{"id":13641985,"url":"https://github.com/SECFORCE/Tunna","last_synced_at":"2025-04-20T12:31:13.178Z","repository":{"id":23711625,"uuid":"27084166","full_name":"SECFORCE/Tunna","owner":"SECFORCE","description":"Tunna is a set of tools which will wrap and tunnel any TCP communication over HTTP. It can be used to bypass network restrictions in fully firewalled environments. ","archived":false,"fork":false,"pushed_at":"2022-09-04T14:21:37.000Z","size":9155,"stargazers_count":1251,"open_issues_count":15,"forks_count":282,"subscribers_count":61,"default_branch":"master","last_synced_at":"2025-04-08T14:08:23.071Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SECFORCE.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-11-24T16:31:41.000Z","updated_at":"2025-04-08T11:16:08.000Z","dependencies_parsed_at":"2022-07-08T00:20:25.012Z","dependency_job_id":null,"html_url":"https://github.com/SECFORCE/Tunna","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SECFORCE%2FTunna","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SECFORCE%2FTunna/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SECFORCE%2FTunna/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SECFORCE%2FTunna/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SECFORCE","download_url":"https://codeload.github.com/SECFORCE/Tunna/tar.gz/refs/heads/master","host":
{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249893382,"owners_count":21341440,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T01:01:26.238Z","updated_at":"2025-04-20T12:31:08.155Z","avatar_url":"https://github.com/SECFORCE.png","language":"Python","readme":"Tunna\n=====\n\nTunna is a set of tools which will wrap and tunnel any TCP communication over HTTP. It can be used to bypass network restrictions in fully firewalled environments. \n\nv1.1\tAlpha version\n\n\t\t\t\t\t  _____                        \n\t\t\t\t\t |_   _|   _ _ __  _ __   __ _ \n\t\t\t\t\t   | || | | | '_ \\| '_ \\ / _` |\n\t\t\t\t\t   | || |_| | | | | | | | (_| |\n\t\t\t\t\t   |_| \\__,_|_| |_|_| |_|\\__,_|\t\n                                                     \n \n                     Tunna 0.1, for HTTP tunneling TCP connections by Nikos Vassakis\n                     http://www.secforce.co.uk\t/ nikos.vassakis \u003cat\u003e secforce.com\n\n\n################################################################################################################\n\nSUMMARY\n=======\n\n\tTLDR: Tunnels TCP connections over HTTP\n\nIn a fully firewalled (inbound and outbound connections restricted - except the webserver port)\n\nThe webshell can be used to connect to any service on the remote host. 
\nThis would be a local connection on a local port at the remote host and *should* be allowed by the firewall.\n\nThe webshell will read data from the service port, wrap it in HTTP and send it as an HTTP response to the\nlocal proxy.\n\nThe local proxy will unwrap and write the data to its local port where the client program would be connected.\n\nWhen the local proxy receives data on the local port, it will send it over to the webshell as an HTTP Post.\n\nThe webshell will read the data from the HTTP Post and put it on the service port\n\nand repeat --^\n\nOnly the webserver port needs to be open (typically 80/443)\nThe whole communication (Externally) is done over the HTTP protocol\n\n\nUSAGE\n======\n  `python proxy.py -u \u003cremoteurl\u003e -l \u003clocalport\u003e [options]`\n\nOptions\n=======\n`--help, -h`              \tshow this help message and exit\n\n`--url=URL, -u URL`       \turl of the remote webshell\n\n`--lport=LOCAL_PORT, -l` \tLOCAL_PORT\n                        \tlocal listening port\n\n`--verbose, -v`           \tVerbose (outputs packet size)\n\n`--buffer=BUFFERSIZE, -b BUFFERSIZE*`\n                        \tHTTP request size (some webshells have limitations on\n                        \tthe size)\n\nNo SOCKS Options\n----------------\nOptions are ignored if SOCKS proxy is used\n\n`--no-socks, -n`         \t\tDo not use Socks Proxy\n\n`--rport=REMOTE_PORT, -r`\tREMOTE_PORT\n                        \tremote port of service for the webshell to connect to\n\n`--addr=REMOTE_IP, -a REMOTE_IP`\n\t                        address for remote webshell to connect to (default =\n        \t                127.0.0.1)\n\nUpstream Proxy Options\n----------------------\nTunnel connection through a local Proxy\n\n`--up-proxy=UPPROXY, -x` \tUPPROXY\n                        \tUpstream proxy (http://proxyserver.com:3128)\n\n`--auth, -A`              \tUpstream proxy requires authentication\n\nAdvanced 
Options\n----------------\n`--ping-interval=PING_DELAY, -q` \tPING_DELAY\n                        \twebshprx pinging thread interval (default = 0.5)\n\n`--start-ping, -s`        \tStart the pinging thread first - some services send\n                        \tdata first (eg. SSH)\n\n`--cookie, -C`        \tRequest cookies\n\n`--authentication, -t`    Basic authentication\n\n\n* See limitations\n\nexample usage:\n\t`python proxy.py -u http://10.3.3.1/conn.aspx -l 8000 -v`\n\n\t# This will start a Local SOCKS Proxy Server at port 8000\n\t# This connection will be wrapped over HTTP and unwrapped at the remote server\n\n\tpython proxy.py -u http://10.3.3.1/conn.aspx -l 8000 -x https://192.168.1.100:3128 -A -v\n\n\t# This will start a Local SOCKS Proxy Server at port 8000\n\t# It will connect through a Local Proxy (https://192.168.1.100:3128) that requires authentication\n\t# to the remote Tunna webshell\n\n\tpython proxy.py -u http://10.3.3.1/conn.aspx -l 4444 -r 3389 -b 8192 -v --no-socks\n\n\t# This will initiate a connection between the webshell and Remote host RDP (3389) service\n\t# The RDP client can connect on localhost port 4444\n\t# This connection will be wrapped over HTTP\n\n\n\n\nPrerequisites\n=============\n\n\tThe ability to upload a webshell on the remote server\n\n\nLIMITATIONS / KNOWN BUGS / HACKS\n================================\n\t\n\tThis is a POC code and might cause DoS of the server.\n\t\tAll efforts to clean up after execution or on error have been made (no promises)\n\n\tBased on local tests: \t\t\n\t\t* JSP buffer needs to be limited (buffer option):\n\t\t\t\t4096 worked in Linux Apache Tomcat\n\t\t\t\t1024 worked in XAMPP Apache Tomcat (slow)\n\t\t\t\t* More than that created problems with bytes missing at the remote socket\n\t\t\t\teg: ruby proxy.rb -u http://10.3.3.1/conn.jsp -l 4444 -r 3389 -b 1024 -v\n\n\t\t* Sockets not enabled by default:\n\t\t\tphp windows (IIS + PHP)\n\t\t\tXAMPP Windows\n\t\t\tphp linux (PHP builtin web server/apache 
+ PHP)\n\t\tIf you have the error Uncaught Error: Call to undefined function socket_create()\n\t\tsee https://stackoverflow.com/questions/6137823/fatal-error-call-to-undefined-function-socket-create\n\t\t\n\t\t\n\t\t* Carriage returns on webshells (outside the code): \n\t\t\tget sent on responses / get written on local socket --\u003e corrupt the packets\n\n\t\t* PHP webshell for windows: the loop function DoS'es the remote socket: \n\t\t\tsleep function added -\u003e works but a bit slow \n\t\t* PHP webshell needs new line characters removed at the end of the file (after \"?\u003e\")\n\t\t\tas these will get sent in every response and confuse Tunna \n\t\t\n\t\nFILES\n=====\n\n\tWebshells:\n\t\tconn.jsp\tTested on Apache Tomcat (windows + linux)\n\t\tconn.aspx\tTested on IIS 6+8 (windows server 2003/2012) \n\t\tconn.php\tTested on LAMP + XAMPP + IIS (windows + linux)\n\n\tWebServer:\n\t\twebserver.py\tTested with Python 2.6.5\n\n\tProxies:\n\t\tproxy.py\tTested with Python 2.6.5\n\t\n\nTechnical Details\n=================\n\n Architecture decisions\n -----------------------\n\tData is sent raw in the HTTP Post Body (no post variable)\n\n\tInstructions / configuration is sent to the webshell as URL parameters (HTTP Get)\n\tData is sent in the HTTP body (HTTP Post)\n\n\tWebsockets not used: Not supported by default by most webservers\n\tAsynchronous HTTP