- 1 What is stunnel
- 2 stunnel Server: Command and Control Server
- 3 stunnel Client: Raspberry Pi
- 4 Test It Out
- 5 Reverse SSH Stunnel
What is stunnel
Nominally, stunnel provides SSL encryption and decryption, which provides services not capable of SSL to communicate securely using SSL. (Example: if a mail server listens for unencrypted mail traffic on port 25, and clients send encrypted mail traffic on port 465, stunnel listens on port 465, passes traffic through stunnel to decrypt it, and then passes it to local port 25.
But this can also be used to wrap arbitrary traffic in SSL. In the case of reverse SSH, this provides a way to "wrap" SSH connections in an SSL layer, to make it through the firewall and past intrusion detection systems.
See also RaspberryPi/Reverse SSH
Our stunnel setup will be as follows
The stunnel client will be our Raspberry Pi.
The stunnel server will be our command and control server.
stunnel Server: Command and Control Server
Start by installing stunnel:
$ apt-get install -y stunnel4
Generate Private Keys and Certificates for SSL
Now you need to generate private keys, so that stunnel has private keys to use when encrypting using SSL.
First, go to the directory where stunnel keeps all of its files:
$ cd /etc/stunnel/
Generate Private Key
Use the openssl library to generate a 2048-bit private RSA key:
$ openssl genrsa -out key.pem 2048 Generating RSA private key, 2048 bit long modulus .....+++ ..+++ e is 65537 (0x10001)
Generate a Self-Signed Certificate
To do SSL, an stunnel server must have an SSL certificate, which requires a private key and a signature. We already generated a private key, so now we generate a certificate, and use our own key to sign it. Do this by running the following:
$ openssl req -new -x509 -key key.pem -out cert.pem -days 365 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:. State or Province Name (full name) [Some-State]:. Locality Name (eg, city) :. Organization Name (eg, company) [Internet Widgits Pty Ltd]:. Organizational Unit Name (eg, section) :. Common Name (e.g. server FQDN or YOUR name) : 10.0.0.19 Email Address :.
Key and Certificate
Now you have your private key in
key.pem and your server's certificate in
$ ls -lh total 20K -rw-r--r-- 1 root root 615 Apr 22 2013 README -rw-r--r-- 1 root root 1.1K Aug 4 13:06 cert.pem -rw-r--r-- 1 root root 1.7K Aug 4 13:05 key.pem -rw-r--r-- 1 root root 208 Aug 4 13:02 stunnel.conf -rw------- 1 root root 2.8K Aug 4 12:32 stunnel.pem
put those both into the certificate file that we will point to in our stunnel configuration file (next section):
$ cat key.pem cert.pem >> /etc/stunnel/stunnel.pem
Now edit the stunnel configuration file on the command and control server, which is located in
output = /var/log/stunnel4/stunnel.log cert=/etc/stunnel/stunnel.pem key=/etc/stunnel/stunnel.pem pid=/var/run/stunnel4/stunnel.pid client=yes [ssh] accept = 10.0.0.19:443 connect = 127.0.0.1:22
where 10.0.0.19 is the ip of the command and control server. This will allow incoming SSL connections to the command and control server on port 443, and will route them to localhost port 22.
$ /etc/init.d/stunnel4 start
Open Your Firewall to SSL
Assuming SSH over SSL connections will be coming in through port 443, we should open this on our firewall on our command and control server. This is my
#!/bin/sh iptables -A INPUT -p tcp --dport 443 -j ACCEPT
stunnel Client: Raspberry Pi
Start by installing stunnel on the Pi:
apt-get install -y stunnel4
Copy Private Key
One option, if you want to hack it (this is an insecure option), is to copy the private key from your command and control server to your Raspberry Pi.
A better way to do it would be to generate private keys on both the server and client, and use a level 3 verification in stunnel, whereby both client and server check each others identities. But we're just testing this out.
