From charlesreid1

Building

Building stunnel on a Mac:

Getting

Download the stunnel source tarball from here:

https://www.stunnel.org/downloads.html

Compiling

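Verify the downloaded tarball by computing its SHA-256 digest and comparing it with the value published for that release:

openssl dgst -sha256 stunnel-5.30.tar.gz

Then, from the unpacked source directory, build and install:

./configure && make && sudo make install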
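
The digest check above only helps if the comparison is actually made and a mismatch stops the build. The following is an added example, not part of the original page: a small fail-closed check. The function names and the checksum list format ("<hex digest>  <file name>" per line, as written by sha256sum) are assumptions, and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): fail-closed SHA-256 check.
# Assumed checksum list format: "<64 hex chars>  <file name>" per line.

# Print the lowercase hex SHA-256 of file $1 with whichever tool is installed.
sha256_of() {
    if command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | awk '{print $NF}'   # hex is the last field
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        sha256sum "$1" | awk '{print $1}'
    fi | tr 'A-F' 'a-f'
}

# Print the expected digest for file name $2 from checksum list $1.
expected_from_list() {
    awk -v name="$2" '{ f = $2; sub(/^\*/, "", f)
                        if (f == name) { print tolower($1); exit } }' "$1"
}

# verify_download FILE LIST: 0 = match, 1 = mismatch, 2 = no usable digest.
verify_download() {
    want=$(expected_from_list "$2" "$(basename "$1")")
    got=$(sha256_of "$1" 2>/dev/null)
    # Fail closed: a missing or malformed entry is an error, never a pass.
    case "$want" in
        ""|*[!0-9a-f]*) echo "no valid digest for $1 in $2" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 64 ] || { echo "bad digest length in $2" >&2; return 2; }
    if [ "$got" = "$want" ]; then
        echo "OK: $1"
        return 0
    fi
    echo "MISMATCH: $1 (got ${got:-nothing}, want $want)" >&2
    return 1
}

# Constructed demo: the SHA-256 of the three bytes "abc" is a standard test vector.
demo=$(mktemp -d)
printf 'abc' > "$demo/sample.tar.gz"
echo "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  sample.tar.gz" \
    > "$demo/sample.sha256"
verify_download "$demo/sample.tar.gz" "$demo/sample.sha256"
rm -rf "$demo"
```

Chain it in front of the build, for example `verify_download stunnel-5.30.tar.gz <checksum list> && ./configure`, so that a mismatch stops before any downloaded code runs.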

Certifying

Now generate a certificate:

$ sudo make cert

Finding

If you want to know where everything went, it is all in /usr/local.

Config file: /usr/local/etc/stunnel/stunnel.conf

PEM certificate file: /usr/local/etc/stunnel/stunnel.pem

Binary: /usr/local/bin/stunnel

Prepare to Stunnel

At this point, you will want to prepare to run SSH traffic through Stunnel to the command-and-control server.

Copy Private Key from Command and Control

Get the private key from the command and control server to the client machine, either using scp (over a potentially untrusted/observed/man-in-the-middle'd connection, so be wary) or using a higher verification level (more here: [1]).

This goes in your stunnel etc folder, at /usr/local/etc/stunnel/stunnel.pem.

Port Forward

Now that you have the command and control server's certificate, you have to open your client firewall to outgoing SSL connections.

Open System Preferences > Security > Firewall. You can open the firewall completely or on specific ports.

Start Stunnel

On the Mac, stunnel's behavior is a bit cryptic. Check the log file, /var/log/stunnel4/stunnel.log, for any messages. If that directory does not exist, create it.

The log file will tell you if anything goes wrong, or if stunnel has started OK. You can check whether it is running with the ps command:

$ ps auxw | grep stunnel

Either way, when you run the stunnel command to start stunnel, it will not print anything.

SSH Away

ssh -p 443 user@localhost

This will forward your local port 443 connection to stunnel, which will then forward it to the remote computer's port 443. The stunnel on the remote machine's end will receive the traffic on port 443, and then reroute it to the remote machine's own port 22.