{"id":13508787,"url":"https://github.com/securesocketfunneling/ssf","last_synced_at":"2025-05-16T04:05:16.490Z","repository":{"id":39619891,"uuid":"36677045","full_name":"securesocketfunneling/ssf","owner":"securesocketfunneling","description":"Secure Socket Funneling - Network tool and toolkit - TCP and UDP port forwarding, SOCKS proxy, remote shell, standalone and cross platform","archived":false,"fork":false,"pushed_at":"2021-05-24T17:29:16.000Z","size":1869,"stargazers_count":1622,"open_issues_count":71,"forks_count":237,"subscribers_count":69,"default_branch":"develop","last_synced_at":"2025-04-08T14:09:51.569Z","etag":null,"topics":["cpp","cpp11","network","port-forwarding","socks","socks-proxy","socks-server"],"latest_commit_sha":null,"homepage":"https://securesocketfunneling.github.io/ssf/","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/securesocketfunneling.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-06-01T17:34:23.000Z","updated_at":"2025-04-01T12:42:26.000Z","dependencies_parsed_at":"2022-07-18T10:39:10.230Z","dependency_job_id":null,"html_url":"https://github.com/securesocketfunneling/ssf","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/securesocketfunneling%2Fssf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/securesocketfunneling%2Fssf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/securesocketfunneling%2Fssf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/rep
ositories/securesocketfunneling%2Fssf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/securesocketfunneling","download_url":"https://codeload.github.com/securesocketfunneling/ssf/tar.gz/refs/heads/develop","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254464895,"owners_count":22075570,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cpp","cpp11","network","port-forwarding","socks","socks-proxy","socks-server"],"created_at":"2024-08-01T02:00:58.444Z","updated_at":"2025-05-16T04:05:11.480Z","avatar_url":"https://github.com/securesocketfunneling.png","language":"C++","readme":"# Secure Socket Funneling\n\nSecure Socket Funneling (SSF) is a network tool and toolkit.\n\nIt provides simple and efficient ways to forward data from multiple sockets (TCP or UDP) through a single secure TLS tunnel to a remote computer.\n\nSSF is cross platform (Windows, Linux, OSX) and comes as standalone executables.\n\nFeatures:\n* Local and remote TCP port forwarding\n* Local and remote UDP port forwarding\n* Local and remote SOCKS server\n* Local and remote shell through sockets\n* File copy\n* Native relay protocol\n* TLS connection with the strongest cipher-suites\n\n[Download prebuilt binaries](https://securesocketfunneling.github.io/ssf/#download)\n\n[Documentation](https://securesocketfunneling.github.io/ssf/)\n\n[Build on Windows](BUILD_WIN32.md)\n\n[Build on Unix/Linux](BUILD_UNIX.md)\n\n[Cross compiling SSF (e.g. 
Raspberry Pi)](BUILD_CROSS.md)\n\n## How to use\n\n### Command line\n\n#### Client\n\nUsage: `ssf[.exe] [options] server_address`\n\nOptions:\n\n* `-v verbose_level`:\nVerbosity: critical|error|warning|info|debug|trace (default: info)\n\n* `-q`:\nQuiet mode. Do not print logs\n\n* `-p port`:\nRemote port (default: 8011)\n\n* `-c config_file_path`:\nSpecify configuration file. If not set, 'config.json' is loaded from the\ncurrent working directory\n\n* `-m attempts`:\nMax unsuccessful connection attempts before stopping (default: 1)\n\n* `-t delay`:\nTime to wait before attempting to reconnect in seconds (default: 60)\n\n* `-n`:\nDo not try to reconnect client if connection is interrupted\n\n* `-g`:\nAllow gateway ports. Allow client to bind local sockets for a service to a\nspecific address rather than \"localhost\"\n\n* `-S`:\nDisplay microservices status (on/off)\n\nServices options:\n\n* `-D [[bind_address]:]port`:\nRun a SOCKS proxy on the server accessible on `[[bind_address]:]port` on the\nlocal side\n\n* `-F [[bind_address]:]port`:\nRun a SOCKS proxy on the local host accessible from the server on\n`[[bind_address]:]port`\n\n* `-X [[bind_address]:]port`:\nForward server shell I/O to the specified port on the local side. 
