP_PORT], --http [HTTP_PORT]
HTTP listen port [default: 10000]
-t [TCP_PORT], --tcp [TCP_PORT]
TCP listen port [default: 49151]
-p {SMTP,IMAP} [{SMTP,IMAP} ...], --tcp-protocols {SMTP,IMAP} [{SMTP,IMAP} ...]
supported TCP protocols
```## Setup
### 1. Download
```bash
$ git clone https://github.com/mathewmarcus/bruteforce-gpg.git
```### 2. Install Dependencies
``` bash
$ pip install -r requirements.txt
```### 3. Add `iptables` rules
Add rules to redirect and allow traffic to the ports specified by the `-h [HTTP_PORT], --http [HTTP_PORT]` and `-t [TCP_PORT], --tcp [TCP_PORT]` options.`stoptls` is setup to handle HTTP traffic on one port, and all other TCP traffic on another, as indicated by the CLI options.
So, assuming the following `stoptls` invocation:
```bash
$ python main.py --http 8080 --tcp 8081 --tcp-protocols SMTP IMAP
````iptables` rules would then need to be added to the `PREROUTING` chain in the `nat` table and the `INPUT` chain in the `filter` table, as shown below:
#### `nat` table, `PREROUTING` chain
##### HTTP
```bash
$ sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
```##### SMTP
```bash
$ sudo iptables -t nat -A PREROUTING -p tcp --dport 25 -j REDIRECT --to-port 8081
$ sudo iptables -t nat -A PREROUTING -p tcp --dport 587 -j REDIRECT --to-port 8081
```##### IMAP
```bash
$ sudo iptables -t nat -A PREROUTING -p tcp --dport 143 -j REDIRECT --to-port 8081
```#### `filter` table, `INPUT` chain
Assuming a default `DROP` policy on this chain, add rules for the `HTTP_PORT` and/or `TCP_PORT`s specified earlier. So, for the above example:##### HTTP
```bash
sudo iptables -A INPUT -p tcp --dport 8080 -m conntrack --ctorigdstport 80 -j ACCEPT
```##### SMTP
```bash
sudo iptables -A INPUT -p tcp --dport 8081 -m conntrack --ctorigdstport 25 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8081 -m conntrack --ctorigdstport 587 -j ACCEPT
```##### IMAP
```bash
sudo iptables -A INPUT -p tcp --dport 8081 -m conntrack --ctorigdstport 143 -j ACCEPT
```Why the `--ctorigdstport` option? This prevents the `stoptls` ports from being directly accessible (i.e. they will not appear in `nmap` scans).
## TODO
It should be noted that `StopTLS` is very much a work in progress, and is essentially a POC at this point. In fact, currently, it doesn't log anything, but simply strips and proxies the connections. Below is a non-exhaustive list of features to be added.1. Logging
2. Advanced configuration via an INI file
3. Custom log traffic filters for all protocols via config file directives and/or user-supplied callables (functions, methods, etc)
4. Support for additional, user-supplied protocols, by subclassing `stoptls.base.Proxy` and/or `stoptls.tcp.base.TCPProxyConn` abstract classes
5. Support for more complex, non-standard HTTP login mechanisms
6. Packaging and distribution via `pip` and `PyPi` repository
7. Integration testing with Docker## Why?
Why create yet another SSLstripping tool when...
1. tools such as `sslstrip` and `sslsplit` already exist
2. HTTP Strict Transport Security (HSTS) has significantly limited the effectiveness of sslstripping attacks.There are several answers:
1. I wanted to better understand the sslstripping attack vector.
2. I wanted to implement an sslstripping proxy using Python3 native asychronous support via `asyncio`, as opposed to an external library such as `twisted`.
3. I wanted a tool which supported/could support any TCP protocol which uses opportunistic SSL/TLS, in addition to HTTP.
4. I wanted a tool which was highly extensible and customizable.