【安全牛学习笔记】补充Proxytunnel、stunnel4
来源:互联网 发布:为什么手机网络不稳定 编辑:程序博客网 时间:2024/05/19 00:09
stunnel4
无需修改源代码的情况下降TCP流量封装与SSL通道内
适用于本身不支持加密传输的应用
支持openssl安全特性
跨平台
性能
yuanfh@Bodhi:~$ sudo apt-get install stunnel4
1.1.1.1 防火墙
External port range: from:other 3306
NAT IP 1.1.1.10
Local port: 3306
save
msfadmin@metasploitable:~$ netstat -pantu | grep :3306
(No info could be read for "-p": geteuid()=1000 but you should be root.)
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
wireshark
ip.addr == 192.168.1.11
External port range: from:other 3306; to:3306
root@K:~# mysql -u root -h 192.168.1.11
Welcome to the Mysql monitor. Commands and with ; or \g.
Your MYSQL connection id is 7
Server version: 5.0.51a-3ubuntuS (Ubuntu)
Copyright (c) 2000, 2016 Oracle and/or its affiliate. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or it>
affiliates. Other names may be trademarks of their respective
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement
mysql> show datebases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| dvwa |
| metasploit |
| mysql |
| owasp10 |
| tikiwiki |
| tikiwiki195 |
+--------------------+
stunnel4
安装内网Stunnel4服务器
服务器配置
- 生成证书:openssl req -new --days 365 -nodes -x509 -out
/etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem
- 创建配置文件 /etc/stunnel/stunnel.conf
cert = /etc/stunnel/stunne.pem
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/stunnel4.pid
[mysqls]
accept = 0.0.0.0:443
connect = 1.1.1.1:3306
yuanfh@Bodhi:~$ sudo openssl req -new --days 1000 -nodes -x509 -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem
Generating a 2048 bit RSA private key
.......................................................................................
....................................................................+++
..................+++
writing new private key to '/etc/stunnel/stunnel.pem'
-----
You are about to be asked to enter information that will incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There you are quite a few fields but you can leave some blank
For some fields there will be a default value.
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg. city) []:BJ_HD
Organization Name (eg. company) [Internet Widgits Pty Ltd]:LAB
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:www.lab.com
Email Address []:yuanfh@lab.com
yuanfh@Bodhi:~$ cat /etc/stunnel/stunnel.pem
yuanfh@Bodhi:~$ sudo vi /etc/stunnel/stunnel.conf
cert = /etc/stunnel/stunne.pem
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/stunnel4.pid
[mysqls]
accept = 0.0.0.0:443
connect = 1.1.1.1:3306
stunnel4
Stunnel4自动启动
- /etc/default/stunnel4
启动stunnel4服务端
- service stunnel4 start
防火墙规则
- 端口映射TCP/443端口到stunnel4服务端TCP/443
- 设置防火墙规则
Stunnel4客户端
stunnel4
启动客户端服务
- service stunnel4 stop / start
Mysql客户端连接服务器
- mysql -u root -h 127.0.0.1
抓包对比隧道前后差异
yuanfh@Bodhi:~$ sudo vi /etc/default/stunnel4
WNABLED=1
yuanfh@Bodhi:~$ service stunnel start
yuanfh@Bodhi:~$ netstat -pantu | grep 443
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0.0.0.0:443 0.0.0.0:* LISTEN -
yuanfh@Bodhi:~$ sudo service stunnel4 stop
Stopping SSL tunnels: [stopped./etc/stunnel/stunnel.conf] stunnel.
Enternal port range: from: HTTPS
NAT: 1.1.1.11
root@K:~# vi /etc/stunnel/a.conf
client = yes
{mysqls]
accept = 3306
connect = 192.168.1.11:443
root@K:~# vi /etc/default/stunnel4
ENABLED=1
root@K:~# service stunnel4 start
root@K:~# cat /etc/stunnel/a.conf
client = yes
{mysqls]
accept = 3306
connect = 192.168.1.11:443
root@K:~# netstat -pantu | grep :3306
tcp 0 0.0.0.0:3306 0.0.0.0:* LISTEN 3355/stunnel4
root@K:~# mysql -u root -h 127.0.0.1
Welcome to the Mysql monitor. Commands and with ; or \g.
Your MYSQL connection id is 7
Server version: 5.0.51a-3ubuntuS (Ubuntu)
Copyright (c) 2000, 2016 Oracle and/or its affiliate. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or it>
affiliates. Other names may be trademarks of their respective
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement
mysql> show datebases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| dvwa |
| metasploit |
| mysql |
| owasp10 |
| tikiwiki |
| tikiwiki195 |
+--------------------+
7 rows in set (0.00 sec)
ip.addr == 192.168.1.11
- 【安全牛学习笔记】补充Proxytunnel、stunnel4
- 【安全牛学习笔记】SSL、TLS拒绝服务攻击和补充概念
- 【安全牛学习笔记】SSL、TLS拒绝服务攻击和补充概念
- Spring学习笔记 补充
- 学习笔记补充
- wpf学习笔记补充
- [学习笔记]aj补充
- jquery学习笔记补充
- 【安全牛学习笔记】WPA安全系统
- 【安全牛学习笔记】python学习笔记
- 【安全牛学习笔记】搜索引擎
- 【安全牛学习笔记】端口扫描
- 【安全牛学习笔记】TOR
- 【安全牛学习笔记】SHODAN
- 【安全牛学习笔记】 端口扫描
- 【安全牛学习笔记】NEXPOSE
- 【安全牛学习笔记】POP3
- 【安全牛学习笔记】FUZZING
- 后缀数组 + LCP(最长公共前缀)
- 连续第四天总结
- 1071. 小赌怡情(15)
- Android面试题总结(二)
- eclipse创建maven工程
- 【安全牛学习笔记】补充Proxytunnel、stunnel4
- Linux环境的新手上路
- pandas表连接 索引上的合并
- html5页面布局
- POJ1743-Musical Theme
- java读取properties配置文件
- 指针数组与数组指针
- html5 from表单
- java 内部类详解