Each\nconnection creates a new shell process\n\n* `-Y [[bind_address]:]port`:\nForward local shell I/O to the specified port on the server\n\n* `-L [[bind_address]:]port:host:hostport`:\nForward TCP connections to `[[bind_address]:]port` on the local host to\n`host:hostport` on the server\n\n* `-R [[bind_address]:]port:host:hostport`:\nForward TCP connections to `[[bind_address]:]port` on the server to\n`host:hostport` on the local side\n\n* `-U [[bind_address]:]port:host:hostport`:\nForward local UDP traffic on `[[bind_address]:]port` to `host:hostport` on the server\n\n* `-V [[bind_address]:]port:host:hostport`:\nForward UDP traffic on `[[bind_address]:]port` on the server to `host:hostport`\non the local side\n\n#### Server\n\nUsage: `ssfd[.exe] [options]`\n\nOptions:\n\n* `-v verbose_level`:\nVerbosity: critical|error|warning|info|debug|trace (default: info)\n\n* `-q`:\nQuiet mode. Do not print logs\n\n* `-c config_file_path`:\nSpecify configuration file. If not set, 'config.json' is loaded from the current\nworking directory\n\n* `-p port`:\nLocal port (default: 8011)\n\n* `-R`:\nThe server will only relay connections\n\n* `-l host`:\nSet server bind address\n\n* `-g`:\nAllow gateway ports. Allow client to bind local sockets for a service to a\nspecific address rather than \"localhost\"\n\n* `-S`:\nDisplay microservices status (on/off)\n\n#### Copy\n\nThe copy feature must be enabled on both client and server configuration file:\n\n```json\n{\n  \"ssf\": {\n    \"services\": {\n      \"copy\": { \"enable\": true }\n    }\n  }\n}\n```\n\nUsage: `ssfcp[.exe] [options] [host@]/absolute/path/file [[host@]/absolute/path/file]`\n\nOptions:\n\n* `-v verbose_level`:\nVerbosity: critical|error|warning|info|debug|trace (default: info)\n\n* `-q`:\nQuiet mode. Do not print logs\n\n* `-c config_file_path`:\nSpecify configuration file. 
If not set, 'config.json' is loaded from the\ncurrent working directory\n\n* `-p port`:\nRemote port (default: 8011)\n\n* `-t`:\nUse stdin as input\n\n* `--resume`:\nAttempt to resume file transfer if the destination file exists\n\n* `--check-integrity`:\nCheck file integrity at the end of the transfer\n\n* `-r`:\nCopy files recursively\n\n* `--max-transfers arg`:\nMax transfers in parallel (default: 1)\n\n### Examples\n\n#### Client\n\nThe client will run a SOCKS proxy on port 9000 and transfer connection requests\nto the server **192.168.0.1:8000**\n\n```plaintext\nssf -D 9000 -c config.json -p 8000 192.168.0.1\n```\n\n#### Server\n\nThe server will be bound to port **8011** on all the network interfaces\n\n```plaintext\nssfd\n```\n\nThe server will be bound to **192.168.0.1:9000**\n\n```plaintext\nssfd -p 9000 -l 192.168.0.1\n```\n\n#### Copy local file to remote filesystem\n\n```plaintext\nssfcp [-c config_file] [-p port] path/to/file host@absolute/path/directory_destination\n```\n\n```plaintext\nssfcp [-c config_file] [-p port] path/to/file* host@absolute/path/directory_destination\n```\n\n```plaintext\nssfcp [-c config_file] [-p port] -r path/to/dir host@absolute/path/directory_destination\n```\n\n#### Pipe file from standard input to remote filesystem\n\n```plaintext\ndata_in_stdin | ssfcp [-c config_file] [-p port] -t host@path/to/destination/file_destination\n```\n\n#### Copy remote files to local filesystem :\n\n```plaintext\nssfcp [-c config_file] [-p port] remote_host@path/to/file absolute/path/directory_destination\n```\n\n```plaintext\nssfcp [-c config_file] [-p port] remote_host@path/to/file* absolute/path/directory_destination\n```\n\n```plaintext\nssfcp [-c config_file] [-p port] -r remote_host@path/to/dir absolute/path/directory_destination\n```\n\n### Configuration file\n\n```json\n{\n  \"ssf\": {\n    \"arguments\": \"\",\n    \"circuit\": [],\n    \"http_proxy\": {\n      \"host\": \"\",\n      \"port\": \"\",\n      \"user_agent\": \"\",\n     
