sstoper

sstoper copied to clipboard

---[ SSToPer ]------------------------------------------------------------------ ---[ SSTP Client for Linux ]---------------------------------------------------- ---[ By Christophe Alladoum ]---------------------------------------------------

What is SSTP ?

Wikipedia says: "Secure Socket Tunneling Protocol (SSTP) is a form of VPN tunnel that provides a mechanism to transport PPP or L2TP traffic through an SSL 3.0 channel. SSL provides transport-level security with key-negotiation, encryption and traffic integrity checking. The use of SSL over TCP port 443 allows SSTP to pass through virtually all firewalls and proxy servers." http://en.wikipedia.org/wiki/Secure_Socket_Tunneling_Protocol

What is SSToPer ?

SSToPer is a SSTP client for Linux. It creates SSTP communications with any Windows Server (2008+) having active service, and is used to establish VPN communication with Microsoft Server 2008 and above. Since SSTP is only a wrapper over PPP communication, pppd (http://ppp.samba.org/) MUST be installed with the synchronous HDLC serial encoding capability enabled.

Current SSToPer version DOES NOT support certification validation.

SSToPer spawns a pppd instance with noauth option that requires root privilege. Hence, SSToPer must either be started as root, or have CAP_SETKILL and CAP_SETUID. This can be done as root : {{{ $ su -c "setcap cap_setuid,cap_kill+eip ./sstoper" }}}

Features:

• Establishes PPP based VPN through SSTP
• Proxy
• HMAC-128/256 support
• (Opt.) Wireshark SSTP dissector provided to analyse SSTP behaviour

Pre-requisites:

• libcrypto (for hmac.h)
• libgnutls (for gnutls.h and other)
• libbsd (for util.h)
• HDLC-sync capable pppd must be installed
• root privileges on a 2.6 Linux kernel

Todo:

• Certification validation

Installing Wireshark SSTP dissector:

• Download Wireshark source from http://www.wireshark.org and un-tar archive
• Add "dissectors/packet-sstp.c" in DISSECTOR_SRC section inside epan/CMakeLists.txt file
• Add "packet-sstp.c" in DISSECTOR_SRC section inside epan/dissectors/Makefile.common file
• Copy sstoper/misc/packet-sstp.c -> wireshark/epan/dissectors/
• In wireshark/ root directory, execute : {{{ $ ./autogen.sh && ./configure --with-ssl && make }}}
• You now have a SSTP-compliant Wireshark version (a simple SSTP negociation PCAP file is provided in misc/ directory) which can be started {{{ $ sudo ./wireshark
  }}}

SSTP Session example:

• first you need your server PEM-formatted CA file. It can usually be obtained like this: -> Go to http:///certsrv -> Click on "Download a CA certificate, certificate chain, or CRL" link -> Select "Base64" as "Encoding method" option -> Click on "Download CA certificate" link

• un-tar and compile sstoper {{{ $ tar xf sstoper.tar.gz $ cd sstoper && make $ su -c "make install" }}}

install directive will install sstoper binary by properly setting capabilities so that it can be executed by any user.

• Execution with SSToPer with Linux capabilities {{{ $ sstoper -s tweety.looney -c misc/vpn.tweety.looney.crt -U user1 -vv Password: [...] 2011-06-18 03:07:20 [!] Using default value: '443' 2011-06-18 03:07:20 [!] Using default value: '/usr/sbin/pppd' 2011-06-18 03:07:20 [+] Verbose level: 2 2011-06-18 03:07:20 [] Starting ./sstoper as 7789 2011-06-18 03:07:20 [+] Connected to tweety:443 2011-06-18 03:07:20 [+] Dropping privileges 2011-06-18 03:07:20 [] chdir-ed '/var/empty' 2011-06-18 03:07:20 [] Switch user to 'nobody' 2011-06-18 03:07:20 [+] '/usr/sbin/pppd' forked with PID 7790 2011-06-18 03:07:20 [] [7790] Waiting for SIGUSR1 [...] 2011-06-18 03:07:27 [] --> 112 bytes 2011-06-18 03:07:27 [+] status: CLIENT_CONNECT_ACK_RECEIVED (0x2) -> CLIENT_CALL_CONNECTED (0x3) 2011-06-18 03:07:27 [+] SSTP link established 2011-06-18 03:07:27 [] --> 8 bytes 2011-06-18 03:07:27 [*] --> 22 bytes [...]

(Hit Ctrl-C to close connection)

2011-06-18 03:07:44 [+] SSTP connection time: 22 sec 2011-06-18 03:07:44 [+] Sent 986 bytes, received 894 bytes 2011-06-18 03:07:44 [+] End of TLS connection, reason: Success. $ }}}

Incrementing verbose option (0-3) will display more connection events. Level 3 will expose low-level details, such as crypto algorithm negociation, key exchange, etc.

Actually working on Linux (tested Debian & Fedora), other system to be supported.

Comments/Bugs:

Please send me back comments and bugs to <christophe DOT alladoum AT hsc DOT fr> with backtrace (using sstoper -vvv options) and/or an strace output of the bug.

Changelogs:

06/2012 : migrating to GitHub public repository 06/2011 : 0.21 few bug fixes 03/2011 : 0.2 version adding capabilities, IPv6 support and many fixes. 11/2010 : 0.1 version adding better network handling. 10/2010 : first public release.

Thanks for using SSToPer !