---[ SSToPer ]------------------------------------------------------------------
---[ SSTP Client for Linux ]----------------------------------------------------
---[ By Christophe Alladoum ]---------------------------------------------------

What is SSTP ?
--------------

Wikipedia says:

"Secure Socket Tunneling Protocol (SSTP) is a form of VPN tunnel that provides
a mechanism to transport PPP or L2TP traffic through an SSL 3.0 channel. SSL
provides transport-level security with key-negotiation, encryption and traffic
integrity checking. The use of SSL over TCP port 443 allows SSTP to pass
through virtually all firewalls and proxy servers."

http://en.wikipedia.org/wiki/Secure_Socket_Tunneling_Protocol

What is SSToPer ?
-----------------

SSToPer is an SSTP client for Linux. It establishes an SSTP session with any
Windows Server (2008 and above) that has the SSTP service enabled, and uses it
to bring up a VPN connection to that server.

Since SSTP is only a wrapper around a PPP session, pppd (http://ppp.samba.org/)
MUST be installed, built with synchronous HDLC serial encoding support: SSToPer
exchanges raw PPP frames with pppd and carries them inside SSTP data packets.

The current SSToPer version DOES NOT validate the server certificate. In
practice this means the TLS endpoint is not authenticated: anyone able to
intercept the TCP connection can impersonate the server, terminate the TLS
session and see the PPP session (including its authentication exchange). Only
use it over a path you trust until certificate validation is implemented.

SSToPer itself does not need root privileges, but pppd does. SSToPer therefore
starts as root, relies on Linux capabilities, and drops its privileges to the
`nobody` user as soon as the pppd process has been started.

Features:
---------
- Establishes a PPP-based VPN through SSTP
- Proxy support
- HMAC-SHA256 support (for the SSTP Crypto Binding attribute)
- (Opt.) Wireshark SSTP dissector provided to analyse SSTP behaviour

Pre-requisites:
---------------
- libcrypto (for hmac.h)
- libgnutls (for gnutls.h and others)
- libbsd (for util.h)
- HDLC-sync capable pppd must be installed
- root privileges

Todo:
-----
- Certificate validation

Installing the Wireshark SSTP dissector:
----------------------------------------
* Download the Wireshark source from http://www.wireshark.org and un-tar the
  archive
* Copy sstoper/misc/packet-sstp.c -> wireshark/epan/dissectors/
* Add "dissectors/packet-sstp.c" to the DISSECTOR_SRC section of
  `epan/CMakeLists.txt`
* Add "packet-sstp.c" to the DISSECTOR_SRC section of
  `epan/dissectors/Makefile.common`
* In the wireshark/ root directory, execute:
{{{
$ ./autogen.sh && ./configure --with-ssl && make
}}}
* You now have an SSTP-aware Wireshark build (a simple SSTP negotiation PCAP
  file is provided in the misc/ directory), which can be started with:
{{{
$ sudo ./wireshark
}}}

SSTP Session example:
---------------------
- First you need your server's CA certificate in PEM format. It can usually be
  obtained like this:
  -> Go to http:///certsrv (the certificate web enrollment page of your
     Windows CA)
  -> Click on the "Download a CA certificate, certificate chain, or CRL" link
  -> Select "Base64" as the "Encoding method" option
  -> Click on the "Download CA certificate" link

- Un-tar and compile sstoper:
{{{
$ tar xf sstoper.tar.gz
$ cd sstoper && make
}}}

- Execute (example values are given below):
{{{
$ sudo ./sstoper -s tweety.looney -c misc/vpn.tweety.looney.crt -U user1
Password:
2011-04-12 16:33:45 [!] Using default value: 443
2011-04-12 16:33:45 [!] Using default value: /usr/sbin/pppd
Connecting to tweety.looney:443
Connected
SSTP link established (Hit Ctrl-C to close connection)
^C2011-04-12 16:35:39 [-] sstp_loop: Interrupted system call
Waiting for /usr/sbin/pppd process (PID:7908) to end
$
}}}

Increasing the verbosity level (-v, up to -vvv, i.e. 0-3) displays more
connection events.

Currently works on Linux (tested on Debian and Fedora); other systems are to be
supported later.
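The SSTP framing SSToPer implements in C, as an added Python example that is not
part of SSToPer: the 4-byte SSTP header with its control bit and 12-bit length,
the Call Connect Request that asks for PPP encapsulation, the server's Call
Connect Ack carrying a Crypto Binding Request (32-byte nonce plus the hash
bitmask from which the client picks SHA-256 when offered, which is where the
HMAC-SHA256 support above comes in), and PPP frames carried in data packets.
Message and attribute layouts follow MS-SSTP; the host name, correlation ID and
nonce are constructed sample values. The parser bounds-checks every length
field because an attribute length of 0 or a length larger than the packet
would otherwise loop forever or read past the buffer, which is exactly what a
hostile "server" on an unauthenticated TLS channel could send.

```python
import struct

SSTP_VERSION = 0x10        # major 1, minor 0
SSTP_FLAG_CONTROL = 0x01   # C bit: 1 = control packet, 0 = data (PPP) packet
SSTP_MAX_PACKET = 0x0FFF   # LengthPacket is 12 bits; the upper 4 bits are reserved

# Control message types and attribute IDs (MS-SSTP)
SSTP_MSG_CALL_CONNECT_REQUEST = 0x0001
SSTP_MSG_CALL_CONNECT_ACK = 0x0002
SSTP_ATTRIB_ENCAPSULATED_PROTOCOL_ID = 0x01
SSTP_ATTRIB_CRYPTO_BINDING_REQ = 0x04
SSTP_ENCAPSULATED_PROTOCOL_PPP = 0x0001
CERT_HASH_PROTOCOL_SHA1 = 0x01
CERT_HASH_PROTOCOL_SHA256 = 0x02

SSTP_URI = "/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/"


def http_handshake_request(host, correlation_id):
    """HTTP request that opens the SSTP channel inside the TLS session; the huge
    Content-Length keeps the request body open for the lifetime of the tunnel."""
    return ("SSTP_DUPLEX_POST %s HTTP/1.1\r\n"
            "Host: %s\r\n"
            "Content-Length: 18446744073709551615\r\n"
            "SSTPCORRELATIONID: {%s}\r\n"
            "\r\n" % (SSTP_URI, host, correlation_id)).encode("ascii")


def _header(flags, body_len):
    length = 4 + body_len  # LengthPacket counts the header itself
    if length > SSTP_MAX_PACKET:
        raise ValueError("SSTP packet too large: %d" % length)
    return struct.pack("!BBH", SSTP_VERSION, flags, length)


def build_attribute(attr_id, value):
    # Reserved(1) | AttributeID(1) | LengthPacket(2, includes this 4-byte header)
    return struct.pack("!BBH", 0, attr_id, 4 + len(value)) + value


def build_control_packet(msg_type, attributes):
    body = struct.pack("!HH", msg_type, len(attributes))
    body += b"".join(build_attribute(i, v) for i, v in attributes)
    return _header(SSTP_FLAG_CONTROL, len(body)) + body


def build_data_packet(ppp_frame):
    """Data packet: a PPP frame as pppd emits it in synchronous HDLC mode
    (no flag bytes, no byte stuffing), right after the SSTP header."""
    return _header(0, len(ppp_frame)) + ppp_frame


def build_call_connect_request():
    """Client -> server: first control message, requests PPP encapsulation."""
    proto = struct.pack("!H", SSTP_ENCAPSULATED_PROTOCOL_PPP)
    return build_control_packet(SSTP_MSG_CALL_CONNECT_REQUEST,
                                [(SSTP_ATTRIB_ENCAPSULATED_PROTOCOL_ID, proto)])


def build_call_connect_ack(nonce, hash_bitmask):
    """Server -> client: Crypto Binding Request attribute,
    Reserved(3) | HashProtocolBitmask(1) | Nonce(32)."""
    if len(nonce) != 32:
        raise ValueError("nonce must be 32 bytes")
    value = b"\x00\x00\x00" + bytes([hash_bitmask]) + nonce
    return build_control_packet(SSTP_MSG_CALL_CONNECT_ACK,
                                [(SSTP_ATTRIB_CRYPTO_BINDING_REQ, value)])


def parse_packet(data):
    """Parse one SSTP packet, checking every length field before trusting it."""
    if len(data) < 4:
        raise ValueError("short header")
    version, flags, length = struct.unpack("!BBH", data[:4])
    if version != SSTP_VERSION:
        raise ValueError("unsupported SSTP version 0x%02x" % version)
    length &= SSTP_MAX_PACKET
    if length < 4 or length > len(data):
        raise ValueError("bad packet length %d" % length)
    if not flags & SSTP_FLAG_CONTROL:
        return {"control": False, "ppp": data[4:length]}
    if length < 8:
        raise ValueError("short control header")
    msg_type, num_attrs = struct.unpack("!HH", data[4:8])
    attrs, off = [], 8
    for _ in range(num_attrs):
        if off + 4 > length:
            raise ValueError("truncated attribute header")
        _, attr_id, attr_len = struct.unpack("!BBH", data[off:off + 4])
        if attr_len < 4 or off + attr_len > length:  # attr_len < 4 would never advance
            raise ValueError("bad attribute length %d" % attr_len)
        attrs.append((attr_id, data[off + 4:off + attr_len]))
        off += attr_len
    if off != length:
        raise ValueError("trailing bytes in control packet")
    return {"control": True, "type": msg_type, "attributes": attrs}


def choose_hash_protocol(ack):
    """Client side: select the Crypto Binding hash, preferring SHA-256."""
    if not ack["control"] or ack["type"] != SSTP_MSG_CALL_CONNECT_ACK:
        raise ValueError("not a Call Connect Ack")
    reqs = [v for i, v in ack["attributes"] if i == SSTP_ATTRIB_CRYPTO_BINDING_REQ]
    if len(reqs) != 1 or len(reqs[0]) != 36:
        raise ValueError("missing or malformed Crypto Binding Request")
    bitmask, nonce = reqs[0][3], reqs[0][4:]
    if bitmask & CERT_HASH_PROTOCOL_SHA256:
        return CERT_HASH_PROTOCOL_SHA256, nonce
    if bitmask & CERT_HASH_PROTOCOL_SHA1:
        return CERT_HASH_PROTOCOL_SHA1, nonce
    raise ValueError("server offers no supported hash protocol")


if __name__ == "__main__":
    print(http_handshake_request("tweety.looney", "constructed-id").decode())
    print(build_call_connect_request().hex())
    nonce = bytes(range(32))  # constructed nonce; a real server sends random bytes
    ack = build_call_connect_ack(nonce, CERT_HASH_PROTOCOL_SHA1 | CERT_HASH_PROTOCOL_SHA256)
    print(choose_hash_protocol(parse_packet(ack)))
```

Feeding the packet bytes to the provided Wireshark dissector is a quick way to
cross-check the layout; the Crypto Binding attribute the client sends back
(certificate hash plus compound MAC over the PPP keys) is deliberately not
computed here, since it needs the MPPE key material from the PPP
authentication.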
Comments/Bugs:
--------------
Please send comments and bug reports, together with a backtrace (run sstoper
with the -vvv option) and/or an strace output of the failure.

Changelogs:
-----------
03/2011 : 0.2 version, adding capabilities, IPv6 support and many fixes.
11/2010 : 0.1 version, adding better network handling.
10/2010 : first public release.

Thanks for using SSToPer !