gTunnel : A Robust Tunelling Solution Written In Golang

gTunnel is a TCP tunneling suite built with golang and gRPC. gTunnel can manage multiple forward and reverse tunnels that are all carried over a single TCP/HTTP2 connection.

I wanted to learn a new language, so I picked go and gRPC. Client executable have been tested on windows and linux.

Dependencies

gTunnel has been tested with Docker version 19.03.6, but any version of docker should do.

How to use?

The start_server.sh script will build a docker image and start it with no exposed ports. If you plan on using forward tunnels, make sure to map those ports or to change the docker network.

./start_server.sh

This will eventually provide you with the following prompt:

The first thing to do is generate a client to run on the remote system. For a windows client named “win-client”

>>> configclient win 172.17.0.1 443 win-client

For a linux client named lclient

>>> configclient linux 172.17.0.1 443 lclient

This will output a configured executable in the “configured” directory, relative to ./start_server.sh Once you run the executable on the remote system, you will be notified of the client connecting.

>>> configclient linux 127.0.0.1 443 test
>>> 2020/03/20 22:01:47 Endpoint connected: id: test
>>>

To use the newly connected client, type use and the name of the client. Tab completion is supported.

>>> use test
(test) >>>

The prompt will change to indicate with which endpoint you’re currently working. From here, you can add or remove tunnels. The format is

addtunnel (local | remote) listenPort destinationIP destinationPort

For example, to open a local tunnel on port 4444 to the ip 10.10.1.5 in the remote network on port 445 and name it “smbtun”, the command would be as follows:

addtunnel local 4444 10.10.1.5 445 smbtun

Similarly, to open a port on the remote system on port 666 and forward all traffic to 192.168.1.10 on port 443 in the local network, the command would be as follows:

addtunnel remote 666 192.168.1.10 443

Note that the name is optional, and if not provide, will be given random characters as a name. To list out all active tunnels, use the “listtunnels” command.

(test) >>> listtunnels
Tunnel ID: smbtun
Tunnel ID: dVck5Zba

To delete a tunnel, use the “deltunnel” command:

(test) >>> deltunnel smbtun
Deleting tunnel : smbtun

To start a socks proxy server on target, use the socks command. The following command will start a socks server on port 1080 on the host running gClient. Usually, you will need to create a tunnel from the gTunnel prompt to use the socks server.

socks 1080
addtunnel local 1080 127.0.0.1 1080

To go back and work with another remote system, use the back command:

(test) >>> back
>>>

Notice how the prompt has changed to indicate it is no longer working with a particular client. To disconnect a client from the server, you can either issue the “disconnect” command while using the client, or provide the endpoint id in the main menu.

(test) >>> disconnect
2020/03/20 22:14:52 Disconnecting test
(test) >>> 2020/03/20 22:14:52 Endpoint disconnected: test
>>>

Or

>>> disconnect test
2020/03/20 22:16:00 Disconnecting test
>>> 2020/03/20 22:16:00 Endpoint disconnected: test
>>>

To exit out of the server, run the exit command:

>>> exit

Note that this will remove the docker container, but any tls generated certificates and configured executable will be in the tls/ and configured/ directories.

To Do

  • Reverse tunnel support
  • Multiple tunnel support
  • Better print out support for tunnels. It should s
  • how how many connections are established and ports, etc.
  • Add REST API and implement web UI
  • Dynamic socks proxy support.
  • Authentication between client and server
  • Server configuration file on input with pre-configured tunnels

Known Issues

  • Internet Explorer is causing the client to lock up on reverse tunnels
  • The startup server script should reuse the built image, not create a new one every time.

R K

Recent Posts

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

1 week ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

2 weeks ago

Red Team Certification – A Comprehensive Guide To Advancing In Cybersecurity Operations

Embark on the journey of becoming a certified Red Team professional with our definitive guide.…

3 weeks ago

CVE-2024-5836 / CVE-2024-6778 : Chromium Sandbox Escape via Extension Exploits

This repository contains proof of concept exploits for CVE-2024-5836 and CVE-2024-6778, which are vulnerabilities within…

3 weeks ago

Rust BOFs – Unlocking New Potentials In Cobalt Strike

This took me like 4 days (+2 days for an update), but I got it…

3 weeks ago

MaLDAPtive – Pioneering LDAP SearchFilter Parsing And Security Framework

MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection. Its foundation is…

3 weeks ago