Pentest Tools

Published on January 16th, 2018 📆 | 4351 Views ⚑

0

shootback: a reverse TCP tunnel let you access target behind NAT or firewall

https://www.ispeech.org/text.to.speech
shootback is a reverse TCP tunnel let you access target behind NAT or firewall

Typical Scene

1. Access company/school computer(no internet IP) from home
2. Make private network/site public.
3. Help private network penetration.
4. Help CTF offline competitions.
5. Connect to device with dynamic IP, such as ADSL

Getting started

1. requirement:
   • Master: Python3.4+, OS independent
   • Slaver: Python2.7/3.4+, OS independent
   • no external dependencies, only python std lib
2. download git clone https://github.com/aploium/shootback
3. (optional) if you need a single-file slaver.py, run python3 build_singlefile_slaver.py
4. run these command

   # master listen :10000 for slaver, :10080 for you
   python3 master.py -m 0.0.0.0:10000 -c 127.0.0.1:10080
   
   # slaver connect to master, and use example.com as tunnel target
   # ps: you can use python2 in slaver, not only py3
   python3 slaver.py -m 127.0.0.1:10000 -t example.com:80
   
   # doing request to master
   curl -v -H "host: example.com" 127.0.0.1:10080
   # -- some HTML content from example.com --
   # -- some HTML content from example.com --
   # -- some HTML content from example.com --
5. a more reality example:
   assume your master is 22.33.44.55 (just like the graph above)

   # slaver_local_ssh <---> slaver <--> master(22.33.44.55) <--> You
   
   # ---- master ----
   python3 master.py -m 0.0.0.0:10000 -c 0.0.0.0:10022
   
   # ---- slaver ----
   python(or python3) slaver.py -m 22.33.44.55:10000 -t 127.0.0.1:22
   
   # ---- YOU ----
   ssh 22.33.44.55 -p 10022

   [adsense size='1' ]

6. for more help, please see python3 master.py –help and python3 slaver.py –help
   

   Tips

   1. run in daemon:
      nohup python(or python3) slaver.py -m host:port -t host:port -q &
      or
      
      
      
      
      

      # screen is a linux command
      screen
      python(or python3) slaver.py -m host:port -t host:port
      # press  ctrl-a d  to detach screen
      # and if necessary, use "screen -r" to reattach
   2. ANY service using TCP is shootback-able. HTTP/FTP/Proxy/SSH/VNC/…
   3. shootback itself just do the transmission job, do not handle encrypt or proxy.
      however you can use a 3rd party proxy (eg: shadowsocks) as slaver target.
      for example:
      shadowsocks_server<–>shootback_slaver<–>shootback_master<–>shadowsocks_client(socks5)

    

Warning

1. in windows, due to the limit of CPython select.select(), shootback can NOT handle more than 512 concurrency, you may meet
   ValueError: too many file descriptors in select()
   
   1. If you have to handle such high concurrency in windows, Anaconda-Python3 is recommend, it’s limit in windows is 2048

Source: https://github.com/aploium/shootback