I have Kali on an old Pi 2 and was going through my copy of the “Penetration Testing with Raspberry Pi” book from PACKT. I had issues trying to figure this out, so I went to Google and found Charles Reid’s notes and managed to make it work from there, but his page also has a very minor error which caused my setup to not work.
On Client (RaspberryPi):
# Stunnel Config: /etc/stunnel/stunnel.conf
output = /var/log/stunnel4/stunnel4.log
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem
client = yes
[ssh]
accept = 443
connect = server-ip:443
Setup Server (i.e. Laptop)
On Server (my Laptop):
# Stunnel Config: /etc/stunnel/stunnel.conf
output = /var/log/stunnel4/stunnel4.log
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem
client = no
[ssh]
accept = 443
connect = 127.0.0.1:443
STunnel on Boot
Make sure both your Kali Pi and your command & control client start /etc/init.d/stunnel4 on boot.
systemd things into play
systemctl enable reverse-ssh
reboot (test if it comes back up)
This didn’t work for me straight off the bat, and I had to ‘disable’ it and copy the systemd-generated ‘reverse-ssh.service’ file into place:
cp /run/systemd/generator.late/reverse-ssh.service /etc/systemd/system/
then edit it to make sure it came up after ssh.service was running, because I was getting a bunch of these in the logs from boot-up attempts on the Pi:
Jul 18 10:32:40 kaliwifipi reverse-ssh: Opening reverse shell
Jul 18 10:32:41 kaliwifipi reverse-ssh: ssh: connect to host localhost port 2200: Connection refused
So yeah, not playing ball, so I did the copy and then edited it like so:
# Automatically generated by systemd-sysv-generator
[Unit]
Documentation=man:systemd-sysv-generator(8)
SourcePath=/etc/init.d/reverse-ssh
Description=LSB: Start reverse ssh at boot time
After=ssh.service

[Install]
WantedBy=multi-user.target

[Service]
Type=forking
Restart=no
TimeoutSec=5min
IgnoreSIGPIPE=no
KillMode=process
GuessMainPID=no
RemainAfterExit=yes
SuccessExitStatus=5 6
ExecStart=/etc/init.d/reverse-ssh start
ExecStop=/etc/init.d/reverse-ssh stop
The key things are ‘After=ssh.service’ and ‘WantedBy=multi-user.target’ - not sure about the latter, but systemctl complained about not having an ‘[Install]’ block in the ‘.service’ file, so, yeah, it comes up as required with this .service file.
In my case, Charles’ original page has the SERVER stunnel.conf file with ‘client = yes’ which, when I tried to ‘ssh -p 443 [email protected]’ on my client (Pi), would fail and give me this error in the SERVER side logs:
SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.
which, per this Stack Overflow thread, is the error you get when the stunnel client tries to connect to an endpoint/server that’s NOT SSL/stunnel… i.e. the two ends don’t match up protocol-wise.
Note: I just realized the Stack Overflow answer is from Charles himself, but I don’t think there’s any mental link back to his page, where the ‘client = yes’ in the wrong place is the cause of the protocol mismatch.
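As an added check, not code from the post or from Charles Reid’s page: a small POSIX shell script that reads both stunnel.conf files and flags exactly the mismatch described above (client = yes on both ends, or the client’s connect port not matching the server’s accept port). The two sample configs it writes to a temp directory are constructed from the post’s files; the paths and function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the post or from Charles Reid's page.
# Reads a client-side and a server-side stunnel.conf and reports the
# mismatch described above: both ends saying client = yes, or the
# client's connect port not matching the server's accept port.

# Value of "key = value" in a conf file; comments and whitespace ignored,
# last occurrence wins, nothing printed when the key is absent.
conf_value() {
    # $1 = key, $2 = file
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$2" | tail -n 1
}

# Port part of an accept/connect value such as "443" or "server-ip:443".
port_of() {
    printf '%s\n' "$1" | sed 's/.*://'
}

# Returns 0 and prints "ok" when the pair is consistent, 1 with a reason otherwise.
check_stunnel_pair() {
    # $1 = client-side conf (the Pi), $2 = server-side conf (the laptop)
    c_mode=$(conf_value client "$1"); s_mode=$(conf_value client "$2")
    : "${c_mode:=no}" "${s_mode:=no}"      # stunnel's default is client = no
    if [ "$c_mode" = "$s_mode" ]; then
        echo "mismatch: both ends have client = $c_mode (one must be yes, the other no)"
        return 1
    fi
    c_port=$(port_of "$(conf_value connect "$1")")
    s_port=$(port_of "$(conf_value accept "$2")")
    if [ "$c_port" != "$s_port" ]; then
        echo "mismatch: client connects to port $c_port, server accepts on port $s_port"
        return 1
    fi
    echo "ok: client=$c_mode on the Pi, client=$s_mode on the laptop, port $s_port"
}

# Constructed sample files: the post's Pi config, the correct laptop config,
# and the broken variant with client = yes on the laptop as well.
TMP=$(mktemp -d)
printf 'client = yes\n[ssh]\naccept = 443\nconnect = server-ip:443\n' > "$TMP/pi.conf"
printf 'client = no\n[ssh]\naccept = 443\nconnect = 127.0.0.1:443\n' > "$TMP/laptop-ok.conf"
sed 's/^client = no/client = yes/' "$TMP/laptop-ok.conf" > "$TMP/laptop-bad.conf"

for side in laptop-ok laptop-bad; do
    check_stunnel_pair "$TMP/pi.conf" "$TMP/$side.conf" || true
done
```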
The section for setting up ‘stunnel’, Chapter 2, page 46, is a bit shit. For example, there’s no mention of the file ‘server.key’ anywhere and suddenly it pops up out of nowhere and you’re supposed to know what it refers to. This section is pretty messy and not that easy to follow, whereas the page by Charles is pretty clearly laid out. Props to Charles.
Also, /etc/init.d/stunnel4 & ‘systemctl restart/start stunnel4’ is shithouse and doesn’t actually start anything. I have to literally run ‘stunnel4’ and the daemon starts. w.t.actual.f.