Monday, January 18, 2010

More tunneling with SSL and stunnel

We've discussed tunneling in the past with regards to httptunnel and ptunnel. As effective as these methods are for bypassing firewall rules and other purposes, neither ptunnel nor httptunnel provides any means of encryption (although SSH tunneling does, something I've discussed in a previous post).
Using programs like Wireshark, you can easily see the payloads of the tunneled traffic. An SSL tunnel provides similar tunneling functionality to the other tunneling programs but adds the much-needed encryption to mitigate eavesdroppers. I'll discuss all the steps needed to set up a Windows client and a Linux server.

Server [linux] - 10.0.0.1
Client [Windows XP] - 10.0.0.2

SERVER Setup:

The first thing you need to do is generate an x509 certificate file to be used for encryption, if one doesn't already exist [it should be located at /etc/stunnel/stunnel.pem]. I usually like to generate my own and customize the certificate with my name, email, location, etc.

To generate an x509 cert, type:
openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem

After the cert is generated the server can be set up using the following commands:
stunnel -d 2222 -r 127.0.0.1:80 -p /root/stunnel.pem

The server would now be listening on port 2222 for incoming client traffic. Traffic arriving at the server's listening port is forwarded to 127.0.0.1 on port 80.

CLIENT setup:

Download the stunnel setup for Windows and install it. Here's a link to the latest compiled binaries:
http://www.stunnel.org/download/stunnel/win32/stunnel-4.29-installer.exe

Rename the original stunnel.conf file to stunnel.conf.bak for backup purposes.

Now make a file named stunnel.conf in that same directory. Enter the following using Notepad:

client = yes
[my_https]
accept = 80
connect = 10.0.0.1:2222

Save this file. Now run stunnel.exe (you can also run it from the command line: c:\stunnel.exe stunnel.conf). Stunnel looks for stunnel.conf in the same directory by default. If you choose to use a config file with a different name, open a command prompt and run it as follows: c:\stunnel.exe myconfigfile.conf. Your client would now be listening on port 80. To use the tunnel, type http://127.0.0.1:80 into your browser. You should now see the webpage; it was transferred over the SSL tunnel you just created.
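As an added example, not code from the post or from stunnel itself: a minimal Python stand-in for the client half of the tunnel. It parses a stunnel.conf like the one above, listens on the accept port in plaintext and forwards each connection over TLS to the connect address; unlike the post's config, which sets no verify option, it rejects any server certificate that does not match the file passed as cafile (assumed to be a copy of the server's stunnel.pem). The names run_client, pump, split_hostport and SAMPLE_CONF are my own.

```python
import contextlib, socket, ssl, threading

# Constructed copy of the post's Windows client config (one global option, one service).
SAMPLE_CONF = "Client = yes\n[my_https]\naccept = 80\nconnect = 10.0.0.1:2222\n"

def parse_stunnel_conf(text):
    """Parse stunnel's ini-style config into (global options, {service: options})."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in stunnel.conf
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current, services[line[1:-1]] = line[1:-1], {}
            continue
        key, _, value = line.partition("=")
        # lower-case the key so the post's "Client = yes" is stored as "client"
        (services[current] if current else global_opts)[key.strip().lower()] = value.strip()
    return global_opts, services

def split_hostport(value, default_host="127.0.0.1"):
    """'10.0.0.1:2222' -> ('10.0.0.1', 2222); a bare '80' means default_host:80."""
    host, sep, port = value.rpartition(":")
    return (host if sep else default_host), int(port)

def pump(src, dst):
    """Copy bytes one way until EOF, then half-close dst so its peer sees end-of-stream."""
    with contextlib.suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)

def run_client(conf_text, cafile):
    """Client half of the tunnel: plaintext in on 'accept', TLS out to 'connect'."""
    global_opts, services = parse_stunnel_conf(conf_text)
    if global_opts.get("client") != "yes":
        raise ValueError("this relay only implements client = yes")
    opts = next(iter(services.values()))
    _, listen_port = split_hostport(opts["accept"])
    remote = split_hostport(opts["connect"])
    # The post's config sets no 'verify', so any server cert is accepted. Here the server
    # cert must chain to cafile; for a self-signed stunnel.pem, cafile is that same file.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # assumption: the self-signed cert carries no IP SAN
    with socket.create_server(("127.0.0.1", listen_port)) as listener:
        while True:
            plain, _ = listener.accept()
            tls = ctx.wrap_socket(socket.create_connection(remote))
            for a, b in ((plain, tls), (tls, plain)):
                threading.Thread(target=pump, args=(a, b), daemon=True).start()
```

Run it as run_client(SAMPLE_CONF, "stunnel.pem") on the client machine (binding port 80 needs privileges); the server side in the post stays exactly as described.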

Resources/Good reading:
www.stunnel.org
http://freshmeat.net/articles/ssl-encrypting-syslog-with-stunnel
http://librenix.com/?inode=7126