 \"credentials\": {\n        \"username\": \"\",\n        \"password\": \"\",\n        \"domain\": \"\",\n        \"reuse_ntlm\": true,\n        \"reuse_nego\": true\n      }\n    },\n    \"socks_proxy\": {\n      \"version\": 5,\n      \"host\": \"\",\n      \"port\": \"1080\"\n    },\n    \"tls\" : {\n      \"ca_cert_path\": \"./certs/trusted/ca.crt\",\n      \"cert_path\": \"./certs/certificate.crt\",\n      \"key_path\": \"./certs/private.key\",\n      \"key_password\": \"\",\n      \"dh_path\": \"./certs/dh4096.pem\",\n      \"cipher_alg\": \"DHE-RSA-AES256-GCM-SHA384\"\n    },\n    \"services\": {\n      \"datagram_forwarder\": { \"enable\": true },\n      \"datagram_listener\": {\n        \"enable\": true,\n        \"gateway_ports\": false\n      },\n      \"stream_forwarder\": { \"enable\": true },\n      \"stream_listener\": {\n        \"enable\": true,\n        \"gateway_ports\": false\n      },\n      \"copy\": { \"enable\": false },\n      \"shell\": {\n        \"enable\": false,\n        \"path\": \"/bin/bash|C:\\\\windows\\\\system32\\\\cmd.exe\",\n        \"args\": \"\"\n      },\n      \"socks\": { \"enable\": true }\n    }\n  }\n}\n```\n\n#### Arguments\n\n| Configuration key | Description                                                              |\n|:------------------|:-------------------------------------------------------------------------|\n| arguments         | use configuration arguments instead of given CLI arguments (except `-c`) |\n\nThe `arguments` key lets the user customize the command line arguments in the configuration file.\nThis feature is a convenient way to save different client connection profiles.\n\nGiven the following configuration file `conf.json`:\n\n```json\n{\n  \"ssf\": {\n    \"arguments\": \"10.0.0.1 -p 443 -D 9000 -L 11000:localhost:12000 -v debug\"\n  }\n}\n```\n\nSSF will extract the given arguments and use them as a replacement of the initial arguments (except `-c`).\n\nFor example, `ssf -c conf.json` will be 
equivalent to `ssf 10.0.0.1 -p 443 -D 9000 -L 11000:localhost:12000 -v debug`:\n\n  * connect to `10.0.0.1:443` (`10.0.0.1 -p 443`)\n  * start the SOCKS service (`-D 9000`)\n  * start the TCP port forwarding service (`-L 11000:localhost:12000`)\n  * set verbosity level to debug (`-v debug`)\n\n#### Circuit\n\n| Configuration key | Description                                                               |\n|:------------------|:--------------------------------------------------------------------------|\n| circuit           | relay chain servers used to establish the connection to the remote server |\n\nThe circuit is a JSON array containing the bounce servers and ports which will be used to establish the connection.\nThey are listed as follows:\n\n```json\n{\n  \"ssf\": {\n    \"circuit\": [\n      {\"host\": \"SERVER1\", \"port\":\"PORT1\"},\n      {\"host\": \"SERVER2\", \"port\":\"PORT2\"},\n      {\"host\": \"SERVER3\", \"port\":\"PORT3\"}\n    ]\n  }\n}\n```\n\nThis configuration will create the following connection chain:\n\n```\nCLIENT -\u003e SERVER1:PORT1 -\u003e SERVER2:PORT2 -\u003e SERVER3:PORT3 -\u003e TARGET\n```\n\n#### Proxy\n\nSSF supports connection through:\n* HTTP proxy by using the `CONNECT` HTTP method\n* SOCKS proxy (v4 or v5)\n\n##### HTTP proxy\n\n| Configuration key                 | Description                                                                                               |\n|:----------------------------------|:----------------------------------------------------------------------------------------------------------|\n| http_proxy.host                   | HTTP proxy host                                                                                           |\n| http_proxy.port                   | HTTP proxy port                                                                                           |\n| http_proxy.user_agent             | User-Agent header value in HTTP CONNECT request                                   
                        |\n| http_proxy.credentials.username   | proxy username credentials (all platforms: Basic or Digest, Windows: NTLM and Negotiate if reuse = false) |\n| http_proxy.credentials.password   | proxy password credentials (all platforms: Basic or Digest, Windows: NTLM and Negotiate if reuse = false) |\n| http_proxy.credentials.domain     | user domain (NTLM and Negotiate auth on Windows only)                                                     |\n| http_proxy.credentials.reuse_ntlm | reuse current computer user credentials to authenticate with proxy NTLM auth (SSO)                        |\n| http_proxy.credentials.reuse_kerb | reuse current computer user credentials (Kerberos ticket) to authenticate with proxy Negotiate auth (SSO) |\n\nSupported authentication schemes:\n* Basic\n* Digest\n* NTLM (Windows only)\n* Negotiate with Kerberos (reuse computer user credentials)\n\n##### SOCKS proxy\n\n| Configuration key   | Description            |\n|:--------------------|:-----------------------|\n| socks_proxy.version | SOCKS version (4 or 5) |\n| socks_proxy.host    | SOCKS proxy host       |\n| socks_proxy.port    | SOCKS proxy port       |\n\nNo authentication scheme supported.