Set up an SSL tunnel with stunnel 3.x
Stunnel is a very handy utility for wrapping virtually any service in SSL. From a pentesting perspective it's especially handy if you want to use a tool which only speaks HTTP (e.g. a Perl LWP script which you are too lazy to make speak SSL), or want to make manual HTTP requests ad hoc ;). We can set up a tunnel to our target SSL webserver, and have it bind to a local port we can use for access. NOTE: This only applies to stunnel version 3.x; 4.x uses an stunnel.conf file instead of command line switches.

For example, if our target webserver is called example.foo.com, with a webserver running SSL on port 443, we would run the following command to bind to a local high port e.g. 10666. If you attempted to bind to a local port below 1024, you would have to run this command as root:

stunnel -d localhost:10666 -c -r example.foo.com:443
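
For stunnel 4.x, which reads an stunnel.conf file instead of command line switches, the same client tunnel can be written as the configuration below. This is an added example, not from the original post: the service name and the CAfile path are assumptions, and the verify/CAfile lines go beyond the command above by making stunnel check the server's certificate chain.

```ini
; stunnel.conf for stunnel 4.x (added example, not from the original post)
; Client-mode equivalent of:
;   stunnel -d localhost:10666 -c -r example.foo.com:443

; Global option. An empty value means no pid file is written, so a
; non-root user needs no write access to the default pid location.
pid =

; Service section; the name "https-tunnel" is an arbitrary label (assumption).
[https-tunnel]
; -c : act as an SSL client
client = yes
; -d localhost:10666 : accept plaintext connections on loopback only
accept = 127.0.0.1:10666
; -r example.foo.com:443 : connect with SSL to the target
connect = example.foo.com:443
; Reject a server whose certificate does not chain to a CA in CAfile.
; The path is an assumption (Debian/Ubuntu CA bundle); adjust for your system.
verify = 2
CAfile = /etc/ssl/certs/ca-certificates.crt
```

Start it with the config file as the only argument, e.g. stunnel /path/to/stunnel.conf. Binding the accept side to loopback keeps the unencrypted end of the tunnel off the network.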

To confirm that it's working, first check the log (usually /var/log/messages, but /var/log/daemon.log on my system).

Mar 7 20:20:32 localhost stunnel[22933]: Using 'example.foo.com.10666' as tcpwrapper service name
Mar 7 20:20:32 localhost stunnel[22933]: stunnel 3.26 on i486-pc-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.8c 05 Sep 2006
Mar 7 20:20:32 localhost stunnel[22934]: FD_SETSIZE=1024, file ulimit=1024 -> 500 clients allowed

So now our stunnel daemon process is listening on localhost, port 10666, ready to service our requests! Let's try it out by doing a simple HEAD request on the target webserver:

user@host# nc localhost 10666
HEAD / HTTP/1.0

HTTP/1.1 403 Forbidden
Date: Sat, 08 Mar 2008 01:12:44 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=iso-8859-1

Excellent! I have also run password crackers like hydra through stunnel without problems, so it can take a beating. Happy Hacking!
