Stunnel is a proxy designed to add TLS encryption to existing clients and servers without any changes to the programs' code. In practice it turns any plaintext TCP port into a TLS-protected one, using the OpenSSL library for the cryptography.
The idea is simple: stunnel accepts a plaintext connection, wraps it in TLS and sends it on to a remote host. This is useful when a hop (redirector) for whatever reason does not speak TLS itself but the backend does. To protect at least the data in transit between the redirector and the backend (C2) server, we can put stunnel on the redirector.
Let's begin by installing stunnel and creating the self-signed certificate and key it will use:
apt install stunnel4
openssl genrsa -out key.pem 2048
openssl req -new -x509 -key key.pem -out cert.pem -days 1095
cat key.pem cert.pem >> /etc/stunnel/stunnel.pem
Note that stunnel.pem now contains the private key, so restrict it to root only (mode 600) and keep it out of any image or repository you share.
Then enable automatic startup of stunnel
nano /etc/default/stunnel4
Change ENABLED=0 to ENABLED=1
systemctl enable stunnel4.service
Enabling the unit only registers it to start at boot; start the service now as well (systemctl start, or a reboot) and from then on it will come up automatically at every boot.
The first scenario is a simple redirection: a plaintext connection comes in on port 8080 of the redirector, stunnel wraps it in TLS and sends it on to port 80 of the C2. Two things follow from that. The C2 side has to terminate TLS on port 80 (a TLS listener, or another stunnel instance), and the redirector's stunnel must run in client mode: stunnel's default is server mode, in which it expects TLS on the accept port and forwards plaintext, the exact opposite of what we want here, so the service needs client = yes.
Example config file – To be created in /etc/stunnel/ and have a .conf extension
cert = /etc/stunnel/stunnel.pem
[https redirection]
client = yes
accept = 8080
connect = [DEST IP]:80
cert – which certificate to use
[https redirection] – title of the service. It can be anything
client – yes means accept plaintext and originate the TLS connection. Without this line stunnel defaults to server mode and does the reverse
Accept – The listening port
Connect – Where the connection should be forwarded to
Start stunnel with the config file (the stunnel4 service also loads every .conf in /etc/stunnel/ when it is restarted):
stunnel [file].conf
Let's say you want to use socat but don't want to send unencrypted traffic through it. You can chain stunnel in front of socat so that socat only ever relays the TLS stream.
Example config file – To be created in /etc/stunnel/ and have a .conf extension
cert = /etc/stunnel/stunnel.pem
[https redirection]
client = yes
accept = 8080
connect = 8081
cert – which certificate to use
[https redirection] – title of the service. It can be anything
client – yes: accept plaintext and wrap it in TLS before handing it to socat
Accept – The listening port
Connect – Where the connection should be forwarded to (a bare port means localhost)
Start stunnel with the config file:
stunnel [file].conf
Then start the socat listener on 8081, where stunnel delivers the already TLS-wrapped stream. socat relays it unchanged to the C2, which terminates TLS on port 80, so nothing leaves the redirector in the clear.
socat TCP4-LISTEN:8081,fork TCP4:[DEST IP]:80
STUNNEL Client / Server
This scenario is for protocols where neither end speaks TLS natively. The redirector side is set up as in the other scenarios, and a second stunnel instance on the far side strips the TLS again before handing the traffic to the C2. The two configs below are named after the machines they run on; in stunnel's own terminology the redirector side runs in client mode (it originates the TLS connection, so it needs client = yes) and the far side runs in server mode (the default).
Example config file – To be created in /etc/stunnel/ and have a .conf extension
Server config file
[Server incoming]
client = yes
accept = 8080
connect = [DEST IP]:8090
cert = /etc/stunnel/stunnel.pem
Start stunnel with the config file:
stunnel [file].conf
The connection comes in at port 8080 of the redirector and is forwarded, wrapped in TLS, to port 8090 of the remote host.
Client config file
[client incoming]
accept = 8090
connect = 127.0.0.1:8080
cert = /etc/stunnel/stunnel.pem
The client will receive the incoming connection at port 8090, decrypt it and send it to the localhost 8080 port.
Strictly speaking only the far end (the stunnel that accepts TLS) needs the certificate; the redirector side needs one only if the far end is configured to verify client certificates. Sharing the same self-signed certificate on both ends is still the convenient choice, because it lets each side verify the other against that one file (verifyPeer = yes with CAfile pointing at it). Without such verification the wrapping end will connect to anything that presents a certificate, so add it before relying on the tunnel.
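The following script is an added example, not code from the original post. It writes the configurations for the three scenarios above (direct redirection, the socat chain, and the client/server pair) with the direction made explicit, and checks that a wrapping end and an unwrapping end actually fit together: opposite roles, and the wrapping end connecting to the port the unwrapping end listens on. The C2 address 203.0.113.10 (an RFC 5737 documentation address), the output directory and the use of the stunnel 5.x options verifyPeer and CAfile to pin the shared certificate are assumptions of the example, not from the page.

```shell
#!/bin/sh
# Added example, not from the original post: writes the stunnel configs for the
# three scenarios above and checks the setting that decides traffic direction.
# Assumptions (hypothetical, not from the page): the C2 address 203.0.113.10,
# the output directory, and stunnel 5.x for verifyPeer/CAfile.
set -eu

OUT_DIR="${OUT_DIR:-${TMPDIR:-/tmp}/stunnel-lab}"
C2_HOST="${C2_HOST:-203.0.113.10}"
PEM="${PEM:-/etc/stunnel/stunnel.pem}"

# stunnel_service NAME ROLE ACCEPT CONNECT  -> prints one service stanza
#   wrap   : accept plaintext, add TLS, forward        (client = yes)
#   unwrap : accept TLS, remove it, forward plaintext  (client = no, the default)
# Both roles pin the peer to the shared self-signed certificate via CAfile.
stunnel_service() {
    case "$2" in
        wrap)   client=yes ;;
        unwrap) client=no ;;
        *) echo "unknown role: $2" >&2; return 1 ;;
    esac
    printf '[%s]\nclient = %s\naccept = %s\nconnect = %s\ncert = %s\nverifyPeer = yes\nCAfile = %s\n' \
        "$1" "$client" "$3" "$4" "$PEM" "$PEM"
}

# conf_value FILE KEY -> value of the first "KEY = value" line in FILE
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# role_of FILE -> wrap or unwrap, the way stunnel itself would read the file
# (no client line at all means server mode, i.e. unwrap)
role_of() {
    if [ "$(conf_value "$1" client)" = yes ]; then echo wrap; else echo unwrap; fi
}

# pair_ok WRAP_CONF UNWRAP_CONF -> succeeds only if the two ends fit together:
# opposite roles, and the wrapping end connects to the port the unwrapping end
# listens on (8090 in the client/server scenario of the post).
pair_ok() {
    [ "$(role_of "$1")" = wrap ] || return 1
    [ "$(role_of "$2")" = unwrap ] || return 1
    wrap_to=$(conf_value "$1" connect)
    listen_on=$(conf_value "$2" accept)
    [ "${wrap_to##*:}" = "${listen_on##*:}" ]
}

write_configs() {
    mkdir -p "$OUT_DIR"
    # Scenario 1: plaintext in on 8080, TLS out to the C2's own TLS listener on 80
    stunnel_service https-redirection wrap 8080 "$C2_HOST:80" > "$OUT_DIR/redirector-direct.conf"
    # Scenario 2: same, but the TLS stream is handed to a local socat on 8081 first
    stunnel_service https-redirection wrap 8080 127.0.0.1:8081 > "$OUT_DIR/redirector-socat.conf"
    # Scenario 3: the redirector wraps towards port 8090 on the far host ...
    stunnel_service server-incoming wrap 8080 "$C2_HOST:8090" > "$OUT_DIR/redirector-pair.conf"
    # ... where a second stunnel unwraps and hands plaintext to the C2 on 8080
    stunnel_service client-incoming unwrap 8090 127.0.0.1:8080 > "$OUT_DIR/c2-pair.conf"
}

write_configs
pair_ok "$OUT_DIR/redirector-pair.conf" "$OUT_DIR/c2-pair.conf" || { echo "pair mismatch" >&2; exit 1; }
echo "configs written to $OUT_DIR, client/server pair is consistent"
```

Copy the generated file for each end into /etc/stunnel/ on the right machine. pair_ok is the check worth running before deployment: a config that forgets client = yes on the redirector fails it, because stunnel would then sit in server mode waiting for TLS on 8080 instead of wrapping the plaintext it receives.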
There you have it. I hope you find this useful and are able to apply it in your operations. As always, I would like to have your comments and feedback.