responses not really possible\n\t\tProxy queries the server constantly (default 0.5 seconds)\n\n\n INITIATION PHASE\n ----------------\n\t\n1st packet initiates a session with the webshell - gets a cookie back\n\teg: http://webserver/conn.ext?proxy \t\n\n2nd packet sends connection configuration options to the webshell\n\teg: http://webserver/conn.ext?proxy\u0026port=4444\u0026ip=127.0.0.1\n\t\n\tIP and port for the webshell to connect to\n\tThis is a threaded request:\n\t\tIn php this request will go into an infinite loop \n\t\tto keep the webshell socket connection alive\n\t\tIn other webshells [OK] is received 
back\n\n TUNNA CLIENT\n ------------\nA local socket is created for the client program to connect to\nOnce the client is connected the pinging thread is initiated and execution starts.\nAny data on the socket (from the client) gets read and sent as an HTTP Post request\nAny data on the webshell socket gets sent as a response to the POST request\n\n PINGING THREAD\n --------------\nBecause HTTP responses cannot be asynchronous, \nthis thread will do HTTP Get requests on the webshell based on an interval (default 0.5 sec)\nIf the webshell has data to send, it will (also) send it as a reply to this request\nOtherwise it sends an empty response\n\nIn general:\n\tData from the local proxy gets sent with HTTP Post\n\tThere are Get requests every 0.5 sec to query the webshell for data\n\tIf there is data on the webshell side, it gets sent over as a response to one of these requests\t\n\n WEBSHELL\n --------\nThe webshell connects to a socket on the local or a remote host. \nAny data written on the socket gets sent back to the proxy as a reply to a request (POST/GET)\nAny data received with a post gets written to the socket.\n\n NOTES\n -----\nAll requests need to have the URL parameter \"proxy\" set to be handled by the webshell\n\t(http://webserver/conn.ext?proxy)\n \n AT EXIT / AT ERROR\n ------------------\nKills all threads and closes local socket\nSends proxy\u0026close to webshell:\n\tKills remote threads and closes socket\t\n\n SOCKS\n -----\nThe SOCKS support is an addon module for Tunna. Locally, a separate thread handles the connection \nrequests and traffic, adds a header that specifies the port and the size of the packet and forwards it to \nTunna. Tunna sends it over to the remote webserver, removes the HTTP headers and forwards the packet to\nthe remote SOCKS proxy. The remote SOCKS proxy initiates the connection and maps the received port to\nthe local port. 
If the remote SOCKS proxy receives data from the service, it looks at the mapping table\nand finds the port it needs to respond to, adds the port as a header so the local SOCKS proxy will know where\nto forward the data. Any traffic from the received port will be forwarded to the local port and vice versa.\n \n\nCOPYRIGHT \u0026 DISCLAIMER\n======================\n\nTunna, TCP Tunneling Over HTTP\nNikos Vassakis\nCopyright (C) 2014 SECFORCE.\n\nThis tool is for legal purposes only.\n\nThis program is free software: you can redistribute it and/or modify it \nunder the terms of the GNU General Public License as published by the \nFree Software Foundation, either version 3 of the License, or (at your \noption) any later version.\n\nThis program is distributed in the hope that it will be useful, but\nWITHOUT ANY WARRANTY; without even the implied warranty of \nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General \nPublic License for more details.\n\nYou should have received a copy of the GNU General Public License along \nwith this program. If not, see \u003chttp://www.gnu.org/licenses/\u003e.\n","funding_links":[],"categories":["Python (1887)","Python","其他_安全与渗透","Exfiltration"],"sub_categories":["网络服务_其他","Purple Team"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSECFORCE%2FTunna","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FSECFORCE%2FTunna","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSECFORCE%2FTunna/lists"}