Defcon1-Header
Tool-BarfreeBSD ArticlesSearch Our SiteHOMEfreeBSD LinksContribute to FreeBSD HelpFreeBSD FilesFreeBSD Script Corner

Zebedee - Encrypted tunneling made simple

Pete Fritchman

There are many protocols that were not designed with security in mind, thus they communicate potentially private data in clear text. This is a very Bad Thing(tm) - this data can be sniffed. Using a tunnel, you can encrypt the data sent to a remote server that would normally be in plain text.

The FreeBSD Ports Collection (see http://www.FreeBSD.org/ports/) includes

zebedee in /usr/ports/security/zebedee. To install, simply type:

# cd /usr/ports/security/zebedee

# make install

(Note - at the time of writing this article an older version of zebedee is in ports -- make sure you have at least version 2.2.0. If you do not, apply the patch located at http://hex.databits.net/~petef/diffs/zebedee.diff).

From now on, all the commands you type should be as a regular user for two reasons: (1) zebedee does not need to use any priveleged (<1024) ports, and
(2) if there ever is some sort of security problem in zebedee, you'd rather not have your root account compromised - this is the reason why most daemons (named, httpd, etc) do not run as root.

Zebedee implements a fairly simple idea of a tunnel (you may be familiar with the `datapipe' program - same idea). Except that instead of a tunnel that just forwards data, the client-side zebedee process encrypts and compresses the data, and the server-side zebedee process decrypts and compresses the data.

Now for some sample server-side and client-side configuration files. I usually put these configuration files in ~/etc. You'll obviously have to change 'MY.SERVER' to the hostname or IP address of your server :)

--- start client-side config file named client.zdb --

# zebedee sample configuration (client)
# Pete Fritchman <petef@databits.net
#
# we are a client, not a server.
server false

# only allow connections from the local machine to access the
# forwarded port
localsource true

# handle multiple connection requests & establish a new tunnel
# for each one. 
multiuse true

# set the hostname of the server
serverhost MY.SERVER

# tunnel telnet to localhost port 5523
tunnel 5523:MY.SERVER:23

# tunnel web to localhost port 5580
tunnel 5580:MY.SERVER:80

# tunnel pop3 to localhost port 55110
tunnel 55110:MY.SERVER:110

# highest compression
compression zlib:9

# highest encryption strength
keygenlevel 2

# send the zebedee process into the background
detached true

# specify the server port
serverport 5555

--- end config file --

--- start server-side config file named server.zdb --

# zebedee sample configuration (server)
# Pete Fritchman <petef@databits.net
#
# we are the server
server true

# we'll only tunnel these specific ports
redirect 23 # telnet
redirect 80 # web
redirect 110 # pop3

# highest compression
compression zlib:9

# highest encryption strength
keygenlevel 2

# send the zebedee process into the background
detached true

# specify the server port; make sure this isn't in use.
serverport 5555

--- end config file --

Now to actually create the tunnels, you'll need to run zebedee with the "-f" option, pointing to your config file (obviously, the server-side config file when you run zebedee on the server, and the client-side config file when you run zebedee on the client). You need to start the server zebedee process first, otherwise the client will not be able to connect.

user@myserver% zebedee -f ~/etc/server.zdb
user@myserver%

You can check to make sure the zebedee process started ok:
user@myserver% ps x | grep zebedee
37601 ?? Is   0:00.00 zebedee -f etc/server.zbd
user@myserver%

Now, start the client:
user@client% zebedee -f ~/etc/client.zdb
zebedee(792/0): Listening on local port 5523
zebedee(792/0): Listening on local port 5580
zebedee(792/0): Listening on local port 55110
user@client%

Once the zebedee server and client processes are running, you can start making connections:

To establish a POP3 connection, you would set your mail server to "localhost", and set the port to 55110 (in this example).

To establish a telnet connection:

 

user@client% telnet localhost 5523
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

FreeBSD/i386 (hex.databits.net) (ttyp3)

login:

(note that hex.databits.net is the remote host running zebedee, it is *not* localhost - you are telnetting to zedebee essentially, which is creating an encrypted and compressed pipe to the remote server).

And because we've specified `multiuse true', you can open as many connections to localhost:5523 as you want (notice that a seperate zebedee process is spawned on the server and client to handle each tunnel).

There's really no need to use ssh, since zebedee handles the encryption and compression aspect for you.

There are plenty of other options with zebedee, this document is merely a quick start guide. You should read the man page for zebedee, and visit the official website, http://www.winton.org.uk/zebedee/ .


  Pete Fritchman

© 1997 - 20013 Defcon1, www.defcon1.org , Copyrights for all materials on this web site are held by the individual authors, artists, photographers or creators. Materials may not be reproduced or otherwise distributed without permission of www.defcon1.org and the content's original author.

Defcon1-Header2
Tool-Bar-2Defcon1  Webmail