\n\n#### TLS\n\n##### Using external files\n\n| Configuration key | Description                                                            |\n|:------------------|:-----------------------------------------------------------------------|\n| tls.ca_cert_path  | relative or absolute filepath to the CA certificate file               |\n| tls.cert_path     | relative or absolute filepath to the instance certificate file         |\n| tls.key_path      | relative or absolute filepath to the private key file                  |\n| tls.key_password  | key password                                                           |\n| tls.dh_path       | relative or absolute filepath to the Diffie-Hellman file (server only) |\n| tls.cipher_alg    | cipher algorithm                                
                       |\n\nWith default options, the following files and folders should be in the working directory of the client or the server:\n\n* `./certs/dh4096.pem`\n* `./certs/certificate.crt`\n* `./certs/private.key`\n* `./certs/trusted/ca.crt`\n\nWhere:\n\n* **dh4096.pem** contains the Diffie-Hellman parameters ([generate DH parameters](#generating-diffie-hellman-parameters))\n* **certificate.crt** and **private.key** are the certificate and the private key of the SSF server or client ([generate certificate](#generating-a-certificate-signed-with-the-ca-and-its-private-key))\n* **ca.crt** is the concatenated list of certificates trusted by the SSF server or client ([generate CA](#generating-a-self-signed-certification-authority-ca))\n\nIf you want those files at different paths, it is possible to customize them thanks to the TLS path keys:\n\n```json\n{\n  \"ssf\": {\n    \"tls\" : {\n      \"ca_cert_path\": \"./certs/trusted/ca.crt\",\n      \"cert_path\": \"./certs/certificate.crt\",\n      \"key_path\": \"./certs/private.key\",\n      \"key_password\": \"\",\n      \"dh_path\": \"./certs/dh4096.pem\",\n      \"cipher_alg\": \"DHE-RSA-AES256-GCM-SHA384\"\n    }\n  }\n}\n```\n\n##### Using configuration file only\n\n| Configuration key  | Description                                                                                                           |\n|:-------------------|:----------------------------------------------------------------------------------------------------------------------|\n| tls.ca_cert_buffer | CA certificate file content in PEM format (:warning: `\\n` between data and PEM header/footer)                         |\n| tls.cert_buffer    | instance certificate file content in PEM format (:warning: `\\n` between data and PEM header/footer)                   |\n| tls.key_buffer     | private key file content in PEM format (:warning: `\\n` between data and PEM header/footer)                            |\n| tls.key_password   | key 
password                                                                                                          |\n| tls.dh_buffer      | Diffie-Hellman parameters file content in PEM format (:warning: `\\n` between data and PEM header/footer, server only) |\n| tls.cipher_alg     | cipher algorithm                                                                                                      |\n\nYou can integrate the TLS parameters directly into the configuration file by using the `tls.ca_cert_buffer`, `tls.cert_buffer`, `tls.key_buffer` and `tls.dh_buffer` keys.\n\n```json\n{\n  \"ssf\": {\n    \"tls\" : {\n      \"ca_cert_buffer\":\"-----BEGIN CERTIFICATE-----\\n...\\n-----END CERTIFICATE-----\",\n      \"cert_buffer\":\"-----BEGIN CERTIFICATE-----\\n...\\n-----END CERTIFICATE-----\",\n      \"key_buffer\":\"-----BEGIN RSA PRIVATE KEY-----\\n...\\n-----END RSA PRIVATE KEY-----\",\n      \"key_password\": \"\",\n      \"dh_buffer\":\"-----BEGIN DH PARAMETERS-----\\n...\\n-----END DH PARAMETERS-----\",\n      \"cipher_alg\": \"DHE-RSA-AES256-GCM-SHA384\"\n    }\n  }\n}\n```\n\nCertificates, private keys and DH parameters must be in PEM format. 
