What is this thing
gTunnel is a tunneling solution aimed at providing quick and easy network tunnels that are fast, efficient, and stealthy. The gTunnel server and client are written in Go and run on Windows, Linux, and Mac. All tunnels are managed over a single TCP connection, using gRPC for the control channels. This lets the operator have multiple tunnels, each with multiple TCP connections, all riding over the same outbound TCP connection. Since the interface is defined in gRPC, it will be easy to port gClient to other languages, such as Python, Java, or C.
gTunnel can support:
  • Forward tunnels - Good for browsing intranets, lateral movement, and SOCKS proxying.
  • Reverse tunnels - Good for exfiltrating data or routing C2 out of internal networks.
  • SOCKS server - gClient has built-in SOCKS5 server support.
And that's it! gTunnel doesn't do a lot, but it does that one thing well enough.
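The single-connection multiplexing described above, as an added illustration. This is not gTunnel's own code or wire format (gTunnel carries everything in gRPC messages over HTTP/2); the frame layout, the Frame/Demux/Multiplex names and the sample payloads are invented for the example. It shows how chunks from several logical TCP connections in several tunnels are tagged, interleaved on one byte stream and reassembled at the far end, how one connection can close without tearing down the shared transport, and how truncated or malformed frames are rejected rather than silently accepted.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

// Hypothetical layout for this example only; gTunnel's real transport is gRPC over HTTP/2.
// Big-endian: tunnelID u16 | connID u32 | flag u8 | length u32 | payload.
const (
	flagData, flagClose = 0, 1
	headerLen           = 2 + 4 + 1 + 4
)

// Frame carries one chunk of one logical TCP connection inside one tunnel.
type Frame struct{ TunnelID uint16; ConnID uint32; Flag uint8; Payload []byte }

// Encode serialises big-endian; a 32-bit length cannot silently wrap on large reads.
func (f Frame) Encode() []byte {
	buf := make([]byte, headerLen+len(f.Payload))
	binary.BigEndian.PutUint16(buf[0:], f.TunnelID)
	binary.BigEndian.PutUint32(buf[2:], f.ConnID)
	buf[6] = f.Flag
	binary.BigEndian.PutUint32(buf[7:], uint32(len(f.Payload)))
	copy(buf[headerLen:], f.Payload)
	return buf
}

// ReadFrame reads one frame; io.EOF is a clean end, a truncated frame is io.ErrUnexpectedEOF.
func ReadFrame(r io.Reader) (Frame, error) {
	var hdr [headerLen]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return Frame{}, err
	}
	f := Frame{TunnelID: binary.BigEndian.Uint16(hdr[0:]), ConnID: binary.BigEndian.Uint32(hdr[2:]), Flag: hdr[6]}
	f.Payload = make([]byte, binary.BigEndian.Uint32(hdr[7:]))
	_, err := io.ReadFull(r, f.Payload)
	return f, err
}

// connKey identifies one logical connection; Stream is what the far end rebuilt for it.
type connKey struct{ Tunnel uint16; Conn uint32 }
type Stream struct{ Data []byte; Closed bool }

// Demux reads frames until EOF and routes each to its (tunnel, conn) stream;
// a frame for an already-closed connection or with an unknown flag is an error.
func Demux(r io.Reader) (map[connKey]Stream, error) {
	streams := map[connKey]Stream{}
	for {
		f, err := ReadFrame(r)
		if err == io.EOF {
			return streams, nil
		} else if err != nil {
			return nil, err
		}
		k := connKey{f.TunnelID, f.ConnID}
		s := streams[k] // zero Stream the first time a connection is seen
		switch {
		case s.Closed:
			return nil, fmt.Errorf("frame after close on %+v", k)
		case f.Flag == flagData:
			s.Data = append(s.Data, f.Payload...)
		case f.Flag == flagClose:
			s.Closed = true
		default:
			return nil, fmt.Errorf("unknown flag %d", f.Flag)
		}
		streams[k] = s
	}
}

// Multiplex builds the byte stream the single outbound connection would carry
// (frames from different connections interleaved) and feeds it to the far end.
func Multiplex(frames []Frame) (map[connKey]Stream, error) {
	var wire bytes.Buffer
	for _, f := range frames {
		wire.Write(f.Encode())
	}
	return Demux(&wire)
}

// SampleFrames is constructed input: a forward tunnel (1) and a reverse tunnel
// (2) whose connections take turns on the wire; only the reverse one closes.
func SampleFrames() []Frame {
	return []Frame{
		{1, 1, flagData, []byte("GET / HTTP/1.1\r\n")},
		{2, 7, flagData, []byte("exfil part 1,")},
		{1, 1, flagData, []byte("Host: intranet\r\n\r\n")},
		{2, 7, flagData, []byte("exfil part 2")},
		{2, 7, flagClose, nil},
	}
}

func main() {
	fmt.Println(Multiplex(SampleFrames()))
}
```

Run it with `go run`. In a real client each proxied connection would write its frames from its own goroutine, serialised under a lock so two frames never interleave mid-frame, and the shared transport would be the TLS/HTTP/2 session the page describes rather than an in-memory buffer.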

Why would I use this instead of an SSH tunnel?

Simply to avoid SSH traffic. If your target allows outbound SSH and you don't think it will get caught, SSH is hands down a better bet. gTunnel works over an HTTP/2 connection over TLS, so to a network monitor it should look like a normal web session. Keep in mind what that cover does and does not buy: the TLS handshake of a Go client does not match a browser's, and an inspection proxy that terminates TLS will see gRPC's HTTP/2 framing and its application/grpc content type, so the tunnel blends in with web traffic at the flow level rather than surviving deep inspection.

Why would I use this instead of a CobaltStrike socks proxy?

Cobalt Strike carries all SOCKS data over the Beacon's HTTP check-ins, which has a huge amount of overhead and forces you to drop your interactive agent down to sleep 0. This puts your agent at risk as well as producing enormous amounts of web traffic. gClient can be executed separately and provides a much quicker experience, resulting in faster page loads and exfiltration of data.

What are the security risks?

gClient can be provided as an executable or a library; how you execute it is entirely up to you. It is likely that gClient already has AV signatures, so it is not advisable to write it to a target's filesystem.