Securing communications with STUNNEL

Stunnel is a proxy designed to add TLS encryption to existing clients and servers without any changes to the programs' code. In short, STUNNEL turns any insecure TCP port into an encrypted one, using the OpenSSL package for the cryptography.

STUNNEL is very simple: it accepts a non-secure connection, adds TLS encryption and sends it on to a remote host. This comes in handy in scenarios where we have a hop which, for whatever reason, does not support TLS but our backend does. To protect at least the data in transit between the hop (redirector) and the backend server (C2), we can use STUNNEL.

Let's begin by installing stunnel and then creating the certificate that will be used.

apt install stunnel4
openssl genrsa -out key.pem 2048
openssl req -new -x509 -key key.pem -out cert.pem -days 1095
cat key.pem cert.pem >> /etc/stunnel/stunnel.pem

Then enable automatic startup of stunnel:

nano /etc/default/stunnel4

Change ENABLED=0 to ENABLED=1

systemctl enable stunnel4.service

Now the service is up and running and should start automatically at each reboot.

The first scenario is a simple redirection: a connection comes in on port 8080 of the redirector, and STUNNEL is responsible for wrapping it in TLS and sending it on, encrypted, to port 80 of the C2.


Example config file – To be created in /etc/stunnel/ and have a .conf extension

cert = /etc/stunnel/stunnel.pem

[https redirection]
; client = yes makes stunnel accept plaintext on the accept port and open TLS to the connect
; target. Without it stunnel runs in its default server mode and does the reverse (terminates
; TLS on accept and forwards plaintext), which is not what this scenario wants.
client  = yes
accept  = 8080
connect = [DEST IP]:80

cert – which certificate to use
Title of the connection. It can be anything
client – yes: accept plaintext and initiate TLS towards the connect target
Accept – The listening port
Connect – Where the connection should be forwarded to

Reload the config file

stunnel [file].conf

Let's say you want to use SOCAT but don't want to send unencrypted traffic over it. You can combine SOCAT and STUNNEL to encrypt the communication.


Example config file – To be created in /etc/stunnel/ and have a .conf extension

cert = /etc/stunnel/stunnel.pem

[https redirection]
; client = yes: plaintext in on 8080, TLS out to the local SOCAT listener on 8081.
; In the default server mode stunnel would instead expect TLS on 8080 and hand
; plaintext to SOCAT, defeating the purpose of this setup.
client  = yes
accept  = 8080
connect = 8081

cert – which certificate to use
Title of the connection. It can be anything
client – yes: accept plaintext and initiate TLS towards the connect target
Accept – The listening port
Connect – Where the connection should be forwarded to (a bare port means localhost)

Reload the config file

stunnel [file].conf

Then start the SOCAT listener on 8081, where STUNNEL is sending the TLS-encapsulated traffic. SOCAT forwards it unchanged to the C2 server, so the traffic stays encrypted all the way.

socat TCP4-LISTEN:8081,fork TCP4:[DEST IP]:80

STUNNEL Client / Server

This scenario is for protocols that don't support SSL natively. In this case the server must be set up the same way as in the other scenarios, but a client must also be set up on the other side to handle the encryption and decryption.


Example config file – To be created in /etc/stunnel/ and have a .conf extension

Server config file

[Server incoming]
; client = yes: this side accepts plaintext on 8080 and opens the TLS connection
; to the remote host's 8090 (default server mode would expect TLS on 8080 instead)
client  = yes
accept  = 8080
connect = [DEST IP]:8090

cert = /etc/stunnel/stunnel.pem

Reload the config file

stunnel [file].conf

The connection to the server comes in on port 8080 and is forwarded, wrapped in SSL, to port 8090 of the remote host.

Client config file

[client incoming]
accept = 8090
connect = 127.0.0.1:8080

cert = /etc/stunnel/stunnel.pem 

The client receives the incoming connection on port 8090, decrypts it and sends it to port 8080 on localhost. No client = yes is needed here: this side terminates TLS, which is stunnel's default server mode.

It is important that the same SSL certificate is used for client and the server.
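Before loading any of the configs above it is worth checking which direction each service actually encrypts in, since the same accept/connect pair means the opposite thing depending on whether client = yes is set. The following audit script is an added example, not code from the post or from the stunnel project. It parses a config using the grammar from stunnel's manual (global options before the first [section], ';' comment lines, key = value pairs; '#' comment lines are accepted leniently), merges the global defaults into each service, and reports whether the service initiates TLS or terminates it, whether a server-mode service has a cert, whether decrypted traffic would leave the host in the clear, and whether a client-mode service verifies the peer at all. The option names are real stunnel options; the sample configs are constructed from the three scenarios above and the CA path /etc/stunnel/c2-ca.pem is a hypothetical placeholder.

```python
"""Classify and sanity-check stunnel services before deploying a redirector.

Added example, not from the post and not stunnel's own code.  Assumes the
config grammar documented in stunnel's manual; sample configs below are
constructed, and /etc/stunnel/c2-ca.pem is a hypothetical path.
"""
import ipaddress
import re

SECTION_RE = re.compile(r"\[(.+)\]")


def parse_stunnel_conf(text):
    """Return (global_opts, {service_name: opts}); option names are lower-cased."""
    global_opts, services = {}, {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                      # blank or comment line
        m = SECTION_RE.fullmatch(line)
        if m:
            current = services.setdefault(m.group(1).strip(), {})
            continue
        if "=" not in line:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = line.split("=", 1)
        current[key.strip().lower()] = value.strip()
    return global_opts, services


def _split_target(target):
    """'host:port', '[v6]:port' or bare 'port' -> (host, port); bare port means loopback."""
    if ":" not in target:
        return "", target
    host, port = target.rsplit(":", 1)
    return host.strip("[]"), port


def _is_loopback(host):
    if host in ("", "localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                      # hostname or placeholder: treat as remote


def _yes(opts, key):
    return opts.get(key, "no").lower() == "yes"


def audit_service(opts):
    """Return (mode, findings) for one service with the global defaults already merged in."""
    findings = []
    if "accept" not in opts or "connect" not in opts:
        return "invalid", ["service needs both accept and connect"]
    host, _port = _split_target(opts["connect"])
    if _yes(opts, "client"):
        # client mode: plaintext in on accept, TLS out to connect
        if "verify" not in opts and not _yes(opts, "verifychain") and not _yes(opts, "verifypeer"):
            findings.append(f"no peer verification: any certificate from {opts['connect']} is accepted")
        return "client", findings
    # default (server) mode: TLS in on accept, plaintext out to connect
    if "cert" not in opts:
        findings.append("server mode needs a cert; stunnel will refuse to start")
    if not _is_loopback(host):
        findings.append(f"decrypted traffic leaves this host in the clear towards {opts['connect']}")
    return "server", findings


def audit_conf(text):
    """Audit every service in a stunnel config; returns {service: (mode, findings)}."""
    global_opts, services = parse_stunnel_conf(text)
    return {name: audit_service({**global_opts, **opts}) for name, opts in services.items()}


# Constructed samples.  The first is the redirector config as it would look
# without client = yes: stunnel would terminate TLS on 8080 and push plaintext
# to the C2 over the wire.
SAMPLE_AS_WRITTEN = """\
cert = /etc/stunnel/stunnel.pem

[https redirection]
accept  = 8080
connect = [DEST IP]:80
"""

# Same service in client mode, pinning the C2's CA (hypothetical path).
SAMPLE_FIXED = """\
cert = /etc/stunnel/stunnel.pem

[https redirection]
client  = yes
accept  = 8080
connect = [DEST IP]:80
verifyChain = yes
CAfile = /etc/stunnel/c2-ca.pem
"""

# The TLS-terminating side of the client/server scenario: server mode is correct here.
SAMPLE_TERMINATING = """\
[client incoming]
accept = 8090
connect = 127.0.0.1:8080
cert = /etc/stunnel/stunnel.pem
"""

if __name__ == "__main__":
    for label, conf in (("as written", SAMPLE_AS_WRITTEN), ("fixed", SAMPLE_FIXED),
                        ("terminating", SAMPLE_TERMINATING)):
        for name, (mode, findings) in audit_conf(conf).items():
            print(f"{label}: [{name}] {mode} mode; " + ("; ".join(findings) or "ok"))
```

Run it against a real file with audit_conf(open("/etc/stunnel/foo.conf").read()). The useful outcome for the redirector scenarios is that the first sample is reported as server mode with plaintext leaving the host, while the client-mode version is only clean once the peer is actually verified; without verifyChain or verify, the tunnel encrypts to whoever answers on the connect port.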

There you have it. I hope you find this useful and are able to apply it in your operations. As always, I would like to have your comments and feedback.

~ @sec_groundzero