:warning: `\\n` between data and PEM header/footer are mandatory.\n\n#### Microservices\n\n| Configuration key        | Description                              |\n|:-------------------------|:-----------------------------------------|\n| services.*.enable        | enable/disable microservice              |\n| services.*.gateway_ports | enable/disable gateway ports             |\n| services.shell.path      | binary path used for shell creation      |\n| services.shell.args      | binary arguments used for shell creation |\n\nSSF's features are built using microservices (TCP forwarding, remote SOCKS, ...)\n\nThere are 7 microservices:\n* stream_forwarder\n* stream_listener\n* datagram_forwarder\n* datagram_listener\n* copy\n* socks\n* shell\n\nEach feature is the combination of at least one client side microservice and one server side microservice.\n\nThis table sums up how each feature is assembled:\n\n| ssf feature                 | microservice client side | microservice server side |\n|:----------------------------|:-------------------------|:-------------------------|\n| `-L`: TCP forwarding        | stream_listener          | stream_forwarder         |\n| `-R`: remote TCP forwarding | stream_forwarder         | stream_listener          |\n| `-U`: UDP forwarding        | datagram_listener        | datagram_forwarder       |\n| `-V`: remote UDP forwarding | datagram_forwarder       | datagram_listener        |\n| `-D`: SOCKS                 | stream_listener          | socks                    |\n| `-F`: remote SOCKS          | socks                    | stream_listener          |\n| `-X`: shell                 | stream_listener          | shell                    |\n| `-Y`: remote shell          | shell                    | stream_listener          |\n\nThis architecture makes it easier to build remote features: they use the same microservices but on the opposite side.\n\n`ssf` and `ssfd` come with pre-enabled microservices.\nHere is the default microservices 
configuration:\n\n```json\n{\n  \"ssf\": {\n    \"services\": {\n      \"datagram_forwarder\": { \"enable\": true },\n      \"datagram_listener\": { \"enable\": true },\n      \"stream_forwarder\": { \"enable\": true },\n      \"stream_listener\": { \"enable\": true },\n      \"socks\": { \"enable\": true },\n      \"copy\": { \"enable\": false },\n      \"shell\": { \"enable\": false }\n    }\n  }\n}\n```\n\nTo enable or disable a microservice, set the `enable` key to `true` or `false`.\n\nTrying to use a feature requiring a disabled microservice will result in an error message.\n\n## How to generate certificates for TLS connections\n\n### Manually\n\n#### Generating Diffie-Hellman parameters\n\n```bash\nopenssl dhparam 4096 -outform PEM -out dh4096.pem\n```\n\n#### Generating a self-signed Certification Authority (CA)\n\nFirst of all, create a file named *extfile.txt* containing the following lines:\n\n```plaintext\n[ v3_req_p ]\nbasicConstraints = CA:FALSE\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment\n```\n\nThen, generate a self-signed certificate (the CA) *ca.crt* and its private key *ca.key*:\n\n```bash\nopenssl req -x509 -nodes -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3650\n```\n\n#### Generating a private key and a certificate (signed with the CA)\n\nGenerate a private key *private.key* and a certificate signing request *certificate.csr*:\n\n```bash\nopenssl req -newkey rsa:4096 -nodes -keyout private.key -out certificate.csr\n```\n\nGenerate the certificate (*certificate.pem*) by signing the CSR with the CA (*ca.crt*, *ca.key*):\n\n```bash\nopenssl x509 -extfile extfile.txt -extensions v3_req_p -req -sha256 -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -in certificate.csr -out certificate.pem\n```\n","funding_links":[],"categories":["C++","\u003ca name=\"cpp\"\u003e\u003c/a\u003eC++","\u003ca id=\"d03d494700077f6a65092985c06bf8e8\"\u003e\u003c/a\u003e工具","C++ (225)","network"],"sub_categories":["\u003ca 
id=\"57b8e953d394bbed52df2a6976d98dfa\"\u003e\u003c/a\u003eSocks"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecuresocketfunneling%2Fssf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsecuresocketfunneling%2Fssf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecuresocketfunneling%2Fssf/lists"}