Stunnel allows a user to tunnel any TCP based application protocol through a connection secured by TLS/SSL.
Proxy for Non-SSL Clients
In order to set up stunnel as a proxy for clients that do not support SSL connections you need to specify listening port and the target website:port:
stunnel -c -f -d 8080 -r www.wellsfargo.com:443
Proxy for Non-SSL Servers
Stunnel can provide transport encryption tunneling for servers that do not natively support SSL.
First generate private and public keys and store them in the same file:
openssl req -new -x509 -out server.pem -nodes -keyout server.pem -subj /CN=localhost
Next run stunnel SSL proxy:
stunnel -p server.pem -f -d 443 -r google.com:80
Encrypted remote shell
An encrypted remote shell can be started using stunnel:
stunnel -p privkey.pem -d 2222 -l /bin/sh
Next we can connect to port 2222 using OpenSSL's s_client and issue shell commands:
$ openssl s_client -connect localhost:2222 -quiet 2> /dev/null id uid=0(root) gid=0(root) groups=0(root)
Published on April 13th, 2009 by iphelix
OpenSSL is an open-source TLS/SSL toolkit implemented for a variety of platforms. In this article you will learn several openssl client and server commands useful in working with TLS/SSL protocol. Read more.
Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are two closely related protocols designed to protect confidentiality and integrity of data in transit between two hosts. Read more.
TLS/SSL protocols support a large number of cipher suites. A cipher suite is a collection of symmetric and asymmetric encryption algorithms used by hosts to establish a secure communication. Supported cipher suites can be classified based on encryption algorithm strength, key length, key exchange and authentication mechanisms. Some cipher suites offer better level of security than others (e.g. Several weak cipher suites were developed for export to comply with US export law). There are more than 200 known cipher suites. Read more.
|Date||January 27th, 2010|
SSLMap is a lightweight TLS/SSL cipher suite scanner.
- Uses custom TLS/SSL query engine for increased reliability/speed (No need for third-party libraries such as OpenSSL)
- Tests for 200+ known cipher suites.
- Capable of discovering undocumented cipher suites.
- Advises on cipher suite security based on Protocol, Key Exchange, Authentication, Encryption algorithm, and other parameters.
- Configurable handshake versions (e.g. TLSv1.1, SSLv2.0) Read more.
Wireshark is capable of decrypting TLS/SSL traffic. This article will discuss the required conditions necessary for the decryption and walk you through the exact steps. Read more.
Network traffic analysis is an important ingredient of a good iOS app pentest. The article covers several common approaches to iOS specific data interception such as network proxying, defeating network encryption, traffic injection and others. Read more.