From the Raspberry Pi, we copy the stunnel private key and certificate from the command and control server at 10.0.0.19:
$ scp 10.0.0.19:/etc/stunnel/stunnel.pem /etc/stunnel/stunnel.pem
Now edit your stunnel configuration file to resemble the following:
$ cat /etc/stunnel/stunnel.conf output = /var/log/stunnel4/stunnel.log cert = /etc/stunnel/stunnel.pem key = /etc/stunnel/stunnel.pem pid = /var/run/stunnel4/stunnel.pid client = yes [ssh] accept = 127.0.0.1:443 connect = 10.0.0.19:443
Let's break down what that means:
stunnel accepts SSH traffic on port 443. (That means, we have to run the ssh command like
ssh -p 443)
It reroutes that SSH traffic through stunnel to wrap it in a layer of SSL encryption. (This is the key to getting past the firewall and IDS).
That encrypted SSL traffic is then sent out to the remote command-and-control server, via port 443. And now there's essentially no difference between how your connection looks and how a standard HTTPS browser session looks. And because it is wrapped in SSL, the firewall/IDS says its ok.
Open Your Firewall to SSL
The last step is to open your client firewall to outgoing SSL connections, using the same
firewall.sh script as before:
#!/bin/sh iptables -A INPUT -p tcp --dport 443 -j ACCEPT
$ /etc/init.d/stunnel4 restart
Test It Out
Okay, now give it a shot!
From your client (the Raspberry Pi), run the following command:
$ ssh -p 443 root@localhost Linux kronos 3.18.0-kali3-amd64 #1 SMP Debian 3.18.6-1~kali2 (2015-03-02) x86_64 The programs included with the Kali GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Tue Aug 4 13:41:09 2015 from localhost Cannot open display "default display" root@kronos:~#
Here's a photo. The Raspberry Pi client is "kali-pi" and the command and control server is "kronos":
When we run
ssh -p 443 root@localhost, we're creating "outgoing" SSH traffic (it doesn't actually go out anywhere).
That SSH traffic is routed to port 443, where stunnel is listening. Stunnel wraps the SSH traffic going through port 443 in an SSL layer, than sends that SSL traffic out and over port 443 to our remote command and control server. The remote command and control server, which also has stunnel running, listens on port 443, and when it finds traffic, decrypts it and reroutes it to local host port 22, where it looks like regular SSH traffic.
Reverse SSH Stunnel
This is just part 1 of the trick. Being able to automatically open an SSH tunnel over an arbitrary port is critical to bypassing a firewall, but right now the trick isn't particularly useful, since we aren't usually sitting in front of our Raspberry Pi - we are usually sitting in front of our command-and-control server.
Part 2 of this trick will show you how to set up a reverse SSH connection, so that when the Pi connects to the command-and-control server, it sets up a tunnel that reverse connections can then use. See the RaspberryPi/Reverse SSH Stunnel article.
sshsecure shell, the most useful tool in unix
Building SSH tunnels: SSH Tunnels
Tunnel SSH through HTTPS: Stunnel
Tunnel SSH through DNS: Iodine
Raspberry Pi and SSH:
Linux and SSH:
Flags · Template:SSHFlag · e
Raspberry Pia tiny tool for performing extraordinary acts beyond good and evil - with an ARM processor.
Basic Pi Information and Operations:
Organization/Layout of SD Card: Kali Raspberry Pi/SD Card ·
Disable IPV6 on the Raspberry Pi: Disable_IPv6_Pi
Kali Linux on Raspberry Pi:
Debian Raspberry Pi:
Raspberry Pi Circuits:
Raspberry Pi Timelapse Photos:
Flags · Template:PiFlag · e
Kali Linux"The quieter you become, the more you are able to hear."
Penetration testing Linux distribution.
1 Physical Attacks: Kali/Layer 1 Attacks
2 Data/MAC Attacks: Kali/Layer 2 Attacks
3 Network Attacks: Kali/Layer 3 Attacks
4 Transport Attacks: Kali/Layer 4 Attacks
5 Session Attacks: Kali/Layer 5 Attacks
6 Presentation Attacks: Kali/Layer 6 Attacks
7 Application Attacks: Kali/Layer 7 Attacks
Red Team Blue Team
Kali on Raspberry Pi:
Flags · Template:KaliFlag · e