This repository has been archived by the owner on Jun 24, 2023. It is now read-only.
---[ SSToPer ]------------------------------------------------------------------
---[ SSTP Client for Linux ]----------------------------------------------------
---[ By Christophe Alladoum ]---------------------------------------------------
What is SSTP?
--------------
Wikipedia says:
"Secure Socket Tunneling Protocol (SSTP) is a form of VPN tunnel that provides a
mechanism to transport PPP or L2TP traffic through an SSL 3.0 channel. SSL
provides transport-level security with key-negotiation, encryption and traffic
integrity checking. The use of SSL over TCP port 443 allows SSTP to pass through
virtually all firewalls and proxy servers."
http://en.wikipedia.org/wiki/Secure_Socket_Tunneling_Protocol
What is SSToPer?
----------------
SSToPer is an SSTP client for Linux. It establishes an SSTP connection to any
Windows Server 2008 (or later) running the SSTP service and uses it to set up
a VPN tunnel. Since SSTP is only a wrapper around a PPP session, pppd
(http://ppp.samba.org/) MUST be installed with synchronous HDLC serial
encoding support enabled.
The current SSToPer version DOES NOT support certificate validation: the TLS
channel is encrypted but the server is not authenticated, so an attacker on
the path can impersonate the SSTP server and capture the PPP authentication
exchange.
SSToPer spawns a pppd instance with the noauth option, which requires root
privilege. Hence SSToPer must either be started as root, or be granted the
CAP_SETUID and CAP_KILL capabilities. This can be done as root:
{{{
$ su -c "setcap cap_setuid,cap_kill+eip ./sstoper"
}}}
Features:
---------
- Establishes a PPP-based VPN through SSTP
- Proxy support
- HMAC-128/256 support
- (Opt.) Wireshark SSTP dissector provided to analyse SSTP behaviour
Pre-requisites:
---------------
- libcrypto (for hmac.h)
- libgnutls (for gnutls.h and other)
- libbsd (for util.h)
- HDLC-sync capable pppd must be installed
- root privileges (or the capabilities described above) on a Linux 2.6 kernel
Todo:
-----
- Certificate validation
Installing Wireshark SSTP dissector:
------------------------------------
* Download the Wireshark source from http://www.wireshark.org and untar the archive
* Add "dissectors/packet-sstp.c" to the DISSECTOR_SRC list in the `epan/CMakeLists.txt` file
* Add "packet-sstp.c" to the DISSECTOR_SRC list in the `epan/dissectors/Makefile.common` file
* Copy sstoper/misc/packet-sstp.c to wireshark/epan/dissectors/
* In the wireshark/ root directory, execute:
{{{
$ ./autogen.sh && ./configure --with-ssl && make
}}}
* You now have an SSTP-aware Wireshark build (a simple SSTP negotiation PCAP
file is provided in the misc/ directory), which can be started with:
{{{
$ sudo ./wireshark
}}}
Root is only needed for live capture; opening the provided PCAP does not
require sudo, and running the GUI and its dissectors as root is best avoided.
SSTP Session example:
---------------------
- First you need the server's CA certificate in PEM format. It can usually be
obtained like this (the download runs over plain HTTP, so check the
certificate's fingerprint out of band before trusting it):
-> Go to http://<server>/certsrv
-> Click on "Download a CA certificate, certificate chain, or CRL" link
-> Select "Base64" as "Encoding method" option
-> Click on "Download CA certificate" link
- Untar and compile sstoper
{{{
$ tar xf sstoper.tar.gz
$ cd sstoper && make
$ su -c "make install"
}}}
The `install` target installs the sstoper binary and sets the capabilities
described above, so that it can be executed by any user. Bear in mind that
CAP_SETUID allows a process to switch to uid 0, so a world-executable sstoper
deserves the same scrutiny as a setuid-root binary; restrict its file mode or
group if that is not acceptable.
- Running SSToPer with Linux capabilities
{{{
$ sstoper -s tweety.looney -c misc/vpn.tweety.looney.crt -U user1 -vv
Password:
[...]
2011-06-18 03:07:20 [!] Using default value: '443'
2011-06-18 03:07:20 [!] Using default value: '/usr/sbin/pppd'
2011-06-18 03:07:20 [+] Verbose level: 2
2011-06-18 03:07:20 [*] Starting ./sstoper as 7789
2011-06-18 03:07:20 [+] Connected to tweety:443
2011-06-18 03:07:20 [+] Dropping privileges
2011-06-18 03:07:20 [*] chdir-ed '/var/empty'
2011-06-18 03:07:20 [*] Switch user to 'nobody'
2011-06-18 03:07:20 [+] '/usr/sbin/pppd' forked with PID 7790
2011-06-18 03:07:20 [*] [7790] Waiting for SIGUSR1
[...]
2011-06-18 03:07:27 [*] --> 112 bytes
2011-06-18 03:07:27 [+] status: CLIENT_CONNECT_ACK_RECEIVED (0x2) -> CLIENT_CALL_CONNECTED (0x3)
2011-06-18 03:07:27 [+] SSTP link established
2011-06-18 03:07:27 [*] --> 8 bytes
2011-06-18 03:07:27 [*] --> 22 bytes
[...]
(Hit Ctrl-C to close connection)
2011-06-18 03:07:44 [+] SSTP connection time: 22 sec
2011-06-18 03:07:44 [+] Sent 986 bytes, received 894 bytes
2011-06-18 03:07:44 [+] End of TLS connection, reason: Success.
$
}}}
Increasing the verbose level (0-3) displays more connection events. Level 3
exposes low-level details such as crypto algorithm negotiation, key exchange,
etc.
Currently works on Linux (tested on Debian and Fedora); support for other
systems is planned.
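The log above shows the client moving from CLIENT_CONNECT_ACK_RECEIVED to
CLIENT_CALL_CONNECTED right after sending a 112-byte message. As an added
example (not SSToPer's own code, and not taken from a capture), the Python
below builds and parses the SSTP control messages of that phase following the
MS-SSTP layout, and computes and verifies the Compound MAC of the Crypto
Binding attribute, with which the client proves that the PPP authentication
and the TLS session belong together. A Call Connected message carrying a
Crypto Binding attribute is exactly 112 bytes, which is consistent with the
log. The CMK (Compound MAC Key), the server nonce and the certificate hash are
constructed values: in a real client the CMK is derived from the keys produced
by the PPP authentication, which is out of scope here.

```python
"""Added example (not SSToPer code): SSTP control messages from Call Connect
Request to Call Connected, with Compound MAC generation and verification.
Layout per MS-SSTP; all keys, nonces and hashes below are constructed values."""
import hashlib
import hmac
import struct

SSTP_VERSION, CTRL_FLAG = 0x10, 0x01          # version 1.0; C bit set = control packet
MSG_CALL_CONNECT_REQUEST, MSG_CALL_CONNECT_ACK, MSG_CALL_CONNECTED = 0x0001, 0x0002, 0x0004
ATTR_ENCAPSULATED_PROTOCOL_ID, ATTR_CRYPTO_BINDING, ATTR_CRYPTO_BINDING_REQ = 0x01, 0x03, 0x04
PROTO_PPP = 0x0001
HASH_SHA1, HASH_SHA256 = 0x01, 0x02           # hash protocol bitmask / selector values


def attribute(attr_id, value):
    """Reserved(1) | AttributeID(1) | LengthPacket(2): 12-bit length including this header."""
    return struct.pack("!BBH", 0, attr_id, (4 + len(value)) & 0x0FFF) + value


def control_message(msg_type, attrs):
    """Version(1) | C(1) | LengthPacket(2) | MessageType(2) | NumAttributes(2) | attributes."""
    body = b"".join(attrs)
    hdr = struct.pack("!BBHHH", SSTP_VERSION, CTRL_FLAG, (8 + len(body)) & 0x0FFF, msg_type, len(attrs))
    return hdr + body


def parse_control_message(pkt):
    """Return (msg_type, {attr_id: value}); raise ValueError on anything malformed."""
    if len(pkt) < 8:
        raise ValueError("short packet")
    version, flags, length, msg_type, nattrs = struct.unpack("!BBHHH", pkt[:8])
    if version != SSTP_VERSION or not flags & CTRL_FLAG:
        raise ValueError("not an SSTP control packet")
    if (length & 0x0FFF) != len(pkt):
        raise ValueError("length field does not match packet size")
    attrs, off = {}, 8
    for _ in range(nattrs):
        if off + 4 > len(pkt):
            raise ValueError("truncated attribute header")
        _, attr_id, alen = struct.unpack("!BBH", pkt[off:off + 4])
        alen &= 0x0FFF
        if alen < 4 or off + alen > len(pkt):
            raise ValueError("bad attribute length")
        attrs[attr_id] = pkt[off + 4:off + alen]
        off += alen
    if off != len(pkt):
        raise ValueError("trailing bytes after attributes")
    return msg_type, attrs


def call_connect_request():
    """Client -> server: request a PPP call (14 bytes on the wire)."""
    proto = struct.pack("!H", PROTO_PPP)
    return control_message(MSG_CALL_CONNECT_REQUEST, [attribute(ATTR_ENCAPSULATED_PROTOCOL_ID, proto)])


def call_connect_ack(hash_bitmask, nonce):
    """Server -> client: Crypto Binding Request = Reserved(3) | HashBitmask(1) | Nonce(32) (48 bytes)."""
    value = b"\x00" * 3 + bytes([hash_bitmask]) + nonce
    return control_message(MSG_CALL_CONNECT_ACK, [attribute(ATTR_CRYPTO_BINDING_REQ, value)])


def compound_mac(cmk, msg, hash_proto):
    """HMAC over the whole Call Connected message (MAC field zeroed); SHA-1 output is zero-padded."""
    digest = hashlib.sha256 if hash_proto == HASH_SHA256 else hashlib.sha1
    return hmac.new(cmk, msg, digest).digest().ljust(32, b"\x00")


def call_connected(hash_proto, nonce, cert_hash, cmk):
    """Client -> server: Crypto Binding = Reserved(3) | HashProtocol(1) | Nonce(32) |
    CertHash(32) | CompoundMAC(32), i.e. a 112-byte message."""
    value = b"\x00" * 3 + bytes([hash_proto]) + nonce + cert_hash.ljust(32, b"\x00") + b"\x00" * 32
    msg = control_message(MSG_CALL_CONNECTED, [attribute(ATTR_CRYPTO_BINDING, value)])
    return msg[:-32] + compound_mac(cmk, msg, hash_proto)


def verify_call_connected(pkt, expected_nonce, expected_cert_hash, cmk):
    """Server-side check: our nonce echoed, hash of our own certificate, valid Compound MAC."""
    msg_type, attrs = parse_control_message(pkt)
    cb = attrs.get(ATTR_CRYPTO_BINDING, b"")
    if msg_type != MSG_CALL_CONNECTED or len(cb) != 100:
        return False
    hash_proto, nonce, cert_hash, mac = cb[3], cb[4:36], cb[36:68], cb[68:100]
    if hash_proto not in (HASH_SHA1, HASH_SHA256) or nonce != expected_nonce:
        return False
    if cert_hash != expected_cert_hash.ljust(32, b"\x00"):
        return False
    return hmac.compare_digest(mac, compound_mac(cmk, pkt[:-32] + b"\x00" * 32, hash_proto))


def sample_exchange():
    """Both sides of the handshake on constructed values; returns sizes and check results."""
    nonce = bytes(range(32))                                    # constructed server nonce
    cert_hash = hashlib.sha256(b"constructed server cert").digest()
    cmk = hashlib.sha256(b"constructed CMK").digest()           # really derived from the PPP auth keys
    req = call_connect_request()
    ack = call_connect_ack(HASH_SHA1 | HASH_SHA256, nonce)
    bitmask = parse_control_message(ack)[1][ATTR_CRYPTO_BINDING_REQ][3]
    hash_proto = HASH_SHA256 if bitmask & HASH_SHA256 else HASH_SHA1  # prefer the stronger hash
    connected = call_connected(hash_proto, nonce, cert_hash, cmk)
    ok = verify_call_connected(connected, nonce, cert_hash, cmk)
    # A TLS-terminating attacker in the middle shows the client its own certificate, so the
    # hash the client binds is not the server's and the call is rejected.
    mitm = call_connected(hash_proto, nonce, hashlib.sha256(b"mitm cert").digest(), cmk)
    tampered = connected[:-1] + bytes([connected[-1] ^ 0x01])   # one flipped bit in the MAC
    return (len(req), len(ack), len(connected), ok,
            verify_call_connected(mitm, nonce, cert_hash, cmk),
            verify_call_connected(tampered, nonce, cert_hash, cmk))
```

verify_call_connected is the server's side of the check, and the two rejected
cases in sample_exchange show what the crypto binding buys: it ties the PPP
authentication to the TLS session the client actually saw, so a session
relayed through an impersonating server fails at the real server. It protects
the server, not the client; a client that does not validate the certificate
has already handed its PPP authentication exchange to the impersonator, which
is why the certificate validation item in the Todo list above matters.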
Comments/Bugs:
--------------
Please send comments and bug reports to
<christophe __DOT__ alladoum __AT__ hsc __DOT__ fr> with a backtrace (using the
sstoper -vvv option) and/or an strace output of the bug.
Changelogs:
-----------
06/2012 : migrating to GitHub public repository
06/2011 : 0.21 few bug fixes
03/2011 : 0.2 version adding capabilities, IPv6 support and many fixes.
11/2010 : 0.1 version adding better network handling.
10/2010 : first public release.
Thanks for using SSToPer !